Security Awareness is an incredibly important aspect of any security program. As we’ve seen in countless high-profile breaches, users are consistently the path of least resistance into any organization. That is why training employees to identify ‘suspiciousness’ and react in a safe and effective manner is just as important as maintaining perimeter security and aggregating log data. Since LogRhythm is a security-focused company, we take a more aggressive approach than most when it comes to Security Awareness training by testing our defenses regularly, in realistic ways.
Open Wireless networks are the perfect medium for malicious activity, and criminals have leveraged this attack vector in many high-profile intrusions for years. One of the more recent and public Wi-Fi attacks came to be known as “Dark Hotel”. In this scenario, the attackers preemptively compromised a hotel network which they knew their target would be visiting. They leveraged the Wireless network to deploy their malware to hotel guests for around seven years. This is just one of the more notable breaches involving a public Wireless network, though this case is a bit different from a true rogue AP attack. For this reason, training your employees on the security precautions they can take when using such networks is incredibly important.
Recently, LogRhythm hosted one of our many regular sales events. This is a time when a majority of the organization gathers in Colorado to meet and discuss the future of the company. We decided to use this event as a learning opportunity. Since employees from all around the world gather in one central location for the event, we launched a rogue access point attack with the goal of simulating an adversary targeting LogRhythm employees. This is a fairly straightforward attack in that we hid multiple Wi-Fi Pineapples throughout the hotel and captured employee domain credentials using a custom captive portal (note – we only captured usernames for obvious reasons). Luckily we have some very sharp folks working here: many reported the Pineapples immediately, and one guy even physically found one of the Pineapples. Had this been a real attack, it would have been shut down hard and fast due to the diligence of our employees.
Figure 1: Wi-Fi Pineapple Mark V
Exercises like this are not common within organizations that are not security focused; however, it is important for security awareness training programs to take multiple attack vectors into account when evaluating their overall security posture. By now, most people are well aware of generic phishing attacks; however, training exercises such as deploying rogue access points are not often conducted internally. This is why I’d like to walk through how to conduct such an exercise and train your employees to report things that just ‘don’t feel right’.
If you frequent the LogRhythm blog, you may have read through the Xfinity Pineapple post that I put together last year. Since then, I’ve received many questions around exactly how to build such an attack using the Wi-Fi Pineapple, primarily because I didn’t really dive into the code, and this can be a bit more complex than some of the other deployment options, such as PwnSTAR. To help out with this, Labs put together two blank captive portal templates that can be used with either vector in order to assist both penetration testers and various organizations with orchestrating similar training exercises. This code can be downloaded at the link below:
I also gave a talk a few months ago at AppSec California on the topic that goes into much more detail than this post. The slides and presentation recording can be found here:
Getting back to the Pineapple configuration, I like to deploy captive portals using a basic redirect within the NodogSplash configuration — this allows you to stand up various captive portals quickly and easily. All you need to do is point to the new web directory where the actual portal pages will be stored. This also gives you the ability to use PHP scripts, which is not possible on the initial splash page.
Figure 2: Splash Page
With the basic splash redirect in place, very elaborate captive portals become possible. These can contain whatever you’d like — anything from a false login form to malicious content delivered via browser exploit. The latter is easy, as you can simply pass the client through; however, capturing form data is not as straightforward as it sounds — at least not on the Pineapple. In fact, there is a thread dedicated to deploying a specific captive portal attack on the Pineapple which still does not have a definitive answer, mainly because this attack would be dangerous in the hands of someone who doesn’t really understand the legalities of what they are doing, and giving away the easy solution would be irresponsible in my opinion. So, I’d like to cover the attack in general to help folks better understand how to defend against it.
The final piece of this is the PHP form processor. This page basically appends each login attempt to a flat file by capturing the entire contents of the POST data and subsequently allows the user through to the authtarget link once the form has been successfully submitted.
Figure 5: PHP Form Processor
Make sure to set permissions properly so your Pineapple doesn’t get owned and that’s it! Now, just give the access point an interesting SSID, launch the captive portal, then sit back and watch the credentials flow…
Figure 6: Customized Captive Portal
Quick Open Wi-Fi Security Tips
- Always use a VPN/VPS/SSH Port Forwarding/etc. when connected to an open access point.
- Turn all Wireless devices off when traveling or in crowded areas; many devices still connect to wireless networks even when ‘sleeping’.
- Try false credentials first; if it lets you through, it was a scam.
- Use different credentials for basically everything.
- Visit a common site, such as Google.com, and look for a valid SSL certificate — if you get a certificate error then your traffic is being sniffed.
- Use Netcat to check the HTTP headers of the landing page for the word ‘Pineapple’.
- Beware duplicate networks or the system connecting to your ‘home network’ when you’re really nowhere near your home.
- Use caution when your Wireless connection suddenly drops and re-establishes itself, especially if this happens to everyone around you.
- If it just ‘doesn’t feel right’ then trust your instincts…
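To make the header-check tip above concrete, here is an added example (not code from the original post or from LogRhythm Labs) that takes the raw HTTP reply you would see from a Netcat-style request to a known plain-HTTP site and flags the signs of portal interception: a redirect to a host you did not ask for, ‘Pineapple’ or ‘NodogSplash’ anywhere in the headers, or an unexpected password form on a page that should have none. The two sample responses, the host names in them, and the marker list are constructed for illustration.

```python
"""Flag captive-portal / rogue-AP interception in a raw HTTP response."""
from urllib.parse import urlparse

# Assumed fingerprints to look for in headers (constructed list; extend as needed).
SUSPECT_MARKERS = ("pineapple", "nodogsplash")

def parse_http_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body

def landing_page_findings(raw: str, requested_host: str):
    """Return the reasons this response looks like a captive portal answered
    instead of the host we actually requested (empty list = nothing odd)."""
    status, headers, body = parse_http_response(raw)
    findings = []
    # Check 1: a redirect that sends us to a different host than we asked for.
    location = headers.get("location", "")
    if status in (301, 302, 303, 307, 308) and location:
        target = urlparse(location).hostname or ""
        if target and target != requested_host:
            findings.append(f"redirect to foreign host {target}")
    # Check 2: portal fingerprints in header names or values (the Netcat tip).
    for name, value in headers.items():
        blob = f"{name}: {value}".lower()
        for marker in SUSPECT_MARKERS:
            if marker in blob:
                findings.append(f"marker '{marker}' in header '{name}'")
    # Check 3: a password form where the real site would not show one.
    low = body.lower()
    if status == 200 and "<form" in low and 'type="password"' in low:
        findings.append("unexpected login form on landing page")
    return findings

# Constructed sample: an ordinary reply from the site we asked for.
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: example\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>hello</body></html>"
)
# Constructed sample: a portal answering on behalf of that site.
PORTAL_RESPONSE = (
    "HTTP/1.1 302 Found\r\nServer: WiFi Pineapple\r\n"
    "Location: http://portal.example/index.php\r\n\r\n"
)
```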
Attackers thrive on opportunity. Even something as simple as a target visiting an unfamiliar location can be a goldmine for an adversary — allowing them to manipulate the environment around their mark. Why don’t we as security practitioners do the same? It is important to think outside the box and leverage unique attack vectors to actively test employees. Not only are they your greatest asset, they can often be your weakest point. Training employees on how to recognize and respond to various attacks is crucial to the overall security posture of your organization.