Unveiling Evil Twin Detection Techniques Through a Normal User's Perspective


Explore evil twin detection from a different standpoint: that of a normal user trying to uncover suspicious activity on the network. The deck covers existing detection methods, the authors' fuzzed packet approach, potential approaches, and lessons learned.

  • Evil Twin Detection
  • Network Security
  • User Perspective
  • Detection Techniques


Presentation Transcript


  1. In air they wander, we exist to blow their cover!!!! {An approach to evil twin detection from the normal user's side}

  2. 0 Forewords

  3. Who we are??? Amrita C. Iyer, Senior QA Associate, who kills boredom by fuzzing applications. i[dot]c[dot]amrita[at]gmail[dot]com. Rushikesh D. Nandedkar, Information Security Researcher. nandedkarhrishi[at]gmail[dot]com

  4. Agenda
     • Introduction and some details
     • The Evil Twin
     • Fuzzed Packet Approach
     • Things we learned
     • Related work
     • Potential approaches
     • Conclusions
     • Acknowledgements

  5. 1 Introduction and some details

  6. Overview
     • What .11 is blamed for?
     • Victims
     • .11 modes
     • Stumbling and Sniffing
     • Scanning
     • How?

  7. What .11 is blamed for? A hole in the network perimeter (open wireless networks, WEP, bad configs). A loose link in the client's security:
     • Offensive rogue access points
     • Eavesdropping in socially dense areas
     • Connectivity mess-ups

  8. So, a lot of mess and mash in the air. And as a matter of fact, these deeds are generally not very detectable!

  9. Victims!!! (1) Thanks to the omnipresence and ease of access of wireless: mobile phones, cameras, printers, gaming consoles, laptops, desktops . . . More and more places are being equipped with Wi-Fi.

  10. Victims!!! (2) The perimeter generals: UTMs, packet analysers. All in all, many victims awaiting exploitation!

  11. .11 modes. The 802.11 hardware can be operated in many modes:
     I. Managed: acts as a station
     II. Ad hoc: acts as an ad hoc station
     III. Master: acts as an access point
     IV. Monitor (RFMON): shows everything seen by the radio (the counterpart of promiscuous mode in .3)

  12. Stumbling and Sniffing. Stumblers query the card firmware to see what networks are detectable in the local radio periphery. Pros: don't require special drivers. Cons: see fewer networks; cannot capture data packets. Source: Dragorn, Kismet Presentation.

  13. Sniffers like Wireshark, tcpdump or Kismet are capable of capturing raw data frames. Sniffers can capture data packets and broadly operate in monitor mode. Source: Dragorn, Kismet Presentation.

  14. Scanning. In our context of discussion, scanning refers to the activity of discovering access points in the local radio periphery. (where we are)

  15. How? Probe requests/responses. Beacon frames. A combination of probes and beacons.

  16. 2 The Evil Twin

  17. Overview
     • Who is Evil Twin?
     • Some terms
     • Where to find them all together?
     • Some boring text on Evil Twin
     • So much of concern.. uh!
     • Stats from Black Hat US 2013

  18. "Defending clients on open AP is very hard!" ~ Mike Kershaw, BH-DC 2010.

  19. We tried understanding this statement in more depth. And eventually we happened to meet the wireless predator:

  20. The Evil Twin

  21. Who is Evil Twin??

  22. Some terms: Access Point, SSID, Station/Host/Node.

  23. Where to find them all together? Open wireless networks: basic IEEE 802.11 implementation, no secret is ever exchanged. Airports, cafes, colleges, offices etc.

  24. Some boring text on Evil Twin. A phishing Wi-Fi AP that looks like a legitimate one (with the same SSID). Typically occurs near free hotspots, such as airports, cafes, hotels, and libraries. Hard to trace, since they can be launched and shut off suddenly or randomly, and last only for a short time after achieving their goal.

  25. So much of concern.. uh!

  26. Stats from Black Hat US 2013
     • Time frame: 24 hours
     • Number of legitimate devices found: 1300
     • Number of rogue devices found: 1900
     • Number of users found for the keynote session: 3500

  27. 3 Fuzzed Packet Approach

  28. Overview
     • What is fuzzing?
     • Assumptions
     • Which fields are of interest?
     • Scapy usage
     • Results

  29. What is fuzzing? "Fuzzing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data ("fuzz"). If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct." [WIKIPEDIA] "Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed data injection in an automated fashion." [OWASP]

  30. Assumptions
     • The host wireless network interface card is up and tuned to monitor mode.
     • Packet injection is working.
     • The host has acquired an IP address on the suspected AP's network.

  31-33. Parameters of interest!!! (three slides of figures) Source: nmap.org

  34. Scapy usage. Scapy is a Python module/library used as a packet manipulation program. It helps write, read and inject packets and frames as per the user's imagination. More information is at http://secdev.org/projects/scapy .

  35. What did we use:

```python
from scapy.all import *

conf.iface = "mon0"
# Deliberately wrong IP checksum (the legitimate value for our target was 4567)
i = IP(dst="<IP address of suspicious AP>", chksum=1234)
# Deliberately wrong TCP checksum (legitimate value 2345) and only the FIN flag set
sr(i / TCP(chksum=2498, flags=0x01))
```

  36. Results. Response from the legitimate AP: RST. Response from the rogue AP: no response. Same old scanning logic: an unsolicited FIN should be dropped and a RST sent in response. In the case of the rogue AP, somehow the kernel may not be behaving this way and is accepting the packet.
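To make the probe on slides 35 and 36 concrete without Scapy, here is an added example (not the authors' script) that hand-builds the same kind of packet with the standard library: an IPv4/TCP segment carrying the slide's fuzzed checksum values (1234 and 2498) and only the FIN flag, next to the same segment with the legitimate checksums, together with the decision rule from the Results slide. Addresses and ports are constructed and nothing is transmitted; sending the probe still needs monitor mode and packet injection as the Assumptions slide says.

```python
"""Hand-built version of the slides' fuzzed IP/TCP probe, plus the verdict rule.

Added example, not the authors' Scapy script. It builds the packet the slides
send (IPv4/TCP with deliberately wrong checksums and only the FIN flag set)
with the standard library, so the legitimate checksum and the fuzzed value can
be compared side by side, and encodes the slides' decision rule:
RST back = expected behaviour, silence = suspicious. Nothing is sent.
"""
import socket
import struct

FIN = 0x01
RST = 0x04
FUZZ_IP_CHKSUM = 1234     # values from the slides, written verbatim into the headers
FUZZ_TCP_CHKSUM = 2498


def internet_checksum(data):
    """RFC 1071 ones-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_pseudo_header(src, dst, tcp_len):
    return struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, tcp_len)


def ipv4_header(src, dst, payload_len, chksum=None):
    """20-byte IPv4 header. chksum=None fills in the legitimate value;
    any other value is written as-is (the fuzzed case)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      64, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    if chksum is None:
        chksum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", chksum) + hdr[12:]


def tcp_header(src, dst, sport, dport, flags, chksum=None):
    """20-byte TCP header with no options; the checksum covers the pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    if chksum is None:
        pseudo = _tcp_pseudo_header(socket.inet_aton(src), socket.inet_aton(dst), len(hdr))
        chksum = internet_checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", chksum) + hdr[18:]


def build_probe(src, dst, dport=80, fuzz=True):
    """The slides' probe: bare FIN with bad checksums (fuzz=True), or the same
    bare FIN with correct checksums (fuzz=False) for comparison."""
    tcp = tcp_header(src, dst, 40000, dport, FIN, FUZZ_TCP_CHKSUM if fuzz else None)
    return ipv4_header(src, dst, len(tcp), FUZZ_IP_CHKSUM if fuzz else None) + tcp


def checksum_fields(packet):
    """(IP checksum, TCP checksum) exactly as carried in the packet."""
    return (struct.unpack("!H", packet[10:12])[0],
            struct.unpack("!H", packet[36:38])[0])


def checksums_valid(packet):
    """What a receiving stack checks: both ones-complement sums fold to zero."""
    ip, tcp = packet[:20], packet[20:]
    ip_ok = internet_checksum(ip) == 0
    tcp_ok = internet_checksum(_tcp_pseudo_header(ip[12:16], ip[16:20], len(tcp)) + tcp) == 0
    return ip_ok, tcp_ok


def verdict(response_flags):
    """Decision rule from the Results slide. response_flags is the TCP flags
    byte of the reply, or None when nothing came back before the timeout."""
    if response_flags is None:
        return "no response: suspicious, matches the rogue-AP behaviour in the slides"
    if response_flags & RST:
        return "RST: unsolicited FIN rejected, consistent with the legitimate AP"
    return "unexpected reply flags 0x%02x: investigate" % response_flags


if __name__ == "__main__":
    fuzzed = build_probe("192.0.2.10", "192.0.2.1")              # constructed addresses
    clean = build_probe("192.0.2.10", "192.0.2.1", fuzz=False)
    print("fuzzed checksums:", checksum_fields(fuzzed), "valid:", checksums_valid(fuzzed))
    print("legit  checksums:", checksum_fields(clean), "valid:", checksums_valid(clean))
    print(verdict(RST))
    print(verdict(None))
```

One caveat worth keeping in mind when reading the Results slide: a conformant TCP/IP stack verifies the checksums before it ever looks at the flags, so any reply at all to the fuzzed probe says something about the path (for example a NAT or proxy that rewrites checksums) rather than only about FIN handling. Treat the rule as a heuristic to be calibrated against a known-good AP, and log the probe and its reply so the result can be reviewed later.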

  37. 4 Things We Learned

  38. Things we learned
     • The behaviour of the wireless network interface card.
     • Settling on a live distro and dropping the use of VMs.
     • Alfa cards worked great, but Intel built-in chipsets and Cisco wireless adaptors were also competent.
     • Yet another way to understand wireless networks.

  39. 5 Related Work

  40. Related work: 1. RF Monitoring; 2. Wired and wireless connection consideration.

  41. RF Monitoring (1) Monitors RF and gathers information at switches and routers. Compares it with a known authorized list. E.g. AirDefense scans the intranet RF and compares fingerprints.

  42. RF Monitoring (2) An approach where dedicated sensors are used for scanning. They use parameters like SSID, MAC, location information etc. The information collected on these parameters is compared against a verified list.

  43. RF Monitoring (3) Sends a verifier packet. If it is received by an internal sensor, the AP is internal and hence an evil twin. Source: Raheem Beyah and Aravind Venkataraman, IEEE Security & Privacy Magazine, Vol. 9, No. 5, 2011.

  44. Wired and wireless connection consideration (1) Checks the host's connectivity: is it wired to wireless (authorized), wireless to wireless (authorized), or wired to wireless (unauthorized)? They refer to a prepopulated authorization list. The parameters they take into account are round trip time, entropy etc., and statistical analysis is performed on them.

  45. Wired and wireless connection consideration (2) Another approach calculates the clock skew of the access point and builds the relevant fingerprint. Later these details are used in machine learning algorithms for training detection models. Source: Jana et al.
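To show what the clock-skew fingerprint on slide 45 actually measures, here is an added example that is not Jana et al.'s code: every 802.11 beacon carries a 64-bit TSF timestamp in microseconds of the AP's own clock, and a sniffer that records its local arrival time for each beacon can fit the slope of (AP time elapsed) minus (local time elapsed) against local time. That slope is the AP's clock skew relative to the sniffer, a few ppm and stable per radio, so two captures advertising the same SSID with clearly different skews come from two different devices. The beacon samples are constructed with a chosen skew plus arrival jitter, and the 1 ppm match tolerance is an assumption.

```python
"""Clock-skew fingerprint of an access point from its beacon timestamps.

Added example illustrating the approach slide 45 attributes to Jana et al.;
not their code. Beacon samples are constructed, the tolerance is assumed.
"""
import random

BEACON_INTERVAL_US = 102_400   # default beacon interval, 100 TU


def clock_skew_ppm(samples):
    """samples: list of (local_arrival_us, beacon_tsf_us) from one capture.
    Returns the least-squares slope of offset vs elapsed local time, in ppm."""
    t0, tsf0 = samples[0]
    xs = [t - t0 for t, _ in samples]                       # elapsed sniffer time
    ys = [(tsf - tsf0) - (t - t0) for t, tsf in samples]    # AP elapsed minus sniffer elapsed
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def same_radio(skew_a_ppm, skew_b_ppm, tol_ppm=1.0):
    """Assumed decision rule: skews within tol_ppm are treated as one device."""
    return abs(skew_a_ppm - skew_b_ppm) <= tol_ppm


def synth_beacons(skew_ppm, count=300, jitter_us=50, seed=0):
    """Constructed capture: the AP clock runs (1 + skew) times as fast as the
    sniffer clock; arrival times carry uniform jitter from the air and driver."""
    rng = random.Random(seed)
    samples = []
    for i in range(count):
        local = i * BEACON_INTERVAL_US + rng.uniform(-jitter_us, jitter_us)
        tsf = i * BEACON_INTERVAL_US * (1 + skew_ppm / 1e6)
        samples.append((local, tsf))
    return samples


def compare_captures(capture_a, capture_b, tol_ppm=1.0):
    """Skew of both captures and whether they look like one physical AP."""
    a, b = clock_skew_ppm(capture_a), clock_skew_ppm(capture_b)
    return a, b, same_radio(a, b, tol_ppm)


if __name__ == "__main__":
    legit_morning = synth_beacons(12.0, seed=0)    # constructed: known AP, skew +12 ppm
    legit_evening = synth_beacons(12.0, seed=7)    # the same AP, a later capture
    twin = synth_beacons(-7.5, seed=3)             # constructed: a different radio, same SSID
    print("same AP twice:", compare_captures(legit_morning, legit_evening))
    print("AP vs twin:   ", compare_captures(legit_morning, twin))
```

Two practical notes: the measured skew is relative to the sniffer's own clock, so only captures taken by the same sniffer are comparable (its drift cancels in the difference), and crystal skew moves slightly with temperature, so the tolerance should come from repeated baseline captures of the known AP rather than from a fixed constant.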

  46. Wired and wireless connection consideration (3) Proposes a model named ET Sniffer. Measures the round trip time for a packet to travel from host to server, and differentiates on the basis of whether the packet travelled over a wireless link or a wired link. Assumes that the wired link is always one hop away. Source: Yang et al.

  47. Wired and wireless connection consideration (4) Proposes a model named WiFiHop. Sends a watermark packet (known only to the user) to the internet, then listens on the channel for the watermark packet. If it is found, an evil twin is detected. Overcomes the problem where the packet travels through more than one wireless hop.

  48. Why do we need one more approach? Existing approaches have certain limitations. The majority of them rely on special hardware or a special setup to make the detection work, which sometimes requires the highest level of privileges. The existing approaches were initially designed with the wireless network admin as the detecting authority, not the normal user. The fuzzed packet approach is a user-side approach: it works with the WNIC available in our laptops and uses Scapy, which is readily available in BackTrack.

  49. 6 Potential Approaches

  50. Potential Approaches. There is still potential in protocols like IGMP and BGP to build intelligence about a rogue access point. Perhaps techniques similar to traceroute could be used to learn the wired transfer time and then subtract it, minimizing the noise from the wired side. Mobile tethered Wi-Fi hotspots are yet to be tested with our approach; they stand as a strong contender to both legitimate and rogue access points.
