Modified Man-in-the-Middle Attack Team Iota Elizabeth Bartels Russell Brick Catherine Caterson Marcos Hernandez Ryan Moore Kevin O’Connor Josh Shtatman Team Iota Modified Man-in-the-Middle Attack Page 1 Table of Contents Disclaimer and Implications……………………………………………………………………………………………...Page 3 Hardware and Software Used…………………………………………………………………………………………...Page 4 Performing the Attack……………………………………………………………………………………………………….Page 5 Sources...................................................................................................................................Page 9 Team Iota Modified Man-in-the-Middle Attack Page 2 Disclaimer and Implications This video is for a class project and you should not attempt this on your own; it could result in severe consequences. The wi-fi Pineapple – a modified Fonera Router - is a special tool designed to aid penetration testers in vulnerability assessments when permission to do so has been granted. No one other than the members of our group were involved or affected by this demonstration. Depending on the circumstances, you could face: Fines Incarceration A private lawsuit Being banned from ISPs or email providers Difficulty finding employment if convicted Being fired from your current employment Laws you could potentially be breaking include, but are not limited to: Team Iota Invasion of privacy laws Identity theft laws Theft of trade secrets (if getting information from a business machine) Economic espionage act (if you obtain corporate/government information and try to pass it on to a foreign entity) State laws (each state has their own laws dealing with computer related crimes) Computer Fraud and Abuse Act Modified Man-in-the-Middle Attack Page 3 Hardware and Software Used We used multiple tools to complete this project. Below is a brief description of what they do. BackTrack Linux - The software we will be using runs on Linux, and this is the flavor we used. Aircrack-ng – This is a Linux-based program which will be used to initiate our deauthentication attack. Specifically we use the Airmon-ng and Aireplay-ng tools. Jasager - This is the firmware installed on our dual-network interface card portable router. Jasager is the program used to initiate the handshake which will cause users to automatically connect to us. It installs on the open-source router firmware, OpenWRT, using the Karma installation interface. This allows for a man-in-the-middle attack. Wireshark - Wireshark is a packet capture program. It will allow us to monitor, capture, and log all packets being sent across the network. Fonera router - The Fon router contains two NICs allowing for two independent networks to be bridged. This will be used to conduct our man-in-the-middle attack by having users connect to us through one interface card while we make a bridge to serve as a middle-man to the Internet through the second interface card. Hak5 Pineapple device - This device will be used to create our fake access point, it’s a prefabricated Fonera router running Open-WRT, Karma, and Jasager GTKDesktop Record – a desktop recording application for use with Linux based operating systems. iMovie – a video editing application available through Mac OS. This was used to create the documents companion walkthrough video. Team Iota Modified Man-in-the-Middle Attack Page 4 Performing the Attack Jasager Setup This will outline how to setup the Pineapple network penetration device. It details how to setup the modified Fon router that will run the OpenWrt firmware, and how to use the Jasager device. It also describes how to force connections of new clients searching for wireless network access to connect to our own network. Take your Fon powered Wi-Fi Pinapple or other Fonera router running Jasager. 1. Connect power to the Pineapple by using either a direct wall-outlet connection or a battery pack. 2. Using an Ethernet cable, connect the Pineapple to your machine’s NIC card. 3. Open up Internet Explorer, Firefox, Google Chrome, or any other GUI based browser. You can also connect using a text based browser; however, this guide only covers the GUI interface. 4. In your browser’s address bar type in 192.168.1.1, this will connect you to X-Wrt, which is the end-uUser graphical extension for OpenWrt (the open-source firmware powering the Fon router). 5. You will be prompted for login information; by default the username is “admin” and the password is “pineapplesareyummy”. Figure 1: Login Prompt for X-Wrt 6. By default wireless functionality on the router is disabled, enable it by going to the “Network” tab Team Iota Modified Man-in-the-Middle Attack Page 5 7. Select the sub-tab “Wireless”. 8. Enable the wireless radio by selecting the “On” option on the “Radio” line under the first heading “Wireless Adapter wifi0 Configuration”. Figure 2: Enabling the wireless radio 9. Increase “Tx Power” to 11dbm; this will increase the power output to the wireless antenna, which increases the Wi-Fi signal strength. This will improve connections and speeds. 10. Create an ESSID; we used “PineappleWiFi”. 11. Set “Encryption Type” to “Disabled”. 12. Select the “Save Changes” button located on the bottom right of the page. 13. Select “Apply Changes” on the bottom of the page, wait for the device to apply the settings. 14. In your browser’s address bar type in 192.168.1.1:1471 15. Connect to Jasager using your Pineapple’s username and password a. Note by default the username is “admin” and password “pineapplesareyummy” 16. By default Karma, the back-end program powering Jasager’s functionality, is turned off. Enable it by selecting the “Change button” next to the line labeled “Karma is current: On/Off” 17. Jasager will now begin to automatically scan for computers looking for familiar wireless networks and initiate a connection with them. On the victim’s end it will appear as if they are connected to one of their preferred clients. 18. Under the “Connected Clients” section of the Jasager Interface Page you will see all devices connected to the Pineapple. Team Iota Modified Man-in-the-Middle Attack Page 6 Figure 3: Example of Connected Devices on Jasager 19. Choose a device, and under the “Commands” column select “Portscanner” from the dropdown list. Hit the “Execute” button. a. This will run a portscan of the client and the display the results in the log window, located in the bottom right quadrant. In the top right quadrant of the Jasager interface, “Status/Main Controls,” you can select SSIDs to exclude from Jasager’s attack list. This creates safe networks which will not be mimicked; it is useful for keeping yourself on your own network. From the “Commands” column of the “Connected Clients” quadrant, select “Add to SSID list” which will automatically add the SSID the client is connected through to the SSID whitelist. You can also enable MAC filtering by selecting the “Change” button on the line reading “MAC address filtering is currently: On/Off”. Below that you can add specific MAC addresses to the whitelist or select a connected client from the “Commands” column executing the “Kick MAC” command. Both methods whitelist a specific machine keeping it from being compromised, which is useful for keeping specific machines from being attacked. 20. At this point clients connected to the Pineapple are on the same local network as your machine. This allows for packet sniffing clients like Wireshark to be run, as well as exploit programs like Metasploit, and other penetration testing methods. Team Iota Modified Man-in-the-Middle Attack Page 7 Disconnecting Devices Currently Connected to a Network The above section described how to get new clients seeking wireless network access; it does not force clients already connected to a client to connect to your network. This section outlines how to use packet injection techniques to send deauthentication packets to clients. These deauthentication packets disconnect the client from the network they are currently connected to, forcing them to reconnect. At this point, the Jasager application mimics the client’s most preferred network forcing it to connect to your network on the Pineapple. 1. Boot up Backtrack Linux Version 4 Revision 2 2. Start the WICD-Curses interface to look for local wireless access points. Open the WICDCurses interface by going to Start -> Software -> Networking -> WICD-Curses 3. You should now see a list of access points in the area as well as some clients connected to them. The access point will be identified by the MAC address of the access point which can be found in the column labeled “BSSID”, you should take note of the wireless channel the device is operating on (1, 5, 6, 11, and 12 are the most common). 4. Place your wireless card into “monitor mode” by using Aircrack-ng a. Type “airmon-ng start [your NIC’s name – identified with wlan0 for the rest of the tutorial] –channel of the access point you’re deauthing 5. Begin injecting deauthentication packets to networks. a. Type “aireplay-ng -0 30 –a XX:XX:XX:XX:XX:XX (–c YY:YY:YY:YY:YY:YY) “interface” i. The -0 indicates we’re initiating a deauthentication attack ii. The 30 is the number of deauth packets we’re sending out, this can be any number (0 will send them out continuously) iii. –a followed by XX:XX:XX… is the MAC address of the access point you’re trying to deauthenticate devices from, it is found in the BSSID column above iv. You may use the –c YY:YY:YY… (without the parenthesis) operator to deauthenticate specific clients from the network, useful for targeting a single machine. Leave out this operator to deauthenticate all connected clients. v. “interface” is where the interface name of the card you’re using for the attack goes. It can be ath0 or mon0 but may vary based on the card you’re using, - you’ll see the interfaces name listed after running airmonng tool. 6. Either all clients associated with an access point or a targeted machine should now be disconnected from their current network. 7. The clients will attempt to reconnect to their preferred networks sending out a beacon request. This sends out packets asking if “is preferred network 1 here?” The Pineapple running Jasager will respond “yes, I am preferred network 1” and force a connection. 8. You can confirm a client’s connection by going back to the Jasager interface and checking under the “Connected Clients” section. Team Iota Modified Man-in-the-Middle Attack Page 8 Sources "Deauthentication [Aircrack-ng] ." Aircrack-ng. N.p., n.d. Web. 7 Feb. 2011. <http://www.aircrack-ng.org/doku.php?id=deauthentication>. Gardner, Jason. "Computer Hacking and Unauthorized Access Laws." NCSL Home. NCSL, May 2009. Web. 13 Apr. 2011. <http://www.ncsl.org/default.aspx?tabid=13494>. IEEE standard for Information technology telecommunications and information exchange between systems-- local and metropolitan area networks-- specific requirements.. New York, N.Y.: Institute of Electrical and Electronics Engineers, 2003. Print. Kitchen, Darren, and Shannon Morse. "Hak5 – Episode 705 – Airport WiFi Challenge and your Ultra Software Picks." Hak5 – Technolust since 2005. Revision 3 Networks, 17 Mar. 2010. Web. 5 Feb. 2011. <http://www.hak5.org/episodes/episode-705>. "Main Page - BackTrack Linux." BackTrack Linux – Penetration Testing Distribution. BackTrack Linux Team, n.d. Web. 5 Feb. 2011. <http://www.backtracklinux.org/wiki/index.php/Main_Page>. "Main Page - FON Wiki Beta."Main Page - FON Wiki Beta. N.p., n.d. Web. 7 Feb. 2011. <http://wiki.fon.com/wiki/Main_Page>. McBride, Thea. "What Trouble Can Computer Hacking Get You Into? | EHow.com." EHow. Web. 13 Apr. 2011. <http://www.ehow.com/facts_5965604_trouble-can-computer-hackinginto_.html>. Wood, Robin . "Jasager | Karma on the Fon - Installation." DigiNinja. N.p., n.d. Web. 7 Feb. 2011. <http://www.digininja.org/jasager/installation.php>. "Wireshark · Documentation." Wireshark · Go deep.. N.p., n.d. Web. 7 Feb. 2011. <http://www.wireshark.org/doc/>. Team Iota Modified Man-in-the-Middle Attack Page 9