Cool and Illegal Wireless Hotspot Hacks

| July 19, 2006

So, why write an article called “Cool and Illegal Wireless Hotspot Hacks” that details how to perform hotspot hacks?  Some would say it is irresponsible and enables those with ill intent to hack unsuspecting victim’s machines.  It really depends which way you look at it.  Would you rather be left in the dark on what types of attacks can occur, how they are performed and not know how to protect yourself against them?  Doing so would not make the threats go away; in part, you would simply be denying that they exist.  Surely, it is safer to be open and honest about the threats, understand how they can occur then become educated on and implement the appropriate countermeasures.  In large part, that is why my articles always detail not only how to perform the hacks, but really focus on how to protect against them.  The purpose is not to teach people how to hack, but rather to educate on how to prevent systems from being exploited.

Now, on with the hacks/cracks/techniques that you will hopefully find to be “cool,” informative and which are most certainly illegal.

The Wireless Hotspot Hacks

Wireless hotspots are everywhere.  With T-Mobile, Concourse, Wayport, etc., a mobile user can obtain connectivity quickly and easily in a wide variety of public locations.  Some of these hotspots are free and some of them require a fee or subscription.  Either way, you will continue to see how being in a public Wi-Fi hotspot poses the greatest security risk you will find.

Stealing Wi-Fi Hotspot Subscription Credentials

A big issue a few years back had to do with dial-related fraud in Russia.  Basically, usernames and passwords to dial accounts were being bought and sold on the black market and the owner’s of the stolen credentials were being hit with enormous usage charges.  In actuality, this still takes place.  With the onset of Public Wi-Fi locations, the threat of fraud and misuse has also moved to the stealing of wireless subscription credentials.

An easy and inexpensive method to steal wireless subscription credentials is by AP Phishing.  As it stands today, the only real methods a typical end-user has to determine if a wireless access point is valid is by recognizing the SSID and ascertaining if the site has the look and feel of the real public Wi-Fi hotspot login page.  Unfortunately for the end-user, both of these can be easily spoofed. Here’s how it’s done and no, you won’t have to carry a wireless access point around to do this.

Performing this technique requires two steps:

  • Setting up your computer to look like an actual Access Point broadcasting the appropriate SSID (T-Mobile, Wayport, etc.)
  • Having the walled-garden, or login page that your computer will display look like the real login page of the provider whose signal you are broadcasting

It’s not hard to make your computer broadcast the SSID of your choice, in an attempt to get a person to connect to you instead of a valid Wi-Fi hotspot SSID.  The problem with the ‘easy way’ is that the potential victim sees that this is an Ad-Hoc network and most people these days know not to connect to these.  So, we employ the use of Airsnarf by the Schmoo Group to make this signal look like it’s coming from an Access Point.  Essentially, we will be turning the laptop into an Access Point.

The most difficult part of using Airsnarf and other HostAP-reliant programs is finding a card that supports the HostAP drivers.  Personally, I use the Senao NL-2511CD PLUS EXT2 200mw PCMCIA Wi-Fi with a Rover Portable Laptop Mount 2.4GHz 5.5dBi Antenna.  Both of these can be purchased from http://www.wlanparts.com/ (Thanks to Tom’s Networking for detailing this hardware info a while back).

Airsnarf consists of a number of configurable files that control how it operates.

 Cool and Illegal Wireless Hotspot Hacks - airsnarf.cfg

airsnarf.cfg file used to configure basic Airsnarf functionality

Cool and Illegal Wireless Hotspot Hacks - airsnarf.cfg pic2

airsnarf.cgi file

With Airnsnarf configured with default settings, it will display a default login page that looks like the following:

Cool and Illegal Wireless Hotspot Hacks - Default Login Page

This default page will take the username and password that is entered and dumped into a file where it can be read.

To make this attack really work, this login page needs to be modified to look just like a real Wi-Fi hotspot provider’s login.  Depending upon your HTML skills, you can either get real fancy or just stick to basics.  For this proof of concept, I’m going to keep it very simple.  Of course, it wouldn’t be difficult to go to a T-Mobile, Wayport, STSN, Concourse or any other hotspot provider’s site and essentially copy-and-paste their graphics to make the login page look just like theirs.

Once Airsnarf is configured and the customer Login page is created, the attack can be launched.  Any airport, coffee shop, or other public area where people utilize their laptops will work.  To launch the attack, activate Airsnarf by typing the ./airsnarf command.  Below is an example of what you’ll see when the attack is launched.

Cool and Illegal Wireless Hotspot Hacks - Airsnarf waiting for connection

Airsnarf being launched and waiting for a connection

An end-user attempting to connect to the hotspot will see the SSID that was entered into the airsnarf.cfg file and use their computer to connect to that network.  Upon launching their browser, they will be prompted to enter their username and password.

Cool and Illegal Wireless Hotspot Hacks - Windows Zero Config showing T-Mobile

Windows Zero Config showing the T-Mobile HotSpot being broadcast by Airsnarf

Cool and Illegal Wireless Hotspot Hacks - Fake Login Page

Fake Walled Garden/Login Page presented by Airsnarf

Once the user enters their credentials and hits the Login button, their credentials have been compromised and can be used by the person with ill-intent.  This could be only the beginning, though.  Commonly, users will utilize the same username and password for many different accounts/websites.  Consequently, the username and password that were just grabbed may enable a hacker to access the user’s e-mail, online banking, etc.

Cool and Illegal Wireless Hotspot Hacks - Credential Dumping

Example of credentials entered into Airsnarf AP Phishing Site and dumped to a file

Another variation of this above trick is to change the SSID to something like “Free Public Wi-Fi,” at which point, you can change the login page to something creative, such as the following:

Cool and Illegal Wireless Hotspot Hacks - Creative Login Page

Without question, there will be users that will fall for this trick and you now have access to their e-mail.

Malicious Websites and Browser Exploits

Given the knowledge of the aforementioned exploits, a creative combination could be had.  What if the walled garden/login page in the previous exploit actually contained code that would exploit a user’s machine?  That way an attacker could gain access to an end-user system just by that user attempting to connect to what they believe is a valid Wi-Fi hotspot.  An exploit that could take advantage of this is Microsoft’s relatively recent Create Text Range vulnerability.  All a hacker would need to do is copy the malicious code into the login page and every person who connected to that hotspot could potentially be exploited.

Cool and Illegal Wireless Hotspot Hacks - Malicious Code

Part of the actual code that could be inserted into a webpage to automatically download and run a malicious executable on the victim’s machine just by that user viewing the webpage.

That would be “cool,” but we’re going to take it a step further.  What if people who were currently connected to the hotspot were “forced” to view a malicious page, regardless of the URL they entered into their browser?  That would be “cooler!”

This hack contains the following steps:

  • Creating a malicious webpage and serving-it-up on a laptop
  • Redirecting traffic at a Public Wi-Fi Hotspot to that malicious webpage running on the laptop
  • As the victim is redirected and the malicious page is viewed, a browser-based exploit is run which gives the hacker a live command shell (c:) on the victim’s machine

So, the hacker goes to a Public Wi-Fi hotspot and connects to the network.  He then launches Metasploit to create the malicious webpage and serve-it-up.

Cool and Illegal Wireless Hotspot Hacks - msfconsole

Commands to use  Microsoft’s Create Text Range vulnerability and to select the option of creating a reverse shell back to the hacker once the exploit is executed

Cool and Illegal Wireless Hotspot Hacks - msfconsole 2

The setting of various options for the exploit

Cool and Illegal Wireless Hotspot Hacks - msfconsole 3

With all options set properly, the web page is served-up and ready to exploit the machine by running the “exploit” command

Now that there’s a machine on the hotspot network running a malicious webpage, it’s necessary to redirect traffic destined for the Internet to that website.

Cool and Illegal Wireless Hotspot Hacks - arpspoof

Run the arpspoof command to redirect traffic destined for the Internet to the malicious webpage.

Cool and Illegal Wireless Hotspot Hacks - dnsspoof

Running dnsspoof, you can see that a user attempted to go to foxnews.com but was redirected to the malicious webpage.

Cool and Illegal Wireless Hotspot Hacks - Bad Page

This is the page that contains the malicious content that will enable a hacker to connect to the victim machine via Netcat.  This page appears regardless of the URL entered by the end-user.  This page could look like and say anything.

Cool and Illegal Wireless Hotspot Hacks - netcat

The hacker then launches Netcat.  The C: is on the victim’s machine which is real bad news for the victim.  FYI – Windows XP Firewall and Symantec AV were running the entire time.

If you didn’t want to go to a public Wi-Fi hotspot and serve-up the webpage, you could just host the website somewhere and send out e-mails trying to convince people to go to the site.  With Metasploit, for example, the payload doesn’t have to be a reverse shell, you can have the malicious webpage download and execute a malicious file.  Perhaps that malicious file would install a Trojan, Keylogger, or other Malware.

Cool and Illegal Wireless Hotspot Hacks - payload

Examples of possible Metasploit Payloads for ie_createtextrange exploit.

Now that we’ve seen the “cool” and illegal hacks, let’s talk about the real purpose of this article – Prevention!

Preventing the Hacks

There are basically two things to combating the previous hacks:

  • Taking measures to ensure a hotspot is valid
  • Protecting the machine against browser-based exploits

Ensuring a Hotspot is Valid

Validating a hotspot is extremely difficult for an end-user to do.  In fact, the only realistic method to do so is to use a wireless client designed to work with various hotspots that can use some sort of WISPr check to help ensure the Hotspot is what it says it is.  I used T-Mobile in the above example in large part because they are one of the few providers that can utilize this type of functionality.  In fact, the best solution I know for enterprises to protect against public hotspot AP Phishing for their mobile users is to use a client such as Fiberlink’s e360.  Using a client such as this provides two areas of protection:

  1. The hotspot signal itself can be validated
  2. The end-user doesn’t enter their credentials into a webpage which can be faked. They select a signal with the client and enter the credentials in that client.

Note that in the below graphic, a valid T-Mobile HotSpot is displayed as “Fiberlink Wireless Premium Powered by T-Mobile” as opposed to just “tmobile.”  That is because the client has determined that the particular hotspot in question is, in fact, a valid T-Mobile HotSpot.  If it were not valid a valid hotspot, the SSID would simply be displayed as it is being broadcast.

Cool and Illegal Wireless Hotspot Hacks - Display SSID

Client-based solution that helps mitigate risk by helping to validate a hotspot.

As mentioned in the second point, the user enters their credentials into the client not into a web-based form.  For many obvious reasons, this is significantly more secure.  With this particular client, both the username and password are immediately encrypted with 256-bit AES.

Cool and Illegal Wireless Hotspot Hacks - Enter Credentials Into Fake Client

The entering of credentials into a client as opposed to an easily spoofed webpage.

Protecting the Machine Against Browser-based Exploits

As with many exploits, the key is to have the mobile device be protected at all times.  To protect against these exploits, the mobile device needs to:

  • Have the latest security patches installed. This is increasingly difficult to do for corporations as laptops are spending less and less of their time connected to the corporate LAN. This is bad, since many corporations can only push patches to machines when they are on the LAN. Consequently, corporations need to employ solutions that can push patches down to mobile devices anytime they are connected to the Internet and without end-user interaction.
  • Be restricted from surfing the Internet or connecting wirelessly if they do not have the latest patches. This makes sense. If you are not secure enough to surf the Internet or connect to wireless hotspots, because you do not have a necessary patch, you shouldn’t be able to do so. In essence, you need to protect yourself from yourself. For corporations, they are beginning to look at functionality such as Cisco NAC to help with this. Unfortunately, Cisco NAC only quarantines on the LAN or Post-VPN. It won’t analyze the security posture of the mobile device or quarantine it if it doesn’t have the necessary patches until it is essentially too late. That’s why corporations need to implement solutions that will quarantine and remediate devices while the device is mobile, not just when they are VPNing into the corporate network. The logic for assessing the security posture and for quarantining needs to be on the endpoint itself!
  • Employ a program to protect against Zero Day type of attacks such as a Personal Firewall with IPS capabilities. As an example, even if the above machine weren’t patched, ISS’ Proventia would protect a machine against the aforementioned browser exploit.

Conclusion

I hope you’ve seen how easy it is to trick and exploit users when they are in a wireless environment.  I also hope that in seeing how these exploits actually take place and seeing how to help prevent them, you and your corporation are better protected.

Special thanks to the Metasploit Project and Schmoo Group.  The use of your tools in explaining how the exploits are performed and the work you have put into the development of these tools is invaluable and appreciated.

Be sure to create and account on EthicalHacker.net to automatically be informed via e-mail of new articles by this author.

Tags:

Category: Hoffman

Comments are closed.