1
00:00:02,670 --> 00:00:11,880
Evil twin attack is an interesting variant of client hack attack. It targets business WLAN clients. Attackers

2
00:00:11,930 --> 00:00:19,390
have to set up an access point with an SSID that is expected by a user. The rogue access point has

3
00:00:19,390 --> 00:00:23,760
to emit a signal that's greater in strength than the legitimate access point's.

4
00:00:27,040 --> 00:00:33,260
A user knows that enterprise networks are protected and they have to log in to connect.

5
00:00:33,270 --> 00:00:41,180
That's why a rogue access point will also employ a login mechanism. A RADIUS server verifies user credentials

6
00:00:41,180 --> 00:00:42,890
in business networks.

7
00:00:46,070 --> 00:00:52,130
Our access point will also be a RADIUS server client, but unlike a legitimate RADIUS server, the evil

8
00:00:52,210 --> 00:00:56,670
server will authenticate all users regardless of submitted logins and passwords.

9
00:01:02,140 --> 00:01:05,370
This means that users will always connect to our access point.

10
00:01:07,640 --> 00:01:13,100
Whether or not they will be granted Internet access depends on our access point configuration and our

11
00:01:13,100 --> 00:01:14,520
subsequent agenda.

12
00:01:16,450 --> 00:01:21,820
Until we physically connect our access point to a business network, users will not be able to access

13
00:01:21,820 --> 00:01:26,240
the network.

14
00:01:26,260 --> 00:01:28,480
The damage, however, is already done.

15
00:01:29,450 --> 00:01:33,140
A user sent his credentials to an attacker freely.

16
00:01:33,290 --> 00:01:42,020
He had to do it because the access point, a RADIUS server client, had to send them to the server.

17
00:01:42,090 --> 00:01:47,460
The data will either be sent in clear text or as a challenge-response message, depending on the RADIUS

18
00:01:47,490 --> 00:01:50,570
configuration.

19
00:01:50,760 --> 00:01:55,080
If the PAP protocol was used, the data will be transmitted in clear text,

20
00:01:58,400 --> 00:02:01,540
because an attacker is not trying to make his own life more difficult.

21
00:02:01,790 --> 00:02:10,040
He'll set his rogue access point and RADIUS server to use PAP. RADIUS clients negotiate different authentication

22
00:02:10,040 --> 00:02:14,450
levels from a list configured by an administrator.

23
00:02:14,560 --> 00:02:22,780
If the user agrees to use PAP, it's very simple from then on. If it doesn't and goes on to negotiate a

24
00:02:22,780 --> 00:02:25,140
higher-level authentication protocol,

25
00:02:25,360 --> 00:02:33,750
for example MS-CHAP, the challenge-response message will be encrypted with the user password. The

26
00:02:33,750 --> 00:02:35,700
encryption will have to be reversed.

27
00:02:36,750 --> 00:02:39,480
This operation will take us about 15 seconds.

28
00:02:43,020 --> 00:02:43,650
At this point

29
00:02:43,650 --> 00:02:45,870
an attacker has obtained the user credentials.

30
00:02:48,620 --> 00:02:56,190
If he manages to physically connect to an enterprise network, he can, for example, log in as the victim.

31
00:02:56,210 --> 00:03:01,300
The fact that a user is connected to an access point means that the attacker is fully able to control

32
00:03:01,310 --> 00:03:04,000
a client.

33
00:03:04,030 --> 00:03:10,240
In this scenario we did not expect any need for major user activity. The client was only expected to

34
00:03:10,240 --> 00:03:15,690
connect to an access point.

35
00:03:15,700 --> 00:03:19,170
What are the countermeasures? As a rule,

36
00:03:19,220 --> 00:03:25,260
you shouldn't only prove your identity to an access point. The access point should also prove its identity

37
00:03:25,260 --> 00:03:28,600
to you by way of mutual authentication.

38
00:03:28,610 --> 00:03:31,670
This would help prevent impersonating a trusted access point.

39
00:03:34,360 --> 00:03:41,360
Mutual authentication can easily be configured in Windows systems locally or using group policies.

40
00:03:41,440 --> 00:03:46,060
You can see the latter configuration below.

41
00:03:46,120 --> 00:03:51,380
In EAP settings you can select whether you want to verify the identity of an access point or RADIUS

42
00:03:51,400 --> 00:03:55,490
server. If it's checked,

43
00:03:55,490 --> 00:03:58,580
next select the certificate to be used for verification.

44
00:04:03,600 --> 00:04:08,900
A RADIUS server is required to present its valid certificate that matches a certificate issued by a

45
00:04:08,900 --> 00:04:16,570
public certification authority. A common error in managing enterprise networks is failing to require

46
00:04:16,570 --> 00:04:20,400
mutual authentication.

47
00:04:20,400 --> 00:04:26,890
Another problem is accepting all the certificates pre-installed in a Windows system.

48
00:04:26,890 --> 00:04:33,040
This means that to run an attack, a potential intruder will only need to buy a valid certificate, which

49
00:04:33,040 --> 00:04:36,760
costs about 100 dollars.

50
00:04:36,870 --> 00:04:42,260
You should only trust certificates that were issued by your certification authority.

51
00:04:42,270 --> 00:04:45,020
You also need to have your own public key infrastructure.