WEBVTT

00:00.270 --> 00:03.410
This is the wireless access point for my little office here.

00:03.420 --> 00:10.440
Total Seminars is not that big of an office, so we only need one AP, and this guy is passing out an SSID

00:10.440 --> 00:12.450
of "private," say.

00:12.630 --> 00:13.350
And it works great.

00:13.350 --> 00:19.440
We've got WPA2 encryption on there, big long shared keys, so it's very, very hard to crack them.

00:19.440 --> 00:26.250
But what would happen if somebody came into the office, you know, that Bob over in sales, and he doesn't

00:26.250 --> 00:30.480
like how good of a signal he's getting over there. He doesn't want to bother the I.T. department. He's not

00:30.480 --> 00:33.310
evil, Bob's just a little dumb.

00:33.330 --> 00:38.880
So Bob comes in and he gets one of these little home routers from his local computer store, and he takes

00:38.880 --> 00:43.440
this and he plugs it into my wired network.

00:43.440 --> 00:45.180
Now think about that for a minute.

00:45.180 --> 00:47.520
Now again, Bob is not evil, he's just dumb.

00:47.580 --> 00:55.830
But what you've just done is you've given people access to the network via an unauthorized access point.

00:55.830 --> 01:04.160
So we call this a rogue AP. So a rogue AP is nothing more than an unauthorized access point, so they happen

01:04.160 --> 01:06.230
innocently enough, and it does happen.

01:06.240 --> 01:08.940
Now if this happened we would know fairly quickly.

01:08.940 --> 01:16.060
Number one, Bob would be shooting out an SSID of Linksys or whatever the default SSID is there.

01:16.060 --> 01:19.930
This thing's probably got a built-in DHCP server, be messing up the network.

01:20.010 --> 01:24.740
Passing out some crazy, like, 192.168.0.1 IP address range.

01:24.900 --> 01:29.920
And we would yell at Bob, shake his finger, and make him buy lunch the next day.

01:30.030 --> 01:33.560
But what if we took it another step?

01:33.620 --> 01:41.330
What if we took this access point and, instead of just innocently plugging it in,

01:41.330 --> 01:45.590
what if we intentionally gave it the SSID of private?

01:45.590 --> 01:49.290
Well, you now have what's known as an evil twin.

01:49.390 --> 01:53.630
Now rogue access points and evil twins don't have to be devices like this.

01:53.630 --> 01:58.560
As long as you have some type of Internet service, so people don't know that they're on the wrong thing,

01:58.640 --> 01:59.950
you can get away with that.

01:59.960 --> 02:06.260
I can take this phone right here, make it a hotspot, and give it an SSID of private. People could get

02:06.260 --> 02:07.670
on the internet with this thing.

02:07.670 --> 02:12.080
They couldn't get to my actual network because it's not plugged into my network, and whoever has this

02:12.080 --> 02:14.130
phone is going to get a really big bill.

02:14.210 --> 02:17.580
But this could easily be an evil twin.

02:17.580 --> 02:20.740
It can also be a rogue access point if you don't do it on purpose.

02:20.750 --> 02:26.600
So what I want to talk about is some of the fun that we can have with evil twins in particular.

02:26.600 --> 02:33.950
Now what I've got here is, so I've got my access point and I've got my laptop right here that's running

02:33.950 --> 02:39.080
Kali Linux, and built into Kali Linux are a lot of tools. I'm going to assume you have the right network

02:39.080 --> 02:39.680
card.

02:39.770 --> 02:43.830
I can make this thing look, act, smell, and taste like an access point.

02:44.000 --> 02:45.190
Everything I need.

02:45.200 --> 02:50.450
The problem that I have here is that everybody's still connecting to this physical access point.

02:50.510 --> 02:55.300
So a really easy way to take care of that is to get one of these.

02:55.330 --> 02:59.740
This is what we call an 802.11 jammer.

03:00.220 --> 03:04.960
OK, it's not an 802.11 jammer, it's really just a piece of styrofoam with a stick stuck in it.

03:04.990 --> 03:11.110
And the reason it is is because 802.11 jammers are completely illegal in the United States, so I don't

03:11.110 --> 03:13.270
have one, but here's a picture of a few.

03:13.270 --> 03:14.830
So you get an idea of what they look like.

03:17.600 --> 03:21.410
Now if I have one of these jammers I can do some very interesting things.

03:21.410 --> 03:26.030
These jammers, for example, can be programmed a million different ways. I can set this jammer up to jam

03:26.030 --> 03:31.960
the entire 2.4 gigahertz spectrum, and if everybody was running just on 2.4 gigahertz,

03:32.000 --> 03:34.700
you've got the best denial of service you've ever seen in your life.

03:34.700 --> 03:40.170
I could knock everybody off completely, but we can do stuff that's a little bit more sophisticated.

03:40.310 --> 03:46.430
One of the things that we can do is I can take this jammer and I can program it to be on channel 6. So

03:46.430 --> 03:52.550
I can do a quick survey using either my phone or a regular laptop and I can see that private is currently

03:52.550 --> 03:54.010
on channel 6.

03:54.080 --> 04:00.790
So as long as I'm close enough to jam the signal, I can drop this jammer down and jam up channel 6.

04:00.800 --> 04:07.730
In the meantime, my little laptop over here, who's an evil twin of private, is now on, say, channel

04:07.780 --> 04:15.470
one, and any wireless device is designed so that if a particular channel messes up, it jumps and looks for

04:15.470 --> 04:18.100
the SSID on a different channel.

04:18.110 --> 04:20.600
Now if I don't have the username and passcode?

04:20.630 --> 04:21.420
No big deal.

04:21.470 --> 04:26.870
All I'm going to have to do is, as soon as they link into this, I can have a redirect page pop up that says

04:27.320 --> 04:35.450
"Welcome to private, please enter the passcode," and count on at least 15 percent of all people to not realize

04:35.450 --> 04:37.160
that that's not the right way to do it.

04:37.160 --> 04:37.880
Bingo.

04:37.880 --> 04:39.620
I've got myself the code.

04:39.740 --> 04:45.710
The cool part about this is that, again, I'll provide Internet access here just as well, so I could put

04:45.710 --> 04:48.670
a cellular WAN card in here, whatever I might want to do.

04:48.890 --> 04:54.710
And for a lot of people they're not going to realize that they're not on the correct wireless network

04:54.710 --> 04:55.360
anymore.

04:55.520 --> 05:00.170
And I have now generated what's known as an absolute perfect man in the middle attack.

05:00.170 --> 05:00.830
Absolutely.

05:00.830 --> 05:02.930
Go into Google, do whatever you want to do.

05:03.020 --> 05:08.030
In the meantime I'm running Wireshark or something like that and monitoring everything that's taking

05:08.030 --> 05:14.990
place in terms of traffic between you and whoever else you might want to talk to. The downside to this

05:14.990 --> 05:20.180
type of attack is that it needs one of these, and wireless jammers really are difficult to get here in

05:20.180 --> 05:20.960
the United States.

05:20.960 --> 05:24.760
They are federally illegal, but you don't really need it.

05:24.770 --> 05:29.990
We can get rid of this completely and instead do something called a deauthentication attack.

05:29.990 --> 05:31.280
Let me show you how that works.

05:31.280 --> 05:37.550
So here's my little network, here's my wireless access point that's broadcasting out on, say, channel 6,

05:37.910 --> 05:44.330
and the SSID is stuff. Now right here is just one of my many clients, and he's made a good connection

05:44.570 --> 05:45.430
to this guy.

05:45.620 --> 05:52.580
And what I can do, using the right tools, so let me go and bring in my evil Kali laptop that's running

05:52.760 --> 05:54.390
with the cool wireless NIC.

05:54.560 --> 06:00.410
I can actually run programs that will show me all of the clients that are authenticated to this particular

06:00.410 --> 06:02.030
wireless access point.

06:02.360 --> 06:08.870
And I can then use that information to send out what are known as deauthentication, or more quickly

06:08.870 --> 06:10.880
known as deauth, commands.

06:10.970 --> 06:18.290
These commands basically tell those clients that they need to get off of this wireless network.

06:18.290 --> 06:19.790
They'll get off the network.

06:19.970 --> 06:25.460
And then what we want them to do is to connect to us, and then once again our man in the middle

06:25.460 --> 06:32.120
attack is running perfectly. Rogue access points are a real problem, whether it's an unintentional, innocent

06:32.180 --> 06:37.670
rogue access point or somebody doing something very dangerous by creating an evil twin.

06:37.670 --> 06:41.220
They can be a real problem on our wireless networks.
