This is the second in a new series called "Hello, Friend". In this series, FIREFX's US Army trained Cyber-Experts will tackle common and emerging cyber-threats and cyber awareness, and try to keep it at a level that anyone (even a non-hacker) can understand. Our goal with this series is to better educate you and help you and your clientele become "Hard Targets" to hack.
If you have questions regarding this or other cyber-security threats please feel free to email or call us directly.
"Hello Friend... Pineapples, VPNs, And The Man In The Middle"
Pineapples can be used in selective, targeted attacks to compromise individuals or organizations, or they can be used to infect mass targets at large public gathering places with open networks such as hotels, airports and coffee shops. These target-rich environments allow hackers to infect large groups of users for later exploitation. Hacked accounts can be either manually exploited later or sold in blocks for Bitcoin on the dark web.
Have you or any of your clients ever used public WiFi at a hotel, airport, coffee shop, or store? Then you may be susceptible to an automated Man-In-The-Middle (MiTM) attack that can hack your computer in a matter of minutes with a Fully Undetectable (FUD) exploit running in the background. How, you might ask? By using one of the hacking community's favorite tools... a WiFi Pineapple.
Basically, the WiFi Pineapple (https://wifipineapple.com/) is a WiFi honeypot that allows users to carry out MiTM attacks. WiFi Pineapples can cost as little as $99. Connected clients' traffic goes through the attacker, which makes the attacker capable of pulling a number of tricks. Because the WiFi Pineapple is equipped with 2 radios, it can work in client mode, meaning it can piggyback on a nearby legitimate WiFi network and bridge the victim's connections onto it.
MiTM attacks make it possible for hackers to potentially see or manipulate Internet traffic which the user believes to be private. Almost any type of Internet connection can be hacked in this way if the end user is compromised or the platform itself is vulnerable. MiTM attacks allow hackers to insert themselves between the user and the website or service they are trying to use. This allows them to read the victim's emails, see what websites they're visiting, steal valuable personal information, or impersonate the user by stealing session cookies, passwords and more.
KARMA: At the heart of the Pineapple lies a nifty attack tool called KARMA. It works by exploiting how trusting devices handle probe requests and responses. The KARMA attack takes advantage of the fact that your wireless devices send probe requests to determine which wireless networks are nearby. The attack is relatively straightforward, but I find that some pictures can help illustrate the situation. First, let's look at an association that is proper and secure:
The Wi-Fi access point periodically sends out a beacon frame that indicates the network SSID, which identifies the Wi-Fi network. When a client system receives a beacon frame with an SSID that it remembers, it may associate with the wireless network.
Now let's look at a client system that is tricked by KARMA:
Rather than passively monitoring beacon frames from access points, the client here sends out a probe request for networks that it knows about. The KARMA attack now becomes obvious: the attacker simply needs to listen for the client to send a probe and respond as the SSID that the client requested. The impact is that a client system may connect to a network other than the one the user expects. At this point, the attacker can perform MiTM or other attacks on the client system.
Your wireless devices, by default, constantly try to connect to the last networks they were on. To accomplish this they actively scan their wireless neighborhood by sending out probe requests. (A probe request is a special frame sent by a client station requesting information from either a specific access point, specified by SSID, or all access points in the area, specified with the broadcast SSID.)
Normally, access points (APs) that don't broadcast the requested SSID just ignore the probe request. The correct AP responds with a probe response and the client initiates association with that AP again. That's how we connect to our home or work network as soon as we arrive. That is convenient and user-friendly, but a malicious device running the KARMA attack can break this "honor-code" based system. The Pineapple responds as whatever AP the device is asking for, deceiving the device into believing it is home, in a coffee shop, at the airport or in a hotel.
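The behaviour described above also gives defenders a fingerprint: a legitimate AP only answers probes for the SSID(s) it actually serves, while a KARMA device answers for every SSID it is asked about. The following is an added example (not from the original article or from the WiFi Pineapple project) that runs this check over a constructed list of simplified probe request/response records; the MAC addresses, SSIDs and the threshold of 3 are all assumptions.

```python
"""Heuristic detector for KARMA-style probe-response spoofing.

Added example, not from the original article. It works on a constructed
list of simplified 802.11 management frames (dicts) rather than a live
capture, so it runs offline. One transmitter MAC (BSSID) answering probe
requests with many distinct SSIDs is the fingerprint of a device that
says "yes" to whatever network the client asks for.
"""
from collections import defaultdict

# Constructed sample frames: "probe_req" comes from a client station,
# "probe_resp" from an access point. Addresses and SSIDs are made up.
SAMPLE_FRAMES = [
    {"type": "probe_req",  "src": "aa:bb:cc:00:00:01", "ssid": "HomeNet"},
    {"type": "probe_resp", "src": "02:13:37:00:00:01", "ssid": "HomeNet"},
    {"type": "probe_req",  "src": "aa:bb:cc:00:00:02", "ssid": "AirportFree"},
    {"type": "probe_resp", "src": "02:13:37:00:00:01", "ssid": "AirportFree"},
    {"type": "probe_req",  "src": "aa:bb:cc:00:00:03", "ssid": "HotelGuest"},
    {"type": "probe_resp", "src": "02:13:37:00:00:01", "ssid": "HotelGuest"},
    {"type": "probe_req",  "src": "aa:bb:cc:00:00:04", "ssid": "CafeWiFi"},
    {"type": "probe_resp", "src": "de:ad:be:ef:00:02", "ssid": "CafeWiFi"},
    {"type": "probe_resp", "src": "de:ad:be:ef:00:02", "ssid": "CafeWiFi"},
]


def requested_ssids_per_responder(frames):
    """Map each responding BSSID to the set of SSIDs it claimed that some
    client had actually asked for (ignores unsolicited/unrelated names)."""
    requested = {f["ssid"] for f in frames if f["type"] == "probe_req"}
    claimed = defaultdict(set)
    for f in frames:
        if f["type"] == "probe_resp" and f["ssid"] in requested:
            claimed[f["src"]].add(f["ssid"])
    return claimed


def find_karma_suspects(frames, threshold=3):
    """Return {bssid: [ssids]} for responders that answered probes for at
    least `threshold` distinct SSIDs. The threshold is an assumption: a
    real AP serving several SSIDs would need a higher value or an allow-list."""
    return {bssid: sorted(ssids)
            for bssid, ssids in requested_ssids_per_responder(frames).items()
            if len(ssids) >= threshold}


if __name__ == "__main__":
    for bssid, ssids in find_karma_suspects(SAMPLE_FRAMES).items():
        print(f"suspect {bssid} answered as {len(ssids)} networks: {', '.join(ssids)}")
```

On the sample data only 02:13:37:00:00:01 is flagged, since it answered three different client requests with three different SSIDs, while the second responder only ever claimed one.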
EVIL/INFERNAL TWIN: Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications. An evil twin is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider. This can also be implemented with a WiFi Pineapple device.
The evil twin AP is an access point that looks and acts just like a legitimate AP and entices the end-user to connect to the attacker's access point. This type of evil twin attack may be used to steal the passwords of unsuspecting users, either by snooping on the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.
The Infernal Twin is an automated Evil Twin tool that collects information in bulk and dumps it into files to be used later. This allows the hacker to sit back and enjoy their coffee at the coffee shop, or watch their favorite show in the hotel room, while hacking everyone around them.
MAN IN THE MIDDLE ATTACK: Once the hackers have used the KARMA or Evil Twin technique to compromise you, they will launch a MiTM attack. A MiTM attack is a type of cyberattack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other. The MiTM attack allows a malicious actor to intercept, send and receive data meant for someone else, or not meant to be sent at all, without either party knowing until it is too late.
Sometimes referred to as a session hijacking attack, MiTM has a strong chance of success when using tools like the WiFi Pineapple where the attacker can impersonate each party to the satisfaction of the other.
A common method of executing a MiTM attack involves distributing malware that provides the attacker with access to a user’s Web browser and the data it sends and receives during transactions and conversations. Once the attacker has control, he can redirect users to a fake site that looks like the site the user is expecting to reach. The attacker can then create a connection to the real site and act as a proxy in order to read, insert and modify the traffic between the user and the legitimate site. Online banking and e-commerce sites are frequently the target of MITM attacks so that the attacker can capture login credentials and other sensitive data.
Since this typically affects devices out in public, all of the security devices at your home or office can't protect you from a Pineapple attack. And worse yet, once your wireless device is infected, it can spread malware across your network infrastructure when it is re-introduced to your "secure" wireless network at home or the office.
Avoid Connecting To Open Networks:
If you are in the habit of using open WiFi networks, one day you might come across one of those Pineapples in your coffee shop and hand over your data unknowingly to a guy sitting at the table next to you! Even without this risk you should never use networks that you have no control over, but this kind of risk makes it even more important. Of course, if you travel and rely on hotel and airport open wireless connections, then:
Clear out any open WiFi networks that your system remembers:
The steps to perform this action will vary from platform to platform. It is important to realize that any open network that you have ever connected to during the life of your system can open it up to a KARMA attack right now. Note that some platforms, such as Apple iOS, only allow users to forget WiFi networks that are nearby at the time.
Always Use A VPN Connection:
If you must use open networks, always use a VPN. When you are using a VPN your traffic is encrypted and sent through a secure channel. In this case, even if an attacker is able to capture your traffic, they will not be able to make any sense of it.
Pay attention to the WiFi networks that your device connects to:
With most platforms, the WiFi status simply indicates "connected" or "not connected" unless you dig into the details. Especially since WiFi connections can fluctuate, it can be impractical to click into the WiFi details constantly. Some applications can show the current WiFi status, such as which SSID the system is connected to, without requiring any clicks.
Disable WiFi when you're not using it:
Leaving WiFi enabled constantly increases your attack surface. Whether it's KARMA or other WiFi-related attacks, turning WiFi off when it is not required can help to keep a system safer.
Wireless networks provide great convenience to us but come with risks and vulnerabilities (as all conveniences in IT do). The hardware is getting smaller and more powerful every day, so tools like the WiFi Pineapple are getting more threatening. It's important to keep an eye on what kind of risks are out there and learn how to avoid them.