Evil Twins...
Results 1 to 8 of 8

Thread: Evil Twins...

  1. #1
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024

    Evil Twins...

    http://www.e4engineering.com/story.a...d-a7bd9b6a4258

    Anyone read anything more interesting about "Evil Twins"? This is the first time I've heard of em, and they sound pretty interesting and definitly a security hazard. What could be done to thwart this sort of attack from your users? I mean, if someone sets up an evil twin, installs something on half of your users laptops, what do you do and how can you prevent it?
    [H]ard|OCP <--Best hardware/gaming news out there--|
    pwned.nl <--Gamers will love this one --|
    Light a man a fire and you\'ll keep him warm for a day, Light a man ON fire and you\'ll keep him warm the rest of his life.

  2. #2
    Member
    Join Date
    Jan 2004
    Posts
    69
    That's a brilliant idea. Is there any way to protect against that kind of attack?

  3. #3
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    The so called "evil twins" are simply a sophistication of the 'rogue access point'. Nowadays, when someone uses the term 'rogue access point' they're usually talking about unauthorized access points attached to the network. But it used to be describe an access point masquerading as one the user might trust, and used in a similar fashion.

    Pheh, fancy article, a snappy new name, and it's *news*.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    How do you guard against one? Normal wireless or shared network security practices. Would you go check your email, do some online banking, and log in to several web site accounts if you were at a huge lan party? Then why do it when connected to a public access point? Seriously, this is basic nework security discipline.

    If you do these things, you are at a huge risk. I know people who run packet sniffers at lan parties as a matter of habit. I've been known to observe traffic at public hotspots myself while testing a VPN tunnel.

    Evil Twin is just a new name for an old trick that's been sophisticated with 'phishing'.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,210
    This is a re-branding of a basic Man-in-the-Middle (MITM) attack.

    They're becoming quite common, especially with all of the HotSpots that are popping up everywhere. I've even seen such attacks attempted in different apartment complexes where I have friends.

    Such attacks are actually quite simple to do. A MITM attack, at the most basic level, is when an attacker fools both a sender and receiver into thinking they are communicating with one another when, in fact, the attacker is actually intercepting all traffic sent between the two devices. For wireless networks, the attacking device typically involves the use of a rogue access point (AP). First, the attacker deauthenticates the wireless client from the access point by spoofing their MAC address which was collected by sniffing the packets sent between the device and the access point. At the same time, the attacker notifies the client device that they were deauthenticated by spoofing the APís MAC address. This requires the client to reauthenticate with the AP. Instead of reassociating with the AP, however, the client authenticates with the rogue AP set up by the attacker while the rogue AP reassociates with the legitimate AP acting as the client. The rogue AP then grants to the clientís reassociation request, thereby becoming a go-between between the two devices. This allows the attacker to not only modify any packets sent or received by the client, but also intercept any authentication information such as WEP keys or WPA authentication schemes.

    The best way to prevent a MITM attack is to utilize server host authentication which prevents an attacker from being able to impersonate the access point because they do not have access to the APís private key. This is actually something which is currently being developed as part of the IEEE 802.11i standard.

    AJ

  6. #6
    Junior Member
    Join Date
    Jan 2005
    Posts
    2
    Avdven is right it is a reiteration of the well known man in the middle attack but with a different approach this one is using the fact that a wireless NIC is going to get connected by default to the closest and strongest signal emitting hot spot (AP) the only objection and is not really a objection ...that I have is that the AP is not necessary rogue it can be just a proxied amplified legal signal. To be more clear this is how it works the simplest method is to get a *nix machine modify the kernel parameters enable IP forwarding use a AP host software (i.e. OpenAP) so you can do a multipoint to multipoint wireless bridging, and you are ready to go... your machine will proxy and amplify the signal becoming the "preferred AP" for any of the innocent users that are trying to go wireless. Because of the way that WI-Fi connection works the already connected users will get disconnected ( the effect is called network connection flapping)without you having to do anything ( the weakest beacon header will be ignored being preferred the strongest ones))and they will "hop" to your "managed AP' from now on is just a childish joke to issue CA's ( this is already explained by avdven) proxy ssl/https/http connections, sniff traffic or even plant rootkits or back doors into your client machine by sending specially crafted packets.
    The way to protect yourself against this attack is: 1. Act with care and preventive don't use sensitive information through a wireless connection (easy but the most secure one)
    2. Check the settings of AP settings if possible: SSID, authentication method open/shared both easy to counterfeit or re- broadcast, WPA/ WPA-PSk/etc require additional skills and tools to be decrypted without using the same key a encrypted flaw of data will pass through the redirecting rogue AP so it will be more "secure" requiring decryption after sniffing and dumping data, check the Authenticity Certificate used by the AP (if used) and by the web site that you are visiting, be suspicious if flapping ocurres.
    Talking about 802.11i and Authentication Server...this is nice to have but I don't see *bucks or any other public available wireless free service provider deploying and AS server (like Radius... I hope avdven agrees because this would be useless and costly) or you having a PIX firewall between you and the hot spot in order to randomize the sequence number and issue a encrypted key for each communication session. 802.11i it is a great and pink option but really costly and requires thorough implementation as well as dedicated appliance or the attack is being done mostly public available AP's less likely on Enterprise where you can manage signal strength have a backend AS infrastructure or even have your AP in the DMZ. Another nice thing would be using md5 or DSS for each session so the authenticity can be guaranteed but these are only thoughts now....
    Any way like most of the attacks its simplicity makes it effective; just use wireless (read Internet) with care...and good luck.



    db

    P.S. AJ nice attack description but as everything on this world ...nothing is secure remember ..." I trust god all the rest ...better have MD5" ?

  7. #7
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    the AP is not necessary rogue it can be just a proxied amplified legal signal.
    Uhm, did you read the article? "...they've been tricked to connect to an attacker's unauthorised base station..."

    You are correct that another signal amplified with similar/identical settings could fool a user/system into believing it was the original AP. However, this article is talking specifically about the practice of intentionally "replacing" or washing-out the signal or presence of a legitimate AP, so the 'cyber criminal' can capture the users information, once they have authenticate (or been fooled into THINKING they authenticated, when they've really just given up their credentials.)

    So how does your 'proxied amplified signal' become 'legal'? A rogue access point means one of two things:
    #1 - unauthorized access point on a network, not under the control or sanction of the network's owners.
    #2 - an access point configured to look like another, legitimate access point, for the purpose of fooling users to connet to it and expose or share data.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  8. #8
    Junior Member
    Join Date
    Jan 2005
    Posts
    2
    I think that we are having a semantic issue..., what I said is that a proxy the signal w/o having SSID/channel altered and using as a gw the original AP that would be considered "legal signal" (that because you donít scam it) so if you want to regard it's ownership it will be rogue but what does ownership has to do with the signal in this case?
    This if you don't consider the CA/WPA etc. (factors that I already said will make evil twin deployment more difficult but NOT IMPOSSIBLE) that an attacker will have to accept from the public AP and will not be able to redirect toward the target, in this case having to issue it's own CA's etc. and scam the user to accept it or pray that the user is not a knowledgeable person. The reason that I didn't go too deep into the CA/encryption/secure type AP subject is because the evil twin is unlikely to happen with your home( think of somebody at your door powering an AP to overcome your one and trying to sniff your password and log the traffic)/enterprise AP due to distance between you and AP(home) meaning strength or signal limitations(Enterprise) and here we can talk about whatever 802.11i or similar secure wi-fi deployments you would like; this attack is more likely to happen when using a public wi-fi network, accessing a hot spot from anywhere but its proximity. I can not picture anybody going with a AP under his arm at whatever coffee shop looking for an outlet so he can power it up and start configuring there; this things do not work like this, they are being done without ringing the bell and publish it in the local newspaper (what do you think?).
    Now if we want to continue like this just for sake of argument and for whatever newspaper wrote, we can do it for ever. I just think that this would be useless... I am not going to dig into scam subject "...capture the users information, once they have authenticate (or I think that we are having a semantic issue..., what I said is that a proxy the signal w/o having SSID/channel altered and using as a gw the original AP that would be considered "legal signal" (that because you donít scam it) so if you want to regard it's ownership it will be rogue but what does ownership has to do with the signal in this case?
    This if you don't consider the CA/WPA etc. (factors that I already said will make evil twin deployment more difficult but NOT IMPOSSIBLE) that an attacker will have to accept from the public AP and will not be able to redirect toward the target, in this case having to issue it's own CA's etc. and scam the user to accept it or pray that the user is not a knowledgeable person. The reason that I didn't go too deep into the CA/encryption/secure type AP subject is because the evil twin is unlikely to happen with your home( think of somebody at your door powering an AP to overcome your one and trying to sniff your password and log the traffic)/enterprise AP due to distance between you and AP(home) meaning strength or signal limitations(Enterprise) and here we can talk about whatever 802.11i or similar secure wi-fi deployments you would like; this attack is more likely to happen when using a public wi-fi network, accessing a hot spot from anywhere but its proximity. I can not picture anybody going with a AP under his arm at whatever coffee shop looking for an outlet so he can power it up and start configuring there; this things do not work like this, they are being done without ringing the bell and publish it in the local newspaper (what do you think?).
    Now if we want to continue like this just for sake of argument and for whatever newspaper wrote, we can do it for ever. I just think that this would be useless... I am not going to dig into scam subject "...capture the users information, once they have authenticate (or been fooled into THINKING they authenticated, when they've really just given up their credentials.)" because this is out of the wireless subject or if you want is "common practice".
    There are methods to substitute an AP even if far from its location (by altering its signal strength and make available a stronger signal) but this is again out of the scope.
    At the end if you are familiar with wardriving and I believe you are, consider that evil twin is just a combination between a wireless MIM attack and wardiving as a method to find the targets.
    )" because this is out of the wireless subject or if you want is "common practice".
    There are methods to substitute an AP even if far from its location (by altering its signal strength and make available a stronger signal) but this is again out of the scope and to expesive to be done.
    At the end if you are familiar with wardriving (and I believe you are), consider that evil twin is just a combination between a wireless MIM and wardiving as a method to find the targets.
    Lastly what I said was enforcing and showing another side of what avdven said above... if there are more things that I can clarify please let me know and I will do it with pleasure.

    Take care and have it a great day.
    Regards

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •