
Thread: Evil Twins...

  1. #1
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024

    Evil Twins...

    http://www.e4engineering.com/story.a...d-a7bd9b6a4258

    Anyone read anything more interesting about "Evil Twins"? This is the first time I've heard of 'em, and they sound pretty interesting and definitely a security hazard. What could be done to thwart this sort of attack on your users? I mean, if someone sets up an evil twin and installs something on half of your users' laptops, what do you do, and how can you prevent it?
    [H]ard|OCP <--Best hardware/gaming news out there--|
    pwned.nl <--Gamers will love this one --|
    Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.

  2. #2
    Member
    Join Date
    Jan 2004
    Posts
    69
    That's a brilliant idea. Is there any way to protect against that kind of attack?

  3. #3
    AO Senior Cow-beller
    Moderator
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    The so-called "evil twins" are simply a sophistication of the 'rogue access point'. Nowadays, when someone uses the term 'rogue access point' they're usually talking about unauthorized access points attached to the network. But it used to describe an access point masquerading as one the user might trust, and used in a similar fashion.

    Pheh, fancy article, a snappy new name, and it's *news*.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4
    AO Senior Cow-beller
    Moderator
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    How do you guard against one? Normal wireless or shared network security practices. Would you go check your email, do some online banking, and log in to several web site accounts if you were at a huge LAN party? Then why do it when connected to a public access point? Seriously, this is basic network security discipline.

    If you do these things, you are at a huge risk. I know people who run packet sniffers at LAN parties as a matter of habit. I've been known to observe traffic at public hotspots myself while testing a VPN tunnel.

    Evil Twin is just a new name for an old trick that's been sophisticated with 'phishing'.

  5. #5
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,209
    This is a re-branding of a basic Man-in-the-Middle (MITM) attack.

    They're becoming quite common, especially with all of the HotSpots that are popping up everywhere. I've even seen such attacks attempted in different apartment complexes where I have friends.

    Such attacks are actually quite simple to do. A MITM attack, at the most basic level, is when an attacker fools both a sender and a receiver into thinking they are communicating with one another when, in fact, the attacker is intercepting all traffic sent between the two devices. For wireless networks, the attacking device typically involves the use of a rogue access point (AP). First, the attacker deauthenticates the wireless client from the access point by spoofing its MAC address, which was collected by sniffing the packets sent between the device and the access point. At the same time, the attacker notifies the client device that it was deauthenticated by spoofing the AP's MAC address. This requires the client to reauthenticate with the AP. Instead of reassociating with the AP, however, the client authenticates with the rogue AP set up by the attacker, while the rogue AP reassociates with the legitimate AP, acting as the client. The rogue AP then grants the client's reassociation request, thereby becoming a go-between for the two devices. This allows the attacker not only to modify any packets sent or received by the client, but also to intercept any authentication information such as WEP keys or WPA authentication schemes.

    The best way to prevent a MITM attack is to utilize server host authentication, which prevents an attacker from being able to impersonate the access point because they do not have access to the AP's private key. This is actually something which is currently being developed as part of the IEEE 802.11i standard.

    AJ
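
The deauthenticate-then-impersonate sequence AJ describes leaves two things on the air that a passive monitor can see: a burst of deauthentication frames aimed at one client, and beacons for a known SSID coming from a BSSID that is not the real AP. The following is an added example, not code from the original thread or from any of its posters. It parses raw 802.11 management frames (the 24-byte header, the beacon fixed fields and tagged parameters, the deauth reason code) and runs both checks over a constructed capture. The MAC addresses, the SSID "CoffeeShop-Free", the frames themselves and the `TRUSTED` allow-list are all made up for the example; the two `build_*` functions exist only to construct that sample.

```python
import struct
from collections import Counter

# Frame-control byte 0 for the two 802.11 management subtypes used here.
FC_BEACON, FC_DEAUTH = 0x80, 0xC0          # type 0 (management), subtypes 8 and 12
SUBTYPE_BEACON, SUBTYPE_DEAUTH = 8, 12
IE_SSID, IE_DS_PARAMS, IE_RSN = 0, 3, 48   # information element IDs


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes) -> dict:
    """Parse the 24-byte 802.11 management header and, for beacons and
    deauthentication frames, the body fields the detector needs."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte management header")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    info = {"subtype": (fc0 >> 4) & 0xF, "da": mac_str(frame[4:10]),
            "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if info["subtype"] == SUBTYPE_BEACON:
        if len(body) < 12:
            raise ValueError("beacon fixed parameters truncated")
        _timestamp, _interval, capability = struct.unpack_from("<QHH", body, 0)
        info.update(privacy=bool(capability & 0x0010), ssid=None, channel=None, rsn=False)
        off = 12
        while off + 2 <= len(body):                  # walk the tagged parameters
            tag, length = body[off], body[off + 1]
            data = body[off + 2: off + 2 + length]
            if len(data) < length:
                break                                # truncated IE: stop, do not read past the frame
            if tag == IE_SSID:
                info["ssid"] = data.decode("utf-8", "replace")
            elif tag == IE_DS_PARAMS and length == 1:
                info["channel"] = data[0]
            elif tag == IE_RSN:
                info["rsn"] = True                   # WPA2-style security advertised
            off += 2 + length
    elif info["subtype"] == SUBTYPE_DEAUTH:
        if len(body) < 2:
            raise ValueError("deauth reason code missing")
        (info["reason"],) = struct.unpack_from("<H", body, 0)
    return info


def build_beacon(bssid: bytes, ssid: str, channel: int, rsn: bool) -> bytes:
    """Construct a minimal beacon frame (used only to build the sample capture)."""
    header = bytes([FC_BEACON, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    capability = 0x0001 | (0x0010 if rsn else 0)   # ESS, plus Privacy when RSN is present
    fixed = struct.pack("<QHH", 0, 100, capability)
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode() + bytes([IE_DS_PARAMS, 1, channel])
    if rsn:  # RSN IE body: version 1, CCMP group and pairwise cipher, PSK AKM, no capabilities
        rsn_body = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
        ies += bytes([IE_RSN, len(rsn_body)]) + rsn_body
    return header + fixed + ies


def build_deauth(da: bytes, sa: bytes, bssid: bytes, reason: int = 7) -> bytes:
    header = bytes([FC_DEAUTH, 0x00]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00"
    return header + struct.pack("<H", reason)


def analyse_capture(capture, trusted, deauth_threshold=5):
    """trusted maps SSID -> set of BSSIDs known to be the real APs for that SSID.
    Reports beacons for a trusted SSID from an unknown BSSID (a twin), noting
    whether the twin is an open copy of a protected network, and deauth bursts."""
    frames = [parse_mgmt_frame(f) for f in capture]
    trusted_rsn = {}                                 # how the real APs advertise security
    for f in frames:
        if f["subtype"] == SUBTYPE_BEACON and f["bssid"] in trusted.get(f["ssid"], ()):
            trusted_rsn.setdefault(f["ssid"], set()).add(f["rsn"])
    twins, seen = [], set()
    for f in frames:
        if f["subtype"] != SUBTYPE_BEACON or f["ssid"] not in trusted:
            continue
        key = (f["ssid"], f["bssid"])
        if f["bssid"] in trusted[f["ssid"]] or key in seen:
            continue
        seen.add(key)
        twins.append({"ssid": f["ssid"], "bssid": f["bssid"], "channel": f["channel"], "rsn": f["rsn"],
                      "open_twin_of_protected": not f["rsn"] and True in trusted_rsn.get(f["ssid"], set())})
    # A spoofed deauth carries the real AP's address, so the address proves nothing; the burst does.
    counts = Counter((f["sa"], f["da"]) for f in frames if f["subtype"] == SUBTYPE_DEAUTH)
    bursts = [(sa, da, n) for (sa, da), n in counts.items() if n >= deauth_threshold]
    return {"evil_twins": twins, "deauth_bursts": bursts}


# Constructed sample capture: one real AP, an open twin on the same SSID and channel,
# an unrelated neighbour, and a burst of deauths "from" the real AP to one client.
LEGIT_AP, ROGUE_AP = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
CLIENT = bytes.fromhex("0a1b2c3d4e5f")
TRUSTED = {"CoffeeShop-Free": {"00:11:22:33:44:55"}}
SAMPLE_CAPTURE = [
    build_beacon(LEGIT_AP, "CoffeeShop-Free", 6, rsn=True),
    build_beacon(ROGUE_AP, "CoffeeShop-Free", 6, rsn=False),
    build_beacon(bytes.fromhex("123456789abc"), "Neighbour", 11, rsn=True),
] + [build_deauth(CLIENT, LEGIT_AP, LEGIT_AP) for _ in range(8)]
```

Two things worth noticing. The deauth frames in the sample are indistinguishable by address from ones the real AP would send, which is exactly the point of the spoofing AJ describes; the detector therefore counts frames per sender/client pair instead of trusting the source field. And the twin check keys on the allow-list of BSSIDs, not on the SSID, because the SSID and channel are the first things an attacker copies. Running this against real traffic needs a monitor-mode capture with the radiotap header stripped, which is outside the example; the later 802.11w amendment (protected management frames) is what eventually let clients reject forged deauths outright.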

  6. #6
    Junior Member
    Join Date
    Jan 2005
    Posts
    2
    avdven is right: it is a reiteration of the well-known man-in-the-middle attack, but with a different approach. This one uses the fact that a wireless NIC will by default connect to the closest, strongest-signal hot spot (AP). The only objection I have (and it is not really an objection) is that the AP is not necessarily rogue; it can be just a proxied, amplified legal signal. To be more clear, this is how it works. The simplest method is to get a *nix machine, modify the kernel parameters to enable IP forwarding, and use AP host software (i.e. OpenAP) so you can do multipoint-to-multipoint wireless bridging, and you are ready to go: your machine will proxy and amplify the signal, becoming the "preferred AP" for any of the innocent users who are trying to go wireless. Because of the way a Wi-Fi connection works, the already-connected users will get disconnected (the effect is called network connection flapping) without you having to do anything (the weakest beacon header will be ignored, the strongest ones being preferred), and they will "hop" to your "managed AP". From now on it is just a childish joke to issue CAs (this is already explained by avdven), proxy SSL/HTTPS/HTTP connections, sniff traffic, or even plant rootkits or back doors on the client machine by sending specially crafted packets.
    The way to protect yourself against this attack is:
    1. Act with care and prevention: don't use sensitive information over a wireless connection (easy, but the most secure one).
    2. Check the AP settings if possible: SSID; authentication method (open/shared are both easy to counterfeit or re-broadcast; WPA/WPA-PSK/etc. require additional skills and tools to be decrypted without using the same key, since an encrypted flow of data will pass through the redirecting rogue AP, so it will be more "secure", requiring decryption after sniffing and dumping the data); check the authenticity certificate used by the AP (if used) and by the web site that you are visiting; be suspicious if flapping occurs.
    Talking about 802.11i and Authentication Servers... this is nice to have, but I don't see *bucks or any other publicly available free wireless service provider deploying an AS server (like RADIUS; I hope avdven agrees, because this would be useless and costly), or you having a PIX firewall between you and the hot spot in order to randomize the sequence number and issue an encrypted key for each communication session. 802.11i is a great and pink option, but really costly, and requires thorough implementation as well as a dedicated appliance; and the attack is being done mostly on publicly available APs, less likely in the enterprise, where you can manage signal strength, have a backend AS infrastructure, or even have your AP in the DMZ. Another nice thing would be using MD5 or DSS for each session so the authenticity can be guaranteed, but these are only thoughts for now....
    Anyway, like most attacks, its simplicity makes it effective; just use wireless (read: Internet) with care... and good luck.

    db

    P.S. AJ, nice attack description, but as with everything in this world... nothing is secure. Remember: "I trust God; all the rest... better have MD5"?
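
db's list of precautions ends with "be suspicious if flapping occurs". Here is what that looks like from the client side, as an added example that is not part of the original post. It reads connect/disconnect events in the shape wpa_supplicant logs them (the sample lines are constructed, with an epoch-seconds prefix added so the window arithmetic has something to work with), compares the BSSIDs the client attached to against a pinned set the user verified beforehand, and flags a run of reconnects inside a short window together with disconnects the client did not initiate itself. The MAC addresses, timestamps and the pinned set are assumptions made for the example.

```python
import re
from collections import deque

# Constructed sample, modelled on wpa_supplicant's CTRL-EVENT lines, with an
# epoch-seconds prefix added. A real AP at 00:11:22:33:44:55 and a second BSSID
# on the same network alternate, and two of the three disconnects come from the air.
SAMPLE_LOG = """\
1105012345 wlan0: CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed [id=0 id_str=]
1105012360 wlan0: CTRL-EVENT-DISCONNECTED bssid=00:11:22:33:44:55 reason=7
1105012362 wlan0: CTRL-EVENT-CONNECTED - Connection to aa:bb:cc:dd:ee:ff completed [id=0 id_str=]
1105012380 wlan0: CTRL-EVENT-DISCONNECTED bssid=aa:bb:cc:dd:ee:ff reason=3 locally_generated=1
1105012383 wlan0: CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed [id=0 id_str=]
1105012390 wlan0: CTRL-EVENT-DISCONNECTED bssid=00:11:22:33:44:55 reason=7
1105012392 wlan0: CTRL-EVENT-CONNECTED - Connection to aa:bb:cc:dd:ee:ff completed [id=0 id_str=]
"""

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
CONNECTED_RE = re.compile(r"^(\d+) \S+: CTRL-EVENT-CONNECTED - Connection to " + MAC + r" completed")
DISCONNECTED_RE = re.compile(r"^(\d+) \S+: CTRL-EVENT-DISCONNECTED bssid=" + MAC
                             + r" reason=(\d+)(?: locally_generated=(\d))?")


def parse_events(log_text: str) -> list:
    """Turn the log into a list of connect/disconnect events, ignoring other lines."""
    events = []
    for line in log_text.splitlines():
        m = CONNECTED_RE.match(line)
        if m:
            events.append({"ts": int(m.group(1)), "event": "connected", "bssid": m.group(2)})
            continue
        m = DISCONNECTED_RE.match(line)
        if m:
            events.append({"ts": int(m.group(1)), "event": "disconnected", "bssid": m.group(2),
                           "reason": int(m.group(3)), "local": m.group(4) == "1"})
    return events


def detect_flapping(events, pinned_bssids, window_s=60, max_connects=2):
    """pinned_bssids: the BSSIDs you verified belong to this SSID's real AP.
    Reports connects to any other BSSID, the first window in which the client
    (re)connected more than max_connects times, and disconnects the client did
    not initiate (a deauth arriving over the air looks like that)."""
    unpinned = sorted({e["bssid"] for e in events
                       if e["event"] == "connected" and e["bssid"] not in pinned_bssids})
    recent, flapping = deque(), None
    for e in events:
        if e["event"] != "connected":
            continue
        recent.append(e)
        while e["ts"] - recent[0]["ts"] > window_s:   # drop connects older than the window
            recent.popleft()
        if len(recent) > max_connects:
            flapping = {"start": recent[0]["ts"], "end": e["ts"], "connects": len(recent),
                        "bssids": sorted({r["bssid"] for r in recent})}
            break
    remote = sum(1 for e in events if e["event"] == "disconnected" and not e["local"])
    return {"unpinned_bssids": unpinned, "flapping": flapping, "remote_disconnects": remote}
```

Pinning the BSSID is the cheap, client-side version of db's "check the AP settings" advice: the SSID and channel are trivially copied, but the hardware address of the real AP is at least something you can write down on a first visit and compare against later. It is a heuristic, not authentication: a twin that also clones the BSSID passes this check, which is why the thread keeps coming back to certificates and 802.11i.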

  7. #7
    AO Senior Cow-beller
    Moderator
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Quote: "the AP is not necessary rogue it can be just a proxied amplified legal signal."
    Uhm, did you read the article? "...they've been tricked to connect to an attacker's unauthorised base station..."

    You are correct that another signal amplified with similar/identical settings could fool a user/system into believing it was the original AP. However, this article is talking specifically about the practice of intentionally "replacing" or washing out the signal or presence of a legitimate AP, so the 'cyber criminal' can capture the user's information once they have authenticated (or been fooled into THINKING they authenticated, when they've really just given up their credentials).

    So how does your 'proxied amplified signal' become 'legal'? A rogue access point means one of two things:
    #1 - an unauthorized access point on a network, not under the control or sanction of the network's owners.
    #2 - an access point configured to look like another, legitimate access point, for the purpose of fooling users into connecting to it and exposing or sharing data.

  8. #8
    Junior Member
    Join Date
    Jan 2005
    Posts
    2
    I think that we are having a semantic issue... What I said is that proxying the signal without having the SSID/channel altered, and using the original AP as a gateway, would be considered a "legal signal" (because you don't scam it), so if you want to regard its ownership it will be rogue, but what does ownership have to do with the signal in this case?
    This is if you don't consider the CA/WPA etc. (factors that I already said will make evil twin deployment more difficult but NOT IMPOSSIBLE) that an attacker will have to accept from the public AP and will not be able to redirect toward the target, in which case he has to issue his own CAs etc. and scam the user into accepting them, or pray that the user is not a knowledgeable person. The reason that I didn't go too deep into the CA/encryption/secure AP subject is that the evil twin is unlikely to happen with your home AP (think of somebody at your door powering up an AP to overcome yours and trying to sniff your password and log the traffic) or your enterprise AP, due to the distance between you and the AP (home), meaning signal strength, or signal limitations (enterprise), and there we can talk about whatever 802.11i or similar secure Wi-Fi deployments you would like; this attack is more likely to happen when using a public Wi-Fi network, accessing a hot spot from anywhere but its proximity. I cannot picture anybody walking into whatever coffee shop with an AP under his arm, looking for an outlet so he can power it up and start configuring it there; these things do not work like this; they are done without ringing the bell and publishing it in the local newspaper (what do you think?).
    Now, if we want to continue like this just for the sake of argument and for whatever the newspaper wrote, we can do it forever. I just think that this would be useless... I am not going to dig into the scam subject ("...capture the users information, once they have authenticate (or been fooled into THINKING they authenticated, when they've really just given up their credentials.)") because this is outside the wireless subject, or, if you want, is "common practice".
    There are methods to substitute an AP even if far from its location (by altering its signal strength and making a stronger signal available), but this is again out of scope and too expensive to be done.
    In the end, if you are familiar with wardriving (and I believe you are), consider that the evil twin is just a combination of a wireless MITM and wardriving as a method to find the targets.
    Lastly, what I said was reinforcing and showing another side of what avdven said above... if there are more things that I can clarify, please let me know and I will do it with pleasure.

    Take care and have a great day.
    Regards
