In this post I want to share the story of one brilliantly simple attack, which I observed last year, and discuss the consequences. There will be no “meat” for hackers, but there will be:
- One more instructive tale for the collection of “stories for conversations with users”, for admins and security staff.
- Why, in wireless networks, you need to protect more than just the LAN from the WLAN, and why a so-called Wireless Firewall is needed.
- Recommendations on how to build a public Wi-Fi network so that such problems do not arise.
- Why, in hotels and other public networks, even an unencrypted Captive Portal may be preferable to PSK encryption.
In principle, all of this is relevant to corporate networks too, but I have already written about those. And then the next post made me look at the problem from a slightly different angle.
First of all, I am not imposing anything or urging anyone to rush out and buy fancy Wi-Fi with WIPS and RTLS. Every situation has its own nuances and priorities: some will be covered by a user agreement, some simply will not care about their users, in some countries there will be no liability, some will settle for partial measures, and others will have their own considerations. I describe; everyone chooses for themselves.
Background
The story happened to my colleague in the hotel where we were staying. I escaped only because I had not yet connected to the hotel WLAN at that point. The hotel provides free Wi-Fi to all its guests. The network is password-protected: the PSK is issued on a piece of paper and changes every few months.
Story
A colleague connects a laptop to the network, opens Firefox and types the address of a well-known site. Instead of the site, a nicely made page appears with the header of the hotel’s own site and a message like “Your browser is incompatible with the site you are trying to open. Install the patch from here.” The colleague is impressed, launches Chrome: the same page. We connect an Android device and an iPod Touch to the network: the same. And the “patch” is always the same file :) We download the “patch” and, quite as expected, the antivirus complains (we found 3 different types of malware).
In general, the plot is obvious: an “Albanian virus” spread by phishing, plus a small hack of the network. The virus itself is of no interest; what is interesting is understanding how all this works in order to get Internet access without the “patch”.
Figuring it out
Through some simple investigation (at the ipconfig / ping level) it turned out that sites could be reached by IP address. So the problem was in DNS. By setting the DNS server to 8.8.8.8 we got a fully working Internet connection. Now we could figure out how the attack works.
The following was clarified:
- In the WLAN there was another DHCP server (a rogue DHCP server) that issued the correct IP / mask / GW, but handed out its “own” DNS server instead of the provider’s.
- On the same host a DNS server was running that resolved all names to the same IP (which, “by an incredible coincidence”, was the IP of the DNS server itself).
- On the same IP a web server was running, which actually showed the page and served the file.
As you can see, everything is very simple and does not require special skills for implementation.
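As an added example (not code from the original post), here is how a monitor on the wired side could flag the rogue server’s offers: it parses a DHCP OFFER/ACK and compares the server identifier (option 54) and the DNS option (option 6) against an allow-list of wired servers, which is the same policy of accepting DHCP and DNS answers only from wired hosts discussed below. The addresses 10.0.0.1 (legitimate server) and 10.0.0.77 (rogue host) are constructed values.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                       # RFC 2131 options magic cookie
OPT_ROUTER, OPT_DNS, OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255

def parse_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP payload (fixed header is 236 bytes)."""
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ipv4_list(raw: bytes) -> list:
    """Decode an option value holding one or more packed IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw) - 3, 4)]

def check_offer(payload: bytes, trusted_dhcp: set, trusted_dns: set) -> list:
    """Findings for one server reply; an empty list means the offer matches policy."""
    opts = parse_options(payload)
    if opts.get(OPT_MSGTYPE, b"\x00")[0] not in (2, 5):   # only OFFER (2) and ACK (5) come from servers
        return []
    findings = []
    server = ipv4_list(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in trusted_dhcp:
        findings.append(f"rogue DHCP server identifier {server}")
    for dns in ipv4_list(opts.get(OPT_DNS, b"")):
        if dns not in trusted_dns:
            findings.append(f"untrusted DNS server {dns} offered")
    return findings

def build_offer(server: str, dns: str, router: str = "10.0.0.1") -> bytes:
    """Constructed DHCPOFFER for testing: header fields not needed here are zeroed."""
    yiaddr = ipaddress.IPv4Address("10.0.0.50").packed
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0, b"\0" * 4,
                         yiaddr, b"\0" * 4, b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSGTYPE, 1, 2, OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server).packed
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    opts += bytes([OPT_DNS, 4]) + ipaddress.IPv4Address(dns).packed + bytes([OPT_END])
    return header + MAGIC + opts
# Constructed sample: a rogue host (10.0.0.77) hands out itself as DNS, as in the hotel case.
ROGUE_FINDINGS = check_offer(build_offer("10.0.0.77", "10.0.0.77"), {"10.0.0.1"}, {"10.0.0.1"})
```

Fed with the UDP payloads of real DHCP server replies captured on the wired side, the same check distinguishes the legitimate server from a rogue one by its server identifier and the DNS it offers.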
Question: how many “ordinary people” would fall for this? Also, it is strange that the attacker limited himself to a “patch” and did not clone the login pages of GMail / Bing / Facebook, etc.; it would have been possible to harvest accounts, even with HTTPS: how many people pay attention to invalid certificates or to the fact that they have just been redirected from HTTPS to HTTP? Although, if there are three Trojans on the machine, they collect everything anyway ...
Conclusions and solutions
When building any access network, it is important not only to protect the network and the wired infrastructure from the “excessive interest” of users, but also to protect some users from other, less decent ones. This is true for corporate (private) networks and for public networks (hotspots, hotels, cafes and bars, restaurants, etc.). It should be remembered that “wireless security” is not only encryption: there must also be identification, authentication, traffic separation and much more. The attack described above is not the only purely wireless attack that no Firewall or IPS in the wired segment can detect. What can be done so that such a problem does not arise?
The simplest solution is to prohibit communication between users. Usually this is done by toggling a single checkbox in the WLAN settings (“Disable MU-to-MU communication”, Cisco PSPF and analogues). However, hotspot users do not always like this, and it may conflict with the purposes of the network (gaming parties, VoWLAN in corporate networks, etc.). Although, if it does not conflict, then, as already said, the easiest way is to write this clause into the “terms of use”.
The best way is to block DHCP, DNS and (for good measure) ARP responses inside the wireless network. To do this, you need a firewall directly on the access point that can filter WLAN-to-WLAN traffic (it is sometimes called a Wireless Firewall to emphasize the difference from traditional FWs). For me, at one time, it was a great surprise that some eminent vendors cannot do this (to this day).
DNS and DHCP responses are allowed only from wired hosts. ARP responses from clients are not needed at all: the AP already knows the MAC addresses of all its clients (from association) and can answer requests itself through Proxy ARP, so the amount of spurious traffic on the network decreases as well.
Thus we get rid of DHCP / DNS / ARP spoofing, rogue DHCP / DNS servers, ARP poisoning and the MITM attacks associated with them (and probably much more; add your own in the comments).
Now let’s turn to another aspect. Suppose I found a fake server on the network. I can block it by MAC address. But if the attacker is not a fool and periodically checks whether his mousetrap is still working, he will notice, change the MAC, and everything will continue. In addition, knowing the PSK, an attacker can inject packets into the network towards users without even being associated with an access point, even with WPA2. This takes some effort, because in WPA / WPA2 key distribution is more complicated than in WEP, but it is possible. The only way to get rid of the adversary is to change the PSK. And then change it for all clients! And this, although it will repel the attack, will not allow finding and punishing the attacker (unless you use a positioning system). And what can we say about open hotspots?
Thus, in public networks, even those protected by a PSK like our hotel’s, the attacker almost always goes unpunished.
It is another matter if you use a Captive Portal (used competently) or 802.1X (which also solves the traffic-injection problem, but in public networks 802.1X is hard to use). Each user receives an individual username and password, the MAC address is bound to the login, and the account is valid for a limited time (hotel systems automate the binding to the guest register). Thus we can always find out who was having fun, or at least who leaked their credentials.
Both of these nuances are extremely important in such a dangerous and exciting game as shifting responsibility. If you do not have a disclaimer in the user agreement (and this is not always possible; plus, you need to make sure that the user cannot access the network without agreeing to the rules for using the resource), and hacking, porn, or propaganda of racism / violence and so forth goes through your network, and you cannot find someone to blame, then you will be the one blamed. That is why, as a result of rampant phishing on hotspots in Europe, mandatory identification of each user was introduced at the legislative level (most often, you need to enter a mobile number that receives an SMS with an individual access code). It is clear that one can hide from this as well, but in this way the hotspot provider shifts the responsibility to the SIM card provider. Even without authentication, the Captive Portal can, before granting access, show a splash page with the “resource usage rules” and force the user to tick “I accept the conditions”, which in many cases is enough from a legal point of view (and the user cannot claim they did not see the agreement). So sometimes an open network with a Captive Portal can be safer than a closed network with a PSK, at least for its owners :)
As an alternative, some vendors (Aerohive, Ruckus) implement a non-standard “individual PSK” technology, where each client is given a unique key. This also solves the problems of user identification and of mass PSK changes in case of a leak. However, their availability in the CIS countries is very limited, and compatibility problems are sometimes observed.
Conclusion
In wireless networks, protecting wireless users from purely wireless attacks is just as important as protecting the wired segment. With fairly simple technical tools, one can set up industrial-scale phishing and other attacks, and no wired Firewall / IPS will help.
There are technical measures to restrict the access of wireless users to other wireless users:
- Prohibit communication between them altogether (supported by almost all manufacturers, but not always acceptable for the network)
- Prevent wireless users from sending replies for important network services: DHCP, DNS, ARP (much better, but not supported by all vendors, and it may not save you from more complex attacks)
- Use a Captive Portal / 802.1X / PPSK to identify the sources of attacks or of user credential leaks
- A specialized Wireless IPS will help protect against other attacks.
- A positioning system (RTLS) allows you to determine the approximate physical location of the source
All of the above is relevant for any network (no one has cancelled insider hacking), but it is especially important for public networks (hotspots, hotels, bars, etc.) because of:
- Attractiveness to clientele: “I / a friend got hacked there, I won’t go there anymore”, etc.
- Organizational issues: you can quickly solve the problem and find the culprit; perhaps one of your own employees decided to “earn some money on the side”, etc.
- Legal issues: you can shift the responsibility if it comes to that.
I hope it was interesting.