Research on Karma Attack and principle of WiFi pineapple

WiFi fishing is a bad security threat, you can almost every day from TV, internet media to see the accidental connection of malicious WiFi caused large funds stolen cases, and the multimedia language is not surprisingly dead story style always can be the victim of the process of deletion to the extent of the supernatural. The opening is not to negate the dangers of WiFi, but to look at the threat of malicious wifi in an objective perspective.

First of all, according to the situation in our work, more than half of mobile apps have no ability to resist middlemen. User name password and so on a bunch of sensitive information always with you naked meet. The Upgrade bin file (Apk/so/script) not only protects against man-in-the-middle attacks, but does not even have integrity and tamper-proof checksum operations. Always be able to bring surprises ("Surprise" is the user, "HI" is the black-wide).

Start the chase.

Before referring to the Karma feature of WiFi pineapple, let's start by listing two ways we've known about WiFi fishing before:

First Class:

If you create a malicious hotspot called "Freewifi", wait for the user to actively click on the malicious WiFi connection.

Attacks in this manner are often less efficient.

Second Category:

Set up a hotspot with the same name connected to your phone so that your phone automatically searches for that WiFi and connects to it.

This approach is mainly focused on the open mode of hot, for example, WPA/PSK this encryption hotspot, unless you can master the original hotspot connection password, otherwise the STA and AP handshake process will fail, which originates from WPA's bidirectional authentication feature. The easiest to lay a gun is probably "CMCC".

We have mentioned two common types of WiFi fishing. Of course, in order to enhance the effect, often on the fish to sprinkle some "flavoring agent", that is, with some deception or DDoS attacks, so that it disconnects the original hotspot or switch channels to force it to connect to malicious hotspot.

Karma attack

We will discuss the third type of unusual form of WiFi fishing. Karma in WiFi pineapple provides this WiFi fishing feature, and of course this attack is not a WiFi pineapple proprietary.

What is Karma?

Karma is a way to respond to an STA (Wireless station, cell phone, tablet, etc) probe (Probe Request) by forging a bogus response packet (Probe Response). Let the client mistakenly believe that there is a WiFi hotspot in the range that has ever been connected, thereby cheating the client connection.

Through the above explanation we can conclude that the third type of fishing method and the first two compared with one of the biggest breakthrough: you can get STA once connected to the hot-spot SSID name, no longer passive and for.

Karma Demo

First we look at the attack effect on WiFi pineapple:

1. First turn on the Karma feature in WiFi Pineapple and don't need any special settings:

2. After a moment's notice, a large number of Probe request packet requests were found in the space, which was sent by the STA to detect the presence of a previously connected AP hotspot:

3. After a few moments, several devices have been tricked into forging hot spots:

Karma Analysis

In order to understand the technical details of the Karma attack, we decided to use "grab Dafa" directly to analyze the entire attack process.

1. First we take this cell phone as an example:

2. From the beginning of the attack to the success of the attack to capture the packet record, the first crawl is the STA (Wireless station, mobile phone, tablet, etc.) equipment issued by the probe Request packet (Probe request):

Below this package is sent by our test machine, the following SSID: "Tencent-tgrass WiFi" is exactly the AP hotspot that this phone has ever connected. The following probe request package is just one of the many Probe request packages issued by this phone (since the phone has been connected to more than 1 WiFi)

3. The AP (WiFi Pineapple) received a probe request packet from STA:

The AP sends a Probe response packet (Probe Response) to tell STA that "I'm near"

4. Immediately after the AP has issued a successful authentication request package (authentication):

Because the AP default hotspot is open (no password) form, so directly through the authentication, can be connected.

5. STA side: First receives the probe response packet (Probe Response) sent by the AP, and then receives the identity authentication through the package (authentication):

After the STA receives the two packets, it indicates that the AP is authenticated and can be accessed. So the STA sends an Access Request Packet (association request) to the AP for access:

6. After receiving the Access Request Packet (association request) from the STA, the AP responds to the Access Response Packet (Association Response):

7. Follow-up will also have a series of such as DHCP and other interactive communications, because the previous point has been karma problem points out, so the subsequent package is no longer listed ...

See here you may still not understand where led to the Karma attack. Please look up the 1th, 2 steps, the problem is here, according to the IEEE802.1X Standard, in the 2nd step the AP is not supposed to answer the STA sent the probe Request packet (Probe request) (only the SSID is: "Tencent-tgrass WiFi" The AP is authorized to answer this request).

But the APS here are forged by WiFi Pineapple, so do not comply with the IEEE802.1X standard, WiFi Pineapple for the space "Probe Request" package is to be accepted, according to a single full, and with the STA further handshake and access. So, here's the problem!

DIY a karma attack hotspot

Through the analysis we understand some of the details of karma, but also mentioned above Karma attack is not the WiFi Pineapple proprietary, we use a powerful tool to achieve this feature: Airbase-ng.

We chose to build this attack hotspot in Ubuntu with the help of two tools:

1. Aircrack-ng is used to forge the probe request probe packet, and the aircrack-NG Toolkit is very powerful 2. Dhcp-server provides support for STA's DHCP service

1. First we need to map the WLAN to a listening interface, execute the command airmon-ng start Wlan[n]:
After the mapping succeeds, you will see the following list of interfaces:

2. Then turn on the forged AP point, using Airbase-ng-p-C 30-v [interface]:

-P: Answer all the probe request packages. -C: Turn on the broadcast beacon package. -V: Prints detailed information.

About Beacon Package

Beacon packet is a kind of packet that the AP actively broadcasts its own hotspot information externally, so that we can see the nearby wifi in the WiFi list of the phone or computer.

A large number of probe request packages were received immediately after launch, very much:

Looking at the WiFi list, there are a lot of WiFi hotspots. These hotspots are the Wi-Fi hotspots that are connected to nearby devices, and airbase-ng the AP with the SSID of the same name through the probe request package issued by the nearby STA device to spoof the STA connection:

3. Look over the phone's wifi status, found to have been hooked, the hotspot is the phone has been connected to the 1 AP hotspot:
So far, DIY work is not all done! Why say that, you may have noticed that the phone has been stuck in "getting IP ..." quietly, because of the lack of support for DHCP services:

Note: The at0 in the ifconfig at0 up command must be executed before you see the 4th step

When Airbase-ng starts working, a virtualized interface called "At[n" is created in the system to serve the incoming STA.

4. So we're going to make a series of settings around this at0.

A). First set to assign an IP address and subnet mask to it:

// Start Interface 192.168. 3.1 255.255. 255.0 // assigning IP and masks 192.168. 3.0 255.255. 255.0 192.168. 3.1 // adds a route entry that is unified by 192.168.3.1 (AT0) to transmit data. 

b). Add 1 DHCP entries to/etc/dhcp/dhcpd.conf:

192.168. 3.0 255.255. 255.0  192.168. 3.2 192.168. 3.250 ; option Domain 8.8. 8.8  192.168. 3.1 ;}

c). Specify the interfaces= "" option in Etc/default/isc-dhcp-server as At0, and let DHCP service the interface:

d). Start the DHCP service entry to provide services as follows:

Service Isc-dhcp-server Start

Of course, if the service is already running, restart it:

Service Isc-dhcp-server Restart

After successful startup, you will see the following status

e). Next to turn on packet forwarding:

Modify a configuration file that is written directly with the echo command because only 1byte of data is in the file:

1 >/proc/sys/net/ipv4/ip_forward

f). Finally do some filtering on the firewall, you can simply switch off the firewall:

iptables-flushiptables-table nat-flushiptables-delete-chainiptables-table nat-delete-  -T-nat-a postrouting-o Eth0-j Masquerade

Finally, the phone can successfully connect the hotspot:

After grasping the bag with Wireshark, it is found that a large number of fish are hooked:

Attention:

The above actions should be done under root authority.

Karma Summary

Through the above analysis and demonstration we can draw:

1 . The efficiency of the Karma attack approach is that it proactively uses the SSID in space to forge spurious APs in real time, much more efficiently than traditional WiFi phishing attacks.  2. The place where the attack effect is optimal is outdoors, in which case the STA device is in an disconnected state, so it will not stop broadcasting the hot spots (entrained in the probe request package) to try to find, This is when Karma plays its power, and the user is attacked in a completely uninformed state.  3. Many apps do not have the ability to go below the middleman, and they can only be slaughtered for such phishing attacks.

Insufficient Karma

We mentioned above that the Karma attack is currently invalid for WPA/WPA2 for the following reasons:

1 when the STA connects to the open system hotspot, there is almost no authentication operation on both sides, so the STA is uniquely identified by the SSID in this case, and the SSID has no resistance under the Karma attack.  2. In comparison, wpa/WPA2 authentication method is much more cumbersome, and for two-way verification: that is, not only the AP to verify the STA, and in turn, STA also to verify the legality of the AP, of course, whether the legal basis is key.  3. So if Karma wants to disguise itself as an STA-connected WPA/WP2 encrypted AP, the verification process will not be completed unless the attacker obtains the password for the AP beforehand. For a detailed flow of WPA/WPA2, please refer to the relevant literature. We may also analyze them in subsequent articles.

Karma Defense

Currently tested, android4.x, WIN10 Mobile version (Developer Preview) will also be affected, the Iphone and Windows phone has not been tested.
The best way to solve this problem from the system and driver level is to disable active scanning and use passive listening to determine if there are any hot spots around the broadcast packet, so that the attacker cannot get the SSID, and it is impossible to forge it (in fact many devices will disable active scanning after entering power-saving mode).

For ordinary users, the most convenient solution is: go out of the WiFi function, or the phone is connected to the open hotspot record all deleted.

Reference documents

"802.11 wireless network authoritative guide" second Edition-Mattbew s.gast O ' Reilly Taiwan company translation

IEEE standard for information technology-telecommunications and information exchange between Systems-local and Metropoli Tan area Networks-Institute of electrical and Electronics Engineers, Inc.

Research on Karma Attack and principle of WiFi pineapple