Showing posts with label CRACK. Show all posts
Showing posts with label CRACK. Show all posts

Wi-Jacking: Accessing your neighbour’s WiFi without cracking

UPDATE (5th September 2018). Since we published our original report, Google has now resolved the underlying vulnerability. The latest update of Chrome (tested against version 69.0.3497.81) addresses the issue we highlighted in this blog, where credentials are auto-filled on unencrypted HTTP pages. This makes the attack require significantly more user interaction, in the same way that Firefox, Edge Internet Explorer and Safari do.  This makes the exploit much closer to a phishing attack and much less likely to succeed.
It is important to note that the latest version of Opera is still vulnerable as of 2018-09-05, but will hopefully also be quickly patched. This is a positive response from Google and is great to see following our original report to them in March 2018.
As per our originally-proposed solution, it would also be great to see Microsoft adjust captive portals in Windows to behave in a similar way to those in MacOS (separate browser) and for router manufacturers to enforce HTTPS management by defaults on their devices. These changes would further limit this vector of attack.

Original Article:

During a recent engagement we found an interesting interaction of browser behaviour and an accepted weakness in almost every home router that could be used to gain access a huge amount of WiFi networks.
The browser behaviour relates to saved credentials. When credentials are saved within a browser, they are tied to a URL and automatically inserted into the same fields when they are seen again. The accepted home router weakness is simply the use of unencrypted HTTP connections to the management interfaces.
By combining these two components it was possible to gain access to various networks without cracking a single handshake, which is the currently most-used method of gaining access to a WPA/WPA2 network but requires a weak passphrase. The attack should work on most networks, but there are a few pre-requisites that need to be met for the attack to succeed:
  • There MUST be an active client device on the target network
  • Client device MUST have previously connected to any other open network and allowed automatic reconnection
  • Client device SHOULD* be using a Chromium-based browser such as Chrome or Opera
  • Client device SHOULD** have the router admin interface credentials remembered by the browser
  • Target network’s router admin interface MUST be configured over unencrypted HTTP
auto-connect to open wifiremember router admin password
Without those five pre-requisites, the attack is not possible. However, those are all somewhat likely occurrences given that most browsers prompt users to save credentials automatically. The main pre-requisites that lower the likelihood are Chromium usage and saved router credentials, but this will still affect a huge number of people.
*Firefox, IE/Edge and Safari require significant user interaction, so attack does work, but is more of a social engineering based. With Chrome it is significantly more seamless.
**If the router’s admin interface credentials are not saved, it is still possible to attempt to guess default values
It is also important to note that the attack has been demonstrated against home routers by extracting the WiFi key directly from the web interface. However, other devices can be targeted if they have a semi-predictable URL that is exposed over unencrypted HTTP. Many IoT devices fit into this category but none were specifically tested here.
Before getting to the meat of the attack, we are assuming that you are already familiar with the Karma/Jassager attack. Karma is used in part of the workflow and if you are not familiar with it, consider reading the following article:

Now for the actual walkthrough


Step 1. Bring the client device onto a network we control:

The first step is to start sending deauthentication requests with aireplay-ng and with the Karma attack using ‘hostapd-wpe’, both with an Alfa AWUS036NHA.
connected to home wifi
deauth attack
connected to open network

Step 2. Trigger the browser to load our URL:

We did this with ‘dnsmasq’ and a Python script. When we see a HTTP request, we create a response redirecting to our URL and serve our own page.
The URL and served page are different depending on the router we’re targeting. We can detect which URL/Page pair to send based on BSSID and ESSID or just take a guess, the range of options is limited anyway.
There are some extra options for redirection too. By default, we allow HTTPS through untouched and wait for an HTTP request. But if this is taking too long, triggering captive portal detection on Windows will automatically launch the default browser at a URL we specify. However, there are limitations to triggering a captive portal, primarily against MacOS, which launches a separate browser specific to dealing with captive portals, preventing us from accessing stored credentials.
portal flask app
wifi credential capturing page

Step 3. Steal the autocomplete credentials:

This is where things get interesting. When our page loads, the browser makes two initial checks.
  1. Does our URL origin match the router’s admin interface origin (protocol & IP address/hostname)
  2. Do the input fields on the page match what the browser remembers of the router’s interface
If these two checks pass, then the browser automatically populates our page with the saved credentials. In this case, the router’s admin details. Naturally these input fields are completely hidden from the target.
If the target is using Chrome, there is one more step: The Chromium feature “PasswordValueGatekeeper” requires a user to interact with the page in some way. A click anywhere on the page is fine, and after the click we can harvest the credentials.
If the target is using Firefox, Internet Explorer, Safari or Edge, then we can’t have the input fields hidden. The attack would still work, but only if the target clicks on our form field and select their credentials from the drop-down instead. At this point the attack is mostly social engineering.
But let’s not stop here, these credentials are almost useless right now. There’s even a good chance we might have guessed them before we even started the attack (for example, admin:password) but we can’t use them from our current position on the outside of the network.

Step 4. Send the target to their home WiFi

Once we have the credentials, we want the target to keep our page open just a little longer. At this point we stop our Karma attack, releasing the target back to their own network.
connected to home wifi
Once the target device is successfully connected back to their original network, our page is sitting on the router admin interface’s origin with the admin credentials loaded into JavaScript. We then login using an XMLHttpRequest and grab the PSK or make whatever changes we need. In most WiFi routers that we tested, we could extract the WPA2 PSK directly from the web interface in plaintext, negating the entire need to capture a handshake to the network. But if a router hides the key, we could enable WPS with a known key, create a new access point or anything else we can do from within the router’s interface.
We wouldn’t even need to know the HTML structure of the router’s interface. We could just grab the entire page DOM, send it home and extract anything useful by hand. Using BeEF Project it would also be possible to proxy through to the page, granting the attacker access to the router interface as if they were logged in directly.
credentials captured

Solution

Fundamentally this is just a flaw in the way origins are shared and trusted between networks. In the case of home routers, they are predictable enough to be a viable target.
The easiest solution would be for browsers to avoid automatically populating input fields on unsecured HTTP pages. It is understandable that this would lower usability, but it would greatly increase the barrier to credential theft.
The most complete solution would be to implement HTTPS with trusted keys and certificates on these devices. But this requires support for custom HTTPS certificates as well as your own certificate management infrastructure, in an enterprise this is commonplace but for home users this is extremely unlikely. Vendors might consider implementing HTTPS on their devices by default, but those keys could simply be stolen by anyone with one of the devices by reverse-engineering the firmware.
Microsoft could also make the process more difficult to exploit by using a separate captive portal browser instead of simply launching the default browser similar to how MacOS behaves.

Disclosure Timeline

Chromium:
  • SureCloud: Disclosed March 2nd
  • Chromium: Response Received March 2nd (“working as designed”)
Microsoft
  • SureCloud: Disclosed March 27th
  • SureCloud: Chase Sent April 13th
  • [Microsoft’s messages were all being flagged as spam]
  • Microsoft: Response Received May 25th (Clarification requested)
  • SureCloud: Clarification Sent June 4th
  • Microsoft: Case opened June 5th
  • Microsoft: Requested disclosure details June 6th
  • SureCloud: Clarification sent June 6th
  • Microsoft: Flagged for consideration, but no immediate action June 21st
Asus
  • SureCloud: Disclosed March 21st
  • Asus: Responded March 22nd (Discussing with engineers)
  • SureCloud: Discussing solutions April 4th
  • SureCloud: Sent notice to publish May 25th
  • Asus: Discussing solutions June 11th
  • SureCloud: Discussing solutions and notice to publish July 11th
Following the discussions with ASUS, it’s became clear we’d exhausted all options for ethical disclosure with this Proof of Concept.

References

While this was only discovered after disclosing to Chromium, someone named Chris had beaten us to the underlying idea. We have however taken it much further and demonstrated a real-world attack.
Our submission (merged into original): https://bugs.chromium.org/p/chromium/issues/detail?id=818156

Tools

All the tools used to perform the attack are standard components of Kali except for router specific payloads themselves and the selection script.
A copy of the scripts we’ve used can be found here:
These are Proof of Concept only and the community will no doubt take this attack much further. The long-term goal is to build a module for the WiFi Pineapple to automate the attack, with this is expected in the coming months.

Video

Mitigations


As highlighted we are exploiting ‘by design’ features, which will hopefully change with public release of this article. However, in the meantime there are a few key steps that can be taken to help protect yourself:
  • Only login to your router using a separate browser or incognito session
  • Clear your browser’s saved passwords and don’t save credentials for unsecure HTTP pages
  • Delete saved open networks and don’t allow automatic reconnection
  • As it is nearby impossible to tell if this attack has already happened against your network, change your pre-shared keys and router admin credentials ASAP. Again, use a separate/private browser for the configuration and choose a strong key.



via surecloud

Wi-Fi security may be cracked, and it's a very, very bad thing... Have we said that this is bad?



Wi-Fi, the wireless data transfer technology practically all of us use on a daily basis, is in trouble. 

The WPA2 security protocol, a widespread standard for Wi-Fi security that's used on nearly every Wi-Fi router, has apparently been cracked. 
The details on the security exploit, which is called KRACK, or Key Reinstallation Attacks, are to be released at 8am ET Monday on the site www.krackattacks.com.
But according to a new advisory by US-CERT, via Ars Technica, there are "several key management vulnerabilities" in WPA2, allowing for "decryption, packet replay, TCP connection hijacking, HTTP content injection." The worst part? These are "protocol-level issues," meaning that "most or all correct implementations of the standard will be affected."
We'll know more when the details about KRACK are released, but if it turns out that one can use this exploit in a fairly simple and reliable way, then this is one of the biggest online security threats ever.  
To see why, one has to go just a little bit back into the past. Wi-Fi used to be secured with a standard called WEP, which was found to be vulnerable to a multitude of attacks, many of which don't require the attacker to have physical access to the Wi-Fi equipment or even be connected to the network. Over time, tools that make these attacks simple have been developed, and now, if your Wi-Fi is protected by WEP, there's a choice of simple mobile and desktop apps that crack your password in seconds (no matter how long or complicated it is). 
Because of these issues, WEP was mostly replaced with WPA and, later, WPA2, which are far more secure. Though there were ways to crack a WPA2-protected Wi-Fi router, if your password was long and complicated enough, it made it a lot harder or nearly impossible to do. 
(For completeness' sake, one hacking tool, called Reaver, can crack WPA2-protected routers no matter the password, but it's fairly simple to protect your router — you simply have to turn off a feature called WPS.)
If this latest vulnerability is similar to the way WEP is vulnerable — and it looks like it is at the moment — then it won't matter how strong a password you chose. This would make hundreds of millions of routers out there, used by individuals and businesses alike, open to hackers. It would mean that, if you care about security, you should not use Wi-Fi at all until this is fixed. At the very least, you should use HTTPS connections whenever possible, and a good VPN might add another layer of security.
And fixes for these types of things don't come easy. Some routers will probably get a firmware update, but a lot of home users might not know how to apply it, or be aware that this is a threat. Again, going back to the time when WEP was cracked in 2001, it took years for ISPs to start shipping routers with WPA and WPA2 enabled as default, leaving many customers wide open to attacks.  
We'll know more after the announcement today; stay tuned for updates. 

Wi-Fi Technologies: Emerging Business Models

Consumer use of Wi-Fi is on a steep rise. With the coming 5G era, Wi-Fi's role as a core technology in service providers' network strategy will be further strengthened, but it will also face uncertainties as the use of unlicensed spectrums by mobile operators becomes more prevalent.
This industry report provides analysis of Wi-Fi technologies and emerging business models related to public Wi-Fi hotspot services.

Key Topics

• Consumer use of Wi-Fi and hotspot services 
• The entry of Wi-Fi-first mobile service providers and the potential impact on mobile operators' business 
• New Wi-Fi standards and the growing use of Wi-Fi technologies in mobile operators' HetNet network strategy 
• Global forecast of revenues from public Wi-Fi hotspot services targeting both consumers and business customers 

Hilarious Wifi names

optimum wifi

optimum wifi

Access Video Sites


Bypass Work Restrictions.

100% Free - Download Now!

{KeyWord:VPN for WiFi}

Fast, Free, Secure VPN for WiFi.

Protect Your Data - Download Now!


See his secret online profiles now!

 

router spy software




FTC Says Hotel WiFi is Dangerous

Recently, the FTC posted an article on their website stating that hotel WiFi is dangerous and that users should not assume that just because they pay for Internet access that their connection is secure.
We couldn’t agree more. In fact, I have been stating this fact since we launched PRIVATE WiFi nearly five years ago. This is an important topic because hotel travelers rank WiFi access at hotels as the number one amenity that they look for when booking hotel rooms.

Why Hotel WiFi is Dangerous

The FTC’s announcement is important because many travelers assume that using a WiFi network at a hotel is the same as logging into their network at home. That’s a dangerous view, because in actuality the risks in accessing a WiFi network at a hotel are exponentially greater than those experienced at home or in an enterprise setting.
Here’s the unvarnished truth about hotel WiFi networks: they are completelyunsecured. Here’s another fun fact: when hotel WiFi networks get hacked, they don’t usually find out until months after.
There are two kinds of risks you should be aware regarding hotel WiFi networks:
  • All public WiFi networks are inherently insecure. Nothing new here, as I have been saying this for years, but it bears repeating: if a WiFi network is public, that means anything you do online can be tracked and captured. And this includes almost all hotel WiFi networks.
  • Even fully wired Ethernet connections are unsafe. This means even if you are plugging your computer directly into the hotel’s network, you are still in danger of being hacked.
The truth is that it’s difficult to make public WiFi safe, and most hotels are trading security for a WiFi network that is easy to login to and provides them a steady revenue stream. These facts are reflected in the recent Marriott WiFi debacle, in which the hotel conglomerate intentionally blocked personal WiFi hotspots of all guests. The brand maintained that it was doing this to protect guest security on WiFi networks but in reality, they were looking to protect their bottom line.
No matter which hotel you stay, or whether the purpose of your trip is business or pleasure, security on WiFi is up to you.

What the FTC Says You Should Do to Protect Yourself

The FTC offers pretty good advice on what you can do to protect yourself when accessing a hotel WiFi network. Below are some of the tips they offer:
  • When you have finished using an account, be sure to log out of that account.
  • Do not use the same password for all of your accounts. It could give someone who gains access to one of your accounts access to all of them.
  • Many web browsers alert users who try to visit fraudulent websites or download malicious programs. Pay attention to these warnings, and keep your browser and security software up-to-date.
  • If you regularly need to access online accounts through public WiFi networks, you may want to use a virtual private network (VPN).
I couldn’t agree more with that last point. Only a VPN like PRIVATE WiFi encrypts all your Internet communication from being intercepted by others, whether on a WiFi or Ethernet network.
This is a good rule to live by: never rely on hotels (or any other WiFi provider) to protect you when you use their networks. Never assume that any network is safe, and especially don’t assume that just because you paid for access to it.
No one else is looking out for your security when you use WiFi networks. You need to protect yourself.





Will an 802.11ac Router Do Anything for My in Home Wifi

Will an 802.11ac router do anything for my in home wifi if the only device I have that uses a 5GHz antenna is my iPad 2? Even backwards compatible, the AC benefits are really only likely to be visible with 5GHz devices, right?

The iPad 2 does not support 802.11ac, only 11n.  So it will benefit from 5GHz on 11n at least.