If you really want to be scared about wifi, using airbase I can spoof your probes into thinking you're at home/work/school and your device will just automatically connect to me.
Let's say you go to Starbucks and I've got my honeypot running, you will automatically connect to my laptop and I'll just spoof your probes into thinking I'm your network. While connected to my smartphone or even Starbucks wifi I can see everything you do in clear text, spoof SSL, and then with driftnet see all the images you look at, and use ettercap to steal your sessions if need be.
And the best part, if I show up and Starbucks is already full of people I'd like to play with, I can just deauthenticate them all for a moment, and when I turn off the kill switch they all connect to me. None the wiser.
No offense, but it doesn't sound like you know fully what you're talking about.
As someone else said, for WPA, you can't simply spoof the home base. You have to know whatever password the device is configured for. And even if you did know that, you'd have to spoof the same MAC address for most computers to communicate with the device, which is more likely to just break everyone's internet connection, since the whole communication protocol relies on MAC addresses being unique.
> And the best part, if I show up and Starbucks is already full of people I'd like to play with, I can just deauthenticate them all for a moment, and when I turn off the kill switch they all connect to me. None the wiser.
Once again, the only way they're going to auto-connect to your network is if you have the same MAC address and password, and the interference would kill you. You're more likely to get fish on the hook if you make an AP with the same name and hope you trick some people who are frustrated with you shutting down the other network into trying it.
> Wifi security is a misnomer.
Not if you actually use WPA2, pick a good password, and make sure your users aren't connecting to random unsecured networks with the same name.
> No offense, but it doesn't sound like you know fully what you're talking about.
About that ...
MAC addresses are not checked unless you use an extra tool for this. For example, a large institution (university, company, etc) can have many access points, each with a unique MAC address. However the SSID is unique among all Access Points. Your device will only check the SSID, try to connect (using mutual authentication), but no MAC address checks take place. You don't need to know or use the MAC address of the target network to clone it. You can just use any MAC address you want, that is if you know the password of it, or are cloning an unprotected network.
Yeah, I wish I could edit my post, but I believe I was wrong about the MAC address needing to be the same. The major point is that the network needs to be unsecured and/or you already know the password. At that point, creating your own faux base station doesn't make a lot of sense when you can just sniff the packets on the wire or do arp poisoning to route traffic through you (if you want to modify traffic in real time, which is what I'm assuming he was referring to when talking about the SSL stuff).
Either way, Wi-Fi security certainly != "a misnomer."
That's fine, you can say no offense and then just say I don't know what I'm talking about, but I've used this all too often. The point of airbase-ng is to do all the things I described. You can read about what it's capable of here:
Starbucks, and most other 'portal' WiFi, is unencrypted. It would be nice if there were some (automated) method of 'upgrading' the connection (i.e. providing encryption without requiring the user to acquire and input a password). Maybe providing it over an SSL connection after you've agreed to the ToS?
The cheap (flawed, but better than nothing) way is to have the SSID be something like "Businessname Public (Password: iev8eiM9)" or similar, or just have it on a blackboard inside, which has the bonus of stopping people outside using it so easily.
The whole standard is a mess; it should have opportunistic encryption on open networks, then clients can display a warning if this doesn't happen for whatever reason ("Anything you send or receive over this network may be readable by others" or similar).
Wifi encryption is not going to help you much if anyone is able to connect to the network by just asking for the password; it won't protect you inside the network. If you want to be safe, use a VPN or SSH tunnel onto a server you trust.
Sure it is. Each separate WPA connection involves a unique nonce (actually four, IIRC); my laptop and your laptop aren't using the same key even if we sign in with the same password. (This gets to the problem that WPA is being used for access control, which is not what it's actually "for", but that's a separate question.)
If you are sniffing the 802.11 frames (and you should assume someone is) and you catch the entire 4-way handshake and the nonce generation is predictable you could reverse-engineer it, but then again you can say the same thing about a TLS connection too.
All WPA or WPA2 secured networks use mutual authentication. Since you do not know the password of my home network, my device will refuse to connect to it. In particular the 4-way EAPOL handshake will fail, since the challenge-response algorithm detects that you don't know the password. This is "only" an issue if you have open networks in your Network List.
I do agree with you that 802.11 security is lacking, but it's not always as straight forward as you make it out to be.
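To make the handshake argument in the comments above concrete, here is an added example (not code from the thread, and not airbase-ng's code) that models the WPA2-PSK 4-way handshake key derivation and MIC check. It uses the real 802.11i derivations (PBKDF2-HMAC-SHA1 for the PMK, the 802.11i PRF for the PTK, HMAC-SHA1 truncated to 16 bytes for the EAPOL-Key MIC), but the passphrases, SSID, MAC addresses and nonces are constructed sample values and the message bodies are simplified stand-ins for real EAPOL-Key frames. It shows two things: an AP that does not know the PSK cannot produce a message 3 the client will accept, and two clients sharing one passphrase still end up with different pairwise keys.

```python
"""Model of WPA2-PSK 4-way handshake key derivation and MIC verification.

Added example. Real derivations, constructed sample values, simplified
EAPOL-Key frame bodies (the MIC is computed over a stand-in body, not a
full 802.11 frame).
"""
import hashlib
import hmac
import os

# Constructed sample values (not from any real network).
SSID = "home01284"
AP_MAC = bytes.fromhex("02aabbccddee")
STA_MAC = bytes.fromhex("021122334455")
ANONCE = bytes(range(32))        # in reality: 32 random bytes chosen by the AP
SNONCE = bytes(range(32, 64))    # in reality: 32 random bytes chosen by the client


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < 64:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).

    CCMP only uses the first 48 bytes; the KCK used for the EAPOL MIC is the first 16 either way.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame_body: bytes) -> bytes:
    """EAPOL-Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 16 bytes.

    The real MIC is computed over the whole EAPOL-Key frame with the MIC field zeroed;
    here `frame_body` is a constructed stand-in that already omits the MIC field.
    """
    return hmac.new(kck, frame_body, hashlib.sha1).digest()[:16]


def four_way_handshake(sta_passphrase: str, ap_passphrase: str, ssid: str = SSID,
                       ap_mac: bytes = AP_MAC, sta_mac: bytes = STA_MAC,
                       anonce: bytes = ANONCE, snonce: bytes = SNONCE):
    """Run the handshake with each side using its own belief about the passphrase.

    Returns (ap_accepts_msg2, sta_accepts_msg3). A rogue AP that only cloned the SSID
    has the wrong PMK, so its message 3 MIC fails at the client and the client bails.
    """
    sta_kck = derive_ptk(pmk_from_passphrase(sta_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    ap_kck = derive_ptk(pmk_from_passphrase(ap_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]

    # Message 1 (AP -> STA) carries ANonce in the clear and has no MIC.
    # Message 2 (STA -> AP): SNonce plus a MIC under the client's KCK; the AP verifies it.
    msg2_body = b"\x02" + snonce
    ap_accepts = hmac.compare_digest(eapol_mic(sta_kck, msg2_body), eapol_mic(ap_kck, msg2_body))

    # Message 3 (AP -> STA): ANonce again (plus the GTK) with a MIC under the AP's KCK;
    # the client verifies it before installing any key.
    msg3_body = b"\x03" + anonce
    sta_accepts = hmac.compare_digest(eapol_mic(ap_kck, msg3_body), eapol_mic(sta_kck, msg3_body))
    return ap_accepts, sta_accepts


def same_passphrase_different_keys(passphrase: str, ssid: str = SSID) -> bool:
    """Two clients with the same PSK derive different PTKs: the nonces and MACs differ."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    ptk_a = derive_ptk(pmk, AP_MAC, STA_MAC, os.urandom(32), os.urandom(32))
    ptk_b = derive_ptk(pmk, AP_MAC, bytes.fromhex("026655443322"), os.urandom(32), os.urandom(32))
    return ptk_a != ptk_b


if __name__ == "__main__":
    print("legit AP:", four_way_handshake("correct horse battery", "correct horse battery"))
    print("rogue AP with cloned SSID only:", four_way_handshake("correct horse battery", "rogue-guess"))
    print("two clients, same PSK, different PTKs:", same_passphrase_different_keys("correct horse battery"))
```

Note the only thing the rogue AP gets out of a client that keeps the WPA2 profile is message 2 (SNonce plus a MIC), which is exactly the material an offline dictionary attack on the PSK needs; the client itself never finishes the handshake with an AP that fails the message 3 check.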
It's early and I may be forgetting something... but assuming their home network isn't an open network, how would you get a client to authenticate to your rogue network? Even though the client would think it was the same network, authentication should fail because the client would attempt to use the stored credentials, and you almost certainly wouldn't know their passkey. Thus, causing the client to receive a message indicating an issue with authentication.
Are you inferring that you would brute force the WPA2 passkey for their network with something like cowpatty? Are dictionary attacks really that easy to pull off these days? Mind you, it's been almost ten years since I've played around with WiFi cracking.
It's so much easier than you think. Your laptop sends out a probe asking if "home" ssid is there. My laptop says "yep, I'm home!" and it connects. As easy as that. It doesn't matter if your home network was WPA2 or PEAP, it connects you and you're good to go.
Usually in a place like Starbucks the open wifi is open so I can just pretend to be that network and force everyone to connect to me instead.
I just checked my wireless controller to verify my thought process, and each time I switched wireless profiles (all of which are saved on my device) the 802.1X auth (EAPOL) process is used. I'm a little rusty on my wireless security, but wouldn't this same process occur for the rogue network?
Like you said though, if you sit in an area with existing open wireless, none of that will come into play.
Almost positive, I tested it on my machines and my friends laptops while in college. I remember it working because I could see the SSID that their machine connected to, which at the time was LEAP or PEAP authentication and they were able to browse the web without fail. Their machines were macs if that makes any difference.
So... my home network's SSID needs to be set to "home" for that to work? You are just spoofing an SSID? That's not so bad. Usually when TWC, ATT, etc, give you a router/modem it is set to some random string. A lot of people don't change that (lived in 7 apartments in 5 years), so you'd only grab the people that literally set their SSID to "home" then.
If your laptop is used to connecting to "home01284", it will send out a probe "hey home01284, are you out there?". Anyone nearby who gets this packet can respond, "yes, I'm home01284, connect to me!" They don't have to know a priori what SSID you were looking for, because your machine specifically advertises it.
If you're already connected to the same network/AP you can just ARP spoof[1] to MITM your victim, but any service halfway serious about security has been using HSTS[2] for some time now, so SSL stripping/downgrade attacks are not going to work, well, except of course for those Lenovo laptops equipped with SuperFish, thanks Lenovo!
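The ARP spoofing mentioned in the comment above leaves a signature on the segment that a host can watch for. Here is an added example (not from the thread) of a small ARP-cache poisoning detector run over a constructed trace of ARP replies: it tracks the IP-to-MAC bindings replies announce, alerts when a known binding changes, and alerts when a single MAC starts answering for both the gateway and another host, which is the pattern of a full two-sided MITM. The `ArpReply` record, the addresses and the trace are all constructed for the example.

```python
"""ARP-cache poisoning detector over a constructed trace of ARP replies.

Added example. `ArpReply`, the addresses and the sample traces are constructed;
a real deployment would feed this from a packet capture of ARP replies.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # the IP the reply claims to own
    sender_mac: str   # the MAC it binds that IP to
    target_ip: str
    target_mac: str


GATEWAY_IP = "10.0.0.1"


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return a list of alert strings for the bindings announced in `replies`."""
    binding = {}                 # sender_ip -> sender_mac most recently announced
    claimed = defaultdict(set)   # sender_mac -> set of IPs that MAC has claimed
    reported_mitm = set()        # MACs already flagged for the two-sided pattern
    alerts = []
    for r in replies:
        prev = binding.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            alerts.append(f"binding change: {r.sender_ip} moved from {prev} to {r.sender_mac}")
        binding[r.sender_ip] = r.sender_mac
        claimed[r.sender_mac].add(r.sender_ip)

        # One MAC claiming the gateway *and* some other host is the classic full MITM:
        # the attacker tells the victim "I am the gateway" and the gateway "I am the victim".
        others = claimed[r.sender_mac] - {gateway_ip}
        if gateway_ip in claimed[r.sender_mac] and others and r.sender_mac not in reported_mitm:
            reported_mitm.add(r.sender_mac)
            alerts.append(f"mitm pattern: {r.sender_mac} answers for {gateway_ip} and {sorted(others)}")
    return alerts


# Constructed traces. Gateway is 10.0.0.1, victim is 10.0.0.7, attacker MAC is de:ad:be:ef:00:01.
CLEAN_TRACE = [
    ArpReply("10.0.0.1", "00:11:22:33:44:01", "10.0.0.7", "00:11:22:33:44:07"),
    ArpReply("10.0.0.7", "00:11:22:33:44:07", "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply("10.0.0.1", "00:11:22:33:44:01", "10.0.0.9", "00:11:22:33:44:09"),
]
POISONED_TRACE = CLEAN_TRACE + [
    # attacker -> victim: "10.0.0.1 is at de:ad:be:ef:00:01"
    ArpReply("10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.7", "00:11:22:33:44:07"),
    # attacker -> gateway: "10.0.0.7 is at de:ad:be:ef:00:01"
    ArpReply("10.0.0.7", "de:ad:be:ef:00:01", "10.0.0.1", "00:11:22:33:44:01"),
]


if __name__ == "__main__":
    print("clean:", detect_arp_poisoning(CLEAN_TRACE))
    for alert in detect_arp_poisoning(POISONED_TRACE):
        print("poisoned:", alert)
```

A binding change on its own can be legitimate (a host got a new NIC, DHCP handed an address to someone else), so the first alert type is a signal to correlate; the two-sided pattern is much harder to explain away and is what tools like ettercap produce when they MITM a victim against the gateway.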
What you're talking about works for unencrypted networks, but you can just grab that data off the air anyway. It won't work for WPA2.
>spoof ssl
Only if either they blindly accept invalid certs, or you somehow already installed a root CA on their boxen.
Sounds to me like you found an all-in-one tool, which doesn't make you understand how the process works or its limitations. I would agree that many wireless networks are hideously insecure (why I SSH tunnel my traffic when I'm on one), but it isn't that bad unless you're either running unauthenticated or using WEP.
Wifi security is a misnomer.
Here is an example I made in 2008.
https://www.youtube.com/watch?v=Wx5vGfxBanI