Like most transformational technologies, WiFi has both a positive and a negative side. The ease of use offered to the user by a modern WiFi device is matched only by the ease with which it can be exploited by an attacker. With the proliferation of mobile computing, it's never been more important to make sure client devices are connecting only to approved networks; but unfortunately, it's also never been easier for attackers to make sure that doesn't happen.
One technique which can be used to lure unsuspecting WiFi users is known as an EvilAP. This is a collection of software and appropriate hardware which allows for the creation of a rogue access point that is indistinguishable from a legitimate WiFi network to the casual observer.
Once a client has connected to such a network (often without the user’s knowledge), the attacker has full control of all information going into and out of the device, and can deploy various tools to modify or monitor the victim’s communication. From the perspective of the victim, their usage of the Internet will be unhindered, and it’s unlikely they’ll ever suspect they’ve been compromised.
Setting up a rogue access point and running the appropriate tools to capture a victim's credentials is trivially easy with modern software and penetration testing products. Using the Pwnie Express Pwn Pad tablet, a rogue access point and associated network monitoring tools can be deployed in literally seconds while remaining mobile for the entirety of the operation.
To start, simply connect the included external WiFi adapter and tap the "EvilAP" icon under the "Wireless Tools" folder on the Pwn Pad main screen. This will bring up a dialog asking which interface you're currently using to connect to the Internet. Here you'll have the option of using a cellular connection, the Pwn Pad's internal WiFi, or even a USB-connected Ethernet device.
Once you’ve selected your source interface, you’ll then be asked what you want to call this rogue AP. You can hit the Enter key to go with the default “Public_Wireless”, or enter your own SSID. Next, you can enter what channel you want to run the AP on. The default (Channel 1) should be fine here, as there’s generally not as much traffic on the lower channels.
At this point you need to decide if you want to run in the so-called aggressive or static mode. Aggressive mode will net you more results, but it can be overwhelming in high traffic areas, as you’ll get connections from all devices rather than just those with the matching SSID.
Finally, you’ll be asked which beacon rate you want to use. Try the default of 30 to start with, but this value can be adjusted up or down a bit if you find you’re having trouble keeping clients connected.
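Everything configured in the steps above (the SSID, the channel, whether the AP answers only its own SSID or every device that probes, and the beacon rate) is observable over the air by anyone monitoring the 802.11 management frames. The following Python example, added here and not part of the original article or the Pwn Pad software, shows how a defender can flag such an access point from a scan: it takes a constructed list of beacon/probe-response summaries (the record layout and the sample MAC addresses and SSIDs are assumptions for this example) and reports any BSSID that either advertises an approved SSID from hardware not on the allowlist, or answers as several different SSIDs, which is the behaviour of an AP that accepts connections from all devices rather than just those looking for its own SSID.

```python
"""Rogue access point heuristics over summarised 802.11 management frames.

Added example (not from the original article). Assumed record layout:
each frame is a dict with keys bssid, ssid, channel, frame ('beacon' or
'probe_resp') and dst (destination MAC). Real captures would be produced by
a monitor-mode interface; here the frames are constructed inline.
"""
from collections import defaultdict

# Approved SSIDs and the BSSIDs (AP MAC addresses) allowed to serve them.
# Constructed sample values.
APPROVED = {
    "CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed sample capture: one legitimate AP on channel 6, and one
# unknown AP on channel 1 that beacons "Public_Wireless" but also answers
# probe requests for every SSID nearby clients ask about.
SAMPLE_FRAMES = [
    {"bssid": "aa:bb:cc:00:00:01", "ssid": "CorpWiFi", "channel": 6,
     "frame": "beacon", "dst": "ff:ff:ff:ff:ff:ff"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "Public_Wireless", "channel": 1,
     "frame": "beacon", "dst": "ff:ff:ff:ff:ff:ff"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi", "channel": 1,
     "frame": "probe_resp", "dst": "11:22:33:44:55:66"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "HomeNet", "channel": 1,
     "frame": "probe_resp", "dst": "11:22:33:44:55:77"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "Airport_Free", "channel": 1,
     "frame": "probe_resp", "dst": "11:22:33:44:55:88"},
]


def find_rogue_bssids(frames, approved, multi_ssid_threshold=3):
    """Return {bssid: [reason, ...]} for every BSSID that looks rogue.

    Two heuristics:
      1. An approved SSID is being served by a BSSID not on its allowlist
         (an "evil twin" of a network clients already trust).
      2. One BSSID answers as many distinct SSIDs, which a legitimate AP
         with a single SSID does not do.
    """
    findings = defaultdict(list)
    ssids_per_bssid = defaultdict(set)

    for f in frames:
        bssid = f["bssid"].lower()
        ssid = f["ssid"]
        ssids_per_bssid[bssid].add(ssid)
        if ssid in approved and bssid not in approved[ssid]:
            reason = (f"serves approved SSID {ssid!r} from unapproved BSSID "
                      f"on channel {f['channel']}")
            if reason not in findings[bssid]:
                findings[bssid].append(reason)

    for bssid, ssids in ssids_per_bssid.items():
        if len(ssids) >= multi_ssid_threshold:
            findings[bssid].append(
                f"answers as {len(ssids)} different SSIDs: {sorted(ssids)}")

    return dict(findings)


if __name__ == "__main__":
    for bssid, reasons in find_rogue_bssids(SAMPLE_FRAMES, APPROVED).items():
        print(bssid)
        for r in reasons:
            print("  -", r)
```

The allowlist check is the one that matters most for a managed fleet: an SSID your users trust appearing on an unknown BSSID is exactly the condition that lets a client join silently. The multi-SSID heuristic catches the "aggressive" configuration even when the SSIDs involved are not on your list; tune `multi_ssid_threshold` to your environment, since some enterprise APs legitimately beacon several SSIDs from one radio.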
The hard part's over; now it's time to layer attacks on top of our fake access point and start collecting data.
From the “Attack Tools” folder on the home screen, tap the “SSL Strip” icon, and choose which interface you want to sniff on (for each tool, you’ll want to select the EvilAP interface, at0).
Head back to the Pwn Pad’s main screen and open up the “Network Tools” folder, where you’ll find the next two tools, “Strings Watch” and “Dsniff”. For both tools, select the at0 interface and confirm you want to log results.
That’s it. Now with just a swipe of your finger you can switch between terminal windows running the various tools and watch the results as they flow through the Pwn Pad in real-time. Results will also be stored in /opt/pwnix/captures/passwords/ for later analysis, so you won’t even have to watch the screen.
The Pwn Pad running an EvilAP in a crowded public place like a coffee shop will likely produce a log file brimming with credentials from multiple users and services in a relatively short time. Since the victim's experience using the Internet was not significantly different from normal, there's little chance anyone who connects to the EvilAP will ever question its legitimacy until it's too late.