Transcript for:
Wifi Network Attacks and How to Stay Safe

How do hackers attack wifi networks? Are you safe? Is yours vulnerable? In this video, we'll break that down. I'll show you how three levels of hackers, a noob, a hipster, and a pro, will attack a wifi network. We're going to simulate this at Bear Cave Coffee, a delightful coffee shop in downtown Mesquite, Texas. We'll break down every attack, showing you how it works and how you can keep yourself safe. Get your coffee ready. Let's do this.

Again, three levels of hackers, noob, hipster, and pro, will waltz in and try to attack their targets, the wifi network and the individual people in that coffee shop, just trying to sit there and enjoy their coffee, poor schmucks. Now, disclaimer, I will be displaying and demoing real wifi attacks. You should not use any of these on anyone without explicit permission. Now, if you want to test them out in your house, on your friends and family with permission, go for it. Have fun, practice, teach. Otherwise, don't do this to anybody. You will get in trouble. This is illegal.

Now the first attack is stupid easy to do, but super effective. It's called a man in the middle attack and honestly, you'll never even know what's happening. So check this out. The noob, he waltzes into the coffee shop, happy go lucky, not even shy about what he's about to do. All he needs for this attack is a laptop, and that's it. He watched a few YouTube videos and learned how to install Kali Linux, a professional hacking operating system, which is pretty cool. Now, like most public places and coffee shops, there's free wifi. No need to hack into it, which, by the way, you can hack into a wifi network and get the password. I'll show you how to do that here in a moment. But the wifi password's right there on the wall. He connects to it and begins to find his victims. Again, this is stupid easy. He fires up Kali Linux and with one command launches a tool called Bettercap. Now the noob hacker's going to start with a bit of recon.
The first stage of any good hack. He'll turn on net.probe, enabling him to scan the current wifi network and find targets. And then he'll type in net.show to see what he's found. It's his lucky day. There's his target right there. Now it's time for the man in the middle attack. Again, scary, effective. Here's what's happening on the wifi network. At the coffee shop, we have our target just sitting there chilling on his laptop, drinking coffee. His laptop is connected to the wifi router, and every time he wants to visit a website, he tells the router, Hey, I want to go to networkchuck.com, and the router connects it. Focus on the fact that the conversation's happening right now between the target and the wifi router, how it should be. But the noob hacker wants to get in the middle of this conversation, and that's exactly what he does. Check this out. What the noob hacker wants to do here is first, he wants to trick the wifi router. He's going to tell him, Hey, the target, we'll call the target Bob, because I'm getting tired of saying the target. Bob's not over there anymore. I'm Bob. Anything you had to say to Bob, you say to me. And that's what he does. This is called ARP spoofing. ARP is what devices use in a network to discover where things are. So if the wifi router is in a crowded room, let's say a party, and he wants to find Bob, he'll send an ARP message: Bob, where are you? And Bob, hearing that message, will say, I'm by the bathroom. So now the wifi router knows where Bob is, and he can send Bob a message or keep talking to him or whatever. But in this situation, the hacker's going to mess with the ARP communication. The wifi router thinks Bob's in the bathroom, but the hacker's going to come in and just yell, Hey, wifi router, I'm Bob and I'm by the stairs. And the router, let's face it, he's kind of a dumb dumb. So he is like, okay, you're Bob now. And then the attacker does the same thing to Bob. He goes, Hey Bob, I'm the router. I'm by the stairs.
And he sends this malicious ARP packet to Bob, and your device, it's kind of a dumb dumb, so it's going to believe it. So now, do you see what's happened? The target thinks the hacker is the router. So when he wants a website, he's going to send it to the hacker, and the hacker will forward it along. No big deal. He'll send it to the router. That way things seem to work like usual, and that's kind of the goal here. You don't want the target to know he's being hacked. Now, on the flip side, when the wifi router is ready to send the networkchuck.com webpage back to Bob, he thinks Bob is the attacker, and the attacker has effectively placed himself right in the middle. He's the man in the middle.

Let's do that right now. The attacker will set up his ARP spoof by setting it to full duplex mode, and then he'll specify his target, the guy identified in his probing earlier. So now, with that said, all he has to do is turn ARP spoofing on with one command. And before I do that, I want to open up a packet capture program called Wireshark. What this will do is actually capture everything it's seeing going across the network. And because all the network traffic between the target and the router is going through the hacker here, we're going to see a lot. So I'm going to start tracking, or capturing, on wlan0, the interface he is working on. I'm going to look for an IP source address of, what was the IP address again? 1 9 6. You'll watch this flood in as I take over, turning on ARP spoofing. Boom. Did you see that? Now I'm seeing everything. Every bit of internet this person's visiting is coming through me. I can see it. I'm the hacker. Now, in case you didn't know, if I change my filter to DNS, I'll just go to networkchuck.com. You can see right there all the requests coming through. I can see every website being visited. Now what's scary is the noob hacker didn't have to know what ARP spoofing is or how a man in the middle attack works.
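Added example, not code from the video or from Bettercap: a small passive ARP-spoofing detector in Python that looks for the two symptoms of the full-duplex spoof just described, an IP whose MAC suddenly changes and one MAC claiming several IPs. The ARP replies it reads are a constructed list with hypothetical addresses (192.168.1.1 plays the router, 192.168.1.50 plays Bob, de:ad:be:ef:00:99 is the attacker's laptop); on a real host you would feed it replies from a sniffer or from periodic reads of the ARP cache.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as seen on the wire: 'sender_ip is at sender_mac'."""
    ts: float
    sender_ip: str
    sender_mac: str


# Constructed sample traffic (hypothetical addresses). The router is 192.168.1.1,
# Bob is 192.168.1.50, and de:ad:be:ef:00:99 is the attacker's laptop.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),  # genuine router reply
    ArpReply(0.5, "192.168.1.50", "aa:bb:cc:00:00:50"),  # genuine reply from Bob
    ArpReply(1.0, "192.168.1.1",  "de:ad:be:ef:00:99"),  # "I'm the router" (spoof)
    ArpReply(1.1, "192.168.1.50", "de:ad:be:ef:00:99"),  # "I'm Bob" (spoof, full duplex)
    ArpReply(2.0, "192.168.1.1",  "de:ad:be:ef:00:99"),  # repeated to keep caches poisoned
]


def detect_arp_spoofing(replies, gateway_ip=None):
    """Return a list of alert dicts for the replies given.

    The first MAC seen for each IP is taken as the baseline (on a real network
    you would seed this from DHCP leases or a static inventory instead).
    A conflict on the gateway IP is rated critical, since that is what puts the
    attacker between a client and the internet.
    """
    baseline = {}                    # ip -> first MAC that claimed it
    ips_claimed = defaultdict(set)   # mac -> every IP it has claimed so far
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.sender_mac.lower()
        known = baseline.setdefault(r.sender_ip, mac)
        if known != mac:
            alerts.append({
                "ts": r.ts,
                "kind": "ip_mac_conflict",
                "severity": "critical" if r.sender_ip == gateway_ip else "warning",
                "ip": r.sender_ip,
                "expected_mac": known,
                "seen_mac": mac,
            })
        if r.sender_ip not in ips_claimed[mac]:
            ips_claimed[mac].add(r.sender_ip)
            if len(ips_claimed[mac]) > 1:
                alerts.append({
                    "ts": r.ts,
                    "kind": "mac_claims_many_ips",
                    "severity": "warning",
                    "mac": mac,
                    "ips": sorted(ips_claimed[mac]),
                })
    return alerts


def suspicious_macs(alerts):
    """MACs implicated by any alert; a natural input for a block list at the AP."""
    return {a.get("seen_mac") or a.get("mac") for a in alerts}


if __name__ == "__main__":
    found = detect_arp_spoofing(SAMPLE_REPLIES, gateway_ip="192.168.1.1")
    for alert in found:
        print(alert)
    print("suspicious:", suspicious_macs(found))
```

A baseline built from the first reply seen is only as good as the moment you start listening, which is why a real deployment seeds it from DHCP leases or a static table; the structure of the check (conflict per IP, fan-out per MAC) stays the same either way.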
He just had to follow a tutorial online and hit a few keys on his keyboard. That's it. But honestly, kind of harmless if he doesn't have the correct skills to take it further, because while he does have control of your traffic and he can do some crazy stuff to you, he probably doesn't know how to do that. But in the hands of a real hacker, better watch out.

Now, I'm going to stop this real quick and show you what happens if NordVPN is being used. I'm going to reset my capture here. So no spoofing, I can't see anything. Just a few messages going across the network. The target will connect to NordVPN, and this is kind of crazy. Watch this. We'll turn ARP spoofing back on. It's a hundred percent working. Notice here on Wireshark, every message kind of looks the same. It's between my target and one destination, which is NordVPN, and then the protocol is WireGuard. What's happening here is every bit of the target's traffic is being encrypted and hidden from the attacker. The hacker can't see anything. This is nonsense. You can't do anything with it. The WireGuard protocol encrypts it to where you can't see inside of it. So even though you may be the target of a man in the middle attack, if you're connected to VPN, you kind of foil the attacker's plans. Can't touch it. Connect to VPN.

Now, this right here is probably the scariest attack. It's called an evil twin attack, and twins are already scary. You add an evil one, I'm done. But seriously, this one is crazy effective. And again, not that hard to do as an attacker, even for a noob. Here's what makes the evil twin attack so evil and why pretty much anyone can fall for it, including me, without even knowing it. How it works is you have your standard wifi network. So let's say Bear Cave Coffee. The evil twin is simply that. It's a copy of it that looks just like it, operating on the same wireless channel, and if the hacker's really good, it'll have the same wireless password. That's coming up in a moment.
And the goal is to try and get you to connect to the evil one instead of the good one. And looking at these two wireless networks, how would you know? They're going to show up the same way on your phone and your laptop. You wouldn't know. That's the evil part. Now, for the noob, it is a bit more difficult. He'll need a few more YouTube tutorials and a special wifi adapter, one that can go into monitor mode, like this Alfa network adapter. The good news for humanity is that getting that set up is kind of hard, if not just frustrating. So the noob will sit there for a while, maybe get frustrated trying to install the drivers. So we'll let him figure that out and we'll move on to the hipster hacker and how he might set up an evil twin attack.

Now, the hipster, he's cool, man. He doesn't need any special wifi hacking gear. In fact, he always has wifi hacking gear with him in the form of a Flipper Zero. It can do a lot, including hacking your wifi. And look at this hipster hacker, you would never know, right? He's just there to sip some coffee and read a novel, or so you think. The hipster nonchalantly walks into the coffee shop and finds a place where he can hide his Flipper Zero. He connects his ESP32 dev board, or a wifi dev board, flashed with the Marauder firmware, enabling the Flipper Zero to do crazy wifi attacks, and he simply just kind of hides it on a bookshelf somewhere behind some stuff. No one's going to notice this. He then sits down, pulls out his phone, and remotely controls the Flipper Zero. Now the hipster hacker's already done the hard work of getting the Flipper Zero set up to be able to do wireless hacks. Once it's set up, it's super easy to just do it. It goes through a simple menu, turns on an evil twin, and even adds a captive portal. What is that? You've seen it before.
You go to a coffee shop like Starbucks or an airport and you connect to the wifi, and immediately a webpage pops up prompting you to either accept terms before you connect or maybe even log in, or if you're at a hotel, you put your hotel room number in, and once you finish that process, you're connected to the wifi. It's a normal thing used for good purposes. Not here though. The Flipper Zero can spin up a captive portal pretending to be anything. Maybe Google, maybe Facebook. And you, not realizing you're connecting to an evil twin network, will put in your credentials, which are immediately fed to the hipster hacker, and he's got your password and your email, and he can do whatever he wants with it. Now, the downside with the Flipper Zero is if a target connects to the wifi network it's broadcasting, the evil twin, it can't give it internet. So as the target, you'll know immediately, like, oh my gosh, this wifi network is not working. It can't go to anything. So you disconnect.

This is where the pro comes in, and this, oh my gosh, the pro is so scary. So the pro, he walks into the coffee shop and he orders coffee. Got his hoodie on, doesn't want to be seen, doesn't want to be known. This is the first time he's been outside in three years. So naturally he finds a shadowy dark corner in the coffee shop to hang out and prepare his wireless attack. He pulls out this crazy spider looking contraption called a WiFi Pineapple Enterprise, a device tailor made to hack wifi networks, and its specialty is evil twin attacks. The professional hacker will start with screwing in the million antennas it uses to attack. He'll then connect to its very nice, friendly web interface and start doing a bit of recon, scanning the entire wireless network around it, literally catching everything. And with one click, he can identify the network he wants to impersonate and become an evil twin of, and it becomes an evil twin just like this.

The scary part is this: devices do sometimes lose connection to the wifi router. Go to the bathroom, come out, it reconnects. Leave, come back, it reconnects. And as long as the WiFi Pineapple is broadcasting a stronger signal, you're going to connect to him. That's what your devices are built to do: prioritize a stronger signal. So it's really easy for that massive spider looking device to have a stronger signal than anything else around it. Now, it's not just that. Maybe you don't connect to wifi. Maybe your 5G on your cell phone is good. You don't have to worry about that. You don't connect to wifi. You're too smart for that. Not with the WiFi Pineapple. It can make you connect to a wifi even when you don't want to. Here's a scenario. Last year you were at a conference in Vegas, no cell signal in that conference, but they did have free wifi. Let's say it was a coffee convention. Obviously I go to those. Not really. It was called Coffee Wifi, whatever. It was open. You connected to it, you used it, you left Vegas, you're done. Now, what you don't know, what you don't realize, is that wireless network, your phone remembers it, and everywhere you go, your phone is sending out probes saying, Hey, coffee conference network, are you here? Because it's always wanting to connect. That's how it auto connects to your home network and your work network. It's sending out probes, and when it's like, oh, I found one, it auto connects, if you have that setting configured. Okay, Chuck, what's your point? Okay, well, a year later you come into Bear Cave Coffee. Your phone still remembers that Vegas conference coffee wireless thing, and it's sending out probes. The WiFi Pineapple listens for those probes, all the probes, every wireless connection your phone remembers and is looking for. The WiFi Pineapple grabs it, makes an evil twin of it, and broadcasts it. I don't know why. Just this, the WiFi Pineapple movement.
So your phone, if it's configured to automatically connect to a network, will see that network and go, Hey, buddy, long time no see, let's connect. And it connects. Did you do it? No, your phone did. The WiFi Pineapple took care of it for you, and now you're connected to a hacker's network. You're compromised without even trying. How terrifying is that? That probing feature is insane, and it literally grabs all the wifi networks it can find and broadcasts those, casting a wide net, catching whatever it can. And once you're connected, the hacker can do whatever he wants, especially a pro hacker. The captive portal? Yeah, he can do that. What's crazy is for the pro hacker, that took him five minutes, not even that. It was a few clicks. It's automated. Often they have a script that runs a little playbook. They come in, they click, and it just goes and it does it.

And then, looking back at the noob hacker, he eventually figured out how to install the drivers for his Alfa network adapter, and he installed a few tools to get this thing going. He uses a tool called dnsmasq to run DHCP, which will hand out IP addresses, and to run DNS, which will help his targets actually reach websites on the internet. And then he'll launch hostapd, another really fun Linux tool, which will just launch a wireless network out of thin air. In this case, it's evil. He's matching the SSID and the channel to be the exact same, so you'll accidentally connect to it. And for the pro and noob hacker, once you're connected to their network, I'm telling you, they can do whatever they want. One of the cool things they can do, and when I say cool, I mean terrifying, is they can spoof your DNS.

Now, we just talked about DNS. It stands for Domain Name System, and it's essential to how the internet works. When you go to visit a website, let's say target.com, your computer has no idea how to get to target.com because it's looking for an IP address somewhere in a data center, somewhere else in the world.
target.com is just like a nickname, a friendly name, so we don't have to type in IP addresses in our URL bar. So to make that thing easier for us, we have DNS servers. So we say, Hey, DNS server, I want to go to target.com. And he says, okay, let me look up where that IP address is. And then he tells your computer, Hey, this is the IP address for that thing, that thing your owner wanted to visit. That happens for every single thing you visit: target.com, facebook.com, google.com. It has to do a DNS lookup, find out what the IP address is, and then it can go to that. The scary part about this is that the DNS server is the hacker's computer. It's the noob's computer. It's the WiFi Pineapple sitting there, and the hacker can make that DNS server respond in any way it wants. So you try to go to target.com, and the DNS server can go, you know what? Target's not over there where it actually is. target.com is actually on a server. I just made a fake website. I even used a tool to clone the website, so it looks just like Target. And when you visit that, you won't even realize. You type in target.com, I tell you it's here, you get there, it looks the same. You think you're fine, right? No. Now this attack is called DNS spoofing. It's very common and often hard to notice. Now, what's unique about this site is that it's running the BeEF framework, meaning that I now have control, as the hacker, of your browser. And I can do some crazy things like send you weird messages, I can rickroll you. And these are all just fun things. More nefarious things would be like controlling your webcam, getting all your website logins, escalating and getting more access to your PC. In the hands of a skilled hacker, that's a lot. And while some of these attacks are more advanced, what I've just kind of demonstrated isn't that hard to learn and do. So what's your protection? NordVPN. Use the VPN, please.
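Added example, not from the video: the DNS spoofing just described has a tell that a client can check for itself, because the hotspot's resolver has to point public names at a machine on the hotspot's own LAN. The Python below audits a list of (query name, answer) pairs (a constructed sample; 203.0.113.x are documentation addresses standing in for the sites' real ones, 192.168.1.5 is a hypothetical attacker box and 192.168.1.1 a hypothetical gateway) and flags public names that resolve to a local address, to the gateway itself, or to one address shared by several unrelated domains. On a laptop you would feed it the answers your stub resolver actually returned.

```python
import ipaddress
from collections import defaultdict

# Ranges that should never be the answer for a public hostname. The stdlib's
# is_private() also covers the RFC 5737 documentation blocks used as sample
# "public" answers below, so the local ranges are listed explicitly instead.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]
# Names that legitimately resolve to LAN addresses (printers, NAS boxes, ...).
LOCAL_NAME_SUFFIXES = (".local", ".lan", ".home.arpa", ".internal")
# One address answering for this many distinct domains smells like a clone server.
SHARED_ANSWER_MIN_DOMAINS = 3

# Constructed sample answers (hypothetical addresses), as a packet capture or
# resolver log would show them.
SAMPLE_ANSWERS = [
    ("target.com",     "203.0.113.10"),  # plausible public answer
    ("www.google.com", "203.0.113.20"),  # plausible public answer
    ("facebook.com",   "192.168.1.5"),   # public name -> attacker's LAN box
    ("bank.example",   "192.168.1.5"),   # same box again
    ("target.com",     "192.168.1.5"),   # and again, after the spoof started
    ("paypal.example", "192.168.1.1"),   # public name -> the gateway itself
    ("printer.local",  "192.168.1.30"),  # legitimate local name, must not alert
]


def is_local_address(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETWORKS)


def registrable_domain(name):
    """Crude 'example.com' from 'www.example.com'; good enough without a public-suffix list."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_dns_answers(answers, gateway_ip=None):
    """Return alert dicts for answers that look like a hotspot resolver lying to us."""
    alerts = []
    domains_per_addr = defaultdict(set)
    for qname, addr in answers:
        name = qname.lower().rstrip(".")
        if name.endswith(LOCAL_NAME_SUFFIXES):
            continue
        domains_per_addr[addr].add(registrable_domain(name))
        if gateway_ip is not None and addr == gateway_ip:
            alerts.append({"kind": "gateway_answer", "qname": name, "answer": addr})
        elif is_local_address(addr):
            alerts.append({"kind": "local_answer", "qname": name, "answer": addr})
    for addr, domains in domains_per_addr.items():
        if len(domains) >= SHARED_ANSWER_MIN_DOMAINS:
            alerts.append({"kind": "shared_answer", "answer": addr, "domains": sorted(domains)})
    return alerts


if __name__ == "__main__":
    for alert in audit_dns_answers(SAMPLE_ANSWERS, gateway_ip="192.168.1.1"):
        print(alert)
```

This catches the cheap version of the attack, where the fake site lives on the hacker's own box on the hotspot. A spoofed answer pointing at a public address would pass these checks, which is why the real remedy is to stop trusting the hotspot's resolver at all (encrypted DNS to a resolver you chose, or the VPN the video recommends).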
Because even if you connect to an evil twin network, a wifi network owned and operated by a hacker trying to get you, if you're connected to NordVPN, your traffic's encrypted. They can't see it. And if you're really paranoid, you can do Double VPN or Onion Over VPN, and the attacker can't spoof your DNS. All your DNS queries are encrypted and secure when you're connected to NordVPN. Now, what if you're not connected? What if you forget? NordVPN still has your back for the worst case scenarios. They've got some new threat protection. So like this option right here, I'm going to enable it right now. Even when you're not connected to VPN, it'll protect you from cyber threats, so things like malware, trackers. It even has file protection, which prevents you from downloading malicious things. So even if the attacker is trying to get you to download malware and get a more serious foothold in your system, having NordVPN there and present on your computer with this setting enabled can help protect you. But best case scenario, you're connecting to NordVPN and you're protected all across the board. If you head on over to nordvpn.com/networkchuck, you get a crazy deal, an insane discount, and four bonus months for free.

Now, let's talk about wifi password cracking. How can a hacker get access to your wifi network and figure out your wifi password? Because maybe they just want to steal your wifi. Maybe they're your neighbor and they're on your wifi, and you don't even know it. Or they're trying to get access to your network so they can do more things like a man in the middle attack, or maybe it's a business network and they want to attack your servers and stuff. That's a real thing. And for the professional hacker who's trying to really do some crazy evil twin attacks, having that wifi password for your network is going to make it a lot more effective. So how does a hacker crack a password? It's actually not too crazy. Check this out. We'll start with the noob. He'll come in.
He's going to use what's called the Aircrack-ng suite. He'll first put his Alfa network adapter into monitor mode by running airmon-ng start wlan0. This allows his wifi adapter, instead of just connecting to a wireless network, to now listen and even do kind of attacking things. I'll show you here in a bit something called a deauth attack. It's kind of awesome. He'll type in iwconfig just to make sure it is up and running and in monitor mode. Now, sometimes other processes on your Kali Linux computer can interfere with that. Typing in airmon-ng check kill will check and kill those processes if there is something there. Now it's time to start the monitoring with one command, airodump-ng wlan0, using the --band abg switch to monitor all types of wireless channels, 2.4 and 5 gigahertz. He'll start monitoring and he can see everything, all the wireless networks in the vicinity, everything he can reach. And since he is at Bear Cave Coffee, he immediately recognizes and locates Bear Cave Coffee, the wireless network. With that network identified, he wants to go deeper and research more. Using the same command as earlier, airodump-ng, he'll specify the MAC address, or the station address, of the AP or the wireless router, the channel it's operating on, and specify a file to dump that information to. And finally, the wireless interface, wlan0. Now, he is going to keep this up and running and capturing for a while, because what he's looking for is a four-way handshake. Capturing the special four-way handshake will give him all he needs to crack the wireless password. Now, what is that? Whenever your device connects to a wireless access point, or when you walk into a new place, you see wireless and you try to connect, it's going to do a little howdy do between itself and the wireless network. Four separate messages. It's this exchange of the four messages that authenticates your phone to the AP, the access point.
They're also called EAPOL messages, or E-A-P-O-L. And again, once captured, the hacker can take that information and find out your password. Maybe now he could just sit there and wait for someone to come in and try to connect. And this is also assuming the wireless password isn't broadcast on the wall or something. He's trying to crack into it. So if he's not patient and he doesn't want to wait, he can use what's called a deauthentication attack. And this attack is kind of crazy. He can actually force any phone, laptop, or device on the wireless network to lose its connection, to deauthenticate from the wireless network. He doesn't have to be connected to it, he just has to be adjacent to it. Now, this is abusing something that is common in a wireless network. The wifi router often might send a deauth message to its clients to say, Hey, you need to reconnect, for whatever reason. It's a real thing. But the hacker can abuse that by sending his own deauth messages, pretending to be the wifi router, to the clients. And what are they going to do? They're going to listen. They're like, oh, I'm just going to disconnect. And then reconnect. So with the aireplay-ng command, the noob does that. He can either target one individual person that he scanned in recon, or the entire network, and all clients get deauthenticated all at once. And when he does that, bam, he does capture a four-way handshake when they try to reconnect. And then he ends his capture. He sees the EAPOL message, I think I'm saying that right. He stops it, and now he can go about cracking it.

For the hipster, it's even easier. He's got his Flipper Zero. He places it down somewhere. He scans the network around him with a few simple button presses on his phone, right? It's so crazy easy. He chooses his target. He runs a deauthentication attack, immediately starts capturing raw packets from the network. And hopefully, fingers crossed, he also captured a four-way handshake.
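Added example, not from the video or from the Aircrack-ng suite: the deauth attack above stands out on the air because a real AP sends a deauth frame now and then, while aireplay-ng or a Flipper sends dozens per second with the AP's address forged into them. This Python sketch is a monitor-mode detector that counts deauth and disassociation frames per BSSID in a sliding window and raises one alert per burst. The frames are a constructed capture with hypothetical addresses; a sensor would build the same records from a monitor-mode interface, and the same logic is what an enterprise WIDS runs.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
WINDOW_SECONDS = 5.0   # sliding window length
THRESHOLD = 10         # deauth/disassoc frames per BSSID inside the window before alerting


@dataclass(frozen=True)
class Frame:
    """The few 802.11 header fields a monitor-mode capture hands us."""
    ts: float
    subtype: str   # "beacon", "data", "deauth", "disassoc"
    bssid: str     # the AP address the frame claims to come from
    dst: str


def build_sample_frames():
    """Constructed capture (hypothetical addresses): a quiet AP beaconing, one
    ordinary deauth, then a burst of 64 broadcast deauths forged with the AP's address."""
    ap = "aa:bb:cc:00:00:01"
    frames = [Frame(i * 0.5, "beacon", ap, BROADCAST) for i in range(20)]
    frames.append(Frame(0.5, "deauth", ap, "aa:bb:cc:00:00:50"))  # legitimate single deauth
    frames += [Frame(6.0 + i * 0.01, "deauth", ap, BROADCAST) for i in range(64)]
    return frames


def detect_deauth_flood(frames, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert dict per deauth burst seen from any BSSID."""
    recent = defaultdict(deque)   # bssid -> (ts, dst) of recent deauth/disassoc frames
    last_alert = {}               # bssid -> ts of the last alert, to avoid one alert per frame
    alerts = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        q = recent[f.bssid]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and f.ts - last_alert.get(f.bssid, float("-inf")) > window:
            last_alert[f.bssid] = f.ts
            alerts.append({
                "bssid": f.bssid,
                "first_ts": q[0][0],
                "last_ts": f.ts,
                "count": len(q),
                # broadcast deauths kick every client at once, the whole-network variant
                "broadcast": any(dst == BROADCAST for _, dst in q),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(build_sample_frames()):
        print(alert)
```

The threshold is deliberately coarse; what matters for a defender is the shape (a burst far above the AP's normal rate, often to the broadcast address). The protocol-level fix is 802.11w management frame protection, which makes clients ignore unauthenticated deauth frames, so enabling it on your own AP removes the attack rather than just detecting it.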
Now again, shedding light on the fact that the Flipper Zero is so compact, it looks like a toy. No one's going to notice you're hacking anything. I love that about the Flipper Zero. It's also the most terrifying thing about the Flipper Zero. And then of course, the professional hacker, he's a bit more obvious, but he's hiding, so it doesn't matter. He's professional and his attack is a lot easier. When he enables scanning for his WiFi Pineapple Enterprise, it automatically is set to start receiving all the handshakes it can. And with a few clicks, he can just say, Hey, deauth this network, deauth this client, and it captures it seamlessly within moments. It's super easy for the professional.

Now, whether you're a noob, hipster, or pro, we're all going to end up here. You're going to have a packet capture file with a four-way handshake. Now, just so you know, having the four-way handshake doesn't mean you have the wifi password, but it does mean you have the ingredients to figure it out. So for example, let's say we have our four messages, the four-way handshake, 1, 2, 3, 4. The way the hacker might try to figure out the password with this four-way handshake is guessing a lot. Let's take a password, like password123, and combine it with the ingredients in the four-way handshake and see if that password can successfully decrypt one of the messages in the four-way handshake. If it does, we know that's the correct password. Now, it's a lot more complex than this, but that's essentially what we're doing. And the software we're about to use is going to guess lots of passwords over and over and over and over and over again until we finally find one that does the job. It's like you've got a lock and you're trying a bunch of different keys to see which one will unlock it. And of course, the first thing we'll need is a big bag of keys, or a big bag of passwords. Otherwise known as a word list, or a password word list.
A list filled with hundreds, sometimes thousands of passwords that we'll try and try and try over time. And depending on how strong and powerful your computer is, that's how fast we can try these passwords. Now, the noob hacker, he's going to try this, but he's not very experienced, and he'll probably fail. He's going to use a default word list, a list of passwords previously used by people in the wild, discovered through other hacks and things. It's actually a popular list called rockyou, and it does contain a ton of passwords. So he'll extract that and try to crack it with the aircrack-ng command. Notice it's going to take a while, and there's no guarantee the password actually exists in that database. That's a finite list of passwords.

This is where the hipster and the professional hacker are going to differ a bit. They're more experienced. They know that the password will probably be uniquely pertinent to the place they're trying to attack, and they'll use that to their advantage. And this is a bunch of super cool tools. First, they'll use a tool called, well, CeWL, and that, I did not do that on purpose, I promise. They'll use CeWL to crawl the website of the coffee shop to find all the keywords that might be used in a password, and it'll output that to a list. How cool is that? We'll then use a tool called pipal, which will look through that word list and find words that'll probably really be used in a password, identifying the top 10. And I'll use some special Linux-fu to put that into a nice and neat list that we can use with our next tool. And this is a custom tool that we built ourselves, or the hipster and professional hacker did. It's a Python script that's going to go through this list and combine all the words in different ways. And finally, with our word list, we'll do the same thing as the noob hacker did, just with a more targeted list, taking less time and giving us higher odds of discovering the password.
And within half a second, we find the password is mesquite coffee. We got it. Now, this is very simplistic, what I showed you here, but it's an example of how someone might discover a password if they can do the same thing, like profiling your house, discovering more about you. And once they have that wifi password, they can connect to your wifi, use it all they want, or connect to it and do some bad stuff. Making a really, really, really evil twin, or doing lots of other things like gaining footholds in your servers, getting all your files. You name it, it can be done.

So let's talk about safety and security. What can you do to protect yourself? First and foremost, as an individual, as a user, protecting your own internet traffic and your own data: VPN. NordVPN. Check it out. Link below. Beyond VPN, what about your own wifi network or your business's network? The first thing you can do is just have a strong wifi password, randomly generated characters that have nothing to do with you. Yeah, it's a pain to share it, I get it. But you've got to do what you've got to do. Security does come at a price, but it's a lot cheaper than the consequences of not having it. Now, beyond that, there's really not much else you can do, especially against evil twin attacks or man in the middle attacks, unless you have more enterprise hardware. There are enterprise wifi networks out there that can do some cool stuff. One thing is they can do host isolation for all the hosts connecting to your networks, so a man in the middle attack can't even happen. They can't talk or connect to anyone else on that network. Can't happen. As far as evil twin attacks, much harder to deal with, but a lot of these smart enterprise wireless networks can actually look out for similar SSIDs, or the same SSID as the networks they're broadcasting, and alert you or try to stop them with their own kind of wifi mitigation attacks. It's very cool. Anyways, that's wifi. I'm about to travel with my family to Japan.
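Added example, not from the video or from any enterprise wifi vendor: the "look out for similar SSIDs" check the enterprise gear does is simple enough to run yourself against a scan of the air around your own AP. The Python below compares a scan result (a constructed list with hypothetical addresses, the kind of table a scan command or a WIDS sensor produces) against an inventory of the BSSIDs you actually own and reports the evil twin patterns from this video: your SSID from a BSSID you don't own, a copy that dropped encryption to open, a lookalike name, and whether the impostor is louder than the real AP.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str
    channel: int
    rssi: int       # dBm; closer to 0 is stronger
    security: str   # "WPA2", "WPA3", "OPEN", ...


# Inventory of the APs you own (hypothetical values).
KNOWN_APS = {
    "BearCaveCoffee": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "WPA2"},
}

# Constructed scan result (hypothetical addresses).
SAMPLE_SCAN = [
    ScanEntry("BearCaveCoffee",   "aa:bb:cc:00:00:01", 6,  -40, "WPA2"),  # the real AP
    ScanEntry("BearCaveCoffee",   "de:ad:be:ef:00:99", 6,  -30, "WPA2"),  # twin, same channel, louder
    ScanEntry("BearCaveCoffee",   "de:ad:be:ef:00:9a", 11, -35, "OPEN"),  # twin with no encryption
    ScanEntry("Bear Cave Coffee", "de:ad:be:ef:00:9b", 1,  -50, "OPEN"),  # lookalike name
    ScanEntry("OtherNet",         "11:22:33:44:55:66", 1,  -70, "WPA2"),  # unrelated neighbour
]


def normalize_ssid(ssid):
    """Collapse case, whitespace and punctuation so 'Bear Cave Coffee' matches 'BearCaveCoffee'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_rogue_aps(scan, known=KNOWN_APS):
    """Return alert dicts for scan entries that impersonate one of our SSIDs."""
    by_norm = {normalize_ssid(name): name for name in known}
    # strongest signal seen from a BSSID we own, per SSID
    best_known_rssi = {}
    for e in scan:
        if e.ssid in known and e.bssid.lower() in known[e.ssid]["bssids"]:
            best_known_rssi[e.ssid] = max(best_known_rssi.get(e.ssid, -200), e.rssi)

    alerts = []
    for e in scan:
        bssid = e.bssid.lower()
        if e.ssid in known:
            if bssid in known[e.ssid]["bssids"]:
                continue  # one of ours
            alerts.append({
                "kind": "rogue_bssid", "ssid": e.ssid, "bssid": bssid, "channel": e.channel,
                # clients prefer the stronger signal, so a louder twin will win reconnects
                "stronger_than_known": e.rssi > best_known_rssi.get(e.ssid, -200),
            })
            if e.security == "OPEN" and known[e.ssid]["security"] != "OPEN":
                alerts.append({"kind": "security_downgrade", "ssid": e.ssid, "bssid": bssid})
        else:
            target = by_norm.get(normalize_ssid(e.ssid))
            if target is not None:
                alerts.append({"kind": "lookalike_ssid", "ssid": e.ssid,
                               "mimics": target, "bssid": bssid})
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_aps(SAMPLE_SCAN):
        print(alert)
```

A twin that copies the BSSID as well as the SSID would slip past the inventory check, which is why sensor-based systems also compare channel, beacon timing and signal fingerprint; the inventory match is still the check that catches the common case in a few lines.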
I'm using these techniques to protect myself and look out for people. Mainly just connecting all my kids and my family and myself to VPN while I'm traveling. That's all I got. I'll catch you guys next time.