I have watched a Hak5 YouTube video in which they made people connect to their WiFi Pineapple (a WiFi honeypot), and they stored the Wi-Fi hotspots that the phones used to connect to.

There are many historical hotspots. I am wondering how they did it. If they simulated the SSID, should they replace it with another one seconds later?

Here's the YouTube video

dotslash

2 Answers

You can't simply force a client, but you can trick it!

As long as the device's WiFi is running, it keeps sending probe requests, searching for your previously connected networks. Using some software like airodump-ng, you can easily sniff out those probes.
Then the attacker may create a similar evil twin using the BSSID and ESSID gathered from the previous probes.

So, as the device sees the pre-saved network up again, it re-connects, thinking it is the legitimate network.

However, there is something to be aware of:
This only works with public networks. It does not work with secured networks unless you already know the security phrase.

Important note:
This attack can also be done on pre-saved networks with a passphrase, if the passphrase is weak enough to be cracked. The steps are:

  1. Create the evil twin network using the BSSID, ESSID and the same auth type as the spoofed network (WPA, WPA2 or WEP)
  2. The client will try to connect to the network, providing the passphrase challenge
  3. The authentication obviously won't work, but you can sniff the challenge
  4. Using some cracking tool, you can crack the phrase
  5. Re-create the network using the new passphrase

Now the client will connect to the spoofed network even if it has some security level, so it's always a good idea to use strong phrases!

Eibo
  • You are right. Do you mean that all the pre-saved SSIDs should not have a password in this scenario? Because we can't simply know other pre-saved hotspot passwords. All the public networks shouldn't have a password, right? – dotslash Jul 04 '16 at 06:43
  • Yes. All the pre-saved public networks present a way to perform this kind of attack, but you must know that even the secured networks may be vulnerable, if the key is compromised. – Eibo Jul 04 '16 at 06:47
  • I see. So the WiFi Pineapple may just scan all the probes in the air and create the different no-password SSIDs that clients used to connect to, periodically, say every 5 minutes? So in this way, all the phones in this area can connect to the cloned router in a while. What would you think? – dotslash Jul 04 '16 at 06:54
  • Of course, any device that's scanning for the same network will connect to your spoofed AP. – Eibo Jul 04 '16 at 06:57
  • Nice. It would be awesome if there were some open source projects like that. Thank you – dotslash Jul 04 '16 at 07:01
  • Don't know about any project, but you can use Kali Linux tools. Also, see the edit in my answer. – Eibo Jul 04 '16 at 07:11
  • What you say isn't technically true. For example, on my laptop I disable "connect automatically to this network". The wifi still sends probes and lists which networks are available, but *it does not try to connect to them automatically*. So you can create your honeypot network, but my laptop will not connect to it unless *I* want it to. I don't know whether mobiles offer the same configuration option, but they probably should. – Bakuriu Jul 04 '16 at 10:37
  • In laptops, the solution is like what you've said, and in mobiles, you have to select the `forget network` option. After all, this attack relies on the automatic connection feature, and not all users disable it like you've done. – Eibo Jul 04 '16 at 10:42
  • @Bakuriu Like what @Emadeddin said, this seductive method is mostly only suitable for mobiles (when in test, all my phones got phished). For laptops, it would differ. `forget network` is the option to avoid auto-connecting to the cloned hotspot for mobiles. And I heard that some mobile firewall apps do have regime control over WiFi connections. But mostly people don't install these apps. – dotslash Jul 04 '16 at 19:07
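The answer above describes an evil twin that re-uses a trusted network's SSID (and possibly its BSSID). As an added defender-side example, not code from this answer or from Hak5, here is a small Python check that compares observed beacons against a constructed baseline of the APs you run (the `TRUSTED` table, the beacon tuples and all MAC addresses are assumptions), flagging a known SSID advertised with a different security type, from an unknown BSSID, or from a cloned BSSID beaconing on the wrong channel.

```python
from collections import defaultdict

# Constructed baseline of the networks a defender manages (assumed, not from the page):
# SSID -> expected security type and the legitimate APs as BSSID -> channel.
TRUSTED = {
    "CorpWiFi":  {"security": "WPA2", "aps": {"00:11:22:33:44:55": 6, "00:11:22:33:44:56": 11}},
    "CorpGuest": {"security": "OPEN", "aps": {"00:11:22:33:44:60": 1}},
}

def classify_beacon(ssid, bssid, security, channel, trusted=TRUSTED):
    """Findings for one observed beacon against the baseline (empty list = looks legitimate)."""
    known = trusted.get(ssid)
    if known is None:
        return []                               # not an SSID we own: out of scope here
    findings = []
    if security != known["security"]:
        findings.append("security-mismatch")    # e.g. an open twin of a WPA2 network
    if bssid not in known["aps"]:
        findings.append("unknown-bssid")        # our SSID from an AP we do not run
    elif channel != known["aps"][bssid]:
        findings.append("channel-mismatch")     # cloned BSSID beaconing on another channel
    return findings

def scan(beacons, trusted=TRUSTED):
    """Group findings per SSID over (ssid, bssid, security, channel) observations."""
    alerts = defaultdict(list)
    for ssid, bssid, security, channel in beacons:
        for finding in classify_beacon(ssid, bssid, security, channel, trusted):
            alerts[ssid].append((bssid, finding))
    return dict(alerts)

# Constructed sample capture: two legitimate beacons, an open twin of CorpWiFi on a
# foreign BSSID, a BSSID clone of the guest AP on another channel, and an unrelated SSID.
SAMPLE = [
    ("CorpWiFi",   "00:11:22:33:44:55", "WPA2", 6),
    ("CorpGuest",  "00:11:22:33:44:60", "OPEN", 1),
    ("CorpWiFi",   "de:ad:be:ef:00:01", "OPEN", 6),
    ("CorpGuest",  "00:11:22:33:44:60", "OPEN", 11),
    ("CoffeeShop", "aa:bb:cc:dd:ee:ff", "OPEN", 3),
]

if __name__ == "__main__":
    for ssid, hits in scan(SAMPLE).items():
        print(ssid, hits)
```

A twin that copies the BSSID, security type and channel exactly cannot be told apart from beacons alone; that case is left to the client-side controls the comments mention (disable auto-join, forget the network).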
There are a few methods that could have been used:

  1. Devices of all sorts that use a WiFi connection usually have a setting that lets the device connect automatically when the same SSID is out there. This is usually set by default and users do not usually turn it off.
    Hak5 generated a list of many public WiFi SSIDs (e.g. "McDonald's free wifi") that the devices probably connected to at some point in their lifetime.
    Then the devices connect to the AP since they recognize the SSID.
    Note:

    • This is a setting that can be turned off easily, or even a simple "Forget this network" solves the issue.
    • Some devices also have a setting that tells the device to connect automatically to any open WiFi. You can imagine the issue here...
  2. Another method is to scan the local area for all WiFi connections and duplicate the exact ones using their SSID and MAC address, and then create a stronger signal forcing the connected devices to move to your AP (they see it as the same one).

  3. Some devices also send out requests searching for specific WiFi connections that they have in their history in order to reconnect. These requests can be captured and used against the device by faking the AP the device is requesting.

Note: These methods will only work using an open WiFi network that does not require a passphrase. If you do wish to spoof an AP with a passphrase, it would have to be the same passphrase as the original AP.

Bubble Hacker
  • Nice. So can I assume that if the no-password WiFi SSID is the same as the one the phone used to be connected to, say, McDonald's, the phone would re-connect to it, no matter that it's actually another router? Right? – dotslash Jul 04 '16 at 06:28
  • Mostly. Some devices also do MAC & SSID comparing. – Bubble Hacker Jul 04 '16 at 06:30
  • Thanks. I did a test minutes ago. It turned out phones nowadays re-connect to the WiFi with the same SSID, even if they are different routers. For the next consideration, should the SSID be changed every several seconds to let all phones connect to it? – dotslash Jul 04 '16 at 06:37
  • @dotslash I didn't understand your question... – Bubble Hacker Jul 04 '16 at 06:38
  • I read your method 2. If we don't have the cloned hotspot's passphrase, will the phone connect to the pentester's cloned router, which has no password this time? – dotslash Jul 04 '16 at 06:47
  • @dotslash, That will not work because the user will try to connect with the security key that worked with the original AP. I will point that out in my answer. – Bubble Hacker Jul 04 '16 at 06:49
  • @dotslash If you set up your AP with the same passphrase as the original, this would work. – Bubble Hacker Jul 04 '16 at 06:51
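Method 3 above relies on clients broadcasting the names of saved networks in probe requests. As an added example, not code from this answer, here is a minimal Python parser for 802.11 probe request frames that a network owner can run over a capture of their own devices to see which saved network names each one is broadcasting (the usual prompt to "forget" stale networks). It assumes frames with the 24-byte MAC header at offset 0 (radiotap header and FCS already stripped); the client MACs and SSIDs in the sample are constructed.

```python
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6

def parse_probe_request(frame: bytes):
    """(client_mac, ssid) for an 802.11 probe request, None for any other frame.
    Assumes the 24-byte MAC header is at offset 0 (radiotap header and FCS stripped)."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if (ftype, subtype) != (0, 4):          # type 0 = management, subtype 4 = probe request
        return None
    client = ":".join(f"{b:02x}" for b in frame[10:16])   # Addr2 = the probing client
    body, i, ssid = frame[24:], 0, ""       # no SSID element means a wildcard probe
    while i + 2 <= len(body):               # walk the tagged parameters: ID, length, value
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                           # truncated element: stop, keep what we have
        if tag == 0:                        # element ID 0 = SSID
            ssid = value.decode("utf-8", "replace")
            break
        i += 2 + length
    return client, ssid

def build_probe_request(client_mac: str, ssid: str) -> bytes:
    """Constructed test frame: FC 0x0040 (probe request), broadcast DA/BSSID, SSID + rates."""
    src = bytes.fromhex(client_mac.replace(":", ""))
    header = struct.pack("<HH6s6s6sH", 0x0040, 0, BROADCAST, src, BROADCAST, 0)
    ssid_b = ssid.encode()
    return header + bytes([0, len(ssid_b)]) + ssid_b + bytes([1, 1, 0x82])

def directed_probes(frames):
    """Client MAC -> set of named SSIDs it probes for; wildcard probes are ignored."""
    leaks = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:
            leaks[parsed[0]].add(parsed[1])
    return dict(leaks)

# Constructed capture (assumed MACs/SSIDs): a phone probing two saved networks, a laptop
# sending only wildcard probes, and a beacon (FC 0x0080) that the parser must ignore.
SAMPLE_FRAMES = [
    build_probe_request("02:00:00:00:00:01", "Home-WiFi"),
    build_probe_request("02:00:00:00:00:01", "CoffeeShop"),
    build_probe_request("02:00:00:00:00:02", ""),
    b"\x80\x00" + b"\x00" * 22,
]
```

Each client listed with a non-empty SSID set is announcing saved networks that an evil twin could answer, which is the exposure "forget this network" removes.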