
The company where I work gave my team a "Security Information" training today and at the end they presented a video that exemplifies how vulnerable an open wireless network is.

In this video the "hacker" went to a bar and set up a network with the same name as the bar's network. When users connected to it and visited websites like Facebook, they got "redirected" to a trap website and the credentials they entered were stolen.

I searched for this "network with the same name" technique and got Evil Twin.

After the user has connected, how could the hacker redirect him to his trap page? Will the URL look different, or can it show https://www.facebook.com and still be another page?

Anders
G. Knoxx

1 Answer


Because the victim is running through the attacker's network, the attacker can dictate the network settings, like what DNS is used or redirecting traffic.

So, yes, it is possible for the attacker to redirect DNS queries to Facebook to their own laptop's web server, and while the URL looks legitimate, the victim is actually using the attacker's web page.

Alternatively, the attacker could simply record and replay all the traffic going through using a proxy, and the victim actually visits Facebook, but the attacker sees everything the victim sends, like usernames, passwords, files, pictures, etc.

schroeder
  • Could you tell me more about how it works when you say "simply record and replay all the traffic going through using a proxy"? How does the proxy let the attacker see the information sent? – G. Knoxx Mar 07 '17 at 14:42
  • The victim has to send their traffic to the attacker's computer first in order to get to the Internet (and then to Facebook). All that traffic can simply be literally recorded and inspected (and even manipulated!) by the attacker's machine, then sent on to Facebook. If the website normally uses TLS (HTTPS), the attacker can break this protection between himself and the victim, then repackage the traffic using HTTPS from his machine to Facebook. – schroeder Mar 07 '17 at 14:52
  • If you want to know more, you will have to read up on proxies, Firesheep, MITM, etc. Big topic. – schroeder Mar 07 '17 at 14:52
  • 1
    Doesn't the `https://` complicate this a bit? The rouge AP should not be able to MITM the traffic. – Anders Mar 07 '17 at 14:56
  • 1
    @Anders unless the proxy breaks TLS. Modern implementations in browsers can highlight when TLS has been broken, but it is technically still possible (*cough* IE8 *cough*). With the question being a neophyte's "how can it work?", I wanted to cover the threat landscape and not go into all the ways one can mitigate. – schroeder Mar 07 '17 at 15:15