SensePost demos WiFi attacks at DefCon

Jon Tullett
By Jon Tullett, Editor: News analysis
Johannesburg, 25 Aug 2014
SensePost's Mana toolkit automates wireless attacks, says SensePost CTO Dominic White.
SensePost's Mana toolkit automates wireless attacks, says SensePost CTO Dominic White.

New attacks against wireless networks are capable of automatically exploiting vulnerable users. This was shown via a toolkit developed by local security firm SensePost, and demonstrated at DefCon in Las Vegas by Dominic White and Ian de Villiers. The toolkit impressed the audience with a comprehensive suite of attacks and compromises.

The new toolkit, dubbed Mana, fully automates the processes of discovery, spoofing, cracking, exploitation, interception and analysis. "There are vulnerabilities at every layer of the WiFi protocol," White said. "To an attacker, it feels like you should be able to just pull credentials out of the air. But the tools don't work as well as they used to."

Some of that is due to tightening of security on devices, he adds. Manufacturers, particularly of mobile phones and tablets, have taken steps to improve security. Devices poll much less frequently, making it more difficult to detect and spoof a user's preferred networks, for example. Apple iOS devices are expected to implement MAC randomisation, which will change a device's network device identification, making it more difficult to track and attack a user.

Unfortunately, none of the improvements are really effective, White said. SensePost's research uncovered numerous new ways to attack wireless networks, and his team was able to create new or updated tools with the new capabilities.

For example, he explained, iPhones no longer probe for a known hidden wireless network unless there is at least one hidden network present - that is an attempt to cut back on a device broadcasting its preferred network list. So Mana broadcasts a fake, hidden wireless network, which then prompts iPhones to look for known networks.

Unfortunately, laptops have had few of these updates, White says, meaning that laptop users, such as the majority of enterprise users, are particularly vulnerable.

Automated tools

To create Mana, White and De Villiers took existing tools, many of which had fallen into disrepair or become obsolete, and updated the entire toolchain into an automated bundle. The result is a toolkit which automates every level of attack against wireless targets, ending up with captured credentials, intercepted traffic, and persistence.

One of the new tools in the Mana arsenal is Firelamb. SensePost created Firelamb, an update to the Firesheep tool which captures social media credentials but is no longer updated. Firelamb takes this one step further, gathering credentials and creating an easy interface to exploit stolen credentials.

While a few of the attacks may prompt users with a security warning, these are easily socially engineered around, White said. Unfortunately, fixing the flaws, and hardening wireless networks to protect against an automated attack tool like Mana, may require changes by manufacturers.

On the upside, security professionals can make use of the toolkit to examine their own environments, checking for vulnerabilities, rogue users and access points, and checking for weak credentials.

Eyes in the sky

The SensePost team also demonstrated a surveillance tool in Las Vegas. Snoopy is a tool created by SensePost capable of tracking a user's mobile device using a multitude of fingerprints ? wireless, Bluetooth, and others. An updated version of Snoopy has seen it evolve into a fully-fledged modular toolkit, similar to the popular hacking framework Metasploit.

SensePost demonstrated how a small computing device running Snoopy, mounted on an aerial drone, can invisibly track users from the air. This could be useful for marketing, tracking users at a concert, for example, or it could be used to track protesters involved in mass action.

It can also identify high-value targets by correlating movements across multiple events - by deploying Snoopy at multiple locations where a politician or celebrity is known to be, then analysing the narrowing subset of devices present at each. This opens the door for more targeted attacks, such as those demonstrated in the wireless capabilities of Mana.

Mana in a nutshell

The range of tools in Mana is wide-ranging, but the toolkit makes attacks eminently simple. The kit can be run on a Linux device or in a virtual machine, needing only a suitably capable wireless interface card.

A single command launches a series of tools, starting by investigating wireless clients and networks in the area. Clients are forcibly disconnected if already associated with a network, and then encouraged to reconnect to a fake access point controlled by the toolkit.

Credentials are captured and decrypted. A man-in-the-middle attack gives clients the appearance of an Internet connection, and traffic is then captured and analysed.

The toolkit can also create a fake WiFi hotspot service to dupe users into connecting, and new capabilities can push network profiles or digital certificates to a target device, allowing easier attacks against encrypted traffic.

Download and evaluate the Mana toolkit from SensePost's GitHub repository.