
Captive Portal

 

Summary

Excerpt from the Wi-Fi Vulnerabilities Part 1 Webinar
This short video, presented by CTO Dr. Brett Walkenhorst, explains the captive portal.
In the video below, Dr. Brett Walkenhorst, CTO, explains an evil twin attack and how attackers trick clients into disclosing personal information. Under the pretense of regular maintenance or authentication, the attacker sets up a fake access point and requests that clients re-enter their personal information.

Video Transcript

Here's an example of an evil twin that issues a captive portal. So the way this works is at some point, as the evil twin, this device that I run is going to capture a client. How that happens, we'll talk about in a minute. There's lots of ways.

Let's say I've got the client now, and the client is connected to me. The evil twin is going to pretend it's an access point on a network you trust. Right? It's going to pretend that it's undergoing maintenance or for some reason it's just been rebooted or something, and it's asking the client to reenter their credentials.

You have to be clever about this. Right? You're not gonna fool anybody with this little green screen that I've shown at the upper right. But if you finesse it and you tailor it to look official, you can start to make this look pretty convincing that someone is gonna have to reestablish credentials with you, and this is just routine.

No big deal. Just maintenance is going on. We just gotta make sure that you are who you say you are. So I can make that sound legit. Well, if I'm a savvy user, I might realize that this could be a problem. So I'm gonna be a little bit wary.

I'm gonna see that splash page, and I'm gonna say, okay. That's nice, but I don't really trust you. I'm gonna just enter a stupid password. So they enter password as the password or whatever they want. Well, what I'm gonna do as an attacker is I'm gonna take that text that they submitted, and I'm going to run it through the hash functions: it gets concatenated with different data elements that, through multiple hashings, ultimately become a hash that is shared during that four way handshake.

So here's all I need. I need the SSID. I need the MAC address, which I'm getting, by the way, because this client is attached to me and I know the SSID because I'm emulating it. And then I need a passphrase. Once you submit the passphrase, I run it through this function. And if it doesn't match the identifier that we use for verifying in the four way handshake, then I know you gave me the wrong password.

All I need is that four way handshake to validate whether the password you submitted is right. So it doesn't match. I go, sorry. Wrong password. Let's try that again, and I invite you to enter the real password. Well, maybe you're convinced at this point. Hey. It must know I got the wrong password, so I'll enter the real one now.

And once you do, I check it against the four way handshake. I know it's right. Now I've got credentials. I can use that to access the actual network as a client. I can also continue if I choose to stay in my position as a person in the middle and conduct that kind of an attack where you still trust me as your access point.

And at the same time, I've got a split personality with a client device that is connecting to the authorized network. So I can provide you all the network services that you're used to, but I've also got the credentials. And in my position, I can manipulate data or paths or begin to inject malicious code into your client device through JavaScript injection or any number of things.

I'm in a great position to get all kinds of things done because I tricked you into giving up your credentials, and now I can give you everything you want and still be a person in the middle. So very evil twin is well named. It's an evil attack.
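
The validation step described in the transcript is the same MIC check a WPA2-Personal authenticator performs on message 2 of the four-way handshake. The following is an added example, not code from the webinar or from Bastille, that walks through that derivation; it assumes WPA2-PSK with the HMAC-SHA1 key descriptor, the function names are the example's own, and the MAC addresses, nonces and frame bytes are constructed sample values.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    # 802.11 PRF, first block only: the leading 16 bytes of the PTK are the
    # key confirmation key (KCK) that protects the handshake MIC.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    block = hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00",
                     hashlib.sha1).digest()
    return block[:16]

def handshake_mic(kck: bytes, frame_mic_zeroed: bytes) -> bytes:
    # Key descriptor version 2 (WPA2 with CCMP): HMAC-SHA1 truncated to 16 bytes,
    # computed over the EAPOL-Key frame with its MIC field set to zero.
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]

def passphrase_matches(passphrase, ssid, ap_mac, sta_mac, anonce, snonce,
                       frame_mic_zeroed, observed_mic) -> bool:
    kck = derive_kck(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(handshake_mic(kck, frame_mic_zeroed), observed_mic)

# Constructed sample values (not from a real capture).
SSID = "IEEE"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
FRAME = b"constructed EAPOL-Key message 2 body, MIC field zeroed"

def run_sample():
    # The client computes its MIC from the real passphrase ...
    client_kck = derive_kck(derive_pmk("correct horse battery", SSID),
                            AP_MAC, STA_MAC, ANONCE, SNONCE)
    mic = handshake_mic(client_kck, FRAME)
    # ... and the verifier learns only match / no match for a submitted value.
    args = (SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, FRAME, mic)
    return (passphrase_matches("password", *args),
            passphrase_matches("correct horse battery", *args))

if __name__ == "__main__":
    print(run_sample())  # (False, True)
```

Every input to this check other than the passphrase is visible to any party that takes part in or observes the handshake, so on a WPA2-Personal network the passphrase is the only secret involved.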

We’d love to show you around

Learn how Bastille can help you prepare for today’s ever-growing wireless threat landscape. Schedule a demo and we’ll be in touch shortly.