Emerging Tech: Security — The Need for Wireless Airspace Cybersecurity
Excerpt From Wi-Fi Vulnerabilities Part 1 Webinar
Learn About KARMA/MANA in the video below.
Dr. Brett Walkenhorst, CTO, discusses the tactics and development of evil twin attacks, focusing on the Karma/Mana family of attacks. In the video below, he describes how attackers use clients’ probe requests to position themselves as trusted networks. In order to maximize the likelihood of acquiring clients, the “Loud Mana” version continuously beacons out all accumulated network information.
There's a family of attacks that I mentioned before, Karma/Mana. I'm just gonna walk through these very briefly to give you a feel for what is possible with an evil twin. So I set up a device. I'm listening to what's going on out in the environment, and I've got multiple clients out there that are sending probe requests out into the ether.
So there's client A who sends a probe request. Is Linksys out there? And as my evil twin, I'm just gonna say, yep. I'm Linksys. I can help you. And there's another client says, is Starbucks there? And I say, yep. That's me. I'm Starbucks. And another client says, is my favorite very secure corporate network there?
And I say, yes. I'm your very favorite secure corporate network. And I try to capture all these clients and position myself as man in the middle to conduct attacks from there. So this can be successful. As time went by, and this was several years ago, clients began to ignore probe responses from access points when that access point hadn't previously sent a beacon.
So this was to get around the karma attack. If you've never beaconed that you are that network, then why should I trust you? So that's a pretty smart move. So clients got a little smarter, firmware got updated, people patched their devices, hopefully. And then the bad guys got smarter too, and they said, well, that's nice that you did that.
But guess what? Instead of responding to your probe request right away, I hear your probe request. I know that you've got Starbucks in your preferred networks list. So I'll just wait a little bit. I heard your probe request. I'll add that to my list. And now I'm gonna start beaconing out.
I'm Starbucks. Anybody there? I'm Starbucks. I'm Starbucks. And after a few of those, maybe you send me a probe request and I respond. And you trust me because I've sent out beacons even though I used your first probe request to figure out that I should be beaconing. So that's pretty smart.
And so now we can capture clients even though they got a little smarter. So now vendors start changing things a little bit so that clients stop sending so many directed probe requests. And this is particularly true for open networks. You're still gonna have to send some, but maybe you don't send all of them and maybe you just don't ever send one for an open network because, again, the evil twin is so much easier to establish when there's no encryption involved.
Now the story is I'm not gonna send you all my stuff, but chances are decent that there are some devices in the vicinity that the networks in their PNL may have some overlap with networks in my PNL. And so even though I'm a little smarter now, there's networks nearby where that evil twin can capture information about networks that I might have in my PNL that could eventually compromise me.
So the variation on a theme here, it was called Loud Mana that basically says anything that I've heard, I've heard all these networks, I compile this list, I'm gonna beacon out all of it constantly. And chances are that even if you didn't say that you've associated with Starbucks before, there's somebody nearby that is gonna tell me that Starbucks is there, and so I'm just gonna use that and be beaconing it out.
And chances are you're gonna end up sending me a probe request and try to associate with me.
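The three behaviours described in the talk each leave a pattern a wireless monitor can look for. The Python below is an added example, not code from the webinar or from Bastille; the frame tuple layout, the `detect_evil_twin` name and the SSID-count threshold are assumptions, and the capture is constructed sample data.

```python
from collections import defaultdict

# Constructed sample capture: (time_s, frame_type, source_mac, ssid).
# For beacons and probe responses the source MAC is the AP's BSSID.
FRAMES = [
    (0.0, "beacon",     "aa:aa:aa:aa:aa:01", "CorpNet"),
    (1.0, "probe_req",  "cc:cc:cc:cc:cc:01", "Linksys"),
    (1.1, "probe_resp", "ee:ee:ee:ee:ee:01", "Linksys"),     # never beaconed it
    (2.0, "probe_req",  "cc:cc:cc:cc:cc:02", "Starbucks"),
    (4.0, "beacon",     "ee:ee:ee:ee:ee:02", "Starbucks"),   # beacon follows probe
    (5.0, "beacon",     "ee:ee:ee:ee:ee:02", "Linksys"),
    (6.0, "beacon",     "ee:ee:ee:ee:ee:02", "HotelGuest"),  # third SSID, same BSSID
    (7.0, "probe_req",  "cc:cc:cc:cc:cc:03", "CorpNet"),
    (7.1, "probe_resp", "aa:aa:aa:aa:aa:01", "CorpNet"),     # beaconed earlier: fine
]

def detect_evil_twin(frames, max_ssids_per_bssid=2):
    """Return sorted (bssid, reason) alerts for Karma/Mana-style behaviour.

    max_ssids_per_bssid is an assumed threshold; tune it to the site.
    """
    beaconed = defaultdict(set)  # bssid -> SSIDs it has beaconed so far
    probed = set()               # SSIDs seen in directed probe requests
    alerts = set()
    for _, kind, src, ssid in sorted(frames):
        if kind == "probe_req":
            probed.add(ssid)
        elif kind == "probe_resp":
            # Karma: answers a probe for an SSID it has never beaconed.
            if ssid not in beaconed[src]:
                alerts.add((src, "karma"))
        elif kind == "beacon":
            first_time = ssid not in beaconed[src]
            beaconed[src].add(ssid)
            # Mana: starts beaconing an SSID only after a client probed for it.
            # Heuristic: an AP first seen after capture start also matches, so
            # a baseline of known BSSID/SSID pairs is needed in practice.
            if first_time and ssid in probed:
                alerts.add((src, "mana"))
            # Loud Mana: one BSSID beaconing a growing list of SSIDs.
            if len(beaconed[src]) > max_ssids_per_bssid:
                alerts.add((src, "loud_mana"))
    return sorted(alerts)

if __name__ == "__main__":
    for bssid, reason in detect_evil_twin(FRAMES):
        print(bssid, reason)
```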
Learn how Bastille can help prepare you for today’s ever-growing wireless threat landscape. Schedule a demo and we’ll be in touch shortly.