Mana Tutorial: The Intelligent Rogue Wi-Fi Router

•October 16, 2014 • Leave a Comment

“Mana” by Dominic White (singe) & Ian de Villiers at Sensepost, is an amazing full feature evil access point that does, well, just about everything. Just install and run it and you will in essence receive Wi-Fi credentials or “Mana” from heaven!

Here is a link to the creator’s Defcon 22 presentation:

Not sure where to start with this one. Like other rogue Wi-Fi AP programs Mana creates a rogue AP device, but Mana does so much more.

It listens for computers and mobile devices to beacon for preferred Wi-Fi networks, and then it can impersonate that device.

Once someone connects to the rogue device, it automatically runs SSLstrip to downgrade secure communications to regular HTTP requests, can bypass/redirect HSTS, allows you to perform MitM attacks, cracks Wi-Fi passwords, grabs cookies and lets you impersonate sessions with Firelamb.

But that is not all; it can also impersonate a captive portal and simulate internet access in places where there is no access.

Mana is very effective and, well, pretty scary!

Before we get started, for best success use Kali Linux v.1.08.

And as always, this article is for educational purposes only, never try to intercept someone else’s wireless communications. Doing so is illegal in most places and you could end up in jail.

Mana Tutorial

** UPDATE ** – 10/21 – You can now install Mana in Kali by simply typing “apt-get install mana-toolkit”!

1. Download and unzip Mana from https://github.com/sensepost/mana.
2. Run the install script kali-install.sh.

Mana will then install libraries and other dependencies to work properly.

Once completed the install places the Mana program in the /usr/share/mana-toolkit directory, config files in /etc/mana-toolkit, and log files and captured creds in /var/lib/mana-toolkit.

3. Open the main config file /etc/mana-toolkit/hostapd-karma.conf

Here you can set several of the options including the default Router SSID which by default is “Internet”. Something like “Public Wi-Fi” may be more interesting. The other main setting here is “karma_loud” which sets whether mana impersonates all AP’s that it detects or not.

Lastly, all we need to do is run one of Mana’s program scripts located in usr/share/mana-toolkit/run-mana. The scripts are:

  • start-nat-simple.sh
  • start-noupstream.sh
  • start-nat-full.sh
  • start-noupstream-eap.sh

Mana Scripts

For this tutorial let’s just run Mana’s main “full” attack script.

4. Attach your USB Wi-Fi card (TL-WN722N works great).
5. Type “iwconfig” to be sure Kali sees it.

iwconfig

6. Type, “./start-nat-full.sh” to start Mana.

Mana then starts the evil AP, SSLstrip and all the other needed tools and begins listening for traffic:

Mana running

Once someone connects, Mana will display and store any creds and cookies detected as the victim surfs the web.

7. When done, press “Enter” to stop Mana

To check what you have captured run firelamb-view.sh to view captured cookie sessions:

Mana firelamb

This asks which session you want to try from the captured cookie sessions. It then tries to open the session in Firefox. If the user is still logged in you could take over their session.

You can also review the log files manually in /var/lib/mana-toolkit.

Mana works equally well against laptops and mobile devices. And the inherent trust of “preferred Wi-Fi networks” that most systems use makes this tool very effective at intercepting and impersonating wireless routers.

To defend against this type of attack turn off your wi-fi when not in use. Be very careful of using free or public Wi-Fi networks. Also, it would be best to perform any secure transactions over a wired LAN instead of using Wi-Fi!

If you enjoyed this tutorial and want to learn more about computer security testing, check out my book, “Basic Security Testing with Kali Linux“.

Data Privacy Smoke and Mirrors

•September 26, 2014 • Leave a Comment

Data Privacy

As hardware and software manufacturers make public statements about hardening and protecting their services in the name of customer privacy, federal agencies speak out against it – let the smoke and mirrors game begin…

After Snowden revealed how deep tech company’s “data sharing” cooperation with the federal government has been, many of them are now making stands on protecting their customer’s data privacy. Google and Apple have announced that their latest operating systems will include encryption by default. According to the Washington Post, Apple has gone as far as stating that they will not be able to unlock an Apple device, even with a search warrant:

“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data, so it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

As expected, government officials are coming out in protest of the tech giants move to protect data privacy. FBI Director James Comey recently told reporters that the move could hinder investigations and put lives at risk, “I’d hate to have people look at me and say, ‘Well how come you can’t save this kid?’ ‘How come you can’t do this thing?

In all honesty, this just appears to be a lot of smoke and mirrors. Manufacturers have worked hand-in-hand with law enforcement for a very long time, and most likely are not going to stop now, or anytime soon. Does anyone remember Cisco’s “Lawful Intercept?”

On Cisco’s website, Lawful Intercept is defined as:

… the process by which law enforcement agencies conduct electronic surveillance of circuit and packet-mode communications as authorized by judicial or administrative order. Countries throughout the world have adopted legislative and regulatory requirements for providers of public and private communication services (service providers) to design and implement their networks to support authorized electronic surveillance explicitly. International standards organizations have also developed standards to guide service providers and manufacturers in specific lawful intercept capabilities.”

Communication interception devices in use by the government (and apparently some law enforcement agencies) have the capability to intercept and analyze cell phone calls and other electronic signals, so having physical access to a device may not be as big as a priority as before. Even so, if someone can remotely access a device as the currently logged in user, certain data encryption is meaningless – the device will dutifully unencrypt the data for the remote user thinking it is in fact the legitimate user.

It would seem that this display of concern for data privacy is nothing more than a public display to regain consumer trust. As soon as access to a device is needed for a criminal case or terrorist incident, you better believe that a back door or other way to access needed data will be available.

 

Book Review: Kali Linux Network Scanning Cookbook

•September 15, 2014 • Leave a Comment

Everything you ever wanted to know about scanning (and then some)!

Kali Linux Network Scanning

Security Guru and trainer Justin Hutchens has recently released an exceptional book on network scanning with Kali Linux. The book starts out with the very basics of network scanning and progresses through stages to more advanced scans and even exploitation.

All the basics are present, like using Nmap, ARPing, Scapy and other tools to perform varied levels of discovery, port scanning and fingerprinting.  You are then masterfully shown how to greatly expand the capabilities and functions of these tools by using scripting.

But it doesn’t stop there, you then move on to using scanning tools and Burp Suite to perform Denial of Service attacks, SQL injection and Metasploit attacks. Because really what is a scanning book without including offensive attacks?  :)

The book is easy to read and follow using step-by-step instructions and screen views. It is setup in sections (called “Recipes”) so that if you want to know how to perform Layer 4 discovery using Scapy or DoS attacks with Nmap, you just go directly to that particular section.

I have worked with Justin on a couple projects and he is one of the most talented security teachers and authors that I have ever met. He covers material in this book that I have never seen covered anywhere else. If you have any interest in network scanning or want to learn a lot more about it, get this book!

Available at Packt Publishing and Amazon.com.

*** UPDATE *** The book version has some print quality issues that have been reported. The Electronic version has no known issues. Will provide more information when available. 

US Army Activates “Cyber Protection Brigade”

•September 8, 2014 • Leave a Comment

Army Cyber Brigade

On Friday the US Army activated what it is calling a “Cyber Protection Brigade”.

According to a post on Army.mil’s website:

“The Army is activating a Cyber Protection Brigade today, and discussing a new cyber branch that could be established as early as next month.

Command Sgt. Maj. Rodney D. Harris, Army Cyber Command, said the branch announcement could come as early as the second week of October, during the Association of the U.S. Army’s annual meeting.

The Cyber Protection Brigade is being activated by the U.S. Army Network Enterprise Technology Command at Fort Gordon, Georgia. It’s the first brigade of its kind in the Army and the nucleus of the new unit will be its cyber protection teams, according to the command.”

The cyber soldiers who are highly trained by the military will help defend the Army’s systems, but will also include offensive strike teams.

“The cyber teams will be roughly platoon-sized, but vary depending on their mission. The combat-mission or offense teams are larger, Harris said. The network defense or cyber-protection teams are mid-size.”

The Army may create a new cyber branch next month. It can take up to three years to train a NCO cyber leader, making it one of the longest training cycles. And with computer attacks increasing every day, the Army is focusing on obtaining and retaining troops who have cyber skills.

 

 
Follow

Get every new post delivered to your Inbox.

Join 284 other followers