Mana Tutorial: The Intelligent Rogue Wi-Fi Router

“Mana” by Dominic White (singe) & Ian de Villiers at SensePost is a full-featured evil access point toolkit that does, well, just about everything. Install it, run it, and Wi-Fi credentials, or “Mana” from heaven, come to you.

Here is a link to the creator’s Defcon 22 presentation:

Not sure where to start with this one. Like other rogue Wi-Fi AP tools, Mana creates a rogue access point, but it does a great deal more.

It listens for the probe requests that laptops and mobile devices send out looking for their preferred (saved) Wi-Fi networks, and then impersonates those networks, answering the probe as if it were the network the device is looking for. This is the KARMA attack, which Mana updates to work against modern devices.

Once someone connects to the rogue AP, Mana automatically runs SSLstrip+ (with dns2proxy) to downgrade HTTPS connections to plain HTTP and partially bypass HSTS, lets you perform MitM attacks, captures WPA-Enterprise (EAP) credentials for offline cracking, grabs cookies, and lets you replay captured sessions with Firelamb.

But that is not all; it can also impersonate a captive portal and fake internet connectivity, so clients stay connected and keep talking even where the rogue AP has no upstream connection.

Mana is very effective and, well, pretty scary!

Before we get started, for best results use Kali Linux 1.0.8.

And as always, this article is for educational purposes only, never try to intercept someone else’s wireless communications. Doing so is illegal in most places and you could end up in jail.

Mana Tutorial

** UPDATE ** – 10/21 – You can now install Mana in Kali by simply typing “apt-get install mana-toolkit”!

1. Clone (or download and unzip) Mana from https://github.com/sensepost/mana.
2. From the unpacked directory, run the install script kali-install.sh.

Mana will then install libraries and other dependencies to work properly.

Once the install completes, the Mana program lives in /usr/share/mana-toolkit, the config files in /etc/mana-toolkit, and the log files and captured creds in /var/lib/mana-toolkit.

3. Open the main config file /etc/mana-toolkit/hostapd-karma.conf

Here you can set several of the options, including the default router SSID, which is “Internet” out of the box. Something like “Public Wi-Fi” may be more interesting. The other main setting is “karma_loud”. With it off, Mana only answers each client with the network names that client itself probed for; with it on, Mana answers every probe with every network name it has seen from any client, so devices that never probe for their own saved networks (many newer phones) still see a familiar name and connect.
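The two ideas above (clients leaking their preferred-network list in probe requests, and the difference karma_loud makes) are easier to see in code. The following is an added example, not code from the Mana toolkit: it parses raw 802.11 probe request frames, collects the SSIDs each client MAC asks for, and models which names a KARMA-style AP would answer with in quiet versus loud mode. The frames, MAC addresses and SSIDs are constructed in the script so it runs offline, and the reply model is a simplified assumption of Mana's behaviour, not its actual code path.

```python
"""Parse 802.11 probe requests and model a KARMA-style AP's reply choice.

Added example, not part of the Mana toolkit.  The frames below are
constructed in-code so this runs offline; Mana reads real ones from a
wireless card via its patched hostapd.
"""
from collections import defaultdict

BROADCAST = b"\xff" * 6
MGMT_TYPE, PROBE_REQ_SUBTYPE = 0, 4   # 802.11 type 0 (management), subtype 4
SSID_ELEMENT_ID = 0


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) if `frame` is a probe request, else None.
    ssid is "" for a broadcast (wildcard) probe."""
    if len(frame) < 24:              # management frames carry a 24-byte MAC header
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x03, (fc >> 2) & 0x03, (fc >> 4) & 0x0F
    if version != 0 or ftype != MGMT_TYPE or subtype != PROBE_REQ_SUBTYPE:
        return None
    source = mac_str(frame[10:16])   # Address 2 = transmitter, i.e. the client
    body, i = frame[24:], 0
    # The body is a run of (element id, length, value) tagged parameters.
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + elen]
        if len(value) < elen:
            return None              # truncated element: discard the frame
        if eid == SSID_ELEMENT_ID:
            return source, value.decode("utf-8", errors="replace")
        i += 2 + elen
    return source, ""                # no SSID element: treat as wildcard


def build_probe_request(source: bytes, ssid: str) -> bytes:
    """Construct a minimal probe request (sample input for the demo)."""
    header = (bytes([0x40, 0x00])    # frame control: type 0, subtype 4
              + b"\x00\x00"          # duration
              + BROADCAST            # Address 1: destination
              + source               # Address 2: source (the client)
              + BROADCAST            # Address 3: BSSID
              + b"\x00\x00")         # sequence control
    ssid_bytes = ssid.encode()
    body = bytes([SSID_ELEMENT_ID, len(ssid_bytes)]) + ssid_bytes
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates element
    return header + body


def preferred_networks(frames):
    """Map each client MAC to the set of SSIDs it probed for by name.
    This is the preferred-network list the client leaks over the air."""
    pnl = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        source, ssid = parsed
        names = pnl[source]          # record the client even if it only sent wildcards
        if ssid:
            names.add(ssid)
    return dict(pnl)


def karma_reply_ssids(source: str, ssid: str, pnl, loud: bool):
    """SSIDs a KARMA-style AP answers this probe with (simplified model,
    an assumption of this example).  loud=False: only names this client
    asked for.  loud=True: every name any client has leaked, so a device
    that never probes for its own networks still sees a familiar one."""
    if loud:
        return set().union(*pnl.values())
    if ssid:
        return {ssid}
    return set(pnl.get(source, set()))


if __name__ == "__main__":
    laptop = b"\x00\x11\x22\x33\x44\x55"     # constructed sample MACs
    phone = b"\x66\x77\x88\x99\xaa\xbb"
    captured = [
        build_probe_request(laptop, "HomeNet"),
        build_probe_request(laptop, "CoffeeShop-Free"),
        build_probe_request(phone, ""),            # wildcard probe
        build_probe_request(phone, "AirportWiFi"),
    ]
    pnl = preferred_networks(captured)
    for mac, names in pnl.items():
        print(mac, "probes for:", sorted(names))
    wildcard = (mac_str(phone), "", pnl)
    print("quiet reply to phone's wildcard probe:", sorted(karma_reply_ssids(*wildcard, loud=False)))
    print("loud reply to phone's wildcard probe: ", sorted(karma_reply_ssids(*wildcard, loud=True)))
```

Run it and the laptop's two saved networks appear in the loud reply to the phone's wildcard probe, even though the phone never asked for them; that is exactly what karma_loud buys an attacker, and why a directed probe for a saved open network is the thing worth avoiding on the defence side.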

Finally, all we need to do is run one of Mana's start scripts, located in /usr/share/mana-toolkit/run-mana. The scripts are:

  • start-nat-simple.sh
  • start-noupstream.sh
  • start-nat-full.sh
  • start-noupstream-eap.sh


For this tutorial let’s just run Mana’s main “full” attack script.

4. Attach your USB Wi-Fi card (TL-WN722N works great).
5. Type “iwconfig” to be sure Kali sees it (the card should show up as a wireless interface, wlan0 or similar).

6. Change into /usr/share/mana-toolkit/run-mana and type “./start-nat-full.sh” to start Mana.

Mana then starts the evil AP, SSLstrip and all the other needed tools and begins listening for traffic:


Once someone connects, Mana will display and store any creds and cookies detected as the victim surfs the web.

7. When done, press “Enter” to stop Mana.

To check what you have captured run firelamb-view.sh to view captured cookie sessions:


This asks which of the captured cookie sessions you want to try, then opens a Firefox profile loaded with those cookies. If the victim is still logged in, you inherit their session.

You can also review the log files manually in /var/lib/mana-toolkit.

Mana works equally well against laptops and mobile devices. Most operating systems automatically rejoin any network whose name matches a saved “preferred” network, without checking that it is really the same access point, and that inherent trust is what makes this tool so effective at impersonating wireless routers.

To defend against this type of attack, turn off your Wi-Fi when not in use and delete open (unencrypted) networks from your device's saved network list, since those are the ones a rogue AP can impersonate without knowing any key. Be very careful using free or public Wi-Fi networks. And it is best to perform any sensitive transactions over a wired LAN instead of Wi-Fi!

If you enjoyed this tutorial and want to learn more about computer security testing, check out my new book, “Basic Security Testing with Kali Linux 2“.


Mapping Wi-Fi Signals by Light Painting Signal Strength

This is a couple years old, but is just amazing. It is the results of a project to time lapse photograph a representation of Wi-Fi signals using a 4 meter lighted rod. A bank of 80 lights on the rod represent Wi-Fi signal strength of a particular Wi-Fi network around a building. Time lapse photos are taken and when it is put together you get the amazing effect demonstrated in the video.

Very cool!

Thanks to Yuri Chemerkin’s blog for the heads up on this.

Wardrive shows Wireless Networks still Wide Open

A wardrive was performed at a recent computer security class in Texas. The results… stunning.

Wardriving usually consists of driving around in a vehicle searching for Wi-Fi networks using Aircrack-ng, NetStumbler, Kismet or a similar program. Information can be gleaned from the networks found, including what type of security they are using. It is the modern version of wardialing, popular in the 80s and early 90s, where hackers dialed blocks of phone numbers looking for a modem that answered.

According to the graph, 13% of the Wi-Fi networks had no security at all, and a whopping 45% were using WEP, which was broken years ago. Only 18% were using WPA2. So in effect, 58% of the detected networks would have been easy pickings for a hacker. They might as well have hung a big “Welcome!” sign on their network.

San Francisco did not fare much better:

Here, 47% had either no security or easily defeated security. WPA is not 100% safe either; the safest choice is the current WPA2.

I was actually shocked at the high percentage of unsecure Wi-Fi systems. With the dangers of Wi-Fi so well-known, it just doesn’t make sense. In fact for a product to even qualify for the Wi-Fi label, it must have WPA2 security. And that has been the standard since 2006!

You would think at this stage of the game, manufacturers would have taken the choice out of consumers hands and make the default security WPA2 out of the box.

Please check your Wi-Fi security settings to be sure that they are not set to “WEP” or worse yet, “None”. Also, if you have a wireless box that only supports WEP, it needs to be replaced with a newer, more secure version. When hackers scan your network from across the street, you want them to find a “No Admittance” sign!

(Photos courtesy of Sam Bowne. Sam has done amazing work in advancing the legitimacy of Ethical Hacking in mainstream academia. Check out his website at http://samsclass.info/)

Wi-Fi on School Bus?

How do you turn a rowdy bus into an extra study hall? Install Wi-Fi, according to the Vail, Arizona school district in a NY Times article:

“It’s made a big difference,” said J. J. Johnson, the bus’s driver. “Boys aren’t hitting each other, girls are busy, and there’s not so much jumping around.”

Apparently, Arizona is not the only school district interested. The company that makes the router, Autonet Mobile, has sold them to Washington DC, Florida, and Missouri. A mobile wireless hotspot, interesting…