Mana Tutorial: The Intelligent Rogue Wi-Fi Router

“Mana”, by Dominic White (singe) & Ian de Villiers at Sensepost, is an amazing full-featured evil access point that does, well, just about everything. Just install and run it and you will in essence receive Wi-Fi credentials or “Mana” from heaven!

Here is a link to the creator’s Defcon 22 presentation:

Not sure where to start with this one. Like other rogue Wi-Fi AP programs Mana creates a rogue AP device, but Mana does so much more.

It listens for computers and mobile devices to beacon for preferred Wi-Fi networks, and then it can impersonate that device.

Once someone connects to the rogue device, it automatically runs SSLstrip to downgrade secure communications to regular HTTP requests, can bypass/redirect HSTS, allows you to perform MitM attacks, cracks Wi-Fi passwords, grabs cookies and lets you impersonate sessions with Firelamb.

But that is not all; it can also impersonate a captive portal and simulate internet access in places where there is no access.

Mana is very effective and, well, pretty scary!

Before we get started, for best success use Kali Linux v.1.08.

And as always, this article is for educational purposes only, never try to intercept someone else’s wireless communications. Doing so is illegal in most places and you could end up in jail.

Mana Tutorial

** UPDATE ** – 10/21 – You can now install Mana in Kali by simply typing “apt-get install mana-toolkit”!

1. Download and unzip Mana from https://github.com/sensepost/mana.
2. Run the install script kali-install.sh.

Mana will then install libraries and other dependencies to work properly.

Once completed the install places the Mana program in the /usr/share/mana-toolkit directory, config files in /etc/mana-toolkit, and log files and captured creds in /var/lib/mana-toolkit.

3. Open the main config file /etc/mana-toolkit/hostapd-karma.conf

Here you can set several options, including the default router SSID, which by default is “Internet”. Something like “Public Wi-Fi” may be more interesting. The other main setting here is “karma_loud”, which sets whether Mana impersonates all APs that it detects or not.

Lastly, all we need to do is run one of Mana’s program scripts located in /usr/share/mana-toolkit/run-mana. The scripts are:

  • start-nat-simple.sh
  • start-noupstream.sh
  • start-nat-full.sh
  • start-noupstream-eap.sh


For this tutorial let’s just run Mana’s main “full” attack script.

4. Attach your USB Wi-Fi card (TL-WN722N works great).
5. Type “iwconfig” to be sure Kali sees it.

iwconfig

6. Type, “./start-nat-full.sh” to start Mana.

Mana then starts the evil AP, SSLstrip and all the other needed tools and begins listening for traffic:


Once someone connects, Mana will display and store any creds and cookies detected as the victim surfs the web.

7. When done, press “Enter” to stop Mana

To check what you have captured run firelamb-view.sh to view captured cookie sessions:


This asks which session you want to try from the captured cookie sessions. It then tries to open the session in Firefox. If the user is still logged in you could take over their session.

You can also review the log files manually in /var/lib/mana-toolkit.

Mana works equally well against laptops and mobile devices. And the inherent trust of “preferred Wi-Fi networks” that most systems use makes this tool very effective at intercepting and impersonating wireless routers.

To defend against this type of attack, turn off your Wi-Fi when not in use. Be very careful about using free or public Wi-Fi networks. Also, it would be best to perform any secure transactions over a wired LAN instead of using Wi-Fi!
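On the monitoring side, an access point that answers for whatever network a client probes for leaves a recognisable pattern: one BSSID responding for many unrelated SSIDs, including names nobody really operates. The following is an added example, not code from the original post or from the Mana project; the record format, the canary SSID, the thresholds and the function name are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed records, as a monitor-mode sensor might export them
# (assumed format): (time_s, frame_type, bssid, ssid)
FRAMES = [
    (0.0, "beacon",     "00:11:22:33:44:55", "CorpWiFi"),
    (0.5, "probe_resp", "00:11:22:33:44:55", "CorpWiFi"),
    (1.0, "probe_req",  None,                "HomeNet"),
    (1.1, "probe_resp", "de:ad:be:ef:00:01", "HomeNet"),
    (2.0, "probe_req",  None,                "CoffeeShop"),
    (2.1, "probe_resp", "de:ad:be:ef:00:01", "CoffeeShop"),
    (3.0, "probe_req",  None,                "canary-7f3a91"),
    (3.1, "probe_resp", "de:ad:be:ef:00:01", "canary-7f3a91"),
    (4.0, "beacon",     "de:ad:be:ef:00:01", "Internet"),
]

def find_karma_aps(frames, canaries=frozenset(), max_ssids=2, window=1.0):
    """Return {bssid: [reasons]} for APs that answer for too many networks."""
    ssids = defaultdict(set)   # bssid -> SSIDs it has advertised or answered for
    echoed = defaultdict(set)  # bssid -> SSIDs answered right after a client probe
    last_req = {}              # ssid -> time of the most recent probe request
    for t, kind, bssid, ssid in sorted(frames, key=lambda f: f[0]):
        if kind == "probe_req":
            last_req[ssid] = t
            continue
        ssids[bssid].add(ssid)
        # A response that closely follows a probe for the same SSID is an "echo".
        if kind == "probe_resp" and t - last_req.get(ssid, float("-inf")) <= window:
            echoed[bssid].add(ssid)
    findings = {}
    for bssid, seen in ssids.items():
        reasons = []
        hit = sorted(seen & canaries)
        if hit:
            # The sensor probes for a network that does not exist; any answer is rogue.
            reasons.append(f"answered canary SSID {hit[0]}")
        if len(seen) > max_ssids:
            reasons.append(f"{len(seen)} SSIDs on one BSSID")
        if len(echoed[bssid]) > max_ssids:
            reasons.append(f"echoed {len(echoed[bssid])} probed SSIDs")
        if reasons:
            findings[bssid] = reasons
    return findings

if __name__ == "__main__":
    for ap, why in find_karma_aps(FRAMES, canaries={"canary-7f3a91"}).items():
        print(ap, "->", "; ".join(why))
```

The canary check is the strongest of the three signals, since no legitimate access point should answer for a randomly generated network name.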

If you enjoyed this tutorial and want to learn more about computer security testing, check out my new book, “Basic Security Testing with Kali Linux 2”.


TrendMicro “Mythbusting Mac Security” Video

Great video by TrendMicro. A lot of users think because they have a Mac or Linux system that they are impervious to viruses. Macs and Linux machines are now as targeted as Windows based machines because of their increase in popularity. Security testing platforms like Backtrack include Linux and Mac shells that work just as well as their Windows counterparts.

And though the video mentions that only a small fraction of Mac users have a security program, I have seen where Linux based AV protection was actually WORSE than its Windows counterpart. When testing one of the Linux AVs, I was able to bypass it and gain a remote shell, where the Windows version of the same AV actually caught the malware and stopped it.

Smart surfing, script blocking and e-mail safety go a long way in protecting your system. Even if it is a Mac!  🙂

The Absurdity of Cloud Computing and Hosted Services

I’ve seen some crazy things in the IT world in the last 5 of my 20 years of experience in the field, but the push to move to cloud computing and hosted services has got to be the craziest thing I have seen so far. Please let me explain.

Times are bad right now, and companies are making hard decisions about their IT staffing and services. Somehow in the last 5 – 10 years or so, IT support seems to have gone from a mission critical status to being considered overhead. As other departments have had to do, significantly reduced IT departments are now supporting more devices, services and people with fewer staff.

As with other departments, older IT staff members have been “encouraged out the door” and replaced with fewer, less experienced staff. I have seen Unix server administrators put in charge of administrating Windows servers, even though they had no experience supporting them. Not sure of the executive thinking there – they are both servers, so they must be the same?

I have seen a high end Windows cluster server administrator who kept the executive and top engineering clusters of a major corporation running for years, be moved to be the sole support person for the corporate wide NAS servers. Though he had little to no experience with the NAS servers themselves, the storage group was dissolved beforehand and the one person remaining that he was replacing had already been placed in a new position, so there would be no training available. He was handed a user manual and told – “Good luck”.

I have seen a half empty building that was once full of corporate IT support staff. This was after several other buildings that were full of IT support staff were dissolved and consolidated into the one building. One part of the support staff that remained was told that their work week would be changing to a swing shift. They would be working 2nd shift for part of the week and 3rd shift for the remainder of the week. The supervisor had the audacity to tell these former 1st shift workers that the new schedule would be better for their families.

I was told once by a distraught IT Director that he was informed by the corporate executives that the acceptable level of IT staff to employees is now 1 to 300. With all of these employees using computers or mobile devices, what happens when more than one critical system goes down at the same time? What happens to the quality of support when IT staff is flooded with requests and “emergencies”?

These are just a few things that I have seen or heard in the last few years; trust me, there are many more. But what do these cutbacks and shifting of unqualified staff to critical positions have to do with cloud computing and hosted services?

Many companies are turning to online services to help cut costs and restore some level of IT support to their organizations. But what truly makes you think that these online services are not going through the same internal cutbacks and employee changes to cut costs of their own? How secure will your information really be with them? Your level of support?

If you can’t support your own IT, and who knows your business better than you, why would you think that external services can really do a better job? Don’t get me wrong, cloud computing and hosted services aren’t necessarily a bad thing. But making the decision solely for additional profit is not a wise move. Executive level decision makers really need to talk with (and listen to) their senior IT leadership to see if the move to hosted services would truly be a benefit or detriment to their company.