Mana Tutorial: The Intelligent Rogue Wi-Fi Router

“Mana”, by Dominic White (singe) & Ian de Villiers at Sensepost, is an amazing full-featured evil access point that does, well, just about everything. Just install and run it and you will, in essence, receive Wi-Fi credentials or “Mana” from heaven!

Here is a link to the creator’s Defcon 22 presentation:

Not sure where to start with this one. Like other rogue Wi-Fi AP programs, Mana creates a rogue AP device, but Mana does so much more.

It listens for computers and mobile devices probing for their preferred Wi-Fi networks, and then it can impersonate those networks.

Once someone connects to the rogue device, it automatically runs SSLstrip to downgrade secure communications to regular HTTP requests, can bypass/redirect HSTS, allows you to perform MitM attacks, cracks Wi-Fi passwords, grabs cookies and lets you impersonate sessions with Firelamb.

But that is not all; it can also impersonate a captive portal and simulate internet access in places where there is no access.

Mana is very effective and, well, pretty scary!

Before we get started, for best success use Kali Linux v.1.08.

And as always, this article is for educational purposes only; never try to intercept someone else’s wireless communications. Doing so is illegal in most places and you could end up in jail.

Mana Tutorial

** UPDATE ** – 10/21 – You can now install Mana in Kali by simply typing “apt-get install mana-toolkit”!

1. Download and unzip Mana from https://github.com/sensepost/mana.
2. Run the install script kali-install.sh.

Mana will then install libraries and other dependencies to work properly.

Once completed, the installer places the Mana program in the /usr/share/mana-toolkit directory, config files in /etc/mana-toolkit, and log files and captured creds in /var/lib/mana-toolkit.

3. Open the main config file /etc/mana-toolkit/hostapd-karma.conf

Here you can set several of the options, including the router SSID, which by default is “Internet”. Something like “Public Wi-Fi” may be more interesting. The other main setting here is “karma_loud”, which sets whether Mana impersonates all APs that it detects or not.

Lastly, all we need to do is run one of Mana’s program scripts located in /usr/share/mana-toolkit/run-mana. The scripts are:

  • start-nat-simple.sh
  • start-noupstream.sh
  • start-nat-full.sh
  • start-noupstream-eap.sh

[Screenshot: Mana Scripts]

For this tutorial let’s just run Mana’s main “full” attack script.

4. Attach your USB Wi-Fi card (TL-WN722N works great).
5. Type “iwconfig” to be sure Kali sees it.

iwconfig

6. Type “./start-nat-full.sh” to start Mana.

Mana then starts the evil AP, SSLstrip and all the other needed tools and begins listening for traffic:

[Screenshot: Mana running]

Once someone connects, Mana will display and store any creds and cookies detected as the victim surfs the web.

7. When done, press “Enter” to stop Mana.

To check what you have captured, run firelamb-view.sh to view the captured cookie sessions:

[Screenshot: Mana firelamb]

This asks which session you want to try from the captured cookie sessions. It then tries to open the session in Firefox. If the user is still logged in you could take over their session.

You can also review the log files manually in /var/lib/mana-toolkit.

Mana works equally well against laptops and mobile devices. And the inherent trust of “preferred Wi-Fi networks” that most systems use makes this tool very effective at intercepting and impersonating wireless routers.
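A KARMA-style access point answers for whatever network a client asks for, so a single radio (BSSID) ends up being seen under many unrelated SSIDs. The following detection sketch is an added example, not part of the original article or of Mana; the observation records, the threshold and the KNOWN_APS inventory are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of (bssid, ssid, frame_type) records, as a passive
# wireless monitor might log them. All addresses and names are made up.
SAMPLE_OBSERVATIONS = [
    ("02:00:00:aa:bb:01", "CorpNet", "beacon"),
    ("02:00:00:aa:bb:01", "CorpNet", "probe_resp"),
    ("02:00:00:aa:bb:02", "CorpGuest", "beacon"),
    ("02:00:00:cc:dd:09", "Internet", "beacon"),
    ("02:00:00:cc:dd:09", "HomeWifi-5G", "probe_resp"),
    ("02:00:00:cc:dd:09", "CoffeeShop", "probe_resp"),
    ("02:00:00:cc:dd:09", "Airport_Free", "probe_resp"),
    ("02:00:00:cc:dd:09", "CorpNet", "probe_resp"),
]

# Hypothetical inventory of the site's own access points: SSID -> known BSSIDs.
KNOWN_APS = {"CorpNet": {"02:00:00:aa:bb:01"}, "CorpGuest": {"02:00:00:aa:bb:02"}}


def multi_ssid_radios(observations, threshold=3):
    """Map each BSSID seen answering as >= threshold distinct SSIDs to them."""
    seen = defaultdict(set)
    for bssid, ssid, _frame in observations:
        if ssid:  # skip hidden/wildcard entries with an empty SSID
            seen[bssid.lower()].add(ssid)
    return {b: sorted(s) for b, s in seen.items() if len(s) >= threshold}


def unknown_radios_for_known_ssids(observations, known_aps):
    """Return sorted (ssid, bssid) pairs where our SSID comes from a foreign BSSID."""
    hits = set()
    for bssid, ssid, _frame in observations:
        expected = known_aps.get(ssid)
        if expected is not None and bssid.lower() not in expected:
            hits.add((ssid, bssid.lower()))
    return sorted(hits)


if __name__ == "__main__":
    for bssid, ssids in multi_ssid_radios(SAMPLE_OBSERVATIONS).items():
        print(f"ALERT {bssid} answers as {len(ssids)} SSIDs: {', '.join(ssids)}")
    for ssid, bssid in unknown_radios_for_known_ssids(SAMPLE_OBSERVATIONS, KNOWN_APS):
        print(f"ALERT {ssid!r} offered by unlisted radio {bssid}")
```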

To defend against this type of attack, turn off your Wi-Fi when not in use. Be very careful about using free or public Wi-Fi networks. Also, it would be best to perform any secure transactions over a wired LAN instead of using Wi-Fi!

If you enjoyed this tutorial and want to learn more about computer security testing, check out my new book, “Basic Security Testing with Kali Linux 2”.
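On a Linux laptop, the “preferred networks” that this attack relies on are the saved connection profiles. This audit is an added example, not part of the original article; it parses NetworkManager keyfiles and flags saved networks that are both open and set to auto-join. The sample profiles are constructed, and the function names are hypothetical.

```python
import configparser

WIFI_SECTIONS = ("wifi", "802-11-wireless")  # current and legacy section names
SEC_SECTIONS = ("wifi-security", "802-11-wireless-security")

# Constructed NetworkManager keyfiles, in the format used for saved connections
# under /etc/NetworkManager/system-connections/. All names and keys are made up.
SAMPLE_PROFILES = {
    "CoffeeShop": "[connection]\nid=CoffeeShop\ntype=wifi\n\n[wifi]\nssid=CoffeeShop\n",
    "HotelGuest": "[connection]\nid=HotelGuest\ntype=wifi\nautoconnect=false\n\n"
                  "[wifi]\nssid=HotelGuest\n",
    "HomeWifi": "[connection]\nid=HomeWifi\ntype=wifi\n\n[wifi]\nssid=HomeWifi\n\n"
                "[wifi-security]\nkey-mgmt=wpa-psk\npsk=example%only\n",
    "OldOpen": "[connection]\nid=OldOpen\ntype=802-11-wireless\n\n"
               "[802-11-wireless]\nssid=OldOpen\n",
    "Wired": "[connection]\nid=Wired\ntype=ethernet\n\n[ethernet]\n",
}


def audit_profile(text):
    """Return (ssid, finding) for a Wi-Fi keyfile, or None for other types."""
    # interpolation=None: a '%' in a stored passphrase must not break parsing
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    wifi = next((cp[s] for s in WIFI_SECTIONS if cp.has_section(s)), None)
    if wifi is None:
        return None
    ssid = wifi.get("ssid", "?")
    conn = cp["connection"] if cp.has_section("connection") else {}
    # autoconnect defaults to true when the key is absent
    autoconnect = conn.get("autoconnect", "true").lower() != "false"
    secured = any(cp.has_section(s) for s in SEC_SECTIONS)
    if not secured:
        return ssid, "open+autoconnect" if autoconnect else "open, manual"
    return ssid, "secured"


def risky_profiles(profiles):
    """Return sorted SSIDs the machine will auto-join with no authentication."""
    results = (audit_profile(text) for text in profiles.values())
    return sorted(r[0] for r in results if r and r[1] == "open+autoconnect")


if __name__ == "__main__":
    for ssid in risky_profiles(SAMPLE_PROFILES):
        print(f"{ssid}: open network with autoconnect; delete it or disable autoconnect")
```

A flagged profile can be removed, or kept for manual use with `nmcli connection modify <name> connection.autoconnect no`.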


Small Disposable Devices that Own Wi-Fi Networks with Help from DARPA

If you haven’t seen Brendan O’Connor’s security conference presentations on “Reticle and F-BOMB”, you should really take the time to check them out. It is a fascinating project on using low-cost computer boards to create a disposable, botnet-like, distributable Wi-Fi spying system.

Once deployed, the sub-$50 devices can crack and use the target’s wireless network to communicate back to the attacker using encrypted channels. As explained, the F-BOMB, or “Falling or Ballistically-launched Object that Makes Backdoors”, can be deployed by being thrown into the target’s complex, hidden inside other objects, or even delivered via quad rotor drone.

But what would an F-BOMB be without brains? And this is where Reticle comes in.

Reticle is the software brain behind the cheap hardware brawn. Basically it is “Leaderless Command and Control” software that combines several open source products that in essence create an intelligent, fault tolerant and fully encrypted remote spying platform.

And get this: the software part of the project was created with funding from DARPA, the government’s advanced DoD research organization. Reticle was created under DARPA’s Cyber Fast Track program, a program that helps get ideas to functional tech with greatly reduced paperwork and overhead.

Here is Brendan’s Bsides Las Vegas 2012 talk, provided on YouTube by Adrian Crenshaw (aka IronGeek):

(NSFW intro comment)


Later this month at Black Hat USA 2013 Brendan will talk about his latest creation of this technology called CreepyDOL.

According to the presentation overview:

“CreepyDOL is a distributed sensing and data mining system combining very-low-cost sensors, open-source software, and a focus on user experience to provide personnel identification, tracking, and analysis without sending any data to the targets. In other words, it takes you from hand-crafted, artisan skeeviness to big-box commodity creepiness, and enables government-level total awareness for about $500 of off-the-shelf hardware.”

Sounds cool, in a really creepy way!

So, check out Brendan’s Bsides video from last year, and if you are at Black Hat this month, be sure to stop in and check out his presentation!

Hacking Wi-Fi Networks with Fern, Kali and a Raspberry Pi

[Screenshot: Fern Wifi Cracker 1]

Wouldn’t it be cool to be able to test wireless network security using your Raspberry Pi? Well, thanks to Kali Linux, you can! With Kali you can scan for Wi-Fi networks and even perform active penetration testing using your $35 Raspberry Pi.

I just finished up another article for Hakin9 Magazine. In the article I covered using a Raspberry Pi to crack Wi-Fi security from install to basic pentesting.

With Kali you can use all the normal command line airmon-ng tools that you can use on a regular Linux machine. Fern is nice because it adds a graphical interface to the airmon-ng tools making things so much easier.

Let’s take a quick look at Fern:

(NOTE: As always, these techniques are for IT teams and computer security testers, never attack or attempt to access a network that you do not own or have permission to access.)

From the main menu (see picture above), just select your wireless card, then scan for access points. As they are found, Fern lists them under the WEP or WPA button.

[Screenshot: Fern Wifi Cracker Detected]

Clicking the associated button will display a list of the access points found. Then just select the one you want to test. You now have two attack options: the Reaver Wi-Fi Protected Setup (WPS) attack or a normal Association Key dictionary brute-force attack:

[Screenshot: Fern Wifi Cracker Detected 2]

Fern works very well and is actually pretty responsive when run on a Raspberry Pi.

With the Pi being so small and cheap, this opens up some interesting options for professional penetration testers, especially when paired with a USB Wi-Fi adapter and a battery pack.

For a lot more information on computer security, including bypassing the most common Wi-Fi security techniques, check out my new step-by-step tutorial book, “Basic Security Testing with Kali Linux”.