ESP8266 and WIiFi PenTest

 

Petter Anderson Lopes[1]

Abstract: Mobile devices have become more and more powerful, these devices and their apps have become foundational tools. To improve productivity, these devices are begin integrated into the daily business process and operations of organizations. However, now organizations need establish security and compliance policies to support mobility and growing use of BYOD (Bring Your Own Device). The movement BYOD, is a trend that is gaining strength in the corporate environment. BYOD is a program that allows employees to use their personal devices to carry out their professional activities. With so much diversity in technology, it’s difficult to control what employees have access to, or applications that are installed on their devices. So, when the wireless network is being used, the risk is bigger. To benefit its customers, business establishments, department stores, like as coffee bar, shopping centers, share wireless network. This article aims to demonstrate different views on sniffing techniques in wireless networks. With the growing need to keep people connected, Wireless networks become the escape valve to address this demand. However, how exactly do these networks work? Issues related to the professional activities of digital analysis with the use of network sniffers, which are programs that have the function of capturing the packets that travel in the network, however it is evident the difficulty of staying safe in such an environment. Detect security flaws, allow for intrusions and data evasion, to simply and directly analyze information that travels on the network at any given time. Get sensitive data from users in a mixed environment, where everyone is connected to different devices, but using Wireless technology. How ARP table poisoning works and how to use it to collect sensitive information.

Keywords: Wireless. Sniff. Security. Attack. ARP.

1 INTRODUCTION

 

Wireless networks are already part of the majority of existing internet networks in the world, its ease of implementation as well as availability of signal of easy access, have made Wireless networks very popular.

Currently, due to the need to maintain a hybrid environment of wireless and wired connection, as well as make available to the students of the institution, it is necessary to evaluate the security of this structure. Wireless networks where everyone can access freely are exposed to various security issues, such as letting users show user data in case any malicious users use any sniffer program.

This article deals with the topic of vulnerability analysis in wireless networks, a subject that deals with questions related to the professional activities of digital analysis with the use of network sniffers, which are programs that have the function of capturing the packets that travel in the same domain of Collision where this tool is installed, used directly or indirectly to detect failures in information security, evaluating the methods of invasion and evasion of information that are related to this subject.

 

To test the concepts, the technique called Man-In-The-Middle was used with the aid of the ARP Poisoning technique for traffic interception in order to obtain a larger number of data while the sniffer is executed.

2 FRAMEWORK

2.1 Wireless Network

Wireless is the set of wireless technologies that can connect everything from office computers to household appliances. According to Tanenbaum (2003), wireless digital communication is not a new idea, since Guglielmo Marconi, in 1901, demonstrated wireless traffic from a telegraph transmitting information from a ship to the coast using Morse code, demonstrating the Idea of ​​the operation of wireless networks.

In a local area Network your job is important for portable computers to establish communication. Wireless networks become a viable alternative, making it difficult or even impossible to install fiber optic or metallic cables. According to Soares (1995).

On the other hand, for Pinheiro (2003), to meet the communication demand where the wired infrastructure can’t be applied wireless networks are solutions normally applied, because it is feasible due to the fact of having the same efficiency. However, one should evaluate the cost/benefit ratio so that it is always smaller than the unit, in order to make the enterprise feasible. However, for Cardoso (2005), cost reductions, customer satisfaction and work optimizations show how wireless technology becomes relevant to organizations.

2.2 Sniffers

 

According to Basta and Brown (2015), more commonly known as packet sniffer, it is an application developed to capture, monitor and filter the data packets that travel in a network. A sniffer can be used for both network analysis to detect problems and anomalies and to exploit vulnerabilities in open protocol implementations where data can be viewed in plain text.

Sniffers are recommended programs that work using a computer network interface in promiscuous mode, the use of sniffers to analyze the data packets in Pentest because it is almost impossible to detect it, and can run on any computer independent of its operating system platform.

According to Nakamura (2007), sniffing is a widely used technique, since some network and security administration tools use the same software they consist of capturing the packets that travel on the network and verifying its contents. Unethical users to identify sensitive information and exploit flaws in their protection use the same software that created to verify network problems.

Basically, there are 3 types of sniffer, the embedded ones that come installed in the operating system such as Network Monitor (embedded in Windows) and TcpDump (embedded in Linux), commercial scanners that by definition must be purchased and have some personalized support and free sniffers like for example Wireshark that do not generate cost.

According to the authors Basta and Brown (2015), basically sniffers can work with all TCP / IP model network protocols [4], however to observe network traffic the sniffer uses the network interface card (NIC) Being responsible for receiving the traffic in the network segment in which it is. In this way, the traffic can only be read in the network segment in which the computer is connected, requiring, in turn, other techniques to obtain the communication of the other segments.

According to Basta and Brown (2015), a sniffer consists of 5 basic components, which are:

A) Hardware.

B) Capture drive.

C) Buffer.

D) Decoder.

E) Package analysis.

Hardware or NIC: is the network card itself that can be wired or Wireless.

Capture Driver: is the program responsible for capturing network traffic from the hardware, it filters the information and stores it in buffer.

Buffer: after capturing the data, the sniffer stores them in a buffer in memory. If the buffer becomes full then there may be a buffer overflow, however there is still a second way of storing the information, it is called a round-robin technique that generates a circular buffer where older data will be replaced by newer ones.

Decoder: responsible for transforming binary data into more readable information for humans.

Package analysis: this can be in real-time that is all the steps are executed until they arrive at the analysis and displayed at runtime to the user.

3 METHODOLOGY, PROCEDURES, TECHNIQUES AND TOOLS

 

Various techniques can be used to attack a Wireless Network, but to produce this material was used Deauthentication Attack and Evil Twin with ESP8266 wireless card. A software to explore vulnerabilities called zANTI from Zimperium, was installed on a Smartphone with rooted Android.

“zANTI is a mobile penetration testing toolkit that lets security managers assess the risk level of a network with the push of a button. This easy to use mobile toolkit enables IT Security Administrators to simulate an advanced attacker to identify the malicious techniques they use in the wild to compromise the corporate network”, Zimperium 2017.

3.1 Delimitation of population or object of study and/or sampling

The analysis took place in a real network, the study object was Corporative Network whit BYOD. This is a real case of Penetration Test however this paper was prepared only for educational purposes and all data have been changed to preserve the organization’s security.

4 RESULTS

4.1 Challenge

The owner of the organization requested a PenTest, however, the purpose is to explore only the wireless network. One of the prerequisites was to demonstrate how an attacker (who could be a client in training) could deploy some mechanism for industrial espionage where it could damage services, obtain credentials and other privileged information, only using the first temporary credential offered to Customers. Another requirement was to demonstrate how an employee with a smartphone can be a threat and gain insider information.

4.2 Penetration test execution

 

The pentest was initiated by the second requirement using the zANTI software, where the main purpose was to show how an employee or visitor using only a smartphone could obtain or change information over the WiFi network. An MITM was run using the ARP Spoofing technique.

C:\Users\Petter\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Screenshot_20170803-224227.png C:\Users\Petter\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Screenshot_20170803-224442.png C:\Users\Petter\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Screenshot_20170803-224505.png C:\Users\Petter\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Screenshot_20170803-224553.png C:\Users\Petter\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Screenshot_20170803-224616.png

Above, you can see the corresponding zANTI screens, and all information capture options. Simply connect to the WiFi network to access this information. Usually corporate networks do not have SSL certificates, so the calls to Intranet WEB Systems are HTTP and not HTTPS, so it is very easy to capture valid credentials.

After running the tests with this tool, simple present the logs to the contractor. In this tool the procedures are completely automated, and does not require deep knowledge, thus making the risk much greater, since any user with minimum knowledge can cause great damage.

ESP8266 was used to carry out the exploitation phase where espionage was proven. To produce this material was used Deauthentication Attack and Evil Twin with ESP8266 wireless card. Typically, devices are configured to automatically connect to known Wi-Fi networks, this can be considered a problem for Information Security.

C:\Users\Petter\AppData\Local\Microsoft\Windows\INetCache\Content.Word\esp8266-size.jpg

ESP8266 little size

Designed by Espressif Systems the ESP8266 is a low-cost SoC (System on Chip) Wi-Fi chip with full TCP/IP stack, the purpose is access to the Wi-Fi network. ESP8266 is capable of hosting an application or download all the WiFi network functions of another application processor.

C:\Users\Petter\AppData\Local\Microsoft\Windows\INetCache\Content.Word\esp8266-types.jpg

Others models

For an attack using a Fake AP, just make the device believe that it is connecting to a legitimate network. To perform this attack, we can use deauthentication, where all possible devices will be disconnected, so just start an open Fake AP, so that the devices automatically reconnect to this AP, if this happens successfully, just start capturing packets using the Wireshark.

The IEEE 802.11 (Wi-Fi) protocol contains a so-called authentication framework that is used as management frameworks to disconnect links between stations and access points. Based on the fact that management boards are generally not encrypted, it is fairly easy to perform authentication attacks using a WiFi device, forging the MAC address of the access point.

To perform deauthentication procedure, the framework esp8266-deauther was used, the entire installation and configuration procedure is detailed in the official link Https://github.com/danthegoodman1/esp8266-deauther. With this device it is also possible to develop a Jammer (signal blocker), in this way it is possible to compromise the availability of communication services.

This powerbank was used with ESP8266, with a voltage regulator.

C:\Users\Petter\AppData\Local\Microsoft\Windows\INetCache\Content.Word\powerbank.jpg

An Evil Twin is a fraudulent Wi-Fi access point that appears to be legitimate, set up to eavesdrop on wireless communications, and may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing. Usually a false access point is configured to receive the same SSID and BSSID as a nearby Wi-Fi network, so it is also configured to transmit Internet traffic to the legitimate access point while simultaneously monitoring the victim’s connection, or requests reauthentication to obtain the credentials of the victim.

5 FINAL CONSIDERATIONS

Currently, the connection setup proposals that Wireless provides occur at a speed greater than the security of those devices themselves can track. Likewise, companies are obliged to provide access to their employees and customers, either to make the work more practical, where each one can bring his own equipment to work or to facilitate the integration between several wireless equipment’s.

We can also observe that the techniques presented can be used in all types of wireless connection and because it is a communication protocol, the attack will be successful regardless of the operating system. It is not difficult to imagine the damage that can be caused, such as information leakage, services interruption.

Other issues not covered in this article, such as the IoT (Internet of Things), where mixed with BYOD, can cause great damage to both business and the citizen, imagine such an attack in a Hospital or even in a residence.

 

6 REFERENCES

BASTA, Alfred, BASTA, Nadine, BROWN, Mary. Segurança de Computadores e Testes de Invasão. Tradução: Lizandra Magnon de Almeida. Cengage Learning Edições LTDA, 2015.

CARDOSO, L. M. Implantação da Tecnologia sem fio integrada à Filosofia de Trabalho JIT: um estudo de caso. In: CONGRESSO DE INICIAÇÃO E PRODUÇÃO CIENTÍFICA, 8., 2005. Anais eletrônicos… São Paulo, São Bernardo do Campo: METODISTA, 2005.

ESP8266 Deauther. Available at: < https://github.com/spacehuhn/esp8266_deauther >. Accessed: August, 04, 2017.

NAKAMURA, E. T., & GEUS, P. L. Segurança de Redes em Ambientes Cooperativos. SÃO PAULO: NOVATEC, 2007.

PINHEIRO, J. M. S. Guia Completo de Cabeamento de Redes. Rio de Janeiro: Campus, 2003.

SOARES, F. G.; LEMOS, G.; COLCHER, S. Redes de Computadores: das LANs, MANs e WANs às redes ATM. 2. ed. Rio de Janeiro: Elsevier, 1995.

TANENBAUM, A. S. Redes de Computadores. 4. ed. Rio de Janeiro: Campus, 2003.

Zanti Mobile Penetration Testing. Available at: < https://www.zimperium.com/zanti-mobile-penetration-testing >. Accessed: August, 04, 2017.