Thursday, June 26, 2014

Evil Twin [GSM Style]

Now I have an Evil twin... lol not exactly what you think about me having another like me only evil hell no, in a security sense/point of view.... an evil twin from wikipedia [full article]

Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications.[1]
An evil twin is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider.
This type of evil twin attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.[2]

works as above , now i actually saw a demo of this at AfricaHackOn (first information security conference in Africa) on the 28th of february 2014, where a hacker named Casper and D3crapt did the demo on stage to fake wi-fi connections and did a a major MITM attack on unsuspecting people, now with this knowledge, i found it quite interesting and i wanted to take this a notch further, and you know what :) .... I succeeded, now what i wanted to do, was simply achieve the same attack but not on a small scale factor as WIFI no... a bigger scale say GSM(SMS/VOICE/DATA/Mobile-Payment platform) [the whole 9 yards]

Did I make it? now i know thats the main question but lets look at MITM (Man In The Middle attack)

The man-in-the-middle attack (often abbreviated MITMMitMMIMMiMMITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle).[citation needed]

Now with this given info we know what attack we are carrying out as Evil Twin really relies on MITM and most of all we do want data right? and all variables check out right?

lets see:

  • GSM: relies heavily on the same concept as wi-fi no actually wi-fi relies heavily on the same structure GSM was/is created on so if it works for wi-fi ...might work for GSM.
  • GSM: (for a successful MITM [A man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other — it is an attack on mutual authentication (or lack thereof).]
  • Evil Twin (create a fake Broadcast channel/transmission unit)
  • MITM capture sessions, Data and even encryption methods
Now.... what works ... well long story short, everything alas.... 
Now Materials, 
Hardware .... in the case of Wi-Fi, Routers(broadcast station) in case of GSM ,SDR (software defined radios)
Now heres a tricky bit which i will throw in tonnes of comparison, now for SDRs we have

  • USRP---> Expensive (i kid you not) around 2500USD for a full good set ... after that it has enough documentation to set up, run, configure, tweak, create applications (so easy after purchasing it)has been ported to nearly every single platform out there (mac,linux and windows)
  • RTL/SDR---> Enters the familiar and easy to configure , cheap affordable RTL this is a DVB/TV usb tuner that will act as an SDR owww trust me its powerful and cheap at 20 USD or less, has a lot of documentation and has been ported to nearly every single platform out there (mac,linux and windows)
  • OsmocomBB---> This are specific devices used to run special firmwares that will do wild things on GSM frequency and when i say wild owwww i mean wild from acting as phones (calypso based (Motorola c113,115,139,123) this  phones are ultra cheap) with costs of 20 or less dollars) but the real price to pay is probably the part where you pay for the following.... nearly primitive code (oww its good code but oww you will pay for having a whole read up of how raw GSM works like ave been here for 14 or so months and ave not fully mastered the whole thing yet) , No documentation (ok there is but its new so expect a lot of few faults) in short not the best thing to start of as a noob (sadly[as this is what we will use])
  • Now there are other options (sadly i wont recommend them as yet as i am to get my hands on them [talking bout BladeRF HackRF and others])
ok so we have hardware and we have softwares which ave also listed with their hardwares,

what we need to do... i guess now its basically setup > run or what else?

ok we can learn but am already on my second full page scroll and we aint done nothing yet.... setup is easy if you ask me (ok it wasn't when i started but talk to me and i can give you a script to do all that :) alright) moving on....

After the setup, what do we expect :) ...

HAVOC.... ok ok am on sugar... lets relax...

Setup a Fake (evil twin capable of) Intercepting Mobile (Modem [GSM]) /Traffic hence: 

  • Location Disclosure (find victims vicinity)
  • SMS (uplink) capture (downlink can be done with RTL-SDR
  • VOICE (uplink) (same as above)
  • DATA (uplink and downlink)
  • Mobile-Payment Platform infiltration (yes its possible to hack both agent and client
  • Umm yes this is the best i think so far but i wont disclose further details (update sim-card details owww not simple things like contacts only even trivial things like the sim-card apps on it)
  • lastly falsify information (spoof) information to our captured assailants :)
So what did we just do there :) everything....

POC? you want it.... find me, buy me a big KFC lunch and i will sort you out, yes knowledge should be paid for with food and maybe an occasional bank account top-up like a donation but hey am #iOut.



No comments:

Post a Comment

Dynamic Binary Instrumentation (pt2)

Quick how to: After install of Frida on your machine, you will need to install your server agent on your (use case is phone) iphone/andro...