Exploiting University Students Using Rogue Access Points

by Anonymous

A rogue access point is a wireless access point that has been installed on a network without permission.

It could just be an access point that was set up by a student or faculty member to provide wireless access in an area where none existed.  Or, it could have a malicious objective like a man-in-the-middle attack where sensitive information could be stolen.  Several years ago, my university installed 802.11 wireless access points throughout campus.

Unfortunately, the wireless is set up in a way that allows rogue access points to be brought onto the network easily.  This paper explains how rogue access points can be used in the university environment to exploit student and faculty workstations and gather sensitive data.  First, I will examine the vulnerability.  Second, I will describe the different attack vectors through which one could exploit the vulnerability.  Lastly, I will describe ways to collect sensitive data and how one could use the captured data.

As I mentioned, the university installed 802.11 APs around the campus.  All of the access points communicate with the end devices using the same, unsecured SSID.  By unsecured, I mean the access point is not secured with static WEP or WPA keys, or with an enterprise authentication solution.  In a corporate environment, you will find secured access points because the corporation is trying to keep unauthorized persons out of its network.  In a university setting, however, the goal is usability, so that students and faculty can get on the wireless without trouble.  To allow that usability, the university moved authentication from the wireless protocol itself to a web-based splash page asking for credentials.

When a user connects to the wireless, their web browser is automatically redirected to an SSL-secured splash page where they are required to log in to get access to the network.  There is no client-side software for this login; it is based on the machine's MAC and IP addresses.  Once logged in, they have access to the network and the Internet.

My university also sells laptop computers that come customized with common settings and shortcuts that a student would find useful.  One of these settings is the addition of the university's wireless network.  This gives any student who buys one of these laptops easy access to the university's wireless network without having to set up anything.  It also means that every laptop purchased from the student stores will automatically be looking for, and trying to connect to, an unsecured access point.

The laptops purchased at the student stores are not the only computers automatically looking for and trying to connect to the university's unsecured access point.  Any laptop that has ever connected to the wireless will now have that wireless connection in its wireless profile.  If the user is running Windows and is using Wireless Zero Configuration (WZC), then every wireless network ever connected to will be in the preferred networks list.  The higher the connection is on the list, the higher its priority.

For example, if the user connected to the university's wireless in 2008, and in 2009 connected to their new wireless router at home, then the laptop will connect to the university's SSID even if it sees their new wireless router as available.  Since a lot of university students live in dorms their first year, the probability of having the university's SSID near the top of their preferred networks list is high.
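The preferred-networks behaviour described above can be audited on a Windows client.  The following is an added example, not code from the original article: it parses the text of `netsh wlan show profiles` (which lists saved profiles in priority order) and `netsh wlan show profile name="..."` (which reports each profile's authentication type and connection mode), and reports every open network that is set to connect automatically, together with its priority rank.  The profile names and the sample output are constructed to resemble netsh's format and are not real captures; field names such as `Authentication` and `Connection mode` are assumed from that format.

```python
"""Audit saved Wi-Fi profiles for open networks that auto-connect.

Input is the text of `netsh wlan show profiles` (priority order) plus
`netsh wlan show profile name="<name>"` for each profile.  Both samples
below are CONSTRUCTED to resemble that output; they are not captures.
"""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for `netsh wlan show profiles` (highest priority first).
PROFILE_LIST = """\
Profiles on interface Wi-Fi:

User profiles
-------------
    All User Profile     : CampusWireless
    All User Profile     : HomeRouter
    All User Profile     : CoffeeShop
"""

# Constructed stand-in for the concatenated per-profile dumps, trimmed to the
# lines the audit needs.
PROFILE_DETAILS = """\
Profile CampusWireless on interface Wi-Fi:
    Control options        :
        Connection mode    : Connect automatically
    Authentication         : Open
    Cipher                 : None

Profile HomeRouter on interface Wi-Fi:
    Control options        :
        Connection mode    : Connect automatically
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Profile CoffeeShop on interface Wi-Fi:
    Control options        :
        Connection mode    : Connect manually
    Authentication         : Open
    Cipher                 : None
"""

# Indented "Key name : value" lines; the key is letters and spaces only.
KV_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
HEAD_RE = re.compile(r"^Profile (.+?) on interface ")


def parse_priority(listing: str) -> List[str]:
    """Profile names in the order Windows tries them (first = highest)."""
    names = []
    for line in listing.splitlines():
        m = KV_RE.match(line)
        if m and m.group(1).endswith("User Profile"):
            names.append(m.group(2).strip())
    return names


def parse_details(dump: str) -> Dict[str, Dict[str, str]]:
    """Map profile name -> {field: value}; lines with no value are skipped."""
    profiles: Dict[str, Dict[str, str]] = {}
    current = None
    for line in dump.splitlines():
        head = HEAD_RE.match(line)
        if head:
            current = head.group(1)
            profiles[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None and m.group(2):
            profiles[current][m.group(1).strip()] = m.group(2).strip()
    return profiles


def find_auto_open(listing: str, dump: str) -> List[Tuple[int, str]]:
    """(priority_rank, name) for open profiles set to connect automatically.

    A rogue AP beaconing one of these SSIDs wins the client with no user
    interaction; rank 1 is the profile Windows tries before all others.
    """
    details = parse_details(dump)
    hits = []
    for rank, name in enumerate(parse_priority(listing), start=1):
        fields = details.get(name, {})
        auth = fields.get("Authentication", "").lower()
        mode = fields.get("Connection mode", "").lower()
        if auth == "open" and mode.startswith("connect automatically"):
            hits.append((rank, name))
    return hits


if __name__ == "__main__":
    for rank, name in find_auto_open(PROFILE_LIST, PROFILE_DETAILS):
        print(f"#{rank} {name}: open network set to auto-connect; "
              "remove it or switch it to manual connection")
```

On a real machine the two strings would be replaced by the captured command output; the fix for each hit is to delete the profile or set it to connect manually, so the laptop stops joining any AP that merely repeats the SSID.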

If you merge the ideas from the previous three paragraphs, then you end up with the vulnerability.

First, the APs are not secured.  This means that a miscreant can create a rogue access point and everyone will automatically connect to it as though it were owned by the university.  Second, all student laptops (and specifically those bought at the student store) will be actively looking for the university's wireless connection.  Helping the miscreant even further, the laptops bought from the student store list the university's wireless connection as the preferred connection.  This means that they will connect to the university's wireless network even when they are not at the university.  To gather information using a rogue access point, the miscreant has to figure out where students are when not at school.  A good place to start would be their residence.

The first attack vector is apartment complexes.  There are tons of apartment complexes around my university, housing thousands of people.  The majority of the people living in these apartments are students at the university.  A good majority of university students have laptops with the university's SSID saved as a wireless profile.  If someone sets up a rogue AP, then anyone in proximity will automatically connect to it.

The number of users who will connect to the rogue AP is based on how high the university's wireless profile is in the preferred network connections list.  The longer one leaves the rogue AP on, the more users that will connect to it.  More users will also connect to it when their computer is restarted and looks for available wireless connections.

Again, if the university's SSID is high in the preferred connections list, then it will connect to it if it sees it available.  I will call this the most effective method because the miscreant will not be seen, and will never have to hide any of their equipment.  This is also the setup where one could have the most equipment.  Imagine three or four rogue APs each with high gain antennas positioned to pick up the most users.

The second attack vector is dormitories.  My university did not extend the wireless throughout the dormitories, but instead installed APs only in the lobbies and study areas (basements).  This means that above the basement, once the signal bleeds off, there are hundreds of laptops looking for the university's SSID.  If a miscreant sets up a rogue AP, one could easily grab a bunch of users instantly.  In reality, one could just put the rogue AP in a car and mount the antennas on the roof.  This would not provide the depth of coverage of the first method, but would be much easier to implement.

The third attack vector is on the campus.  If the miscreant is brave, and believes that the data he/she wants to collect is on the physical campus, then he/she could set up a rogue AP in the ceiling using a laptop by itself, or the combination of a laptop and an external AP.  The issue of long-term power is easily solved.  All of these new "smart classrooms" have electrical outlets for the projectors above the ceiling tiles.  Not only will the AP run forever, but it is hidden from view.  The downside to this is that if the university is running any kind of rogue AP detection, and actively monitors it, the rogue will be found.  However, the value of the data one could potentially gather might outweigh the risk.  The primary reason for running a rogue at the university is to capture faculty data.

Along the same lines as putting a laptop in the ceiling, one could put it in a book bag wired to an Uninterruptible Power Supply (UPS).  This would only last for a couple of hours (depending on how much weight in batteries one wants to deal with), but it is mobile and has little chance of someone ever finding it.  Here is a scenario.  Pretend you're a student and go into a large lecture hall.  If you find a hall where they teach an IT subject, then the majority of the students will bring their laptops.  Power up your book bag, and hope that they connect to you.  If you get to class before they do and get your book bag powered up, then there will be a high probability they will connect to you, because your device will have the best signal strength.
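The rogue AP detection mentioned for the on-campus vector, and the signal-strength point just made, can both be illustrated with a simple check run from a scanning host.  The following is an added example, not code from the original article: it parses `iw dev <iface> scan` output (the Linux `iw` tool; the field names `SSID:`, `signal:`, `freq:` and `DS Parameter set:` are assumed from its format), keeps every BSS that beacons the campus SSID, and reports those whose BSSID is absent from an inventory of the APs actually deployed, strongest signal first, since that is the one clients are most likely to join.  The SSID, the inventory and the scan text are all constructed sample data.

```python
"""Flag rogue access points advertising the campus SSID.

Parses `iw dev <iface> scan` output and compares every BSS that beacons the
organisation's SSID against an inventory of the BSSIDs actually deployed.
The scan text and the inventory below are CONSTRUCTED samples.
"""
import re
from typing import Dict, List

CAMPUS_SSID = "CampusWireless"

# Constructed inventory of deployed AP BSSIDs (would come from the controller).
AUTHORISED_BSSIDS = {"00:1a:1e:10:20:30", "00:1a:1e:10:20:31"}

# Constructed stand-in for `iw dev wlan0 scan` (real output indents with tabs).
SCAN_OUTPUT = """\
BSS 00:1a:1e:10:20:30(on wlan0)
    freq: 2437
    signal: -52.00 dBm
    SSID: CampusWireless
    DS Parameter set: channel 6
BSS 00:1a:1e:10:20:31(on wlan0)
    freq: 2462
    signal: -61.00 dBm
    SSID: CampusWireless
    DS Parameter set: channel 11
BSS c4:3d:c7:aa:bb:cc(on wlan0)
    freq: 2412
    signal: -38.00 dBm
    SSID: CampusWireless
    DS Parameter set: channel 1
BSS 00:1a:1e:55:66:77(on wlan0)
    freq: 2437
    signal: -80.00 dBm
    SSID: CampusWireless
    DS Parameter set: channel 6
BSS 00:1a:1e:10:20:32(on wlan0)
    freq: 2412
    signal: -70.00 dBm
    SSID: OtherNet
    DS Parameter set: channel 1
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.IGNORECASE)
FIELD_RE = re.compile(r"^\s+(SSID|signal|freq|DS Parameter set):\s*(.*)$")


def parse_iw_scan(text: str) -> List[Dict]:
    """One dict per BSS with bssid, ssid, signal_dbm, freq_mhz and channel."""
    networks: List[Dict] = []
    cur = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": ""}
            networks.append(cur)
            continue
        f = FIELD_RE.match(line) if cur is not None else None
        if not f:
            continue
        key, val = f.group(1), f.group(2).strip()
        if key == "SSID":
            cur["ssid"] = val
        elif key == "signal":
            cur["signal_dbm"] = float(val.split()[0])
        elif key == "freq":
            cur["freq_mhz"] = int(val)
        elif key == "DS Parameter set":
            cur["channel"] = int(val.split()[-1])
    return networks


def find_rogues(networks, ssid=CAMPUS_SSID, authorised=AUTHORISED_BSSIDS) -> List[Dict]:
    """BSSes beaconing `ssid` with a BSSID outside the inventory, strongest first.

    A BSSID whose vendor OUI matches none of the deployed APs is called out as
    a stronger indicator.  A BSSID can be spoofed, so the inventory check is a
    trigger for a physical look, not proof either way.
    """
    known_ouis = {b[:8] for b in authorised}
    findings = []
    for n in networks:
        if n["ssid"] != ssid or n["bssid"] in authorised:
            continue
        reason = "BSSID not in AP inventory"
        if n["bssid"][:8] not in known_ouis:
            reason += "; vendor OUI differs from deployed APs"
        findings.append({"bssid": n["bssid"], "channel": n.get("channel"),
                         "signal_dbm": n.get("signal_dbm", -100.0),
                         "reason": reason})
    return sorted(findings, key=lambda f: -f["signal_dbm"])


if __name__ == "__main__":
    for f in find_rogues(parse_iw_scan(SCAN_OUTPUT)):
        print(f"ch {f['channel']:>2} {f['signal_dbm']:>6} dBm {f['bssid']}  {f['reason']}")
```

Run periodically from a few fixed vantage points (dorm floors, lecture halls), the same check gives a crude location: the scanner that sees the unknown BSSID at the strongest signal is closest to it.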

After a miscreant has set up the rogue access point, they can start collecting data.  First, one would start by simply sniffing the traffic to determine which websites are being visited the most.  From there, a local web and DNS server running on the laptop could be set up to serve phishing pages matching those sites.  The reason for the phishing pages is that most credentials, at least ones that have any real value, will be sent across SSL.  Creating a phishing site will guarantee the credentials, but may arouse suspicion if one doesn't pass the users to a believable error page or if they never reach the real website.  To get around this problem, a cron job could be used.

Cron is a job scheduler for UNIX/Linux operating systems.  One could create a job that rotates the DNS entry between the IP of the phishing site and that of the real website.  In terms of believable error pages, Facebook has a habit of going into maintenance mode and only telling users it is in this mode once they try to log in.  A phishing Facebook page that throws the user to a fake maintenance message would be highly effective.

Another option is to phish the university's initial wireless splash page that requires login.  The credentials for the wireless are also what the student uses to access their email and other university websites.  The first obstacle for the miscreant is getting onto the wireless network so that he/she can serve Internet access and not arouse suspicion.  I mentioned before that wireless access is based on the laptop's IP and MAC address.  Simply sniffing the wireless will yield someone who is connected and possibly authenticated to the wireless.  Then, by cloning their IP and MAC address, one is now logged into the wireless as someone else.

Now that the miscreant has phished some credentials, there are several things one can do with them.  If he/she captured the credentials for the wireless splash screen, one now has access to the student's e-mail.  Their e-mail address is the gateway to getting passwords to numerous other sites.  For example, Facebook has a "Forgot your password?" page that will send an email to reset your password.  There is a good chance this email will go to the student's university email address.  For any captured credentials, there is a chance that the user uses the same password for other sites.  For example, if one captures their Facebook password, then one might also have their MySpace password.  The issue would now be guessing their username.

That's all.  I have no insightful conclusion.

Go have fun!

Shouts to all who have supplied me with the resources to learn.
