On this post we are going to show you why you need to be careful when connecting to an open WiFi. These days, it’s quiet normal to be in an airport, coffee shop, etc., and find an open WiFi around. Who won’t connect? Exactly! However, as we are going to show you in this tutorial, a hacker could be the creator of that network and once you connect to it, you will be connected to a hacker’s network! As we show you in previous posts, you can easily find vulnerabilities in hosts of your local network using Cain & Abel and Kali Linux.
Want to know how they do this? Keep reading!
1. Setting up an open WiFi
For this experiment, we used our Asus-RT-N12E in repeater mode:
Then, we connect it to our AP:
We set the SSID as FREE_WIFI and we leave it open by not filling the password field:
Once it’s all set up, we connect one of our phones, as a victim would do in a coffee shop or other place where they want to use an open WiFi to browse:
2. Using Cain & Abel to found out some interesting data from the victim
We need to connect our PC to the open WiFi we created in order to be in the same network as the victim (in this case, we are simulating the victim with our own mobile phone):
In the repeater web user interface, we can check the MAC address of the connected devices. In this case, the LG smartphone:
We opened Cain and run an ARP spooffing so we found our phone:
From this point, all the traffic that our phone is requesting and sending will go through Cain (a Man in The Middle attack).
In order to show this, we will take our phone and browse on Amazon, Facebook… and of course, Cain will get this information:
Not only shows Cain the surfing we did, but it’s also able to get some certificates!
These certificates could be used to sign in the websites the victim visits while we perform the MiTM attack!
3. Sniffing packets using Kali Linux and the monitor mode
Again, in the repeater’s website we can easily find the MAC address of itself:
On Kali Linux, after running
airodump-ng -w capture.pcap wlan0mon
we can find our open WiFi in the list of detected APs (remember to check this post to learn how to do this on Kali Linux):
We disconnected a connected again our phone to the open WiFi, so its IP address changed:
and we can see in the pcap file, how the repeater sends an ARP to find out who has that IP:
Again, we surf a couple of websites. In this case the IP address 18.104.22.168 belongs to Facebook Ireland Ltd and the IP 22.214.171.124 to Facebook, Inc. California (we just navigate on Facebook, and these are the connections made). These communications use TLS protocols for secure transactions. You can see the “Clients Hello” and the “Change Cipher Spec” sent to the server to inform that from now, all the information sent will be authenticated:
Note that this 443 port is the same Cain detected when catching the certificates.
In this tutorial you have seen that, at least, a hacker can easily know what you are doing with your phone/PC while using the open WiFi. From there, the uses they give to this information are numerous and extremely dangerous for the victim. You saw they can sign in your Amazon and Facebook accounts, perform a more sophisticated Man in The Middle Attack… so, will you think twice before connecting to an open WiFi? 😉