What's a Pumpkin Honeypot and why you should probably be using a VPN when you're on free Wi-Fi

So to start off I repurposed the first honeypot I had created a couple of months ago.
This was quite similar to flashing the microSD the first time so I won't go into the details again. You can read more about Kali for Raspberry PI here. This is really cool because once you flash the Kali image onto the SSD with the addition of a battery pack you have now created a portable Kali machine that is ready to take with you on all sorts of adventures. Please remember to only test on things that you have permission to do so. An easy way is to just test against your own devices and I will show a few examples below of some fun things I found going a little deeper into my security research on Wi-Fi. So in the first honeypot I created before I had simple logging capabilities if a rogue device where to connect to my access point. I had at least a mac address and minimal information about the device. So that was interesting but I wanted to go a bit further and see what else you could do. I decided for this next example to not try and reinvent the wheel but rather to see what are some cool tools I could find to help me further understand how this whole Wi-Fi thing works more in depth. There are many tools to explore still but I found this one in particular to be very interesting. It is called WiFiPumpkin3 and you can take a look by grabbing a free copy over on github. They have done away with the graphical user interface which has given way to the command line based version. This makes its use slightly more technical but does allow for more granular control, automation and custom configurations.


And to start off you can name your WiFi any emoji you want which is fun. So now that I connected to the newly created access point nothing really seems off. I went and visited my website at jasongardner.us and started clicking around. Great, we were able to spin up a new wifi access point with the raspberry pi in a minute once wifipumpkin3 was loaded on the Raspberry Pi. However, that's not all that just happened. 


So within wifipumpkin3 there is 'sniffkin' which is sniffing the traffic flowing through the honeypot. Here the rogue access point we have created is now allowing devices to connect and browse the web but we are also logging what websites and IP addresses the device is connecting to. That's probably not what you expected when you were just connecting to a free Wi-Fi now is it. Here is another module within wifipumpkin3 that I thought was very interesting. Here this is creating a captive portal so when a device connects to the rogue access point users are greeted with a portal requesting a username and password. You may have seen this on a campus, hotel or even at a Starbucks. The danger here is that this page can be made to look like any login portal anywhere. So when users connect and enter their usernames and passwords then they are not putting those where they think they are. 



So here you see that the user has successfully logged into the captive portal on their iPhone. They have unwittingly entered their credentials on a fake login page to use the free Wi-Fi. 


As you can see this is just an example and the user 'Admin' with a a password of 'test' is logged in the system. Now the user will connect and not only have the credentials they use to access the local free wifi were logged then any subsequent internet browsing will be logged as well. Well, why am I telling you this? This all seems a bit troubling and makes me think that I shouldn't use free Wi-Fi anymore anywhere. I'm saying that more so that you can be aware of what's out there. I think that by being aware, you can take the proper steps to protect yourself and safeguard your usage of the internet and keep some of your privacy intact from attackers. Sometimes you have to think like an attacker to protect yourself from an attacker. So what can you do? Should you really just leave your phone off the next time you're at the airport or at a hotel? Of course not. Just use a VPN. A VPN will create a tunnel of sorts for your data to travel across the internet safely, securely and privately. All someone would be able to see even if they are sitting right there in the middle of your connection would be scrambled messages and that perhaps you are connecting to a VPN. I decided to investigate this a bit further to see how encrypted or protected my internet usage was with a VPN. Here I am using NordVPN on an iPhone. 

You can grab the latest version of Wireshark here. Wireshark allows you to analyze and look at network traffic. Here we are looking at the interface wlan0 which is the Wi-Fi interface where the rogue access point is broadcasting from. By looking at interface wlan0 we are able to see everything going to and from the iPhone and the honeypot. One unexpected thing I found here is that although most of my internet traffic was being routed through the VPN and was therefore encrypted not all app data was going through the VPN tunnel. In fact an observer could see that I'm also listening to music on Spotify. However, at least the important internet traffic like emails and banking are protected which is good. So although the VPN may not work 100% correctly all the time, you are getting an infinitely greater amount of privacy by using the VPN when traveling or visiting new places that you are unfamiliar with where there could be a rogue access point. Again, though to clarify you should not do this against devices you do not own or have the permission to test against. I am showing you this more as a warning of what is out there and why you should be careful when connecting to unknown Wi-Fi and to use a VPN whenever you can.



So is there anything else you can do. Yes, there is one more thing I thought of in this analysis that I don't think it would be complete without and that is - location. Yes, what is the real point of detecting a nefarious device that is connecting if you are then not able to localize yet. Find it? How, it is invisible? Not really. I found another very interesting tool for android phones. This doesn't exist for iOS yet, but I hope that is in the works somewhere. This app is called WiGLE WIFI Wardriving. With this app using the phones GPS and maps we are able to do wireless site surveys that show us precisely where a device is based on an SSID or mac address. This can even help you locate Bluetooth devices. So here I wanted to confirm that my device was indeed correctly connected to the Wi-Fi honeypot and the location is correct and I can confirm I'm connected to the right device. This can also be used to find the device by mac address that was initially logged in our first honeypot. So we have also gone a layer deeper with the wireless site surveys and can now not only identify nefarious devices that have connected but we have a way of finding the location of the devices.





Comments

Popular posts from this blog

Automated Exploitation of a Bluetooth vulnerability that leads to 0-click code execution

Sniffing GSM traffic on a private cellphone network

Raspberry Pi WiFi Honeypot 🍯