This tool detects then ATTACKS evil twin access points

Mohamed Idris has created a tool to help network administrators discover and DoS rogue access points. The EvilAP Defender open source tool published to GitHub can be run by admins at intervals to determine if attackers are attempting to get their users to connect to malicious networks. Those evil twin attack networks are …

  1. This post has been deleted by its author

  2. Stuart 18
    Angel

    The legality bootnote can also be interpreted as a possible / likely cover for such a DOS:

    "against something you don't own"

    The underlying principle of any fake AP is to persuade people that it is the AP that you own. Of course it's demonstrable that you saw through the subterfuge but that would require the fake owner going public about his activities. In the more likely case that he doesn't want any more trouble you can just validly argue that you were carrying out a legitimate vulnerability to DoS attack on your own system!

    1. Anonymous Coward

      A DoS against an Evil Twin is like sending a DMCA notice for copyright infringement of your SSID.

  3. Shaha Alam

    prosecuted for dos against an intruder

    isn't it a strange legal system that such a prosecution could even take place.

    i imagine it's the same as being prosecuted for causing distress to a thief when you caught him and booted him out of your house.

    i guess it could be argued that the evil twin is not on your premises and technically not even on your network. i'm not sure what the legal defence is against that.

    1. Anonymous Coward

      Eye for an eye and the world goes blind

      Problem with DDoS attacking potential attackers is that you'll congest the network, causing others problems, without the guarantee that you have averted a future attack vector.

      Also others will see you as a DDoS'er and opening yourself to legitimate, if not legal, vigilante attacks.

      Some laws make sense.

  4. Anonymous Coward
    Holmes

    What about...

    So what's a clever alternative to DOSing?

    Why not use a few extra strategically placed probes to triangulate the perpetrator, by means of GPS on each probe and simple maths...

    Of course, the perp would have to be inside the area 'covered' by the probes. But I'm sure we could come up with a clever means of locating those outside... Wardriving for crime-stopping anyone?

  5. handle
  6. Old Handle
    Boffin

    Isn't changing a MAC address fairly easy?

    1. JCitizen
      Alert

      The MAC can be spoofed..

      I was sure I read these evil twin access points could reside on your own network. I can't see how you can get in trouble for DoS targets inside your own network.

    2. stizzleswick

      MAC can be spoofed easily

      I.e., just assign whichever you like to a virtual machine. But that might be a bad move because then some traffic might get mixed up between routers, leading to all kinds of confusion in network traffic. So if you want to intercept traffic, it would probably be better to use a different MAC from the one the router you're spoofing is using--otherwise, you might wake up the admins, who would come investigating after lost packages.

      I'm not an expert on this particular kind of attack, but that's my tuppence as a long-time sysadmin.

  7. Moha99sa

    There are no legal issues! The tool doesn't attack the hacker!

    Come on guys ... there are no legal issues with this :)

    The tool doesn't attack the hacker. It denies the users of the wireless network (my users) from connecting to the attacker machine! It sends what we call de-authentication packets to the users who may fall victim to the Evil Access Point (AP). This is exactly what the attacker does to enforce users to connect to his Evil AP. The attacker keeps sending these de-authentication packets to deny the users from connecting to their legitimate AP. This will enforce them to connect to his EvilAP.

    The tool does the same ... it sends these packets to the users of the legitimate network to enforce them to not connect to the Evil AP. This packet type doesn't affect the routers or any other networking devices. This packet is only understandable by wireless cards. It only asks the user to re-authenticate to the AP. Sending these packets for a long time will keep the user de-authenticated. This way the attacker will not be able to get any connection from the users of the legitimate network until the Admin reacts to the EvilAP.

    1. Jim Cosser

      Re: There are no legal issues! The tool doesn't attack the hacker!

      Ok replying to a REALLY old thread here but I'm reading up on this in general.

      I agree you aren't attacking the AP as such but you would be denying anyone connecting to it, so is it no longer functioning? Are you denying service? Yes, obviously that is the point of the Deauth.

      So it is kind of a DoS on equip you don't own but for the greater good...I think it's grey at best.
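Comment 7 describes sustained de-authentication packets, which are visible to anyone monitoring the air whichever side sends them. The following is an added example, not part of the thread and not EvilAP Defender's code: it parses raw 802.11 management headers and flags any BSSID that is the subject of a deauthentication burst. The sample frames, MAC addresses, window and threshold are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

# Constructed sample frames (802.11 header, no radiotap); all MACs are made up.
DEAUTH_A = bytes.fromhex("c0000000" "ffffffffffff" "020000000001" "020000000001" "0000" "0700")
DEAUTH_B = bytes.fromhex("c0000000" "02000000aa01" "020000000002" "020000000002" "1000" "0300")
BEACON_A = bytes.fromhex("80000000" "ffffffffffff" "020000000001" "020000000001" "2000") + bytes(12)
SAMPLE = sorted(
    [(i * 0.2, DEAUTH_A) for i in range(12)]          # burst: 12 frames in ~2 s
    + [(1.0, BEACON_A), (3.0, DEAUTH_B), (40.0, DEAUTH_B)],  # normal background
    key=lambda rec: rec[0])

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return (dest, src, bssid, reason) for a deauth frame, else None."""
    if len(frame) < 26:            # 24-byte management header + 2-byte reason code
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if version != 0 or ftype != 0 or subtype != 12:   # management / deauthentication
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def find_floods(capture, window=5.0, threshold=10):
    """Map each BSSID to its peak deauth count when any window reaches threshold.

    The source address is trivially forged, so counts are keyed on the BSSID
    field: it identifies which network's clients are being knocked off.
    """
    recent = defaultdict(deque)
    peaks = {}
    for ts, frame in capture:       # capture must be ordered by timestamp
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        bssid = parsed[2]
        seen = recent[bssid]
        seen.append(ts)
        while ts - seen[0] > window:    # drop frames older than the window
            seen.popleft()
        if len(seen) >= threshold:
            peaks[bssid] = max(peaks.get(bssid, 0), len(seen))
    return peaks
```

A burst flagged this way says only that clients of that BSSID are being de-authenticated; it does not say who is transmitting.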

Biting the hand that feeds IT © 1998–2019