Well, I'm loving my phishing class. They encourage hands-on experiments, and I've already got the opportunity to carry out something that should lead to publication! (More to come on that after I get approval, etc.) However, the main reason I like the class is I get to think like a bad guy. Something I do a lot, just never carry out due to my preference for white hat hacking, as opposed to black hat.

Right now I'm playing around with DNS poisoning. First I'll be testing it on my home network, and then, again if I get approval, on the IU network.

Also, due to major insecurities in wireless networks, and the facts:

  1. America seems fascinated by them, and demands wireless internet wherever they go. Even Indianapolis is going to offer wireless anywhere you go in the city. Officials are hesitant to do it, not due to security, but they want to know who should pay for it.
  2. Most wireless networks are *not* a wireless network, merely a wireless access point *to* a real network. As such you give up all security on your physical network when you attach a wireless access point. They are vulnerable, I'm not kidding.

I plan on pursuing a line of action to demonstrate just how vulnerable these networks are to phishing, and why wireless internet should not be the norm, but a special case, such that if you *were* to find it in the open, you'd know something was wrong.

The fun part of this is unsecured wifi portals, that let you set DNS, aka every frickin wireless router on a college campus, just about. You could set an admin password, and change the DNS server to point bank sites to a fake page. I won't go into any more detail, as it's an easy attack, and I don't want anyone to get good ideas from it. Hopefully I'll be able to get a paper on that subject as well.

Now, how can one stop rogue access points? My solution is quite clever, and after I talk it through with a professor here, I might even go looking for a patent, I'm not sure. So, it remains a secret for now.
