Intro to CyberSecurity + Pumpkin Pi Rogue AP Attack

I’ve always had a fascination with Cybersecurity, an interest that peaked years ago, prior to being a software developer in coding bootcamp.

Tiffany Abraham
Dec 12, 2019 · 8 min read

All aspects interest me, from cyberactivism (‘hacktivism’) to elaborate military cyberattacks that sabotage nuclear weapon production via the destruction of centrifuges (Stuxnet). Today I hope to give you an idea of how easy it is to have your identity stolen along with a practical few first steps to improve your digital security. I’ll go into the basics of a man-in-the-middle attack using a Pumpkin Pi as a Rogue AP, to show you just how easy it is with some basic knowledge.

Photo by Clint Patterson on Unsplash

In CyberSec, a vulnerability is a weakness of some type that can be exploited by a threat actor (attacker).

An exploit can be code that takes advantage of a vulnerability to execute an attack.

“Owned”: Owned is a slang word that originated among 1990s hackers, where it referred to “rooting” or gaining administrative control over someone else’s computer.

First, of many, Mr.Robot references (sorry not sorry)

On Public WiFi? Use a VPN or else.

VPN stands for Virtual Private Network. Essentially, a VPN creates a secure tunnel from your computer to the internet, adding a layer of security and privacy. This is extremely important when using public WiFi, as I’m about to show you how a trip to Starbucks could end in your identity being compromised via a man-in-the-middle attack.

MITM attack VS using a secure VPN (green line)

A man-in-the-middle (MITM) attack is essentially an attack where the attacker eavesdrops on your connection, intercepting your data and potentially capturing log-in credentials, banking information, and more. Using a VPN can protect your internet traffic from being snooped on by an attacker.

Choosing a VPN

Link: TechRadar comparison of VPN services(2019)

ExpressVPN: I currently use ExpressVPN, the Android app has a feature where you can choose to connect to a VPN whenever you’re not on a network you trust (NordVPN seems to have possibly dropped this feature). It’s widely considered one of the best VPNs you can get.

“[ExpressVPN is] The best all-round VPN service for speed, privacy and unblocking “ — TechRadar 2019

NordVPN: I also used to recommend NordVPN, although I no longer use their service after a server breach earlier this year; Nord kept the breach secret for months until a security researcher pressured them to disclose via Twitter. Hacks are to be expected, but it’s the misleading marketing as ‘most secure VPN’ and lack of transparency that makes ExpressVPN the clear choice.

The ‘Evil Twin’ Starbucks Attack Example

Knowing how attacks work is a crucial part of educating people who want to learn & potentially work in CyberSec. BUT, I do NOT encourage/promote/endorse illegal activities, IN ANY WAY. If you’re in a public place and want to experiment (especially if you’re naming an open network AP something misleading like ‘Starbucks’): MAKE SURE YOU HAVE LEGAL PERMISSION TO DO SO, otherwise: unconsenting phones could connect to it, which is potentially illegal (and not cool). Again, this is for CyberSecurity educational purposes only.

Pumpkin Pi
Image credit: Null-Byte

WiFi-Pumpkin is a framework for creating rogue access points for MITM attack.

My Raspberry Pi

Here’s a photo of my Raspberry Pi running Kali Linux; notice it doesn’t have the wireless network adapter. (If you haven’t heard of Raspberry Pi’s potential, check these project ideas out.)

Rogue AP named ‘Free WiFi’

The attacker configures their rogue access point to have the SSID set to “Starbucks” and configures it to be an open unsecured network (allowing random potential victim devices to auto-connect).

Rogue AP diagram (source)

Let’s say you go into Starbucks, you sit down after getting your venti Toasted White Chocolate Mocha Frappuccino, and open up your laptop. Your computer automatically connects to the attacker’s rogue “Starbucks” network, and as far as you know, you’re connected “privately”. Attackers can also easily create a fake login page, one that looks just like the Starbucks login. You decide to check your bank account, and everything seems to be normal…but across the room, a nefarious person is listening in.
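The evil-twin setup above works because the victim’s device trusts an SSID by name alone. The check below is an added example (not code from the original post or from WiFi-Pumpkin) of what the defending side can do with nothing more than a scan listing: compare each access point advertising a saved SSID against the profile the device already has for that network (its known BSSIDs and expected security type) and refuse to auto-join when anything disagrees. The scan results and the `TRUSTED_PROFILE` table are constructed sample data; the field names and the `AccessPoint` type are assumptions for the example.

```python
"""Evil-twin indicator check over a Wi-Fi scan listing (added example).

Given access points as a scanner would report them (SSID, BSSID, security,
channel) and a profile of the networks this device is allowed to auto-join,
flag what a defender wants to see: a saved SSID advertised by an unknown
BSSID, and an open network reusing the name of a network expected to be
protected. All inputs are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # MAC address of the radio, as reported by the scan
    security: str   # "open", "wpa2", "wpa3", ...
    channel: int


# Constructed: what the device's saved-network profile expects for each SSID.
TRUSTED_PROFILE = {
    "HomeNet": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "wpa2"},
    "Starbucks": {"bssids": {"10:20:30:40:50:60"}, "security": "wpa2"},
}

# Constructed scan results, including a rogue open "Starbucks" on another BSSID.
SAMPLE_SCAN = [
    AccessPoint("HomeNet", "aa:bb:cc:00:00:01", "wpa2", 6),
    AccessPoint("Starbucks", "10:20:30:40:50:60", "wpa2", 1),
    AccessPoint("Starbucks", "de:ad:be:ef:00:01", "open", 11),
    AccessPoint("Free WiFi", "de:ad:be:ef:00:02", "open", 11),
]


def find_evil_twin_indicators(scan, profile):
    """Return (ssid, bssid, reason) tuples for access points that contradict
    the saved profile of the SSID they advertise. SSIDs not in the profile
    are ignored: the device should never auto-join those anyway."""
    findings = []
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap.ssid].append(ap)

    for ssid, aps in by_ssid.items():
        expected = profile.get(ssid)
        if expected is None:
            continue
        for ap in aps:
            if ap.bssid not in expected["bssids"]:
                findings.append((ssid, ap.bssid, "unknown BSSID for a saved SSID"))
            if expected["security"] != "open" and ap.security == "open":
                findings.append((ssid, ap.bssid, "open network using a protected SSID"))
    return findings


def safe_to_auto_join(ssid, scan, profile):
    """Auto-join only when every AP currently advertising this SSID matches
    the saved profile; one contradicting AP is enough to hold off."""
    if ssid not in profile:
        return False
    return not any(f[0] == ssid for f in find_evil_twin_indicators(scan, profile))


if __name__ == "__main__":
    for ssid, bssid, reason in find_evil_twin_indicators(SAMPLE_SCAN, TRUSTED_PROFILE):
        print(f"{ssid!r} from {bssid}: {reason}")
    for name in ("HomeNet", "Starbucks", "Free WiFi"):
        print(name, "auto-join ok" if safe_to_auto_join(name, SAMPLE_SCAN, TRUSTED_PROFILE) else "hold")
```

Two caveats worth keeping in mind when turning this into a real client policy: a legitimate café usually has several BSSIDs for one SSID, so the "unknown BSSID" rule needs a learning phase or an allow-list from the operator, and a rogue AP can clone a BSSID as easily as an SSID. The security-type mismatch is the stronger signal: a saved WPA2 network suddenly showing up as open is exactly the "open unsecured network" the attack relies on, and modern operating systems will not auto-join it for the same reason.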

The attacker could easily use Pumpkin-Proxy plugins like keylogger; now they’ve got that password you use for way too many websites. Even if your password was amazingly well thought out, they would still have it, because it logs your keystrokes.

Another Mr.Robot GIF

Your identity and data: compromised, your SSN, DOB, credit card numbers, medical records, your most personal data: all on sale to the highest bidder on the dark web, on some .onion site.

The risk doesn’t stop there: the attacker can inject malicious script into your browser via HTML or JavaScript using easily configurable pumpkin-proxy plugins. There are many more intricate attacks that I won’t go into here; these are just to show how easily somebody could execute an attack.

Plugins mentioned above (keylogger, script injection, etc)

From there, the hacker can use that malicious script they injected as an entry point to install a remote access trojan (RAT) on your system. The hacker can now access your system whenever they want, wherever they want, totally undetected. They can control/access your live web-cam, your live screen, hard-drive contents, your keystrokes, etc.

Even once you’ve disconnected from the attacker’s evil twin network and you’ve gone home, you’re still compromised. The hacker can still access everything because they installed a back-door into your system earlier.

They could take full control of your computer and install ransomware.

WannaCry ransomware screenshot — $300 worth of Bitcoin ransom

Ransomware is a type of malware, designed to deny access to a computer system or data until a ransom is paid. This is under threat of never decrypting your data (meaning you’re never getting your data back) or public release of sensitive data.

What You Can Do: 2FA, VPNs, and Password Managers

I will not be owned (fan-art) | Can you tell I like this show..?

As mentioned earlier: use a VPN when on unsecured networks. This can make it so the man-in-the-middle attack isn’t successful. It creates a secure tunnel between your device and the VPN server, making your personal data much more secure.

LastPass

And are you somebody that re-uses passwords on multiple sites? That’s a huge NO-NO. Sign up for a password manager (like LastPass), then you can use a super-secure password (that you can remember) to keep all your other passwords safe. And many password managers have secure password generators, so you only have to remember that one master password. You can also use 2-Factor Authentication (2FA) to secure your password manager.

2FA is a security process that involves a user providing two factors of authentication. SMS 2FA is not recommended due to vulnerabilities like SIM jacking making it less secure, but it’s better than nothing. I personally use a YubiKey FIDO U2F USB micro.

Two-Factor requires a potential bad actor to first sign in with my secure password, then they’re prompted to insert + hold their finger on the physical USB authentication key, which only I have. This USB is verified by an encrypted token that can be re-generated and re-configured via Yubico software. I also have my YubiKey and computer credentials set up to allow PIV (smart card), so I can optionally log in to my 2018 MacBook Pro via YubiKey insertion, followed by typing in a PIN; as an alternative to the biometric sensor.

If you don’t want to spend money on a USB key, use an app like Google Authenticator, or Authy. I use a 2FA app as a backup for some of my accounts; these work similarly to the USB key: after entering the initial password, you’re instead prompted to enter the time-sensitive 6-digit code from your authentication app of choice. Most 2FA apps use the Time-based One-time Password algorithm (TOTP), regenerating new codes frequently and regularly. I prefer LastPass Authenticator as it solves the very real issue of what happens if you lose your phone with all your 2FA codes on it, which is a miserable experience that I have dealt with before. LastPass Authenticator backs up your 2FA configuration securely and as a bonus, the LastPass password manager integrates smoothly with it.

I hope this blog post was both fascinating and educational, and I’ve included some great resources below for further reference.

Fantastic resources for further research:

The Startup
Tiffany Abraham

Written by

Full-stack developer. Alumna of Flatiron School's Software Engineering Immersive bootcamp. Portfolio: https://tiffany-codes.com/