This repository contains a Proof of Concept (PoC) for demonstrating a simulated network environment where a victim device interacts with DNS, a Wi-Fi access point, and a Microsoft server over a secure HTTPS connection. Each component simulates real-world protocols like DNS resolution, TLS certification, and Diffie-Hellman key exchange.
- Python 3.6+
cryptographypackage
Install the required Python package using:
pip install cryptographyTo run this PoC, you’ll need four terminals (or terminal windows) set up in four different directories, each containing the relevant Python scripts.
Watch the 5-minute walkthrough or follow the steps below.
- Clone the repository:
git clone https://github.com/MFA-Phishing-MQP-WPI/RCA-PoC.git
-
Running each component: Open a new terminal for each directory and run the respective scripts:
Terminal 1 -
Microsoft Server/Fake Microsoft Server:cd RCA-PoC/Microsoft python3 microsoft_shell.pycd RCA-PoC/NotMicrosoft python3 microsoft_shell.py
Terminal 2 -
Wi-Fi Access Point:cd RCA-PoC/WiFi_Access_Point python3 access_point_shell.py [wap rwap] [OPTIONAL: -require_malicious_ca]
Terminal 3 -
DNS Server:cd RCA-PoC/DNS python3 dns_server.py
Terminal 4 -
Victim:cd RCA-PoC/Victim python3 victim_shell.pycd RCA-PoC/Victim python3 victim_shell.py -v
-
Expected Flow:
- In the case where the Wi-Fi Access Point is running in
WAPmode-
The
Victimfirst tries to connect to theaccess point.- The
access pointgrants thevictimaccess.
- The
-
The
victimconnects to theDNS serverthrough theaccess point, requesting to resolvelogin.microsoft.com.- The
DNS serverresponds with theportfor theMicrosoft server.
- The
-
The
Victimthen requests aTLS certificatefrom theMicrosoft server, which theaccess pointforwards. -
The
Victimverifies the certificate and initiates aDiffie-Hellman key exchange. -
Finally, the victim sends an
HTTPS-encrypted messageto theMicrosoft server, which decrypts the message and responds.✅ HTTPS SUCCESS 🔒
-
- In the case where the Wi-Fi Access Point is running in
RWAPmode-
The
Victimfirst tries to connect to theaccess point.- The
access pointgrants thevictimaccess.
- The
-
The
victimconnects to theDNS serverthrough theaccess point, requesting to resolvelogin.microsoft.com.- The
DNS serverresponds to theAccess Pointwith theportfor theMicrosoft server. - The
Access Pointedits the resolved port to theMalicious Serverand forwards the edited response to theVictim.
- The
-
The
Victimthen requests aTLS certificatefrom theMalicious serverthinking it's theMicrosoft Server, which theaccess pointforwards. -
The
Victimfails to verify the fake certificate and terminates the communication.❌ HTTPS FAILURE ❌
-
- In the case where the Wi-Fi Access Point is running in
RWAPmode with the-require_malicious_caflag-
The
Victimfirst tries to connect to theaccess point.- The
access pointdenies thevictimaccess due to a missing certificate.
- The
-
The
Victimrequests the missing certificate from theaccess point.- The
Victiminstalls themalicious CAreceived from theaccess point.
- The
-
The
Victimtries to connect to theaccess pointa second time.- The
access pointgrants thevictimaccess.
- The
-
The
Victimconnects to theDNS serverthrough theaccess point, requesting to resolvelogin.microsoft.com.- The
DNS serverresponds to theAccess Pointwith theportfor theMicrosoft server. - The
Access Pointedits the resolved port to theMalicious Serverand forwards the edited response to theVictim.
- The
-
The
Victimthen requests aTLS certificatefrom theMalicious serverthinking it's theMicrosoft Server, which theaccess pointforwards. -
The
Victimverifies the fake certificate using themalicious CAthat was installed when theVictimconnected to theaccess pointand initiates aDiffie-Hellman key exchange. -
Finally, the victim sends an
HTTPS-encrypted messageto theMalicious server, which decrypts the message and responds.✅ HTTPS SUCCESS 🔒
-
- In the case where the Wi-Fi Access Point is running in
The PoC is broken into four main components, each running in its own terminal session:
- Microsoft Server (
Microsoft): Acts as the target server, handling requests from the victim via the access point, providing TLS certificates, and securely communicating via Diffie-Hellman. - Wi-Fi Access Point (
WiFi_Access_Point): Intercepts and forwards communication between the victim and the Microsoft and DNS servers. - DNS Server (
DNS): Resolves the URL requested by the victim to an IP address and port. - Victim Device (
Victim): The main client initiating requests to resolve a URL, connect to the Microsoft server, authenticate via a TLS certificate, exchange keys, and establish a secure communication channel.
-
DNS Resolution: The victim requests the IP and port for
login.microsoft.comfrom the DNS server via the access point. The DNS server responds with the port of the Microsoft server. -
TLS Authentication: The victim requests the Microsoft server’s TLS certificate via the access point. The victim verifies the authenticity of the certificate.
-
Diffie-Hellman Key Exchange: The victim initiates a secure Diffie-Hellman key exchange with the Microsoft server, establishing a shared secret key.
-
Secure Communication: Using the shared key, the victim sends an encrypted HTTPS message to the Microsoft server, which decrypts it and responds.
This PoC simulates an environment where multiple interactions occur through a central access point, emulating a scenario where a Wi-Fi access point intermediates communication between a client and external servers. It demonstrates:
- DNS Resolution over an intermediary.
- TLS Certificate Verification and the role of certificates in authenticating a server.
- Diffie-Hellman Key Exchange to establish a secure session key.
- Encrypted Communication via HTTPS using the established session key.
This setup showcases how various protocols work together to establish secure and authenticated communication channels over a potentially untrusted network intermediary.
Note: This PoC is for demonstration purposes only. Do not deploy this code on live networks.