“We need a special holiday to honor the countless kind souls with unsecured networks named 'linksys'.” www.xkcd.com
“If you're not cool enough to do it manually, you can look up tools like Upside-Down-Ternet for playing games with people on your wifi.” www.xkcd.com
“I hear this is an option in the latest Ubuntu release.” …isn’t BackTrack 4 based on Ubuntu… www.xkcd.com
Spread your Spectrum 802.11 ObgYn
IEEE 802.11y
• 802.11o is a reserved and unused letter
• When I submitted this talk, I didn’t realize that 802.11y had been ratified
• This really ruined my joke name…
• Sadly, I don’t have an 802.11y card or driver so we will not be discussing 3650-3700MHz
• I really hope this doesn’t disappoint anyone, I will try to make it up to you all next time…
Who am I and why do you care?
• Rick “Zero_Chaos” Farina
• Senior Wireless Security Researcher for AirTight Networks
• Aircrack-ng Team Member
• Embedded Development
• Maverick Hunter Rank S
Now I'm back!
• Today's Agenda
  • Freq Update
    • Updated patches
    • Updated information
  • Unusual Encryption
    • Like what?
    • How to detect it
  • Wireless Intrusion Detection and Prevention
    • What is it?
    • How it works
Standard DISCLAIMER:
• Some of the topics in this presentation may be used to break the law in new and exciting ways…
• of course I do not recommend breaking the law and it is your responsibility to check your local laws and abide by them.
• DO NOT blame me when a three letter organization knocks on your door.
• I am not an expert, this is all based on my research and dumb luck.
Contest
• Find the AP
• I have hidden an AP somewhere in the airwaves
• Report the center frequency of operation, SSID, and mac address to win
• (Insiders and friends are not eligible)
Spoils* (first winner only)
• Find the AP before the end of the talk
  • Ubiquiti Super Range Cardbus wifi card
  • Your face in the video if you are right
  • Public embarrassment if you are wrong
• Find the AP before 17:00
  • $50 towards a nice Atheros card
• Find the AP after 17:00
  • Hearty handshake and a pat on the back
*game may end early due to unforeseen hardware failure
We have discussed this before:
• WiFi Frequencies (MHz)
  • .11b/g 2412-2462 (US)
  • .11a 5180-5320, 5745*-5825 (US)
  • (regulatory settings from kernel old reg)
• Obviously makes no sense
• Does the card really not have the ability to use 5320-5745?
*DFS channels excluded due to driver limitations
Licensed Bands
• Some vendors make special licensed radios
• Special wifi cards for use by military and public safety
• Typically very expensive
• Frequencies of 4920 MHz seem surprisingly close to 5180 MHz
Manufacturers are cheap
• Atheros and others sometimes support more channels
• Allows for 1 radio to be sold for many purposes.
• Software controls allowed frequencies
Who Controls the Software?
• Yesterday
  • Most wifi drivers in Linux require binary firmware of some kind
  • Controls anything the vendor wants
• Today
  • More and more vendors are going fully open source
Who do we like for this stuff?
Preferred:
• Intel
  • Closed source (sometimes buggy) firmware.
  • Developers working with the community.
• Atheros
  • Fully open source drivers.
  • Developers working with the community.
Undesirable: Marvell, Ralink, Broadcom
• Ignores requests for chipset docs.
• Releases completely closed source binary drivers.
Our Playground
• Madwifi-ng was driven by a binary HAL
• Ath5k is the fully open source driver now in the kernel
• Kugutsumen released a patch for “DEBUG” regdomain
• Allows for all *officially* supported channels to be tuned to
Fun Comments in ath5k
  /* Set this to 1 to disable regulatory domain restrictions for channel tests.
   * WARNING: This is for debuging only and has side effects (eg. scan takes too
   * long and results timeouts). It's also illegal to tune to some of the
   * supported frequencies in some countries, so use this at your own risk,
   * you've been warned. */
Comments (cont)
  /*
   * XXX The tranceiver supports frequencies from 4920 to 6100GHz
   * XXX and from 2312 to 2732GHz. There are problems with the
   * XXX current ieee80211 implementation because the IEEE
   * XXX channel mapping does not support negative channel
   * XXX numbers (2312MHz is channel -19). Of course, this
   * XXX doesn't matter because these channels are out of range
   * XXX but some regulation domains like MKK (Japan) will
   * XXX support frequencies somewhere around 4.8GHz.
   */
New Toys (MHz)
• Yesterday
  • .11b/g 2412-2462 (US)
  • .11a 5180-5320, 5745-5825 (US)
• Today
  • Ubiquiti SRC
    • .11b/g 2192-2732
    • .11a 4800-6000
  • Linksys WPC55AG ver 1.3
    • .11b/g 2277-2484
    • .11a 4800-6000
Spectrum Analyzer
• Fully tested frequencies
• Sadly no one would let me borrow a SA
• Warning: This will differ from card to card
• I’ve already lost a few wifi cards…
What is on these new freq? (MHz)
2180.000 - 2200.000  Fixed Point-to-point (n-p)
2200.000 - 2290.000  DoD
2300.000 - 2310.000  Amateur
2390.000 - 2450.000  Amateur
2450.000 - 2500.000  Radio location
2500.000 - 2535.000  Fixed SAT
2500.000 - 2690.000  Fixed Point-to-point (n-p), Instructional TV
2655.000 - 2690.000  Fixed SAT
2690.000 - 2700.000  Radio Astronomy
2700.000 - 2900.000  DoD
Freq (cont) (MHz)
4400.000 - 4990.000  DoD
4990.000 - 5000.000  Meteo - Radio Astronomy
5250.000 - 5650.000  Radio Location - Coastal Radar
5460.000 - 5470.000  Radio Nav - General
5470.000 - 5650.000  Meteo - Ground-based Radar
5650.000 - 5925.000  Amateur
5800.000             ISM
5925.000 - 6425.000  Common Carrier and Fixed SAT
Limitations
• Many real licensed implementations are broken
• Card reports channel 1 but is actually on 4920MHz or some such
• This is done to make it easy to use existing drivers
• This breaks many open source applications
Airodump-ng
• Airodump-ng now supports a list of frequencies to scan rather than channels
• Only channels are shown in display, may be wrong
• Strips vital header information off of packet so data saved from extended channels is useless
Improvement Was Needed
• Sniffers were too trusting, they believed what they saw
• Never intended to deal with oddly broken implementations such as channel number fudging
• Sniffers had to mature to report more reality, and less assumptions
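The "report reality, not assumptions" point above comes down to one habit: derive the channel from the centre frequency the capture header carries, instead of trusting a channel number the driver hands back. The block below is an added example, not code from the talk, Kismet or Airodump-ng. It parses the radiotap Channel field (frequency in MHz plus flags) from a captured frame, converts the frequency to a channel number with the same arithmetic the ath5k comment quotes (so 2312 MHz comes out as channel -19), and flags the case from the Limitations slide where a driver claims channel 1 while the radio sits on 4920 MHz. The radiotap frames are constructed inline; the 4.9 GHz mapping (4000 + 5 × channel) and the "standard channel" table are assumptions about the ordinary US/Japan allocations, not something the talk states.

```python
"""Added example: trust the radiotap frequency, not the driver's channel number."""
import struct

# radiotap "present" bits handled here; fields appear in bit order (IEEE radiotap)
RT_TSFT, RT_FLAGS, RT_RATE, RT_CHANNEL, RT_FHSS, RT_DBM_ANTSIGNAL = 0, 1, 2, 3, 4, 5
RT_FIELD_LAYOUT = {            # bit -> (size in bytes, natural alignment)
    RT_TSFT: (8, 8), RT_FLAGS: (1, 1), RT_RATE: (1, 1),
    RT_CHANNEL: (4, 2), RT_FHSS: (2, 2), RT_DBM_ANTSIGNAL: (1, 1),
}

# Assumed table of ordinary unlicensed centre frequencies (US), in MHz.
STANDARD_FREQS = (set(range(2412, 2473, 5)) | {2484}
                  | set(range(5180, 5321, 20)) | set(range(5500, 5721, 20))
                  | set(range(5745, 5826, 20)))


def freq_to_channel(freq_mhz):
    """IEEE channel arithmetic extended beyond the standard table.
    Gives the ath5k comment's result: 2312 MHz -> channel -19."""
    if freq_mhz == 2484:
        return 14                          # Japan channel 14 is the one odd case
    if freq_mhz < 4000:
        return (freq_mhz - 2407) // 5      # 2.4 GHz band: 2407 + 5*ch
    if freq_mhz < 5000:
        return (freq_mhz - 4000) // 5      # 4.9 GHz band (assumed mapping): 4000 + 5*ch
    return (freq_mhz - 5000) // 5          # 5 GHz band: 5000 + 5*ch


def parse_radiotap(buf):
    """Return (fields, header_length) for the radiotap fields we understand."""
    version, _pad, length, present = struct.unpack_from('<BBHI', buf, 0)
    if version != 0 or length > len(buf):
        raise ValueError('bad radiotap header')
    off = 8
    words = [present]
    while words[-1] & (1 << 31):           # extra present words chain via bit 31
        words.append(struct.unpack_from('<I', buf, off)[0])
        off += 4
    fields = {}
    for bit in range(31):
        if not present & (1 << bit):
            continue
        if bit not in RT_FIELD_LAYOUT:
            raise ValueError('unhandled radiotap field bit %d' % bit)
        size, align = RT_FIELD_LAYOUT[bit]
        off = (off + align - 1) // align * align     # radiotap natural alignment
        if bit == RT_CHANNEL:
            fields['freq_mhz'], fields['chan_flags'] = struct.unpack_from('<HH', buf, off)
        elif bit == RT_DBM_ANTSIGNAL:
            fields['dbm_signal'] = struct.unpack_from('<b', buf, off)[0]
        elif bit == RT_FLAGS:
            fields['flags'] = buf[off]
        elif bit == RT_RATE:
            fields['rate_500kbps'] = buf[off]
        elif bit == RT_TSFT:
            fields['tsft'] = struct.unpack_from('<Q', buf, off)[0]
        off += size
    return fields, length


def describe_channel(reported_channel, radiotap_frame):
    """Compare the driver's claimed channel with what the capture header says."""
    fields, _ = parse_radiotap(radiotap_frame)
    freq = fields['freq_mhz']
    real_chan = freq_to_channel(freq)
    return {
        'freq_mhz': freq,
        'channel_from_freq': real_chan,
        'standard_channel': freq in STANDARD_FREQS,
        'driver_channel_matches': real_chan == reported_channel,
    }


def build_radiotap(freq_mhz, chan_flags, dbm):
    """Constructed frame: radiotap (Flags, Rate, Channel, dBm signal) + stub beacon."""
    present = (1 << RT_FLAGS) | (1 << RT_RATE) | (1 << RT_CHANNEL) | (1 << RT_DBM_ANTSIGNAL)
    body = struct.pack('<BBHHb', 0x00, 0x0c, freq_mhz, chan_flags, dbm)
    hdr = struct.pack('<BBHI', 0, 0, 8 + len(body), present)
    return hdr + body + b'\x80\x00' + b'\x00' * 22


if __name__ == '__main__':
    # 0x0140 = 5 GHz + OFDM channel flags; driver claims channel 1, radio is on 4920 MHz
    print(describe_channel(1, build_radiotap(4920, 0x0140, -60)))
    print(describe_channel(-19, build_radiotap(2312, 0x00a0, -70)))
```

Running it shows the 4920 MHz capture as channel 184 in the 4.9 GHz mapping, not the channel 1 the driver reported, and marks it as outside the standard table; a sniffer that keys its display and its saved headers off the frequency field keeps both pieces of information.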
Kismet
• Kismet-newcore fully supports frequency ranges
• Displays channels AND frequency in display
• Saves pcap files with usable headers
• dragorn just generally rocks
Kismet-Newcore
• Usable now in SVN from kismetwireless.net
• Would have been a Kismet-Test1 release for Shmoocon but setting up freeradius sucks. Bad.
• New UI, better logging, improved IDS features, *Plugins*, new mapping SW on its way
• Autoconfig device support
• Multiple protocol support via plugins – DECT cordless phone sniffing -dragorn
Kernel Regulatory Changes
• “old reg” deprecated soon
  • Contains very few static regulatory domains
  • Built right into kernel
• New userspace Central Regulatory Domain Agent
  • Userspace app called by udev named crda
  • Takes input from visible AP or user through iw
  • Sets accurate reg domain based on country
  • Uses separate wireless-regdb which contains country information
Ath5k frequency patches
• Old ath5k patches
  • Completely removed tx
  • No way to control tx
  • If you are in any mode but monitor you ARE breaking the law
• New Ath5k patches
  • No patch for old reg
  • crda controls which freq you can tx on
  • Able to use card safely within the law
Patch released
• New ath5k patch released for vanilla kernel 2.6.28.x
• I can't support every distro
• Available from aircrack-ng svn
• Included directions for required userspace tools
• Patch available for wireless-regdb
  • US only (willing to add more on request)
  • Binary regulatory.bin will be made available
• Willing to add capabilities for Licensed Professional and Amateur operations
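With the new patches the regulatory rules, not the driver, decide where the card may transmit, so the practical check before leaving monitor mode is "does the active domain permit TX on this centre frequency at this width, and under what conditions". The block below is an added example and not part of the talk, crda or wireless-regdb: it parses text shaped like the output of `iw reg get` (the sample is constructed for a US-style domain, and the power values in it are illustrative) and classifies a channel as plain TX, DFS (TX only with radar detection), receive-only, or outside every rule. Monitor mode is receive-only, so it is fine on any frequency the hardware tunes; the classification only matters for managed, ad-hoc or AP operation.

```python
"""Added example: check a centre frequency against regulatory rules in `iw reg get` form."""
import re

# Constructed sample shaped like `iw reg get` output; values are illustrative only.
SAMPLE_IW_REG_GET = """\
country US: DFS-FCC
\t(2402 - 2472 @ 40), (N/A, 30), (N/A)
\t(5170 - 5250 @ 80), (N/A, 17), (N/A), AUTO-BW
\t(5250 - 5330 @ 80), (N/A, 23), (0 ms), DFS, AUTO-BW
\t(5490 - 5730 @ 160), (N/A, 23), (0 ms), DFS
\t(5735 - 5835 @ 80), (N/A, 30), (N/A)
"""

RANGE_RE = re.compile(r'\((\d+)\s*-\s*(\d+)\s*@\s*(\d+)\)(.*)')
FLAG_RE = re.compile(r'\b(DFS|NO-IR|NO-OUTDOOR|NO-IBSS|PASSIVE-SCAN|AUTO-BW)\b')


def parse_reg_rules(text):
    """Return (country, rules); each rule is {'start', 'end', 'max_bw', 'flags'} in MHz."""
    country = None
    rules = []
    for line in text.splitlines():
        m = re.match(r'country (\w+):', line.strip())
        if m:
            country = m.group(1)
            continue
        m = RANGE_RE.search(line)
        if not m:
            continue
        start, end, bw = (int(m.group(i)) for i in (1, 2, 3))
        # flag words (DFS, NO-IR, ...) trail the numeric groups on the same line
        flags = set(FLAG_RE.findall(m.group(4)))
        rules.append({'start': start, 'end': end, 'max_bw': bw, 'flags': flags})
    return country, rules


def tx_permission(center_mhz, width_mhz, rules):
    """'tx', 'dfs' (TX only with radar detection), 'rx-only' (passive), or 'forbidden'."""
    lo, hi = center_mhz - width_mhz / 2, center_mhz + width_mhz / 2
    for r in rules:
        # the whole channel, not just its centre, must sit inside one rule's range
        if r['start'] <= lo and hi <= r['end'] and width_mhz <= r['max_bw']:
            if r['flags'] & {'NO-IR', 'PASSIVE-SCAN'}:
                return 'rx-only'
            return 'dfs' if 'DFS' in r['flags'] else 'tx'
    return 'forbidden'


def allowed_modes(center_mhz, width_mhz, rules):
    """Interface modes that are safe on this channel under the parsed rules."""
    verdict = tx_permission(center_mhz, width_mhz, rules)
    modes = {'monitor'}                     # receive-only: always fine
    if verdict == 'tx':
        modes |= {'managed', 'ibss', 'ap'}
    elif verdict == 'dfs':
        modes |= {'managed'}               # client can follow a DFS-capable AP
    return verdict, modes


if __name__ == '__main__':
    country, rules = parse_reg_rules(SAMPLE_IW_REG_GET)
    for freq in (2312, 2412, 2484, 4920, 5260, 5745):
        print(country, freq, allowed_modes(freq, 20, rules))
```

The frequencies the talk unlocks (2312, 4920 and friends) come back `forbidden` under a US-style rule set, which is exactly the behaviour the "crda controls which freq you can tx on" bullet describes: the card can still monitor there, but the stack will not let it transmit.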
Future Research in this Area
• Kernel Acceptance
  • Need to fix a few minor bugs
• Ath9k support
  • Yes, these can be extended as well
• Ralink support
  • I've got a hot tip that these support much fun
Final Thoughts on Frequencies
• Remember everyone here is a white hat
• Please use your new found knowledge for good not evil
• In the United States it is LEGAL to monitor all radio frequencies
• Have fun…
Unusual Crypto
• What do we know?
  • Kismet and Airodump-ng detect 802.11 encryptions
  • WEP/WEP+/DWEP/LEAP
  • WPA/WPA2 PSK/802.1x
  • EAP types used
Have you ever seen…
• a WEP network invulnerable to replay?
• Open AP that you cannot connect to?
• 802.11 on Spectrum Analyzer but an empty pcap file?
Symbol Keyguard
• “TKIP encryption implementation based on the forthcoming 802.11i standard”
• “Kerberos V5 based mobile security”
• “EAP/TLS with 802.1X port-based Network Access Control or RADIUS”
• Really it is just pre-standard TKIP
• Replay prevention
• Detected as WEP by Kismet and Airodump-ng
• Thanks to pcap donations, Kismet is adding detection
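Why does a pre-standard TKIP network show up as WEP? A beacon only says "privacy bit set" and, for standard WPA/WPA2, carries an RSN or WPA information element; with no such element a sniffer has nothing better than WEP to call it. The block below is an added example, not code from the talk or from Kismet, showing the two-stage check a sniffer can make: classify from the beacon, then, when the verdict is "WEP", look at the protected data frames, because a WEP frame has a 4-byte IV with the Extended IV bit clear while TKIP/CCMP-style frames set that bit and use 8 IV bytes. Treating "WEP beacon but extended-IV data frames" as a sign of something non-standard is a heuristic I am assuming here; the talk does not describe Keyguard's wire format, so this is not a documented Keyguard signature. All frames and MAC addresses are constructed.

```python
"""Added example: classify 802.11 encryption from a beacon, then check 'WEP' verdicts
against the IV format of protected data frames."""
import struct

CAP_PRIVACY = 0x0010            # capability info bit 4
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
WPA_OUI_TYPE = b'\x00\x50\xf2\x01'   # Microsoft OUI, type 1 = WPA IE
FC_SUBTYPE_BEACON = 0x80        # frame control byte 0: mgmt type, subtype 8
FC_TYPE_DATA = 0x08             # (byte0 & 0x0c) == 0x08 means data type
FC_PROTECTED = 0x40             # frame control byte 1, bit 6
EXT_IV = 0x20                   # bit 5 of the key-id byte (4th IV byte)
BSSID = b'\x02\x00\x00\x00\x00\x01'   # constructed, locally administered


def parse_ies(body):
    """Split an (id, len, data)* information element list."""
    ies, off = [], 0
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        ies.append((eid, body[off + 2:off + 2 + elen]))
        off += 2 + elen
    return ies


def classify_beacon(frame):
    """'OPEN', 'WPA', 'WPA2' or 'WEP?' (privacy bit but no RSN/WPA element)."""
    if frame[0] != FC_SUBTYPE_BEACON:
        raise ValueError('not a beacon')
    cap = struct.unpack_from('<H', frame, 24 + 8 + 2)[0]   # after timestamp+interval
    ies = parse_ies(frame[24 + 12:])
    if not cap & CAP_PRIVACY:
        return 'OPEN'
    if any(eid == IE_RSN for eid, _ in ies):
        return 'WPA2'
    if any(eid == IE_VENDOR and d.startswith(WPA_OUI_TYPE) for eid, d in ies):
        return 'WPA'
    return 'WEP?'


def data_frame_iv_kind(frame):
    """'WEP' (4-byte IV, ExtIV clear), 'EXTIV' (TKIP/CCMP-style), or None if unprotected."""
    if (frame[0] & 0x0c) != FC_TYPE_DATA or not frame[1] & FC_PROTECTED:
        return None
    hdr_len = 24
    if frame[0] & 0x80:                   # QoS data subtypes carry a 2-byte QoS control
        hdr_len += 2
    if frame[1] & 0x03 == 0x03:           # ToDS+FromDS: four-address header
        hdr_len += 6
    return 'EXTIV' if frame[hdr_len + 3] & EXT_IV else 'WEP'


def classify_network(beacon, data_frames):
    """Beacon verdict, refined by data-frame IV format when the beacon only says WEP."""
    verdict = classify_beacon(beacon)
    if verdict != 'WEP?':
        return verdict
    kinds = {data_frame_iv_kind(f) for f in data_frames} - {None}
    if 'EXTIV' in kinds:
        return 'WEP-like beacon but extended-IV data (pre-standard TKIP?)'
    return 'WEP' if kinds else 'WEP?'


def build_beacon(privacy, ies):
    """Constructed beacon: 24-byte header, timestamp, interval, capability, IEs."""
    hdr = b'\x80\x00\x00\x00' + b'\xff' * 6 + BSSID + BSSID + b'\x00\x00'
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)          # ESS (+ privacy)
    body = b'\x00' * 8 + struct.pack('<HH', 100, cap)
    body += b''.join(bytes([eid, len(d)]) + d for eid, d in ies)
    return hdr + body


def build_data(iv_bytes):
    """Constructed protected data frame (ToDS) with the given IV bytes then payload."""
    hdr = b'\x08\x41\x00\x00' + BSSID + BSSID + BSSID + b'\x00\x00'
    return hdr + iv_bytes + b'\xde\xad\xbe\xef' * 4

WEP_IV = b'\x11\x22\x33\x00'                       # key id 0, ExtIV clear
TKIP_IV = b'\x11\x22\x33\x20\x00\x00\x00\x00'      # ExtIV set, 8 IV bytes


if __name__ == '__main__':
    wep_beacon = build_beacon(True, [(IE_SSID, b'lab')])
    print(classify_network(wep_beacon, [build_data(WEP_IV)]))
    print(classify_network(wep_beacon, [build_data(TKIP_IV)]))
```

The second print shows the case the slide describes: a beacon indistinguishable from WEP, but data frames whose IV layout says otherwise, which is the kind of evidence a detector needs before it labels a network.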
Government Crypto (Type 3 or 4)
• Type 4
  • (Exportable) 40bit non-sense
• Type 3
  • Cranite
    • Appears defunct
  • Fortress
  • FIPS 140-2
  • 802.11i
Huh?
• Government Crypto Precursors to 802.11i
  • Cranite
  • Fortress
• Hardware or software encryption/decryption
• Strong encryption (Typically AES)
• Strong Authentication (Typically certificates)
Government Crypto (Type 1)
• Harris Secnet 11
  • Intersil Prism 2 and Harris Sierra Crypto™ Module
  • Encrypts entire MPDU
  • Essentially Invisible
• Harris Secnet 54
  • Modular separation between encrypter and radio
  • Compatible with COTS equipment
  • Layer 2 and/or 3 encryption available