1 / 59

“We need a special holiday to honor the countless kind souls with unsecured networks named 'linksys'.”

“We need a special holiday to honor the countless kind souls with unsecured networks named 'linksys'.”. www.xkcd.com. “If you're not cool enough to do it manually, you can look up tools like Upside-Down-Ternet for playing games with people on your wifi.”. www.xkcd.com.

glenys
Download Presentation

“We need a special holiday to honor the countless kind souls with unsecured networks named 'linksys'.”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. “We need a special holiday to honor the countless kind souls with unsecured networks named 'linksys'.” www.xkcd.com

  2. “If you're not cool enough to do it manually, you can look up tools like Upside-Down-Ternet for playing games with people on your wifi.” www.xkcd.com

  3. “I hear this is an option in the latest Ubuntu release.” …isn’t BackTrack 4 based on Ubuntu… www.xkcd.com

  4. Spread your Spectrum 802.11 ObgYn

  5. IEEE 802.11y • 802.11o is a reserved and unused letter • When I submitted this talk, I didn’t realize that 802.11y had been ratified • This really ruined my joke name… • Sadly, I don’t have an 802.11y card or driver so we will not be discussing 3650-3700MHz • I really hope this doesn’t disappoint anyone, I will try to make it up to you all next time…

  6. Who am I and why do you care? • Rick “Zero_Chaos” Farina • Senior Wireless Security Researcher for AirTight Networks • Aircrack-ng Team Member • Embedded Development • Maverick Hunter Rank S

  7. You might remember me from such things as:

  8. Walking into my own talk late at Defcon 16

  9. Rudely interrupting other people's talks...

  10. ...and inciting hackers to riot

  11. Now I'm back! • Today's Agenda • Freq Update • Updated patches • Updated information • Unusual Encryption • Like what? • How to detect it • Wireless Intrusion Detection and Prevention • What is it? • How it works

  12. Standard DISCLAIMER: • Some of the topics in this presentation may be used to break the law in new and exciting ways… • of course I do not recommend breaking the law and it is your responsibility to check your local laws and abide by them. • DO NOT blame me when a three letter organization knocks on your door. • I am not an expert, this is all based on my research and dumb luck.

  13. Contest • Find the AP • I have hidden an AP somewhere in the airwaves • Report the center frequency of operation, SSID, and mac address to win • (Insiders and friends are not eligible)

  14. Spoils* (first winner only) • Find the AP before the end of the talk • Ubiquiti Super Range Cardbus wifi card • Your face in the video if you are right • Public embarrassment if you are wrong • Find the AP before 17:00 • $50 towards a nice Atheros card • Find the AP after 17:00 • Hearty handshake and a pat on the back *game may end early due to unforeseen hardware failure

  15. We have discussed this before: • WiFi Frequencies • .11b/g 2412-2462 (US) • .11a 5180-5320, 5745*-5825 (US) • (regulatory settings from kernel old reg) • Obviously makes no sense • Does the card really not have the ability to use 5320-5745? *DFS channels excluded due to driver limitations

  16. Licensed Bands • Some vendors make special licensed radios • Special wifi cards for use by military and public safety • Typically very expensive • Frequencies of 4920 seem surprisingly close to 5180

  17. Manufacturers are cheap • Atheros and others sometimes support more channels • Allows for 1 radio to be sold for many purposes. • Software controls allowed frequencies

  18. Who Controls the Software? • Yesterday • Most wifi drivers in Linux require binary firmware of some kind • Controls anything the vendor wants • Today • More and more vendors are going fully open source

  19. Who do we like for this stuff? Preferred Undesirable Intel Marvell Atheros Ralink Broadcom • Closed Source (sometimes buggy) Firmware. • Developers working with the community. • Ignores requests for chipset docs. • Releases completely closed source binary drivers. • Fully Open Source Drivers. • Developers working with the community.

  20. Our Playground • Madwifi-ng was driven by a binary HAL • Ath5k is the fully open source driver now in the kernel • Kugutsumen released a patch for “DEBUG” regdomain • Allows for all *officially* supported channels to be tuned to

  21. Fun Comments in ath5k • /* Set this to 1 to disable regulatory domain restrictions for channel tests. • * WARNING: This is for debuging only and has side effects (eg. scan takes too • * long and results timeouts). It's also illegal to tune to some of the • * supported frequencies in some countries, so use this at your own risk, • * you've been warned. */

  22. Comments (cont) • /* • * XXX The tranceiver supports frequencies from 4920 to 6100GHz • * XXX and from 2312 to 2732GHz. There are problems with the • * XXX current ieee80211 implementation because the IEEE • * XXX channel mapping does not support negative channel • * XXX numbers (2312MHz is channel -19). Of course, this • * XXX doesn't matter because these channels are out of range • * XXX but some regulation domains like MKK (Japan) will • * XXX support frequencies somewhere around 4.8GHz. • */

  23. New Toys • Yesterday • .11b/g 2412-2462 (US) • .11a 5180-5320, 5745-5825 (US) • Today • Ubiquiti SRC • .11b/g 2192-2732 • .11a 4800-6000 • Linksys WPC55AG ver 1.3 • .11b/g 2277-2484 • .11a 4800-6000

  24. Spectrum Analyzer • Fully tested frequencies • Sadly no one would let me borrow a SA • Warning: This will differ from card to card • I’ve already lost a few wifi cards…

  25. What is on these new freq? 2180.000 - 2200.000 Fixed Point-to-point (n-p) 2200.000 - 2290.000 DoD 2300.000 - 2310.000 Amateur 2390.000 - 2450.000 Amateur 2450.000 - 2500.000 Radio location 2500.000 - 2535.000 Fixed SAT 2500.000 - 2690.000 Fixed Point-to-point (n-p), Instructional TV 2655.000 - 2690.000 Fixed SAT 2690.000 - 2700.000 Radio Astronomy 2700.000 - 2900.000 DoD

  26. Freq (cont) 4400.000 - 4990.000 DoD 4990.000 - 5000.000 Meteo - Radio Astronomy 5250.000 - 5650.000 Radio Location - Coastal Radar 5460.000 - 5470.000 Radio Nav - General 5470.000 - 5650.000 Meteo - Ground-based Radar 5650.000 - 5925.000 Amateur 5800.000 ISM 5925.000 - 6425.000 Common Carrier and Fixed SAT

  27. Limitations • Many real licensed implementations are broken • Card reports channel 1 but is actually on 4920MHz or some such • This is done to make it easy to use existing drivers • This breaks many open source applications

  28. Airodump-ng • Airodump-ng now supports a list of frequencies to scan rather than channels • Only channels are shown in display, may be wrong • Strips vital header information off of packet so data saved from extended channels is useless

  29. Improvement Was Needed • Sniffers were too trusting, they believed what they saw • Never intended to deal with oddly broken implementations such as channel number fudging • Sniffers had to mature to report more reality, and less assumptions

  30. Kismet • Kismet-newcore fully supports frequency ranges • Displays channels AND frequency in display • Saves pcap files with usable headers • dragorn just generally rocks

  31. Kismet-Newcore • Usable now in SVN from kismetwireless.net • Would have been a Kismet-Test1 release for Shmoocon but setting up freeradius sucks. Bad. • New UI, better logging, improved IDS features, *Plugins*, new mapping SW on its way • Autoconfig device support • Multiple protocol support via plugins – DECT cordless phone sniffing -dragorn

  32. Kernel Regulatory Changes • “old reg” depreciated soon • Contains very few static regulatory domains • Built right into kernel • New userspace Central Regulatory Domain Agent • Userspace app called by udev named crda • Takes input from visible AP or user through iw • Sets accurate reg domain based on country • Uses separate wireless-regdb with contains country information

  33. Ath5k frequency patches • Old ath5k patches • Completely removed tx • No way to control tx • If you are in any mode but monitor you ARE breaking the law • New Ath5k patches • No patch for old reg • crda controls which freq you can tx on • Able to use card safely within the law

  34. Patch released • New ath5k patch released for vanilla kernel 2.6.28.x • I can't support every distro • Available from aircrack-ng svn • Included directions for required userspace tools • Patch available for wireless-regdb • US only (willing to add more on request) • Binary regulatory.bin will be made available • Willing to add capabilities for Licensed Professional and Amateur operations

  35. Future Research in this Area • Kernel Acceptance • Need to fix a few minor bugs • Ath9k support • Yes, these can be extended as well • Ralink support • I've got a hot tip that these support much fun

  36. Final Thoughts on Frequencies • Remember everyone here is a white hat • Please use your new found knowledge for good not evil • In the United States it is LEGAL to monitor all radio frequencies • Have fun…

  37. Unusual Crypto • What do we know? • Kismet and Airodump-ng detect 802.11 encryptions • WEP/WEP+/DWEP/LEAP • WPA/WPA2 PSK/802.1x • EAP types used

  38. Have you ever seen… • a WEP network invulnerable to replay? • Open AP that you cannot connect to? • 802.11 on Spectrum Analyzer but an empty pcap file?

  39. Symbol Keyguard • “TKIP encryption implementation based on the forthcoming 802.11i standard” • “Kerberos V5 based mobile security” • “EAP/TLS with 802.1X port-based Network Access Control or RADIUS” • Really it is just pre-standard tkip • Replay prevention • Detected as WEP by Kismet and Airodump-ng • Thanks to pcap donations, Kismet is adding detection

  40. Government Crypto (Type 3 or 4) • Type 4 • (Exportable) 40bit non-sense • Type 3 • Cranite • Appears defunct • Fortress • FIPS 140-2 • 802.11i

  41. Huh? • Government Crypto Precursors to 802.11i • Cranite • Fortress • Hardware or software encryption/decryption • Strong encryption (Typically AES) • Strong Authentication (Typically certificates)

  42. Unencrypted ?

  43. Does this look unencrypted to you?

  44. Government Crypto (Type 1) • Harris Secnet 11 • Intersil Prism 2 and Harris Sierra CryptoTM Module • Encrypts entire MPDU • Essentially Invisible • Harris Secnet 54 • Modular separation between encrypter and radio • Compatible with COTS equipment • Layer 2 and/or 3 encryption available

More Related