Shifting the Focus of WiFi Security:
Presentation Transcript


  1. Shifting the Focus of WiFi Security: Beyond cracking your neighbor's WEP key

  2. Who are we and why do you care? • Thomas “Mister_X” d'Otreppe de Bouvette • Founder of Aircrack-ng • Rick “Zero_Chaos” Farina • Aircrack-ng Team Member • Embedded Development

  3. DISCLAIMER: Some of the topics in this presentation may be used to break the law in new and exciting ways… of course we do not recommend breaking the law and it is your responsibility to check your local laws and abide by them. DO NOT blame us when a three letter organization knocks on your door.

  4. Contest • Find the AP • We have hidden an AP somewhere in the airwaves • Report the frequency of operation and mac address to win • (Insiders and friends are not eligible)

  5. Spoils (first winner only) • Find the AP before the end of the talk • Full price of Ubiquiti SRC wifi card • Find the AP before 1pm • $50 towards a nice Atheros card • Find the AP after 1pm • Hearty handshake and a pat on the back

  6. History of WEP Attacks / Why it doesn’t work • Passively Sniff for a long time • Slow, not enough data, impatient • No more weak IVs • Replay/Injection Attacks • Fast but very noisy • Simple signatures • AP features that try to block (PSPF)

  7. History of WPA Attacks / Why it doesn’t work • Pre-shared key • Requires catching both sides of a quick handshake • Must be in range of client and AP • Enterprise • Nearly impossible to crack passively • Most EAP types are difficult (at best) to MiTM

  8. The Well Guarded Door • Nearly 100% of attacks focus on the AP • APs are getting more and more secure • New features built into AP • PSPF / Client Isolation • Strong Authentication / Encryption • Lightweight controller based architecture • APs are no longer the unguarded back door • Deployed with forethought for security • Well developed industry best practices

  9. Take the Path of Least Resistance: Attack the Clients! • Tools have slowly appeared recently • Difficult to use • Odd requirements to make function

  10. Attacking Client WEP Key • Wep0ff • Caffe-Latte • Hirte Attack

  11. Attacking Client WPA Key • WPA-PSK • No public implementation • WPA-ENT • Freeradius-wpe (thanks Brad and Josh!) • Requires hardware AP

  12. Attacking the Client • Many Separate Tools • Difficult to configure • Typically sparsely documented • Odd requirements and configurations Until now…

  13. Introducing Airbase-ng • Full monitor mode AP simulation, needs no extra hardware • Merges many tools into one • Also works in Ad-hoc mode • New and improved, simplified implementations • Easy, fast, deadly (to encryption keys at least)

  14. Airbase-ng Abilities • Evil Twin / Honey Pot • Karma • WEP attacks • WPA-PSK attacks • WPA-Enterprise attacks (coming soon)

  15. Airbase-ng Features • Soft AP • WEP • Open/Shared auth • Caffe Latte • Hirte attack • Capture WPA/WPA2 handshake • Manipulate and resend packets • Encrypt/Decrypt packets

  16. Airbase-ng Features • Filtering to avoid disturbing nearby networks • AP Filters • BSSIDs • ESSIDs • Client filters • MAC Filtering (allow/disallow)

  17. Airbase-ng Abilities • WPA Handshake capture: airbase-ng -W 1 -c 5 -z 2 -I 102 --essid myAP rausb0 • Script to manipulate packets: airbase-ng -Y both rausb0 then start replay.py at1 • Soft AP: • airbase-ng -y -e myAP -c 5 -I 102 rausb0 • ifconfig at0 up 192.168.0.254 • ping/ssh/… it from the client

  18. What are you, a blackhat? • No seriously, this doesn’t promise a win • There are ways to defend as well • APs are finally being configured securely, now clients must be as well

  19. Simple Defenses • Proper Secure Client Configurations • Check the right boxes • GPO

  20. A Step Beyond Crazy • WiFi Frequencies • .11b/g 2412-2462 (US) • .11a 5180-5320, 5745-5825 (US) • Does this look odd to anyone else? • Does the card really not have the ability to use 5320-5740?

  21. Licensed Bands • Some vendors carry licensed radios • Special wifi cards for use by military and public safety • Typically expensive • Requires a license to even purchase • Frequencies of 4920 seem surprisingly close to 5180

  22. Can we do this cheaper? • Atheros and others sometimes support more channels • Allows for 1 radio to be sold for many purposes. • Software controls allowed frequencies

  23. Who Controls the Software? • Sadly, typically the chipset vendors • Most wifi drivers in Linux require binary firmware • This firmware controls regulatory compliance as well as purposing

  24. What can we do? • Fortunately, most linux users don’t like closed source binaries • For many reasons, fully open sourced drivers are being developed • As these drivers become stable, we can start to play

  25. Let’s Play… • Madwifi-ng is driven by a binary HAL • Ath5k is the next gen fully open source driver • Kugutsumen released a patch for “DEBUG” regdomain • Allows for all *officially* supported channels to be tuned to

  26. Fun Comments in ath5k
  /* Set this to 1 to disable regulatory domain restrictions for channel tests.
   * WARNING: This is for debugging only and has side effects (eg. scan takes too
   * long and results timeouts). It's also illegal to tune to some of the
   * supported frequencies in some countries, so use this at your own risk,
   * you've been warned. */

  27. Comments (cont)
  /*
   * XXX The transceiver supports frequencies from 4920 to 6100GHz
   * XXX and from 2312 to 2732GHz. There are problems with the
   * XXX current ieee80211 implementation because the IEEE
   * XXX channel mapping does not support negative channel
   * XXX numbers (2312MHz is channel -19). Of course, this
   * XXX doesn't matter because these channels are out of range
   * XXX but some regulation domains like MKK (Japan) will
   * XXX support frequencies somewhere around 4.8GHz.
   */

  28. New Toys • Yesterday • .11b/g 2412-2462 (US) • .11a 5180-5320, 5745-5825 (US) • Today • .11b/g 2192-2732 (DEBUG) • .11a 4800-6000 (DEBUG)

  29. What is on these new freq? (MHz)
  2180.000 - 2200.000  Fixed Point-to-point (n-p)
  2200.000 - 2290.000  DoD
  2300.000 - 2310.000  Amateur
  2390.000 - 2450.000  Amateur
  2450.000 - 2500.000  Radio location
  2500.000 - 2535.000  Fixed SAT
  2500.000 - 2690.000  Fixed Point-to-point (n-p), Instructional TV
  2655.000 - 2690.000  Fixed SAT
  2690.000 - 2700.000  Radio Astronomy
  2700.000 - 2900.000  DoD

  30. Freq (cont) (MHz)
  4400.000 - 4990.000  DoD
  4990.000 - 5000.000  Meteo - Radio Astronomy
  5250.000 - 5650.000  Radio Location - Coastal Radar
  5460.000 - 5470.000  Radio Nav - General
  5470.000 - 5650.000  Meteo - Ground-based Radar
  5650.000 - 5925.000  Amateur
  5800.000             ISM
  5925.000 - 6425.000  Common Carrier and Fixed SAT

  31. Spectrum Analyzer • Fully tested frequencies • Sadly they wouldn’t let me borrow the SA • Warning: This may differ from card to card • I’ve already lost a few wifi cards…

  32. Limitations • Many real licensed implementations are broken • Card reports channel 1 but is actually on 4920MHz • This is done to make it easy to use existing drivers • This breaks many open source applications

  33. Airodump-ng • Airodump-ng now supports a list of frequencies to scan rather than channels • Only channels are shown in display, may be wrong • Strips vital header information off of packet so data saved from extended channels is useless

  34. Kismet • At time of writing is unable to handle most of the extended channels • Displays channels not frequencies • Does save usable pcap files*

  35. Improvement Needed • Sniffers are too trusting, they believe what they see • Never intended to deal with oddly broken implementations such as channel number fudging • Sniffers need to be improved to report more reality, and less assumptions
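The channel-number fudging described in slides 32 to 35 is easy to catch once a sniffer keeps the measured frequency beside the driver's channel claim. The following is an added example, not Airodump-ng or Kismet code: it derives the IEEE channel from the frequency and flags frames where the two disagree or where no IEEE number exists (the 5 GHz range it accepts is an assumption).

```python
def ieee_channel(freq_mhz):
    """IEEE 802.11 channel for a centre frequency, or None when the frequency
    falls outside the standard 2.4 GHz / 5 GHz numbering. The 5 GHz span used
    here (5150-5895 MHz) is an assumption covering the usual .11a channels."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472 and (freq_mhz - 2407) % 5 == 0:
        return (freq_mhz - 2407) // 5
    if 5150 <= freq_mhz <= 5895 and freq_mhz % 5 == 0:
        return (freq_mhz - 5000) // 5
    return None

def audit(frames):
    """Compare the driver's channel claim with the channel implied by the
    measured frequency. Returns (freq, reported, derived, status) per frame:
    "ok", "fudged" (driver relabelled the channel) or "extended" (no IEEE
    number exists, so a display should show the frequency, not a channel)."""
    out = []
    for f in frames:
        derived = ieee_channel(f["freq"])
        if derived is None:
            status = "extended"
        elif derived != f["reported_channel"]:
            status = "fudged"
        else:
            status = "ok"
        out.append((f["freq"], f["reported_channel"], derived, status))
    return out

# Constructed frames: "freq" as read from the radiotap channel field,
# "reported_channel" as the driver labelled it.
SAMPLE = [
    {"freq": 2412, "reported_channel": 1},   # plain channel 1
    {"freq": 5180, "reported_channel": 36},  # plain channel 36
    {"freq": 4920, "reported_channel": 1},   # 4.9 GHz radio claiming channel 1
    {"freq": 2312, "reported_channel": 1},   # DEBUG regdomain; formula gives -19
    {"freq": 5240, "reported_channel": 36},  # driver says 36, radio is on 48
]
```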

  36. Improvements made! • After this talk was submitted, changes started happening • Kismet-newcore fully supports fun channels • Displays frequencies that packets are received on • Airodump-ng updates are being made now for release soon

  37. Final Thoughts • Remember everyone here is a white hat • Please use your new found knowledge for good not evil • In the United States it is LEGAL to monitor all radio frequencies • Have fun…

  38. WEP cloaking • Old hardware like wireless barcode scanners • Insert chaff in the air to fool cracking tools • Good idea but • Use half bandwidth => 300kb/sec with 11Mbit • Sometimes packets don’t need to be filtered to be cracked

  39. How to break it? • No public documentation => analyze capture files • Every data packet is cloaked (at least packets from the AP protected) • Cloaked Packet size is the same as the original packet • Plays with Sequence Numbers. In most cases, not the same as the original packet (cloaked SN = original +2 to -2) • Only data packets are cloaked (at least type 2, subtype 0) • Signal is not the same as the access point

  40. Implementation • No idea of the implementation => don’t care about key used by the sensor (if any) or data used in cloaked packets (real or fake). • Apply filters to remove cloaked packets • Signal • Sequence numbers • Base analysis on packets known not to be cloaked • Combine filters in a different order

  41. Implementation • We know that all management and control frames are uncloaked. • Base filter: • If any packet with an unknown status has the same SN as one of the uncloaked packets then it’s cloaked • Signal filter: • Get the average signal from uncloaked packets • Allow a small margin of error • Packets outside the margin should be cloaked
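The two filters from slides 40 and 41 (sequence-number collision with known-clean frames, then signal-strength deviation from their average) written out as an added example; this is not the Aircrack-ng implementation the slides announce. Frames are constructed dicts rather than a parsed pcap, and the 64-frame comparison window and 3 dB margin are assumed values.

```python
from statistics import mean

MGMT, CTRL, DATA = 0, 1, 2  # IEEE 802.11 frame types

def mark_by_sequence(frames, window=64):
    """Slide 41 base filter: an AP uses one counter for every frame it sends, so a
    data frame with the same SN as a nearby management frame came from a second
    transmitter. `window` (assumed) keeps 12-bit wraparound from causing false hits."""
    trusted = [(i, f["sn"]) for i, f in enumerate(frames) if f["type"] == MGMT]
    verdicts = {}
    for i, f in enumerate(frames):
        if f["type"] != DATA:
            continue
        clash = any(sn == f["sn"] and abs(i - j) <= window for j, sn in trusted)
        verdicts[i] = "sequence" if clash else None
    return verdicts

def classify(frames, window=64, margin_db=3.0):
    """Sequence filter first, then the signal filter on what is still undecided.
    Reference level = mean signal of management/control frames (never cloaked);
    returns {index: "sequence" | "signal" | "keep"} for every data frame."""
    verdicts = mark_by_sequence(frames, window)
    avg = mean(f["signal"] for f in frames if f["type"] != DATA)
    for i, f in enumerate(frames):
        if f["type"] == DATA and verdicts[i] is None:
            verdicts[i] = "signal" if abs(f["signal"] - avg) > margin_db else "keep"
    return verdicts

def clean_data_frames(frames, **kw):
    """Data frames that survive both filters, in capture order."""
    v = classify(frames, **kw)
    return [frames[i] for i in sorted(v) if v[i] == "keep"]

# Constructed capture: AP heard near -45 dBm, cloaking sensor near -60 dBm.
# Control frames carry no sequence field, hence sn=None.
SAMPLE = [
    {"type": MGMT, "sn": 100, "signal": -45},   # beacon, trusted
    {"type": DATA, "sn": 101, "signal": -45},   # real
    {"type": DATA, "sn": 100, "signal": -46},   # chaff: SN clash, signal plausible
    {"type": DATA, "sn": 102, "signal": -46},   # real
    {"type": DATA, "sn": 103, "signal": -61},   # chaff: unique SN, 16 dB weaker
    {"type": CTRL, "sn": None, "signal": -44},  # CTS, trusted
    {"type": MGMT, "sn": 110, "signal": -46},   # beacon, trusted
    {"type": DATA, "sn": 111, "signal": -44},   # real
    {"type": DATA, "sn": 112, "signal": -59},   # chaff: caught by signal only
    {"type": DATA, "sn": 110, "signal": -60},   # chaff: caught by both
]
```

Running the filters in the other order (signal first) gives the same survivors here; the slides note that order matters only when one filter's reference set depends on the other's output.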

  42. Implementation • Code will be released soon; check the Subversion repository.

  43. Thanks • Updated Slide Presentation can be found at: http://www.aircrack-ng.org/defcon16.ppt • Bibliography • http://www.willhackforsushi.com/FreeRADIUS-WPE.html • We will complete this and post this weekend
