3. Who?
Mike Kershaw (sometimes aka Dragorn)
Random OSS security developer (Kismet, Lorcon, Spectools, other stuff)
Software Engineer at Aruba Networks in the Aruba Threat Labs and Aruba OSS Labs
4. The Plan
Speed-View of Old Kismet (boring)
New Kismet (the good stuff)
Spectrum Analysis
802.11 Injection and Attacks
Future work
Q&A (aka Audience does my work for me)
5. Origins of Kismet
Summer of 2001, Airsnort released for Prism2 cards
Modified it to show SSIDs
Asked if they wanted patches. They didn't.
Got a Cisco card which didn't talk prism2 netlink anyhow
Winter 2001, first Kismet release
6. How Kismet does its voodoo
Kismet places the device in monitor mode aka rfmon
Subtly different from promisc mode
Raw 802.11 packets with the headers intact
Gives us all packets the card sees, regardless of packet type or channel overlap
7. The voodoo that it do (2)
Seeing all the packets lets us:
Detect networks, even cloaked networks
Detect clients
Act as an 802.11 layer-2 IDS
Collect and decode/decrypt at a later date
Be a completely undetectable passive observer
8. Hello, my name is 802.11
Detecting 802.11
It's really easy to do. Really easy.
Networks are fundamentally noisy.
Look at me! I'm a network! This is my name! Come talk to me!
Even weird networks with squelched beacons chat when someone joins
Cloaked networks? Not so much.
9. I'd like to talk to you
Detecting 802.11 clients is as easy as detecting networks, in monitor mode
If a client is talking to a network, you'll see it.
Every network a client looks for. I'm looking for SomeHighProfileDotCom, are you my mommy?
10. Don't do that
Snort is a great OSS IDS but doesn't have many rules for 802.11 layer 2
Kismet already looks at all the packets anyhow
Stateless IDS (fingerprints)
Stateful (trends over time)
Flooding, DHCP abuse, fuzzing/driver attacks, spoofing, etc
11. The boring UI
12. Still Boring
13. Kismet-Newcore
Project name of a total rewrite of the Kismet base, now Kismet-2009-05-RC2 and newer (hooray, releases!)
Primary goal: Fix complaints about Kismet usability, config difficulties, etc
Old code grew - New code is designed
14. New stuff in Newcore
Simpler configs
Live adding of sources
Smarter remote capture
Better error handling
New user interface
Better IDS
Plugins!
15. The exciting UI
16. More excitement
17. Further Thrills
18. Configuring Kismet
Much easier now!
New security model similar to wireshark; add user to 'kismet' group
Source types autodetected in most situations
ncsource=wlan0
Run-time source adding
Run-time configuration of UI
19. Live Export
Virtual network device with tun/tap
Fake 802.11 NIC
Realtime export for any pcap-aware tool (wireshark, snort, packet-o-matic)
Aggregate local and remote sources
Homogenize packet headers
20. Plugins (not airfresheners)
Can do anything Kismet can do
Define new capture sources and protocols (DECT? Zigbee? Spec-An?)
Add new commands, IDS, logs
Add new widgets to the user interface
Visualize custom data
21. Kismet + DECT
http://www.dedected.org
Com-On-Air DECT PCMCIA
Sniff cordless phones
Adds a full non-802.11 protocol to Kismet in plugins (in 800 lines!)
Server and client plugins for logging and display
22. Kismet + Dect (2)
23. Kismet + Spec-An
Spectrum analysis
Uses Wi-Spy from MetaGeek
Logs spectrum data to PPI spectrum header on pcap file
Display spectrum in Kismet UI
Correlate network events with spectrum history
24. Kismet + Spec-An (2)
25. Mapping
Old map code kind of useless
New map code in progress
Works with popular map service, rhymes with Foogle
Arbitrarily large images
International support
26. Mapping Oslo
27. Mapping Zoom
28. Picking a Platform
If you can, Linux is the best bet
It's what I use, and it's what Kismet is written on
LiveCD distros like Backtrack are easy
Most cards have in-kernel drivers
Some out-of-kernel drivers may still be needed (ralink 11n)
29. Pick a platform (2): Windows
AirPCAP is a must
Only device with monitor mode on windows with public drivers
May be possible to hack other drivers from commercial sniffers, but I like not being sued
Cace supports OSS. Yay!
30. Pick a platform (3): OSX
Airport drivers work (Broadcom, Atheros, with Apple drivers)
Old Airport Classic cards don't really work anymore
USB will not work
KisMac can do USB, but is unrelated to Kismet, uses embedded non-portable drivers
31. Pick a Platform (4): Faking it
Kismet requires direct access to hardware with native drivers
Virtualization with USB passthrough can work (VMWare, KVM, Parallels, Virtualbox)
No way to use cardbus/pci/internal/pcmcia cards.
32. Related Tools
Spectools
Spectrum Analysis for Cheap
Curses, GTK, network
Userspace USB drivers for Wi-Spy
Lorcon
Loss Of Radio Control
Homogenizing injection across platforms
Same API for all drivers
33. Spectools
GPL drivers for Wi-Spy
Developed with support from MetaGeek; they get open source!
Works with all 3 Wi-Spy devices
Network-compatible with Windows
Find non-802.11 interference like jamming attacks
34. Spectrum Sniffing
35. Sniffing 5GHz
36. LORCON
Platform and driver neutral
Every driver has quirks; Do you write raw packets? Rtap? Prism? Big endian? Host endian?
Most injection tools were custom written for specific (now outdated) drivers
37. LORCON (2)
Josh Wright and I decided per-driver custom apps suck
Any app using LORCON should work w/ any driver
Functional modes provide best fit
Basic packet crafting library
Basic packet dissection (strip custom headers)
38. LORCON (3)
Ported several apps to LORCON as proof-of-concept
AirPwn running on Windows with Airpcap TX? Sure, why not.
Raw packets with Metasploit? Sounds like a good idea!
http://802.11ninja.net
39. Security Snake Oil: Cloaking
SSID cloaking tries to hide the network SSID so clients can't connect
Operative word: tries
SSID is not a protected field!
Cloaking simply hides the SSID in beacons.
Good thing we see all the packets then!
40. Snake Oil: Cloaking (2)
Network->All: I'm a network!
Client->All: I'm looking for a few good networks. Who are you?
Network->All: Not gonna tell you.
OtherClient->Network: I want to join SomeCloakedNet
Network->Otherclient: That sounds like me, come on in.
41. Snake Oil: Cloaking (3)
All we have to do is wait for a client to join the network and capture the probe request/response
Waiting sounds boring. I don't like boring.
How about we send a packet from the network, to everyone, saying Get out?
42. Snake Oil: Cloaking (4)
FakeNet->All: Get out, now.
All: Oh no! I need to find a network!
Client->Network: I'm looking for SomeCloakedNet again.
Network->Client: Sure, come on in.
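A detection-side illustration of the layer-2 IDS idea from slide 10 (stateless fingerprints plus stateful trends over time), run over the kind of disconnect traffic slides 41 and 42 describe. This is an added example, not Kismet's code or its alert set: the frame records are constructed, and the alert names, threshold and window are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# 802.11 management frame (type, subtype) pairs; type 0 is management
DEAUTH = (0, 12)
DISASSOC = (0, 10)
BEACON = (0, 8)
BROADCAST = "ff:ff:ff:ff:ff:ff"

AP = "00:11:22:33:44:55"      # constructed BSSID of the real access point
CLIENT = "aa:bb:cc:dd:ee:01"  # constructed client address

# Constructed sample capture: (timestamp_s, type, subtype, src, dst, bssid).
# Beacons and one unicast deauth (the AP dropping an idle client) are benign;
# the burst of broadcast deauths carrying the AP's address is the "Get out, now"
# of slide 42, whoever actually transmitted it.
SAMPLE_FRAMES = [
    (0.0, *BEACON, AP, BROADCAST, AP),
    (0.1, *BEACON, AP, BROADCAST, AP),
    (1.0, *DEAUTH, AP, CLIENT, AP),
    (2.0, *BEACON, AP, BROADCAST, AP),
] + [
    (20.0 + 0.2 * n, *DEAUTH, AP, BROADCAST, AP) for n in range(6)
]


def detect_disconnect_abuse(frames, flood_threshold=5, window_s=10.0):
    """Return a list of (alert, source, timestamp) tuples.

    Stateless rule: a broadcast deauth/disassoc is suspicious on its own, since a
    single frame evicts every client of the BSS.
    Stateful rule: flood_threshold or more disconnects from one source address
    inside window_s seconds is a flood, whatever the destination.
    """
    alerts = []
    recent = defaultdict(deque)  # source -> timestamps of its recent disconnects
    for ts, ftype, subtype, src, dst, bssid in frames:
        if (ftype, subtype) not in (DEAUTH, DISASSOC):
            continue
        if dst == BROADCAST:
            alerts.append(("BCAST-DISCONNECT", src, ts))
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) == flood_threshold:       # fire once, as the threshold is crossed
            alerts.append(("DISCONNECT-FLOOD", src, ts))
    return alerts


def summarize(alerts):
    """Count alerts by name, e.g. {'BCAST-DISCONNECT': 6, 'DISCONNECT-FLOOD': 1}."""
    counts = defaultdict(int)
    for name, _src, _ts in alerts:
        counts[name] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect_disconnect_abuse(SAMPLE_FRAMES)
    for alert in found:
        print(alert)
    print(summarize(found))
```

The legitimate unicast deauth at t=1.0 is counted but ages out of the window long before the burst, so the rate rule only fires on the burst itself; the broadcast rule fires on each broadcast frame regardless of rate, which is the cheap stateless fingerprint.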
43. Snake Oil (5): MAC Filters
But, someone says, I don't need to turn on crypto, I have MAC filters!
No
Oh, that's the MAC of your client? I'll just be joining now, thanks
Besides, none of your data is encrypted
You'll find out why this is a bad thing
44. Gut-Punching 802.11
Absurdly easy
Management frames are completely unprotected
It's shared media
All the bad old days for layer 2 attacks live again
I don't have to own the Internet, I own your Internet
45. Strangers with candy
Avoiding hostile networks requires users to be smart; Users are bad decision makers
The OS won't help; Most like to join networks they've joined before
Networks go viral and appear everywhere
It's hard to tell what's real
46. Catch the virus
HP setup Free Public Wifi
Once Windows has seen a network, it wants to see it again
Can't find it? Make an ad-hoc network!
I like free. I like wi-fi. Let me join!
Now another system will advertise it
47. Free public wiffey
Create AP named Free Public Wifi
Run dnsmasq
????
Profit!
Windows happily joins the network
Why yes, I am your POP3 server. Why thank you for that password.
48. Making things worse: Karma
Creating access points manually is really kind of a pain
Isn't there an easier way?
Modified drivers respond for every network requested
Are you FreePublicWifi? Sure
Are you MyCorpNet? Why not?
49. Even worse: Karmetasploit
Karma+Metasploit+Airbase
Become any AP. Become EVERY AP
Answer all DNS queries
Spoof common services like HTTP
Record all logins
You wanted Facebook? How about I give you all the browser exploits instead. Tasty!
50. Man-in-the-Middle
Why just spoof HTTP? Why not give you a real connection and let you log in? (and then read your email)
SSL? Just give them a fake cert. A user would never accept one of those, right?
You encrypted the login, but you didn't move the bodies!
51. Ignoring the network
You know, after all, setting up this whole network framework just to attack a client is a big hassle
Let's just rewrite their traffic in the air and own them that way
Airpwn is underappreciated; Not just for serving shock-porn anymore!
52. Creative editing
Lots of sites include little stubs of JS
Rhymes with ShmaceHook and FlyMace and Glitter
Why not enhance them?
Once you have JS exec inside the page domain, you win
Layer 2 hijacking of open and WEP data
54. Free candy inside
Client->Server: Give me a connection to 1.2.3.4:80
Attacker->Client: I'm 1.2.3.4:80!
Attacker->Server: I'm Client! I changed my mind.
Attacker->Client: Have some candy
55. Constant interruptions
Client->Server: I want 1.2.3.4:80
Server->Client: OK
Client->Server: Give me /foo.js
Attacker->Client: I'm Server, here's foo.js
Attacker->Server: I'm Client. Go home.
56. Not done yet
Client->Server: I want 1.2.3.4:80 /foo.js
Server->Client: Here's foo.js
Attacker->Client: No, no, there's more.
57. Now I'm in your browser...
Rewriting your DOM
What can we do? Anything we want
Rewrite the page DOM to strip HTTPS
Redirect links
Replace text and images
Send cookies to a remote system
Remote-control the browser to do other stuff
58. But it's just a little javascript
    // Walk every div on the page and replace the contents of the ones
    // whose class marks them as the site's headline image and headline text
    var embeds = document.getElementsByTagName('div');
    for (var i = 0; i < embeds.length; i++) {
        if (embeds[i].getAttribute("class") == "cnnT1Img") {
            embeds[i].innerHTML = "...";
        } else if (embeds[i].getAttribute("class") == "cnnT1Txt") {
            embeds[i].innerHTML = "...";
        }
    }
60. Cold, hard cache
Discovered by Robert Hanson with VPNs
Feed a client some javascript
Set cache to infinity
What happens when they go back to corporate HQ and load that?
Yup... I just started running JS inside your corpnet a day later
61. Funeral for WEP
Who here uses WEP?
If you raised your hand, now I'm going to yell
WEP is flawed
Very flawed
Fatally flawed
The corpse is stinking, bury it before the neighbors freak out
62. Breaking WEP
Used to take hours and hundreds of thousands of packets
Now takes minutes and as few as 20,000 packets
ARP injection is obvious but works really well
Or just wait!
Kismet-PTW plugin autocracks
63. No, seriously
Starting PTW attack with 29645 ivs.
KEY FOUND! [ 59:69:6E:67:57 ] (ASCII: YingW )?
Decrypted correctly: 100%
real 0m0.708s
Cracked WEP in the wild with 30,000 ARP packets in less than a second; Took less than 2 minutes to generate packets via ARP injection
WEP is so cheap to crack there is no reason not to try every 100 packets to see if there is enough statistical data to crack it now
64. Home away from home
Why wait for a client to find a network?
Caffe Latte attack uses only the client
Rewrite arp request to arp reply, send to client, repeat
Cracked WEP and owned client in an airport. Or a bus. Whatever
65. Attacking WPA
At least it's better than WEP
WPA-PSK is only as secure as the passphrase
Passphrase + SSID + Length of SSID hashed into PMK
PMK makes PTK per user
Computing PMK is hard
66. Look it up
Computing PMK takes a while
So lets calculate the PMK for every dictionary word plus the top 1000 SSIDs
Dictionary lookups are fast
Tables are big, but so what?
We can accelerate with CUDA and FPGA
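The key derivation slides 65 and 66 talk about, written out. This is an added example, not code from the talk or from Kismet; it implements the 802.11i passphrase-to-PMK mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and the PRF that turns a PMK into a per-station PTK, and checks the first against the published "password"/"IEEE" test vector. The handshake addresses and nonces below are constructed values. The defender's point it makes concrete is twofold: the SSID is the only salt, so a precomputed table is reusable against every network with a common SSID and worthless against a unique one; and every station's PTK derives from the one PMK, so PSK gives no per-user secret.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256-bit output. The SSID length from
    slide 65 enters through the salt length."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def _prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the PMK plus the 4-way handshake values
    (authenticator address aa, station address spa, both nonces); 512 bits for TKIP.
    min/max ordering makes the result independent of which side is listed first."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return _prf(pmk, b"Pairwise key expansion", data, 64)


# Constructed handshake values for two stations on one PSK network
AP_ADDR = bytes.fromhex("001122334455")
STA1 = bytes.fromhex("aabbccddee01")
STA2 = bytes.fromhex("aabbccddee02")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")   # published 802.11i test vector inputs
    print("PMK:", pmk.hex())
    print("same passphrase, other SSID:", derive_pmk("password", "MyUniqueSSID").hex())
    print("PTK sta1:", derive_ptk(pmk, AP_ADDR, STA1, ANONCE, SNONCE).hex())
    print("PTK sta2:", derive_ptk(pmk, AP_ADDR, STA2, ANONCE, SNONCE).hex())
```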
67. Attacking TKIP
TKIP was a stop-gap before 11i
TKIP is RC4. Wait. Isn't WEP RC4?
So doesn't... TKIP suck?
Kind of. They made it better
Per-packet keying, replay prevention, passphrase conversion standards, PTK renegotiation
68. Countermeasures
TKIP includes MIC countermeasures
Invalid packets cause the network to go sulk in the corner and reset
Two invalids in 60 seconds cause the network to go away
We can still guess, but we have to guess slowly
69. Unintended side effects
QoS defined after TKIP
Can re-order packets
Each queue has a packet count
This means we can re-use a packet from one queue in the other queues
Four commonly used, but 12 more available
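A receive-side model of the two TKIP behaviours slides 68 and 69 describe: the MIC-failure countermeasures (two failures within 60 seconds shut the link down for 60 seconds) and the per-queue replay counters that QoS introduced. This is an added example, not code from the talk or any driver, and it is a simplification: there is no decryption or ICV check, MIC validity is supplied as an input, and the events list stands in for what an IDS would log. It shows why a frame that is a replay on its original queue is still fresh to an unused queue, and why the countermeasure timer makes MIC failures an event worth alerting on.

```python
class TkipReceiver:
    """Simplified TKIP receiver: per-TID replay counters and MIC countermeasures."""

    COUNTERMEASURE_WINDOW_S = 60.0   # two MIC failures within this window ...
    COUNTERMEASURE_HOLD_S = 60.0     # ... and the link is disabled for this long

    def __init__(self, per_tid_replay: bool = True):
        self.per_tid_replay = per_tid_replay
        self.last_tsc = {}        # queue key -> highest accepted TKIP sequence counter
        self.mic_failures = []    # timestamps of recent MIC failures
        self.disabled_until = 0.0
        self.events = []          # (event, timestamp, detail), what an IDS would see

    def receive(self, ts: float, tid: int, tsc: int, mic_ok: bool) -> str:
        """Return 'accepted', 'replay', 'mic-failure' or 'dropped'."""
        if ts < self.disabled_until:
            self.events.append(("dropped-during-countermeasures", ts, tsc))
            return "dropped"
        # With QoS each TID (queue) keeps its own counter; without it there is one
        key = tid if self.per_tid_replay else 0
        if tsc <= self.last_tsc.get(key, -1):
            self.events.append(("replay", ts, (tid, tsc)))
            return "replay"
        if not mic_ok:
            window = self.COUNTERMEASURE_WINDOW_S
            self.mic_failures = [t for t in self.mic_failures if ts - t <= window]
            self.mic_failures.append(ts)
            self.events.append(("mic-failure", ts, tsc))
            if len(self.mic_failures) >= 2:
                self.disabled_until = ts + self.COUNTERMEASURE_HOLD_S
                self.mic_failures = []
                self.events.append(("countermeasures-started", ts, self.disabled_until))
            return "mic-failure"
        self.last_tsc[key] = tsc
        return "accepted"


def replay_across_queues(per_tid_replay: bool):
    """Deliver one frame on TID 0, then present the same TSC on TID 0 and on TID 5."""
    rx = TkipReceiver(per_tid_replay)
    first = rx.receive(0.0, 0, 100, True)
    same_queue = rx.receive(1.0, 0, 100, True)
    other_queue = rx.receive(2.0, 5, 100, True)
    return first, same_queue, other_queue


def countermeasure_timeline():
    """Two bad MICs inside 60 s, then a good frame during and after the hold."""
    rx = TkipReceiver()
    outcomes = [
        rx.receive(10.0, 1, 5, False),   # first bad MIC: logged, link stays up
        rx.receive(20.0, 1, 6, False),   # second within 60 s: countermeasures start
        rx.receive(30.0, 1, 7, True),    # valid frame dropped while disabled
        rx.receive(81.0, 1, 7, True),    # hold expired: back to normal
    ]
    return outcomes, rx.disabled_until


if __name__ == "__main__":
    print("per-TID counters:", replay_across_queues(True))
    print("single counter:  ", replay_across_queues(False))
    print("countermeasures: ", countermeasure_timeline())
```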
70. Chop chop!
Cut the last byte off the packet
Fix the checksum
Inject
If we're wrong, nothing happens
If we're right, we get a spoof alert!
Wait 60 seconds, start on next byte
71. Not quite dead yet
Not a complete break; Slow, only gets us a few packets
Once we get a few we could initiate a connection outside though...
Beginning of the end
Switch to WPA2 now before someone finishes the job on WPA1
72. Attacking WPA-EAP
Better than WPA-PSK
Commonly found on corporate networks
Many methods use PKI/TLS (SSL certificates)
No good way to distribute certs to all clients at an institutional level
Spotty OS clients
73. I am who I say I am
If UAC isn't used, deciding good certs can be in the hands of users
Users always make good decisions, right?
That SSL cert says Veri$ign, good 'nuff! (This is actually optimistic)
Obviously that tennis player wants me to see her naked!
74. Even the smart ones...
Often the OS supplicant isn't helpful
May not show all of the cert
Even if it does... Self signed vs real?
If two certs have a common root (Verisign?) the CN may not be compared anyhow
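The supplicant decision slides 73 and 74 describe, as a small policy model with the check a defender would run over a profile. This is an added example, not code from the talk, wpa_supplicant or any OS supplicant; the field names mirror wpa_supplicant's ca_cert and subject_match options, but the matching logic is a simplified assumption and the certificates are constructed. It shows the common-root problem on slide 74: a profile that trusts a public root without also pinning the server name accepts any certificate that root has issued.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ServerCert:
    """What the RADIUS server presents in the PEAP outer TLS: its root and subject."""
    root_ca: str
    subject_cn: str


@dataclass(frozen=True)
class EapProfile:
    """Supplicant network profile (simplified; names follow wpa_supplicant options)."""
    ca_cert: Optional[str] = None          # trusted root; None means the user is asked
    subject_match: Optional[str] = None    # substring the server subject must contain


def supplicant_decision(profile: EapProfile, cert: ServerCert,
                        user_clicks_ok: bool = True) -> str:
    """Return 'accept' or 'reject' for proceeding to the inner (MSCHAPv2) exchange."""
    if profile.ca_cert is None:
        # No configured trust anchor: a prompt, so the user decides (slide 73)
        return "accept" if user_clicks_ok else "reject"
    if cert.root_ca != profile.ca_cert:
        return "reject"
    if profile.subject_match is None:
        # Root matches and nothing compares the name: any cert under that root passes
        return "accept"
    return "accept" if profile.subject_match in cert.subject_cn else "reject"


def audit_profile(profile: EapProfile) -> List[str]:
    """Findings a defender would raise when reviewing a deployed supplicant profile."""
    findings = []
    if profile.ca_cert is None:
        findings.append("no ca_cert: server identity is left to the user")
    if profile.subject_match is None:
        findings.append("no subject_match: any certificate from the trusted root is accepted")
    return findings


# Constructed certificates: the real RADIUS server, and a rogue server whose
# certificate was legitimately issued by the same public root for another name.
LEGIT = ServerCert("PublicRootCA", "radius.corp.example")
ROGUE = ServerCert("PublicRootCA", "rogue-radius.example")

NO_ANCHOR = EapProfile()
ROOT_ONLY = EapProfile(ca_cert="PublicRootCA")
PINNED = EapProfile(ca_cert="PublicRootCA", subject_match="radius.corp.example")

if __name__ == "__main__":
    for name, profile in (("no anchor", NO_ANCHOR), ("root only", ROOT_ONLY), ("pinned", PINNED)):
        print(name, "legit:", supplicant_decision(profile, LEGIT),
              "rogue:", supplicant_decision(profile, ROGUE), audit_profile(profile))
```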
75. Of course you're you
Josh Wright and Brad Antoniewicz wrote a FreeRadius variant that accepts all logins
Spoof a network and advertise PEAP
Cert looks good to me!
Combine with KARMA, own everyone who connects
Harvest passwords
76. 1 2 3 4 5
PEAP gives us password as MSCHAPV2
If only there were a tool for that... like L0phtCrack
Users also pick bad passwords
That's the same password as my luggage!
77. Future Plans
More non-802.11 plugins (Zigbee, RFID)
More IDS
Integrate WPA-PSK decryption
Integrate WPA-EAP decryption with provided certificates
78. Thanks, Q&A, Live Demo
Thanks to CACE for having Sharkfest!
Thanks to everyone who has helped test Kismet-Newcore on the long road to release
Q&A