Hacking the Friendly Skies
ShmooCon - Jan 2006
Simple Nomad, Nomad Mobile Research Centre

TRANSCRIPT

Page 1: Hacking the Friendly Skies

ShmooCon - Jan 2006
Simple Nomad
Nomad Mobile Research Centre

Page 2: Hello…

• SN is with NMRC
• SN is with Vernier Networks
• SN is jaded and bitter

Page 3: Disclaimer: Why Not To Do This

• Legalities
• We have a bad enough reputation anyway

Page 4: Agenda

• Background
• Attacking
• Collected data
• Conclusion
• The Future
• BTW, Bluetooth is not really covered, and is its own unholy monster

Page 5: Background

Page 6: How This Started

• Weather delays
• Cancelled flights
• Layovers
• Gadgets and toys
• Idle hands

Page 7: There Is No In-Flight HotSpot

• Why are SSIDs called linksys, dlink, tmobile, hpsetup, 2wire etc showing up where they are clearly not?
• Can I talk to these devices?
• Can I attack these devices?

Page 8: Airline Background

• 10,000 foot rule on using approved electronics
• No approved electronic devices during takeoff/landing for one simple reason – to keep your row clear in the event of an emergency
• This is the same reason you have to stow your tray tables and put your seat back in its full upright position

Page 9: Attacking

Page 10: Second Warning

• Don’t do this shit
• If you must, do it in the terminal
  – During delays, there is more opportunity

Page 11: Contributing Factors

• Laptops with built-in WiFi
• Excellent Windows wireless integration
• Connectivity friendliness of Windows in general

Page 12: IPv4 Link-Local Addresses

• RFC 3927 – “Dynamic Configuration of IPv4 Link-Local Addresses”
• If DHCP fails to provide an IP address, interfaces with Link-Local configuration will auto-assign an address in the 169.254.0.0/16 range
• Link-Local is on by default on all interfaces on all Windows platforms, including wireless interfaces
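The address rules this slide summarises, as an added example (not code from the talk or NMRC): RFC 3927 section 2.1 has a host with no DHCP lease pick a pseudo-random address between 169.254.1.0 and 169.254.254.255, reserving the first and last /24 of 169.254.0.0/16, and allows the pick to be seeded from the interface MAC so a host tends to come back with the same address. The helper below implements those checks plus a defender-side triage of an interface's address state. The SHA-256 seeding, the sample MAC and the function names are this example's assumptions, not Microsoft's implementation.

```python
"""RFC 3927 IPv4 Link-Local address helpers (added example, not from the talk)."""
import hashlib
import ipaddress

LINK_LOCAL_NET = ipaddress.ip_network("169.254.0.0/16")
# RFC 3927 2.1: first and last /24 of the block MUST NOT be selected by a host
RESERVED_NETS = (
    ipaddress.ip_network("169.254.0.0/24"),
    ipaddress.ip_network("169.254.255.0/24"),
)
# Selectable range 169.254.1.0 .. 169.254.254.255: 254 usable /24s x 256 hosts
SELECTABLE_COUNT = 254 * 256


def is_link_local(addr: str) -> bool:
    """True if addr falls anywhere in 169.254.0.0/16 (APIPA territory)."""
    return ipaddress.ip_address(addr) in LINK_LOCAL_NET


def is_selectable_link_local(addr: str) -> bool:
    """True if a host may legitimately self-assign addr under RFC 3927 2.1."""
    ip = ipaddress.ip_address(addr)
    return ip in LINK_LOCAL_NET and not any(ip in net for net in RESERVED_NETS)


def pick_candidate(mac: str, attempt: int = 0) -> str:
    """Deterministic candidate address for a MAC and conflict-retry attempt.

    Hypothetical seeding scheme: the RFC only says the choice SHOULD be
    pseudo-random and MAY be MAC-seeded. Bumping `attempt` yields the next
    candidate after an ARP-probe conflict.
    """
    seed = f"{mac.lower()}:{attempt}".encode()
    n = int.from_bytes(hashlib.sha256(seed).digest()[:4], "big") % SELECTABLE_COUNT
    # Offset past the reserved 169.254.0.0/24 block
    return str(ipaddress.ip_address("169.254.1.0") + n)


def classify_interface(addr: str, dhcp_lease: bool) -> str:
    """Defender-side triage: a link-local address with no DHCP lease is the
    signature of a host that fell back to APIPA, the precondition for the
    ad-hoc clusters the talk describes."""
    if dhcp_lease:
        return "dhcp"
    if is_link_local(addr):
        return "apipa-fallback"
    return "static-or-unknown"


if __name__ == "__main__":
    sample_mac = "00:11:22:33:44:55"  # constructed sample value
    for attempt in range(3):
        cand = pick_candidate(sample_mac, attempt)
        print(attempt, cand, is_selectable_link_local(cand))
    print(classify_interface("169.254.13.7", dhcp_lease=False))
```

`ipaddress` alone only tells you an address is somewhere in 169.254.0.0/16; the reserved-block check is what the RFC adds, and `classify_interface` is the condition an endpoint monitor would alert on.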

Page 13: Microsoft Implementation of RFC 3927

• Example here is XP
• Start -> Connect To -> Show all connections
• Right click on wireless connection
• Internet Protocol (TCP/IP) -> Properties
• Two things to look for (and they are the default)
  – General -> Obtain an IP address automatically is checked
  – Alternate Configuration -> Automatic private IP address is checked
• These two together help spell disaster
• Details of Microsoft’s implementation under the covers are in RFC 3927 in appendix A.4

Page 14: The Magically Appearing SSID

• User boots up laptop
• Wireless is enabled
• Ethernet is disconnected, a (short) timeout occurs
• Wireless is enabled, tries to find “default” SSID
• Default SSID is not found, no DHCP server answers, Link-Local is used
• IP address is assigned from 169.254.0.0/16 range per RFC 3330, this is APIPA (Automatic Private IP Address)
• Built-in laptop becomes an ad-hoc network using “default” SSID
• PC now says it is “tmobile” or “linksys” or “dlink”, and broadcasts its SSID as such
• How?

Page 15: Magically Appearing Networks

• Users boot up laptops
• The first one up becomes the potential “SSID leader”
• As additional laptops come up and can’t find their default (re: last) SSID to connect to, they may or may not connect
• Windows stores all SSIDs you have connected to in Registry
• If you have the SSID leader’s beaconing SSID in your Registry, you could connect
• Even if you don’t, if only one SSID around, you could also connect
• Wee, automagic little clusterfuck of targetry goodness
• Multiple SSID leaders can emerge, hours of attack fun!

Page 16: Warning From RFC 3927

• From RFC 3927, section 5, paragraph 3:

NOTE: There are certain kinds of local links, such as wireless LANs, that provide no physical security. Because of the existence of these links it would be very unwise for an implementer to assume that when a device is communicating only on the local link it can dispense with normal security precautions. Failure to implement appropriate security measures could expose users to considerable risks.

Page 17: Authors of RFC 3927

Oops!

Network Working Group                                        S. Cheshire
Request for Comments: 3927                                Apple Computer
Category: Standards Track                                       B. Aboba
                                                   Microsoft Corporation
                                                              E. Guttman
                                                        Sun Microsystems
                                                              March 2005

Page 18: Attack Time

• Attach to that “tmobile” Ad-hoc Peer-to-Peer network
• If Windows, make sure YOU have Alternate Configuration hard-wired to a 169.254.0.0/16 address
• If Unix, assign yourself a 169.254.0.0/16 address
• Get victim laptop’s IP address
  – ARP for it, sniff (it is Windows, it will eventually chat NetBIOS to you), etc
• Ping it, you may have to set up a default route on Unix
• Nmap, Nessus, dsniff, Cain & Abel, Metasploit Framework, etc etc
• ()wnage, biatch

Page 19: Attack Time on Short Flights

• Configure a DHCP server on your laptop
• Attach to that “tmobile” Ad-hoc Peer-to-Peer network
• Give victim his laptop’s IP address
  – APIPA/Link-Local systems will periodically check for a DHCP server
• Nmap, Nessus, dsniff, Cain & Abel, Metasploit Framework, etc etc
• Quicker ()wnage, biatch

Page 20: Attack Time Using KARMA

• Run KARMA on your laptop
• KARMA answers all SSID requests saying “yes, I really am that SSID you’re looking for”
• Conceivably every laptop on the plane (or terminal, or commuter train) could be compromised
• Thorough ()wnage

KARMA by Dino and K2 - http://www.theta44.org/karma/

Page 21: Don’t Forget To Sniff

• SMB traffic including cached creds etc

Page 22: Evil Fake AP

• Do “recon” with laptop, PDA etc in terminal waiting for flight
• Determine most popular SSID
• Set up fake AP with that SSID
• Offer up a DNS server
• Resolve EVERYTHING to your address
• Hello LM/NTLM hashes

Page 23: Add Honeypot Technology

• Sniff for probes to IMAP/POP3
  – Remember, your DNS server will say you are that server
• Run Honeypot mail server
• Accept (and log) every user and password

Page 24: Idle Hands

• Change background image
• Find pr0n on target, make that the background image
  – You’ve backdoored the system, literally
• Launch MP3s with Parental Advisory lyrics
  – Rap, death metal, industrial (make a political statement)
  – Launch when cluebag goes to the lavatory for maximum effect
• Launch MP3 real loud that says, “wow this porn is hot!” and then launch hot .avi, .mpg, or .wmv
• Launch MP3 that says, “how much for a lavatory quickie, bitch?” during the drink service
• Install a server and serve up pr0n to the rest of the aircraft
  – Repeat earlier bullet item on multiple machines
• Cover your tracks! Upload your tools, attack other machines, then attack your own machine (plausible deniability)

Page 25: Collected Data

Page 26: Atlanta, GA Midweek

• Largest city in the region, lots of businesses
• Weather delay, sat on tarmac in DFW ½ mile from terminal for 1 hour while thunderstorm passed
• MD80 aircraft, half full flight, 8 laptops out and running
• 2 ad-hoc networks
• 3 live targets, 2 Windows XP, 1 Windows 2000
  – Windows XP fully patched with firewalling
  – Windows 2000 vulnerable to MS05-039

Page 27: Charlotte, NC Midweek

• Heavy banking/insurance town
• Weather delay, target-rich environment in Charlotte (dozens of ad-hoc networks) at the gate before flight
• MD80 aircraft, full flight, 12 laptops out and running
• 5(!) ad-hoc networks
• 5 live targets, 2 Windows XP, 1 Windows 2003, 2 Windows 2000
  – Only Windows 2003 fully patched with firewall
  – Rest vulnerable to MS05-017 and/or MS05-039

Page 28: ToorCon 7 Return Flight, Monday Morning

• In terminal, very few laptops out (it was fucking 6am), only 1 ad-hoc network named tmobile
• 757 aircraft, full flight, 22 laptops out and running
• 1 ad-hoc network formed named 249143
• 2 additional nodes had attached to it (apparently clueless they had done so)
• 3 live targets - 2 Windows XP, 1 Windows 2000
  – Windows 2000 vulnerable to MS05-039
• Dlink technician (no I am not making this up, overheard him talking)
  – Windows XP Pro, vulnerable to MS05-017
  – Windows XP at SP1, vulnerable to MS05-017
• This guy was across the aisle, VP of a physical security company, w00t!

Page 29: SJC - DFW, Tuesday Afternoon

• In terminal, 5 laptops out, 3 ad-hoc networks, 1 named linksys
• MD80 aircraft, half-full flight, 14 laptops out and running
• 4 ad-hoc networks named MSFTWAN, GoldenTree, Fly Aloha, and orange
• Orange had WEP turned on (?)
• 4 live targets – 2 Windows XP Pro, 2 Windows 2000
  – Windows XP Pro firewalled, probably SP2 (orange), fingerprinted using visual reconnaissance
  – Windows XP SP0 or SP1, patched up but 2 open shares (one had pr0n)
  – Both Windows 2000 vulnerable to MS05-039
  – 1 Windows 2000 had a web server running
• MSFTWAN? Certainly not….

Page 30: Best Target Locations

• Airline 31337 Flyx0r clubs, but this is regular laptop-to-laptop hacking
• Business commuter flights
  – Early Monday flights are best
  – Major business hauls
    • Eg LGA – DCA, EWR – BOS, ORD – LAX, HOU – ATL, especially in and out of high tech areas
  – Get a seat near front part of coach
    • Road warriors request these seats in advance to get off the plane quicker
    • Aircraft with limited power outlets usually have outlets there
    • Better able to visually shoulder-surf during recon phase, helps with OS detection
  – Flights with lower passenger loads will have road warriors in First Class due to upgrades

Page 31: Contributing Factors

• Bad weather/delays means increased laptop usage in terminal
  – Rain dance or l33t weather-controlling satellite ownage can help you
• Certain airports have no wireless
  – Charlotte, NC for example
  – Virtually all non-WEP/WPA SSIDs are ad-hoc

Page 32: Conclusions

Page 33: Why This Happens

• Configuration for talking to infrastructure, no problems
• Once you can’t find infrastructure linksys or tmobile, you will attach to ad-hoc versions if available
• From this point on you will auto-assign an ad-hoc network with that SSID
  – It is a configuration “virus”, currently operating in the wild

Page 34: What’s Bad

• Alternate Configuration on wireless
  – Turn off your wireless, bad monkey, no banana
  – It should be off unless really needed
• Works wherever sheeple laptop users gather and there is no wireless (hotels and convention centers without available wireless, commuter trains, etc)

Page 35: What’s Good

• Easy workarounds
  – Turn off your wireless connection when not in use (duh)
  – Set your wireless to only talk to infrastructure networks (advanced settings)
  – Personal firewalls will help, and on XP SP1 or later make sure the firewall is on
  – WEP on an adhoc network is possible
• Per the Microsoft Security Response Center, patches will be included in the next service pack releases to prevent the auto-advertising of adhoc networks
  – In spite of lame nature of attack (and it is pretty lame), Microsoft took it seriously
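The detection and the client-side fix for the mechanism in "Why This Happens" and "What's Good", as an added example (not code from the talk or NMRC). Input is a constructed list of scan records in the shape a site-survey tool might emit (SSID, BSS type, privacy flag, channel, signal); the record layout, the default-SSID list, the sample scan and the policy function are this example's own assumptions. `audit()` flags ad-hoc networks beaconing a well-known infrastructure SSID with no encryption, the "configuration virus" signature; `should_join()` is the infrastructure-only join policy the slide recommends, which refuses an ad-hoc network even when its name matches a remembered SSID.

```python
"""Ad-hoc "SSID leader" detection and infrastructure-only join policy (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# SSIDs the talk lists as turning up "where they are clearly not"
DEFAULT_SSIDS = {"linksys", "dlink", "tmobile", "hpsetup", "2wire", "default"}


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bss_type: str      # "infrastructure" or "adhoc"
    encrypted: bool    # privacy bit set (WEP/WPA)
    channel: int
    signal_dbm: int


# Constructed sample scan, loosely modelled on the gate/flight findings in the deck
SAMPLE_SCAN: List[ScanRecord] = [
    ScanRecord("tmobile", "adhoc", False, 11, -61),
    ScanRecord("linksys", "adhoc", False, 6, -70),
    ScanRecord("orange", "adhoc", True, 1, -75),              # ad-hoc with WEP on
    ScanRecord("AirportFreeWiFi", "infrastructure", False, 6, -55),
    ScanRecord("249143", "adhoc", False, 11, -66),            # random-looking leader
]


def risk_of(rec: ScanRecord) -> Optional[str]:
    """Reason string if the record looks like an APIPA ad-hoc cluster, else None."""
    if rec.bss_type != "adhoc":
        return None
    name = rec.ssid.strip().lower()
    if name in DEFAULT_SSIDS and not rec.encrypted:
        return "open ad-hoc net beaconing a hotspot/default SSID: probable APIPA leader"
    if not rec.encrypted:
        return "open ad-hoc net: any client can join with no credentials"
    return "encrypted ad-hoc net: lower risk, still not infrastructure"


def audit(scan: List[ScanRecord]) -> List[Tuple[str, str]]:
    """Return (ssid, reason) for every record worth a closer look."""
    findings = []
    for rec in scan:
        reason = risk_of(rec)
        if reason:
            findings.append((rec.ssid, reason))
    return findings


def should_join(rec: ScanRecord, remembered: Set[str], infrastructure_only: bool = True) -> bool:
    """Client join policy.

    With infrastructure_only=True (the recommended setting) an ad-hoc network is
    never joined, even when its SSID matches a remembered profile. With it off,
    the policy still refuses an open ad-hoc net whose name merely matches a
    remembered SSID, which is exactly the trap the slides describe.
    `remembered` holds lower-cased profile SSIDs.
    """
    name = rec.ssid.strip().lower()
    if name not in remembered:
        return False
    if rec.bss_type == "adhoc":
        if infrastructure_only:
            return False
        return rec.encrypted   # at best: ad-hoc only when it is at least encrypted
    return True


if __name__ == "__main__":
    for ssid, reason in audit(SAMPLE_SCAN):
        print(f"{ssid:16} {reason}")
    profiles = {"tmobile", "airportfreewifi"}  # constructed remembered profiles
    for rec in SAMPLE_SCAN:
        print(f"join {rec.ssid:16}? {should_join(rec, profiles)}")
```

Run against the sample scan, `audit()` reports every ad-hoc record and singles out "tmobile" and "linksys" as probable leaders; `should_join()` lets the client onto the infrastructure "AirportFreeWiFi" it remembers but never onto the ad-hoc "tmobile", which is the behaviour the "only talk to infrastructure networks" setting buys you.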

Page 36: Quick WiFi Detection for Passengers and Flight Crews

• Digital Hotspotter (<$100) will detect signal strength, show SSID, encryption or not, and channel
• Kensington WiFi Finder Plus (<$30) will detect the presence of WiFi and Bluetooth

Page 37: The Future

Page 38: FCC vs. FAA

• FCC says cell phone/wifi is ready for use on planes
• FAA has still not approved the technology
• Without push from the airlines, the FAA is unlikely to budge soon
• AA, United, and Delta were ready to start the push for pico cell-based cellular service on airplanes in 2001
  – Unfortunately 9/11 happened and they all lost money, and the technology is very expensive
• Watch the cellphone usage issue for planes (1/5 the cost to implement), wifi will follow
• Last “cellular interference” study to conclude in 2006

Page 39: Flying With Big Brother

• DHS and DOJ both want the ban on cellphone/wifi on planes to remain in effect
• If implemented, DHS and DOJ want the ability to monitor ALL traffic
  – Prevent cabin-to-cabin/air-to-ground/air-to-air terrorist coordination
• This added measure would increase the cost of implementing the infrastructure immensely

Page 40: Inflight Broadband Basics

• Available now on limited flights
  – Non-US carriers
  – Overseas flights only
• Typically private class C for passengers
• Uses a combination of satellites and 5 ground locations to move packets back and forth
• Approximately $30 USD for unlimited usage during a 6+ hour flight

Page 41: Inflight Broadband Adopters

• Three Vendors
  – Connexion, Tenzing (SMS, email only), and Sky Way
• Various airlines are involved
  – British Airways
  – Japan Airlines
  – Lufthansa
  – SAS
  – Singapore Airlines
  – Nippon Airways
  – Southeast Airlines
  – Executive Charter

Page 42: Inflight Broadband Issues

• Expensive to implement (roughly $400k per plane)
  – US-based airlines are not buying it
• Currently little to no security implemented
  – Security solutions cost extra, and the airlines aren’t buying it
• Disputable legality of in-flight air-to-air or air-to-ground hacking
  – Attacker in 15A, victim in 17D – mid-Pacific/Atlantic and who is to blame?
  – You are over international waters, no clear jurisdiction
  – Think “cruise ship enters international waters, the casino now legally opens”
  – Does this apply to laptop-to-laptop hacking mid-flight?

Page 43: Additional Inflight Issues

• Windows CE 2003 and Boeing Aircraft
  – As we speak Boeing is disabling Bluetooth, which was enabled by default
  – No I am not kidding, Windows CE
• WTF!? Bluetooth??!? Windows CE!!?!
  – Can you say “backdoor” so ground personnel can land a hijacked plane via AutoLand and/or RoboLander?
• Imagine a terrorist with a Bluetooth gun aimed at a plane after take-off
• Imagine an instruction of “please go to -2000 feet in 15 minutes kthxbye”
• BTW have a safe flight home from ShmooCon!

Page 44: Thanks

Page 45: FIN, Biatchez

Images © 2005, 2006 NMRC www.nmrc.org

Thanks to NMRC folks for feedback
Photo session by Duy Nguyen and Amy Lee Muir
Art Manipulation by Weasel
NMRC Fetish Model – Bethany