Shifting the Focus of WiFi Security: Beyond cracking your neighbor's WEP key
TRANSCRIPT

Shifting the Focus of WiFi Security:
Beyond cracking your neighbor's WEP key

Who are we and why do you care?
• Thomas “Mister_X” d'Otreppe de Bouvette: Founder of Aircrack-ng
• Rick “Zero_Chaos” Farina: Aircrack-ng Team Member, Embedded Development

DISCLAIMER:
Some of the topics in this presentation may be used to break the law in new and exciting ways…
Of course we do not recommend breaking the law, and it is your responsibility to check your local laws and abide by them.
DO NOT blame us when a three letter organization knocks on your door.

Contest
Find the AP: we have hidden an AP somewhere in the airwaves.
Report the frequency of operation and MAC address to win.
(Insiders and friends are not eligible.)

Spoils (first winner only)
• Find the AP before the end of the talk: full price of a Ubiquiti SRC wifi card
• Find the AP before 1pm: $50 towards a nice Atheros card
• Find the AP after 1pm: hearty handshake and a pat on the back

History of WEP Attacks / Why it doesn’t work
• Passively sniff for a long time: slow, not enough data, impatient; no more weak IVs
• Replay/injection attacks: fast but very noisy; simple signatures; AP features that try to block them (PSPF)

History of WPA Attacks / Why it doesn’t work
• Pre-shared key: requires catching both sides of a quick handshake; must be in range of client and AP
• Enterprise: nearly impossible to crack passively; most EAP types are difficult (at best) to MiTM

The Well Guarded Door
• Nearly 100% of attacks focus on the AP
• APs are getting more and more secure
• New features built into APs: PSPF / client isolation; strong authentication / encryption; lightweight controller-based architecture
• APs are no longer the unguarded back door: well deployed with forethought for security; well developed industry best practices

Take the Path of Least Resistance: Attack the Clients!
• Tools have slowly appeared recently
• Difficult to use
• Odd requirements to make them function

Attacking Client WEP Key
• Wep0ff
• Caffe-Latte
• Hirte Attack

Attacking Client WPA Key
• WPA-PSK: no public implementation
• WPA-ENT: FreeRADIUS-WPE (thanks Brad and Josh!); requires a hardware AP

Attacking the Client
• Many separate tools
• Difficult to configure
• Typically sparsely documented
• Odd requirements and configurations
Until now…

Introducing Airbase-ng
• Full monitor mode AP simulation, needs no extra hardware
• Merges many tools into one
• Also works in Ad-hoc mode
• New and improved, simplified implementations
• Easy, fast, deadly (to encryption keys at least)

Airbase-ng Abilities
• Evil Twin / Honey Pot
• Karma
• WEP attacks
• WPA-PSK attacks
• WPA-Enterprise attacks (coming soon)

Airbase-ng Features
• Soft AP
• WEP: Open/Shared auth; Caffe Latte; Hirte attack
• Capture WPA/WPA2 handshake
• Manipulate and resend packets
• Encrypt/Decrypt packets

Airbase-ng Features: Filtering to avoid disturbing nearby networks
• AP filters: BSSIDs, ESSIDs
• Client filters: MAC filtering (allow/disallow)

Airbase-ng Abilities
• WPA handshake capture:
  airbase-ng -W 1 -c 5 -z 2 -I 102 --essid myAP rausb0
• Script to manipulate packets:
  airbase-ng -Y both rausb0
  then start replay.py on at1
• Soft AP:
  airbase-ng -y -e myAP -c 5 -I 102 rausb0
  ifconfig at0 up 192.168.0.254
  then ping/ssh/… it from the client

What are you, a blackhat?
No seriously, this doesn’t promise a win. There are ways to defend as well.
APs are finally being configured securely; now clients must be as well.

Simple Defenses
• Proper secure client configurations
• Check the right boxes
• GPO

A Step Beyond Crazy
WiFi frequencies (MHz):
• .11b/g: 2412-2462 (US)
• .11a: 5180-5320, 5745-5825 (US)
Does this look odd to anyone else? Does the card really not have the ability to use 5320-5740?

Licensed Bands
• Some vendors carry licensed radios
• Special wifi cards for use by military and public safety
• Typically expensive
• Requires a license to even purchase
• Frequencies of 4920 seem surprisingly close to 5180

Can we do this cheaper?
• Atheros and others sometimes support more channels
• Allows one radio to be sold for many purposes
• Software controls the allowed frequencies

Who Controls the Software?
• Sadly, typically the chipset vendors
• Most wifi drivers in Linux require binary firmware
• This firmware controls regulatory compliance as well as purposing

What can we do?
• Fortunately, most Linux users don’t like closed source binaries
• For many reasons, fully open sourced drivers are being developed
• As these drivers become stable, we can start to play

Let’s Play…
• Madwifi-ng is driven by a binary HAL
• Ath5k is the next gen fully open source driver
• Kugutsumen released a patch for a “DEBUG” regdomain
• Allows all *officially* supported channels to be tuned to

Fun Comments in ath5k
```c
/* Set this to 1 to disable regulatory domain restrictions for channel tests.
 * WARNING: This is for debuging only and has side effects (eg. scan takes too
 * long and results timeouts). It's also illegal to tune to some of the
 * supported frequencies in some countries, so use this at your own risk,
 * you've been warned. */
```

Comments (cont)
```c
/*
 * XXX The tranceiver supports frequencies from 4920 to 6100GHz
 * XXX and from 2312 to 2732GHz. There are problems with the
 * XXX current ieee80211 implementation because the IEEE
 * XXX channel mapping does not support negative channel
 * XXX numbers (2312MHz is channel -19). Of course, this
 * XXX doesn't matter because these channels are out of range
 * XXX but some regulation domains like MKK (Japan) will
 * XXX support frequencies somewhere around 4.8GHz.
 */
```

New Toys
Yesterday:
• .11b/g: 2412-2462 (US)
• .11a: 5180-5320, 5745-5825 (US)
Today:
• .11b/g: 2192-2732 (DEBUG)
• .11a: 4800-6000 (DEBUG)

What is on these new frequencies? (MHz)
• 2180.000 - 2200.000: Fixed Point-to-point (n-p)
• 2200.000 - 2290.000: DoD
• 2300.000 - 2310.000: Amateur
• 2390.000 - 2450.000: Amateur
• 2450.000 - 2500.000: Radio location
• 2500.000 - 2535.000: Fixed SAT
• 2500.000 - 2690.000: Fixed Point-to-point (n-p), Instructional TV
• 2655.000 - 2690.000: Fixed SAT
• 2690.000 - 2700.000: Radio Astronomy
• 2700.000 - 2900.000: DoD

Freq (cont)
• 4400.000 - 4990.000: DoD
• 4990.000 - 5000.000: Meteo - Radio Astronomy
• 5250.000 - 5650.000: Radio Location - Coastal Radar
• 5460.000 - 5470.000: Radio Nav - General
• 5470.000 - 5650.000: Meteo - Ground-based Radar
• 5650.000 - 5925.000: Amateur
• 5800.000: ISM
• 5925.000 - 6425.000: Common Carrier and Fixed SAT

Spectrum Analyzer
• Fully tested frequencies
• Sadly they wouldn’t let me borrow the SA
• Warning: this may differ from card to card; I’ve already lost a few wifi cards…

Limitations
• Many real licensed implementations are broken
• Card reports channel 1 but is actually on 4920MHz
• This is done to make it easy to use existing drivers
• This breaks many open source applications

Airodump-ng
• Airodump-ng now supports a list of frequencies to scan rather than channels
• Only channels are shown in the display, which may be wrong
• Strips vital header information off the packet, so data saved from extended channels is useless

Kismet
• At time of writing is unable to handle most of the extended channels
• Displays channels, not frequencies
• Does save usable pcap files*

Improvement Needed
• Sniffers are too trusting: they believe what they see
• Never intended to deal with oddly broken implementations such as channel number fudging
• Sniffers need to be improved to report more reality and fewer assumptions
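To make the "report reality, not assumptions" point concrete, here is an added example (not code from the slides, nor from the aircrack-ng or Kismet projects) that reads the frequency a frame was actually received on from its radiotap header instead of trusting a driver-reported channel number, and then applies the Linux-style frequency-to-channel mapping to show where channel numbers stop being meaningful: 4920 MHz (which a licensed-band card may label "channel 1") and the negative channel from the ath5k comment. The frame bytes are constructed for the example; the 3 dB margin and field names are assumptions.

```python
import struct

# Radiotap "present" bits this parser walks: bit -> (field size, alignment).
# Alignment is relative to the start of the radiotap header. The walk stops
# at the first present bit it does not know, since later offsets would be wrong.
RADIOTAP_FIELDS = {
    0: (8, 8),   # TSFT
    1: (1, 1),   # Flags
    2: (1, 1),   # Rate
    3: (4, 2),   # Channel: u16 frequency in MHz, u16 channel flags
    4: (2, 2),   # FHSS
    5: (1, 1),   # dBm antenna signal (signed)
    6: (1, 1),   # dBm antenna noise
    7: (2, 2),   # Lock quality
    8: (2, 2),   # TX attenuation
    9: (2, 2),   # dB TX attenuation
    10: (1, 1),  # dBm TX power
    11: (1, 1),  # Antenna
    12: (1, 1),  # dB antenna signal
    13: (1, 1),  # dB antenna noise
    14: (2, 2),  # RX flags
}


def parse_radiotap(buf):
    """Return (header_length, fields): the frequency and signal the radio itself
    reported in the radiotap header, independent of any channel number."""
    version, _pad, it_len, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or it_len > len(buf):
        raise ValueError("bad radiotap header")
    # Field data begins after the chain of present words (bit 31 = another word).
    offset = 8
    word = present
    while word & (1 << 31):
        word = struct.unpack_from("<I", buf, offset)[0]
        offset += 4
    fields = {}
    for bit in range(31):
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            break
        size, align = RADIOTAP_FIELDS[bit]
        offset = (offset + align - 1) // align * align
        if bit == 3:
            fields["freq_mhz"], fields["chan_flags"] = struct.unpack_from("<HH", buf, offset)
        elif bit == 5:
            fields["dbm_signal"] = struct.unpack_from("<b", buf, offset)[0]
        offset += size
    return it_len, fields


def freq_to_channel(freq_mhz):
    """Linux ieee80211-style frequency -> channel mapping. Outside the usual
    bands it yields numbers channel-centric tools never expect: 2312 MHz gives
    -19 (the case the ath5k comment describes) and 4920 MHz gives 184."""
    if freq_mhz == 2484:
        return 14
    if freq_mhz < 2484:
        return (freq_mhz - 2407) // 5
    if 4910 <= freq_mhz <= 4980:          # 4.9 GHz public-safety band
        return (freq_mhz - 4000) // 5
    return (freq_mhz - 5000) // 5


def describe_frame(buf):
    """Decode radiotap, then the 802.11 frame-control byte that follows it."""
    hdr_len, radio = parse_radiotap(buf)
    fc = buf[hdr_len]
    freq = radio.get("freq_mhz")
    return {
        "freq_mhz": freq,
        "channel": freq_to_channel(freq) if freq is not None else None,
        "dbm_signal": radio.get("dbm_signal"),
        "type": (fc >> 2) & 0x3,          # 0 management, 1 control, 2 data
        "subtype": fc >> 4,
    }


def build_sample_frame(freq_mhz, dbm_signal, frame_control=0x80):
    """Constructed test input (not a real capture): radiotap header with TSFT,
    Flags, Rate, Channel and dBm signal, then a minimal 802.11 header
    (0x80 = beacon). With exactly these fields the layout is naturally aligned."""
    present = (1 << 0) | (1 << 1) | (1 << 2) | (1 << 3) | (1 << 5)
    body = struct.pack("<Q", 0)                       # TSFT at offset 8
    body += struct.pack("<BB", 0x00, 12)              # Flags, Rate (12 * 500 kbit/s)
    body += struct.pack("<HH", freq_mhz, 0x0140)      # Channel: freq, flags (not decoded)
    body += struct.pack("<b", dbm_signal)             # dBm antenna signal
    radiotap = struct.pack("<BBHI", 0, 0, 8 + len(body), present) + body
    dot11 = (struct.pack("<BBH", frame_control, 0, 0)  # FC, flags, duration
             + bytes.fromhex("ffffffffffff")            # DA: broadcast
             + bytes.fromhex("020000000001") * 2        # SA and BSSID (made up)
             + struct.pack("<H", 0x10))                 # sequence control
    return radiotap + dot11


if __name__ == "__main__":
    for freq in (4920, 2312, 5180):
        print(describe_frame(build_sample_frame(freq, -47)))
```

The design point is that the radiotap channel field is what the radio reported, so a sniffer that keys its display and its saved metadata on `freq_mhz` survives drivers that fudge channel numbers, while one that keys on `channel` silently mislabels 4.9 GHz traffic and cannot represent a 2312 MHz frame at all.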

Improvements made!
• After this talk was submitted, changes started happening
• Kismet-newcore fully supports fun channels
• Displays frequencies that packets are received on
• Airodump-ng updates are being made now for release soon

Final Thoughts
• Remember everyone here is a white hat
• Please use your new found knowledge for good, not evil
• In the United States it is LEGAL to monitor all radio frequencies
• Have fun…

WEP cloaking
• Old hardware like wireless barcode scanners
• Insert chaff in the air to fool cracking tools
• Good idea, but: uses half the bandwidth => 300kb/sec with 11Mbit; sometimes packets don’t need to be filtered to be cracked

How to break it?
• No public documentation => analyze capture files
• Every data packet is cloaked (at least packets from the AP are protected)
• Cloaked packet size is the same as the original packet
• Plays with sequence numbers: in most cases not the same as the original packet (cloaked SN = original +2 to -2)
• Only data packets are cloaked (at least type 2, subtype 0)
• Signal is not the same as the access point

Implementation
• No idea of the implementation => don’t care about the key used by the sensor (if any) or the data used in cloaked packets (real or fake)
• Apply filters to remove cloaked packets: signal; sequence numbers
• Base analysis on packets known not to be cloaked
• Combine filters in a different order

Implementation
We know that all management and control frames are uncloaked.
• Base filter: if any packet with an unknown status has the same SN as one of the uncloaked packets, then it’s cloaked
• Signal filter: get the average signal from uncloaked packets; allow a small margin of error; packets outside the margin should be cloaked
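As an added illustration of how little the chaff resembles the AP's own traffic (this is not the code the slides announce for the subversion repository), the following Python applies the two filters just described to a constructed set of decoded frames: management and control frames are taken as known-uncloaked, data frames that reuse one of their sequence numbers are marked cloaked, and the remaining data frames are compared against the average signal of the uncloaked frames with a small margin. The frame values, the 3 dB margin and the field names are all assumptions made for the example.

```python
from collections import Counter, namedtuple
from statistics import mean

# One decoded frame as a sniffer sees it: 802.11 type (0 mgmt, 1 ctrl, 2 data),
# subtype, sequence number and received signal in dBm.
Frame = namedtuple("Frame", "ftype subtype seq signal")
MGMT, CTRL, DATA = 0, 1, 2

# Constructed sample (not a real capture). The AP's own frames share one
# sequence counter and arrive at about -40 dBm; the two chaff frames either
# reuse a nearby sequence number or come in from a different radio at -57 dBm.
SAMPLE_FRAMES = [
    Frame(MGMT, 8, 100, -40),   # beacon
    Frame(MGMT, 8, 101, -41),   # beacon
    Frame(DATA, 0, 102, -40),   # real data frame
    Frame(DATA, 0, 101, -56),   # chaff: same SN as an uncloaked beacon
    Frame(DATA, 0, 103, -42),   # real data frame
    Frame(DATA, 0, 105, -57),   # chaff: SN looks plausible, signal does not
    Frame(DATA, 0, 104, -39),   # real data frame
    Frame(MGMT, 8, 106, -39),   # beacon
]


def classify_frames(frames, signal_margin_db=3.0):
    """Return one verdict per frame, in input order: 'uncloaked'
    (management/control), 'real', 'cloaked:seq' or 'cloaked:signal'."""
    known = [f for f in frames if f.ftype != DATA]
    if not known:
        raise ValueError("need at least one management or control frame as a reference")
    known_seqs = {f.seq for f in known}
    avg_signal = mean(f.signal for f in known)

    verdicts = []
    for f in frames:
        if f.ftype != DATA:
            verdicts.append("uncloaked")
        elif f.seq in known_seqs:
            # Base filter: a real transmitter does not reuse a sequence number
            # it already spent on a management frame (short of counter wrap).
            verdicts.append("cloaked:seq")
        elif abs(f.signal - avg_signal) > signal_margin_db:
            # Signal filter: chaff comes from the sensor's radio, not the AP's.
            verdicts.append("cloaked:signal")
        else:
            verdicts.append("real")
    return verdicts


def summarize(frames, signal_margin_db=3.0):
    """Count verdicts: the figure an operator evaluating this defense wants is
    how much chaff survives a filter this simple (for the sample, none)."""
    return dict(Counter(classify_frames(frames, signal_margin_db)))


if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, classify_frames(SAMPLE_FRAMES)):
        print(f"{verdict:15} {frame}")
    print(summarize(SAMPLE_FRAMES))
```

The takeaway for anyone relying on cloaking: chaff that has to coexist with the AP's own management traffic leaks its nature through the sequence counter and the radio it is sent from, so it buys little against an analyst and nothing against the underlying WEP weakness; moving the barcode scanners and other legacy clients to a segregated network with stronger encryption is the durable fix.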

Implementation
Code release soon, check the subversion.

Thanks
Updated slide presentation can be found at: http://www.aircrack-ng.org/defcon16.ppt
Bibliography
• http://www.willhackforsushi.com/FreeRADIUS-WPE.html
We will complete this and post this weekend.