
1 SHARKFEST '09 | Stanford University | June 15–18, 2009
Wifi Security, Sharkfest '09
Mike Kershaw, Kismetwireless.net

2 (image slide, no text)

3 Who?
- Mike Kershaw (sometimes aka Dragorn)
- Random OSS security developer (Kismet, Lorcon, Spectools, other stuff)
- Software Engineer at Aruba Networks in the Aruba Threat Labs and Aruba OSS Labs

4 The Plan
- Speed-view of old Kismet (boring)
- New Kismet (the good stuff)
- Spectrum analysis
- 802.11 injection and attacks
- Future work
- Q&A (aka “Audience does my work for me”)

5 Origins of Kismet
- Summer of 2001, Airsnort released for Prism2 cards
- Modified it to show SSIDs
- Asked if they wanted patches. They didn't.
- Got a Cisco card which didn't talk prism2 netlink anyhow
- Winter 2001, first Kismet release

6 How Kismet does its voodoo
- Kismet places the device in monitor mode, aka rfmon
- Subtly different from promisc mode
- Raw 802.11 packets with the headers intact
- Gives us all packets the card sees, regardless of packet type or channel overlap

7 The voodoo that it do (2)
- Seeing all the packets lets us:
  – Detect networks, even “cloaked” networks
  – Detect clients
  – Act as an 802.11 layer-2 IDS
  – Collect and decode/decrypt at a later date
  – Be a completely undetectable passive observer

8 Hello, my name is 802.11
- Detecting 802.11: it's really easy to do. Really easy.
- Networks are fundamentally noisy. “Look at me! I'm a network! This is my name! Come talk to me!”
- Even weird networks with squelched beacons chat when someone joins
- Cloaked networks? Not so much.

9 I'd like to talk to you
- Detecting 802.11 clients is as easy as detecting networks, in monitor mode
- If a client is talking to a network, you'll see it.
- Every network a client looks for: “I'm looking for SomeHighProfileDotCom, are you my mommy?”

10 Don't do that
- Snort is a great OSS IDS but doesn't have many rules for 802.11 layer 2
- Kismet already looks at all the packets anyhow
- Stateless IDS (fingerprints)
- Stateful (trends over time)
- Flooding, DHCP abuse, fuzzing/driver attacks, spoofing, etc.

11 The boring UI (screenshot)

12 Still Boring (screenshot)

13 Kismet-Newcore
- Project name of a total rewrite of the Kismet base, now Kismet-2009-05-RC2 and newer (hooray, releases!)
- Primary goal: fix complaints about Kismet usability, config difficulties, etc.
- Old code “grew”; new code is designed

14 New stuff in Newcore
- Simpler configs
- Live adding of sources
- Smarter remote capture
- Better error handling
- New user interface
- Better IDS
- Plugins!

15 The exciting UI (screenshot)

16 More excitement (screenshot)

17 Further Thrills (screenshot)

18 Configuring Kismet
- Much easier now!
- New security model similar to Wireshark: add user to the 'kismet' group
- Source types autodetected in most situations
  – ncsource=wlan0
- Run-time source adding
- Run-time configuration of UI

19 Live Export
- Virtual network device with tun/tap
- Fake 802.11 NIC
- Realtime export for any pcap-aware tool (Wireshark, Snort, packet-o-matic)
- Aggregate local and remote sources
- Homogenize packet headers

20 Plugins (not airfresheners)
- Can do anything Kismet can do
- Define new capture sources and protocols (DECT? Zigbee? Spec-An?)
- Add new commands, IDS, logs
- Add new widgets to the user interface
- Visualize custom data

21 Kismet + DECT
- http://www.dedected.org
- Com-On-Air DECT PCMCIA
- Sniff cordless phones
- Adds a full non-802.11 protocol to Kismet in plugins (in 800 lines!)
- Server and client plugins for logging and display

22 Kismet + DECT (2) (screenshot)

23 Kismet + Spec-An
- Spectrum analysis
- Uses Wi-Spy from MetaGeek
- Logs spectrum data to a PPI spectrum header in the pcap file
- Display spectrum in the Kismet UI
- Correlate network events with spectrum history

24 Kismet + Spec-An (2) (screenshot)

25 Mapping
- Old map code kind of useless
- New map code in progress
- Works with “popular map service”, rhymes with “Foogle”
- Arbitrarily large images
- International support

26 Mapping Oslo (screenshot)

27 Mapping Zoom (screenshot)

28 Picking a Platform
- If you can, Linux is the best bet
  – It's what I use, and it's what Kismet is written on
- LiveCD distros like Backtrack are easy
- Most cards have in-kernel drivers
- Some out-of-kernel drivers may still be needed (ralink 11n)

29 Pick a platform (2): Windows
- AirPcap is a must
- Only device with monitor mode on Windows with public drivers
- May be possible to hack other drivers from commercial sniffers, but I like not being sued
- CACE supports OSS. Yay!

30 Pick a platform (3): OSX
- Airport drivers work (Broadcom, Atheros, with Apple drivers)
- Old Airport Classic doesn't really work anymore
- USB will not work
- KisMAC can do USB, but is unrelated to Kismet and uses embedded non-portable drivers

31 Pick a Platform (4): Faking it
- Kismet requires direct access to hardware with native drivers
- Virtualization with USB passthrough can work (VMware, KVM, Parallels, VirtualBox)
- No way to use cardbus/pci/internal/pcmcia cards.

32 Related Tools
- Spectools – Spectrum Analysis for Cheap
  – Curses, GTK, network
  – Userspace USB drivers for Wi-Spy
- Lorcon – Loss Of Radio Control
  – Homogenizing injection across platforms
  – Same API for all drivers

33 Spectools
- GPL drivers for Wi-Spy
- Developed with support from MetaGeek – they “get” open source!
- Works with all 3 Wi-Spy devices
- Network-compatible with Windows
- Find non-802.11 interference like jamming attacks

34 Spectrum Sniffing (screenshot)

35 Sniffing 5GHz (screenshot)

36 LORCON
- Platform and driver neutral
- Every driver has quirks: do you write raw packets? Rtap? Prism? Big endian? Host endian?
- Most injection tools were custom written for specific (now outdated) drivers

37 LORCON (2)
- Josh Wright and I decided per-driver custom apps suck
- Any app using LORCON should work with any driver
- Functional modes provide “best fit”
- Basic packet crafting library
- Basic packet dissection (strip custom headers)

38 LORCON (3)
- Ported several apps to LORCON as proof-of-concept
- AirPwn running on Windows with AirPcap TX? Sure, why not.
- Raw packets with Metasploit? Sounds like a good idea!
- http://802.11ninja.net

39 Security Snake Oil: Cloaking
- SSID cloaking tries to hide the network SSID so clients can't connect
- Operative word: tries
- SSID is not a protected field!
- “Cloaking” simply hides the SSID in beacons. Good thing we see all the packets then!

40 Snake Oil: Cloaking (2)
- Network->All: “I'm a network!”
- Client->All: “I'm looking for a few good networks. Who are you?”
- Network->All: “Not gonna tell you.”
- OtherClient->Network: “I want to join SomeCloakedNet”
- Network->OtherClient: “That sounds like me, come on in.”

41 Snake Oil: Cloaking (3)
- All we have to do is wait for a client to join the network and capture the probe request/response
- Waiting sounds boring. I don't like boring.
- How about we send a packet from the network, to everyone, saying “Get out”?

42 Snake Oil: Cloaking (4)
- FakeNet->All: “Get out, now.”
- All: “Oh no! I need to find a network!”
- Client->Network: “I'm looking for SomeCloakedNet again.”
- Network->Client: “Sure, come on in.”
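How a passive monitor in the Kismet role sees the exchange on slides 39 to 42, as an added Python example (not Kismet's code): it parses hand-built 802.11 management frames, marks a BSSID whose beacons carry an empty SSID element as cloaked, learns the real name from the unicast probe response, and raises an alert when the same BSSID sends repeated broadcast deauthentication frames. The MAC addresses, frames and the deauth threshold are constructed assumptions; frame layouts follow the standard management-frame format.

```python
import struct
from collections import Counter

# Constructed sample addresses (not from any real capture)
BROADCAST = b"\xff" * 6
AP = bytes.fromhex("001122aabbcc")
STA = bytes.fromhex("66778899ccdd")

BEACON, PROBE_RESP, DEAUTH = 8, 5, 12   # 802.11 management subtypes

def mgmt_frame(subtype, da, sa, bssid, body):
    """Build a minimal management frame: FC, duration, 3 addresses, seq ctrl, body."""
    fc = struct.pack("<H", subtype << 4)          # type 0 (management), given subtype
    return fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body

def beacon_body(ssid):
    """Timestamp, interval, capability, then the SSID information element (id 0)."""
    return b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + bytes([0, len(ssid)]) + ssid

def parse(frame):
    fc, = struct.unpack_from("<H", frame, 0)
    info = {"type": (fc >> 2) & 3, "subtype": (fc >> 4) & 0xF,
            "da": frame[4:10], "sa": frame[10:16], "bssid": frame[16:22]}
    body = frame[24:]
    if info["type"] == 0 and info["subtype"] in (BEACON, PROBE_RESP):
        pos = 12                                  # skip the fixed fields
        while pos + 2 <= len(body):
            eid, elen = body[pos], body[pos + 1]
            if eid == 0:                          # SSID element
                ssid = body[pos + 2:pos + 2 + elen]
                info["ssid"] = ssid
                # "cloaked" means an empty SSID or one made of NUL padding
                info["cloaked"] = elen == 0 or ssid == b"\x00" * elen
                break
            pos += 2 + elen
    return info

def analyse(frames, deauth_limit=3):
    """Passive view: learn SSIDs, note cloaked BSSIDs, flag broadcast deauth floods."""
    ssids, cloaked, deauths, alerts = {}, set(), Counter(), []
    for f in frames:
        p = parse(f)
        if p["type"] != 0:
            continue
        if p["subtype"] == BEACON:
            if p.get("cloaked"):
                cloaked.add(p["bssid"])
            elif "ssid" in p:
                ssids[p["bssid"]] = p["ssid"]
        elif p["subtype"] == PROBE_RESP and p.get("ssid") and not p.get("cloaked"):
            ssids[p["bssid"]] = p["ssid"]         # the unicast reply carries the name
        elif p["subtype"] == DEAUTH and p["da"] == BROADCAST:
            deauths[p["bssid"]] += 1
            if deauths[p["bssid"]] == deauth_limit:
                alerts.append(("BROADCAST_DEAUTH", p["bssid"]))
    return ssids, cloaked, alerts

SAMPLE = [
    mgmt_frame(BEACON, BROADCAST, AP, AP, beacon_body(b"")),              # cloaked beacon
    mgmt_frame(PROBE_RESP, STA, AP, AP, beacon_body(b"SomeCloakedNet")),  # reply to a client
] + [mgmt_frame(DEAUTH, BROADCAST, AP, AP, b"\x07\x00")] * 3              # "Get out, now."
```

The deauth counter is cumulative; a real IDS would count per time window so a single legitimate disconnect never trips it.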

43 Snake Oil (5): MAC Filters
- “But”, someone says, “I don't need to turn on crypto, I have MAC filters!”
- No
- Oh, that's the MAC of your client? I'll just be joining now, thanks
- Besides, none of your data is encrypted
- You'll find out why this is a bad thing

44 Gut-Punching 802.11
- Absurdly easy
- Management frames are completely unprotected
- It's shared media
- All the bad old days for layer 2 attacks live again
- I don't have to own the Internet, I own your Internet

45 Strangers with candy
- Avoiding hostile networks requires users to be smart; users are bad decision makers
- The OS won't help; most like to join networks they've joined before
- Networks go “viral” and appear everywhere
- It's hard to tell what's real

46 Catch the virus
- “HP setup”
- “Free Public Wifi”
- Once Windows has seen a network, it wants to see it again
- Can't find it? Make an ad-hoc network!
- I like free. I like wi-fi. Let me join!
- Now another system will advertise it

47 Free public wiffey
- Create AP named “Free Public Wifi”
- Run “dnsmasq”
- ????
- Profit!
- Windows happily joins the network
- Why yes, I am your POP3 server. Why thank you for that password.

48 Making things worse: Karma
- Creating access points manually is really kind of a pain
- Isn't there an easier way?
- Modified drivers respond for every network requested
- “Are you FreePublicWifi?” Sure
- “Are you MyCorpNet?” Why not?

49 Even worse: Karmetasploit
- Karma + Metasploit + Airbase
- Become any AP. Become EVERY AP
- Answer all DNS queries
- Spoof common services like HTTP
- Record all logins
- You wanted Facebook? How about I give you all the browser exploits instead. Tasty!

50 Man-in-the-Middle
- Why just spoof HTTP? Why not give you a real connection and let you log in? (and then read your email)
- SSL? Just give them a fake cert. A user would never accept one of those, right?
- “You encrypted the login, but you didn't move the bodies!”

51 Ignoring the network
- You know, after all, setting up this whole network framework just to attack a client is a big hassle
- Let's just rewrite their traffic in the air and own them that way
- Airpwn is underappreciated; not just for serving shock-porn anymore!

52 Creative editing
- Lots of sites include little stubs of JS
- Rhymes with “ShmaceHook” and “FlyMace” and “Glitter”
- Why not “enhance” them?
- Once you have JS exec inside the page domain, you win
- Layer 2 hijacking of open and WEP data

53 (image slide, no text)

54 Free candy inside
- Client->Server: “Give me a connection to 1.2.3.4:80”
- Attacker->Client: “I'm 1.2.3.4:80!”
- Attacker->Server: “I'm Client! I changed my mind.”
- Attacker->Client: “Have some candy”

55 Constant interruptions
- Client->Server: “I want 1.2.3.4:80”
- Server->Client: “OK”
- Client->Server: “Give me /foo.js”
- Attacker->Client: “I'm Server, here's foo.js”
- Attacker->Server: “I'm Client. Go home.”

56 Not done yet
- Client->Server: “I want 1.2.3.4:80 /foo.js”
- Server->Client: “Here's foo.js”
- Attacker->Client: “No, no, there's more.”

57 Now I'm in your browser... rewriting your DOM
- What can we do? Anything we want
- Rewrite the page DOM to strip HTTPS
- Redirect links
- Replace text and images
- Send cookies to a remote system
- Remote-control the browser to do other stuff

58 But it's just a little javascript

    // Walk every <div> and replace the headline image and text blocks of the page
    var embeds = document.getElementsByTagName('div');
    for (var i = 0; i < embeds.length; i++) {
        if (embeds[i].getAttribute("class") == "cnnT1Img") {
            embeds[i].innerHTML = "...";
        } else if (embeds[i].getAttribute("class") == "cnnT1Txt") {
            embeds[i].innerHTML = "...";
        }
    }

59 (image slide, no text)

60 Cold, hard cache
- Discovered by Robert Hansen with VPNs
- Feed a client some javascript
- Set cache to infinity
- What happens when they go back to corporate HQ and load that?
- Yup... I just started running JS inside your corpnet a day later

61 Funeral for WEP
- Who here uses WEP?
- If you raised your hand, now I'm going to yell
- WEP is flawed. Very flawed. Fatally flawed.
- The corpse is stinking, bury it before the neighbors freak out

62 Breaking WEP
- Used to take hours and hundreds of thousands of packets
- Now takes minutes and as few as 20,000 packets
- ARP injection is obvious but works really well
- Or just wait!
- Kismet-PTW plugin autocracks

63 No, seriously

    Starting PTW attack with 29645 ivs.
    KEY FOUND! [ 59:69:6E:67:57 ] (ASCII: YingW )
    Decrypted correctly: 100%
    real 0m0.708s

- Cracked WEP in the wild with 30,000 ARP packets in less than a second; took less than 2 minutes to generate packets via ARP injection
- WEP is so cheap to crack there is no reason not to try every 100 packets to see if there is enough statistical data to crack it now

64 Home away from home
- Why wait for a client to find a network?
- Caffe Latte attack uses only the client
- Rewrite ARP request to ARP reply, send to client, repeat
- Cracked WEP and owned client in an airport. Or a bus. Whatever

65 Attacking WPA
- At least it's better than WEP
- WPA-PSK is only as secure as the passphrase
- Passphrase + SSID + length of SSID hashed into PMK
- PMK makes PTK per user
- Computing PMK is hard

66 Look it up
- Computing PMK takes a while
- So let's calculate the PMK for every dictionary word plus the top 1000 SSIDs
- Dictionary lookups are fast
- Tables are big, but so what?
- We can accelerate with CUDA and FPGA
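The key chain slides 65 and 66 describe, as an added Python example (not from the talk or from Kismet): the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and the per-user PTK is expanded from the PMK with both MAC addresses and both handshake nonces. The first function is checked against the IEEE 802.11i Annex H vector (“password” / “IEEE”); the MAC addresses and nonces are constructed. It also shows why a non-default SSID defeats a precomputed table: the same passphrase gives a different PMK for every SSID.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK derivation: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 256 bits.
    The 4096 rounds are the only thing that makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter, truncated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))            # 4 x 160 bits covers the 512 needed
    return out[:64]

def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise key expansion: the PTK binds the PMK to this AP, station and handshake.
    The standard orders the MACs and nonces byte-wise, so either side computes the same PTK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)

# Constructed handshake parameters (not a real capture)
AP_MAC = bytes.fromhex("001122aabbcc")
STA_MAC = bytes.fromhex("66778899ccdd")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

def demo():
    """PMK for the Annex H test passphrase, and the PTK it yields for our constructed handshake."""
    pmk = pmk_from_passphrase("password", "IEEE")
    ptk = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return pmk.hex(), ptk.hex()
```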

67 Attacking TKIP
- TKIP was a stop-gap before 11i
- TKIP is RC4. Wait. Isn't WEP RC4? So doesn't... TKIP suck?
- Kind of. They made it better
- Per-packet keying, replay prevention, passphrase conversion standards, PTK renegotiation

68 Countermeasures
- TKIP includes MIC countermeasures
- Invalid packets cause the network to go sulk in the corner and reset
- Two invalids in 60 seconds cause the network to go away
- We can still guess, but we have to guess slowly

69 Unintended side effects
- QoS defined after TKIP
- Can re-order packets
- Each queue has a packet count
- This means we can re-use a packet from one queue in the other queues
- Four commonly used, but 12 more available

70 Chop chop!
- Cut the last byte off the packet
- Fix the checksum
- Inject
- If we're wrong, nothing happens
- If we're right, we get a spoof alert!
- Wait 60 seconds, start on next byte

71 Not quite dead yet
- Not a complete break; slow, only gets us a few packets
- Once we get a few we could initiate a connection outside though...
- Beginning of the end
- Switch to WPA2 now before someone finishes the job on WPA1
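A detection heuristic for the pacing on slides 68 to 70, as an added Python example that is not part of the talk: an AP or IDS that records TKIP MIC-failure reports can separate the two-in-60-seconds case that already triggers countermeasures from a station whose failures arrive exactly one per window, which is what “guessing slowly” looks like on the wire. The event list, MAC addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed AP-side MIC-failure reports as (seconds, reporting station); not real logs.
# Station 66:77:... reports one failure every ~61 s, station aa:bb:... two inside 60 s.
MIC_EVENTS = [
    (0, "66:77:88:99:cc:dd"),
    (61, "66:77:88:99:cc:dd"),
    (10, "aa:bb:cc:dd:ee:01"),
    (123, "66:77:88:99:cc:dd"),
    (185, "66:77:88:99:cc:dd"),
    (30, "aa:bb:cc:dd:ee:01"),
    (500, "aa:bb:cc:dd:ee:02"),     # a single stray failure, probably just noise
]

COUNTERMEASURE_WINDOW = 60      # seconds; two failures inside it shut the network down
MIN_GAP, MAX_GAP = 55, 90       # a guess per window lands just past the 60 s mark
PACED_THRESHOLD = 4             # evenly spaced failures before we call it an attack

def classify(events):
    """Return {station: verdict} for every station that reported a MIC failure."""
    per_station = defaultdict(list)
    for ts, sta in sorted(events):
        per_station[sta].append(ts)
    verdicts = {}
    for sta, times in per_station.items():
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if any(g < COUNTERMEASURE_WINDOW for g in gaps):
            verdicts[sta] = "countermeasures"       # the standard already reacts here
        elif len(times) >= PACED_THRESHOLD and all(MIN_GAP <= g <= MAX_GAP for g in gaps):
            verdicts[sta] = "paced-mic-failures"    # one byte guessed per window
        else:
            verdicts[sta] = "sporadic"
    return verdicts

def alerts(events):
    """Stations whose failure pattern slips under the countermeasure threshold on purpose."""
    return sorted(sta for sta, v in classify(events).items() if v == "paced-mic-failures")
```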

72 Attacking WPA-EAP
- Better than WPA-PSK
- Commonly found on corporate networks
- Many methods use PKI/TLS (SSL certificates)
- No good way to distribute certs to all clients at an institutional level
- Spotty OS clients

73 I am who I say I am
- If UAC isn't used, deciding which certs are “good” can be in the hands of users
- Users always make good decisions, right?
- That SSL cert says “Veri$ign”, good 'nuff! (This is actually optimistic)
- Obviously that tennis player wants me to see her naked!

74 Even the smart ones...
- Often the OS supplicant isn't helpful
- May not show all of the cert
- Even if it does... self-signed vs real?
- If two certs have a common root (Verisign?) the CN may not be compared anyhow

75 Of course you're you
- Josh Wright and Brad Antoniewicz wrote a FreeRADIUS variant that accepts all logins
- Spoof a network and advertise PEAP
- “Cert looks good to me!”
- Combine with KARMA, own everyone who connects
- Harvest passwords

76 (numbered diagram)
- PEAP gives us the password as MSCHAPv2
- If only there were a tool for that... like L0phtCrack
- Users also pick bad passwords
- That's the same password as my luggage!

77 Future Plans
- More non-802.11 plugins (Zigbee, RFID)
- More IDS
- Integrate WPA-PSK decryption
- Integrate WPA-EAP decryption with provided certificates

78 Thanks, Q&A, Live Demo
- Thanks to CACE for having Sharkfest!
- Thanks to everyone who has helped test Kismet-Newcore on the long road to release
- Q&A
