“We need a special holiday to honor the countless kind souls with unsecured networks named 'linksys'.”

1 “We need a special holiday to honor the countless kind souls with unsecured networks named 'linksys'.”

2 “If you're not cool enough to do it manually, you can look up tools like Upside-Down-Ternet for playing games with people on your wifi.”

3 “I hear this is an option in the latest Ubuntu release.” …isn’t BackTrack 4 based on Ubuntu…


5 802.11 ObgYn Spread your Spectrum

6 IEEE 802.11y
- 802.11o is a reserved and unused letter
- When I submitted this talk, I didn’t realize that 802.11y had been ratified. This really ruined my joke name…
- Sadly, I don’t have an 802.11y card or driver, so we will not be discussing 3650-3700 MHz
- I really hope this doesn’t disappoint anyone; I will try to make it up to you all next time…

7 Who am I and why do you care?
Rick “Zero_Chaos” Farina
- Senior Wireless Security Researcher for AirTight Networks
- Aircrack-ng Team Member
- Embedded Development
- Maverick Hunter Rank S

8 You might remember me from such things as:

9 Walking into my own talk late at Defcon 16

10 Rudely interrupting other people's talks...

11 ...and inciting hackers to riot

12 Now I'm back! Today's Agenda
- Freq Update: updated patches, updated information
- Unusual Encryption: like what? How to detect it
- Wireless Intrusion Detection and Prevention: what is it? How it works

13 Standard DISCLAIMER: Some of the topics in this presentation may be used to break the law in new and exciting ways… of course I do not recommend breaking the law and it is your responsibility to check your local laws and abide by them. DO NOT blame me when a three letter organization knocks on your door. I am not an expert, this is all based on my research and dumb luck.

14 Contest: Find the AP
- I have hidden an AP somewhere in the airwaves
- Report the center frequency of operation, SSID, and MAC address to win
- (Insiders and friends are not eligible)

15 Spoils* (first winner only)
Find the AP before the end of the talk:
- Ubiquiti Super Range Cardbus wifi card
- Your face in the video if you are right
- Public embarrassment if you are wrong
Find the AP before 17:00: $50 towards a nice Atheros card
Find the AP after 17:00: hearty handshake and a pat on the back
*Game may end early due to unforeseen hardware failure

16 We have discussed this before: WiFi Frequencies
- .11b/g: 2412-2462 MHz (US)
- .11a: 5180-5320, 5745*-5825 MHz (US)
  (regulatory settings from the kernel's old reg)
- Obviously makes no sense: does the card really not have the ability to use 5320-5745 MHz?
*DFS channels excluded due to driver limitations

17 Licensed Bands
- Some vendors make special licensed radios
- Special wifi cards for use by military and public safety
- Typically very expensive
- Frequencies of 4920 MHz seem surprisingly close to 5180 MHz

18 Manufacturers are cheap
- Atheros and others sometimes support more channels
- Allows one radio to be sold for many purposes
- Software controls the allowed frequencies

19 Who Controls the Software?
Yesterday:
- Most wifi drivers in Linux require binary firmware of some kind
- That firmware controls anything the vendor wants
Today:
- More and more vendors are going fully open source

20 Who do we like for this stuff?
Preferred: Atheros, Ralink, Intel
- Fully open source drivers
- Developers working with the community
- Closed source (sometimes buggy) firmware, but developers working with the community
Undesirable: Marvell, Broadcom
- Ignores requests for chipset docs
- Releases completely closed source binary drivers

21 Our Playground
- Madwifi-ng was driven by a binary HAL
- Ath5k is the fully open source driver now in the kernel
- Kugutsumen released a patch for the “DEBUG” regdomain
- Allows all *officially* supported channels to be tuned to

22 Fun Comments in ath5k
/* Set this to 1 to disable regulatory domain restrictions for channel tests.
 * WARNING: This is for debuging only and has side effects (eg. scan takes too
 * long and results timeouts). It's also illegal to tune to some of the
 * supported frequencies in some countries, so use this at your own risk,
 * you've been warned. */

23 Comments (cont)
/*
 * XXX The tranceiver supports frequencies from 4920 to 6100GHz
 * XXX and from 2312 to 2732GHz. There are problems with the
 * XXX current ieee80211 implementation because the IEEE
 * XXX channel mapping does not support negative channel
 * XXX numbers (2312MHz is channel -19). Of course, this
 * XXX doesn't matter because these channels are out of range
 * XXX but some regulation domains like MKK (Japan) will
 * XXX support frequencies somewhere around 4.8GHz.
 */

24 New Toys
Yesterday:
- .11b/g: 2412-2462 MHz (US)
- .11a: 5180-5320, 5745-5825 MHz (US)
Today:
- Ubiquiti SRC: .11b/g 2192-2732 MHz, .11a 4800-6000 MHz
- Linksys WPC55AG ver 1.3: .11b/g 2277-2484 MHz, .11a 4800-6000 MHz

25 Spectrum Analyzer
- Fully tested frequencies
- Sadly no one would let me borrow a SA
- Warning: this will differ from card to card
- I’ve already lost a few wifi cards…

26 What is on these new freq? (MHz)
2180.000 - 2200.000  Fixed Point-to-point (n-p)
2200.000 - 2290.000  DoD
2300.000 - 2310.000  Amateur
2390.000 - 2450.000  Amateur
2450.000 - 2500.000  Radio location
2500.000 - 2535.000  Fixed SAT
2500.000 - 2690.000  Fixed Point-to-point (n-p), Instructional TV
2655.000 - 2690.000  Fixed SAT
2690.000 - 2700.000  Radio Astronomy
2700.000 - 2900.000  DoD

27 Freq (cont) (MHz)
4400.000 - 4990.000  DoD
4990.000 - 5000.000  Meteo - Radio Astronomy
5250.000 - 5650.000  Radio Location - Coastal Radar
5460.000 - 5470.000  Radio Nav - General
5470.000 - 5650.000  Meteo - Ground-based Radar
5650.000 - 5925.000  Amateur
5800.000             ISM
5925.000 - 6425.000  Common Carrier and Fixed SAT

28 Limitations
- Many real licensed implementations are broken
- The card reports channel 1 but is actually on 4920 MHz or some such
- This is done to make it easy to use existing drivers
- This breaks many open source applications

29 Airodump-ng
- Airodump-ng now supports a list of frequencies to scan rather than channels
- Only channels are shown in the display, and they may be wrong
- Strips vital header information off the packet, so data saved from extended channels is useless

30 Improvement Was Needed
- Sniffers were too trusting; they believed what they saw
- They were never intended to deal with oddly broken implementations such as channel number fudging
- Sniffers had to mature to report more reality and fewer assumptions
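As an added example (not code from the talk, Kismet or airodump-ng), a minimal check for the channel number fudging described above: it reads the frequency the radio was actually tuned to from the radiotap header and compares it with the DS Parameter Set channel the beacon advertises, using the conventional IEEE channel-to-frequency mapping extended to the negative 2.4 GHz channels and the 4.9 GHz channels mentioned in the ath5k comment. The radiotap layout (Channel as the only present field) and the beacon bytes are constructed for the example.

```python
import struct
RADIOTAP_PRESENT_CHANNEL = 1 << 3   # radiotap "Channel" field present bit

def channel_to_frequency(chan):
    """IEEE channel -> MHz; negative 2.4 GHz channels as in the ath5k comment
    (2312 MHz is channel -19), plus the 4.9 GHz public-safety channels 182-196."""
    if chan == 14:
        return 2484
    if chan < 14:
        return 2407 + 5 * chan
    if 182 <= chan <= 196:
        return 4000 + 5 * chan
    return 5000 + 5 * chan

def radiotap_frequency(buf):
    """(header length, tuned MHz). Assumption: Channel is the first present
    field, so it sits at offset 8; a full parser walks the presence bitmap."""
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0 or not present & RADIOTAP_PRESENT_CHANNEL:
        raise ValueError("no radiotap channel field")
    freq, _flags = struct.unpack_from("<HH", buf, 8)
    return length, freq

def beacon_ds_channel(frame):
    """Walk a beacon's information elements; return the DS Parameter Set channel."""
    if frame[0] != 0x80:
        raise ValueError("not a beacon")
    pos = 24 + 12                      # MAC header + timestamp/interval/capability
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        if tag == 3 and length == 1:   # DS Parameter Set
            return frame[pos + 2]
        pos += 2 + length
    return None

def check_capture(buf):
    """Compare where the radio was tuned with the channel the AP advertises.
    Returns (radio_mhz, advertised_channel, mismatch)."""
    hdr_len, radio_mhz = radiotap_frequency(buf)
    chan = beacon_ds_channel(buf[hdr_len:])
    return radio_mhz, chan, chan is None or channel_to_frequency(chan) != radio_mhz

def build_sample(freq_mhz, ds_chan, ssid=b"linksys"):
    """Constructed input: 12-byte radiotap header (Channel only) plus a minimal
    beacon from made-up BSSID 00:11:22:33:44:55 advertising ds_chan."""
    rt = struct.pack("<BBHI", 0, 0, 12, RADIOTAP_PRESENT_CHANNEL) + struct.pack("<HH", freq_mhz, 0)
    mac = b"\x80\x00\x00\x00" + b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" * 2 + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0001)   # timestamp, interval, capability
    ies = bytes([0, len(ssid)]) + ssid + bytes([3, 1, ds_chan])
    return rt + mac + fixed + ies
```

A mismatch flags exactly the "reports channel 1 but is on 4920 MHz" case: the advertised channel is not where the radio heard the frame.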

31 Kismet
- Kismet-newcore fully supports frequency ranges
- Displays channels AND frequency in the display
- Saves pcap files with usable headers
- dragorn just generally rocks

32 Kismet-Newcore
- Usable now in SVN from
- Would have been a Kismet-Test1 release for Shmoocon but setting up freeradius sucks. Bad.
- New UI, better logging, improved IDS features, *Plugins*, new mapping SW on its way
- Autoconfig device support
- Multiple protocol support via plugins – DECT cordless phone sniffing
-dragorn

37 Kernel Regulatory Changes
“old reg” deprecated soon:
- Contains very few static regulatory domains
- Built right into the kernel
New userspace Central Regulatory Domain Agent:
- Userspace app called by udev, named crda
- Takes input from a visible AP or from the user through iw
- Sets an accurate reg domain based on country
- Uses a separate wireless-regdb, which contains the country information

38 Ath5k frequency patches
Old ath5k patches:
- Completely removed tx
- No way to control tx
- If you are in any mode but monitor you ARE breaking the law
New Ath5k patches:
- No patch for old reg
- crda controls which freq you can tx on
- Able to use the card safely within the law

39 Patch released
New ath5k patch released for vanilla kernel 2.6.28.x:
- I can't support every distro
- Available from aircrack-ng svn
- Includes directions for the required userspace tools
Patch available for wireless-regdb:
- US only (willing to add more on request)
- Binary regulatory.bin will be made available
- Willing to add capabilities for Licensed Professional and Amateur operations
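As an added example (not part of the talk, the kernel or wireless-regdb), a small parser for rules written in the style of wireless-regdb's db.txt, with a lookup that answers the question the new patches hand to crda: may this card transmit on a given centre frequency under the selected country? The US rules and the "XX-LIC" licensed domain below are constructed sample data, not the real database entries.

```python
import re

# One rule per line: (start - end @ max_bw), (max_eirp) or (gain, eirp), then flags.
RULE_RE = re.compile(r"\((\d+)\s*-\s*(\d+)\s*@\s*(\d+)\)\s*,\s*\(([^)]*)\)(.*)")

# Constructed sample in the style of wireless-regdb's db.txt. Values are illustrative,
# not the real database; "XX-LIC" is a hypothetical domain for licensed 4.9 GHz users.
SAMPLE_DB = """\
country US: DFS-FCC
    (2402 - 2472 @ 40), (30)
    (5170 - 5250 @ 80), (17)
    (5250 - 5330 @ 80), (24), DFS
    (5490 - 5730 @ 160), (24), DFS
    (5735 - 5835 @ 80), (30)

country XX-LIC: DFS-FCC
    (2402 - 2472 @ 40), (30)
    (4940 - 4990 @ 20), (30)
"""

def parse_regdb(text):
    """Return {country: [(start, end, max_bw, max_eirp_dbm, flags)]}."""
    domains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("country"):
            current = line.split()[1].rstrip(":")
            domains[current] = []
        elif line.startswith("(") and current:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("bad rule: " + line)
            start, end, bw = (int(x) for x in m.group(1, 2, 3))
            eirp = float(m.group(4).split(",")[-1])          # last number is EIRP
            flags = {f.strip() for f in m.group(5).split(",") if f.strip()}
            domains[current].append((start, end, bw, eirp, flags))
    return domains

def tx_permission(domains, country, centre_mhz, width_mhz=20):
    """Does a channel of width_mhz centred at centre_mhz fit inside one rule?
    Returns (allowed, flags, max_eirp_dbm); DFS in flags means radar detection
    is required before transmitting there."""
    lo, hi = centre_mhz - width_mhz / 2, centre_mhz + width_mhz / 2
    for start, end, bw, eirp, flags in domains.get(country, []):
        if start <= lo and hi <= end and width_mhz <= bw:
            return True, flags, eirp
    return False, set(), None
```

With these rules 4920 MHz is refused under US but a 4960 MHz channel is allowed under XX-LIC, which is the kind of per-country distinction the slide's regdb patch is meant to express.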

40 Future Research in this Area
- Kernel acceptance: need to fix a few minor bugs
- Ath9k support: yes, these can be extended as well
- Ralink support: I've got a hot tip that these support much fun

41 Final Thoughts on Frequencies
- Remember everyone here is a white hat
- Please use your new found knowledge for good, not evil
- In the United States it is LEGAL to monitor all radio frequencies
- Have fun…

42 Unusual Crypto: What do we know?
- Kismet and Airodump-ng detect 802.11 encryptions:
  WEP/WEP+/DWEP/LEAP
  WPA/WPA2 PSK/802.1x
  EAP types used

43 Have you ever seen…
- a WEP network invulnerable to replay?
- an open AP that you cannot connect to?
- 802.11 on a spectrum analyzer but an empty pcap file?

44 Symbol Keyguard
- “TKIP encryption implementation based on the forthcoming 802.11i standard”
- “Kerberos V5 based mobile security”
- “EAP/TLS with 802.1X port-based Network Access Control or RADIUS”
- Really it is just pre-standard TKIP
- Replay prevention
- Detected as WEP by Kismet and Airodump-ng
- Thanks to pcap donations, Kismet is adding detection


46 Government Crypto (Type 3 or 4)
Type 4 (Exportable): 40-bit nonsense
Type 3:
- Cranite: appears defunct
- Fortress: FIPS 140-2
- 802.11i

47 Huh? Government Crypto
- Precursors to 802.11i: Cranite, Fortress
- Hardware or software encryption/decryption
- Strong encryption (typically AES)
- Strong authentication (typically certificates)

48 Unencrypted ?

49 Does this look unencrypted to you?

50 Government Crypto (Type 1)
Harris SecNet 11:
- Intersil Prism 2 and Harris Sierra Crypto(TM) Module
- Encrypts the entire MPDU
- Essentially invisible
Harris SecNet 54:
- Modular separation between encrypter and radio
- Compatible with COTS equipment
- Layer 2 and/or 3 encryption available

51 Invisible? + /* Allow CRC errors through */ + if (rs.rs_status & AR5K_RXERR_CRC) { + goto accept; + } *Super Special thanks to dragorn for writing this in like 6 seconds for me
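Review bot: the `goto accept` admits every frame that failed the hardware CRC check with no indication to userspace that it did, so a sniffer cannot tell a frame from a radio that encrypts the entire MPDU (the SecNet 11 case on the previous slide) from one that was simply corrupted over the air. Gate the branch on the interface being in monitor mode, since a normal station has no use for bad frames, and mark the accepted frames (the radiotap "bad FCS" flag exists for this) so Kismet and airodump-ng can keep them out of their ordinary parsing while still logging them.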

52 Pcap beg
- Am I looking for something that you have?
- Do you know of an encryption that I didn’t mention?
- Have you found something just plain odd?
- SEND ME PCAPS

53 WIDS/WIPS
Wireless Intrusion Detection System:
- Early products
- “Noise maker”
Wireless Intrusion Prevention System:
- Later products
- Log events
- Auto-classify devices
- Prevent wireless threats in real time

54 Hybrid vs Overlay
Hybrid:
- Access Points double as sensors
- Typically ignores client behavior
- Every tick spent doing security means no data transport
- No additional hardware to buy
- Some of these can be fixed by deploying as…
Overlay:
- Dedicated sensors to handle security
- Spends 100% of its time focusing on security
- Additional hardware required

55 Auto-Classification

56 How does it work?
“Example of a switch polling based method of wired status detection”*
[Diagram: the MAC address 00:11:22:33:44:55 of a wireless client appears in the switch's CAM table, showing that the client is bridged onto the wired network]
*Not all systems use this method
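As an added example (not from the talk or any WIPS product), how a switch-polling classifier can turn the diagram above into verdicts: MACs polled from the switch's CAM table are compared with what is seen over the air. The client-bridging check is what the diagram shows; the MAC-adjacency heuristic and all the sample data are assumptions constructed for the example.

```python
def mac_to_int(mac):
    """'00:11:22:33:44:55' -> integer, so nearby addresses can be compared."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def classify_aps(cam_table, authorized_bssids, observed, adjacency=8):
    """Classify APs seen over the air using MACs polled from the wired switch.

    cam_table: MAC addresses learned by the switch (what a WIPS polls over SNMP).
    observed:  {bssid: set of client MACs seen associated to that BSSID}.
    The client check is the slide's diagram: a wireless client's MAC showing up
    in the CAM table means the AP bridges it onto the wire. The adjacency check
    is an extra heuristic assumed here (an AP's wired MAC is usually within a
    few values of its BSSID); the slides do not describe it."""
    wired = {mac_to_int(m) for m in cam_table}
    verdicts = {}
    for bssid, clients in observed.items():
        if bssid in authorized_bssids:
            verdicts[bssid] = "authorized"
            continue
        client_bridged = any(mac_to_int(c) in wired for c in clients)
        ap_adjacent = any(abs(mac_to_int(bssid) - w) <= adjacency for w in wired)
        if client_bridged or ap_adjacent:
            verdicts[bssid] = "rogue on wire"   # candidate for automatic remediation
        else:
            verdicts[bssid] = "external"        # neighbour, not bridged to our LAN
    return verdicts

# Constructed sample data (not from the talk).
CAM_TABLE = ["00:11:22:33:44:55", "00:11:22:33:44:66",
             "00:aa:bb:cc:dd:01", "00:de:ad:be:ef:03"]
AUTHORIZED = {"00:aa:bb:cc:dd:02"}
OBSERVED = {
    "00:aa:bb:cc:dd:02": {"00:11:22:33:44:55"},   # corporate AP
    "00:de:ad:be:ef:00": set(),                    # employee AP, wired MAC +3 seen on switch
    "00:ca:fe:00:00:10": {"00:ca:fe:00:00:11"},    # coffee shop next door
    "00:13:37:00:00:01": {"00:11:22:33:44:66"},    # rogue AP bridging a client onto the wire
}
```

Only the two APs with wired evidence are marked for remediation; the neighbour stays "external", which is the distinction that keeps a WIPS from attacking other people's networks.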

57 Final WIPS Thoughts
You are not invisible:
- Corporations and organizations are monitoring wifi
You are not invincible:
- Automatic threat remediation
- Automatic location tracking
Even odd frequencies may not be safe:
- Many WIPS monitor extended channel sets

58 Pentoo
- A great platform to launch wireless attacks
- LiveCD based on Gentoo
- Safe to install
- Updates often

59 Thanks
Contact me if:
- You have a license or country you wish added to the Ath5k patches
- You have pcaps of an unusual encryption used commonly with wifi
Try Pentoo
