Presentation is loading. Please wait.

Presentation is loading. Please wait.

“All your layer are belong to us” Rogue 802.11 APs, DHCP/DNS Servers, and Fake Service Traps.

Published byMary Willis Modified over 9 years ago

Similar presentations

Presentation on theme: "“All your layer are belong to us” Rogue 802.11 APs, DHCP/DNS Servers, and Fake Service Traps."— Presentation transcript:

1 “All your layer are belong to us” Rogue 802.11 APs, DHCP/DNS Servers, and Fake Service Traps

2 Agenda Windows XP Wireless Auto Configuration (WZCSVC) Wireless Client Attack Tool Creating an ALL SSIDs network (L1) Creating a virtual network (L2+) Exploiting client-side application vulnerabilities (L5) Demo All your layer are belong to us

3 Wireless Auto Configuration Algorithm First, Client builds list of available networks Send broadcast Probe Request on each channel

4 Wireless Auto Configuration Algorithm Access Points within range respond with Probe Responses

5 Wireless Auto Configuration Algorithm If Probe Responses are received for networks in preferred networks list: Connect to them in preferred networks list order Otherwise, if no available networks match preferred networks: Specific Probe Requests are sent for each preferred network in case networks are “hidden”

6 Wireless Auto Configuration Algorithm If still not associated and there is an ad- hoc network in preferred networks list, create the network and become first node Use self-assigned IP address (169.X.Y.Z)

7 Wireless Auto Configuration Algorithm Finally, if “Automatically connect to non-preferred networks” is enabled (disabled by default), connect to networks in order they were detected Otherwise, wait for user to select a network Continue scanning for networks

8 Attacking Wireless Auto Configuration Attacker spoofs disassociation frame to victim Client sends broadcast and specific Probe Requests again Attacker discovers networks in Preferred Networks list (e.g. linksys, MegaCorp, t-mobile)

9 Attacking Wireless Auto Configuration Attacker creates network MegaCorp with HostAP driver

10 Attacking Wireless Auto Configuration Victim associates to attacker’s fake network Even if preferred network was WEP (XP SP 0) Attacker can supply DHCP, DNS, …, servers

11 Wireless Auto Configuration Attacks A. Attacker can join created ad-hoc network Sniff network to discover self-assigned IP (169.X.Y.Z) and attack B. Create a more Preferred Network Spoof disassociation frames to cause clients to restart scanning process Sniff Probe Requests to discover Preferred Networks Create a network with SSID from Probe Request C. Create a stronger signal for currently associated network While associated to a network, clients sent Probe Requests for same network to look for stronger signal You can be 0wned while watching a DVD on a plane!

12 A Tool to Automate the Attack Track clients by MAC address Identify state: scanning/associated Record preferred networks by capturing Probe Requests Display signal strength of packets from client Target specific clients and create a network they will automatically associate to Compromise client and let them rejoin original network Connect back out over Internet to attacker Launch worm inside corporate network Etc. “Kismet” for wireless clients

13 L1: Creating An ALL SSIDs Network Can we attack multiple clients at once? Want a network that responds to Probe Requests for any SSID PrismII HostAP mode handles Probe Requests in firmware, doesn’t pass them to driver Can modify driver to accept Associations for any SSID Can use second card to sniff for Probe Requests and forge Probe Responses Custom firmware would be better

14 L2: Creating a FishNet Want a network where we can observe clients in a “fishbowl” environment Once victims associate to wireless network, will acquire a DHCP address We run our own DHCP server We are also the DNS server and router

15 FishNet Services When wireless link becomes active, client software activates and attempts to connect, reconnect, etc. without requiring user action Our custom DNS server replies with our IP address for every query We also run “trap” web, mail, chat services Fingerprint client software versions Steal credentials Exploit client-side application vulnerabilities

16 Fingerprinting FishNet Clients Automatic DNS queries wpad.domain -> Windows _isatap -> Windows XP SP 0 isatap.domain -> Windows XP SP 1 teredo.ipv6.microsoft.com -> XP SP 2 Automatic HTTP Requests windowsupdate.com, etc. User-Agent String reveals OS version Passive OS fingerprinting (p0f)

17 L5: Exploiting FishNet Clients Fake services steal credentials Mail and chat protocols (IMAP, POP3, AIM, YIM, MSN) Reject authentication attempts using non-cleartext commands Many clients automatically resort to cleartext when non-cleartext is not supported Attack VPN clients…

18 Client-Side Application Vulnerabilities Recent client-side vulnerabilities Microsoft JPG Processing (GDI+) Mozilla POP3 Heap Overflows GDK Pixbuf XPM Vulnerabilities … Exploits can make use of fingerprinting info

19 DEMO

Download ppt "“All your layer are belong to us” Rogue 802.11 APs, DHCP/DNS Servers, and Fake Service Traps."

Similar presentations

Wireless LAN Security Understanding and Preventing Network Attacks.

Wireless LAN Security Understanding and Preventing Network Attacks.
IEEE INFOCOM 2004 MultiNet: Connecting to Multiple IEEE 802.11 Networks Using a Single Wireless Card.

IEEE INFOCOM 2004 MultiNet: Connecting to Multiple IEEE Networks Using a Single Wireless Card.
7/31/2002Black Hat 2002, Las Vegas NV Advanced 802.11 Attack Mike Lynn & Robert Baird.

7/31/2002Black Hat 2002, Las Vegas NV Advanced Attack Mike Lynn & Robert Baird.
Information Networking Security and Assurance Lab National Chung Cheng University Kai, 2004 INSA1 Using Kismet to enhance the security level in enterprise.

Information Networking Security and Assurance Lab National Chung Cheng University Kai, 2004 INSA1 Using Kismet to enhance the security level in enterprise.
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Simple ways to secure Wireless Computers Jay Ferron, ADMT, CISM, CISSP, MCSE, MCSBA, MCT, NSA-IAM, TCI.

Simple ways to secure Wireless Computers Jay Ferron, ADMT, CISM, CISSP, MCSE, MCSBA, MCT, NSA-IAM, TCI.
Man in the Middle Paul Box Beatrice Wilds Will Lefevers.

Man in the Middle Paul Box Beatrice Wilds Will Lefevers.
Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598.

Analysis of Privacy Jim McCann & Daniel Kuo EECS 598.
Wi-Fi Structures.

Wi-Fi Structures.
CCNA Exploration Semester 3 Modified by Profs. Ward and Cappellino

CCNA Exploration Semester 3 Modified by Profs. Ward and Cappellino
Handoff Delay for 802.11b Wireless LANs Masters Project defense Anshul Jain Committee: Dr. Henning Schulzrinne, Columbia University Dr. Zongming Fei, University.

Handoff Delay for b Wireless LANs Masters Project defense Anshul Jain Committee: Dr. Henning Schulzrinne, Columbia University Dr. Zongming Fei, University.
 Any unauthorized device that provides wireless access  Implemented using software, hardware, or a combination of both  It can be intentional or unintentionally.

 Any unauthorized device that provides wireless access  Implemented using software, hardware, or a combination of both  It can be intentional or unintentionally.
Design Wireless Network 2

Design Wireless Network 2
1 Configuring Linksys Wireless Router Prof. Valencia Community College.

1 Configuring Linksys Wireless Router Prof. Valencia Community College.
Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.
Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.

Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.

Similar presentations

Ads by Google