SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Scripting Wifi Security Software Sharkfest 10 Mike Kershaw / Dragorn Aruba Networks / Kismet SHARKFEST ‘10 Stanford University June 14-17, 2010
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Where We're Going Why we'd script stuff Scripting Kismet Writing new tools Scripting LORCON Real world tools
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 What's the point? Automation Alternate interfaces Logging Dynamic alerts Extremely fast prototype and tool development Real world security tools (Boring, but useful) (Exciting and scary!)
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Kismet
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Talking to Kismet Kismet is pretty easy to script But no-one seems to Actually 2 programs – kismet_server and kismet_client Talks over standard TCP And it's even a human-readable protocol, similar to IMAP
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Where are you? Kismet listens to port 2501 by default Talk to it with netcat Or telnet Or any other TCP socket tools
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Kismet says “Hi there” Trying Connected to localhost. Escape character is '^]'. *KISMET: DRD1812 tuntap 1000 *PROTOCOLS: KISMET,ERROR,ACK,PROTOCOLS,CAPABILITY,TERMINATE,T IME,PACKET,STATUS,PLUGIN,SOURCE,ALERT,BTSCANDEV,D 15D4DEV,WEPKEY,STRING,GPS,BSSID,SSID,CLIENT,BSSID SRC,CLISRC,NETTAG,CLITAG,REMOVE,CHANNEL,SPECTRUM, INFO,BATTERY,CRITFAIL *TIME: *TIME: *TIME:
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Kismet sentences Consist of a *sentence type followed by space- delimited fields Fields which contain free-form text are buffered with \001 bytes *FOO f1 f2 f3 \001f4 with spaces\001 f5
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Commands Commands are !ID command parameters The ID may be incremented or repeating Kismet will include the ID in responses Useful for figuring out if a queued command completed
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Assumptions about you Kismet assumes some sentences MUST be handled by the client. *KISMET, *TIME, *ERROR, *ACK, *PROTOCOLS, *CAPABILITY, *TERMINATE This doesn't mean you have to do something smart Just that you have to not fail
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Umpteenth normal form Kismet protocols are vaguely like a normalized database When unknown numbers of dynamic records reference the same data, they are a separate sentence F.E. networks are stored as BSSID (primary data) and SSID (multiple SSID records indexed by BSSID)
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 What can you do Protocol fields are listed using the CAPABILITY command Different versions of Kismet may support different fields, your client can examine this Clients are expected to handle missing fields gracefully
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Getting data Similar to SQL, ALL fields or only SPECIFIC fields can be requested Fields may be requested in any order (and will be returned in that order) Enabled via the ENABLE command Client is responsible for handling de-mux of multiple protocol requests – Kismet will only listen to the last req
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Initial burst Kismet tracks things all the time Clients are only connected sometimes Non-realtime tracking records are sent in a burst when a sentence is enabled F.E. Enabling BSSID will cause Kismet to send all existing BSSID records Some protocols don't maintain history
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Down by the delta Once Kismet has sent the initial burst of old data New data is sent once per second as it changes F.E. A BSSID record will be sent every second while a network is in range The client is expected to merge this cleanly with existing known data
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Most useful *BSSID – Networks seen *SSID – Network SSID records *CLIENT – Wireless client records *GPS – (Obviously) GPS records *ALERT – Alerts / IDS functions
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Cheap ways to talk `netcat' Bash Sed Incomprensible but easy
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Talking with bash echo -e '\n!0 enable channel channel,packets' | nc localhost 2501 | awk 'BEGIN { CHN = 0; }; /CHANNEL:/ { chnum[CHN]=$2; chval[CHN]=$3; CHN=CHN+1; }; /TIME/ { if (CHN != 0) { printf("["); for (x = 0; x < CHN; x++) { printf("{\"id\":%s,\"value\":%s}", chnum[x], chval[x]); if (x < (CHN-1)) printf(",") } printf("]\n"); CHN=0; fflush(""); } };'
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Breaking it down echo -e '\n!0 enable channel channel,packets' Send a command to enable the CHANNEL sentence, with the fields 'channel' and 'packets'
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Breaking it down nc localhost 2501 Netcat is a great tool for talking to tcp (or UDP) network hosts from scripts
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Breaking it down awk 'BEGIN { CHN = 0; }; /CHANNEL:/ { chnum[CHN]=$2; chval[CHN]=$3; CHN=CHN+1; }; /TIME/ { if (CHN != 0) … Awk is a book in itself, but we begin by setting the # of channels to 0, then when we get the CHANNEL sentence recording it to an array When we get the TIME sentence we know we've gotten all the channels, so we output it
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Breaking it down printf("["); for (x = 0; x < CHN; x++) { printf("{\"id\":%s,\"value\":%s}", chnum[x], chval[x]); if (x < (CHN-1)) printf(",") } printf("]\n"); CHN=0; fflush(""); } };' More awk nastiness, basically just iterates through our array of channels and prints them At the end, flush the output
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 The result [{"id":1,"value":75202},{"id":2,"value":28589},{"id" :3,"value":8613},{"id":4,"value":6042},{"id":5,"va lue":9890},{"id":6,"value":27937},{"id":7,"value": 19615},{"id":8,"value":8644},{"id":9,"value": },{"id":10,"value":27690},{"id":11,"value":47546},{"id":48,"value":15994},{"id":149,"value": },{"id":165,"value":1},{"id":28928,"value": }] Kismet TCP socket to JSON for an AJAX channel display in 1 line of shell!
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 How it works Kismet sends the TIME sentence once per second, so we can use it for timing We know if we see a TIME sentence, we've gotten all the channels Kismet knows about Normally we'd index by channel #, but this is hard in awk, so we cheat
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 More intuitive Ruby interface to Kismet People seem to like Ruby. I'm not sure I do If you don't, it's easy to port this to perl, python, etc – patches welcome! Committed to SVN already with examples
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Basic API setup Require 'kismet' Standard Ruby module Kis = Kismet.new(host, port) Defaults to localhost, 2501 Kis.connect Kis.run Connect and run as thread
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Subscribing Kismet.rb allows subscribing to sentences with callbacks Callbacks called with a dictionary of fields returned Secondary callbacks when a command completes (more on this soon)
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Subscription kis.subscribe("bssid", ["bssid", "manuf", "channel"], Proc.new {|*args| bssidcb(*args)}) Subscribe to a sentence (“bssid”) with a list of fields, and a callback Ruby doesn't do function passing per se, so we use Proc to make a passable block. Bssidcb is our callback function
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Callback def bssidcb(proto, fields) puts "Kismet saw network #{fields['bssid']} manuf #{fields['manuf']} on channel #{fields['channel']}" end Callback function with sentence and fields Fields in hash indexed by name
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Ack callbacks Called when command completes When requesting a sentence with historical data, Kismet sends the historical data, then the ACK We can use this to trigger that we've gotten the complete current state It's a bit of a kluge but...
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Ack to die def bssiddiecb(text) $k.kill exit end Ack-cb just calls “exit” - we only want to list the networks we've seen so far
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Keep on trucking Kismet.rb runs the network code in a separate thread To keep running with subscribed callbacks, call the 'wait' function Will wait for the Kismet session to end (either naturally or via a kill command elsewhere)
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 What we've made easy Kismet to Syslog bridge (subscribe to ALERT and use Ruby logger) Kismet to JSON Programmatic handling of rogue networks Pretty much any arbitrary use of Kismet data
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 LORCON
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 LORCON Loss Of Radio CONtrol Writing the same code for different drivers sucks Writing the same code for different platforms sucks Hopefully LORCON doesn't suck
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 LORCON2 Unfortunately, LORCON kind of sucked LORCON2 API much cleaner Designed to match the libpcap API Really easy to use C, Ruby API, Python under development
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Super simple Automatically determines the type of card Automatically creates injection VAPs Supports sniff, inject, or sniff+inject where possible Send arbitrary bytes OR use the packet assembly API
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 It's even easy in C lorcon_driver_t *dri; lorcon_t *ctx; uint8_t packet[...]; dri = lorcon_auto_driver(“wlan0”); ctx = lorcon_create(“wlan0”, dri); lorcon_open_injmon(ctx); lorcon_set_channel(ctx, 6); lorcon_send_bytes(ctx, sizeof(packet), packet);
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 And it comes with ruby require "Lorcon2" pp Lorcon.version pp Lorcon.drivers pp Lorcon.find_driver("mac80211") pp Lorcon.auto_driver(“wlan0”) tx = Lorcon::Device.new(intf) tx.openinjmon()
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Goal: Simplicity There's a lot of weird modes you can put a card in Most of the time you just want inject+monitor Most of the time you just want to send bytes And it'd be nice if it worked like pcap
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Pcap + Lorcon def = Queue.new reader = Thread.new do wifi.each_packet << pkt } end Some TLC needed (see test.rb in Lorcon) but we integrate with each_packet
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Simple in C, too void apitest_packet_hdlr(lorcon_t *context, lorcon_packet_t *packet, u_char *user) {... } dri = lorcon_auto_driver(interface); ctx = lorcon_create(interface, dri) lorcon_open_injmon(ctx) lorcon_loop(ctx, 0, apitest_packet_hdlr, NULL);
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Modeled on pcap_loop Lorcon handles pcap internals (if you want it to) lorcon_loop calls the provided function for each packet Easy access to dot3 via lorcon_packet_to_dot3
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Building packets In Ruby, Racket handles most of the packet assembly duties There are other packet builders too But a lot of them are REALLY REALLY slow Orders of magnitude slower No great dot11 generator, but Lorcon can translate dot3 automatically
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Racket L2 – Looks like ether response = Racket.new response.l2 = Ethernet.new(" ") response.l2.dst_mac = eth.src_mac response.l2.src_mac = eth.dst_mac response.l2.ethertype = 0x0800
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Racket L3 response.l3 = IPv4.new response.l3.src_ip = ip.dst_ip response.l3.dst_ip = ip.src_ip response.l3.protocol = ip.protocol response.l3.ttl = ip.ttl
SHARKFEST ‘10 | Stanford University | June 14–17, Lorcon injpkt = Lorcon::Packet.new() injpkt.dot3 = response.pack injpkt.bssid = pkt.bssid injpkt.direction = Lorcon::Packet::LORCON_FROM_DS; tx.inject(injpkt) or puts "Failed to inject: " + tx.error
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Lorcon Packet Forge Packet assembly made easy for Uses a linked list of temporary data Packets can be manipulated/appended at will Exported into an array for transmit
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 LCPF notes Lcpa_foo – Lorcon Packet Assembly, basic functions for manipulating packets Lcpf_foo – Lorcon Packet Forge, packet creation
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Building with LCPF metapack = lcpa_init(); tx80211_initpacket(&txpack); lcpf_randmac(sourcemac, 1); lcpf_randmac(bssidmac, 1); lcpf_80211headers(metapack, WLAN_FC_TYPE_DATA, WLAN_FC_SUBTYPE_DATANULL, 0x02, /* fcflags, FromDS */ 0x00, /* duration */, targetmac, bssidmac, sourcemac, NULL, /* addr4 */ 0, /* Fragment number */, 0); /* Sequence number */ lcpa_freeze(metapack, &txpack); stuff(); lcpa_free(metapack);
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 What can we do now? Kismet + Lorcon + Ruby Selective interaction with networks “Aggresssive” IDS attacking rogue networks in your building “Renderman friendly network decloak” … Send a probe req to a SSID w/ suspected names, let Kismet decloak response
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Putting it in the real world (AKA “the fun part of the talk”)
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Putting this in the real world Not a bunch of teenagers on MTV Already part of Metasploit LORCON + Ruby + MSF 220 lines of code All scripting code (native Ruby)
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 The inspiration Wifi session hijacking About 5 years ago, Airpwn was debuted by Toast at Defcon TCP stream hijacking on Everyone forgot about this... Not just for shock porn!
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Corps of Engineers Rerouting TCP streams “Ye Olde” 1990 shared media attack TCP is only “secure” against hijacking because the seq/ack numbers are random I see your seq/ack over wireless
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Anatomy of a Session Handshake (syn/synack/ack) Client-> Server “GET /foo HTTP/1.0” Seq 123 Ack 0 Server-> Client “HTTP headers, content” Seq 10 ack 189
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 What it takes Lets add this to MSF LORCON + Lorcon-Ruby wrapper Racket (Ruby packet creator) Ruby-PCAP A little TLC
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 An evil session Handshake Client->Server (GET) MSF <-Client (Hijack data) MSF <-Client (FIN!) Server <-Client (Real data, ignored)
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 In action msf > use auxiliary/spoof/wifi/airpwn msf auxiliary(airpwn) > set INTERFACE alfa0 INTERFACE => alfa0 msf auxiliary(airpwn) > set RESPONSE "Airpwn - MSF!" RESPONSE => Airpwn – MSF! msf auxiliary(airpwn) > run
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Results msf auxiliary(airpwn) > run [*] AIRPWN: Response packet has no HTTP headers, creating some. [*] Auxiliary module execution completed msf auxiliary(airpwn) > [*] AIRPWN: > HTTP GET [/files/racket/src/doc/] TCP SEQ
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 And because it's Ruby Fine tuning in YAML Regex matching Dynamic content generation File injection or fragment in runtime
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Step 3: Profit What does all this get us? Arbitrary HTTP content replacement
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Or in other words Full control of the DOM Control over forms Control over the browser environment Access to anything in the security context of the hijacked website
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Obviously scripted So we can replace content Big deal, what now? Nearly every web-2.0-y site uses gobs of background javascript What happens if we replace one of those?
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 It's not news, it's JS
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Fragments of JS Especially attractive as a target Totally invisible to the user Multiple requests = multiple opportunies to land attack Run in same privilege domain as web page
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 I'm in your browser … Rewriting your DOM DOM – Document Object Model Programmatic representation of page content Once we're in the DOM we can anything
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
It's not stupid, it's advanced var embeds = document.getElementsByTagName('div'); for(var i=0; i < embeds.length; i++){ if (embeds[i].getAttribute("class") == "cnnT1Img") { embeds[i].innerHTML = "..."; } else if (embeds[i].getAttribute("class") == "cnnT1Txt") { embeds[i].innerHTML = "..."; }}
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 DOM is tasty What other mischief can we do? Rewrite all forms to proxy through a logger Rewrite all HTTPS to HTTP Poison content topical to a conference?
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 HTTP, not so S var refs = document.getElementsByTagName('a'); for (var i = 0; i < refs.length; i++){ var rval = refs[i].getAttribute("href"); if (rval == null) { continue; } refs[i].setAttribute("href", rval.replace(/^ " }
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 This really matters This matters Like, a lot No, seriously
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Persistence pays off Who has read rsnakes VPN paper?
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Quick cache Short version: Browsers have cache Cache sticks around Users don't notice When I own your TCP session I own your cache control
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 In control Client fed spiked JS file Malicious content Cache headers say “keep for 10 years” Malicious file is re-used every time they revisit the site From inside their company network!
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Don't think it's a problem?
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 What can we do now? User has spiked, cached file Browser will re-use it Iframe attacks? Kaminsky socket/sucket? New browser exploits? But a user would NEVER go to twitter at work, right?
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Poison the well How many sites use Analytics? Loading urchin.js from the same url? And what happens if we poison that URL? For every site loading it
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Calling home to Mom Cache modified JS that loads content from an attacker-controlled server Maybe no good browser vulns this week? Wait for a browser 0day then flip the switch Everyone w/ cached callbacks gets owned
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 There are no innocents No website is “innocent” Websites that don't ask for logins are just as capable as feeding the browser exploits Any website can have browser-owning code
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Well aren't you clever I'm smart! I use a VPN! -or- I force my users to use a VPN via UAC This won't work against me!
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Yeah, but... Yeah, it wouldn't work... Except your browser has no concept of security domains Something cached in an insecure domain... Is still cached in a secure domain!
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 “Click OK to agree” Many hotspots have a landing page to agree to EULA Many landing pages are not encrypted Unencrypted page on an open network? Perfect target Now we can feed the user pre-VPN content
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Magic (h)8 ball If the attacker controls your pre-vpn landing page They control your browser They control what gets loaded Iframes? Pop-unders? AJAX?
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Americas top 40 Attacker hijacks VPN landing page Injects code to load things over AJAX Loads the top 40 pages the victim may be likely to visit in the background Cache-poison page requested in the background
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Smarter JS Attacker can examine fetched content If poison code not present... Request it again! We will load your website And hit it with a brick We will not run out of bricks
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Frequent landings Take it one step further VPN can access internal pages too, right? We control L2, right? Soo....
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Dumb Network Stuff Can we use LORCON to attack other protocols? Sure can! Racing DNS isn't hard Capture query, set QR bit, supply our own response
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Your intranet is showing We control DNS We control page query We can be sure a request went through What stops us guessing pages like ?
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Hint: Nothing Nothing! How about some JS that loads the original intranet content... Then crawls the DOM and ships it all off to the attacker via POST? Or rewrites your form DOMs to proxy out?
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Summary Kismet is easy to talk to LORCON is easy to write for Open wifi is terrifying