KARMA KARMA Attacks Radioed Machines Automatically Kurt GrutzmacherGarrett Gee BayLISA – 02/18/06.

Slides:



Advertisements
Similar presentations
Overview How to crack WEP and WPA
Advertisements

“All your layer are belong to us” Rogue APs, DHCP/DNS Servers, and Fake Service Traps.
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy
1 MD5 Cracking One way hash. Used in online passwords and file verification.
How secure are b Wireless Networks? By Ilian Emmons University of San Diego.
Security Awareness Chapter 5 Wireless Network Security.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
How To Not Make a Secure Protocol WEP Dan Petro.
Network Security Testing Techniques Presented By:- Sachin Vador.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Security Awareness: Applying Practical Security in Your World
Man in the Middle Paul Box Beatrice Wilds Will Lefevers.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
Analysis of Privacy Jim McCann & Daniel Kuo EECS 598.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 6 Wireless Network Security.
WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.
Wireless Networking. Wi-Fi or Uses radio waves (like cell phones, tv and radio). Just like wired networking except without the wires. A hot spot.
CCNA Exploration Semester 3 Modified by Profs. Ward and Cappellino
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
 Any unauthorized device that provides wireless access  Implemented using software, hardware, or a combination of both  It can be intentional or unintentionally.
1 Configuring Linksys Wireless Router Prof. Valencia Community College.
Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.
1. A router is a device in computer networking that forwards data packets to their destinations, based on their addresses. The work a router does it called.
Demonstration of Wireless Insecurities Presented by: Jason Wylie, CISM, CISSP.
Securing a Wireless Network
Norman SecureSurf Protect your users when surfing the Internet.
195Eg Ethernet Wired LAN 195Eg. Wireless Ethernet Setting IP Address Using Utility Programs Begin Programming Definition Selection Programming Modes of.
© 2013 The McGraw-Hill Companies, Inc. All rights reserved Mike Meyers’ CompTIA A+ ® Guide to 802: Managing and Troubleshooting PCs Fourth Edition (Exam.
Ch. 5 – Access Points. Overview Access Point Connection.
Wireless Hotspot Security
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Wireless Router LAN Switching and Wireless – Chapter 7.
Ft. Smith Evil Twin Access Points: For fun but no profit.
Wireless Network Security Dr. John P. Abraham Professor UTPA.
Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Module 14: Configuring Server Security Compliance
BY OLIVIA WILSON AND BRITTANY MCDONALD Up Your Shields with Shields Up!
Presented by: Dr. Munam Ali Shah
Environment => Office, Campus, Home  Impact How, not Whether A Checklist for Wireless Access Points.
1 C-DAC/Kolkata C-DAC All Rights Reserved Computer Security.
1. Insert the Resource CD into your CD-ROM drive, click Start and choose Run. In the field that appears, enter F:\XXX\Setup.exe (if “F” is the letter of.
CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.
Hands-On Ethical Hacking and Network Defense Lecture 14 Cracking WEP Last modified
Wireless Networking & Security Greg Stabler Spencer Smith.
Module 8: Designing Security for Authentication. Overview Creating a Security Plan for Authentication Creating a Design for Security of Authentication.
Attacking Automatic Wireless Network Selection Dino A. Dai Zovi and Shane A. Macaulay
Resnet Enhancements and Directions Part 1, Bruce Campbell, Information Systems and Technology.
Link-Layer Protection in i WLANs With Dummy Authentication Will Mooney, Robin Jha.
Wireless Security John Himmelein Erick Andrew Christian Adam Varun Bapna.
SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.
How To Not Make a Secure Protocol WEP Dan Petro.
Wireless Security Presented by Colby Carlisle. Wireless Networking Defined A type of local-area network that uses high-frequency radio waves rather than.
Securing A Wireless Home Network. Simple home wired LAN.
1 © 2004, Cisco Systems, Inc. All rights reserved. Wireless LAN (network) security.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
By: Brett Belin. Used to be only tackled by highly trained professionals As the internet grew, more and more people became familiar with securing a network.
Wireless Security - Encryption Joel Jaeggli For AIT Wireless and Security Workshop.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Wireless Ethernet Programming
Instructor Materials Chapter 6 Building a Home Network
Wireless Technologies
Wireless Network Security
Wireless LAN Security 4.3 Wireless LAN Security.
802.11b Wireless Network Security
WLAN Security Antti Miettinen.
Network hardening Chapter 14.
Presentation transcript:

KARMA KARMA Attacks Radioed Machines Automatically Kurt GrutzmacherGarrett Gee BayLISA – 02/18/06 (Slides loving ripped from

2/18/06KARMA2 Who we are Penetration testers for a large financial institution in the Bay area Many years combined experience in performing assessments, red teaming, exploring vulnerabilities, etc.

2/18/06KARMA3 Hackers, Meet Microsoft "The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network. 'It was just silent,' said Stephen Toulouse, a program manager in Microsoft's security unit. 'You couldn't hear anybody breathe.' The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color."lured a Windows laptop onto a malicious wireless network

2/18/06KARMA4 KARMA History First shown at PACSEC’04 ImmunitySec Shindig 01/17/05 Microsoft BlueHat CanSec/Core’05 IEEE Information Assurance Workshop Still updating, refining, improving…

2/18/06KARMA5 Motivation behind KARMA Wireless networks are becoming secure –Improved Encryption systems (WPA) –MAC address filtering –Hidden networks (SSID cloaking) Mobile clients bridge across time –Connect to secure AND insecure networks (conferences, hotels, airports, café) –Can be compromised on an airplane and spread to secure work network –Security of the most secure network depends upon the security of the lease secure network

2/18/06KARMA6 More Motivation Paradigm shift to new wireless threat –Attacking the wireless client Nightmare scenario –Target: Identify wireless clients –Position: Get on same network as victim –Attack: Exploit client-side vulnerabilities to install persistent agent –Subvert: Agent gives attacker remote access to secure networks that client connects to

2/18/06KARMA7 Recent Wireless Research ShmooCon’06 –“Wi-Fi trickery, or how to secure, break and have fun with Wi-Fi” by Laurent Butti and Franck Veysset –“VoIP WiFi phone security analysis” by Shawn Merdinger –“The Church of Wi-Fi presents: An Evil Bastard, A Rainbow and a Great Dane!” by Renderman, Thorn, Dutch, and Joshua Wright –“Hacking the Friendly Skies” by Simple Nomad –“Bitchslapping Wireless IDS/IPS appliances” by Eldon Sprickerhoff

2/18/06KARMA8 Automatic Wireless Network Selection Its purpose is to (re)connect to trusted known wireless networks Operating System maintains list of Trusted/Preferred wireless Networks –Records the SSID and Encryption method Preferred networks are automatically connected when available –Windows: Continuously searches when the wireless card is on and not associated to another network –MacOSX: Search only when user logs on or when returning from sleep mode.

2/18/06KARMA9 WindowsXP Wireless Auto Configuration Algorithm Client builds a list of available networks –Send broadcast Probe Request on each channel

2/18/06KARMA10 Access Points within range respond with Probe Responses Wireless Auto Configuration Algorithm

2/18/06KARMA11 If Probe Responses are received for networks in preferred networks list: –Connect to them in preferred networks list order Otherwise, if no available networks match preferred networks: –Specific Probe Requests are sent for each preferred network in case networks are “hidden” Wireless Auto Configuration Algorithm

2/18/06KARMA12 Wireless Auto Configuration Algorithm If still not associated and there is an ad-hoc network in preferred networks list, create the network and become first node –Uses self-assigned IP address ( Y.Z)

2/18/06KARMA13 Wireless Auto Configuration Algorithm Finally, if “Automatically connect to non-preferred networks” is enabled (disabled by default), connect to networks in order they were detected Otherwise, wait for user to select a network or preferred network to appear –Set card’s desired SSID to random 32-char value, Sleep for minute, and then restart algorithm

2/18/06KARMA14 Weaknesses in Wireless Auto Configuration Information Disclosure –Specific Probe Requests reveal SSIDs of preferred networks Spoofing –Unencrypted networks are identified and authenticated only by SSID Unintended Behavior –An ad-hoc network in Preferred Networks List turns a wireless client into an Access Point

2/18/06KARMA15 Getting Ready for Attack Join ad-hoc network created by target –Sniff network to discover self-assigned IP ( Y.Z) Create a stronger signal for currently associated network –While associated to a network, clients send Probe Requests for same network to look for stronger signal Create a (more) Preferred Network –Spoof disassociation frames to cause clients to restart scanning process –Sniff Probe Requests to discover Preferred Networks –Create a network with SSID from Probe Request

2/18/06KARMA16 Attacking Auto Configuration Attacker spoofs disassociation frame to victim Client sends broadcast and specific Probe Requests again –Attacker discovers networks in Preferred Networks list (e.g. linksys, MegaCorp, t-mobile)

2/18/06KARMA17 Attacking Auto Configuration Attacker creates a rogue access point with SSID MegaCorp

2/18/06KARMA18 Attacking Auto Configuration Victim associates to attacker’s fake network –Even if preferred network was WEP (XP SP 0) Attacker can supply DHCP, DNS, …, servers Attacker exerts a significant amount of control over victim

2/18/06KARMA19 Improving the Attack Parallelize –Attack multiple clients at once Expand scope –Act as any networks that any client is looking for Simplify –Don’t require learning preferred networks before beginning attack Increase availability –Attack continuously

2/18/06KARMA20 Performing the Attack Laptop runs software base station –Possibly with antenna, amplifiers AP responds to any Probe/Assoc Request Clients within range join what they think is one of their Preferred Networks –Client A thinks it is on “linksys” –Client B thinks it is on “t-mobile” –Client C thinks it is on “hhonors” Any client with at least one unencrypted preferred network will join if no legitimate preferred networks are present

2/18/06KARMA21 Back to Wireless Auto Config Remember how SSID is set to random value? The card sends out Probe Requests for it We respond w/ Probe Response Card associates Host brings interface up, DHCPs an address, etc. Verified on Windows XP SP2 w/ PrismII and Orinoco (Hermes) cards Fixed in Longhorn

2/18/06KARMA22 Vulnerable PNL Configurations If there are no networks in the Preferred Networks List, random SSID will be joined If all networks in PNL are encrypted, random SSID will have left-over WEP configuration (attacker will have to guess key) –We supply the challenge, victim replies with challenge XOR RC4 keystream –Our challenge is … –We get first 144 bytes of keystream for a given IV If there are any unencrypted networks in PNL, host will associate to our modified Access Point.

2/18/06KARMA23 Apple MacOS X MacOS X AirPort (but not AirPort Extreme) has similar issues MacOS X maintains list of trusted wireless networks –User can’t edit it, it’s an XML file base64-encoded in another XML file When user logs in or system wakes from sleep, a probe is sent for each network –Only sent once, list isn’t continuously sent out –Attacker has less of a chance of observing it If none are found, card’s SSID is set to a dynamic SSID – With 40-bit WEP enabled –… but to a static key After waking from sleep, SSID is set to “dummy SSID” –Will associate as plaintext or 40-bit WEP with above key MacOS X 10.4 (“Tiger”) has GUI to edit list of trusted wireless networks

2/18/06KARMA24 Defenses? Keep wireless card turned off when not using a wireless network Only keep secure networks in Preferred Networks List Remove insecure network from PNL immediately after done using it Prevent mobile clients from connecting to sensitive networks

2/18/06KARMA25 Lets get some KARMA Track clients by MAC address –Identify state: scanning/associated –Record preferred networks by capturing Probe Requests –Display signal strength of packets from client Allows targeting a specific client –Create a network they will automatically associate to Identify insecure wireless clients that will join rogue networks “Kismet” for wireless clients

2/18/06KARMA26 KARMA Probe Monitor

2/18/06KARMA27 KARMA Wireless and client-side attack and assessment toolkit Modules attack multiple layers as hostile server or Man- in-the-Middle –802.11: Modified MADWiFi driver answers all Probe/Assoc Requests –DHCP: Rogue DHCP server points client at our DNS server –DNS: Rogue DNS Server responds to all queries with our IP address –POP3/FTP: Servers capture plaintext credentials –HTTP: Attack web server redirects any query to browser exploits or acts as transparent proxy

2/18/06KARMA28 DEMO?

2/18/06KARMA29 …and in conclusion Demonstrated weaknesses and vulnerabilities in Automatic Wireless Network Selection –Allows attacker to put victim on hostile subnet Firewalls commonly on by default, but clients still initiate a lot of traffic –Automatic updates –Browsing (NetBIOS, Rendezvous/Bonjour) Rise in client-side vulnerabilities Mobile clients are a risk to secure networks Assess risk of wireless clients with KARMA –

Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.