Shifting The Focus of WiFi Security
WiFi Security:
Beyond cracking your
neighbor's WEP key
Who are we and why do you care?
Replay/Injection Attacks
Fast but very noisy
Simple signatures
AP features that try to block (PSPF)
History of WPA Attacks / Why it doesn’t work
Pre-shared key
Requires catching both sides of a quick
handshake
Must be in range of client and AP
Enterprise
Nearly impossible to crack passively
Most EAP types are difficult (at best) to MiTM
The Well Guarded Door
Nearly 100% of attacks focus on the AP
APs are getting more and more secure
New features built into AP
PSPF / Client Isolation
Strong Authentication / Encryption
Lightweight controller based architecture
APs are no longer the unguarded back door
Well deployed with forethought for security
Well developed industry best practices
Take the Path of Least Resistance
Attack the Clients!
Tools have slowly appeared recently
Difficult to use
Odd requirements to make function
Attacking Client WEP Key
Wep0ff
Caffe-Latte
Hirte Attack
Attacking Client WPA Key
WPA-PSK
No public implementation
WPA-ENT
Freeradius-wpe (thanks Brad and Josh!)
Requires hardware AP
Attacking the Client
Many Separate Tools
Difficult to configure
Typically sparsely documented
Odd requirements and configurations
Until now…
Introducing Airbase-ng
Full monitor mode AP simulation, needs no
extra hardware
Merges many tools into one
Also works in Ad-hoc mode
New and improved, simplified implementations
Easy, fast, deadly (to encryption keys at least)
Airbase-ng Abilities
Evil Twin / Honey Pot
Karma
WEP attacks
WPA-PSK attacks
WPA-Enterprise attacks (coming soon)
Airbase-ng
Features
Soft AP
WEP
• Open/Shared auth
• Caffe Latte
• Hirte attack
Encrypt/Decrypt packets
Airbase-ng Features
Filtering to avoid disturbing nearby networks
AP Filters
BSSIDs
ESSIDs
Client filters
MAC Filtering (allow/disallow)
Airbase-ng Abilities
Soft AP:
airbase-ng -y -e myAP -c 5 -I 102 rausb0
ifconfig at0 up 192.168.0.254
ping/ssh/… it from the client
What are you, a blackhat?
No, seriously, this doesn’t promise a win
There are ways to defend as well
APs are finally being configured securely,
now clients must be as well
Simple Defenses
Proper Secure Client Configurations
Check the right boxes
GPO
A Step Beyond Crazy
WiFi Frequencies
.11b/g 2412-2462 (US)
.11a 5180-5320, 5745-5825 (US)
Does this look odd to anyone else?
Does the card really not have the ability to
use 5320-5740?
Licensed Bands
Some vendors carry licensed radios
Special wifi cards for use by military and
public safety
Typically expensive
Requires a license to even purchase
Frequencies of 4920 seem surprisingly
close to 5180
Can we do this cheaper?
Atheros and others sometimes support
more channels
Allows for 1 radio to be sold for many
purposes.
Software controls allowed frequencies
Who Controls the Software?
Sadly, typically the chipset vendors
Most wifi drivers in linux require binary
firmware
This firmware controls regulatory
compliance as well as purposing
What can we do?
Fortunately, most linux users don’t like
closed source binaries
For many reasons, fully open sourced
drivers are being developed
As these drivers become stable, we can
start to play
Let’s Play…
Madwifi-ng is driven by a binary HAL
Ath5k is the next gen fully open source
driver
Kugutsumen released a patch for
“DEBUG” regdomain
Allows for all *officially* supported
channels to be tuned to
Fun Comments in ath5k
/* Set this to 1 to disable regulatory domain restrictions for channel tests.
 * WARNING: This is for debugging only and has side effects (eg. scan takes too
 * long and results timeouts). It's also illegal to tune to some of the
 * supported frequencies in some countries, so use this at your own risk,
 * you've been warned. */
Comments (cont)
/*
* XXX The tranceiver supports frequencies from 4920 to 6100GHz
* XXX and from 2312 to 2732GHz. There are problems with the
* XXX current ieee80211 implementation because the IEEE
* XXX channel mapping does not support negative channel
* XXX numbers (2312MHz is channel -19). Of course, this
* XXX doesn't matter because these channels are out of range
* XXX but some regulation domains like MKK (Japan) will
* XXX support frequencies somewhere around 4.8GHz.
*/
New Toys
Yesterday
.11b/g 2412-2462 (US)
.11a 5180-5320, 5745-5825 (US)
Today
.11b/g 2192-2732 (DEBUG)
.11a 4800-6000 (DEBUG)
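The slides give the defender two concrete things to watch for: an evil twin / honeypot advertising your ESSID from a BSSID you do not own (the "Simple Defenses" slide), and beacons on frequencies a stock card can only reach once regulatory limits are removed (the "New Toys" slide). The check below is an added example, not code from the talk or from aircrack-ng; the AUTHORIZED inventory and the SAMPLE beacons are constructed, and the US ranges are the ones listed on the slides.

```python
"""Flag beacons a wireless IDS should raise: (a) our ESSID from a BSSID we do
not own (evil twin), (b) a centre frequency outside the US .11b/g and .11a
ranges quoted on the slides (only reachable with a DEBUG-style regdomain)."""
from collections import namedtuple

Beacon = namedtuple("Beacon", "bssid essid freq_mhz")

# US centre frequencies as listed on the slides (MHz, inclusive).
US_RANGES = ((2412, 2462), (5180, 5320), (5745, 5825))

# Constructed inventory: the BSSIDs that legitimately serve each ESSID.
AUTHORIZED = {
    "corp-wifi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

def in_us_band(freq_mhz):
    return any(lo <= freq_mhz <= hi for lo, hi in US_RANGES)

def classify(beacon, authorized=AUTHORIZED):
    """Return the list of findings for one beacon (empty if benign)."""
    findings = []
    owners = authorized.get(beacon.essid)
    if owners is not None and beacon.bssid.lower() not in owners:
        findings.append("evil-twin: %s advertised by unknown BSSID %s"
                        % (beacon.essid, beacon.bssid))
    if not in_us_band(beacon.freq_mhz):
        findings.append("out-of-band: %d MHz is outside US channels"
                        % beacon.freq_mhz)
    return findings

def scan_beacons(beacons, authorized=AUTHORIZED):
    """Map each offending BSSID to its findings; clean BSSIDs are omitted."""
    report = {}
    for b in beacons:
        found = classify(b, authorized)
        if found:
            report.setdefault(b.bssid, []).extend(found)
    return report

# Constructed sample: the real AP on channel 6, an impostor beside it, and a
# rogue at 4920 MHz, which only a regulatory-unlocked card can tune to.
SAMPLE = [
    Beacon("00:11:22:33:44:01", "corp-wifi", 2437),
    Beacon("de:ad:be:ef:00:01", "corp-wifi", 2437),
    Beacon("de:ad:be:ef:00:02", "guest", 4920),
]

if __name__ == "__main__":
    for bssid, findings in scan_beacons(SAMPLE).items():
        print(bssid, "->", "; ".join(findings))
```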
What is on these new freq?
2180.000 - 2200.000 Fixed Point-to-point (n-p)
2200.000 - 2290.000 DoD
2300.000 - 2310.000 Amateur
2390.000 - 2450.000 Amateur
2450.000 - 2500.000 Radio location
2500.000 - 2535.000 Fixed SAT
2500.000 - 2690.000 Fixed Point-to-point (n-p), Instructional TV
2655.000 - 2690.000 Fixed SAT
2690.000 - 2700.000 Radio Astronomy
2700.000 - 2900.000 DoD
Freq (cont)
Bibliography
http://www.willhackforsushi.com/FreeRADIUS-WPE.html
We will complete this and post this weekend