Upload
michele-chubirka
View
82
Download
2
Tags:
Embed Size (px)
Citation preview
Sweepin’ the Clouds Away
Demystifying Wireless Security
Using Open Source Tools
Who Am I?
• Michele Chubirka, aka "Mrs. Y.,” Security Architect and professional contrarian.
• Analyst, blogger, B2B writer, podcaster.
• Researches and pontificates on topics such as security architecture and best practices.
http://postmodernsecurity.com
https://www.novainfosec.com/author/mrsy/@MrsYisWhywww.linkedin.com/in/mchubirka/
Wireless Security Doesn’t Have To Be So Hard
• You don’t always need a consultant or a commercial tool.
• All you need is the desire to learn.
• Open source offers great options.
• You can learn about Wifi security by using open source hacking tools against your own WLAN.
Build Your Toolkit
• Wireless devices that support RFMON (monitor-mode).
• OSX supports this by default, Windows does not.
• For Windows or running a Linux-based VM, you’ll need an external device with the right drivers.
• Alfa USB devices are inexpensive alternatives to AirPcap and are also suitable for injection, but not all models support both 2.4 and 5 GHz.
• Tablets will work, but you’ll need Android and plan to “root” it.
• Apple disallows Wifi scanning apps, so you’ll need to jailbreak, which gets harder with every update.
Why You Need Monitor-Mode
• Monitor-mode (RFMON) allows a wireless interface the ability to capture 802.11 WLAN frames without being associated with a network.
• This capability is essential for performing reconnaissance against a network.
Check hardware compatibility guides for the tools you want to use. You’ll need to be able to put your tablet/phone in USB host mode. It may require jailbreaking/rooting.
Pentest Dropboxes aka “Creepers”
• Unobtrusive, form factor device used by pentesters to gain a backdoor into a target network.
• Can be used to perform a security profile of your WLAN infrastructure.
• Also used as an inexpensive monitoring tool.
Where You Can Get One
• Minipwner
• OG150
• PwnPi
Low cost open source alternatives to Pwnie Express.
Roll Your Own
• Raspberry Pi
• Intel NUC
• TP-Link portable routers running Open-Wrt.
• Pwnie Express even has a community edition you can build yourself.
Available Tools
• Aircrack-NG
• SSLStrip
• Tor
• Ettercap
• Kismet
Get A Pineapple
An inexpensive wireless network auditing tool. Highly customizable Wifi router, based on Open-Wrt and Jasager.
Features
• Stealth man-in-the-middle access point.
• Tethering via mobile device or PC.
• Remote management with persistent SSH tunnels.
• Relay and deauth attacks
Wireshark Is Your Friend
But there are other protocol analysis tools available.
Example: NetworkMiner
Wireshark in Monitor Mode
NetworkMiner Network Forensic Analysis Tool
Free and professional editions – can be used live or to parse PCAP files. Focuses on collecting data about hosts.
Kali Linux is filled with Wireless
Tools
Pentoo and Backbox
Fun with Wifi
• Kismet
– An open source WIDS that works with any wireless devices supporting monitor-mode.
• Aircrack-NG
– An open source reconnaissance, key-cracking and testing tool.
Kismet
Aircrack-NG
inSSIDer –notice any similarities?
Miscellaneous Tools
• MDK3 – attack tool
• CoWPAtty – WPA cracking tool
• Reaver – WPS attack tool
• WiFite – auditing tool
Some Basics
• Three types of WLAN frames
– Management
– Control
– Data
You can view all of these in a protocol analyzer, but only if your device supports monitor-mode. You can successfully attack them, but only if injection is supported.
What?
• SSID (service set identifier) is the name of a network.
• BSSIDs (basic SSID) identify access points and clients.
• An ESS (extended service set) consists of BSSs
Wireless Association
EAP occurs after this.
Passive Vs. Active WLAN Discovery
• Beacon frames are transmitted at regular intervals in all WLAN networks for passive client discovery.
• Active WLAN discovery occurs when client station sends Probe Request to AP and receives Probe Response.
• Passive discovery is more appropriate for reconnaissance.
• Kismet and Aircrack-NG are passive tools.
Who’s Out There?
Configuring a “monitor mode” wireless interface.
Airmon-ng start wlan0
Airodump-ng mon0
How To Find Hidden SSIDs
• Sniff in monitor-mode.
• Deauthenticate clients by injection with MDK3 or Aireplay-NG.
• Look for probe response, association, or reassociationpackets in protocol analyzer.
• Beacon, Probe Request, Probe Response and Association Request frames all contain the SSID.
Common Wireless Attacks• Beating MAC filters with spoofing.
• Cracking WEP through weak IVs.
• Brute force against WPS.
• Brute force of WPA/WPA2 PSK.
• DoS deauth attacks.
• Evil Twin or Rogue access points.
• MITM with SSLstrip.
• Café Latte – client WEP attack.
Protecting the WLAN
• By understanding common attack vectors, you can address weaknesses in your infrastructure.
• WIPS use attack methods such as deauths for rogue mitigation.
Caution
• In many countries it is unlawful to interfere with wireless signals.
• Marriott was fined $600k in October, 2014, for preventing hotel and conference guests from using personal hotspots, in violation of section 333 of the Communications Act of 1934.
47 U.S. Code § 333 - Willful or malicious interference
No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.
Demo?
Resources• Securitytube.net
• Hak5.org
• MyLittlePwny http://www.instructables.com/id/MyLittlePwny-Make-a-self-powered-pentesting-box-/
• Pwn Pi http://www.pwnpi.com/
• Minipwner http://www.minipwner.com/
• Podcast episode, “How Do I Pwn Thee?” http://packetpushers.net/healthy-paranoia-show-17-how-do-i-pwn-thee/
Questions?
Where Can You Find Me?
Michele Chubirka
Spending quality time in kernel
mode.
Fozzie before Kermit.
http://postmodernsecurity.com
Twitter @MrsYisWhy
Google+ MrsYisWhy
m