38
Sweepin’ the Clouds Away Demystifying Wireless Security Using Open Source Tools

Demystifying Wireless Security Using Open Source Options

Embed Size (px)

Citation preview

Page 1: Demystifying Wireless Security Using Open Source Options

Sweepin’ the Clouds Away

Demystifying Wireless Security

Using Open Source Tools

Page 2: Demystifying Wireless Security Using Open Source Options

Who Am I?

• Michele Chubirka, aka "Mrs. Y.,” Security Architect and professional contrarian.

• Analyst, blogger, B2B writer, podcaster.

• Researches and pontificates on topics such as security architecture and best practices.

[email protected]

http://postmodernsecurity.com

https://www.novainfosec.com/author/mrsy/@MrsYisWhywww.linkedin.com/in/mchubirka/

Page 3: Demystifying Wireless Security Using Open Source Options

Wireless Security Doesn’t Have To Be So Hard

• You don’t always need a consultant or a commercial tool.

• All you need is the desire to learn.

• Open source offers great options.

• You can learn about Wifi security by using open source hacking tools against your own WLAN.

Page 4: Demystifying Wireless Security Using Open Source Options

Build Your Toolkit

• Wireless devices that support RFMON (monitor-mode).

• OSX supports this by default, Windows does not.

• For Windows or running a Linux-based VM, you’ll need an external device with the right drivers.

• Alfa USB devices are inexpensive alternatives to AirPcap and are also suitable for injection, but not all models support both 2.4 and 5 GHz.

• Tablets will work, but you’ll need Android and plan to “root” it.

• Apple disallows Wifi scanning apps, so you’ll need to jailbreak, which gets harder with every update.

Page 5: Demystifying Wireless Security Using Open Source Options

Why You Need Monitor-Mode

• Monitor-mode (RFMON) allows a wireless interface the ability to capture 802.11 WLAN frames without being associated with a network.

• This capability is essential for performing reconnaissance against a network.

Page 6: Demystifying Wireless Security Using Open Source Options

Check hardware compatibility guides for the tools you want to use. You’ll need to be able to put your tablet/phone in USB host mode. It may require jailbreaking/rooting.

Page 7: Demystifying Wireless Security Using Open Source Options

Pentest Dropboxes aka “Creepers”

• Unobtrusive, form factor device used by pentesters to gain a backdoor into a target network.

• Can be used to perform a security profile of your WLAN infrastructure.

• Also used as an inexpensive monitoring tool.

Page 8: Demystifying Wireless Security Using Open Source Options

Where You Can Get One

• Minipwner

• OG150

• PwnPi

Low cost open source alternatives to Pwnie Express.

Page 9: Demystifying Wireless Security Using Open Source Options
Page 10: Demystifying Wireless Security Using Open Source Options

Roll Your Own

• Raspberry Pi

• Intel NUC

• TP-Link portable routers running Open-Wrt.

• Pwnie Express even has a community edition you can build yourself.

Page 11: Demystifying Wireless Security Using Open Source Options

Available Tools

• Aircrack-NG

• SSLStrip

• Tor

• Ettercap

• Kismet

Page 12: Demystifying Wireless Security Using Open Source Options

Get A Pineapple

An inexpensive wireless network auditing tool. Highly customizable Wifi router, based on Open-Wrt and Jasager.

Page 13: Demystifying Wireless Security Using Open Source Options

Features

• Stealth man-in-the-middle access point.

• Tethering via mobile device or PC.

• Remote management with persistent SSH tunnels.

• Relay and deauth attacks

Page 14: Demystifying Wireless Security Using Open Source Options

Wireshark Is Your Friend

But there are other protocol analysis tools available.

Example: NetworkMiner

Page 15: Demystifying Wireless Security Using Open Source Options

Wireshark in Monitor Mode

Page 16: Demystifying Wireless Security Using Open Source Options

NetworkMiner Network Forensic Analysis Tool

Free and professional editions – can be used live or to parse PCAP files. Focuses on collecting data about hosts.

Page 17: Demystifying Wireless Security Using Open Source Options

Kali Linux is filled with Wireless

Tools

Page 18: Demystifying Wireless Security Using Open Source Options

Pentoo and Backbox

Page 19: Demystifying Wireless Security Using Open Source Options

Fun with Wifi

• Kismet

– An open source WIDS that works with any wireless devices supporting monitor-mode.

• Aircrack-NG

– An open source reconnaissance, key-cracking and testing tool.

Page 20: Demystifying Wireless Security Using Open Source Options

Kismet

Page 21: Demystifying Wireless Security Using Open Source Options

Aircrack-NG

Page 22: Demystifying Wireless Security Using Open Source Options

inSSIDer –notice any similarities?

Page 23: Demystifying Wireless Security Using Open Source Options

Miscellaneous Tools

• MDK3 – attack tool

• CoWPAtty – WPA cracking tool

• Reaver – WPS attack tool

• WiFite – auditing tool

Page 24: Demystifying Wireless Security Using Open Source Options

Some Basics

• Three types of WLAN frames

– Management

– Control

– Data

You can view all of these in a protocol analyzer, but only if your device supports monitor-mode. You can successfully attack them, but only if injection is supported.

Page 25: Demystifying Wireless Security Using Open Source Options

What?

• SSID (service set identifier) is the name of a network.

• BSSIDs (basic SSID) identify access points and clients.

• An ESS (extended service set) consists of BSSs

Page 26: Demystifying Wireless Security Using Open Source Options

Wireless Association

EAP occurs after this.

Page 27: Demystifying Wireless Security Using Open Source Options

Passive Vs. Active WLAN Discovery

• Beacon frames are transmitted at regular intervals in all WLAN networks for passive client discovery.

• Active WLAN discovery occurs when client station sends Probe Request to AP and receives Probe Response.

• Passive discovery is more appropriate for reconnaissance.

• Kismet and Aircrack-NG are passive tools.

Page 28: Demystifying Wireless Security Using Open Source Options

Who’s Out There?

Configuring a “monitor mode” wireless interface.

Airmon-ng start wlan0

Airodump-ng mon0

Page 29: Demystifying Wireless Security Using Open Source Options
Page 30: Demystifying Wireless Security Using Open Source Options

How To Find Hidden SSIDs

• Sniff in monitor-mode.

• Deauthenticate clients by injection with MDK3 or Aireplay-NG.

• Look for probe response, association, or reassociationpackets in protocol analyzer.

• Beacon, Probe Request, Probe Response and Association Request frames all contain the SSID.

Page 31: Demystifying Wireless Security Using Open Source Options

Common Wireless Attacks• Beating MAC filters with spoofing.

• Cracking WEP through weak IVs.

• Brute force against WPS.

• Brute force of WPA/WPA2 PSK.

• DoS deauth attacks.

• Evil Twin or Rogue access points.

• MITM with SSLstrip.

• Café Latte – client WEP attack.

Page 32: Demystifying Wireless Security Using Open Source Options

Protecting the WLAN

• By understanding common attack vectors, you can address weaknesses in your infrastructure.

• WIPS use attack methods such as deauths for rogue mitigation.

Page 33: Demystifying Wireless Security Using Open Source Options

Caution

• In many countries it is unlawful to interfere with wireless signals.

• Marriott was fined $600k in October, 2014, for preventing hotel and conference guests from using personal hotspots, in violation of section 333 of the Communications Act of 1934.

Page 34: Demystifying Wireless Security Using Open Source Options

47 U.S. Code § 333 - Willful or malicious interference

No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.

Page 35: Demystifying Wireless Security Using Open Source Options

Demo?

Page 36: Demystifying Wireless Security Using Open Source Options

Resources• Securitytube.net

• Hak5.org

• MyLittlePwny http://www.instructables.com/id/MyLittlePwny-Make-a-self-powered-pentesting-box-/

• Pwn Pi http://www.pwnpi.com/

• Minipwner http://www.minipwner.com/

• Podcast episode, “How Do I Pwn Thee?” http://packetpushers.net/healthy-paranoia-show-17-how-do-i-pwn-thee/

Page 37: Demystifying Wireless Security Using Open Source Options

Questions?

Page 38: Demystifying Wireless Security Using Open Source Options

Where Can You Find Me?

Michele Chubirka

Spending quality time in kernel

mode.

Fozzie before Kermit.

http://postmodernsecurity.com

Twitter @MrsYisWhy

Google+ MrsYisWhy

[email protected]

m