You think your Wifi is Safe?

Transcript

1. You think your Wifi is Safe? Rob Gillen @argodev

2. CodeStock is proudly partnered with: Send instant feedback on this

   session via Twitter: Send a direct message with the room number to @CodeStock d codestock 406 This session is great! For more information on sending feedback using Twitter while at CodeStock, please see the “CodeStock README” in your CodeStock guide. RecruitWise and Staff with Excellence - www.recruitwise.jobs

3. wintellect.com Founded by top experts on Microsoft – Jeffrey Richter,

   Jeff Prosise, and John Robbins – our mission is to help our customers achieve their goals through advanced software-based consulting and training solutions. Consulting & Debugging • Architecture, analysis, and design services • Full lifecycle custom software development • Content creation • Project management • Debugging & performance tuning Training • On-site instructor-led training • Virtual instructor-led training • Devscovery conferences Design • User Experience Design • Visual & Content Design • Video & Animation Production what we do who we are how we do it consulting training debugging design

4. Don’t Be Stupid The following presentation describes real attacks on

   real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on systems that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.

5. Disclaimer The content of this presentation represents my personal views

   and thoughts at the present time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.

6. Overview • Pre-Requisite Knowledge • Various Security Approaches • Tools

   and Attacks

7. Required Gear • Network Adapter that supports “Monitor” mode. –

   Equivalent to promiscuous mode on a normal NIC • Windows, MAC, or Linux – Linux tools tend to be more readily available

8. Wireless Packet Frames • Management Frames – Authentication – De-authentication

   – Association Request – Association Response – Re-association Request – Re-association Response – Disassociation – Beacon – Probe Request – Probe Response • Control Frames – Request to Send (RTS) – Clear to Send (CTS) – Acknowledgment (AWK) • Data Frames

9. Packet Sniffing • Filters: – wlan.fc.type • == 0 (mgmt

   frames) • == 1 (control frames) • == 2 (data frames) – wlan.fc.subtype • == 8 (beacons) • (wlan.fc.type == 0) && (wlan.fc.subtype == 8)

10. Packet Sniffing • Determine the channel of the network we

    are interested in – required for sniffing data packets – airodump-ng • iwconfig mon0 channel 11 (demo pre/post)

11. Packet Injection • aireplay-ng – Inject packets onto a specific

    wireless network without specific association to that network – Can target specific channels, mask MAC addresses, etc. – Does not require association

12. Regulatory Issues • Available Channels • Radio Power Levels –

    iw reg set US – iw reg set BO

13. DEMO: HIDDEN SSID

14. DEMO: Hidden SSID • Show packet capture with the SSID

    • Hide SSID • Prove it is now hidden • Solve for X – Passive (wait for valid client) – wireshark filter – Use aireplay-ng to send deauth packet to force the discovery • Probe Request/Probe Response packets

15. DEMO: MAC FILTERS

16. DEMO: MAC Filters • Enable MAC Filtering on the WAP

    • Prove that a client cannot connect • Use airodump-ng to show associated clients • Use macchanger to spoof the whitelisted address and connect.

17. DEMO: SHARED KEY AUTHENTICATION

18. DEMO: Shared Key Authentication • Illustration (steal picture from Wikipedia/netgear?)

    • Configured AP for Shared Key/Update Client • Use airodump-ng to capture/log the authentication scheme + keystream – Wait for valid client or send deauth pkt • Use aireplay-ng to pass back the captured auth pkt • TIP: DOS by filling up AP tables (wrapper around airreplay-ng)

19. DEMO: WEP ENCRYPTION

20. DEMO: WEP Encryption • Capture data packets (ARP) from a

    known/trusted client (airodump-ng) • Replay them/re-inject between 10- 100,000 times (aireplay-ng) • Crack them (aircrack-ng) • “Guaranteed” crack

21. DEMO: WPA/2 ENCRYPTION

22. DEMO: WPA/2 Encryption • Vulnerable to dictionary attacks • Collect

    authentication handshake • Select dictionary file and run the cracker • Works for WPA, WPA2, AES, TKIP

23. Tools

24. Tools • Jasegar (Pineapple IV) • I can be anything

    you want me to be

25. Man-In-The-Middle

26. Man-In-The-Middle

27. Man-In-The-Middle

28. Man-In-The-Middle

29. Tools • Reaver Pro (WPS Exploit) • 4-10 hours and

    your network is mine

30. What is Safe? • Stop using Wi-Fi • Avoid open

    Wi-Fi networks • Always use SSL • Use VPN • Disable Auto-Connect… on *all* devices • Hard/complex network keys • WPA-Enterprise / RADIUS / PEAP / EAP-TTLS • Disable WPS!

31. Equipment List • Two Laptops • Any Wireless Access Point

    • Alfa Card http://www.amazon.com/gp/product/B002BFMZR8 • Yagi Antenna http://www.amazon.com/gp/product/B004L0TKW4 • Reaver Kit http://hakshop.myshopify.com/products/reaver -pro • WiFi Pinapple http://hakshop.myshopify.com/collections/fro ntpage/products/wifi-pineapple

32. Learning More • http://www.securityfocus.com • http://www.aircrack-ng.org • http://raulsiles.com/resources/wif i.html •

    http://www.willhackforsushi.com

33. Questions/Contact Rob Gillen [email protected] http://rob.gillenfamily.net @argodev