Shifting the Focus of WiFi Security:

1
We need a special holiday to honor the countless
kind souls with unsecured networks named
'linksys'.
www.xkcd.com
2
If you're not cool enough to do it manually, you
can look up tools like Upside-Down-Ternet for
playing games with people on your wifi.
www.xkcd.com
3
I hear this is an option in the latest Ubuntu
release.
isnt BackTrack 4 based on Ubuntu
www.xkcd.com
4
(No Transcript)
5
802.11 ObgYn

• Spread your Spectrum

6
IEEE 802.11y

• 802.11o is a reserved and unused letter
• When I submitted this talk, I didnt realize that
  802.11y had been ratified
• This really ruined my joke name
• Sadly, I dont have an 802.11y card or driver so
  we will not be discussing 3650-3700MHz
• I really hope this doesnt disappoint anyone, I
  will try to make it up to you all next time

7
Who am I and why do you care?

• Rick Zero_Chaos Farina
• Senior Wireless Security Researcher for AirTight
  Networks
• Aircrack-ng Team Member
• Embedded Development
• Maverick Hunter Rank S

8
You might remember me from such things as
9
Walking into my own talk late at Defcon 16
10
Rudely interrupting other people's talks...
11
...and inciting hackers to riot
12
Now I'm back!

• Today's Agenda
• Freq Update
• Updated patches
• Updated information
• Unusual Encryption
• Like what?
• How to detect it
• Wireless Intrusion Detection and Prevention
• What is it?
• How it works

13
Standard DISCLAIMER

• Some of the topics in this presentation may be
  used to break the law in new and exciting ways
• of course I do not recommend breaking the law and
  it is your responsibility to check your local
  laws and abide by them.
• DO NOT blame me when a three letter organization
  knocks on your door.
• I am not an expert, this is all based on my
  research and dumb luck.

14
Contest

• Find the AP
• I have hidden an AP somewhere in the airwaves
• Report the center frequency of operation, SSID,
  and mac address to win
• (Insiders and friends are not eligible)

15
Spoils (first winner only)

• Find the AP before the end of the talk
• Ubiquiti Super Range Cardbus wifi card
• Your face in the video if you are right
• Public embarrassment if you are wrong
• Find the AP before 1700
• 50 towards a nice Atheros card
• Find the AP after 1700
• Hearty handshake and a pat on the back

game may end early due to unforeseen hardware
failure
16
We have discussed this before

• WiFi Frequencies
• .11b/g 2412-2462 (US)
• .11a 5180-5320, 5745-5825 (US)
• (regulatory settings from kernel old reg)
• Obviously makes no sense
• Does the card really not have the ability to use
  5320-5745?

DFS channels excluded due to driver limitations
17
Licensed Bands

• Some vendors make special licensed radios
• Special wifi cards for use by military and public
  safety
• Typically very expensive
• Frequencies of 4920 seem surprisingly close to
  5180

18
Manufacturers are cheap

• Atheros and others sometimes support more
  channels
• Allows for 1 radio to be sold for many purposes.
• Software controls allowed frequencies

19
Who Controls the Software?

• Yesterday
• Most wifi drivers in Linux require binary
  firmware of some kind
• Controls anything the vendor wants
• Today
• More and more vendors are going fully open source

20
Who do we like for this stuff?
Preferred Undesirable
Intel Marvell
Atheros Ralink
Broadcom

• Closed Source (sometimes buggy) Firmware.
• Developers working with the community.

• Ignores requests for chipset docs.
• Releases completely closed source binary drivers.

• Fully Open Source Drivers.
• Developers working with the community.

21
Our Playground

• Madwifi-ng was driven by a binary HAL
• Ath5k is the fully open source driver now in the
  kernel
• Kugutsumen released a patch for DEBUG regdomain
• Allows for all officially supported channels to
  be tuned to

22
Fun Comments in ath5k

• / Set this to 1 to disable regulatory domain
  restrictions for channel tests.
• WARNING This is for debuging only and has
  side effects (eg. scan takes too
• long and results timeouts). It's also illegal
  to tune to some of the
• supported frequencies in some countries, so
  use this at your own risk,
• you've been warned. /

23
Comments (cont)

• /
• XXX The tranceiver supports frequencies from
  4920 to 6100GHz
• XXX and from 2312 to 2732GHz. There are
  problems with the
• XXX current ieee80211 implementation because
  the IEEE
• XXX channel mapping does not support negative
  channel
• XXX numbers (2312MHz is channel -19). Of
  course, this
• XXX doesn't matter because these channels are
  out of range
• XXX but some regulation domains like MKK
  (Japan) will
• XXX support frequencies somewhere around
  4.8GHz.
• /

24
New Toys

• Yesterday
• .11b/g 2412-2462 (US)
• .11a 5180-5320, 5745-5825 (US)
• Today
• Ubiquiti SRC
• .11b/g 2192-2732
• .11a 4800-6000
• Linksys WPC55AG ver 1.3
• .11b/g 2277-2484
• .11a 4800-6000

25
Spectrum Analyzer

• Fully tested frequencies
• Sadly no one would let me borrow a SA
• Warning This will differ from card to card
• Ive already lost a few wifi cards

26
What is on these new freq?
2180.000 - 2200.000 Fixed Point-to-point
(n-p) 2200.000 - 2290.000 DoD 2300.000 -
2310.000 Amateur 2390.000 - 2450.000
Amateur 2450.000 - 2500.000 Radio
location 2500.000 - 2535.000 Fixed
SAT 2500.000 - 2690.000 Fixed Point-to-point
(n-p), Instructional TV 2655.000 - 2690.000
Fixed SAT 2690.000 - 2700.000 Radio
Astronomy 2700.000 - 2900.000 DoD
27
Freq (cont)
4400.000 - 4990.000 DoD 4990.000 -
5000.000 Meteo - Radio Astronomy 5250.000 -
5650.000 Radio Location - Coastal Radar 5460.000
- 5470.000 Radio Nav - General 5470.000 -
5650.000 Meteo - Ground-based Radar 5650.000 -
5925.000 Amateur 5800.000
ISM 5925.000 - 6425.000 Common Carrier and
Fixed SAT
28
Limitations

• Many real licensed implementations are broken
• Card reports channel 1 but is actually on 4920MHz
  or some such
• This is done to make it easy to use existing
  drivers
• This breaks many open source applications

29
Airodump-ng

• Airodump-ng now supports a list of frequencies to
  scan rather than channels
• Only channels are shown in display, may be wrong
• Strips vital header information off of packet so
  data saved from extended channels is useless

30
Improvement Was Needed

• Sniffers were too trusting, they believed what
  they saw
• Never intended to deal with oddly broken
  implementations such as channel number fudging
• Sniffers had to mature to report more reality,
  and less assumptions

31
Kismet

• Kismet-newcore fully supports frequency ranges
• Displays channels AND frequency in display
• Saves pcap files with usable headers
• dragorn just generally rocks

32
Kismet-Newcore

• Usable now in SVN from kismetwireless.net
• Would have been a Kismet-Test1 release for
  Shmoocon but setting up freeradius sucks. Bad.
• New UI, better logging, improved IDS features,
  Plugins, new mapping SW on its way
• Autoconfig device support
• Multiple protocol support via plugins DECT
  cordless phone sniffing
• -dragorn

33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
(No Transcript)
37
Kernel Regulatory Changes

• old reg depreciated soon
• Contains very few static regulatory domains
• Built right into kernel
• New userspace Central Regulatory Domain Agent
• Userspace app called by udev named crda
• Takes input from visible AP or user through iw
• Sets accurate reg domain based on country
• Uses separate wireless-regdb with contains
  country information

38
Ath5k frequency patches

• Old ath5k patches
• Completely removed tx
• No way to control tx
• If you are in any mode but monitor you ARE
  breaking the law
• New Ath5k patches
• No patch for old reg
• crda controls which freq you can tx on
• Able to use card safely within the law

39
Patch released

• New ath5k patch released for vanilla kernel
  2.6.28.x
• I can't support every distro
• Available from aircrack-ng svn
• Included directions for required userspace tools
• Patch available for wireless-regdb
• US only (willing to add more on request)
• Binary regulatory.bin will be made available
• Willing to add capabilities for Licensed
  Professional and Amateur operations

40
Future Research in this Area

• Kernel Acceptance
• Need to fix a few minor bugs
• Ath9k support
• Yes, these can be extended as well
• Ralink support
• I've got a hot tip that these support much fun

41
Final Thoughts on Frequencies

• Remember everyone here is a white hat
• Please use your new found knowledge for good not
  evil
• In the United States it is LEGAL to monitor all
  radio frequencies
• Have fun

42
Unusual Crypto

• What do we know?
• Kismet and Airodump-ng detect 802.11 encryptions
• WEP/WEP/DWEP/LEAP
• WPA/WPA2 PSK/802.1x
• EAP types used

43
Have you ever seen

• a WEP network invulnerable to replay?
• Open AP that you cannot connect to?
• 802.11 on Spectrum Analyzer but an empty pcap
  file?

44
Symbol Keyguard

• TKIP encryption implementation based on the
  forthcoming 802.11i standard
• Kerberos V5 based mobile security
• EAP/TLS with 802.1X port-based Network Access
  Control or RADIUS
• Really it is just pre-standard tkip
• Replay prevention
• Detected as WEP by Kismet and Airodump-ng
• Thanks to pcap donations, Kismet is adding
  detection

45
(No Transcript)
46
Government Crypto (Type 3 or 4)

• Type 4
• (Exportable) 40bit non-sense
• Type 3
• Cranite
• Appears defunct
• Fortress
• FIPS 140-2
• 802.11i

47
Huh?

• Government Crypto Precursors to 802.11i
• Cranite
• Fortress
• Hardware or software encryption/decryption
• Strong encryption (Typically AES)
• Strong Authentication (Typically certificates)

48
Unencrypted ?
49
Does this look unencrypted to you?
50
Government Crypto (Type 1)

• Harris Secnet 11
• Intersil Prism 2 and Harris Sierra CryptoTM
  Module
• Encrypts entire MPDU
• Essentially Invisible
• Harris Secnet 54
• Modular separation between encrypter and radio
• Compatible with COTS equipment
• Layer 2 and/or 3 encryption available

51
Invisible?

• / Allow CRC errors
  through /
• if (rs.rs_status
  AR5K_RXERR_CRC)
• goto accept

Super Special thanks to dragorn for writing this
in like 6 seconds for me
52
Pcap beg

• Am I looking for something that you have?
• Do you know of an encryption that I didnt
  mention?
• Have you found something just plain odd?
• SEND ME PCAPS
• sidhayn_at_gmail.com

53
WIDS/WIPS

• Wireless Intrusion Detection System
• Early products
• Noise maker
• Wireless Intrusion Prevention System
• Later Products
• Log events
• Auto-classify devices
• Prevent wireless threats in real time

54
Hybrid vs Overlay

• Hybrid
• Access Points double as Sensors
• Typically ignores client behavior
• Every tick spent doing security mean no data
  transport
• No additional hardware to buy
• Some of these can be fixed by deploying as
• Overlay
• Dedicated Sensors to handle security
• Spends 100 of time focusing on security
• Additional hardware required

55
Auto-Classification
56
How does it work?
CAM Table
001122334455
Client 001122334455
001122334455

• Example of a switch polling based method of
  wired status detection

Not all systems use this method
57
Final WIPS Thoughts

• You are not invisible
• Corporations and Organizations are monitoring
  wifi
• You are not invincible
• Automatic Threat Remediation
• Automatic Location Tracking
• Even odd frequencies may not be safe
• Many WIPS monitor extended channel sets

58
Pentoo

• A great platform to launch wireless attacks
• LiveCD
• Based on a Gentoo
• Safe to install
• Updates often
• www.pentoo.ch

59
Thanks

• Contact me if
• You have a license or country you wish added to
  the Ath5k patches
• You have pcaps of an unusual encryption used
  commonly with wifi
• sidhayn_at_gmail.com
• Try Pentoo ?
• www.pentoo.ch