Shifting the Focus of WiFi Security - PowerPoint PPT Presentation

Slides: 45
Provided by: storageAi

1
Shifting the Focus of WiFi Security
  • Beyond cracking your neighbor's WEP key

2
Who are we and why do you care?
  • Thomas Mister_X d'Otreppe de Bouvette
  • Founder of Aircrack-ng
  • Rick Zero_Chaos Farina
  • Aircrack-ng Team Member
  • Embedded Development

3
DISCLAIMER
  • Some of the topics in this presentation may be
    used to break the law in new and exciting ways
  • of course we do not recommend breaking the law
    and it is your responsibility to check your local
    laws and abide by them.
  • DO NOT blame us when a three letter organization
    knocks on your door.

4
Contest
  • Find the AP
  • We have hidden an AP somewhere in the airwaves
  • Report the frequency of operation and mac address
    to win
  • (Insiders and friends are not eligible)

5
Spoils (first winner only)
  • Find the AP before the end of the talk
  • Full price of Ubiquiti SRC wifi card
  • Find the AP before 1pm
  • $50 towards a nice Atheros card
  • Find the AP after 1pm
  • Hearty handshake and a pat on the back

6
History of WEP Attacks / Why it doesn't work
  • Passively Sniff for a long time
  • Slow, not enough data, impatient
  • No more weak IVs
  • Replay/Injection Attacks
  • Fast but very noisy
  • Simple signatures
  • AP features that try to block (PSPF)

7
History of WPA Attacks / Why it doesn't work
  • Pre-shared key
  • Requires catching both sides of a quick handshake
  • Must be in range of client and AP
  • Enterprise
  • Nearly impossible to crack passively
  • Most EAP types are difficult (at best) to MiTM

8
The Well Guarded Door
  • Nearly 100% of attacks focus on the AP
  • APs are getting more and more secure
  • New features built into AP
  • PSPF / Client Isolation
  • Strong Authentication / Encryption
  • Lightweight controller based architecture
  • APs are no longer the unguarded back door
  • Well deployed with forethought for security
  • Well developed industry best practices

9
Take the Path of Least Resistance: Attack the Clients!
  • Tools have slowly appeared recently
  • Difficult to use
  • Odd requirements to make function

10
Attacking Client WEP Key
  • Wep0ff
  • Caffe-Latte
  • Hirte Attack

11
Attacking Client WPA Key
  • WPA-PSK
  • No public implementation
  • WPA-ENT
  • Freeradius-wpe (thanks Brad and Josh!)
  • Requires hardware AP

12
Attacking the Client
  • Many Separate Tools
  • Difficult to configure
  • Typically sparsely documented
  • Odd requirements and configurations
  • Until now

13
Introducing Airbase-ng
  • Full monitor mode AP simulation, needs no extra
    hardware
  • Merges many tools into one
  • Also works in Ad-hoc mode
  • New and improved, simplified implementations
  • Easy, fast, deadly (to encryption keys at least)

14
Airbase-ng Abilities
  • Evil Twin / Honey Pot
  • Karma
  • WEP attacks
  • WPA-PSK attacks
  • WPA-Enterprise attacks (coming soon)

15
Airbase-ng Features
  • Soft AP
  • WEP
  • Open/Shared auth
  • Caffe Latte
  • Hirte attack
  • Capture WPA/WPA2 handshake
  • Manipulate and resend packets
  • Encrypt/Decrypt packets

16
Airbase-ng Features
  • Filtering to avoid disturbing nearby networks
  • AP Filters
  • BSSIDs
  • ESSIDs
  • Client filters
  • MAC Filtering (allow/disallow)

17
Airbase-ng Abilities
  • WPA Handshake capture
  • airbase-ng -W 1 -c 5 -z 2 -I 102 --essid myAP rausb0
  • Script to manipulate packets: airbase-ng -Y both rausb0,
    then start replay.py on at1
  • Soft AP
  • airbase-ng -y -e myAP -c 5 -I 102 rausb0
  • ifconfig at0 up 192.168.0.254
  • ping/ssh/ it from the client

18
What are you, a blackhat?
  • No seriously, this doesn't promise a win
  • There are ways to defend as well
  • APs are finally being configured securely, now
    clients must be as well

19
Simple Defenses
  • Proper Secure Client Configurations
  • Check the right boxes
  • GPO
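
The "right boxes" for a client are the ones that stop the Evil Twin, Karma and rogue-RADIUS (FreeRADIUS-WPE) tricks from earlier slides. As an added example that is not from the talk or the Aircrack-ng project, this script audits an exported Windows WLAN profile for those settings. It assumes Windows clients managed by GPO and the profile XML that `netsh wlan export profile` writes; the element names and namespaces are taken from the WLAN profile and PEAP schemas as understood by the editor, and the SSID, RADIUS server name and profile contents are constructed for the example.

```python
"""Audit an exported Windows WLAN profile for the client-side settings that
Evil Twin, Karma and rogue-RADIUS setups rely on. Added example, not from the
talk: it parses the XML that `netsh wlan export profile` writes; element names
are assumed from the WLAN profile / PEAP schemas."""
import xml.etree.ElementTree as ET

# Constructed, abbreviated profile: WPA2-Enterprise with PEAP, with the boxes
# ticked the way a "just make it connect" setup often leaves them.
WEAK_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig>
    <SSID><name>CorpWiFi</name></SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>true</autoSwitch>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
              <ServerNames></ServerNames>
            </ServerValidation>
            <PeapExtensions>
              <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
            </PeapExtensions>
          </EapType>
        </Eap></Config>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
"""

# The same profile with the right boxes ticked (the server name is a placeholder).
HARDENED_PROFILE = (WEAK_PROFILE
    .replace("<nonBroadcast>true", "<nonBroadcast>false")
    .replace("<autoSwitch>true", "<autoSwitch>false")
    .replace("<DisableUserPromptForServerValidation>false",
             "<DisableUserPromptForServerValidation>true")
    .replace("<ServerNames></ServerNames>",
             "<ServerNames>radius.corp.example</ServerNames>")
    .replace(">false</PerformServerValidation>", ">true</PerformServerValidation>"))


def _text(root, local_name):
    """Return the text of the first element with this local name, ignoring
    the XML namespaces the profile format sprinkles on every level."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return None


def audit_profile(xml_text):
    """Return a list of findings (empty means the profile passes)."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "nonBroadcast") == "true":
        findings.append("nonBroadcast=true: the client probes for this SSID "
                        "everywhere, which is exactly what a Karma-style soft AP answers")
    if _text(root, "autoSwitch") == "true":
        findings.append("autoSwitch=true: the client roams to a stronger AP "
                        "with the same name, i.e. an evil twin")
    if _text(root, "useOneX") == "true":
        if _text(root, "PerformServerValidation") != "true":
            findings.append("PEAP server certificate validation is off: any RADIUS "
                            "server can terminate the tunnel and collect the inner credentials")
        if not _text(root, "ServerNames"):
            findings.append("no ServerNames pinned: any certificate from a trusted CA is accepted")
        if _text(root, "DisableUserPromptForServerValidation") != "true":
            findings.append("users may click through an unknown-server-certificate prompt")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(profile) or ["ok"])
```

Run it over `netsh wlan export profile folder=. key=clear` output on a test machine, or over the profile XML pushed by the wireless GPO, before it reaches the fleet.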

20
A Step Beyond Crazy
  • WiFi Frequencies
  • .11b/g 2412-2462 (US)
  • .11a 5180-5320, 5745-5825 (US)
  • Does this look odd to anyone else?
  • Does the card really not have the ability to use
    5320-5740?

21
Licensed Bands
  • Some vendors carry licensed radios
  • Special wifi cards for use by military and public
    safety
  • Typically expensive
  • Requires a license to even purchase
  • Frequencies of 4920 seem surprisingly close to
    5180

22
Can we do this cheaper?
  • Atheros and others sometimes support more
    channels
  • Allows for 1 radio to be sold for many purposes.
  • Software controls allowed frequencies

23
Who Controls the Software?
  • Sadly, typically the chipset vendors
  • Most wifi drivers in Linux require binary
    firmware
  • This firmware controls regulatory compliance as
    well as purposing

24
What can we do?
  • Fortunately, most Linux users don't like closed
    source binaries
  • For many reasons, fully open sourced drivers are
    being developed
  • As these drivers become stable, we can start to
    play

25
Let's Play
  • Madwifi-ng is driven by a binary HAL
  • Ath5k is the next gen fully open source driver
  • Kugutsumen released a patch for DEBUG regdomain
  • Allows for all officially supported channels to
    be tuned to

26
Fun Comments in ath5k
  /* Set this to 1 to disable regulatory domain restrictions for channel tests.
   * WARNING: This is for debuging only and has side effects (eg. scan takes too
   * long and results timeouts). It's also illegal to tune to some of the
   * supported frequencies in some countries, so use this at your own risk,
   * you've been warned. */

27
Comments (cont)
  /*
   * XXX The tranceiver supports frequencies from 4920 to 6100GHz
   * XXX and from 2312 to 2732GHz. There are problems with the
   * XXX current ieee80211 implementation because the IEEE
   * XXX channel mapping does not support negative channel
   * XXX numbers (2312MHz is channel -19). Of course, this
   * XXX doesn't matter because these channels are out of range
   * XXX but some regulation domains like MKK (Japan) will
   * XXX support frequencies somewhere around 4.8GHz.
   */

28
New Toys
  • Yesterday
  • .11b/g 2412-2462 (US)
  • .11a 5180-5320, 5745-5825 (US)
  • Today
  • .11b/g 2192-2732 (DEBUG)
  • .11a 4800-6000 (DEBUG)

29
What is on these new freq?
  2180.000 - 2200.000   Fixed Point-to-point (n-p)
  2200.000 - 2290.000   DoD
  2300.000 - 2310.000   Amateur
  2390.000 - 2450.000   Amateur
  2450.000 - 2500.000   Radio location
  2500.000 - 2535.000   Fixed SAT
  2500.000 - 2690.000   Fixed Point-to-point (n-p), Instructional TV
  2655.000 - 2690.000   Fixed SAT
  2690.000 - 2700.000   Radio Astronomy
  2700.000 - 2900.000   DoD

30
Freq (cont)
  4400.000 - 4990.000   DoD
  4990.000 - 5000.000   Meteo - Radio Astronomy
  5250.000 - 5650.000   Radio Location - Coastal Radar
  5460.000 - 5470.000   Radio Nav - General
  5470.000 - 5650.000   Meteo - Ground-based Radar
  5650.000 - 5925.000   Amateur
  5800.000              ISM
  5925.000 - 6425.000   Common Carrier and Fixed SAT

31
Spectrum Analyzer
  • Fully tested frequencies
  • Sadly they wouldn't let me borrow the SA
  • Warning: This may differ from card to card
  • I've already lost a few wifi cards

32
Limitations
  • Many real licensed implementations are broken
  • Card reports channel 1 but is actually on 4920MHz
  • This is done to make it easy to use existing
    drivers
  • This breaks many open source applications

33
Airodump-ng
  • Airodump-ng now supports a list of frequencies to
    scan rather than channels
  • Only channels are shown in display, may be wrong
  • Strips vital header information off of packet so
    data saved from extended channels is useless

34
Kismet
  • At time of writing is unable to handle most of
    the extended channels
  • Displays channels not frequencies
  • Does save usable pcap files

35
Improvement Needed
  • Sniffers are too trusting, they believe what they
    see
  • Never intended to deal with oddly broken
    implementations such as channel number fudging
  • Sniffers need to be improved to report more
    reality, and less assumptions
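
The "report reality, not assumptions" point can be turned into a check on the sniffer's own records. As an added example that is not from the talk, Airodump-ng or Kismet, the script below applies the IEEE channel arithmetic (2407 + 5n in the 2.4 GHz band with channel 14 at 2484, 5000 + 5n in the 5 GHz band, which is where the ath5k comment's channel -19 for 2312 MHz comes from) to each (reported channel, measured frequency) pair and flags the two failure modes the slides describe: a channel number that does not match the frequency, and a frequency outside the US unlicensed ranges quoted on slide 20. The records are constructed; the function names are the editor's.

```python
"""Channel/frequency consistency checks for Wi-Fi sniffer records.
Added example, not from the talk or Aircrack-ng; the allowed ranges are the
US ones quoted on the slides."""
from typing import List, Optional, Tuple

# US unlicensed Wi-Fi ranges as given on slide 20 (MHz, inclusive edges).
US_UNLICENSED = [(2412, 2462), (5180, 5320), (5745, 5825)]


def freq_to_channel(freq_mhz: int) -> Optional[int]:
    """IEEE 802.11 channel arithmetic. 2.4 GHz channels sit at 2407 + 5*n
    (channel 14 at 2484 is the exception), 5 GHz channels at 5000 + 5*n.
    Extended frequencies land on negative or out-of-range numbers, which is
    why a channel number alone says nothing trustworthy about them."""
    if freq_mhz == 2484:
        return 14
    base = 2407 if freq_mhz < 3000 else 5000
    if (freq_mhz - base) % 5:
        return None                       # not on the 5 MHz channel grid
    return (freq_mhz - base) // 5


def channel_to_freq(channel: int, band_ghz: int) -> int:
    """Inverse mapping. The band must be given: channel numbers are reused
    across bands, so "channel 1" alone is ambiguous."""
    if band_ghz == 2:
        return 2484 if channel == 14 else 2407 + 5 * channel
    return 5000 + 5 * channel


def is_us_unlicensed(freq_mhz: int) -> bool:
    return any(lo <= freq_mhz <= hi for lo, hi in US_UNLICENSED)


def check_record(reported_channel: int, measured_freq_mhz: int) -> List[str]:
    """Audit one sniffer record: the channel the driver reported against the
    frequency the radio was actually tuned to."""
    findings = []
    expected = freq_to_channel(measured_freq_mhz)
    if expected is None:
        findings.append(f"{measured_freq_mhz} MHz is off the 5 MHz channel grid")
    elif expected != reported_channel:
        findings.append(f"driver reports channel {reported_channel} but the radio "
                        f"is on {measured_freq_mhz} MHz (channel {expected})")
    if not is_us_unlicensed(measured_freq_mhz):
        findings.append(f"{measured_freq_mhz} MHz is outside the US unlicensed "
                        f"Wi-Fi ranges; do not trust the channel number")
    return findings


# Constructed records: (channel the driver reported, frequency in MHz).
SAMPLE_RECORDS: List[Tuple[int, int]] = [
    (6, 2437),     # ordinary 2.4 GHz traffic
    (36, 5180),    # ordinary 5 GHz traffic
    (1, 4920),     # the "channel 1 but really 4920 MHz" licensed card from slide 32
    (-19, 2312),   # ath5k DEBUG regdomain, negative channel
]


def audit(records):
    """Map each record to its findings; an empty list means it is consistent."""
    return {rec: check_record(*rec) for rec in records}


if __name__ == "__main__":
    for rec, findings in audit(SAMPLE_RECORDS).items():
        print(rec, findings or ["ok"])
```

The useful output is the frequency column: a sniffer that logs the measured frequency beside the driver's channel number lets this kind of check catch the fudged channel numbers after the fact, which a channel-only display never can.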

36
Improvements made!
  • After this talk was submitted, changes started
    happening
  • Kismet-newcore fully supports fun channels
  • Displays frequencies that packets are received on
  • Airodump-ng updates are being made now for
    release soon

37
Final Thoughts
  • Remember everyone here is a white hat
  • Please use your new found knowledge for good not
    evil
  • In the United States it is LEGAL to monitor all
    radio frequencies
  • Have fun

38
WEP cloaking
  • Old hardware like wireless barcode scanners
  • Insert chaff in the air to fool cracking tools
  • Good idea but
  • Uses half the bandwidth (> 300kb/sec with 11Mbit)
  • Sometimes packets don't need to be filtered to
    be cracked

39
How to break it?
  • No public documentation > analyze capture files
  • Every data packet is cloaked (at least packets
    from the AP are protected)
  • Cloaked packet size is the same as the original
    packet
  • Plays with sequence numbers. In most cases, not
    the same as the original packet (cloaked SN =
    original +2 to -2)
  • Only data packets are cloaked (at least type 2,
    subtype 0)
  • Signal is not the same as the access point

40
(No Transcript)
41
Implementation
  • No idea of the implementation > don't care about
    the key used by the sensor (if any) or the data used in
    cloaked packets (real or fake).
  • Apply filters to remove cloaked packets
  • Signal
  • Sequence numbers
  • Base analysis on packets known not to be cloaked
  • Combine filters in a different order

42
Implementation
  • We know that all management and control frames
    are uncloaked.
  • Base filter
  • If any packet with an unknown status has the same
    SN as one of the uncloaked packets then it's
    cloaked
  • Signal filter
  • Get the average signal from uncloaked packets
  • Allow a small margin of error
  • Packets outside the margin should be cloaked
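
To see why the chaff does not hide the real traffic, the two filters above (sequence numbers shared with known-uncloaked frames, and signal outside a margin around the uncloaked average) are written out here over a constructed capture. This is an added example from the editor, not the code the talk promises in subversion; the 3 dB margin, the frame layout and the sample RSSI values are assumptions. It also shows the limit of the approach: a chaff frame with a unique SN and the right signal level passes both filters, so a cloaking product is only as weak as its chaff is sloppy.

```python
"""Separate WEP-cloaking chaff from genuine AP frames with the two filters
on the slides. Added example, not Aircrack-ng code."""
from dataclasses import dataclass
from statistics import mean
from typing import Optional

MGMT, CTRL, DATA = 0, 1, 2          # 802.11 frame-control type values


@dataclass
class Frame:
    ftype: int                      # 802.11 type: management, control or data
    seq: Optional[int]              # 12-bit sequence number (control frames carry none)
    signal: int                     # received signal strength in dBm
    chaff: bool = False             # ground truth, known only for the constructed sample


def trusted_frames(frames):
    """Management and control frames are never cloaked (slide 42)."""
    return [f for f in frames if f.ftype in (MGMT, CTRL)]


def sequence_filter(frames):
    """Base filter: a transmitter has one SN counter, so a data frame that
    reuses the SN of an uncloaked management frame is not the AP's own.
    Returns the indices judged cloaked."""
    trusted_seqs = {f.seq for f in trusted_frames(frames) if f.seq is not None}
    return {i for i, f in enumerate(frames)
            if f.ftype == DATA and f.seq in trusted_seqs}


def signal_filter(frames, margin_db=3):
    """Signal filter: average the RSSI of uncloaked frames, allow a small
    margin (assumed 3 dB here) and flag data frames outside it; the sensor
    injecting chaff is a different radio at a different distance."""
    reference = mean(f.signal for f in trusted_frames(frames))
    return {i for i, f in enumerate(frames)
            if f.ftype == DATA and abs(f.signal - reference) > margin_db}


def classify(frames, margin_db=3):
    """Combine both filters; data frames flagged by either are dropped."""
    cloaked = sequence_filter(frames) | signal_filter(frames, margin_db)
    return {i: ("cloaked" if i in cloaked else "genuine")
            for i, f in enumerate(frames) if f.ftype == DATA}


def score(frames, margin_db=3):
    """(caught, missed, false positives) against the sample's ground truth."""
    verdict = classify(frames, margin_db)
    caught = sum(1 for i, v in verdict.items() if frames[i].chaff and v == "cloaked")
    missed = sum(1 for i, v in verdict.items() if frames[i].chaff and v == "genuine")
    false_pos = sum(1 for i, v in verdict.items() if not frames[i].chaff and v == "cloaked")
    return caught, missed, false_pos


# Constructed capture: an AP heard at about -45 dBm whose beacons and data
# frames share one SN counter, plus a cloaking sensor heard at about -60 dBm
# that injects chaff with the AP's address and nearby SNs.
SAMPLE = [
    Frame(MGMT, 100, -45),               # beacon
    Frame(DATA, 101, -46),
    Frame(DATA, 102, -44),
    Frame(DATA, 100, -61, chaff=True),   # SN collides with the beacon
    Frame(DATA, 103, -45),
    Frame(DATA, 104, -59, chaff=True),   # only the signal filter sees this one
    Frame(MGMT, 105, -45),               # beacon
    Frame(DATA, 106, -46),
    Frame(DATA, 107, -44, chaff=True),   # good RSSI, unique SN: slips through
    Frame(CTRL, None, -44),              # ACK, no sequence number
    Frame(DATA, 109, -45),
]

if __name__ == "__main__":
    print(classify(SAMPLE))
    print("caught, missed, false positives:", score(SAMPLE))
```

Running the filters in the other order (signal first, then SN) gives the same verdicts on this sample; the order matters only when the signal average itself is taken from frames the SN filter has already cleaned.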

43
Implementation
  • Code release soon, check the subversion.

44
Thanks
  • Updated Slide Presentation can be found at
    http://www.aircrack-ng.org/defcon16.ppt
  • Bibliography
  • http://www.willhackforsushi.com/FreeRADIUS-WPE.html
  • We will complete this and post this weekend