Shifting the Focus of WiFi Security: - Aircrack-ng

Shifting the Focus of WiFi Security:
Beyond cracking your neighbor's WEP key
Who are we and why do you care?

Thomas “Mister_X” d'Otreppe de Bouvette
• Founder of Aircrack-ng

Rick “Zero_Chaos” Farina
• Aircrack-ng Team Member
• Embedded Development
DISCLAIMER:
Some of the topics in this presentation may be used to break the law in new and exciting ways… of course we do not recommend breaking the law and it is your responsibility to check your local laws and abide by them. DO NOT blame us when a three letter organization knocks on your door.
Contest
Find the AP
• We have hidden an AP somewhere in the airwaves
• Report the frequency of operation and MAC address to win
• (Insiders and friends are not eligible)

Spoils (first winner only)
• Find the AP before the end of the talk: full price of a Ubiquiti SRC wifi card
• Find the AP before 1pm: $50 towards a nice Atheros card
• Find the AP after 1pm: hearty handshake and a pat on the back
History of WEP Attacks / Why it doesn’t work

Passively sniff for a long time
• Slow, not enough data, impatient
• No more weak IVs

Replay/Injection attacks
• Fast but very noisy
• Simple signatures
• AP features that try to block them (PSPF)
History of WPA Attacks / Why it doesn’t work

Pre-shared key
• Requires catching both sides of a quick handshake
• Must be in range of client and AP

Enterprise
• Nearly impossible to crack passively
• Most EAP types are difficult (at best) to MiTM
The Well Guarded Door
Nearly 100% of attacks focus on the AP
• APs are getting more and more secure
• New features built into the AP
  • PSPF / Client Isolation
  • Strong authentication / encryption
  • Lightweight controller based architecture

APs are no longer the unguarded back door
• Well deployed with forethought for security
• Well developed industry best practices
Take the Path of Least Resistance
Attack the Clients!
Tools have slowly appeared recently
• Difficult to use
• Odd requirements to make them function

Attacking Client WEP Key
• Wep0ff
• Caffe-Latte
• Hirte attack

Attacking Client WPA Key

WPA-PSK
• No public implementation

WPA-ENT
• Freeradius-wpe (thanks Brad and Josh!)
• Requires hardware AP
Attacking the Client
Many separate tools
• Difficult to configure
• Typically sparsely documented
• Odd requirements and configurations

Until now…
Introducing Airbase-ng
Full monitor mode AP simulation, needs no extra hardware
• Merges many tools into one
• Also works in Ad-hoc mode
• New and improved, simplified implementations
• Easy, fast, deadly (to encryption keys at least)

Airbase-ng Abilities
• Evil Twin / Honey Pot
• Karma
• WEP attacks
• WPA-PSK attacks
• WPA-Enterprise attacks (coming soon)

Airbase-ng Features
• Soft AP
• WEP
  • Open/Shared auth
  • Caffe Latte
  • Hirte attack
• Capture WPA/WPA2 handshake
• Manipulate and resend packets
• Encrypt/Decrypt packets
Airbase-ng Features

Filtering to avoid disturbing nearby networks

AP filters
• BSSIDs
• ESSIDs

Client filters
• MAC filtering (allow/disallow)
Airbase-ng Abilities

WPA handshake capture:
  airbase-ng -W 1 -c 5 -z 2 -I 102 --essid myAP rausb0

Script to manipulate packets:
  airbase-ng -Y both rausb0
  then start replay.py on at1

Soft AP:
  airbase-ng -y -e myAP -c 5 -I 102 rausb0
  ifconfig at0 up 192.168.0.254
  ping/ssh/… it from the client
What are you, a blackhat?
No seriously, this doesn’t promise a win
• There are ways to defend as well
• APs are finally being configured securely, now clients must be as well

Simple Defenses
Proper secure client configurations
• Check the right boxes
• GPO

A Step Beyond Crazy

WiFi Frequencies
• .11b/g 2412-2462 (US)
• .11a 5180-5320, 5745-5825 (US)

Does this look odd to anyone else?
• Does the card really not have the ability to use 5320-5740?
Licensed Bands
Some vendors carry licensed radios
• Special wifi cards for use by military and public safety
• Typically expensive
• Requires a license to even purchase
• Frequencies of 4920 seem surprisingly close to 5180

Can we do this cheaper?
Atheros and others sometimes support more channels
• Allows for 1 radio to be sold for many purposes
• Software controls allowed frequencies

Who Controls the Software?
Sadly, typically the chipset vendors
• Most wifi drivers in linux require binary firmware
• This firmware controls regulatory compliance as well as purposing

What can we do?
Fortunately, most linux users don’t like closed source binaries
• For many reasons, fully open sourced drivers are being developed
• As these drivers become stable, we can start to play

Let’s Play…
Madwifi-ng is driven by a binary HAL
• Ath5k is the next gen fully open source driver
• Kugutsumen released a patch for “DEBUG” regdomain
• Allows for all *officially* supported channels to be tuned to

Fun Comments in ath5k
/* Set this to 1 to disable regulatory domain restrictions for channel tests.
 * WARNING: This is for debuging only and has side effects (eg. scan takes too
 * long and results timeouts). It's also illegal to tune to some of the
 * supported frequencies in some countries, so use this at your own risk,
 * you've been warned. */

Comments (cont)
/*
* XXX The tranceiver supports frequencies from 4920 to 6100GHz
* XXX and from 2312 to 2732GHz. There are problems with the
* XXX current ieee80211 implementation because the IEEE
* XXX channel mapping does not support negative channel
* XXX numbers (2312MHz is channel -19). Of course, this
* XXX doesn't matter because these channels are out of range
* XXX but some regulation domains like MKK (Japan) will
* XXX support frequencies somewhere around 4.8GHz.
*/
New Toys

Yesterday
• .11b/g 2412-2462 (US)
• .11a 5180-5320, 5745-5825 (US)

Today
• .11b/g 2192-2732 (DEBUG)
• .11a 4800-6000 (DEBUG)
What is on these new freq?

Freq (MHz)            Allocation
2180.000 - 2200.000   Fixed Point-to-point (n-p)
2200.000 - 2290.000   DoD
2300.000 - 2310.000   Amateur
2390.000 - 2450.000   Amateur
2450.000 - 2500.000   Radio location
2500.000 - 2535.000   Fixed SAT
2500.000 - 2690.000   Fixed Point-to-point (n-p), Instructional TV
2655.000 - 2690.000   Fixed SAT
2690.000 - 2700.000   Radio Astronomy
2700.000 - 2900.000   DoD

Freq (cont)

Freq (MHz)            Allocation
4400.000 - 4990.000   DoD
4990.000 - 5000.000   Meteo - Radio Astronomy
5250.000 - 5650.000   Radio Location - Coastal Radar
5460.000 - 5470.000   Radio Nav - General
5470.000 - 5650.000   Meteo - Ground-based Radar
5650.000 - 5925.000   Amateur
5800.000              ISM
5925.000 - 6425.000   Common Carrier and Fixed SAT
Spectrum Analyzer

Fully tested frequencies
• Sadly they wouldn’t let me borrow the SA

Warning: This may differ from card to card
• I’ve already lost a few wifi cards…
Limitations
Many real licensed implementations are broken
• Card reports channel 1 but is actually on 4920MHz
• This is done to make it easy to use existing drivers
• This breaks many open source applications

Airodump-ng
Airodump-ng now supports a list of frequencies to scan rather than channels
• Only channels are shown in the display, may be wrong
• Strips vital header information off of the packet, so data saved from extended channels is useless

Kismet
At time of writing is unable to handle most of the extended channels
• Displays channels not frequencies
• Does save usable pcap files*

Improvement Needed
Sniffers are too trusting, they believe what they see
• Never intended to deal with oddly broken implementations such as channel number fudging
• Sniffers need to be improved to report more reality and fewer assumptions

Improvements made!
After this talk was submitted, changes started happening
• Kismet-newcore fully supports fun channels
• Displays frequencies that packets are received on
• Airodump-ng updates are being made now for release soon

Final Thoughts
Remember everyone here is a white hat
• Please use your new found knowledge for good not evil
• In the United States it is LEGAL to monitor all radio frequencies
• Have fun…

WEP cloaking

• Old hardware like wireless barcode scanners
• Insert chaff in the air to fool cracking tools

Good idea but
• Uses half the bandwidth => 300kb/sec with 11Mbit
• Sometimes packets don’t need to be filtered to be cracked
How to break it?

• No public documentation => analyze capture files
• Every data packet is cloaked (at least packets from the AP are protected)
• Cloaked packet size is the same as the original packet
• Plays with sequence numbers. In most cases, not the same as the original packet (cloaked SN = original +2 to -2)
• Only data packets are cloaked (at least type 2, subtype 0)
Implementation
No idea of the implementation => don’t care about the key used by the sensor (if any) or the data used in cloaked packets (real or fake).
• Apply filters to remove cloaked packets
  • Signal
  • Sequence numbers
• Base analysis on packets known not to be cloaked
• Combine filters in a different order
Implementation

We know that all management and control frames are uncloaked.

Base filter:
• If any packet with an unknown status has the same SN as one of the uncloaked packets then it’s cloaked

Signal filter:
• Get the average signal from uncloaked packets
• Allow a small margin of error
• Packets outside the margin should be cloaked
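The two filters above as a sniffer-side chaff classifier over a constructed capture; this is an added illustration, not the slides' code nor anything from the Aircrack-ng subversion. The frame records, the dBm values and the 5 dBm margin are assumptions; the capture is assumed to be already filtered down to one BSSID.

```python
from dataclasses import dataclass
from statistics import mean

MGMT, CTRL, DATA = 0, 1, 2  # IEEE 802.11 frame type field values

@dataclass
class Frame:
    ftype: int          # frame type: 0 management, 1 control, 2 data
    seq: "int | None"   # 12-bit sequence number; None for control frames (they carry none)
    signal: int         # received signal strength in dBm (from the radiotap header)

def known_clean(frames):
    """Management and control frames are never cloaked: the trusted reference set."""
    return [f for f in frames if f.ftype in (MGMT, CTRL)]

def sequence_filter(frames, flags):
    """Base filter: a data frame reusing a SN already seen on a clean frame is chaff."""
    clean_sns = {f.seq for f in known_clean(frames) if f.seq is not None}
    for i, f in enumerate(frames):
        if f.ftype == DATA and f.seq in clean_sns:
            flags[i] = True
    return flags

def signal_filter(frames, flags, margin_db=5):
    """Signal filter: data frames outside mean(clean signal) +/- margin are chaff."""
    avg = mean(f.signal for f in known_clean(frames))
    for i, f in enumerate(frames):
        if f.ftype == DATA and abs(f.signal - avg) > margin_db:
            flags[i] = True
    return flags

def decloak(frames, margin_db=5):
    """Run both filters and keep only the data frames neither one flagged."""
    flags = [False] * len(frames)
    sequence_filter(frames, flags)
    signal_filter(frames, flags, margin_db)
    return [f for i, f in enumerate(frames) if f.ftype == DATA and not flags[i]]

# Constructed sample capture: AP heard at about -45 dBm, cloaking sensor at about -70 dBm.
SAMPLE_CAPTURE = [
    Frame(MGMT, 40, -45),    # beacon
    Frame(MGMT, 41, -45),    # beacon
    Frame(CTRL, None, -46),  # ACK: no sequence control field
    Frame(DATA, 42, -44),    # genuine
    Frame(DATA, 43, -45),    # genuine
    Frame(DATA, 41, -68),    # chaff: SN collides with beacon 41 and the signal is weak
    Frame(DATA, 45, -71),    # chaff: plausible SN, only the signal gives it away
    Frame(DATA, 40, -45),    # chaff: sensor next to the AP, only the SN gives it away
    Frame(DATA, 46, -45),    # genuine
]
```

Widening margin_db shows why the slides combine filters: with a large margin the signal filter accepts everything and the SN-colliding frame is the only chaff still caught.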
Implementation

Code release soon, check the subversion.

Thanks

Updated slide presentation can be found at:
http://www.aircrack-ng.org/defcon16.ppt

Bibliography
• http://www.willhackforsushi.com/FreeRADIUS-WPE.html
• We will complete this and post this weekend
