Date post: 10-Jun-2015
Category: Technology
Upload: tim-fowler
Wifi…..WTF
It’s broken, but how bad can it be?
rbx@wifi:~# whoami
● Tim Fowler
● @roobixx
● Project Engineer & Developer
● Sabai Technology
rbx@wifi:~# info
● I am a Hacker
● Christian
● Frequent speaker at LUGs
● SouthEast Linuxfest speaker
● Founder of Docker Greenville
● Open Source Advocate
● If seen at Starbucks with a smile….run!
rbx@wifi:~# wtf
WHY THis Talk??
rbx@wifi:~# points
● Understanding Basic 802.11 Elements
● Wireless Attacks & Impacts
● Tools & Devices
rbx@wifi:~# wtf
Part #1
Basic Wireless Elements
rbx@wifi:~# basic elements
Modes
● Master - Access Point or Base Station
● Managed - Infrastructure Mode (Client)
● Ad-Hoc - Peer to Peer
● Mesh - Mesh Cloud/Network. Planned Ad-hoc
● Repeater - Range Extender
● Monitor (RFMON)
Note: NOT all chipsets are made the same. Depending on chipset and other factors your adapter may not support all 6 modes.
rbx@wifi:~# basic elements
States
● State 1: Unauthenticated and Unassociated
● State 2: Authenticated but Unassociated
● State 3: Authenticated and Associated
rbx@wifi:~# basic elements
Frames
● Frames: Simply Data Packets
Typically made up of: Header, Payload, Integrity Check (CRC)
● Frame Header: Source and Destination, Ethertype (What Protocol)
● Frame Check Sequence: CRC, Say that again?
rbx@wifi:~# basic elements
Frame Types
● Management Frames
● Control Frames
● Data Frames
rbx@wifi:~# basic elements
Management Frames
● Beacons
  ○ Advertise the network, Specify SSID (network name), Channels and other capabilities
● Probes
  ○ Probe Request - Are you my friend?
  ○ Probe Response - Includes capability info
● Authentications
  ○ Authentication - Open, WEP (Shared), WPA, WPA2, WPA-Radius
  ○ Deauthentication
● Associations
  ○ Association Request - Can we be friends?
  ○ Association Response
  ○ Disassociation
rbx@wifi:~# basic elements
Control Frames
● Request to Send - RTS: Can I speak?
● Clear to Send - CTS: Sure! Everyone else shut up.
● Acknowledgement - ACK: Cool, I got what you said ok.
rbx@wifi:~# basic elements
Data Frames
<insert data here>
rbx@wifi:~# wtf
Part #2
Wireless Attacks
rbx@wifi:~# wtf
Wifi SUCKS!
rbx@wifi:~# wtf
Wifi SUCKS!
Okay, not really
rbx@wifi:~# attacks
Attack Types
● Availability Attacks
● Access Control Attacks
● Confidentiality Attacks
● Integrity Attacks
● Authentication Attacks
rbx@wifi:~# attacks
Availability Attacks
● Deauthentication Flood - Client
● Beacon Flood - Client
● Authentication Flood - Access Point
Denial of Service
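Added example, not part of the original slides: a monitor-side check that decodes the Frame Control type/subtype of each captured frame (the management, control and data types from Part #1) and flags a BSSID receiving a burst of deauthentication/disassociation frames. The threshold, window, function names and sample capture are assumptions constructed for illustration; frames are assumed to be raw 802.11 with any radiotap header already stripped.

```python
import struct
from collections import defaultdict, deque

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
# (type, subtype) -> name for the frames named on the slides
SUBTYPES = {(0, 0): "assoc-req", (0, 1): "assoc-resp", (0, 4): "probe-req",
            (0, 5): "probe-resp", (0, 8): "beacon", (0, 10): "disassoc",
            (0, 11): "auth", (0, 12): "deauth",
            (1, 11): "rts", (1, 12): "cts", (1, 13): "ack"}

def classify(frame: bytes):
    """Decode type/subtype from the first byte of the Frame Control field."""
    if len(frame) < 2:
        raise ValueError("shorter than the 2-byte Frame Control field")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    return (TYPE_NAMES.get(ftype, "reserved"),
            SUBTYPES.get((ftype, subtype), f"subtype-{subtype}"))

def detect_deauth_flood(capture, threshold=10, window=1.0):
    """capture: (timestamp_s, raw 802.11 frame) pairs in time order.
    Returns BSSIDs with >= threshold deauth/disassoc frames inside window seconds."""
    recent, alerts = defaultdict(deque), []
    for ts, frame in capture:
        if classify(frame)[1] not in ("deauth", "disassoc") or len(frame) < 24:
            continue  # not a teardown frame, or management header truncated
        bssid = frame[16:22].hex(":")  # Address 3 = BSSID in management frames
        seen = recent[bssid]
        seen.append(ts)
        while ts - seen[0] > window:  # drop timestamps outside the window
            seen.popleft()
        if len(seen) >= threshold and bssid not in alerts:
            alerts.append(bssid)
    return alerts

def sample_frame(subtype, bssid, body=b""):
    """Constructed management frame bytes for the sample capture below."""
    client = bytes.fromhex("020000000099")  # constructed client address
    return (struct.pack("<H", subtype << 4) + b"\x00\x00" +
            client + bssid + bssid + b"\x00\x00" + body)

AP_A, AP_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
REASON = struct.pack("<H", 7)  # 2-byte reason code carried in the frame body
# Constructed capture: beacons, 12 deauths for AP_A in under 0.5 s, 2 for AP_B
SAMPLE = sorted(
    [(i * 0.1, sample_frame(8, ap)) for i in range(20) for ap in (AP_A, AP_B)] +
    [(3.0 + i * 0.04, sample_frame(12, AP_A, REASON)) for i in range(12)] +
    [(0.5, sample_frame(12, AP_B, REASON)), (6.0, sample_frame(12, AP_B, REASON))],
    key=lambda item: item[0])

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE))  # BSSIDs flagged in the sample capture
```

Occasional deauthentication frames are normal when clients roam or leave, which is why the check counts frames per BSSID inside a time window instead of alerting on a single frame.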
rbx@wifi:~# attacks
Access Control Attacks
● Rogue Access Point(s)
● MAC Spoofing
● Ad Hoc Associations
● Wardriving*
*Every attack should start here!
rbx@wifi:~# attacks
Confidentiality Attacks
● MitM
● Evil Twin AP
● Fake Captive Portal
● Eavesdropping
● SSLStrip
rbx@wifi:~# attacks
Integrity Attacks
● Frame Injection
● Frame Replay
rbx@wifi:~# attacks
Authentication Attacks:
● PSK Cracking
● Shared Key Guessing - Vendor Defaults???
● Login Credentials Gathering
● If it has a password...we want it!
rbx@wifi:~#
Rarely will you use a single attack but rather multiple attacks layered together to get desired results.
rbx@wifi:~# examples
Beacon Flood
mdk3 mon0 b -c 1
Authentication Flood
mdk3 mon0 a -a <AP Mac Address>
Deauthentication Flood
mdk3 mon0 d -b file.txt
rbx@wifi:~# examples
Evil Twin AP
Karma is a B!%&^!!
Man in the Middle
See previous statement about Karma!
No matter how I get you to connect to me...I am now in control!
rbx@wifi:~# wtf
Part #3
Tools & Devices
rbx@wifi:~# tools
Tools
● Wireshark
● Kismet
● Aircrack-ng Suite
● Karma
● Ettercap
● MDK3
● TCPDUMP
● Wigle Wardriving App
● DNSSpoof
● Macchanger
● KisMAC
● Cowpatty
● Airpwn
● Airsnarf
● Dsniff
● DNSpwn
● SSLStrip
● Fern-wifi-cracker
● And MANY MANY MORE...
rbx@wifi:~# devices
Devices
● Wireless Adapters
● Specialized Hardware
● DIY Hardware
rbx@wifi:~# devices
Wireless Adapters
● Only real requirement is that your wireless adapter support Monitor mode and Frame Injection
● A fairly complete list of compatible chipsets can be found at aircrack-ng.org
rbx@wifi:~# devices
Wireless Adapters
● Alfa AWUS036H - Realtek RTL8187L
● Alfa AWUS036NH - Ralink RT3070
● TP-LINK TL-WN722N - Atheros AR9002U
● Netgear WG111v2 - Realtek RTL8187L
● Netgear WG111v3 - Realtek RTL8187B
rbx@wifi:~# devices
Specialized Hardware
● Wifi Pineapple Mark V
● Pwnie Express Pwnpad
● Pwnie Express Pwn Plug R2
rbx@wifi:~# devices
DIY Hardware
● Raspberry Pi running Kali Linux + Wireless adapter
● Old Netbook, a laptop, tablet...
● Anything that you can run Linux on and use a proper wireless adapter.
Questions??
Thank You B-Sides Asheville!!!