B-Sides Asheville 2014: Wifi...WTF?!?!
DESCRIPTION
Talk given on June 7th, 2014 at B-Sides Asheville. A 30,000 foot overview of just what is possible in terms of wireless attacks.
TRANSCRIPT
Wifi…..WTF
It’s broken, but how bad can it be?
rbx@wifi:~# whoami
● Tim Fowler
● @roobixx
● Project Engineer & Developer
● Sabai Technology
rbx@wifi:~# info
● I am a Hacker
● Christian
● Frequent speaker at LUGs
● SouthEast Linuxfest speaker
● Founder of Docker Greenville
● Open Source Advocate
● If seen at Starbucks with a smile….run!
rbx@wifi:~# wtf
Why This Talk??
rbx@wifi:~# points
● Understanding Basic 802.11 Elements
● Wireless Attacks & Impacts
● Tools & Devices
rbx@wifi:~# wtf
Part #1
Basic Wireless Elements
rbx@wifi:~# basic elements
Modes
● Master - Access Point or Base Station
● Managed - Infrastructure Mode (Client)
● Ad-Hoc - Peer to Peer
● Mesh - Mesh Cloud/Network. Planned Ad-hoc
● Repeater - Range Extender
● Monitor (RFMON)
Note: NOT all chipsets are made the same. Depending on chipset and other factors, your adapter may not support all 6 modes.
rbx@wifi:~# basic elements
States
● State 1: Unauthenticated and Unassociated
● State 2: Authenticated but Unassociated
● State 3: Authenticated and Associated
rbx@wifi:~# basic elements
Frames
● Frames: Simply Data Packets
  Typically made up of: Header, Payload, Integrity Check (CRC)
● Frame Header: Source and Destination, Ethertype (What Protocol)
● Frame Check Sequence: CRC, Say that again?
rbx@wifi:~# basic elements
Frame Types
● Management Frames
● Control Frames
● Data Frames
rbx@wifi:~# basic elements
Management Frames
● Beacons
  ○ Advertise the network, Specify SSID (network name), Channels and other capabilities
● Probes
  ○ Probe Request - Are you my friend?
  ○ Probe Response - Includes capability info
● Authentications
  ○ Authentication - Open, WEP (Shared), WPA, WPA2, WPA-Radius
  ○ Deauthentication
● Associations
  ○ Association Request - Can we be friends?
  ○ Association Response
  ○ Disassociation
rbx@wifi:~# basic elements
Control Frames
● Request to Send - RTS: Can I speak?
● Clear to Send - CTS: Sure! Everyone else shut up.
● Acknowledgement - ACK: Cool, I got what you said ok.
rbx@wifi:~# basic elements
Data Frames
<insert data here>
rbx@wifi:~# wtf
Part #2
Wireless Attacks
rbx@wifi:~# wtf
Wifi SUCKS!
rbx@wifi:~# wtf
Wifi SUCKS!
Okay, not really
rbx@wifi:~# attacks
Attack Types
● Availability Attacks
● Access Control Attacks
● Confidentiality Attacks
● Integrity Attacks
● Authentication Attacks
rbx@wifi:~# attacks
Availability Attacks
● Deauthentication Flood - Client
● Beacon Flood - Client
● Authentication Flood - Access Point
Denial of Service
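
A defender's view of the frame types from Part #1 and the deauthentication flood listed above, as an added example that is not from the original talk: it decodes the Frame Control field to classify frames, then flags any (claimed source, destination) pair that sends a burst of deauthentication or disassociation frames. The threshold, window, helper names and sample capture are assumptions made for illustration.

```python
import struct
from collections import defaultdict

TYPES = {0: "management", 1: "control", 2: "data"}
SUBTYPES = {  # (type, subtype) values for the frames named on the slides
    (0, 0): "association request", (0, 1): "association response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 10): "disassociation", (0, 11): "authentication",
    (0, 12): "deauthentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK", (2, 0): "data",
}

def classify(frame: bytes):
    """Decode the 2-byte little-endian Frame Control field into (type, subtype)."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the Frame Control field")
    (fc,) = struct.unpack_from("<H", frame)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    return TYPES.get(ftype, "reserved"), SUBTYPES.get((ftype, subtype), f"subtype {subtype}")

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def deauth_flood_alerts(capture, threshold=5, window=1.0):
    """Return {(claimed source, destination)} pairs that sent more than
    `threshold` deauthentication/disassociation frames within `window` seconds.
    `capture` yields (timestamp, 802.11 frame with no radiotap header)."""
    recent, alerts = defaultdict(list), set()
    for ts, frame in capture:
        if len(frame) < 16 or classify(frame)[1] not in ("deauthentication", "disassociation"):
            continue
        key = (mac(frame[10:16]), mac(frame[4:10]))  # addr2 = source, addr1 = destination
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) > threshold:
            alerts.add(key)
    return alerts

# Constructed sample capture (locally administered MACs, not real devices).
AP, CLIENT = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def build_frame(fc0, dst, src, body=b""):
    """Minimal management header: FC, duration, addr1, addr2, addr3, seq ctrl."""
    return bytes([fc0, 0]) + b"\x00\x00" + dst + src + AP + b"\x00\x00" + body

SAMPLE = [(0.0, build_frame(0x80, b"\xff" * 6, AP))]  # one beacon
SAMPLE += [(1.0 + i * 0.01, build_frame(0xC0, CLIENT, AP, b"\x07\x00")) for i in range(20)]
SAMPLE += [(5.0, build_frame(0xC0, AP, CLIENT, b"\x03\x00"))]  # single frame, below threshold

if __name__ == "__main__":
    print(sorted(deauth_flood_alerts(SAMPLE)))
```

The source address in these frames is only what the sender claims, so an alert identifies the pair being disrupted rather than the device transmitting the frames.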
rbx@wifi:~# attacks
Access Control Attacks
● Rogue Access Point(s)
● MAC Spoofing
● Ad Hoc Associations
● Wardriving*
*Every attack should start here!
rbx@wifi:~# attacks
Confidentiality Attacks
● MitM
● Evil Twin AP
● Fake Captive Portal
● Eavesdropping
● SSLStrip
rbx@wifi:~# attacks
Integrity Attacks
● Frame Injection
● Frame Replay
rbx@wifi:~# attacks
Authentication Attacks:
● PSK Cracking
● Shared Key Guessing - Vendor Defaults???
● Login Credentials Gathering
● If it has a password...we want it!
rbx@wifi:~#
Rarely will you use a single attack but rather multiple attacks layered together to get desired results.
rbx@wifi:~# examples
Beacon Flood
mdk3 mon0 b -c 1
Authentication Flood
mdk3 mon0 a -a <AP Mac Address>
Deauthentication Flood
mdk3 mon0 d -b file.txt
rbx@wifi:~# examples
Evil Twin AP
Karma is a B!%&^!!
Man in the Middle
See previous statement about Karma!
No matter how I get you to connect to me...I am now in control!
rbx@wifi:~# wtf
Part #3
Tools & Devices
rbx@wifi:~# tools
Tools
● Wireshark
● Kismet
● Aircrack-ng Suite
● Karma
● Ettercap
● MDK3
● TCPDUMP
● Wigle Wardriving App
● DNSSpoof
● Macchanger
● KisMAC
● Cowpatty
● Airpwn
● Airsnarf
● Dsniff
● DNSpwn
● SSLStrip
● Fern-wifi-cracker
● And MANY MANY MORE...
rbx@wifi:~# devices
Devices
● Wireless Adapters
● Specialized Hardware
● DIY Hardware
rbx@wifi:~# devices
Wireless Adapters
● Only real requirement is that your wireless adapter support Monitor mode and Frame Injection
● A fairly complete list of compatible chipsets can be found at aircrack-ng.org
rbx@wifi:~# devices
Wireless Adapters
● Alfa AWUS036H - Realtek RTL8187L
● Alfa AWUS036NH - Ralink RT3070
● TP-LINK TL-WN722N - Atheros AR9002U
● Netgear WG111v2 - Realtek RTL8187L
● Netgear WG111v3 - Realtek RTL8187B
rbx@wifi:~# devices
Specialized Hardware
● Wifi Pineapple Mark V
● Pwnie Express Pwnpad
● Pwnie Express Pwn Plug R2
rbx@wifi:~# devices
DIY Hardware
● Raspberry Pi running Kali Linux + Wireless adapter
● Old Netbook, a laptop, tablet...
● Anything that you can run Linux on and use a proper wireless adapter.
Questions??
Thank You B-Sides Asheville!!!