Wireless Network Risks and Controls
Offensive Security Tools, Techniques, and Defenses
13 March 2015 – CactusCon 2015 – Phoenix, AZ
Presented by: Ruihai Fang, Bishop Fox, www.bishopfox.com
Introduction/Background
GETTING UP TO SPEED
Used to be a Pain
Lots of heavy things to carry
Kali VM and USB Adapter
NOW EASY
• Kali Linux VM + TP-LINK TL-WN722N (USB)
Laptops, Netbooks (easier to conceal), and adapters
Asus Eee PC
TP-Link adapter capable of attaching a YAGI antenna
YAGI Antennas – Directional
Very good for attacking from a distance, like from the comfort of your hotel room.
Wireless Tools
Discovery
• Supported operating systems
• Supported wireless protocols
• Active vs. passive scanning
• Packet capturing and decoding
• Distinguishes between AP, ad hoc, and client devices
• Statistics and reporting capabilities
• User interface
• Price
NirSoft Wireless Tools
WINDOWS HACKING TOOLS
• NirSoft – WirelessNetView
• NirSoft – WifiInfoView
• NirSoft – Wireless Network Watcher
inSSIDer Wi-Fi Scanner
WINDOWS HACKING TOOLS
Aircrack-ng Suite
LINUX HACKING TOOLS
Kismet
LINUX HACKING TOOLS
Cracking WPA2-PSK with Pyrit
Pyrit
https://code.google.com/p/pyrit/
Pyrit allows to create massive databases, pre-computing part of the IEEE 802.11 WPA/WPA2-PSK authentication phase in a space-time-tradeoff. Exploiting the computational power of Many-Core- and other platforms through ATI-Stream, Nvidia CUDA and OpenCL, it is currently by far the most powerful attack against one of the world's most used security-protocols.
During Recon Find What Channel Your Target Is On and Capture Only on That Channel to Increase Your Chances of Getting a Valid WPA Handshake
CorpWiFi9 on Channel 6
Passive Monitoring with Kismet
Running Kismet for 12 hours will capture lots of packets and PCAP files can be large.
WPA 4-Way Handshake
DEMO
Decrypting WPA Packet Captures with Found Key in Wireshark
Before and After Decryption in Wireshark
Before Applying WPA Key
After Applying WPA Key
Wi-Fi Pineapple
WIRELESS PENETRATION TESTING ROUTER
Features
WHAT CAN IT DO?
• Wireless Jamming (De-auth Attack)
• Man-in-the-Middle attack
• DNS Spoof on lured client
• Web-based management
• Tether via Mobile Broadband
• Battery powered and portable
Methodology
Social Engineering
1. Karma (Rogue AP)
2. DNS Spoof & MITM
3. Phishing
Auto-Association
PROBLEM TO EXPLOIT
Karma
HOW DOES IT WORK?
• Listen to wireless probes from nearby wireless devices
• Impersonate the requested wireless AP
Karma
ROGUE AP
DNS Spoof
POISONING YOUR DNS
• Modify DNS records and point to a malicious site
• Man-in-the-middle between the victim and the Internet
(Diagram labels: reddit.com, Malicious site)
Phishing
PHISHING ATTACK
• Clone the official website (reddit.com)
• Implement key logger
• Deploy malware or backdoor on the forged website
• Compromise the victim
DEMO
Mitigation
Things that you should be doing
1. Disable the “Connect Automatically” setting on all unsecured wireless networks.
2. Use DNSCrypt or Google DNS.
3. Don’t connect to any unsecured or unknown wireless network.
4. Use a trusted VPN tunnel to encrypt the traffic on public networks.
Raspberry Pi
FRUITY WIFI
• Raspberry Pi – cheap alternative (~$35)
• Fruity WiFi – Raspberry Pi version of the WiFi Pineapple
Mobile WiFi Security Tools
Popular Mobile WiFi Hacking Tools
• WiFi Sniffing on Android in Monitor Mode: http://www.kismetwireless.net/android-pcap/
• Password Sniffing & Session Hijacking Using dSploit: http://dsploit.net/
• iphone-wireless: https://code.google.com/p/iphone-wireless/wiki/Stumbler
More Discreet Monitoring Using Alfa 1 802.11b/g
Model Number AWUS036H. This uses the RTL8187 wireless chipset.
#wifisecurityselfie
Monitor mode in places laptops can’t go! Like someone else’s data center, telcos, power substations, or just places you plain should not be.
Android PCAP Monitor Mode on a Galaxy S3
ARP Spoofing & Detection
88:32:9b:0b:a8:06 is actually the Android phone pretending to be the default gateway at 192.168.1.254
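The detection side of the slide above, as an added example that is not part of the deck: a small detector that watches a stream of ARP replies and flags the moment the gateway IP from the slide is answered by a second MAC, or one MAC starts answering for several IPs. The gateway IP and the phone's MAC are the slide's values; the legitimate gateway MAC, the other hosts and the reply stream are constructed for the demo.

```python
"""ARP spoofing detector run over a stream of ARP replies.

Added example (not from the slides). It keeps the first IP->MAC binding seen
for each IP, seeded from a trusted table, and flags any later reply in which
that IP is claimed by a different MAC, or in which one MAC claims a second IP.
The gateway IP 192.168.1.254 and the rogue MAC 88:32:9b:0b:a8:06 are from the
slide; the legitimate gateway MAC and the other hosts are constructed.
"""
from collections import defaultdict, namedtuple

ArpReply = namedtuple("ArpReply", "sender_ip sender_mac")

# Constructed trusted binding (e.g. a static ARP entry or the router's label).
TRUSTED = {"192.168.1.254": "00:11:22:33:44:55"}

# Constructed reply stream in the order a sniffer on the LAN would see it.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.254", "00:11:22:33:44:55"),  # real gateway
    ArpReply("192.168.1.33", "88:32:9b:0b:a8:06"),   # the phone's own address
    ArpReply("192.168.1.20", "aa:bb:cc:dd:ee:01"),   # ordinary host
    ArpReply("192.168.1.254", "88:32:9b:0b:a8:06"),  # phone claims the gateway IP
    ArpReply("192.168.1.20", "aa:bb:cc:dd:ee:01"),   # unchanged, no alert
]


def detect_arp_spoofing(replies, trusted=None):
    """Return one alert string per suspicious reply (empty list if all is well)."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for reply in replies:
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            # First time this IP is seen: learn it, but check for MAC reuse.
            ip_to_mac[ip] = mac
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{mac} now answers for {sorted(mac_to_ips[mac])}")
        elif known != mac:
            # A known IP answered from a different MAC: classic poisoning sign.
            alerts.append(f"{ip} claimed by {mac}, expected {known}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES, TRUSTED):
        print("ALERT:", line)
```

On a real network the same function can be fed from a packet sniffer's ARP decoder; seeding `TRUSTED` with the gateway binding is what turns the second spoofed reply into an alert instead of a silently learned entry.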
Web Session Hijacking using dSploit
PwnPad
NEXUS 7 PENTEST DEVICE
Defenses
AVOID BEING PROBED
Defenses
RECOMMENDATIONS
• Conduct regular wireless assessments
• Employ strong encryption and authentication methods
• Employ wireless IDS/IPS
• Secure wireless clients (laptops, phones, …)
Defenses
RECOMMENDATIONS
Use “wireless checks” of network vulnerability scanners
Defenses
RECOMMENDATIONS
Physically track down rogue access points and malicious devices
RFID Hacking Tools
PENTEST TOOLKIT
How a Card Is Read
POINTS OF ATTACK
Card Reader → (Wiegand output) → Controller → (Ethernet) → Host PC
• Card: Broadcasts 26-37 bit card number
• Reader: Converts card data to “Wiegand Protocol” for transmission to the controller; no access decisions are made by the reader
• Controller: Binary card data “format” is decoded; makes the decision to grant access (or not)
• Host PC: Add/remove card holders and access privileges; monitor system events in real time
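The controller's decoding step from the slide above, as an added example that is not part of the deck: a parser for the common 26-bit Wiegand card format (8-bit facility code, 16-bit card number, two parity bits) together with the parity checks a controller applies. The 26-bit layout is the standard one, assumed here; the 33-37 bit formats the slide also mentions are not covered, and the sample frames are constructed by the encoder in the block.

```python
"""26-bit Wiegand frame decoder with parity verification.

Added example, not from the slides. The reader in the diagram forwards the raw
card bits unchanged, so this is the decoding the controller does. Layout assumed
here is the common 26-bit format: bit 1 = even parity over bits 2-13, bits 2-9 =
8-bit facility code, bits 10-25 = 16-bit card number, bit 26 = odd parity over
bits 14-25. Sample frames are constructed with encode_wiegand26().
"""


def decode_wiegand26(bits: str) -> dict:
    """Split a 26-character '0'/'1' string into its fields and check both parities."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 26-character string of 0/1")
    b = [int(c) for c in bits]
    even_ok = sum(b[0:13]) % 2 == 0   # bit 1 together with bits 2-13 has even weight
    odd_ok = sum(b[13:26]) % 2 == 1   # bits 14-25 together with bit 26 has odd weight
    return {
        "facility": int(bits[1:9], 2),
        "card": int(bits[9:25], 2),
        "parity_ok": even_ok and odd_ok,
    }


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a parity-correct frame from a facility code and card number."""
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility must fit in 8 bits and card number in 16 bits")
    payload = f"{facility:08b}{card:016b}"           # bits 2-25
    even = str(sum(map(int, payload[:12])) % 2)      # makes bits 1-13 even
    odd = str(1 - sum(map(int, payload[12:])) % 2)   # makes bits 14-26 odd
    return even + payload + odd


if __name__ == "__main__":
    # Constructed sample: facility 123, card 45678, plus a copy with bit 20 flipped.
    good = encode_wiegand26(123, 45678)
    bad = good[:19] + ("1" if good[19] == "0" else "0") + good[20:]
    print(good, decode_wiegand26(good))   # parity_ok True
    print(bad, decode_wiegand26(bad))     # parity_ok False
```

Parity is the only integrity check in this format: there is no secret and only 24 bits of identity, which is why the slide treats the card-to-reader link as a point of attack.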
Methodology
3 STEP APPROACH
1. Silently steal badge info
2. Create card clone
3. Enter and plant backdoor
Distance Limitations
A$$ GRABBING METHOD
Existing RFID hacking tools only work when a few centimeters away from the badge
Custom PCB
TASTIC RFID THIEF
Custom PCB – easy to plug into any type of RFID badge reader
Programmable Cards
Cloning to T55x7 Card using Proxmark3
• Simulate data and behavior of any badge type
• HID Prox Cloning – example:
• Indala Prox Cloning – example:
• T55x7 Cards
• Q5 cards (T5555)
Thank You
Bishop Fox – see for more info: http://www.bishopfox.com/ @bishopfox
We’re hiring!