Wireless NetworkRisks and ControlsOffensive Security Tools, Techniques, and Defenses

22 January 2015 – ISACA Phoenix Chapter – Phoenix, AZ

Presented by:Ruihai FangDan PetroBishop Foxwww.bishopfox.com

Introduction/Background

2

GETTING UP TO SPEED

Used to be a PainLots to of heavy things to carry

3

Kali VM and USB Adapter

4

N O W E A S Y

• Kali Linux VM + TP-LINK - TL-WN722N (USB)

+

Laptops, Netbooks (easier to conceal),and adapters

Asus EEPc

TP-Link AdapterCapable of attaching aYAGI antenna

YAGI Antennas – Directional

Very good for attacking from adistance, like from the comfort ofyour hotel room.

Antenna Connector Cables are Necessary

WiFi Hacking Using Android Phones

StarTech Micro USBOn-the-go Adapter

Alfa 1000mW 1W 802.11b/g USBWiFi Adapter. Uses RTL8187 Chipset.

Samsung Galaxy S3

Wireless Hacking Tools

9

ACROSS VARIOUS OS’S

Wireless Tools

10

Discovery

• Supported operating systems

• Supported wireless protocols

• Active vs. passive scanning

• Packet capturing and decoding

• Distinguishes between AP, ad hoc, and clientdevices

• Statistics and reporting capabilities

• User interface

• Price

NirSoft Wireless Tools

11

W I N D O W S H A C K I N G T O O L S

• NirSoft – WirelessNetView

• NirSoft – WifiInfoView

• NirSoft - Wireless Network Watcher

inSSIDer Wi-Fi Scanner

12

W I N D O W S H A C K I N G T O O L S

Aircrack-ng Suite

13

L I N U X H A C K I N G T O O L S

Kismet

14

L I N U X H A C K I N G T O O L S

Kismac

15

M A C O S X H A C K I N G T O O L S

inSSIDer for Mac

16

M A C O S X H A C K I N G T O O L S

Wi-Fi Pineapple

17

W IRELESS PENETRATION TESTING ROUTER

Features

18

• Wireless Jamming (De-auth Attack)• Man-in-the-Middle attack• DNS Spoof on lure client• Web base management• Tether via Mobile Broadband• Battery power and portable

W HAT CAN IT DO?

Specs

19

• Atheros AR9331 SoC at 400MHz

• 802.11 b/g/n 150 Mbps wireless

• 2x Ethernet, one PoE (Power-Over-Ethernet)capable

• USB 2.0 for expanded storage, WiFi Interfaceand Mobile Broadband

• Fast Linux Kernel 3.2 based Jasager Firmware

THE HARDWARE

Methodology

20

Social Engineering

1. Karma (Rogue AP)

2. DNS Spoof & MITM

3. Phishing

Auto-Association

21

PROBLEM TO EXPLOIT

Karma

22

• Listen to wireless probes from nearby wirelessdevices

• Impersonate as the requested wireless AP

HOW DOES IT W ORK?

Karma

23

ROGUE AP

reddit.com

DNS Spoof

24

• Modify DNS records and point to a malicious site• Man-in-the-middle between the victim and

Internet

POISONING YOUR DNS

reddit.com

Malicious site

Phishing

• Clone the officialwebsite (reddit.com)

• Implement key logger

• Deploy malware orbackdoor on theforged website

• Compromise thevictim

25

PHISHING ATTACK

DEMO

26

1. Disable the “Connect Automatically” setting on allunsecured wireless networks.

2. Use DNS Crypt or Google DNS

3. Don’t connect to any unsecured or unknownwireless network

4. Use a trusted VPN tunnel to encrypt the traffic onpublic network

MitigationThings that you should be doing

27

Raspberry Pi

28

F R U I T Y W I F I

• Raspberry Pi – cheap alternative (~$35)

• Fruity WiFi – Raspberry Pi version of the WiFi Pineapple

Easy-creds

29

AUTOMATING W IFI CLIENT ATTACKS

Dumping Keys

30

CLIENT EXPLOITING

Cracking WPA2-PSK with Pyrit

31

Using Kismet We’ve Decided on ourTarget Network

Pyrithttps://code.google.com/p/pyrit/

Pyrit allows to create massive databases,pre-computing part of the IEEE 802.11WPA/WPA2-PSK authentication phase ina space-time-tradeoff. Exploiting thecomputational power of Many-Core- andother platforms through ATI-Stream, Nvidia CUDA and OpenCL, it iscurrently by far the most powerful attackagainst one of the world's most usedsecurity-protocols.

During Recon Find What Channel Your Target is on and Capture only on thatChannel to Increase Your Chances of Getting a Valid WPA Handshake

CorpWiFi9 onChannel 6

Passive Monitoring with Kismet

Running Kismet for 12 hours will capturelots of packets and PCAP files can belarge.

DEMO

36

Stripping a PCAP File with Pyrit

Randomly Captured WPA2 HandshakeAfter Running Kismet for 12 hours in

my apartment

A Typical Windows 7 Wireless ClientUsing WPA2

WPA 4-Way Handshake

WPA 4-Way Handshake

Decrypting WPA Packet Captures withFound Key in Wireshark

Before and After Decryption inWireshark

Before Applying WPA Key

After Applying WPA Key

Mobile WiFiSecurity Tools

44

Popular Mobile WiFi Hacking Tools

WiFi Sniffing on Android in Monitor Modehttp://www.kismetwireless.net/android-pcap/

Password Sniffing & SessionHijacking Using dSploithttp://dsploit.net/

https://code.google.com/p/iphone-wireless/wiki/Stumbler

iphone-wireless

More Discreet Monitoring UsingAlpha 1 802.11b/g

Model NumberAWUS036H. This usesthe RTL8187 WirelessChipset.

Android PCAP Monitor Mode on aGalaxy S3

Arp Spoofing & Detection

88:32:9b:0b:a8:06 isactually the Android

Phone pretending to bethe default gateway at

192.168.1.254

Web Session Hijacking using dSploit

PwnPad

51

N E X U S 7 P E N T E S T D E V I C E

Defenses

52

A V O I D B E I N G P R O B E D

Defenses

53

R E C O M M E N D A T I O N S

• Conduct regular wireless assessments

• Employ strong encryption and authenticationmethods

• Employ wireless IDS/IPS

• Secure wireless clients (laptops, phones, …)

Defenses

54

R E C O M M E N D A T I O N S

Use “wireless checks” of network vulnerabilityscanners

Defenses

55

R E C O M M E N D A T I O N S

Physically track down rogue access points andmalicious devices

Thank You

56

Bishop Fox – see for more info:http://www.bishopfox.com/