SlideShare a Scribd company logo

fingerprinting blackhat by pseudor00t

pseudor00t overflow
pseudor00t overflow

fingerprinting blackhat by pseudor00t

Internet
1 of 23
Download to read offline
Cyber Security and Trust Research & DevelopmentCyber Security and Trust Research & Development http://www.ISTS.dartmouth.eduhttp://www.ISTS.dartmouth.edu Dartmouth CollegeDartmouth College IINSTITUTENSTITUTE FORFOR SSECURITYECURITY TTECHNOLOGYECHNOLOGY SSTUDIESTUDIES Active 802.11 fingerprinting Sergey Bratus Cory Cornelius, Daniel Peebles, Axel Hansen
Can a client station trust an AP? Is this AP one of a trusted group, or evil faker? Why yes, just exchange some crypto with it, and verify the AP knows the right secrets. Problem solved, right? Not exactly: are all these exchanges bug-free? www.ISTS.dartmouth.edu Motivation INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
Initially, an AP is just a MAC address (and other easily faked info) That's all we know. www.ISTS.dartmouth.edu The problem INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College  To perform crypto authentication of AP, driver must parse complex data structures  Complex data from untrusted source? -- Is this such a good idea? Trust me!
www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response
www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response Laptop Ring 0 exploit
www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response Laptop Ring 0 exploit
Early 802.11: AP = castle, must fight off barbarians (unauthorized clients) Reality: can peasants = clients find the right castle? • Dai Zovi, Macaulay: Karma • Shmoo: “Badass tackle...” • Simple Nomad: “Friendly skies...” • Cache & Maynor: “Hijackng a MacBook in 60 seconds” • Month of kernel bugs (Nov '06) www.ISTS.dartmouth.edu AP vs. clients INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
Fingerprint the AP before trying to authenticate and associate with it: limit the kinds of accepted data Must be simple & cheap (no RF spectrum analysis, Fourier transforms, etc. ) Follow IP stack fingerprinting ideas: unusual and non-standard header field combinations – but in link layer (L2) www.ISTS.dartmouth.edu Fingerprint it! INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
www.ISTS.dartmouth.edu Where we fit in INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Passive “Reasonable & Customary” Frames “Cruel & Unusual” Frames L4 / L3 L2 Xprobe P0f SinFP J.Cache U5 duration field Franklin et al. probe timings Fuzzers Nmap BAFFLE
L3, need an L2 connection • Nmap (1998-2006, ...) • Xprobe (2001, 2005, ...) • P0f (2000, 2006) • SinFP (2005) • Timing-related: Ping RTT (2003), Clock Skew (2005) • Scrubbers: Norm, Bro (2000-01) • Honeyd, Morph (2004-) • ... ? www.ISTS.dartmouth.edu TCP/IP fingerprinting INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
www.ISTS.dartmouth.edu BAFFLE INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College • Written in Ruby 1.8.2 • Ruby LORCON bindings from Metasploit • Builds Pcap/BPF filters for 802.11 frames from Ruby objects • Domain-specific language for tests, probes, and for matching responses
www.ISTS.dartmouth.edu Bits and states INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Not all flags make sense for all types & subtypes Not all flags make sense for all states Type Subtype
www.ISTS.dartmouth.edu 802.11 fiddly bits INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Only 0 makes sense on Mgmt & Ctrl frames Type Subtype Unusual on Probes Not for Mgmt frames
So many flags... www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
Probe Request tests www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
Auth Request tests www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
“Secret handshake” www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point ? • Send “gibberish” flag combinations in ProbeReq and AuthReq frames • Watch for reactions (varying MACs helps): • FromDS, ToDS, MoreFrags, MoreData on STA -> AP frames are all non-standard
• Tony Capella (DC-11, '03): Ping RTT “Fashionably late – what your RTT tells ...” • Kohno, Broido, Claffy ('05): Clock Skew “Remote physical device fingerprinting” • Dan Kaminsky ('05): IP frag time-outs • Johnny Cache (Uninformed.org 5, '06): Statistical analysis of the duration field • Franklin et al (USENIX Sec, '06): Scanning Time intervals between Probe Req frames www.ISTS.dartmouth.edu Timing INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College 802.11 L2 TCP/IP L3
• Beacon frames contain AP clock's timestamp • Each HW clock drift differently; skew is the derivative of the clock's offsets against another clock (cf. Kohno, Broido, Claffy '05) • Issues: – AP clock's unique skew can be estimated reliably within 1-2 mins – Similar AP models have closer skews – Faking (e.g., with a laptop + Wi-Fi card in master mode) is hard enough www.ISTS.dartmouth.edu AP beacon clock skew INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
www.ISTS.dartmouth.edu AP beacon clock skew INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Sensor Time AP T i m e
www.ISTS.dartmouth.edu AP beacon clock skew INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
• Johnny Cache for many inspirations • Joshua Wright and Mike Kershaw for LORCON • ToorCon & Uninformed.org • Everyone else who helped (including authors of madwifi*, Metasploit, Ruby, Lapack and many other great tools) www.ISTS.dartmouth.edu Source & Thanks INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College http://baffle.cs.dartmouth.edu/
Contact Information Institute for Security Technology Studies Dartmouth College 6211 Sudikoff Laboratory Hanover, NH 03755 --------------------------------- Phone: 603.646.0700 Fax: 603.646.1672 Email: info@ists.dartmouth.edu

Recommended

Anomaly detection final
Anomaly detection finalAnomaly detection final
Anomaly detection finalAkshay Bansal
 
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT KharagpurSneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT KharagpurPriyanka Aash
 
WiFi Data Leakage by Solomon Sonya
WiFi Data Leakage by Solomon SonyaWiFi Data Leakage by Solomon Sonya
WiFi Data Leakage by Solomon SonyaEC-Council
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Chase Schultz
 
Antony's Final Draft v7
Antony's Final Draft v7Antony's Final Draft v7
Antony's Final Draft v7Antony Law
 
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat Security Conference
 
NETWORKING SYSTEMS .docx
NETWORKING SYSTEMS .docxNETWORKING SYSTEMS .docx
NETWORKING SYSTEMS .docxdohertyjoetta
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
 

Recommended

Anomaly detection final
Anomaly detection finalAnomaly detection final
Anomaly detection finalAkshay Bansal
 
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT KharagpurSneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT KharagpurPriyanka Aash
 
WiFi Data Leakage by Solomon Sonya
WiFi Data Leakage by Solomon SonyaWiFi Data Leakage by Solomon Sonya
WiFi Data Leakage by Solomon SonyaEC-Council
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Chase Schultz
 
Antony's Final Draft v7
Antony's Final Draft v7Antony's Final Draft v7
Antony's Final Draft v7Antony Law
 
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat Security Conference
 
NETWORKING SYSTEMS .docx
NETWORKING SYSTEMS .docxNETWORKING SYSTEMS .docx
NETWORKING SYSTEMS .docxdohertyjoetta
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
 
Seminar V2
Seminar V2Seminar V2
Seminar V2Moustafa Najm
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Brian Proctor - GICSP, CISSP, CRISC
 
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)GulshanKumar368
 
FRONTIERS IN CRYPTOGRAPHY
FRONTIERS IN CRYPTOGRAPHYFRONTIERS IN CRYPTOGRAPHY
FRONTIERS IN CRYPTOGRAPHYLINE Corporation
 
mcubed london - data science at the edge
mcubed london - data science at the edgemcubed london - data science at the edge
mcubed london - data science at the edgeSimon Elliston Ball
 
TCP/IP For Engineers
TCP/IP For EngineersTCP/IP For Engineers
TCP/IP For EngineersLeif Bloomquist
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
Practical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsPractical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsChase Schultz
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3Linaro
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging96Boards
 
Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Joel Aleburu
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics IntroJake K.
 
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure ExecutionSpark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure ExecutionDatabricks
 
Name of Company for Term ProjectStudent Name(s)Course MGMT.docx
Name of Company for Term ProjectStudent Name(s)Course MGMT.docxName of Company for Term ProjectStudent Name(s)Course MGMT.docx
Name of Company for Term ProjectStudent Name(s)Course MGMT.docxrosemarybdodson23141
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...confluent
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...confluent
 
Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Jason Shen
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)n|u - The Open Security Community
 
Cyber Forensics
Cyber Forensics Cyber Forensics
Cyber Forensics Deepak Kumar (D3)
 
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00tCorreo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00tpseudor00t overflow
 
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...pseudor00t overflow
 

More Related Content

Similar to fingerprinting blackhat by pseudor00t

Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Brian Proctor - GICSP, CISSP, CRISC
 
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)GulshanKumar368
 
mcubed london - data science at the edge
mcubed london - data science at the edgemcubed london - data science at the edge
mcubed london - data science at the edgeSimon Elliston Ball
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
Practical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsPractical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsChase Schultz
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3Linaro
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging96Boards
 
Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Joel Aleburu
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics IntroJake K.
 
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure ExecutionSpark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure ExecutionDatabricks
 
Name of Company for Term ProjectStudent Name(s)Course MGMT.docx
Name of Company for Term ProjectStudent Name(s)Course MGMT.docxName of Company for Term ProjectStudent Name(s)Course MGMT.docx
Name of Company for Term ProjectStudent Name(s)Course MGMT.docxrosemarybdodson23141
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...confluent
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...confluent
 
Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Jason Shen
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 

Similar to fingerprinting blackhat by pseudor00t (20)

Seminar V2
Seminar V2Seminar V2
Seminar V2
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?
 
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
 
FRONTIERS IN CRYPTOGRAPHY
FRONTIERS IN CRYPTOGRAPHYFRONTIERS IN CRYPTOGRAPHY
FRONTIERS IN CRYPTOGRAPHY
 
mcubed london - data science at the edge
mcubed london - data science at the edgemcubed london - data science at the edge
mcubed london - data science at the edge
 
TCP/IP For Engineers
TCP/IP For EngineersTCP/IP For Engineers
TCP/IP For Engineers
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
 
Practical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsPractical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of Things
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
 
Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics Intro
 
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure ExecutionSpark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
 
Name of Company for Term ProjectStudent Name(s)Course MGMT.docx
Name of Company for Term ProjectStudent Name(s)Course MGMT.docxName of Company for Term ProjectStudent Name(s)Course MGMT.docx
Name of Company for Term ProjectStudent Name(s)Course MGMT.docx
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
 
Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Cyber Forensics
Cyber Forensics Cyber Forensics
Cyber Forensics
 

More from pseudor00t overflow

Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00tCorreo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00tpseudor00t overflow
 
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...pseudor00t overflow
 
Bomba lapa artefactos explosivos by pseudor00t
Bomba lapa artefactos explosivos by pseudor00tBomba lapa artefactos explosivos by pseudor00t
Bomba lapa artefactos explosivos by pseudor00tpseudor00t overflow
 
Colombia paramilitares confidencial by pseudor00t CIA
Colombia paramilitares confidencial by pseudor00t CIAColombia paramilitares confidencial by pseudor00t CIA
Colombia paramilitares confidencial by pseudor00t CIApseudor00t overflow
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tpseudor00t overflow
 
Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tDefcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tpseudor00t overflow
 
Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t
Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00tDefcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t
Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00tpseudor00t overflow
 
Modelo de seguridad Zerotrust by pseudor00t
Modelo de seguridad Zerotrust by pseudor00tModelo de seguridad Zerotrust by pseudor00t
Modelo de seguridad Zerotrust by pseudor00tpseudor00t overflow
 
Nagios para Dummies By pseudor00t
Nagios para Dummies By pseudor00tNagios para Dummies By pseudor00t
Nagios para Dummies By pseudor00tpseudor00t overflow
 
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t pseudor00t overflow
 
Criptopunks. La libertad y el futuro de internet by pseudor00t
Criptopunks. La libertad y el futuro de internet by pseudor00tCriptopunks. La libertad y el futuro de internet by pseudor00t
Criptopunks. La libertad y el futuro de internet by pseudor00tpseudor00t overflow
 
Infor nmap6 listado_de_comandos by pseudor00t
Infor nmap6 listado_de_comandos by pseudor00t Infor nmap6 listado_de_comandos by pseudor00t
Infor nmap6 listado_de_comandos by pseudor00t pseudor00t overflow
 
Metodologia pentesting-dragon jar by pseudor00t
Metodologia pentesting-dragon jar by pseudor00tMetodologia pentesting-dragon jar by pseudor00t
Metodologia pentesting-dragon jar by pseudor00tpseudor00t overflow
 

More from pseudor00t overflow (15)

Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00tCorreo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
 
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
 
Bomba lapa artefactos explosivos by pseudor00t
Bomba lapa artefactos explosivos by pseudor00tBomba lapa artefactos explosivos by pseudor00t
Bomba lapa artefactos explosivos by pseudor00t
 
Colombia paramilitares confidencial by pseudor00t CIA
Colombia paramilitares confidencial by pseudor00t CIAColombia paramilitares confidencial by pseudor00t CIA
Colombia paramilitares confidencial by pseudor00t CIA
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
 
Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tDefcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
 
Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t
Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00tDefcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t
Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t
 
EL RANSOMWARE by pseudor00t
EL RANSOMWARE by pseudor00t EL RANSOMWARE by pseudor00t
EL RANSOMWARE by pseudor00t
 
Modelo de seguridad Zerotrust by pseudor00t
Modelo de seguridad Zerotrust by pseudor00tModelo de seguridad Zerotrust by pseudor00t
Modelo de seguridad Zerotrust by pseudor00t
 
Nagios para Dummies By pseudor00t
Nagios para Dummies By pseudor00tNagios para Dummies By pseudor00t
Nagios para Dummies By pseudor00t
 
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t
 
Hacking Etico by pseudor00t
Hacking Etico by pseudor00tHacking Etico by pseudor00t
Hacking Etico by pseudor00t
 
Criptopunks. La libertad y el futuro de internet by pseudor00t
Criptopunks. La libertad y el futuro de internet by pseudor00tCriptopunks. La libertad y el futuro de internet by pseudor00t
Criptopunks. La libertad y el futuro de internet by pseudor00t
 
Infor nmap6 listado_de_comandos by pseudor00t
Infor nmap6 listado_de_comandos by pseudor00t Infor nmap6 listado_de_comandos by pseudor00t
Infor nmap6 listado_de_comandos by pseudor00t
 
Metodologia pentesting-dragon jar by pseudor00t
Metodologia pentesting-dragon jar by pseudor00tMetodologia pentesting-dragon jar by pseudor00t
Metodologia pentesting-dragon jar by pseudor00t
 

Recently uploaded

VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneVIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneCall girls in Ahmedabad High profile
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 

Recently uploaded (20)

VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneVIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 

fingerprinting blackhat by pseudor00t

  • 1. Cyber Security and Trust Research & DevelopmentCyber Security and Trust Research & Development http://www.ISTS.dartmouth.eduhttp://www.ISTS.dartmouth.edu Dartmouth CollegeDartmouth College IINSTITUTENSTITUTE FORFOR SSECURITYECURITY TTECHNOLOGYECHNOLOGY SSTUDIESTUDIES Active 802.11 fingerprinting Sergey Bratus Cory Cornelius, Daniel Peebles, Axel Hansen
  • 2. Can a client station trust an AP? Is this AP one of a trusted group, or evil faker? Why yes, just exchange some crypto with it, and verify the AP knows the right secrets. Problem solved, right? Not exactly: are all these exchanges bug-free? www.ISTS.dartmouth.edu Motivation INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 3. Initially, an AP is just a MAC address (and other easily faked info) That's all we know. www.ISTS.dartmouth.edu The problem INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College  To perform crypto authentication of AP, driver must parse complex data structures  Complex data from untrusted source? -- Is this such a good idea? Trust me!
  • 4. www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response
  • 5. www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response Laptop Ring 0 exploit
  • 6. www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response Laptop Ring 0 exploit
  • 7. Early 802.11: AP = castle, must fight off barbarians (unauthorized clients) Reality: can peasants = clients find the right castle? • Dai Zovi, Macaulay: Karma • Shmoo: “Badass tackle...” • Simple Nomad: “Friendly skies...” • Cache & Maynor: “Hijackng a MacBook in 60 seconds” • Month of kernel bugs (Nov '06) www.ISTS.dartmouth.edu AP vs. clients INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 8. Fingerprint the AP before trying to authenticate and associate with it: limit the kinds of accepted data Must be simple & cheap (no RF spectrum analysis, Fourier transforms, etc. ) Follow IP stack fingerprinting ideas: unusual and non-standard header field combinations – but in link layer (L2) www.ISTS.dartmouth.edu Fingerprint it! INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 9. www.ISTS.dartmouth.edu Where we fit in INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Passive “Reasonable & Customary” Frames “Cruel & Unusual” Frames L4 / L3 L2 Xprobe P0f SinFP J.Cache U5 duration field Franklin et al. probe timings Fuzzers Nmap BAFFLE
  • 10. L3, need an L2 connection • Nmap (1998-2006, ...) • Xprobe (2001, 2005, ...) • P0f (2000, 2006) • SinFP (2005) • Timing-related: Ping RTT (2003), Clock Skew (2005) • Scrubbers: Norm, Bro (2000-01) • Honeyd, Morph (2004-) • ... ? www.ISTS.dartmouth.edu TCP/IP fingerprinting INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 11. www.ISTS.dartmouth.edu BAFFLE INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College • Written in Ruby 1.8.2 • Ruby LORCON bindings from Metasploit • Builds Pcap/BPF filters for 802.11 frames from Ruby objects • Domain-specific language for tests, probes, and for matching responses
  • 12. www.ISTS.dartmouth.edu Bits and states INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Not all flags make sense for all types & subtypes Not all flags make sense for all states Type Subtype
  • 13. www.ISTS.dartmouth.edu 802.11 fiddly bits INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Only 0 makes sense on Mgmt & Ctrl frames Type Subtype Unusual on Probes Not for Mgmt frames
  • 14. So many flags... www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 15. Probe Request tests www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 16. Auth Request tests www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 17. “Secret handshake” www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point ? • Send “gibberish” flag combinations in ProbeReq and AuthReq frames • Watch for reactions (varying MACs helps): • FromDS, ToDS, MoreFrags, MoreData on STA -> AP frames are all non-standard
  • 18. • Tony Capella (DC-11, '03): Ping RTT “Fashionably late – what your RTT tells ...” • Kohno, Broido, Claffy ('05): Clock Skew “Remote physical device fingerprinting” • Dan Kaminsky ('05): IP frag time-outs • Johnny Cache (Uninformed.org 5, '06): Statistical analysis of the duration field • Franklin et al (USENIX Sec, '06): Scanning Time intervals between Probe Req frames www.ISTS.dartmouth.edu Timing INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College 802.11 L2 TCP/IP L3
  • 19. • Beacon frames contain AP clock's timestamp • Each HW clock drift differently; skew is the derivative of the clock's offsets against another clock (cf. Kohno, Broido, Claffy '05) • Issues: – AP clock's unique skew can be estimated reliably within 1-2 mins – Similar AP models have closer skews – Faking (e.g., with a laptop + Wi-Fi card in master mode) is hard enough www.ISTS.dartmouth.edu AP beacon clock skew INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 20. www.ISTS.dartmouth.edu AP beacon clock skew INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Sensor Time AP T i m e
  • 21. www.ISTS.dartmouth.edu AP beacon clock skew INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 22. • Johnny Cache for many inspirations • Joshua Wright and Mike Kershaw for LORCON • ToorCon & Uninformed.org • Everyone else who helped (including authors of madwifi*, Metasploit, Ruby, Lapack and many other great tools) www.ISTS.dartmouth.edu Source & Thanks INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College http://baffle.cs.dartmouth.edu/
  • 23. Contact Information Institute for Security Technology Studies Dartmouth College 6211 Sudikoff Laboratory Hanover, NH 03755 --------------------------------- Phone: 603.646.0700 Fax: 603.646.1672 Email: info@ists.dartmouth.edu