Wireless LANs are often the soft underbelly of an organization's network. Users and guests demand easy access, but corporate resources still need to be protected. An enterprise could break the bank with expensive tools and consultants trying to maintain compliance and minimize risk. The good news is that there are lots of excellent, well-documented open source (i.e., free) tools available to test and monitor your wireless network. And they don't even require a tin-foil hat.

1. Sweepin’ the
Clouds Away
Demystifying
Wireless Security
Using Open Source
Tools

2. Who Am I?
• Michele Chubirka, aka "Mrs. Y.,” Security Architect
and professional contrarian.
• Analyst, blogger, B2B writer, podcaster.
• Researches and pontificates on topics such as
security architecture and best practices.
chubirka@postmodernsecurity.com
http://postmodernsecurity.com
https://www.novainfosec.com/author/mrsy/
@MrsYisWhy
www.linkedin.com/in/mchubirka/

3. Wireless Security Doesn’t Have To Be So Hard
• You don’t always need a
consultant or a commercial tool.
• All you need is the desire to
learn.
• Open source offers great
options.
• You can learn about Wifi security
by using open source hacking
tools against your own WLAN.

4. Build Your Toolkit
• Wireless devices that support RFMON (monitor-mode).
• OSX supports this by default, Windows does not.
• For Windows or running a Linux-based VM, you’ll need an external
device with the right drivers.
• Alfa USB devices are inexpensive alternatives to AirPcap and are also
suitable for injection, but not all models support both 2.4 and 5 GHz.
• Tablets will work, but you’ll need Android and plan to “root” it.
• Apple disallows Wifi scanning apps, so you’ll need to jailbreak, which
gets harder with every update.

5. Why You Need Monitor-Mode
• Monitor-mode (RFMON) allows a
wireless interface the ability to
capture 802.11 WLAN frames
without being associated with a
network.
• This capability is essential for
performing reconnaissance
against a network.

6. Check hardware compatibility guides
for the tools you want to use. You’ll
need to be able to put your
tablet/phone in USB host mode. It may
require jailbreaking/rooting.

7. Pentest Dropboxes aka “Creepers”
• Unobtrusive, form factor device
used by pentesters to gain a
backdoor into a target network.
• Can be used to perform a security
profile of your WLAN infrastructure.
• Also used as an inexpensive
monitoring tool.

8. Where You Can Get One
• Minipwner
• OG150
• PwnPi
Low cost open source
alternatives to Pwnie Express.

10. Roll Your Own
• Raspberry Pi
• Intel NUC
• TP-Link portable routers running
Open-Wrt.
• Pwnie Express even has a community
edition you can build yourself.

11. Available Tools
• Aircrack-NG
• SSLStrip
• Tor
• Ettercap
• Kismet

12. Get A Pineapple
An inexpensive wireless
network auditing tool.
Highly customizable
Wifi router, based on
Open-Wrt and Jasager.

13. Features
• Stealth man-in-the-middle access point.
• Tethering via mobile device or PC.
• Remote management with persistent SSH tunnels.
• Relay and deauth attacks

14. Wireshark Is Your Friend
But there are other
protocol analysis
tools available.
Example:
NetworkMiner

15. Wireshark in Monitor Mode

16. NetworkMiner Network Forensic Analysis Tool
Free and professional
editions – can be used
live or to parse PCAP
files. Focuses on
collecting data about
hosts.

17. Kali Linux is
filled with
Wireless
Tools

18. Pentoo and Backbox

19. Fun with Wifi
• Kismet
– An open source WIDS that works with any wireless devices
supporting monitor-mode.
• Aircrack-NG
– An open source reconnaissance, key-cracking and testing
tool.

20. Kismet

21. Aircrack-NG

22. inSSIDer –
notice any
similarities?

23. Miscellaneous Tools
• MDK3 – attack tool
• CoWPAtty – WPA cracking
tool
• Reaver – WPS attack tool
• WiFite – auditing tool

24. Some Basics
• Three types of WLAN frames
– Management
– Control
– Data
You can view all of these in a
protocol analyzer, but only if your
device supports monitor-mode.
You can successfully attack them,
but only if injection is supported.

25. What?
• SSID (service set identifier) is the name
of a network.
• BSSIDs (basic SSID) identify access
points and clients.
• An ESS (extended service set) consists
of BSSs

26. Wireless
Association
EAP occurs after this.

27. Passive Vs. Active WLAN Discovery
• Beacon frames are transmitted at regular intervals in
all WLAN networks for passive client discovery.
• Active WLAN discovery occurs when client station
sends Probe Request to AP and receives Probe
Response.
• Passive discovery is more appropriate for
reconnaissance.
• Kismet and Aircrack-NG are passive tools.

28. Who’s Out There?
Configuring a “monitor mode” wireless interface.
Airmon-ng start wlan0
Airodump-ng mon0

30. How To Find Hidden SSIDs
• Sniff in monitor-mode.
• Deauthenticate clients by injection with MDK3 or
Aireplay-NG.
• Look for probe response, association, or reassociation
packets in protocol analyzer.
• Beacon, Probe Request, Probe Response and
Association Request frames all contain the SSID.

31. Common Wireless Attacks
• Beating MAC filters with spoofing.
• Cracking WEP through weak IVs.
• Brute force against WPS.
• Brute force of WPA/WPA2 PSK.
• DoS deauth attacks.
• Evil Twin or Rogue access points.
• MITM with SSLstrip.
• Café Latte – client WEP attack.

32. Protecting the WLAN
• By understanding common attack
vectors, you can address
weaknesses in your infrastructure.
• WIPS use attack methods such as
deauths for rogue mitigation.

33. Caution
• In many countries it is unlawful to
interfere with wireless signals.
• Marriott was fined $600k in
October, 2014, for preventing
hotel and conference guests from
using personal hotspots, in
violation of section 333 of the
Communications Act of 1934.

34. 47 U.S. Code § 333 - Willful or malicious interference
No person shall willfully or maliciously interfere with or
cause interference to any radio communications of any
station licensed or authorized by or under this chapter or
operated by the United States Government.

35. Demo?

36. Resources
• Securitytube.net
• Hak5.org
• MyLittlePwny http://www.instructables.com/id/MyLittlePwny-Make-a-
self-powered-pentesting-box-/
• Pwn Pi http://www.pwnpi.com/
• Minipwner http://www.minipwner.com/
• Podcast episode, “How Do I Pwn Thee?”
http://packetpushers.net/healthy-paranoia-show-17-how-do-i-pwn-
thee/

37. Questions?

38. Where Can You Find Me?
Michele Chubirka
Spending quality time in kernel
mode.
Fozzie before Kermit.
http://postmodernsecurity.com
Twitter @MrsYisWhy
Google+ MrsYisWhy
chubirka@postmodernsecurity.co
m