DevLink - WiFu: You think your wireless is secure?

Slides from my talk at DevLink on Wireless Security


Transcript

  • 1. You think your Wifi is Safe? Rob Gillen @argodev
  • 2. Don’t Be Stupid
      The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on systems that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.
  • 3. Disclaimer
      The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
  • 4. Credits
      • Almost nothing in this presentation is original to me.
      • BackTrack 5 Wireless Penetration Testing Beginners Guide (PACKT Publishing)
      • HAK5, Darren Kitchen, et al.
      • The guy sitting at Starbucks last night
      • The Internet (et al.)
  • 5. Overview
      • Pre-Requisite Knowledge
      • Various Security Approaches
      • Tools and Attacks
  • 6. Required Gear
      • Network Adapter that supports “Monitor” mode.
          – Equivalent to promiscuous mode on a normal NIC
      • Windows, Mac, or Linux
          – Linux tools tend to be more readily available
      • Comfort at the command line
  • 7. Today’s Lab
      • Host Machine:
          – Laptop, Windows 7, hard-wired to AP
          – presentation, AP configuration
      • Attacker:
          – VM, BackTrack 5 SR1, Alfa AWUS036H
      • Victim:
          – VM, Mint 13, Netgear USB WiFi NIC
      • Access Point:
          – Linksys WRT310Nv1
  • 8. Wireless Packet Frames
      • Management Frames
          – Authentication
          – De-authentication
          – Association Request
          – Association Response
          – Re-association Request
          – Re-association Response
          – Disassociation
          – Beacon
          – Probe Request
          – Probe Response
      • Control Frames
          – Request to Send (RTS)
          – Clear to Send (CTS)
          – Acknowledgment (ACK)
      • Data Frames
  • 9. Packet Sniffing
      • Filters:
          – wlan.fc.type
              • == 0 (mgmt frames)
              • == 1 (control frames)
              • == 2 (data frames)
          – wlan.fc.subtype
              • == 4 (probe requests)
              • == 5 (probe response)
              • == 8 (beacons)
      • (wlan.fc.type == 0) && (wlan.fc.subtype == 8)
  • 10. Packet Sniffing
      • Determine the channel of the network we are interested in
          – required for sniffing data packets
          – airodump-ng
      • iwconfig mon0 channel 1
  • 11. Packet Injection
      • aireplay-ng
          – Inject packets onto a specific wireless network without specific association to that network
          – Can target specific channels, mask MAC addresses, etc.
          – Does not require association
  • 12. Wireless Channels
      • 802.11 a,b,g,n slice up their spectrum into channels
      • Channels are padded by whitespace
      • 802.11b on 2.4 GHz uses 22 MHz wide channels
      • 5 MHz unused spectrum buffers each channel
  • 13. Channels and Overlap
      • Channel 1: Centered at 2.412 GHz, begins at 2.400 and ends at 2.422 GHz
      • Channel 2: Centered at 2.417 GHz, begins 5 MHz past Channel 1’s beginning
      • Channel 3: Centered at 2.422 GHz, begins 5 MHz past Channel 2’s beginning
      • Channels 1, 6, 11, and 14 are discrete
      Image Source: Wikipedia http://en.wikipedia.org/wiki/File:2.4_GHz_Wi-Fi_channels_(802.11b,g_WLAN).svg
  • 14. Regulatory Issues
      • Available Channels
          – US: 1-11
          – Everywhere Else: 1-13
          – Japan: 1-14
      • Radio Power Levels
          – iw reg set US (up to 20)
          – iw reg set BO (up to 30)
  • 15. De-authentication Packets
      • Polite way to disconnect a client from the network
      • Gives everyone a chance to free memory
      • Hacker’s best friend
      Content for this slide taken from WiFi workshop, NoiseBridge, presented by Darren Kitchen http://hak5.org/episodes/hak5-1122
  • 16. DEMO: HIDDEN SSID
  • 17. DEMO: Hidden SSID
      • Show packet capture with the SSID
      • Hide SSID
      • Prove it is now hidden
      • Solve for X
          – Passive (wait for valid client)
          – wireshark filter
          – Use aireplay-ng to send deauth packet to force the discovery
      • Probe Request/Probe Response packets
  • 18. DEMO: MAC FILTERS
  • 19. DEMO: MAC Filters
      • Enable MAC Filtering on the WAP
      • Prove that a client cannot connect
      • Use airodump-ng to show associated clients
      • Use macchanger to spoof the whitelisted address and connect.
  • 20. DEMO: WEP ENCRYPTION
  • 21. DEMO: WEP Encryption
      • Capture data packets (ARP) from a known/trusted client (airodump-ng)
      • Replay them/re-inject between 10-100,000 times (aireplay-ng)
      • Crack them (aircrack-ng)
      • Guaranteed crack
  • 22. DEMO: WPA/2 ENCRYPTION
  • 23. Image via PacktPub http://www.packtpub.com/article/backtrack-5-attacking-the-client
  • 24. DEMO: WPA/2 Encryption
      • Vulnerable to dictionary attacks
      • Collect authentication handshake
      • Select dictionary file and run the cracker
      • Works for WPA, WPA2, AES, TKIP
  • 25. Tools
      http://www.metageek.net/products/inssider/
  • 26. Tools
      • Jasager (Pineapple IV)
      • I can be anything you want me to be
      http://hakshop.myshopify.com/products/wifi-pineapple
  • 27. Man-In-The-Middle
  • 28. Man-In-The-Middle
  • 29. Man-In-The-Middle
  • 30. Man-In-The-Middle
  • 31. Tools
      • Reaver Pro (WPS Exploit)
      • 4-10 hours and your network is mine
  • 32. What is Safe?
      • Stop using Wi-Fi
          – Avoid open Wi-Fi networks
          – Always use SSL
          – Use 3G (ref: OpenBTS)
          – Disable Auto-Connect… on *all* devices
          – Hard/complex network keys
          – WPA-Enterprise / RADIUS / PEAP / EAP-TTLS
          – Disable WPS!
      • BYO-Encryption
          – Use VPN
          – SSH Tunnel (change your endpoint)
      • Encrypted “Public” WiFi
  • 33. Equipment List
      • Two Laptops
      • Any Wireless Access Point
      • Alfa Card http://www.amazon.com/gp/product/B002BFMZR8
      • Yagi Antenna http://www.amazon.com/gp/product/B004L0TKW4
      • Reaver Kit http://hakshop.myshopify.com/products/reaver-pro
      • WiFi Pineapple http://hakshop.myshopify.com/collections/frontpage/products/wifi-pineapple
  • 34. Learning More
      • http://www.securityfocus.com
      • http://www.aircrack-ng.org
      • http://raulsiles.com/resources/wifi.html
      • http://www.willhackforsushi.com
      • http://hak5.org
          – learning
          – kit
  • 35. Questions/Contact
      Rob Gillen
      rob@gillenfamily.net
      http://rob.gillenfamily.net
      @argodev
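
Added example, not part of the original slides: the Wireshark filters on slide 9 read the type and subtype bits of the 802.11 Frame Control field, and the same bits let a monitoring sensor count the de-authentication frames described on slide 15. It assumes each frame starts at the 802.11 header (radiotap already stripped); the MAC addresses, sample frames and threshold are constructed for illustration.

```python
from collections import Counter

TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "re-association request", 3: "re-association response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication",
                 12: "de-authentication"}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}


def classify(frame: bytes):
    """Return (type, subtype, name) decoded from the Frame Control field."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the Frame Control field")
    fc0 = frame[0]                  # bits 0-1 version, 2-3 type, 4-7 subtype
    ftype = (fc0 >> 2) & 0x3        # what Wireshark calls wlan.fc.type
    subtype = (fc0 >> 4) & 0xF      # what Wireshark calls wlan.fc.subtype
    names = {0: MGMT_SUBTYPES, 1: CTRL_SUBTYPES}.get(ftype, {})
    return ftype, subtype, names.get(subtype, TYPES.get(ftype, "other"))


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def deauth_sources(frames, threshold=3):
    """Count de-auth frames per (transmitter, BSSID); keep pairs >= threshold."""
    counts = Counter()
    for f in frames:
        ftype, subtype, _ = classify(f)
        if ftype == 0 and subtype == 12 and len(f) >= 24:
            # management header: FC, duration, addr1 (dst), addr2 (src), addr3 (BSSID)
            counts[(mac(f[10:16]), mac(f[16:22]))] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def mgmt_frame(subtype, dst, src, bssid):
    """Build a constructed management frame header (type 0) for the sample."""
    return bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"


AP = bytes.fromhex("020000000001")       # constructed, locally administered
CLIENT = bytes.fromhex("020000000002")   # constructed, locally administered
BCAST = b"\xff" * 6
SAMPLE = ([mgmt_frame(8, BCAST, AP, AP)] * 2               # beacons
          + [mgmt_frame(4, BCAST, CLIENT, BCAST)]          # probe request
          + [mgmt_frame(12, CLIENT, AP, AP)] * 5           # de-auth burst
          + [bytes([0xD4, 0x00]) + b"\x00\x00" + AP])      # ACK control frame

if __name__ == "__main__":
    for frame in SAMPLE:
        print(classify(frame))
    print(deauth_sources(SAMPLE))
```

Because management frames in this setup carry no authentication, the transmitter address on a de-auth frame only shows which address was claimed, so a flagged pair is a prompt to investigate rather than proof of the sender.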
