
Олег Купреев (Oleg Kupreev) - Overview and demonstration of nuances and tricks from the field of wireless networks.

defcon-russia.ru

  1. 802.11 tips and threats @090h
  2. 7iP5 Li57
     1. Conditions: weather/time/other
     2. Antenna inside and outside
     3. HW
     4. SW
     5. RF
     6. Channel plan(s)
     7. “Good” news 4 everyone (CRDA, Syste.md)
     8. TP-Link 722n as hamradio
     9. 802.11 @ OS X
     10. Some stupid phun if some time remains
  3. Independent conditions
     Weather:
     • H2O + RF = ? Remember borsch in microwave.
     • WWW - Wardriving/Warwalking/Warsitting 8). IT’S TiME TO HACK!!
     • DFS*
     Happy hours:
     • WEP - anytime
     • WPS - night
     • WPA-Personal - evening
     • WPA-Enterprise - 9:00 or when normal people come to the job? 8)
     Other:
     • Depends on your neighbors, interference, PRNG, ISP, etc.
  4. Antenna types
     • Omnidirectional
     • Uda Yagi
     • Panel
     • Parabolic
     • Sector
  5. Omnidirectional antenna
  6. Omnidirectional Antenna RF Gain Pattern
  7. Uda Yagi: use “Uda Yagi Calculator” 4 DIY*
  8. Omnidirectional Antenna RF Gain Pattern
  9. Hardware
     • No silver bullet. TP-Link TL-WN722N is the best choice for a beginner.
     • WPS brute -> Alfa AWUS 036H
     • Handshake capturing -> MIMO card. MAC80211 + Ralink chips rule.
     • Deauth => any card with INJMON
     • Wisipi = KARMA + custom soft => TP-Link: 3020, 3040, 3220, 4300
     • WiFi Pineapple -> MARK IV, MARK V
     • Google Nexus (Kali Nethunter compatible)
     • INJMON_WITHOUT_EXTERNAL_CARD -> Nokia N900, N9
  10. Software
     • Kali, Kali Nethunter, BlackArch, ArchAssault
     • kismet, horst
     • Aircrack-NG, Pyrit, cowpatty
     • reaver-wps, WPSPIN.sh, wpscrack, Bully, pixie-wps, WPSIG
     • Wifite (forked)
     • KARMA, MANA, Hostapd-WPE
     • https://github.com/0x90/wifi-arsenal
     • https://github.com/0x90/wps-scripts
     • WISPI http://semaraks.blogspot.ru/2014/12/wispi-ver-11-for-tp-link-mr3020-mini.html
  11. - RF? - No… 8( - 2.4GHz, 5GHz!
  12. RF
     • 700 MHz - ITS in Japan
     • 900 MHz (802.11ah) - US unlicensed
     • 2.4 GHz (802.11b/g/n) - everyone uses @ home
     • 3.6 GHz, 4.9 GHz (802.11y) - US, Public Safety WLAN. 50 MHz of spectrum from 4940 MHz to 4990 MHz (WLAN channels 20–26) are in use by public safety entities in the US.
     • 5 GHz (802.11a/h/j/n/ac) - 802.11ac is what you should use @ home
     • 5.9 GHz (802.11p) - Wireless Access in Vehicular Environments (WAVE), ITS in EU
     • 60 GHz (802.11ad) - WiGig. 7 Gbit/s, 10 m, beamforming, HDMI over WiFi
  13. Channels, plans and the world.
  14. 802.11b channel center frequency
  15. 802.11b
     • Channel 1
     • Channel 6
     • Channel 11
     • Channel 14
  16. 802.11g/n (20 MHz)
     • Channel 1
     • Channel 5
     • Channel 9
     • Channel 13
  17. 802.11g/n (40 MHz)
     • Channel 1+5 (Upper)
     • Channel 5-1 (Lower)
     • Channel 5+9 (Upper)
     • Channel 9-5 (Lower)
     • Channel 9+13 (Upper)
     • Channel 13-9 (Lower)
  18. 2.4GHz channel plan
  19. 2.4GHz channel plan for US
  20. Channel plans
     Theory:
     • US => 1,6,11
     • WORLD => 1,5,9,13
     IRL fcukups:
     • wtf is channel plan?
     • 40 MHz bandwidth will give me more speed!
     • More AP power will give me more speed!
     • More antennas will give me more speed!
  21. Interference indoor
  22. Gr337z fly 2 JBFC
  23. 5GHz around the world
  24. Meanwhile in Russia. Also, pursuant to the protocol note to the decision of the ГКРЧ (State Commission for Radio Frequencies) of 19 August 2009 No. 09-04-09, the ГКРЧ decided[16] (item 2): to allocate the radio frequency bands 5150-5350 MHz and 5650-6425 MHz for use on the territory of the Russian Federation, except for the cities listed in Appendix No. 2 [1], by fixed wireless access radio equipment of citizens of the Russian Federation and Russian legal entities, without issuing separate ГКРЧ decisions for each individual or legal entity. Brief: 802.11a/h/j/n channels: 36-64, 136-165.
  25. 5GHz freedom? Depends on weather. DFS.
  26. Country limitations
  27. HACKER = NO_LIMITS
     • Patched wireless-regdb https://github.com/0x90/wireless-regdb
     • Patched CRDA https://github.com/0x90/crda-ct
     • Install script https://github.com/0x90/kali-scripts
  28. UDEV IFACE NAMING
     • wlan0 -> wlp3s0
     • mon0 -> wlp3s0mon
     • wlan1 -> wlp0s20u9
     • mon2 -> wlp0s29f7u2mon
     • All mon0-based bash scripts fcuked up
     • Lorcon + PyLorcon2 broken
  29. ath9k low level
     • http://blog.altermundi.net/article/playing-with-ath9k-spectral-scan/
     • ath9k/ath9k_htc open source driver, firmware
     • FFT disable
     • Channels: -19-

         if ath9k.driver.has_sw_limits() && 'kernel patching' in hacker.skills[]:
             hacker.patch(ath9k.driver)
             ath9k.channel = -5
             ath9k.power = 30
             ath9k.bandwidth = 5

  30. ath9k spectral scan
     • Fluke Spectral Analyser = many $$$
     • Atheros AR92XX, AR93XX chips support spectral scan (???)
     • http://pages.cs.wisc.edu/~patro/htc_spectral/0003-Update-spectral-scan-calls-to-support-both-ath9k-and.patch
     • http://blog.altermundi.net/article/playing-with-ath9k-spectral-scan/
  31. spectral scan plot
  32. ath9k advanced
     • echo "$bandwidth" > /sys/kernel/debug/ieee80211/$phy/ath9k/chanbw
     • ls /sys/kernel/debug/ieee80211/phy*/ath9k_htc/registers/
     • ath9k_htc AP mode client fw limit https://lists.ath9k.org/pipermail/ath9k-devel/2013-April/010513.html
     • echo '1' > /sys/kernel/debug/ieee80211/phy0/ath9k/disable_ani
     • iw --debug dev wlan0 info
  33. 802.11 hacking @ OS X
     • No INJ, only RFMON => no sending deauth frames*
     • Use reaver-wps, aircrack-ng, tcpdump from MacPorts
     • airport cmd with RFMON support: /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport
     • Scapy patched for RFMON @ OSX https://github.com/0x90/scapy-osx
     • WPSIK
     • PrivateFrameworks: Apple80211, CoreWLAN, etc…
     • Horst to be patched
  34. 7HR3475
     • PWN via MosMetro_Free
     • WPS_FAST_PWN = pingen + pixie wps + fork(wifite, reaver)
     • KARMA, MANA, HOSTAPD-WPE - pros and cons
     • I’LL CALL YOU @ WPA2 PWD (greetings fly 2 d0znpp)
  35. KARMA/MANA/ROGUE AP
  36. KARMA vs MANA
     KARMA
     • Client -> ProbeRequest ESSID=FreeWiFi
     • ProbeReply ESSID=FreeWiFi BSSID=00:13:37…
     • + PineAP @ Mark V == beaconizer by ESSID list
     MANA
     • PNL gathering (capture broadcast)
     • Beacon Broadcast
     • Hidden SSID
  37. QUESTIONS? PWN’EM ALL! @090h/root@0x90.ru Code @
     • http://github.com/0x90/
     • http://github.com/dc7499
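The channel-plan slides (14 through 20) state the 1/6/11 and 1/5/9/13 plans and the 40 MHz upper/lower pairings without the arithmetic behind them. The following is an added example, not code from the talk or the author's repositories: it computes 2.4 GHz channel centre frequencies, checks which plan is actually non-overlapping for a given signal width (22 MHz for 802.11b DSSS, 20 MHz for 802.11g/n OFDM), and works out the band a bonded HT40 channel occupies. The signal widths and the "secondary is four channels away" rule are standard 802.11 values; everything else (function names, the greedy block-packing helper) is this example's own.

```python
"""Added example (not from the talk): 2.4 GHz channel arithmetic behind the
channel-plan slides.

Channel centre frequency is 2407 + 5*n MHz for channels 1..13 and 2484 MHz
for channel 14. What counts as "non-overlapping" depends on the signal
width: an 802.11b DSSS channel occupies about 22 MHz, an 802.11g/n OFDM
channel 20 MHz. 1/6/11 (25 MHz spacing) works for both; 1/5/9/13 (20 MHz
spacing) only for 20 MHz OFDM. HT40 bonds a primary channel with a
secondary channel four channel numbers above ("upper") or below ("lower").
"""


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def occupied_band(channel: int, width_mhz: float) -> tuple:
    """(low, high) edge frequencies of a channel carrying a width_mhz signal."""
    c = center_mhz(channel)
    return (c - width_mhz / 2, c + width_mhz / 2)


def overlapping_pairs(plan, width_mhz):
    """Pairs of channels in `plan` whose occupied bands overlap.

    Bands whose edges merely touch (channels 1 and 5 at 20 MHz) count as
    disjoint here; the real spectral mask still leaks some energy past the
    nominal edge, so a touching plan is 'just enough', not generous.
    """
    pairs = []
    for i, a in enumerate(plan):
        for b in plan[i + 1:]:
            lo_a, hi_a = occupied_band(a, width_mhz)
            lo_b, hi_b = occupied_band(b, width_mhz)
            if lo_a < hi_b and lo_b < hi_a:
                pairs.append((a, b))
    return pairs


def ht40_band(primary: int, secondary: int) -> tuple:
    """Occupied (low, high) of a 40 MHz bonded channel.

    The secondary must be exactly four channel numbers away and channel 14
    is never bonded. 'Channel 1+5 (Upper)' and 'Channel 5-1 (Lower)' from
    the slides map to the same 40 MHz block.
    """
    if abs(primary - secondary) != 4 or 14 in (primary, secondary):
        raise ValueError("HT40 secondary must be primary +4 or -4 (never channel 14)")
    low = min(center_mhz(primary), center_mhz(secondary)) - 10
    return (low, low + 40)


def disjoint_ht40_blocks():
    """Greedy count of HT40 blocks that fit in channels 1-13 without overlap.

    This is the arithmetic behind '40 MHz bandwidth will give me more speed!':
    the whole 2.4 GHz band is only two 40 MHz blocks wide, so a 40 MHz AP
    collides with every neighbour on the half of the band it occupies.
    """
    blocks = [ht40_band(p, p + 4) for p in range(1, 10)]  # primaries 1..9
    chosen = []
    for band in blocks:
        if all(band[1] <= c[0] or band[0] >= c[1] for c in chosen):
            chosen.append(band)
    return chosen


if __name__ == "__main__":
    print("1/6/11 @22 MHz overlaps:", overlapping_pairs([1, 6, 11], 22))
    print("1/5/9/13 @22 MHz overlaps:", overlapping_pairs([1, 5, 9, 13], 22))
    print("1/5/9/13 @20 MHz overlaps:", overlapping_pairs([1, 5, 9, 13], 20))
    print("HT40 1+5:", ht40_band(1, 5), " 13-9:", ht40_band(13, 9))
    print("disjoint HT40 blocks:", disjoint_ht40_blocks())
```

Running it shows why the "WORLD" plan is a 20 MHz OFDM plan only: 1/5/9/13 at the 22 MHz DSSS width overlaps at every adjacent pair, while 1/6/11 is clean at both widths, and only two HT40 blocks exist in the whole band.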
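Slide 36 contrasts KARMA (answer any probe request with a probe response carrying the requested ESSID) with MANA (additionally harvest client PNLs and beacon the collected names). From the defender's side both leave the same fingerprint in a monitor-mode capture: a single BSSID tied to an unusually large set of distinct ESSIDs. The following detector is an added example, not code from the talk or from the KARMA/MANA projects; the frame tuples, sample BSSIDs/ESSIDs, threshold and allowlist are all constructed for this illustration, and the tuple schema is not any library's API.

```python
"""Added example (not from the talk): spotting KARMA/MANA-style rogue APs in
a capture.

A normal access point answers probe requests only for the ESSID(s) it
serves. A KARMA-style AP answers a probe for any ESSID with a probe
response carrying that ESSID from its own BSSID; a MANA-style AP also
beacons the ESSIDs it has collected from client PNLs (preferred network
lists). Both show up as one BSSID associated with many distinct ESSIDs.

Frames are (type, bssid, ssid) tuples, a schema chosen for this example;
in practice they would be extracted from a parsed monitor-mode capture.
"""
from collections import defaultdict

# Constructed sample data, not a real capture.
ROGUE_K = "00:13:37:00:00:01"   # answers any probe, beacons one name (KARMA-like)
ROGUE_M = "00:13:37:00:00:02"   # answers any probe and beacons them all (MANA-like)
LEGIT = "00:aa:bb:00:00:09"     # ordinary AP serving a single ESSID

SAMPLE_FRAMES = [
    ("probe_resp", ROGUE_K, "FreeWiFi"),
    ("probe_resp", ROGUE_K, "HomeNet"),
    ("probe_resp", ROGUE_K, "CoffeeShop"),
    ("beacon",     ROGUE_K, "FreeWiFi"),
    ("probe_resp", ROGUE_M, "FreeWiFi"),
    ("probe_resp", ROGUE_M, "HomeNet"),
    ("probe_resp", ROGUE_M, "CoffeeShop"),
    ("beacon",     ROGUE_M, "FreeWiFi"),
    ("beacon",     ROGUE_M, "HomeNet"),
    ("beacon",     ROGUE_M, "CoffeeShop"),
    ("beacon",     LEGIT,   "OfficeAP"),
    ("probe_resp", LEGIT,   "OfficeAP"),
    ("probe_resp", LEGIT,   "OfficeAP"),
    ("beacon",     LEGIT,   ""),            # hidden-SSID beacon, ignored below
]


def ssids_per_bssid(frames, frame_type):
    """Map BSSID -> set of ESSIDs seen in frames of the given type."""
    out = defaultdict(set)
    for ftype, bssid, ssid in frames:
        if ftype == frame_type and ssid:    # skip hidden (empty) SSIDs
            out[bssid].add(ssid)
    return out


def find_rogue_aps(frames, threshold=3, allowlist=frozenset()):
    """Return {bssid: (label, sorted ESSIDs)} for BSSIDs that answered probes
    for at least `threshold` distinct ESSIDs.

    `allowlist` holds BSSIDs of known infrastructure that legitimately serves
    several ESSIDs from one BSSID. Threshold and allowlist are local tuning
    for the site being monitored, not a standard value.
    """
    responded = ssids_per_bssid(frames, "probe_resp")
    beaconed = ssids_per_bssid(frames, "beacon")
    verdicts = {}
    for bssid, ssids in responded.items():
        if bssid in allowlist or len(ssids) < threshold:
            continue
        # A MANA-style AP broadcasts the harvested names; KARMA only answers.
        label = "MANA-like" if len(beaconed.get(bssid, ())) >= threshold else "KARMA-like"
        verdicts[bssid] = (label, sorted(ssids))
    return verdicts


if __name__ == "__main__":
    for bssid, (label, ssids) in find_rogue_aps(SAMPLE_FRAMES).items():
        print(f"{bssid}: {label}, answered probes for {ssids}")
```

The legitimate AP never trips the heuristic because it answers only for the name it beacons, while both rogues answer for every name a client asked about; whether the rogue also beacons those names is what separates the MANA-like from the KARMA-like verdict. Multi-ESSID enterprise deployments that really do share one BSSID belong in the allowlist rather than being hidden by a higher threshold.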
