Wi-Fish Finder: Defcon 17, Ahmad and Dhyani

WiFish Finder is a tool written for the Linux platform. It can be used to discover infected or vulnerable WiFi clients.


  1. 1. Wi-Fish Finder: Who will bite the bait? There is a >50% chance that your laptop will!
       Md Sohail Ahmad, Prabhash Dhyani. AirTight Networks, www.airtightnetworks.com
  2. 2. Background
       • For the last 2-3 years we have been conducting WiFi scans in various cities around the world and studying the trend of WiFi security adoption.
       • Financial Districts WiFi Scan Study (April, 2009): http://www.airtightnetworks.com/finance-wifi-study
       • Airport WiFi Scan Study (March, 2008): http://www.airtightnetworks.com/airport-wifi-study
  3. 3. A Thought
       • There are places like airports where thousands of people from different parts of the globe transit every day.
       • Most are business travelers and carry a WiFi-enabled laptop, smartphone, PDA etc.
  4. 4. Smart WiFi Study
       Figure labels: Scanning WiFi Clients; Scanning WiFi APs.
       So a very interesting client-based WiFi scan study was possible right there, instead of us going to different locations.
  5. 5. A Scan Sample of WiFi Clients
       Figure labels: Client; Popular Hotspot WiFi Networks.
       Laptop is probing for SSIDs from its preferred list (cached).
  6. 6. Client Probes For WiFi Networks Present in PNL
  7. 7. The Problem Can Security Mode of Each Probed Network (OPEN, WEP, WPA or WPA2) be Determined?
  8. 8. Time To Do A Live Demo!!!
       Security of a Probed SSID. Columns shown: Probed SSID; Security posture.
  9. 9. A Naïve Approach: WiFi Discovery, Authentication, Association
       Exchange between the client (laptop probing for SSIDs from its cached preferred list) and an access point:
       • Client → Access Point: Probe Request, “WXYZ”
       • Access Point → Client: Probe Resp, “WXYZ”
       • Authentication (both directions)
       • Client → Access Point: Assoc Request
       • Access Point → Client: Assoc Resp
       Practical issues:
       • Probes for multiple SSIDs
       • Probes from multiple clients
       • Total 11 commonly used security configurations (1-Open, 2-WEP, 4-WPA, 4-WPA2)
  10. 10. Wi-Fish Finder Automates That For You
       WiFish Finder, running on a laptop:
       1. Handles probes for multiple SSIDs
       2. Handles probes from multiple clients
       3. Works for almost all commonly used security configurations (1-Open, 2-WEP, 4-WPA, 4-WPA2)
       WiFish Finder simulates a virtual WiFi network environment around a probing client (a laptop probing for SSIDs from its cached preferred list) and handles the handshakes between that client and itself.
  11. 11. Implementation: Wi-Fish Finder. Guess 1: Probed SSID is Open
       Between the probing client and Wi-Fish Finder running on a laptop:
       • Client → Wi-Fish Finder: Probe Request, “WXYZ”
       • Wi-Fish Finder → Client: Probe Resp, “WXYZ”, Open
  12. 12. Implementation: Wi-Fish Finder. Guess 2: Probed SSID is WEP
       Between the probing client and Wi-Fish Finder running on a laptop:
       • Client → Wi-Fish Finder: Probe Request, “WXYZ”
       • Wi-Fish Finder → Client: Probe Resp, “WXYZ”, WEP
  13. 13. Implementation: Wi-Fish Finder. Guess 3: Probed SSID is WPA
       Between the probing client and Wi-Fish Finder running on a laptop:
       • Client → Wi-Fish Finder: Probe Request, “WXYZ”
       • Wi-Fish Finder → Client: Probe Resp, “WXYZ”, WPA
  14. 14. Implementation: Wi-Fish Finder. Guess 4: Probed SSID is WPA2
       Between the probing client and Wi-Fish Finder running on a laptop:
       • Client → Wi-Fish Finder: Probe Request, “WXYZ”
       • Wi-Fish Finder → Client: Probe Resp, “WXYZ”, RSN
       • Authentication (both directions)
       • Client → Wi-Fish Finder: Assoc Request, RSN
       Result: security settings of SSID “WXYZ” found.
  15. 15. Snippet of the Scan Study Done In This Conference
       From thousands of miles away, I knew
       Callouts: Home Network; Default Config; Insecure Profile in PNL; Viral SSID or adhoc mode.
       So a WiFi scan study is possible using this tool. What else?
  16. 16. Client Vulnerability Assessment
       Security of a probed SSID, and the attack it is possible to launch:
       • Probed SSID is WEP: Caffe Latte Attack
       • Probed SSID is WPA/WPA2 (Pre Shared Key): Dictionary Attack (if weak passphrase)
       • Probed SSID is WPA/WPA2 (MGT, 802.1x): PEAP Attack (if certificate validation is unchecked)
       Wi-Fish Finder can be used to identify such vulnerable clients well in advance.
  17. 17. PEAP Vulnerability Detection
       Starting point: the client is associated with Wi-Fish Finder (running on a laptop), probed SSID “WXYZ”, security WPA2+.1x.
       • Wi-Fish Finder → Client: EAP Request/Identity
       • Client → Wi-Fish Finder: EAP Response Identity
       • Wi-Fish Finder → Client: EAP Req, EAP-Type=PEAP v0
       • Client → Wi-Fish Finder: EAP Response (TLS Client Hello)
       • Wi-Fish Finder → Client: EAP-Req (Fake Server Cert)
       • Client → Wi-Fish Finder: EAP-Resp (Cert verified)
       Result: client with SSID “WXYZ” is vulnerable to the PEAP attack.
  18. 18. Conclusion
       • Wi-Fish Finder can serve as a “WiFi Client Security Assessment Tool” and can be used by security auditors or network admins to identify clients vulnerable to Wi-Fishing or honeypots.
       • While a lot of measures have been taken to secure WiFi infrastructure (both APs and clients in the vicinity) by following best practices and deploying various forms of WIPS solutions, an isolated WiFi client device still needs adequate security cover to protect it from honeypots.
       Download WiFish Finder: http://blog.airtightnetworks.com
  19. 19. Thanks ! Md Sohail Ahmad [email_address] [email_address] Prabhash Dhyani prabhash.dhyani@airtightnetworks.com AirTight Networks www.airtightnetworks.com
  20. 20. References
       • Aircrack Suite: http://www.aircrack-ng.org/doku.php
       • Attacking Automatic Wireless Network Selection: http://www.theta44.org/karma/aawns.pdf
       • Hotspotter, automatic wireless client penetration: http://www.remote-exploit.org/codes_hotspotter.html
       • Karma Main: http://wirelessdefence.org/Contents/KARMAMain.htm
       • Cafe Latte attack: http://www.airtightnetworks.com/home/resources/knowledge-center/caffe-latte.html
       • PEAP: Pwned Extensible Authentication Protocol: http://www.willhackforsushi.com/papers/shmoocon-rfp-joshua-wright.pdf
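
An added example, not part of the slides or of WiFish Finder: the mapping on slide 16 applied from the client side, as an audit of the saved profiles in a Linux `wpa_supplicant.conf`. The sample file, the result labels and the 12-character cutoff standing in for "weak passphrase" are assumptions made for illustration.

```python
import re
# Constructed sample wpa_supplicant.conf; SSIDs, keys and paths are made up.
SAMPLE = """
network={
  ssid="FreeAirportWiFi"
  key_mgmt=NONE
}
network={
  ssid="OldHome"
  key_mgmt=NONE
  wep_key0="abcde"
}
network={
  ssid="CoffeeShop"
  psk="coffee123"
}
network={
  ssid="CorpNet"
  key_mgmt=WPA-EAP
  eap=PEAP
}
network={
  ssid="CorpPinned"
  key_mgmt=WPA-EAP
  eap=PEAP
  ca_cert="/etc/ssl/corp-ca.pem"
}
"""

def parse_profiles(text):
    """One {key: value} dict per network={...} block."""
    return [dict(l.strip().split("=", 1) for l in b.splitlines() if "=" in l)
            for b in re.findall(r"network=\{(.*?)\n\s*\}", text, re.S)]

def exposure(p):
    """Exposure from slide 16 that this saved profile implies, or None."""
    if p.get("key_mgmt") == "NONE":  # open network or static WEP
        return "caffe-latte" if any(k.startswith("wep_key") for k in p) else "open-honeypot"
    psk = p.get("psk", "")  # quoted value = passphrase, unquoted = raw hex PSK
    if psk.startswith('"') and len(psk.strip('"')) < 12:  # assumed "weak" cutoff
        return "dictionary"
    # An unset eap= allows every compiled-in method, PEAP included.
    if "EAP" in p.get("key_mgmt", "") and "PEAP" in p.get("eap", "PEAP"):
        return None if p.keys() & {"ca_cert", "ca_path"} else "peap-no-cert-validation"
    return None

def audit(text):
    return {p.get("ssid", "?").strip('"'): exposure(p) for p in parse_profiles(text)}

print(audit(SAMPLE))
```

Profiles that come back with a label are the ones worth deleting from the preferred list or fixing, for example by adding `ca_cert` to a PEAP profile.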
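
An added example, not from the slides: detection logic a WIPS sensor could run against the guess sequence of slides 11 to 14, where probe responses for one SSID cycle through Open, WEP, WPA and RSN. It assumes the sensor already decodes probe responses into (time, transmitter, SSID, security) tuples; the frames, the window and the threshold are constructed, and the check keys on SSID because the slides do not say whether one BSSID is reused.

```python
from collections import defaultdict

# Constructed sensor output: (seconds, transmitter, SSID, advertised security)
# for decoded probe responses. All values are made up.
FRAMES = [
    (0.0, "02:00:00:00:00:01", "WXYZ", "OPEN"),
    (0.4, "02:00:00:00:00:01", "WXYZ", "WEP"),
    (0.9, "02:00:00:00:00:01", "WXYZ", "WPA"),
    (1.3, "02:00:00:00:00:01", "WXYZ", "RSN"),
    (0.2, "02:00:00:00:00:02", "CorpNet", "RSN"),
    (5.0, "02:00:00:00:00:02", "CorpNet", "RSN"),
    (1.0, "02:00:00:00:00:03", "Cafe", "OPEN"),
    (90.0, "02:00:00:00:00:04", "Cafe", "RSN"),  # changed much later: outside the window
]

def find_security_cycling(frames, window=10.0, min_modes=3):
    """Return {ssid: sorted modes} for every SSID advertised with at least
    min_modes different security settings inside one window-second span."""
    by_ssid = defaultdict(list)
    for ts, _tx, ssid, sec in sorted(frames):
        by_ssid[ssid].append((ts, sec))
    alerts = {}
    for ssid, seen in by_ssid.items():
        start = 0
        for end in range(len(seen)):
            # Slide the left edge so the span never exceeds the window.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            modes = {sec for _, sec in seen[start:end + 1]}
            if len(modes) >= min_modes:
                alerts[ssid] = sorted(modes)
                break
    return alerts

print(find_security_cycling(FRAMES))
```

A legitimate mixed-mode AP carries its WPA and RSN elements in the same frame, so the decoder should report that as a single mode rather than two.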
