2. About us
PegasusTeam was founded in 2015. We focus on wireless and IoT security.
360 Security Technology is a leading Internet security company in Asia. Our core products are anti-virus security software for PCs and cellphones.
3. About me
Yunfei Yang (@qingxp9)
• wireless security researcher, 360 Security Technology
• member of PegasusTeam
• Wi-Fi attacks and defenses
• previous speaker at KCON, HITCON, FIT, DEFCON Group 010, Overdrive
9. Association
Establishes the data link between the client and the AP.
A client can only associate with one AP at a time.
If a client roams from one AP to another within the network, the association is called a re-association.
11. Physical Properties
Image source: https://pt.slideshare.net/MdSohailAhmad/rogue-ap
• No physical connection is needed
• RF signal spillage may expose the network to unauthorized users.
12. DoS Attacks
• Beacon Flood
• Authentication Flood
• Association Flood
• Deauthentication Flood
• Disassociation Flood
• …
MDK3
b - Beacon Flood Mode: shows many fake APs to clients.
d - Deauth/Disassoc Amok Mode: kicks all clients off the AP.
20. Wi-Fi Protected Setup (WPS)
• Introduced by the Wi-Fi Alliance in 2006, it allows users to add new devices to a wireless network without entering long passphrases.
24. Pixie Dust attack - pixiewps
The attack exploits a lack of randomization when the AP generates the E-S1 and E-S2 secret nonces.
Knowing these two nonces, the PIN can be recovered within a couple of minutes.
It works only against implementations from several wireless chip makers: Ralink, MediaTek, Realtek and Broadcom.
34. FakeAP attack
If you have previously connected to an open Wi-Fi network with the same name, your device will automatically connect to the FakeAP!
A fake login page is then used to steal your account credentials.
37. WPA/WPA2-Enterprise (802.1X)
EAP Support
• Windows XP (SP3+)
  • EAP-TLS
  • PEAP
• Android/iOS
  • EAP-SIM
  • EAP-TLS
  • PEAP
  • LEAP
  • EAP-FAST
  • ...
PEAP was developed by Cisco, Microsoft and RSA Security, and ships with major operating systems.
38. PEAP Weakness
• Deployments using an untrusted certificate.
• Users make the decision to trust or reject the network.
• Anyone can impersonate the RADIUS server when clients do not validate the server certificate.
39. PEAP Attacks (hostapd-wpe)
• Fake AP + RADIUS server
• Always returns EAP-Success
• Logs authentication credentials (challenge/response, password, username)
• Credential cracking with a fixed challenge
42. Rogue AP
Unauthorized APs attached to the enterprise network, set up with a wireless router or a soft AP (USB Wi-Fi adapter). They are often configured with poor security.
60. Air-Gapped Network
• Considered to be the most secure
61. Ghost Tunnel
• Nothing is impossible
• Attack Vectors
  • Malicious USB
  • Employee's laptop
Implant malware
• USB HID attack
• BashBunny
Set up C&C tunnel
• Via 802.11 beacons and probe requests & responses
Exfiltrate data
• Execute commands
62. Advantages
• Covert
• The HID device only delivers the payload and can then be removed.
• No normal network connections
• Bypasses firewalls
• Cross-platform support
• Transmission distance up to 50 meters
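Pulling together the DoS flood, FakeAP/rogue AP and Ghost Tunnel slides above, here is an added detection example (not part of the deck and not Ghost Tunnel's or MDK3's own code) that runs wireless-IDS checks over a constructed set of 802.11 management-frame records. The authorized BSSID inventory, the thresholds and the sample frames are all assumed for illustration.

```python
"""Added example (not from the deck): wireless IDS checks over constructed 802.11
management-frame summaries. Flags deauth/disassoc floods, an evil twin / rogue AP
advertising a trusted SSID from an unknown BSSID, and beacon/probe SSIDs that look
like encoded covert-channel data (the Ghost Tunnel pattern). All values assumed."""
from collections import Counter, defaultdict
import math

AP1 = "00:11:22:33:44:01"
AUTHORIZED = {"CorpWiFi": {AP1, "00:11:22:33:44:02"}}  # assumed BSSID inventory
DEAUTH_PER_SEC = 20  # assumed threshold; tune per site
SSID_MIN_LEN, SSID_ENTROPY_BITS = 16, 4.2  # assumed; human SSIDs sit well below

def shannon_entropy(s):
    """Bits per character of the SSID string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def analyze(frames):
    """frames: (ts, type, src, bssid, ssid) tuples; type is beacon, probe_req,
    probe_resp, deauth or disassoc. Returns a list of (kind, detail) alerts."""
    alerts, per_sec, flagged = [], defaultdict(Counter), set()
    for ts, ftype, src, bssid, ssid in frames:
        if ftype in ("deauth", "disassoc"):
            per_sec[int(ts)][src] += 1
        elif ftype in ("beacon", "probe_resp") and ssid in AUTHORIZED:
            # Trusted SSID from a BSSID not in the inventory: FakeAP / rogue AP
            if bssid not in AUTHORIZED[ssid] and bssid not in flagged:
                flagged.add(bssid)
                alerts.append(("rogue_ap", f"{ssid} advertised by unknown BSSID {bssid}"))
        if ftype in ("beacon", "probe_req", "probe_resp") and (src, ssid) not in flagged:
            # A long, high-entropy SSID field is how Ghost Tunnel carries its C&C data
            if len(ssid) >= SSID_MIN_LEN and shannon_entropy(ssid) > SSID_ENTROPY_BITS:
                flagged.add((src, ssid))
                alerts.append(("covert_ssid", f"{src} sent SSID {ssid!r}"))
    for sec, counts in per_sec.items():
        for src, n in counts.items():
            if n >= DEAUTH_PER_SEC:
                alerts.append(("deauth_flood", f"{n} deauth/disassoc from {src} at t={sec}s"))
    return alerts

def sample_frames():
    """Constructed capture: normal beacons, one evil twin, one covert probe, one flood."""
    legit = [(10.0 + i, "beacon", AP1, AP1, "CorpWiFi") for i in range(3)]
    twin = [(10.5, "beacon", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "CorpWiFi")]
    covert = [(11.2, "probe_req", "c0:ff:ee:00:00:01", "ff:ff:ff:ff:ff:ff", "q7Zk3pL9vX2mB8nR4sT6wY1aC5dF")]
    flood = [(12.0 + i * 0.04, "deauth", "66:77:88:99:aa:bb", AP1, "") for i in range(25)]
    return legit + twin + covert + flood

if __name__ == "__main__":
    print(*analyze(sample_frames()), sep="\n")
```

On the constructed capture this raises one rogue_ap, one covert_ssid and one deauth_flood alert; a real deployment would feed it per-second frame summaries from a monitor-mode capture.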