5 ghz electronic warfare part i
A supporting slide deck for Digital Silence's 2018 talk from HackWest, BSides KC, and Thotcon. A supplemental blog post with more useful written information can be found at:

You can check out the source code at:


  1. 5GHz Electronic Warfare Part I - 802.11n
  2. net user author /domain Gabriel Ryan Co-Founder / Principal Security Consultant @ Digital Silence @s0lst1c3 @digitalsilence_
  3. Typical Enterprise WiFi Configurations will have dedicated networks for: ● Guest internet ● Corporate network access ● Possibly BYOD Varying levels of security for each of these. However, if it’s important it’ll probably be protected using WPA-EAP.
  4. Unless it’s ICS/SCADA, in which case it’ll probably be protected by WEP
  5. How do you attack WPA-EAP? The primary means of breaching WPA-EAP networks is the Rogue AP Attack ● Bread and butter of wireless pentesting
  6. Rogue AP Attack Force client devices to connect to the attacker’s access point. Most reliable way of doing this == evil twin attack
  7. (VERY) High level WPA2-EAP overview
  8. The problem To perform an evil twin attack, the attacker must either: 1. Entice a client device to roam to a rogue AP by providing a better connection (higher signal strength, better signal to noise ratio) 2. Coerce a client device to roam to a rogue AP by denying access to the legitimate AP (deauth packets)
  9. The problem Most modern hardware uses 802.11ac or 802.11n. Existing tools for performing rogue AP attacks either: 1. Don’t support 802.11n and 802.11ac at all 2. Only do so with extensive manual configuration What this means: timeboxed pentesters stuck using 802.11g or 802.11a
  10. 802.11n and 802.11ac provide notably better throughput than 802.11a or 802.11g 802.11g – maximum of 54 Mbps 802.11n – theoretical maximum of 600 Mbps (four spatial streams, 40 MHz channel, short guard interval); 300 Mbps is more realistic
  11. What this means It is very difficult to entice a client to roam from a 40 MHz 802.11n access point to a 20 MHz 802.11g rogue access point. Coercion through denial of service is the only viable option in most cases.
  12. Why coercion doesn’t always work ● Very rarely will you be going up against a single AP ● When you deauth a single AP the clients will just roam to another 802.11n or 802.11ac AP
  13. Can’t you solve this problem by deauthenticating BOTH target access points? Sure, you’ll just need 3 WiFi interfaces (1 for the rogue AP, 2 for deauthentication) ● but what if the target network uses 3 APs? ● now we need 4 WiFi interfaces ● … and so on and so forth This can quickly get out of hand.
  14. Other proposed solution: jam the 5 GHz spectrum using SDR I’ve heard of people doing this. Disclaimer: I do not endorse or recommend it.
  15. Other proposed solution: jam the 5 GHz spectrum using SDR cat /dev/urandom | $FIVE_GHZ_SPECTRUM
  16. Obviously a terrible idea ● Not a targeted attack ● 802.11n and 802.11ac can still use the 2.4 GHz spectrum ● 5 GHz is used by all kinds of other neat stuff… like aircraft radar
  17. What we really need: a tool that can create rogue APs using 802.11n and 802.11ac on both the 2.4 GHz and 5 GHz bands ... This talk focuses primarily on 802.11n. Stay tuned for 802.11ac.
  18. Why 802.11n is so hard: ● Access point configuration is highly complicated ● Access points must be 802.11h compliant in order to work on DFS channels (i.e. they must be able to detect and avoid interfering with airplane radar) ● BSS overlap prevention must be circumvented What does any of this mean? Stay tuned for the following sections.
  19. Before we continue… let’s talk about 802.11n
  20. 802.11n offers five main technical improvements: ● Multiple Input Multiple Output (MIMO) ● Spatial Multiplexing ● Channel Bonding ● Short Guard Interval ● MAC Layer Improvements
  21. Multiple Input Multiple Output
  22. Spatial Multiplexing
  23. Without Spatial Multiplexing:
  24. With Spatial Multiplexing:
  25. How 802.11n Uses Spatial Multiplexing Multiple data streams transmitted at the same time and on the same channel. How this works: ● Transmitter splits the data stream into multiple spatial streams using MIMO signal processing ● Each spatial stream is transmitted using a dedicated antenna ● Receiver recombines the spatial streams using MIMO signal processing
  26. Channel Bonding
  27. Channel Bonding Traditional 802.11 channels (assuming OFDM): ● 20 MHz wide
  28. 802.11n Channel Bonding ● Traditional 802.11 channels (assuming OFDM) are 20 MHz wide ● Channel bonding combines two adjacent channels to create a 40 MHz wide channel, doubling bandwidth
  29. Other improvements introduced by 802.11n: ● Short Guard Interval ● MAC improvements This is a 45 minute presentation, so we don’t have time to talk about these ;) Not as relevant to the discussion as MIMO, spatial multiplexing, and channel bonding. Look them up if you’re curious.
  30. What this means for pentesters: To create a rogue AP using 802.11n you must: 1. select a channel width (20 MHz or 40 MHz) 2. select an operating channel 3. select a hardware mode that works with that operating channel 4. set your HT parameters correctly
  31. We’re not done… To create a rogue AP using 802.11n you must: 5. decide whether to allow non-HT connections to your HT access point 6. select an appropriate number of spatial streams Bonus: if you chose a 40 MHz channel, you need to choose whether to place the secondary channel above or below the primary channel. :D
  32. If you get any of these wrong, hostapd will either refuse to start or silently fail.
  33. There is a method to this madness. You just need to know which configuration options to use in any given situation…
  34. … or use a tool that will handle the configuration for you.
  35. Demo
  36. Achieving 802.11h Compliance
  37. Achieving 802.11h Compliance ● Certain parts of the 5 GHz spectrum are used by radar ● Regulations from the FCC, EU, etc. dictate that APs operating on these channels must be capable of detecting and avoiding radar ● This means that if you want to legally operate on DFS channels, you need to be compliant
  38. Also a safety issue…
  39. Achieving 802.11h Compliance How we’ve addressed this: ● Added flags to eaphammer that enable 802.11h, granting access to DFS channels ● Note: you may still have to enable DFS at the kernel level. That’s on you. ● For researchers: added flags that force eaphammer to use DFS channels even if DFS is not enabled (do not use this outside of a lab)
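Slides 30 through 39 list the decisions an 802.11n hostapd configuration has to get right: channel width, operating channel, a hw_mode that matches the band, HT parameters, whether to admit non-HT clients, secondary channel placement, and 802.11h on DFS channels. The Python below is an added example written for this page, not eaphammer's code or anything from the talk; it generates the radio section of a hostapd.conf and rejects the combinations that make hostapd refuse to start. It assumes the standard 5 GHz 40 MHz pairs (36+40, 44+48, ...), the FCC/ETSI DFS ranges 52-64 and 100-144, and standard hostapd.conf keys (`hw_mode`, `channel`, `ieee80211n`, `ht_capab`, `require_ht`, `wmm_enabled`, `ieee80211d`, `ieee80211h`). Spatial stream count is left to the driver here; the function and constant names are this example's own.

```python
"""Radio/HT section of a hostapd.conf for an 802.11n access point.

Added example: encodes the rules from the slides so that an illegal
width/channel/secondary combination is rejected before hostapd sees it.
"""
from typing import Optional

# Lower channel of each legal 5 GHz 40 MHz pair (36+40, 44+48, ...).
# HT40+ is only legal on the lower channel, HT40- only on lower + 4.
# Channel 165 has no partner and is 20 MHz only.  (Assumed standard table.)
HT40_LOWER_5GHZ = (36, 44, 52, 60, 100, 108, 116, 124, 132, 140, 149, 157)

# 5 GHz ranges shared with radar (U-NII-2A / U-NII-2C): need ieee80211h=1.
DFS_RANGES_5GHZ = ((52, 64), (100, 144))


def band_for(channel: int) -> str:
    """Map a channel number to its band; this decides hw_mode (g vs a)."""
    if 1 <= channel <= 14:
        return "2.4"
    if 36 <= channel <= 165:
        return "5"
    raise ValueError(f"unsupported channel {channel}")


def is_dfs(channel: int) -> bool:
    """True if the channel sits in a radar-shared (DFS) range."""
    return any(lo <= channel <= hi for lo, hi in DFS_RANGES_5GHZ)


def secondary_offset(channel: int, width: int, secondary: Optional[int] = None) -> int:
    """Return +1 (HT40+), -1 (HT40-) or 0 (plain 20 MHz) for ht_capab.

    With secondary=None the single legal placement is derived from the
    channel; an explicit +1/-1 is checked against the band's pairing rules.
    """
    if width == 20:
        return 0
    if width != 40:
        raise ValueError("802.11n supports 20 MHz or 40 MHz channels only")
    if secondary not in (None, 1, -1):
        raise ValueError("secondary must be +1 (above), -1 (below) or None")

    if band_for(channel) == "5":
        if secondary is None:
            if channel in HT40_LOWER_5GHZ:
                return 1
            if channel - 4 in HT40_LOWER_5GHZ:
                return -1
            raise ValueError(f"channel {channel} has no 40 MHz pair (20 MHz only)")
        lower = min(channel, channel + 4 * secondary)
        if lower not in HT40_LOWER_5GHZ:
            sign = "+" if secondary > 0 else "-"
            raise ValueError(f"channel {channel} cannot use HT40{sign}")
        return secondary

    # 2.4 GHz: both halves must fit inside channels 1..13 (regulatory
    # domains such as FCC stop at 11; the driver enforces that part).
    if secondary is None:
        secondary = 1 if channel <= 7 else -1
    sec_chan = channel + 4 * secondary
    if not 1 <= sec_chan <= 13:
        raise ValueError(f"secondary channel {sec_chan} is out of range for 2.4 GHz")
    return secondary


def hostapd_ht_config(interface: str, ssid: str, channel: int, width: int = 40,
                      secondary: Optional[int] = None, require_ht: bool = False,
                      country: str = "US") -> str:
    """Build the radio portion of a hostapd.conf as a string."""
    offset = secondary_offset(channel, width, secondary)
    band = band_for(channel)
    lines = [
        f"interface={interface}",
        f"ssid={ssid}",
        f"country_code={country}",
        "hw_mode=a" if band == "5" else "hw_mode=g",  # mode must match the band
        f"channel={channel}",
        "ieee80211n=1",
        "wmm_enabled=1",  # HT data rates are only used with WMM enabled
    ]
    caps = ["[SHORT-GI-20]"]
    if offset:
        caps.append("[HT40+]" if offset > 0 else "[HT40-]")  # secondary placement
        caps.append("[SHORT-GI-40]")
    lines.append("ht_capab=" + "".join(caps))
    if require_ht:
        lines.append("require_ht=1")  # reject legacy 802.11a/g clients
    if is_dfs(channel):
        lines += ["ieee80211d=1", "ieee80211h=1"]  # 802.11h radar detection
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # 40 MHz HT AP on DFS channel 52; hostapd derives HT40+ and enables 802.11h.
    print(hostapd_ht_config("wlan1", "corp-wifi", 52, 40))
```

As the slides note, the 802.11h flags only help if the kernel's regulatory domain allows DFS operation: set it with `iw reg set <alpha2>` and confirm with `iw list` that the target channels are marked for radar detection rather than disabled.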
  40. Circumventing BSS Overlap Protection
  41. BSS Conflicts: Law of 802.11n - thou shalt not occupy the same primary channel as another AP if it can be avoided
  42. BSS Conflicts Evil Twin Attack - deliberately occupying the same ESSID and channel as another AP in order to force client devices to connect to the attacker
  43. BSS Conflicts Fortunately, we can resolve this issue by patching hostapd to ignore BSS conflicts. ● People have been doing this for years, and it’s as easy as changing a couple of lines of code (hostapd only checks for conflicts at start) [3]
  44. What’s been added to eaphammer: Out of the box support for ● 5 GHz rogue access points ● 802.11n compatibility (802.11ac comes next) ● WMM support (for good measure) ● 802.11h compliance (yay) ● Minimal manual configuration needed; granular configuration still possible
  45. Check out the source code: