DEF CON 23 - Vivek Ramachandran - Chellam

  1. ©SecurityTube.net – Chellam – a Wi-Fi IDS/Firewall for Windows
  2. Vivek Ramachandran
     • WEP Cloaking – Defcon 19
     • Caffe Latte Attack – Toorcon 9
     • Microsoft Security Shootout
     • Wi-Fi Malware, 2011
     • 802.1x, Cat65k – Cisco Systems
     • B.Tech, ECE – IIT Guwahati
     • Media Coverage – CBS5, BBC
     • Trainer, 2011
  3. SecurityTube and Pentester Academy
  4. Motivation
     • Attack! Attack! Attack!
     • Defense?
     • Important problem?
     • Solution viable?
  5. Enterprise (diagram: Premise Focused Enterprise)
  6. Roaming Clients?
     • State of current solutions
       – Lockdown Wi-Fi, Bluetooth etc.
       – Policy based on SSID
       – Not BYOD ready
       – No attack detection
     • Heterogeneous Devices
       – Varied Operating Systems
       – Non-standard Wi-Fi API
       – No low-level support, e.g. iOS
  7. What about the rest of us?
     • World beyond Enterprise
     • Millions of Personal Devices
     • Every Internet-capable device
     • Internet of Things (IoT)
  8. Wi-Fi Client Attack Surface
     • Honeypots
       – AP-less WEP/WPA/WPA2 Cracking
     • Evil Twins
     • Mis-Associations
     • Hosted Network Backdoors
     • …
  9. Typical Attack (diagram: SSID1 SSID2 SSID3 / SSID1 SSID2 SSID3)
  10. AP-less Cracking (table)
     • Columns: No Encryption | WEP | WPA/WPA2 PSK | WPA/WPA2 PEAP, EAP-TTLS
     • Rows: AP-less Cracking, Cloud Cracking
     • WEP: Caffe Latte, Hirte; WPA/WPA2 PSK: Handshake; WPA/WPA2 PEAP, EAP-TTLS: MS-CHAPv2 CR
  11. Where are you SAFE? Nowhere!!!
  12. Hijack Wi-Fi == Hijack Layer 2
     • Traffic Monitoring
     • DNS Hijacking
     • SSL MITM
     • Application Attacks
  13. Defining the Scope
     • Windows Endpoints
       – No custom hardware or drivers
     • Detect Honeypot creation tools
     • Firewall-like Rule Creation
       – “Allow”, “Deny”
     • Monitoring Wi-Fi state machine
     • Detect Wi-Fi backdoors
  14. Architecture Block Diagram (block labels, in order)
     • Wi-Fi Native API: State Machine, Scan Data, Network Profiles, Card Control
     • Data Collection Engine: Event Data, BSS Information, Profile XML Data, Hardware State Data
     • Data Storage
     • Analysis Engine, Rule Matching Engine
     • Presentation Layer: Interface, Application GUI
  15. Wi-Fi Native API
     • State Machine – 802.11 state machine per Wi-Fi card
     • Scan Data – Periodic scan results with BSS data
     • Network Profiles – XML network profile data
     • Card Control – Scan, Connect, Disconnect, Lock etc.
  16. Technicalities: https://msdn.microsoft.com/en-us/library/windows/desktop/ms706839(v=vs.85).aspx
  17. Demo – Data Sources
  18. Data Collection and Storage (diagram: Data Collection Engine – Event Data, BSS Information, Profile XML Data, Hardware State Data; Data Storage)
     • Stored in SQLITE databases
     • Makes it easy to write plugins
     • 3rd-party tools can use the database
  19. Demo – SQLITE DB Data
  20. Rule Matching and Analysis (diagram: Data Storage, Analysis Engine, Rule Matching Engine)
     • Rules can be written to include:
       – BSSID
       – Neighboring Networks
       – Channel use patterns and frequencies
       – Information Elements in the Beacon / Probe Response
       – Access pattern based on time of day
  21. Demo – Monitoring and Event Detection
  22. Understanding Attack Detection (diagram: Internet, SSID, N1 N2 N3 N4)
  23. Fingerprinting the Network SSID
     • 802.11 (pre-connect)
       – BSSID(s)
       – BSS type
       – PHY type
       – Beacon Interval
       – Channel(s) & Hopping
       – Rates – basic and extended
       – Capability Information
       – Information Element(s)
       – Neighboring Access Points
       – AP details as above
     • IP & Above (post-connect)
       – IP, Gateway
       – DNS, ARP cache
       – Subnet scan
       – OS and service scan
  24. Typical Attack Mitigation (diagram: SSID1 SSID2 SSID3 / SSID1 SSID2 SSID3)
     • BSSID(s)
     • Channel(s) & Hopping
     • Rates – basic and extended
     • Capability Information
     • Information Element(s)
     • Neighboring Access Points
     • AP details as above
  25. Demo – Attack Tool Detection (Airbase)
  26. Why is this important?
     • Attack tools will have to significantly improve
     • Make it difficult to fingerprint
       – No hardcoded values, random BSSID etc.
     • More features to mimic authorized networks
       – Ability to “clone” network beacons / probe responses
       – Ability to closely follow clocks (timestamp)
       – Have to be on the right channel and band
     • Very difficult to beat the whitelist approach
  27. Roadmap – Enhancements
     • Whitelist vs Blacklist
     • Plugin Architecture
       – SQL with Python
     • Intrusion Prevention / Firewall with custom driver
     • Assisted and automatic learning of whitelists
     • Downloadable blacklists for attack tools
  28. Questions?
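The following is an added worked example, not Chellam's own code, of the pipeline the slides sketch: scan data stored in SQLite (slide 18), firewall-like Allow/Deny rules (slide 13), and a rule matching engine that compares each BSS advertising a known SSID against a learned whitelist fingerprint built from the pre-connect attributes on slides 23 and 24 (BSSIDs, channels, beacon interval, rate sets, capability field, information elements). A BSS that carries the whitelisted SSID but deviates on any field is reported, which is the evil-twin/honeypot case the mitigation slide describes. The table layout, the fingerprint fields, the rule shape and every sample value below are assumptions constructed for this illustration; the project's real schema and rule syntax are not on the page.

```python
"""Whitelist fingerprint matching over Wi-Fi scan data stored in SQLite.

Added example (not Chellam's own code). The table layout, the fingerprint
fields kept per SSID, the allow/deny rule shape and every sample value
below are assumptions constructed for this illustration.
"""
import sqlite3

# Constructed scan records, not real captures. Each tuple carries the
# pre-connect fingerprint attributes listed on the slides: SSID, BSSID,
# channel, beacon interval (TUs), supported rates (Mbps), the 16-bit
# capability field and the IDs of the information elements seen in the beacon.
SCAN_RESULTS = [
    ("HomeNet", "00:11:22:33:44:55", 6, 100,
     "1,2,5.5,11,6,9,12,18,24,36,48,54", 0x0411, "0,1,3,48,50,221"),
    ("HomeNet", "00:11:22:33:44:56", 36, 100,
     "6,9,12,18,24,36,48,54", 0x0411, "0,1,3,48,50,221"),
    # Same SSID from an unknown BSSID on another channel, with a smaller
    # rate set, a different capability field and no RSN element (ID 48):
    ("HomeNet", "aa:bb:cc:dd:ee:ff", 1, 100,
     "1,2,5.5,11", 0x0401, "0,1,3"),
    ("CoffeeShop", "66:77:88:99:aa:bb", 11, 100,
     "1,2,5.5,11", 0x0401, "0,1,3,50"),
]

# Whitelist fingerprint previously learned for the authorised network
# (constructed values).
WHITELIST = {
    "HomeNet": {
        "bssids": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
        "channels": {6, 36},
        "beacon_interval": 100,
        "rate_sets": [
            frozenset({1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54}),
            frozenset({6, 9, 12, 18, 24, 36, 48, 54}),
        ],
        "capability": 0x0411,
        "required_ies": {48},  # the RSN element must be present
    }
}

# Firewall-like "Allow"/"Deny" rules from the scope slide, keyed on BSSID
# (constructed).
RULES = [("deny", "aa:bb:cc:dd:ee:ff")]


def build_db(scan_results=SCAN_RESULTS):
    """Load scan records into an in-memory SQLite database (data storage)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bss (ssid TEXT, bssid TEXT, channel INTEGER, "
        "beacon_interval INTEGER, rates TEXT, capability INTEGER, ie_ids TEXT)"
    )
    conn.executemany("INSERT INTO bss VALUES (?,?,?,?,?,?,?)", scan_results)
    conn.commit()
    return conn


def fingerprint_mismatches(row, profile):
    """Return the fingerprint fields on which a BSS deviates from the profile."""
    _ssid, bssid, channel, beacon_interval, rates, capability, ie_ids = row
    rate_set = frozenset(float(r) for r in rates.split(",") if r)
    ies = {int(i) for i in ie_ids.split(",") if i}
    reasons = []
    if bssid not in profile["bssids"]:
        reasons.append("bssid")
    if channel not in profile["channels"]:
        reasons.append("channel")
    if beacon_interval != profile["beacon_interval"]:
        reasons.append("beacon_interval")
    if rate_set not in profile["rate_sets"]:
        reasons.append("rates")
    if capability != profile["capability"]:
        reasons.append("capability")
    if not profile["required_ies"] <= ies:
        reasons.append("information_elements")
    return reasons


def analyze(conn, whitelist=WHITELIST, rules=RULES):
    """Rule matching engine: deny rules first, then whitelist fingerprints.

    Returns one alert dict per (rule, BSS) match.
    """
    alerts = []
    denied = {bssid for action, bssid in rules if action == "deny"}
    for row in conn.execute("SELECT * FROM bss"):
        ssid, bssid = row[0], row[1]
        if bssid in denied:
            alerts.append({"ssid": ssid, "bssid": bssid, "rule": "deny",
                           "reasons": ["denied_bssid"]})
        if ssid in whitelist:
            reasons = fingerprint_mismatches(row, whitelist[ssid])
            if reasons:
                alerts.append({"ssid": ssid, "bssid": bssid,
                               "rule": "whitelist", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(build_db()):
        print(alert)
```

Only the third record trips the engine: it matches the deny rule and also fails the whitelist on BSSID, channel, rates, capability and missing RSN element, while the unknown CoffeeShop network is ignored because no rule or whitelist entry covers it. Keeping the matching in SQL-backed tables rather than in the collector is what lets plugins and third-party tools add rules of the kinds listed on slide 20 (neighboring networks, channel-use patterns, time of day) without touching the collection engine.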