You think your WiFi is safe?

Slides from my talk at CodeStock 2012 on wireless network security.

Published in: Technology

  1. You think your WiFi is Safe? Rob Gillen @argodev
  2. CodeStock is proudly partnered with: RecruitWise and Staff with Excellence - www.recruitwise.jobs. Send instant feedback on this session via Twitter: send a direct message with the room number to @CodeStock (“d codestock 406 This session is great!”). For more information on sending feedback using Twitter while at CodeStock, please see the “CodeStock README” in your CodeStock guide.
  3. Who we are: founded by top experts on Microsoft – Jeffrey Richter, Jeff Prosise, and John Robbins – our mission is to help our customers achieve their goals through advanced software-based consulting and training solutions. What we do: consulting, training, design, debugging. How we do it: Training (on-site instructor-led training, virtual instructor-led training, Devscovery conferences, content creation); Consulting & Debugging (architecture, analysis, and design services; full lifecycle custom software development; project management; debugging & performance tuning); Design (user experience design, visual & content design, video & animation production). wintellect.com
  4. Don’t Be Stupid. The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on systems that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.
  5. Disclaimer. The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
  6. Overview
     • Pre-Requisite Knowledge
     • Various Security Approaches
     • Tools and Attacks
  7. Required Gear
     • Network Adapter that supports “Monitor” mode.
       – Equivalent to promiscuous mode on a normal NIC
     • Windows, Mac, or Linux
       – Linux tools tend to be more readily available
  8. Wireless Packet Frames
     • Management Frames
       – Authentication
       – De-authentication
       – Association Request
       – Association Response
       – Re-association Request
       – Re-association Response
       – Disassociation
       – Beacon
       – Probe Request
       – Probe Response
     • Control Frames
       – Request to Send (RTS)
       – Clear to Send (CTS)
       – Acknowledgment (ACK)
     • Data Frames
  9. Packet Sniffing
     • Filters:
       – wlan.fc.type
         • == 0 (mgmt frames)
         • == 1 (control frames)
         • == 2 (data frames)
       – wlan.fc.subtype
         • == 8 (beacons)
     • (wlan.fc.type == 0) && (wlan.fc.subtype == 8)
  10. Packet Sniffing
     • Determine the channel of the network we are interested in
       – required for sniffing data packets
       – airodump-ng
     • iwconfig mon0 channel 11 (demo pre/post)
  11. Packet Injection
     • aireplay-ng
       – Inject packets onto a specific wireless network without specific association to that network
       – Can target specific channels, mask MAC addresses, etc.
       – Does not require association
  12. Regulatory Issues
     • Available Channels
     • Radio Power Levels
       – iw reg set US
       – iw reg set BO
  13. DEMO: HIDDEN SSID
  14. DEMO: Hidden SSID
     • Show packet capture with the SSID
     • Hide SSID
     • Prove it is now hidden
     • Solve for X
       – Passive (wait for valid client) – wireshark filter
       – Use aireplay-ng to send deauth packet to force the discovery
     • Probe Request/Probe Response packets
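The frame types on slide 8, the wlan.fc.type / wlan.fc.subtype filters on slide 9 and the beacon, probe and deauthentication frames behind the hidden-SSID demo on slide 14 all come down to the first byte of the 802.11 Frame Control field. The Python below is an added example written for this page, not code from the talk or from the aircrack-ng tools it references. It parses that byte from raw frames, extracts the SSID element from beacons (a hidden SSID shows up as an empty or all-NUL element), and reports the two things a defender watching a capture of this demo would alert on: a burst of deauthentication frames from a single transmitter, and one SSID being announced by more than one BSSID. The frames, MAC addresses and SSID are constructed inline; the absence of a radiotap header and the deauth threshold are assumptions.

```python
"""Classify raw 802.11 frames by the Frame Control type/subtype that the
Wireshark filters wlan.fc.type / wlan.fc.subtype test, then derive two
defender indicators. Assumes frames carry no radiotap header; every sample
frame below is constructed, not captured."""
import struct
from collections import Counter, defaultdict

MGMT, CTRL, DATA = 0, 1, 2                       # wlan.fc.type values
TYPE_NAMES = {MGMT: "mgmt", CTRL: "control", DATA: "data"}
SUBTYPE_NAMES = {                                # (type, wlan.fc.subtype) -> name
    (MGMT, 0): "assoc-req", (MGMT, 1): "assoc-resp", (MGMT, 2): "reassoc-req",
    (MGMT, 3): "reassoc-resp", (MGMT, 4): "probe-req", (MGMT, 5): "probe-resp",
    (MGMT, 8): "beacon", (MGMT, 10): "disassoc", (MGMT, 11): "auth",
    (MGMT, 12): "deauth", (CTRL, 11): "rts", (CTRL, 12): "cts", (CTRL, 13): "ack",
    (DATA, 0): "data", (DATA, 8): "qos-data",
}
MGMT_HDR_LEN = 24        # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seqctl(2)
BEACON_FIXED_LEN = 12    # timestamp(8) beacon interval(2) capability(2)


def parse_frame_control(frame: bytes):
    """(type, subtype) from Frame Control byte 0:
    bits 0-1 version, bits 2-3 type, bits 4-7 subtype."""
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF


def frame_kind(frame: bytes) -> str:
    """Label such as 'mgmt/beacon', the same split the slide's filter uses."""
    ftype, subtype = parse_frame_control(frame)
    name = SUBTYPE_NAMES.get((ftype, subtype), f"subtype-{subtype}")
    return f"{TYPE_NAMES.get(ftype, 'reserved')}/{name}"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon_ssid(frame: bytes):
    """SSID from a beacon's information elements, or None when the AP hides
    it (zero-length SSID element or an element of all NUL bytes)."""
    if frame_kind(frame) != "mgmt/beacon":
        raise ValueError("not a beacon frame")
    pos = MGMT_HDR_LEN + BEACON_FIXED_LEN
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + ie_len]
        if ie_id == 0:                           # element ID 0 = SSID
            if ie_len == 0 or body == b"\x00" * ie_len:
                return None
            return body.decode("utf-8", "replace")
        pos += 2 + ie_len
    return None


def summarize(frames):
    """Counts per frame kind, deauth frames per transmitter (addr2), and the
    set of BSSIDs (addr3) seen announcing each visible SSID."""
    kinds, deauth_by_src = Counter(), Counter()
    bssids_per_ssid = defaultdict(set)
    for f in frames:
        kind = frame_kind(f)
        kinds[kind] += 1
        if kind == "mgmt/deauth":
            deauth_by_src[mac_str(f[10:16])] += 1
        elif kind == "mgmt/beacon":
            ssid = parse_beacon_ssid(f)
            if ssid is not None:
                bssids_per_ssid[ssid].add(mac_str(f[16:22]))
    return kinds, deauth_by_src, bssids_per_ssid


def indicators(frames, deauth_threshold=5):
    """Findings worth alerting on; the threshold is an assumed tuning value."""
    _, deauth_by_src, bssids_per_ssid = summarize(frames)
    found = [f"deauth burst: {n} frames from {src}"
             for src, n in deauth_by_src.items() if n >= deauth_threshold]
    found += [f"SSID {ssid!r} announced by {len(b)} BSSIDs"
              for ssid, b in bssids_per_ssid.items() if len(b) > 1]
    return found


# ---- constructed sample frames (not a real capture) ----
def mgmt_frame(subtype, dst, src, bssid, body=b""):
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

def beacon(ap, ssid):
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, caps
    return mgmt_frame(8, b"\xff" * 6, ap, ap, fixed + bytes([0, len(ssid)]) + ssid)

AP_A, AP_B = b"\x02\x11\x22\x33\x44\x55", b"\x02\x66\x77\x88\x99\xaa"
CLIENT = b"\x02\xde\xad\xbe\xef\x01"
SAMPLE = [beacon(AP_A, b"CodeStock"), beacon(AP_B, b"CodeStock"), beacon(AP_A, b"")]
SAMPLE += [mgmt_frame(12, CLIENT, AP_A, AP_A, b"\x07\x00") for _ in range(6)]  # deauth
SAMPLE += [bytes([0xD4, 0x00]) + b"\x00\x00" + CLIENT]                           # ACK

if __name__ == "__main__":
    for line in indicators(SAMPLE):
        print(line)
```

The third constructed beacon carries an empty SSID element, which is exactly what the "hidden SSID" setting on slide 14 produces on the air: the network keeps beaconing, only the name is blank, so the filter `(wlan.fc.type == 0) && (wlan.fc.subtype == 8)` still finds it. Running the script prints one line for the deauth burst and one for the SSID served by two BSSIDs.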
  15. DEMO: MAC FILTERS
  16. DEMO: MAC Filters
     • Enable MAC Filtering on the WAP
     • Prove that a client cannot connect
     • Use airodump-ng to show associated clients
     • Use macchanger to spoof the whitelisted address and connect.
  17. DEMO: SHARED KEY AUTHENTICATION
  18. DEMO: Shared Key Authentication
     • Illustration (steal picture from Wikipedia/netgear?)
     • Configured AP for Shared Key/Update Client
     • Use airodump-ng to capture/log the authentication scheme + keystream
       – Wait for valid client or send deauth pkt
     • Use aireplay-ng to pass back the captured auth pkt
     • TIP: DOS by filling up AP tables (wrapper around aireplay-ng)
  19. DEMO: WEP ENCRYPTION
  20. DEMO: WEP Encryption
     • Capture data packets (ARP) from a known/trusted client (airodump-ng)
     • Replay them/re-inject between 10-100,000 times (aireplay-ng)
     • Crack them (aircrack-ng)
     • “Guaranteed” crack
  21. DEMO: WPA/2 ENCRYPTION
  22. DEMO: WPA/2 Encryption
     • Vulnerable to dictionary attacks
     • Collect authentication handshake
     • Select dictionary file and run the cracker
     • Works for WPA, WPA2, AES, TKIP
  23. Tools
  24. Tools
     • Jasager (Pineapple IV)
     • I can be anything you want me to be
  25. Man-In-The-Middle
  26. Man-In-The-Middle
  27. Man-In-The-Middle
  28. Man-In-The-Middle
  29. Tools
     • Reaver Pro (WPS Exploit)
     • 4-10 hours and your network is mine
  30. What is Safe?
     • Stop using Wi-Fi
     • Avoid open Wi-Fi networks
     • Always use SSL
     • Use VPN
     • Disable Auto-Connect… on *all* devices
     • Hard/complex network keys
     • WPA-Enterprise / RADIUS / PEAP / EAP-TTLS
     • Disable WPS!
  31. Equipment List
     • Two Laptops
     • Any Wireless Access Point
     • Alfa Card http://www.amazon.com/gp/product/B002BFMZR8
     • Yagi Antenna http://www.amazon.com/gp/product/B004L0TKW4
     • Reaver Kit http://hakshop.myshopify.com/products/reaver-pro
     • WiFi Pineapple http://hakshop.myshopify.com/collections/frontpage/products/wifi-pineapple
  32. Learning More
     • http://www.securityfocus.com
     • http://www.aircrack-ng.org
     • http://raulsiles.com/resources/wifi.html
     • http://www.willhackforsushi.com
  33. Questions/Contact: Rob Gillen, rob@gillenfamily.net, http://rob.gillenfamily.net, @argodev
