Sweepin’ the
Clouds Away
Demystifying
Wireless Security
Using Open Source
Tools
Who Am I?
• Michele Chubirka, aka "Mrs. Y.,” Security Architect
and professional contrarian.
• Analyst, blogger, B2B writer, podcaster.
• Researches and pontificates on topics such as
security architecture and best practices.
chubirka@postmodernsecurity.com
http://postmodernsecurity.com
https://www.novainfosec.com/author/mrsy/
@MrsYisWhy
www.linkedin.com/in/mchubirka/
Wireless Security Doesn’t Have To Be So Hard
• You don’t always need a
consultant or a commercial tool.
• All you need is the desire to
learn.
• Open source offers great
options.
• You can learn about Wifi security
by using open source hacking
tools against your own WLAN.
Build Your Toolkit
• Wireless devices that support RFMON (monitor-mode).
• OSX supports this by default, Windows does not.
• For Windows or running a Linux-based VM, you’ll need an external
device with the right drivers.
• Alfa USB devices are inexpensive alternatives to AirPcap and are also
suitable for injection, but not all models support both 2.4 and 5 GHz.
• Tablets will work, but you’ll need Android and plan to “root” it.
• Apple disallows Wifi scanning apps, so you’ll need to jailbreak, which
gets harder with every update.
Why You Need Monitor-Mode
• Monitor-mode (RFMON) allows a
wireless interface the ability to
capture 802.11 WLAN frames
without being associated with a
network.
• This capability is essential for
performing reconnaissance
against a network.
Check hardware compatibility guides
for the tools you want to use. You’ll
need to be able to put your
tablet/phone in USB host mode. It may
require jailbreaking/rooting.
Pentest Dropboxes aka “Creepers”
• Unobtrusive, form factor device
used by pentesters to gain a
backdoor into a target network.
• Can be used to perform a security
profile of your WLAN infrastructure.
• Also used as an inexpensive
monitoring tool.
Where You Can Get One
• Minipwner
• OG150
• PwnPi
Low cost open source
alternatives to Pwnie Express.
Roll Your Own
• Raspberry Pi
• Intel NUC
• TP-Link portable routers running
Open-Wrt.
• Pwnie Express even has a community
edition you can build yourself.
Available Tools
• Aircrack-NG
• SSLStrip
• Tor
• Ettercap
• Kismet
Get A Pineapple
An inexpensive wireless
network auditing tool.
Highly customizable
Wifi router, based on
Open-Wrt and Jasager.
Features
• Stealth man-in-the-middle access point.
• Tethering via mobile device or PC.
• Remote management with persistent SSH tunnels.
• Relay and deauth attacks
Wireshark Is Your Friend
But there are other
protocol analysis
tools available.
Example:
NetworkMiner
Wireshark in Monitor Mode
NetworkMiner Network Forensic Analysis Tool
Free and professional
editions – can be used
live or to parse PCAP
files. Focuses on
collecting data about
hosts.
Kali Linux is
filled with
Wireless
Tools
Pentoo and Backbox
Fun with Wifi
• Kismet
– An open source WIDS that works with any wireless devices
supporting monitor-mode.
• Aircrack-NG
– An open source reconnaissance, key-cracking and testing
tool.
Kismet
Aircrack-NG
inSSIDer –
notice any
similarities?
Miscellaneous Tools
• MDK3 – attack tool
• CoWPAtty – WPA cracking
tool
• Reaver – WPS attack tool
• WiFite – auditing tool
Some Basics
• Three types of WLAN frames
– Management
– Control
– Data
You can view all of these in a
protocol analyzer, but only if your
device supports monitor-mode.
You can successfully attack them,
but only if injection is supported.
What?
• SSID (service set identifier) is the name
of a network.
• BSSIDs (basic SSID) identify access
points and clients.
• An ESS (extended service set) consists
of BSSs
Wireless
Association
EAP occurs after this.
Passive Vs. Active WLAN Discovery
• Beacon frames are transmitted at regular intervals in
all WLAN networks for passive client discovery.
• Active WLAN discovery occurs when client station
sends Probe Request to AP and receives Probe
Response.
• Passive discovery is more appropriate for
reconnaissance.
• Kismet and Aircrack-NG are passive tools.
Who’s Out There?
Configuring a “monitor mode” wireless interface.
Airmon-ng start wlan0
Airodump-ng mon0
How To Find Hidden SSIDs
• Sniff in monitor-mode.
• Deauthenticate clients by injection with MDK3 or
Aireplay-NG.
• Look for probe response, association, or reassociation
packets in protocol analyzer.
• Beacon, Probe Request, Probe Response and
Association Request frames all contain the SSID.
Common Wireless Attacks
• Beating MAC filters with spoofing.
• Cracking WEP through weak IVs.
• Brute force against WPS.
• Brute force of WPA/WPA2 PSK.
• DoS deauth attacks.
• Evil Twin or Rogue access points.
• MITM with SSLstrip.
• Café Latte – client WEP attack.
Protecting the WLAN
• By understanding common attack
vectors, you can address
weaknesses in your infrastructure.
• WIPS use attack methods such as
deauths for rogue mitigation.
Caution
• In many countries it is unlawful to
interfere with wireless signals.
• Marriott was fined $600k in
October, 2014, for preventing
hotel and conference guests from
using personal hotspots, in
violation of section 333 of the
Communications Act of 1934.
47 U.S. Code § 333 - Willful or malicious interference
No person shall willfully or maliciously interfere with or
cause interference to any radio communications of any
station licensed or authorized by or under this chapter or
operated by the United States Government.
Demo?
Resources
• Securitytube.net
• Hak5.org
• MyLittlePwny http://www.instructables.com/id/MyLittlePwny-Make-a-
self-powered-pentesting-box-/
• Pwn Pi http://www.pwnpi.com/
• Minipwner http://www.minipwner.com/
• Podcast episode, “How Do I Pwn Thee?”
http://packetpushers.net/healthy-paranoia-show-17-how-do-i-pwn-
thee/
Questions?
Where Can You Find Me?
Michele Chubirka
Spending quality time in kernel
mode.
Fozzie before Kermit.
http://postmodernsecurity.com
Twitter @MrsYisWhy
Google+ MrsYisWhy
chubirka@postmodernsecurity.co
m

Demystifying Wireless Security Using Open Source Options

  • 1.
    Sweepin’ the Clouds Away Demystifying WirelessSecurity Using Open Source Tools
  • 2.
    Who Am I? •Michele Chubirka, aka "Mrs. Y.,” Security Architect and professional contrarian. • Analyst, blogger, B2B writer, podcaster. • Researches and pontificates on topics such as security architecture and best practices. chubirka@postmodernsecurity.com http://postmodernsecurity.com https://www.novainfosec.com/author/mrsy/ @MrsYisWhy www.linkedin.com/in/mchubirka/
  • 3.
    Wireless Security Doesn’tHave To Be So Hard • You don’t always need a consultant or a commercial tool. • All you need is the desire to learn. • Open source offers great options. • You can learn about Wifi security by using open source hacking tools against your own WLAN.
  • 4.
    Build Your Toolkit •Wireless devices that support RFMON (monitor-mode). • OSX supports this by default, Windows does not. • For Windows or running a Linux-based VM, you’ll need an external device with the right drivers. • Alfa USB devices are inexpensive alternatives to AirPcap and are also suitable for injection, but not all models support both 2.4 and 5 GHz. • Tablets will work, but you’ll need Android and plan to “root” it. • Apple disallows Wifi scanning apps, so you’ll need to jailbreak, which gets harder with every update.
  • 5.
    Why You NeedMonitor-Mode • Monitor-mode (RFMON) allows a wireless interface the ability to capture 802.11 WLAN frames without being associated with a network. • This capability is essential for performing reconnaissance against a network.
  • 6.
    Check hardware compatibilityguides for the tools you want to use. You’ll need to be able to put your tablet/phone in USB host mode. It may require jailbreaking/rooting.
  • 7.
    Pentest Dropboxes aka“Creepers” • Unobtrusive, form factor device used by pentesters to gain a backdoor into a target network. • Can be used to perform a security profile of your WLAN infrastructure. • Also used as an inexpensive monitoring tool.
  • 8.
    Where You CanGet One • Minipwner • OG150 • PwnPi Low cost open source alternatives to Pwnie Express.
  • 10.
    Roll Your Own •Raspberry Pi • Intel NUC • TP-Link portable routers running Open-Wrt. • Pwnie Express even has a community edition you can build yourself.
  • 11.
    Available Tools • Aircrack-NG •SSLStrip • Tor • Ettercap • Kismet
  • 12.
    Get A Pineapple Aninexpensive wireless network auditing tool. Highly customizable Wifi router, based on Open-Wrt and Jasager.
  • 13.
    Features • Stealth man-in-the-middleaccess point. • Tethering via mobile device or PC. • Remote management with persistent SSH tunnels. • Relay and deauth attacks
  • 14.
    Wireshark Is YourFriend But there are other protocol analysis tools available. Example: NetworkMiner
  • 15.
  • 16.
    NetworkMiner Network ForensicAnalysis Tool Free and professional editions – can be used live or to parse PCAP files. Focuses on collecting data about hosts.
  • 17.
    Kali Linux is filledwith Wireless Tools
  • 18.
  • 19.
    Fun with Wifi •Kismet – An open source WIDS that works with any wireless devices supporting monitor-mode. • Aircrack-NG – An open source reconnaissance, key-cracking and testing tool.
  • 20.
  • 21.
  • 22.
  • 23.
    Miscellaneous Tools • MDK3– attack tool • CoWPAtty – WPA cracking tool • Reaver – WPS attack tool • WiFite – auditing tool
  • 24.
    Some Basics • Threetypes of WLAN frames – Management – Control – Data You can view all of these in a protocol analyzer, but only if your device supports monitor-mode. You can successfully attack them, but only if injection is supported.
  • 25.
    What? • SSID (serviceset identifier) is the name of a network. • BSSIDs (basic SSID) identify access points and clients. • An ESS (extended service set) consists of BSSs
  • 26.
  • 27.
    Passive Vs. ActiveWLAN Discovery • Beacon frames are transmitted at regular intervals in all WLAN networks for passive client discovery. • Active WLAN discovery occurs when client station sends Probe Request to AP and receives Probe Response. • Passive discovery is more appropriate for reconnaissance. • Kismet and Aircrack-NG are passive tools.
  • 28.
    Who’s Out There? Configuringa “monitor mode” wireless interface. Airmon-ng start wlan0 Airodump-ng mon0
  • 30.
    How To FindHidden SSIDs • Sniff in monitor-mode. • Deauthenticate clients by injection with MDK3 or Aireplay-NG. • Look for probe response, association, or reassociation packets in protocol analyzer. • Beacon, Probe Request, Probe Response and Association Request frames all contain the SSID.
  • 31.
    Common Wireless Attacks •Beating MAC filters with spoofing. • Cracking WEP through weak IVs. • Brute force against WPS. • Brute force of WPA/WPA2 PSK. • DoS deauth attacks. • Evil Twin or Rogue access points. • MITM with SSLstrip. • Café Latte – client WEP attack.
  • 32.
    Protecting the WLAN •By understanding common attack vectors, you can address weaknesses in your infrastructure. • WIPS use attack methods such as deauths for rogue mitigation.
  • 33.
    Caution • In manycountries it is unlawful to interfere with wireless signals. • Marriott was fined $600k in October, 2014, for preventing hotel and conference guests from using personal hotspots, in violation of section 333 of the Communications Act of 1934.
  • 34.
    47 U.S. Code§ 333 - Willful or malicious interference No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.
  • 35.
  • 36.
    Resources • Securitytube.net • Hak5.org •MyLittlePwny http://www.instructables.com/id/MyLittlePwny-Make-a- self-powered-pentesting-box-/ • Pwn Pi http://www.pwnpi.com/ • Minipwner http://www.minipwner.com/ • Podcast episode, “How Do I Pwn Thee?” http://packetpushers.net/healthy-paranoia-show-17-how-do-i-pwn- thee/
  • 37.
  • 38.
    Where Can YouFind Me? Michele Chubirka Spending quality time in kernel mode. Fozzie before Kermit. http://postmodernsecurity.com Twitter @MrsYisWhy Google+ MrsYisWhy chubirka@postmodernsecurity.co m