Cyber Security and Trust Research & Development
http://www.ISTS.dartmouth.edu
Dartmouth College
INSTITUTE FOR SECURITY TECHNOLOGY STUDIES
Active 802.11 fingerprinting
Sergey Bratus
Cory Cornelius, Daniel Peebles, Axel Hansen
Motivation
Can a client station trust an AP?
Is this AP one of a trusted group, or an evil faker?
Why yes, just exchange some crypto with it, and verify the AP knows the right secrets.
Problem solved, right?
Not exactly: are all these exchanges bug-free?
The problem
Initially, an AP is just a MAC address (and other easily faked info).
That's all we know.
• To perform crypto authentication of the AP, the driver must parse complex data structures
• Complex data from an untrusted source? -- Is this such a good idea?
“Trust me!”
Say it ain't so
(Diagram, built up over three slides: the Laptop sends a Probe Request to the Wireless Access Point, and the Probe Response carries rates, essid, ... In the later builds the "access point" is a second Laptop, labelled "Ring 0 exploit".)
AP vs. clients
Early 802.11: AP = castle, must fight off barbarians (unauthorized clients)
Reality: can peasants (= clients) find the right castle?
• Dai Zovi, Macaulay: Karma
• Shmoo: “Badass tackle...”
• Simple Nomad: “Friendly skies...”
• Cache & Maynor: “Hijacking a MacBook in 60 seconds”
• Month of Kernel Bugs (Nov '06)
Fingerprint it!
Fingerprint the AP before trying to authenticate and associate with it: limit the kinds of accepted data.
Must be simple & cheap (no RF spectrum analysis, Fourier transforms, etc.)
Follow IP stack fingerprinting ideas: unusual and non-standard header field combinations – but in the link layer (L2)
Where we fit in
(Chart placing techniques by layer, L4/L3 vs. L2, and by what they send: Passive, “Reasonable & Customary” frames, or “Cruel & Unusual” frames. TCP/IP layer: Xprobe, P0f, SinFP, Nmap. Fuzzers sit in the “Cruel & Unusual” column. 802.11 L2: J. Cache's duration field analysis (Uninformed 5), Franklin et al.'s probe timings, and BAFFLE, which sends “Cruel & Unusual” L2 frames.)
TCP/IP fingerprinting
L3 tools: they need an L2 connection first
• Nmap (1998-2006, ...)
• Xprobe (2001, 2005, ...)
• P0f (2000, 2006)
• SinFP (2005)
• Timing-related: Ping RTT (2003), Clock Skew (2005)
• Scrubbers: Norm, Bro (2000-01)
• Honeyd, Morph (2004-)
• ... ?
BAFFLE
• Written in Ruby 1.8.2
• Ruby LORCON bindings from Metasploit
• Builds Pcap/BPF filters for 802.11 frames from Ruby objects
• Domain-specific language for tests, probes, and for matching responses
Bits and states
(Diagram of the 802.11 Frame Control field: Type, Subtype and the flag bits.)
Not all flags make sense for all types & subtypes.
Not all flags make sense for all states.
802.11 fiddly bits
(The same Frame Control diagram, Type and Subtype marked, with annotations on the flag bits: “Only 0 makes sense on Mgmt & Ctrl frames”, “Unusual on Probes”, “Not for Mgmt frames”.)
So many flags... (figure)
Probe Request tests (figure)
Auth Request tests (figure)
“Secret handshake”
(Diagram: the Laptop sends frames to the Wireless Access Point, whose reaction is marked “?”.)
• Send “gibberish” flag combinations in ProbeReq and AuthReq frames
• Watch for reactions (varying MACs helps):
  • FromDS, ToDS, MoreFrags, MoreData on STA -> AP frames are all non-standard
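The flip side of the slide above, written from the monitoring side as an added example (not BAFFLE code and not from the slides): a passive check that decodes the 24-byte 802.11 management header, reports the flag combinations the slide calls non-standard on STA -> AP frames, and counts odd frames per source MAC, since a burst of them from many different MACs is what an active L2 fingerprinting run looks like to a sensor. Frame-control bit layout and subtype numbers are from the 802.11 standard; the frames and MAC addresses below are constructed.

```python
"""Passive check for non-standard frame-control bits on client-originated
802.11 management frames (added example, not BAFFLE code).
Sample frames are constructed, not captured."""
import struct
from collections import Counter

# Frame Control byte 0: protocol version (2 bits), type (2 bits), subtype (4 bits)
TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data", 3: "ext"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req", 3: "reassoc-resp",
                 4: "probe-req", 5: "probe-resp", 8: "beacon", 9: "atim",
                 10: "disassoc", 11: "auth", 12: "deauth", 13: "action"}
# Frame Control byte 1: the flag bits
FLAG_BITS = {"ToDS": 0x01, "FromDS": 0x02, "MoreFrags": 0x04, "Retry": 0x08,
             "PwrMgt": 0x10, "MoreData": 0x20, "Protected": 0x40, "Order": 0x80}
# Management subtypes a station sends towards an AP (auth also flows the
# other way; the STA -> AP direction is what the slide's rule is about).
STA_TO_AP_SUBTYPES = {"assoc-req", "reassoc-req", "probe-req", "auth"}


def parse_mgmt_header(frame: bytes) -> dict:
    """Decode the 24-byte MAC header of an 802.11 management frame."""
    if len(frame) < 24:
        raise ValueError("management header needs at least 24 bytes")
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    return {
        "version": fc0 & 0x03,
        "type": TYPE_NAMES[ftype],
        "subtype": MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}") if ftype == 0 else subtype,
        "flags": {name for name, bit in FLAG_BITS.items() if fc1 & bit},
        "duration": duration,
        # For management frames addr1 = DA, addr2 = SA, addr3 = BSSID
        "da": addr1.hex(":"), "sa": addr2.hex(":"), "bssid": addr3.hex(":"),
    }


def oddities(hdr: dict) -> list:
    """Frame-control anomalies a monitor should report for this header."""
    found = []
    if hdr["version"] != 0:                       # only version 0 is defined
        found.append(f"version={hdr['version']}")
    if hdr["type"] in ("mgmt", "ctrl"):
        # ToDS/FromDS are always 0 on management and control frames
        found += [f for f in ("ToDS", "FromDS") if f in hdr["flags"]]
    if hdr["type"] == "mgmt" and hdr["subtype"] in STA_TO_AP_SUBTYPES:
        # MoreFrags / MoreData on STA -> AP management frames: non-standard
        found += [f for f in ("MoreFrags", "MoreData") if f in hdr["flags"]]
    return found


def triage(frames) -> dict:
    """Count odd frames per source MAC. One odd frame may be a buggy driver;
    many odd probe/auth frames from many MACs is the fingerprinting pattern."""
    per_source, details = Counter(), []
    for raw in frames:
        hdr = parse_mgmt_header(raw)
        odd = oddities(hdr)
        if odd:
            per_source[hdr["sa"]] += 1
            details.append((hdr["sa"], hdr["subtype"], odd))
    return {"odd_frames": details, "odd_sources": len(per_source),
            "per_source": dict(per_source)}


def build_mgmt_frame(subtype: int, flags: int, sa: bytes, da: bytes, bssid: bytes) -> bytes:
    """Constructed sample frame: 24-byte header only, body omitted."""
    fc0 = subtype << 4            # version 0 and type 0 (management) in the low bits
    return struct.pack("<BBH", fc0, flags, 0) + da + sa + bssid + b"\x00\x00"


# Constructed addresses (locally administered, not real devices)
BCAST = bytes.fromhex("ffffffffffff")
AP = bytes.fromhex("021122334455")
SAMPLE_FRAMES = [
    build_mgmt_frame(4, 0x00, bytes.fromhex("02aabbccdd01"), BCAST, BCAST),  # normal probe req
    build_mgmt_frame(4, 0x05, bytes.fromhex("02aabbccdd02"), BCAST, BCAST),  # ToDS + MoreFrags
    build_mgmt_frame(11, 0x22, bytes.fromhex("02aabbccdd03"), AP, AP),       # FromDS + MoreData
    build_mgmt_frame(11, 0x00, bytes.fromhex("02aabbccdd04"), AP, AP),       # normal auth
    build_mgmt_frame(8, 0x00, AP, BCAST, AP),                                 # normal beacon
]

if __name__ == "__main__":
    for sa, subtype, odd in triage(SAMPLE_FRAMES)["odd_frames"]:
        print(f"{sa} {subtype}: non-standard flags {odd}")
```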
Timing
TCP/IP L3:
• Tony Capella (DC-11, '03): Ping RTT: “Fashionably late – what your RTT tells ...”
• Kohno, Broido, Claffy ('05): Clock Skew: “Remote physical device fingerprinting”
• Dan Kaminsky ('05): IP frag time-outs
802.11 L2:
• Johnny Cache (Uninformed.org 5, '06): statistical analysis of the duration field
• Franklin et al. (USENIX Security '06): time intervals between Probe Request frames during scanning
AP beacon clock skew
• Beacon frames contain the AP clock's timestamp
• Each HW clock drifts differently; skew is the derivative of the clock's offsets against another clock (cf. Kohno, Broido, Claffy '05)
• Issues:
  – AP clock's unique skew can be estimated reliably within 1-2 mins
  – Similar AP models have closer skews
  – Faking (e.g., with a laptop + Wi-Fi card in master mode) is hard enough
AP beacon clock skew
(Plot: AP Time against Sensor Time.)
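To make the skew bullets and the plot concrete, here is an added example (not from the slides or BAFFLE) that turns a series of beacons into a skew estimate and matches it against known APs. It assumes each beacon is recorded as a pair (sensor receive time in microseconds, the beacon's TSF timestamp in microseconds); the beacon series is constructed with a known 50 ppm skew, and the known-AP skews are made up. Kohno et al. fit the offsets with linear programming; the least-squares slope used here is a simpler substitute.

```python
"""Estimate an AP's clock skew from beacon TSF timestamps paired with the
sensor's own receive times (added example, not from the slides or BAFFLE).
The beacon capture below is constructed with a known skew so the estimate
can be checked against it."""
import random

BEACON_INTERVAL_US = 102_400           # 100 TU, the usual beacon period


def clock_offsets(samples):
    """samples: (sensor_time_us, beacon_tsf_us) pairs in capture order.
    Returns x = sensor time since the first beacon and y = the AP clock's
    offset relative to the sensor clock at that moment."""
    t0, T0 = samples[0]
    x = [t - t0 for t, _ in samples]
    y = [(T - T0) - (t - t0) for t, T in samples]
    return x, y


def estimate_skew_ppm(samples):
    """Skew = d(offset)/d(sensor time): the least-squares slope of the
    offset line, in parts per million."""
    x, y = clock_offsets(samples)
    n = len(x)
    if n < 2:
        raise ValueError("need at least two beacons")
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((xi - mx) ** 2 for xi in x)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    return 1e6 * sxy / sxx


def identify_ap(measured_ppm, fingerprints, tolerance_ppm):
    """Match a measured skew against known-good AP skews. Returns the single
    AP within tolerance, or None when zero or several match: two APs of the
    same model can sit closer together than the estimate's error."""
    hits = [name for name, ppm in fingerprints.items()
            if abs(ppm - measured_ppm) <= tolerance_ppm]
    return hits[0] if len(hits) == 1 else None


def simulated_beacons(skew_ppm, seconds=60, jitter_us=200, seed=1):
    """Constructed capture: the AP's TSF runs (1 + skew) times as fast as the
    sensor clock, and receive times carry uniform jitter from the sensor."""
    rng = random.Random(seed)
    out = []
    for i in range(int(seconds * 1e6) // BEACON_INTERVAL_US):
        true_time = i * BEACON_INTERVAL_US
        tsf = int(1_000_000 + true_time * (1 + skew_ppm * 1e-6))
        seen = true_time + rng.uniform(0, jitter_us)
        out.append((seen, tsf))
    return out


# Constructed fingerprints: two units of the same model sit 6 ppm apart
KNOWN_APS = {"lobby-ap (model A)": 45.0, "lab-ap (model A)": 51.0,
             "guest-ap (model B)": -120.0}

if __name__ == "__main__":
    est = estimate_skew_ppm(simulated_beacons(50.0))
    print(f"estimated skew over 60 s of beacons: {est:.2f} ppm")
    print("match at 3 ppm tolerance:", identify_ap(est, KNOWN_APS, 3.0))
    print("match at 6 ppm tolerance:", identify_ap(est, KNOWN_APS, 6.0))
```

With a 3 ppm tolerance the constructed capture resolves to one AP; at 6 ppm both model-A units match and the result is None, which is the "similar AP models have closer skews" issue from the slide.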
Source & Thanks
• Johnny Cache for many inspirations
• Joshua Wright and Mike Kershaw for LORCON
• ToorCon & Uninformed.org
• Everyone else who helped (including authors of madwifi*, Metasploit, Ruby, Lapack and many other great tools)
Source: http://baffle.cs.dartmouth.edu/
Contact Information
Institute for Security Technology Studies
Dartmouth College
6211 Sudikoff Laboratory
Hanover, NH 03755
Phone: 603.646.0700
Fax: 603.646.1672
Email: info@ists.dartmouth.edu

fingerprinting blackhat by pseudor00t

  • 1. Cyber Security and Trust Research & DevelopmentCyber Security and Trust Research & Development http://www.ISTS.dartmouth.eduhttp://www.ISTS.dartmouth.edu Dartmouth CollegeDartmouth College IINSTITUTENSTITUTE FORFOR SSECURITYECURITY TTECHNOLOGYECHNOLOGY SSTUDIESTUDIES Active 802.11 fingerprinting Sergey Bratus Cory Cornelius, Daniel Peebles, Axel Hansen
  • 2. Can a client station trust an AP? Is this AP one of a trusted group, or evil faker? Why yes, just exchange some crypto with it, and verify the AP knows the right secrets. Problem solved, right? Not exactly: are all these exchanges bug-free? www.ISTS.dartmouth.edu Motivation INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 3. Initially, an AP is just a MAC address (and other easily faked info) That's all we know. www.ISTS.dartmouth.edu The problem INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College  To perform crypto authentication of AP, driver must parse complex data structures  Complex data from untrusted source? -- Is this such a good idea? Trust me!
  • 4. www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response
  • 5. www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response Laptop Ring 0 exploit
  • 6. www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response Laptop Ring 0 exploit
  • 7. Early 802.11: AP = castle, must fight off barbarians (unauthorized clients) Reality: can peasants = clients find the right castle? • Dai Zovi, Macaulay: Karma • Shmoo: “Badass tackle...” • Simple Nomad: “Friendly skies...” • Cache & Maynor: “Hijackng a MacBook in 60 seconds” • Month of kernel bugs (Nov '06) www.ISTS.dartmouth.edu AP vs. clients INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 8. Fingerprint it! Fingerprint the AP before trying to authenticate and associate with it: limit the kinds of accepted data. Must be simple & cheap (no RF spectrum analysis, Fourier transforms, etc.). Follow IP stack fingerprinting ideas: unusual and non-standard header field combinations, but in the link layer (L2).
  • 9. Where we fit in: [chart: columns Passive, “Reasonable & Customary” frames, “Cruel & Unusual” frames; rows L4/L3 and L2. L4/L3 row: Xprobe, P0f, SinFP, Nmap. L2 row: J. Cache's U5 duration field, Franklin et al. probe timings, fuzzers, BAFFLE]
  • 10. TCP/IP fingerprinting (L3, needs an L2 connection): • Nmap (1998-2006, ...) • Xprobe (2001, 2005, ...) • P0f (2000, 2006) • SinFP (2005) • Timing-related: Ping RTT (2003), Clock Skew (2005) • Scrubbers: Norm, Bro (2000-01) • Honeyd, Morph (2004-) • ... ?
  • 11. BAFFLE: • Written in Ruby 1.8.2 • Ruby LORCON bindings from Metasploit • Builds Pcap/BPF filters for 802.11 frames from Ruby objects • Domain-specific language for tests, probes, and for matching responses
  • 12. Bits and states: Not all flags make sense for all types & subtypes. Not all flags make sense for all states. [figure: 802.11 frame control field with the Type and Subtype fields marked]
  • 13. 802.11 fiddly bits: [figure: frame control field with Type and Subtype; flag annotations: “Only 0 makes sense on Mgmt & Ctrl frames”, “Unusual on Probes”, “Not for Mgmt frames”]
  • 14. So many flags... [table of flags, not in transcript]
  • 15. Probe Request tests [table, not in transcript]
  • 16. Auth Request tests [table, not in transcript]
  • 17. “Secret handshake”: [diagram: Laptop ? Wireless Access Point] • Send “gibberish” flag combinations in ProbeReq and AuthReq frames • Watch for reactions (varying MACs helps) • FromDS, ToDS, MoreFrags, MoreData on STA -> AP frames are all non-standard
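As an added example (not BAFFLE's code and not the authors'): a Ruby decoder for the 802.11 frame control field, with a checker that reports which of the flags discussed on slides 12, 13 and 17 are set where the standard does not allow them. The rules encoded are the ones the slides state (To DS and From DS must be zero on management and control frames; More Frags and More Data are non-standard on a station's probe request) plus the protocol-version and reserved-type checks; the sample frame control bytes are constructed. From a client's or a sensor's side this is the "limit the kinds of accepted data" step of slide 8: a frame that fails it is dropped before any information element is parsed.

```ruby
# Added example for this page (not BAFFLE or the authors' code): decode the
# 2-byte 802.11 frame control field and flag "cruel & unusual" combinations
# before any further parsing of an untrusted frame.

TYPE_NAMES = { 0 => :management, 1 => :control, 2 => :data, 3 => :reserved }.freeze

# Management frame subtypes (type 0) defined by 802.11.
MGMT_SUBTYPES = {
  0 => :assoc_req, 1 => :assoc_resp, 2 => :reassoc_req, 3 => :reassoc_resp,
  4 => :probe_req, 5 => :probe_resp, 8 => :beacon, 9 => :atim,
  10 => :disassoc, 11 => :auth, 12 => :deauth, 13 => :action
}.freeze

# Flag bits of the second frame control byte.
FLAG_BITS = {
  to_ds: 0, from_ds: 1, more_frags: 2, retry: 3,
  pwr_mgt: 4, more_data: 5, protected: 6, order: 7
}.freeze

# Decode the frame control field (first two bytes of every 802.11 frame).
# Byte 0: protocol version (bits 0-1), type (bits 2-3), subtype (bits 4-7).
# Byte 1: the eight flag bits listed in FLAG_BITS.
def decode_frame_control(frame)
  raise ArgumentError, 'frame shorter than 2 bytes' if frame.bytesize < 2
  b0, b1 = frame.unpack('CC')
  {
    version: b0 & 0x3,
    type: TYPE_NAMES[(b0 >> 2) & 0x3],
    subtype: (b0 >> 4) & 0xF,
    flags: FLAG_BITS.select { |_, bit| b1[bit] == 1 }.keys
  }
end

# Reasons why a decoded frame control field is not "reasonable & customary".
# Returns an empty array for a frame a client should be willing to parse further.
def unusual_flags(fc)
  reasons = []
  reasons << "protocol version #{fc[:version]} (only 0 is defined)" if fc[:version] != 0
  reasons << 'reserved frame type' if fc[:type] == :reserved

  if %i[management control].include?(fc[:type])
    # 802.11: To DS and From DS are zero in all management and control frames
    # (slide 13: "only 0 makes sense on Mgmt & Ctrl frames").
    %i[to_ds from_ds].each do |f|
      reasons << "#{f} set on #{fc[:type]} frame" if fc[:flags].include?(f)
    end
  end

  if fc[:type] == :management
    subtype = MGMT_SUBTYPES[fc[:subtype]]
    reasons << "undefined management subtype #{fc[:subtype]}" if subtype.nil?
    # Slide 17: More Frags and More Data on STA -> AP frames are non-standard.
    # A probe request always comes from a station; for Authentication frames
    # the direction has to be read from the address fields, so they are not
    # checked here.
    if subtype == :probe_req
      %i[more_frags more_data].each do |f|
        reasons << "#{f} set on probe request" if fc[:flags].include?(f)
      end
    end
  end
  reasons
end

# Convenience wrapper: decode and check a raw frame in one call.
def check_frame(frame)
  unusual_flags(decode_frame_control(frame))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample frame control bytes:
  # 0x40 0x00 = probe request, no flags; 0x40 0x27 = probe request with
  # To DS, From DS, More Frags and More Data set; 0x80 0x00 = beacon.
  samples = { 'normal probe request' => "\x40\x00".b,
              'gibberish probe request' => "\x40\x27".b,
              'beacon' => "\x80\x00".b }
  samples.each { |name, fc| puts "#{name}: #{check_frame(fc).inspect}" }
end
```

The checker only looks at the first two bytes, so it runs in constant time on every received frame; the point is that a driver (or a monitoring sensor) can reject the combinations BAFFLE probes for before it touches the variable-length part of the frame.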
  • 18. Timing. TCP/IP (L3): • Tony Capella (DC-11, '03): Ping RTT, “Fashionably late – what your RTT tells ...” • Kohno, Broido, Claffy ('05): Clock Skew, “Remote physical device fingerprinting” • Dan Kaminsky ('05): IP frag time-outs. 802.11 (L2): • Johnny Cache (Uninformed.org 5, '06): Statistical analysis of the duration field • Franklin et al. (USENIX Sec, '06): Scanning time intervals between Probe Req frames
  • 19. AP beacon clock skew: • Beacon frames contain the AP clock's timestamp • Each HW clock drifts differently; skew is the derivative of the clock's offsets against another clock (cf. Kohno, Broido, Claffy '05) • Issues: – AP clock's unique skew can be estimated reliably within 1-2 mins – Similar AP models have closer skews – Faking (e.g., with a laptop + Wi-Fi card in master mode) is hard enough
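An added example (not the authors' or BAFFLE's code) of the estimate slide 19 describes: a sensor records each beacon's receive time on its own clock together with the beacon's Timestamp field (the AP's TSF counter, in microseconds), the offset of the AP clock against the sensor clock is taken relative to the first beacon, and the skew is the slope of that offset over sensor time. The slope is fitted here by ordinary least squares rather than the linear-programming fit of Kohno, Broido and Claffy. The beacon trace is constructed (100 TU = 102.4 ms beacon interval, a chosen true skew, deterministic receive jitter), and the profile-matching tolerance is an assumed value.

```ruby
# Added example for this page (not the authors' or BAFFLE's code): estimate an
# AP's clock skew from beacon timestamps recorded by a sensor.

# One recorded beacon: receive_time in seconds on the sensor's clock,
# tsf = the beacon's 64-bit Timestamp field (AP TSF counter), in microseconds.
Beacon = Struct.new(:receive_time, :tsf)

# Offset of the AP clock against the sensor clock, relative to the first
# beacon. Returns [sensor_elapsed_s, offset_s] pairs.
def offsets(beacons)
  t0 = beacons.first.receive_time
  tsf0 = beacons.first.tsf
  beacons.map do |b|
    x = b.receive_time - t0
    y = (b.tsf - tsf0) / 1_000_000.0 - x
    [x, y]
  end
end

# Skew in parts per million: least-squares slope of offset against sensor
# time (slide 19: the derivative of the offsets). Kohno et al. use a
# linear-programming fit; least squares is the simpler stand-in used here.
def skew_ppm(beacons)
  raise ArgumentError, 'need at least two beacons' if beacons.length < 2
  pts = offsets(beacons)
  n = pts.length.to_f
  mx = pts.sum { |x, _| x } / n
  my = pts.sum { |_, y| y } / n
  sxx = pts.sum { |x, _| (x - mx)**2 }
  sxy = pts.sum { |x, y| (x - mx) * (y - my) }
  sxy / sxx * 1_000_000
end

# Compare an observed skew with the recorded skew of the trusted AP.
# The tolerance is an assumed value; slide 19 notes that similar AP models
# have closer skews, so it has to be tuned per deployment.
def matches_profile?(observed_ppm, expected_ppm, tolerance_ppm: 2.0)
  (observed_ppm - expected_ppm).abs <= tolerance_ppm
end

# Constructed beacon trace: 100 TU (1 TU = 1024 us, so 102.4 ms) beacon
# interval, AP clock running `true_skew_ppm` fast relative to the sensor,
# deterministic receive-time jitter of up to +/-50 us.
def synthetic_trace(count:, true_skew_ppm:, interval_us: 102_400)
  Array.new(count) do |i|
    ap_us = i * interval_us
    jitter = 50e-6 * Math.sin(i * 1.7)
    sensor_s = ap_us / 1_000_000.0 / (1 + true_skew_ppm / 1_000_000.0) + jitter
    Beacon.new(sensor_s, ap_us)
  end
end

if __FILE__ == $PROGRAM_NAME
  trace = synthetic_trace(count: 600, true_skew_ppm: 50.0) # about 61 s of beacons
  span = trace.last.receive_time - trace.first.receive_time
  printf("estimated skew: %.2f ppm over %.1f s of beacons\n", skew_ppm(trace), span)
end
```

Six hundred beacons at the default interval is roughly one minute of capture, which is the window slide 19 gives for a reliable estimate; with the constructed jitter the least-squares slope lands well within 1 ppm of the true value, so the matching step is limited by how close different AP models' skews are, not by the fit.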
  • 20. AP beacon clock skew: [plot: AP time against sensor time]
  • 21. AP beacon clock skew: [plot, not in transcript]
  • 22. Source & Thanks: http://baffle.cs.dartmouth.edu/ • Johnny Cache for many inspirations • Joshua Wright and Mike Kershaw for LORCON • ToorCon & Uninformed.org • Everyone else who helped (including authors of madwifi*, Metasploit, Ruby, Lapack and many other great tools)
  • 23. Contact Information: Institute for Security Technology Studies, Dartmouth College, 6211 Sudikoff Laboratory, Hanover, NH 03755. Phone: 603.646.0700, Fax: 603.646.1672, Email: info@ists.dartmouth.edu