Wireless Security: Insights from a Wireless Penetration Tester, Study notes of Computer Science

In this document, Joshua Smith, a wireless penetration tester with experience from the IT field and the golf industry, shares his expertise on wireless security. He discusses what he learned from industry leaders and from his own hands-on experience, and covers the current state of wireless security, tools like AirPWN and KARMA, and wireless fuzzing. The notes emphasize the importance of security and provide real-world examples.

Typology: Study notes

2009/2010

Uploaded on 04/12/2010

koofers-user-tfr-1


Wireless (In)Security

Who am I?
* Joshua Smith
* Worked 400 days in the IT field
* Spent 10 years in the golf industry
* Currently employed at Jones Stephens Corp
* Also operate Symmetric Wireless

Current Condition of Wireless
* Open - 33%
* WEP - 59%
* TKIP/CCMP (WPA/WPA2) - 8%
* Wireless continues to gain momentum and popularity, but similar to the wired side, security is still somewhat of an afterthought
* Much like the wired side, attacks are focusing on the client side (don't trust the user)

AirPWN
* Released at Defcon 12 (2004)
* Written by toast
* http://airpwn.sourceforge.net/Airpwn.html
* Goal: To implement a hotspot injection attack, exploiting the race condition, thereby spoofing legitimate traffic

AirPWN
* "Airpwn listens to incoming wireless packets, and if the data matches a pattern specified in the config files, custom content is injected 'spoofed' from the wireless access point. From the perspective of the wireless client, airpwn becomes the server."

openWRT
* Details:
  - Install a lean, flexible, powerful OS (Linux) on a consumer grade wireless access point
  - After install, you can install any available packages, or build your own for custom applications and environments
  - Advanced features built in or easily available to add on

openWRT
* Details (cont):
  - Some packages available: freeRADIUS, openVPN, Kismet, Snort, Chillispot (easily set up a Wi-Fi hotspot), nmap, Nessus, dsniff, ettercap, aircrack-ng, tcpdump

openWRT
* Very flexible
* Not ideal for large, corporate roll outs (still no unified management available)
* Very applicable for small companies that want a lot of options, without the associated price tag
* Powerful tool for security auditors, researchers, and pen tests

KARMA
* Details:
  - What is a PNL?
  - Monitor mode listening for probe requests
  - KARMA then becomes the network the probe is looking for (rogue AP)
  - Client can automatically join the created AP
  - Once connected, higher level services collect information or exploit the victim (DNS, DHCP, POP3, FTP, SMB, etc)

KARMA
* Real World:
  - Attacker runs KARMA, client systems automatically join the rogue AP
  - Once joined, the AP dishes out content as decided by the attacker, possibly over several different protocols
  - Authors describe it as "BYOX" (Bring your own exploit), and state that "automated agent deployment is also planned"
  - Scariest tool I have seen to date

Along the way (Part 2)...
* You never know what you are going to run across

    swversion=8.1-01-2-649
    platform=tcd/Series2
    TSN=xxxxxxxxxxxxxxx
    tivoconnect=1
    swversion=8.1-01-2-649
    method=broadcast
    identity=xxxxxxxxxxxxxxx
    machine=DVR 6116
    platform=tcd/Series2
    services=TiVo-ServeTcdVideo-1:2191/tvbus_v3,TiVoMediaServer:80/http

Wireless Fuzzing
* Details (cont):
  - Mostly a client side attack (wireless drivers), but what about exploiting an AP?
  - How about a TiVo?
  - The IEEE 802.11-1999 spec says that the length of the SSID should be between 0 and 32 octets.

From the scapy file...

    p /= Dot11Elt(ID=0,             # SSID IE
                  len=400,          # Length of "ssid"
                  info="\x01\x0")   # SSID string
    p /= fuzz(Dot11Elt(ID=1))       # Supported rates

Wireless Fuzzing
* Real World: Fuzzing a box with scapy

That's it
* Thanks for listening
* Questions?
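Two of the slides above come down to the same parsing problem from the defender's side: the fuzzing slide sends an SSID information element whose declared length violates the 0..32 octet bound of IEEE 802.11-1999, and the KARMA slides describe a rogue AP that answers probe requests for whatever name a client's preferred network list (PNL) asks for. The following Python is an added example written for these notes, not code from the talk or from the tools it names. It builds a strict information-element parser that refuses an over-long or buffer-overrunning SSID IE (the condition a naive parser over-reads on), and reuses that parser to extract SSIDs from probe responses and flag any BSSID that has answered for several distinct names, which is the observable signature of KARMA-style behaviour. All frame bodies, BSSIDs and SSIDs are constructed sample data, not captures, and the detection threshold is an assumed tunable.

```python
"""Strict 802.11 information-element (IE) parsing plus a KARMA-style
rogue-AP heuristic built on the same parser.

Added example for these notes; not code from the talk.  Frame bodies and
addresses below are constructed by hand, not captured traffic."""
from collections import defaultdict

SSID_IE = 0
SUPPORTED_RATES_IE = 1
MAX_SSID_OCTETS = 32        # IEEE 802.11-1999: SSID length is 0..32 octets


class MalformedFrame(ValueError):
    """Raised when a tagged-parameter blob violates length rules."""


def parse_ies(body):
    """Parse a tagged-parameter blob into a list of (element_id, payload).

    Two checks a robust receiver needs: the declared length must fit in the
    remaining buffer (otherwise a naive parser reads past the frame), and an
    SSID IE must not exceed the spec maximum of 32 octets.
    """
    ies = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise MalformedFrame("truncated IE header at offset %d" % pos)
        eid, length = body[pos], body[pos + 1]
        start, end = pos + 2, pos + 2 + length
        if end > len(body):
            raise MalformedFrame("IE %d declares %d octets, only %d present"
                                 % (eid, length, len(body) - start))
        if eid == SSID_IE and length > MAX_SSID_OCTETS:
            raise MalformedFrame("SSID IE length %d exceeds %d"
                                 % (length, MAX_SSID_OCTETS))
        ies.append((eid, body[start:end]))
        pos = end
    return ies


def ssid_of(body):
    """Return the SSID from a frame body as str, or None if no SSID IE."""
    for eid, payload in parse_ies(body):
        if eid == SSID_IE:
            return payload.decode("utf-8", errors="replace")
    return None


def ie(eid, payload):
    """Build a well-formed IE; the length byte is derived from the payload."""
    return bytes([eid, len(payload)]) + payload


def karma_suspects(responses, threshold=3):
    """responses: iterable of (bssid, frame_body) taken from probe responses.

    Returns {bssid: [ssids]} for every BSSID that answered for at least
    `threshold` distinct SSIDs.  A legitimate AP answers for its own name(s);
    one that echoes back every probed name is behaving like KARMA.
    """
    seen = defaultdict(set)
    for bssid, body in responses:
        try:
            name = ssid_of(body)
        except MalformedFrame:
            continue        # malformed frames are a separate alert; skip here
        if name:
            seen[bssid].add(name)
    return {b: sorted(n) for b, n in seen.items() if len(n) >= threshold}


# --- constructed sample data (not captures) --------------------------------
GOOD_BODY = ie(SSID_IE, b"CoffeeShop") + ie(SUPPORTED_RATES_IE, b"\x82\x84\x8b\x96")

# SSID IE whose declared length (0xFF) far exceeds the two octets actually
# present: the shape of the over-long-length case on the fuzzing slide.
FUZZED_BODY = bytes([SSID_IE, 0xFF]) + b"\x01\x00" + ie(SUPPORTED_RATES_IE, b"\x82")

# SSID IE that is internally consistent (40 octets declared, 40 present)
# but still violates the 32-octet spec bound.
OVERLONG_BODY = ie(SSID_IE, b"A" * 40)

PROBE_RESPONSES = [
    ("00:11:22:33:44:55", ie(SSID_IE, b"CoffeeShop")),   # normal AP
    ("00:11:22:33:44:55", ie(SSID_IE, b"CoffeeShop")),
    ("de:ad:be:ef:00:01", ie(SSID_IE, b"CoffeeShop")),   # answers everything
    ("de:ad:be:ef:00:01", ie(SSID_IE, b"HomeNet")),
    ("de:ad:be:ef:00:01", ie(SSID_IE, b"attwifi")),
    ("de:ad:be:ef:00:01", ie(SSID_IE, b"linksys")),
]


def run_checks():
    """Exercise both uses of the parser and return the results as a dict."""
    result = {"good_ssid": ssid_of(GOOD_BODY)}
    for key, body in (("fuzzed_rejected", FUZZED_BODY),
                      ("overlong_rejected", OVERLONG_BODY)):
        try:
            parse_ies(body)
            result[key] = False
        except MalformedFrame:
            result[key] = True
    result["suspects"] = karma_suspects(PROBE_RESPONSES)
    return result


if __name__ == "__main__":
    print(run_checks())
```

The overrun check fires before the spec check on purpose: a frame that lies about its length must never be indexed into, regardless of which IE it is. The KARMA heuristic only needs SSID extraction, so it sits on the same hardened parser rather than a second, looser one.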