Wireless (In)Security
Who am I?
- Joshua Smith
- Worked 400 days in the IT field
- Spent 10 years in the golf industry
- Currently employed at Jones Stephens Corp
- Also operate Symmetric Wireless
Current Condition Of Wireless
- Open: 33%
- WEP: 59%
- TKIP/CCMP (WPA/WPA2): 8%
- Wireless continues to gain momentum and popularity, but similar to the wired side, security is still somewhat of an afterthought
- Much like the wired side, attacks are focusing on the client side (don't trust the user)
AirPWN
- Released at Defcon 12 (2004)
- Written by toast
- http://airpwn.sourceforge.net/Airpwn.html
- Goal: To implement a hotspot injection attack, exploiting the race condition, thereby spoofing legitimate traffic
AirPWN
- "Airpwn listens to incoming wireless packets, and if the data matches a pattern specified in the config files, custom content is injected 'spoofed' from the wireless access point. From the perspective of the wireless client, airpwn becomes the server."
openWRT
- Details:
  - Install a lean, flexible, powerful OS (Linux) on a consumer grade wireless access point
  - After install, you can install any available packages, or build your own for custom applications and environments
  - Advanced features built in or easily available to add on
- Details (cont): some packages available:
  - freeRADIUS
  - openVPN
  - Kismet
  - Snort
  - Chillispot (easily set up WiFi Hotspot)
  - nmap
  - Nessus
  - dsniff
  - ettercap
  - aircrack-ng
  - tcpdump
- Very flexible
- Not ideal for large, corporate roll outs (still no unified management available)
- Very applicable for small companies that want a lot of options, without the associated price tag
- Powerful tool for security auditors, researchers, and pen tests
- Real World
KARMA
- Details:
  - What is a PNL?
  - Monitor mode listening for probe requests
  - KARMA then becomes the network the probe is looking for (rogue AP)
  - Client can automatically join the created AP
  - Once connected, higher level services collect information or exploit the victim (DNS, DHCP, POP3, FTP, SMB, etc)
- Real World:
  - Attacker runs KARMA, client systems automatically join the rogue AP
  - Once joined, the AP dishes out content as decided by the attacker, possibly over several different protocols
  - Authors describe it as "BYOX" (Bring your own exploit), and state that "automated agent deployment is also planned"
  - Scariest tool I have seen to date

Along the way (Part 2)...
- You never know what you are going to run across

    swversion=8.1012649
    platform=tcd/Series2
    TSN=xxxxxxxxxxxxxxx
    tivoconnect=1
    swversion=8.1012649
    method=broadcast
    identity=xxxxxxxxxxxxxxx
    machine=DVR 6116
    platform=tcd/Series2
    services=TiVoServeTcdVideo1:2191/tvbus_v3,TiVoMediaServer:80/http

Wireless Fuzzing
- Details (cont):
  - Mostly a client side attack (wireless drivers), but what about exploiting an AP?
  - How about a TiVo?
  - The IEEE 802.11-1999 spec says that the length of the SSID should be between 0 and 32 octets.
- From the scapy file (p is the 802.11 frame being built up; the original "/x01/x0" is an invalid escape and is corrected here):

    from scapy.all import Dot11Elt, fuzz

    # Malformed SSID information element: the declared length (400)
    # far exceeds the 32-octet maximum the spec allows
    p /= Dot11Elt(
        ID=0,               # SSID IE
        len=400,            # Length of "ssid"
        info=b"\x01\x00")   # SSID string
    p /= fuzz(Dot11Elt(ID=1))  # Supported rates, randomised by scapy

- Real World: Fuzzing a box with scapy
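Added example, not from the talk: a bounds-checked parser for the 802.11 information-element list a beacon or probe carries, showing the check a receiver needs so that an oversized SSID length byte (like the one the scapy snippet emits) is rejected instead of trusted. The sample IE byte strings are constructed, not captured.

```python
# Added example, not from the talk: a bounds-checked 802.11 information
# element (IE) parser. The IE length field is one octet, so the len=400
# in the scapy snippet goes on the wire as 400 & 0xFF = 144, which is
# still far above the 32-octet SSID maximum of IEEE 802.11-1999.
from __future__ import annotations

SSID_IE = 0          # element ID 0 = SSID
RATES_IE = 1         # element ID 1 = Supported Rates
MAX_SSID_LEN = 32    # IEEE 802.11-1999: SSID is 0..32 octets


class MalformedIE(ValueError):
    """Raised when an IE length overruns the frame or violates its spec limit."""


def parse_ies(buf: bytes) -> list[tuple[int, bytes]]:
    """Walk the IE TLV list without trusting any length byte blindly.

    Returns (id, body) pairs; raises MalformedIE instead of reading past
    the end of the buffer (the bug class SSID-length fuzzing hunts for).
    """
    ies: list[tuple[int, bytes]] = []
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise MalformedIE(f"truncated IE header at offset {off}")
        ie_id, ie_len = buf[off], buf[off + 1]
        body = buf[off + 2: off + 2 + ie_len]
        if len(body) != ie_len:   # declared length runs past the frame
            raise MalformedIE(
                f"IE {ie_id} claims {ie_len} bytes, only {len(body)} present")
        if ie_id == SSID_IE and ie_len > MAX_SSID_LEN:
            raise MalformedIE(f"SSID length {ie_len} exceeds {MAX_SSID_LEN}")
        ies.append((ie_id, body))
        off += 2 + ie_len
    return ies


def ie_error(buf: bytes) -> str | None:
    """None if the IE list is well formed, otherwise the rejection reason."""
    try:
        parse_ies(buf)
        return None
    except MalformedIE as exc:
        return str(exc)


# Constructed sample IE lists (not captured traffic).
GOOD_IES = bytes([SSID_IE, 4]) + b"tivo" + bytes([RATES_IE, 2, 0x82, 0x84])
OVERSIZED_SSID = bytes([SSID_IE, 400 & 0xFF]) + b"\x01\x00"  # what len=400 becomes
LONG_SSID = bytes([SSID_IE, 33]) + b"A" * 33                  # fully present, but over 32
```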
That's it
- Thanks for listening
- Questions?