SHARKFEST '09 | Stanford University | June 15–18, 2009
Wifi Security
Sharkfest '09
Mike Kershaw
Kismetwireless.net
Who?
• Mike Kershaw (sometimes aka Dragorn)
• Random OSS security developer (Kismet, Lorcon, Spectools, other stuff)
• Software Engineer at Aruba Networks in the Aruba Threat Labs and Aruba OSS Labs
The Plan
• Speed-View of Old Kismet (boring)
• New Kismet (the good stuff)
• Spectrum Analysis
• 802.11 Injection and Attacks
• Future work
• Q&A (aka “Audience does my work for me”)
Origins of Kismet
• Summer of 2001, Airsnort released for Prism2 cards
• Modified it to show SSIDs
• Asked if they wanted patches. They didn't.
• Got a Cisco card which didn't talk prism2 netlink anyhow
• Winter 2001, first Kismet release
How Kismet does its voodoo
• Kismet places the device in monitor mode aka rfmon
• Subtly different from promisc mode
• Raw 802.11 packets with the headers intact
• Gives us all packets the card sees, regardless of packet type or channel overlap
The voodoo that it do (2)
• Seeing all the packets lets us:
  – Detect networks, even “cloaked” networks
  – Detect clients
  – Act as an 802.11 layer-2 IDS
  – Collect and decode/decrypt at a later date
  – Be a completely undetectable passive observer
Hello, my name is 802.11
• Detecting 802.11
• It's really easy to do. Really easy.
• Networks are fundamentally noisy.
• “Look at me! I'm a network! This is my name! Come talk to me!”
• Even weird networks with squelched beacons chat when someone joins
• Cloaked networks? Not so much.
I'd like to talk to you
• Detecting 802.11 clients is as easy as detecting networks, in monitor mode
• If a client is talking to a network, you'll see it.
• Every network a client looks for. “I'm looking for SomeHighProfileDotCom, are you my mommy?”
Don't do that
• Snort is a great OSS IDS but doesn't have many rules for 802.11 layer 2
• Kismet already looks at all the packets anyhow
• Stateless IDS (fingerprints)
• Stateful (trends over time)
• Flooding, DHCP abuse, fuzzing/driver attacks, spoofing, etc
The boring UI
Still Boring
Kismet-Newcore
• Project name of a total rewrite of the Kismet base, now Kismet-2009-05-RC2 and newer (hooray, releases!)
• Primary goal: Fix complaints about Kismet usability, config difficulties, etc
• Old code “grew” - New code is designed
New stuff in Newcore
• Simpler configs
• Live adding of sources
• Smarter remote capture
• Better error handling
• New user interface
• Better IDS
• Plugins!
The exciting UI
More excitement
Further Thrills
Configuring Kismet
• Much easier now!
• New security model similar to wireshark; add user to 'kismet' group
• Source types autodetected in most situations
  – ncsource=wlan0
• Run-time source adding
• Run-time configuration of UI
Live Export
• Virtual network device with tun/tap
• Fake 802.11 NIC
• Realtime export for any pcap-aware tool (wireshark, snort, packet-o-matic)
• Aggregate local and remote sources
• Homogenize packet headers
Plugins (not airfresheners)
• Can do anything Kismet can do
• Define new capture sources and protocols (DECT? Zigbee? Spec-An?)
• Add new commands, IDS, logs
• Add new widgets to the user interface
• Visualize custom data
Kismet + DECT
• http://www.dedected.org
• Com-On-Air DECT PCMCIA
• Sniff cordless phones
• Adds a full non-802.11 protocol to Kismet in plugins (in 800 lines!)
• Server and client plugins for logging and display
Kismet + Dect (2)
Kismet + Spec-An
• Spectrum analysis
• Uses Wi-Spy from MetaGeek
• Logs spectrum data to PPI spectrum header on pcap file
• Display spectrum in Kismet UI
• Correlate network events with spectrum history
Kismet + Spec-An (2)
Mapping
• Old map code kind of useless
• New map code in progress
• Works with “popular map service”, rhymes with “Foogle”
• Arbitrarily large images
• International support
Mapping Oslo
Mapping Zoom
Picking a Platform
• If you can, Linux is the best bet – It's what I use, and it's what Kismet is written on
• LiveCD distros like Backtrack are easy
• Most cards have in-kernel drivers
• Some out-of-kernel drivers may still be needed (ralink 11n)
Pick a platform (2): Windows
• AirPCAP is a must
• Only device with monitor mode on windows with public drivers
• May be possible to hack other drivers from commercial sniffers, but I like not being sued
• Cace supports OSS. Yay!
Pick a platform (3): OSX
• Airport drivers work (Broadcom, Atheros, with Apple drivers)
• Old Airport classic doesn't really work anymore
• USB will not work
• KisMac can do USB, but is unrelated to Kismet, uses embedded non-portable drivers
Pick a Platform (4): Faking it
• Kismet requires direct access to hardware with native drivers
• Virtualization with USB passthrough can work (VMWare, KVM, Parallels, Virtualbox)
• No way to use cardbus/pci/internal/pcmcia cards.
Related Tools
• Spectools
  – Spectrum Analysis for Cheap
  – Curses, GTK, network
  – Userspace USB drivers for Wi-Spy
• Lorcon
  – Loss Of Radio Control
  – Homogenizing injection across platforms
  – Same API for all drivers
Spectools
• GPL drivers for Wi-Spy
• Developed with support from MetaGeek – they “get” open source!
• Works with all 3 Wi-Spy devices
• Network-compatible with Windows
• Find non-802.11 interference like jamming attacks
Spectrum Sniffing
Sniffing 5GHz
LORCON
• Platform and driver neutral
• Every driver has quirks; Do you write raw packets? Rtap? Prism? Big endian? Host endian?
• Most injection tools were custom written for specific (now outdated) drivers
LORCON (2)
• Josh Wright and I decided per-driver custom apps suck
• Any app using LORCON should work w/ any driver
• Functional modes provide “best fit”
• Basic packet crafting library
• Basic packet dissection (strip custom headers)
LORCON (3)
• Ported several apps to LORCON as proof-of-concept
• AirPwn running on Windows with Airpcap TX? Sure, why not.
• Raw packets with Metasploit? Sounds like a good idea!
• http://802.11ninja.net
Security Snake Oil: Cloaking
• SSID cloaking tries to hide the network SSID so clients can't connect
• Operative word: tries
• SSID is not a protected field!
• “Cloaking” simply hides the SSID in beacons.
• Good thing we see all the packets then!
Snake Oil: Cloaking (2)
• Network->All: “I'm a network!”
• Client->All: “I'm looking for a few good networks. Who are you?”
• Network->All: “Not gonna tell you.”
• OtherClient->Network: “I want to join SomeCloakedNet”
• Network->OtherClient: “That sounds like me, come on in.”
Snake Oil: Cloaking (3)
• All we have to do is wait for a client to join the network and capture the probe request/response
• Waiting sounds boring. I don't like boring.
• How about we send a packet from the network, to everyone, saying “Get out”?
Snake Oil: Cloaking (4)
• FakeNet->All: “Get out, now.”
• All: “Oh no! I need to find a network!”
• Client->Network: “I'm looking for SomeCloakedNet again.”
• Network->Client: “Sure, come on in.”
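Seen from the defender's side, the “Get out” exchange above is exactly the kind of trend the stateful IDS slide (“Don't do that”) describes. The following is an added example, not Kismet code: a minimal detector that flags a burst of broadcast deauthentication/disassociation frames claiming one BSSID. The 802.11 management header layout is the standard one; the sample capture, MAC addresses and threshold are constructed.

```python
import struct
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
# First frame-control byte: type 0 (management) with the subtype in the high nibble.
BEACON, DISASSOC, DEAUTH = 0x80, 0xA0, 0xC0

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Return (fc_byte0, dst, src, bssid) from a raw 802.11 frame, or None if too short."""
    if len(frame) < 22:
        return None
    fc, _dur, a1, a2, a3 = struct.unpack("<HH6s6s6s", frame[:22])
    return fc & 0xFF, _mac(a1), _mac(a2), _mac(a3)

def detect_deauth_floods(frames, window=1.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame). Emits one alert per BSSID when
    more than `threshold` broadcast deauth/disassoc frames claim it within `window` seconds."""
    recent, alerted, alerts = {}, set(), []
    for ts, raw in frames:
        hdr = parse_mgmt(raw)
        if hdr is None:
            continue
        sub, dst, _src, bssid = hdr
        if sub not in (DEAUTH, DISASSOC) or dst != BROADCAST:
            continue
        q = recent.setdefault(bssid, deque())
        q.append(ts)
        while ts - q[0] > window:        # forget kick-outs older than the window
            q.popleft()
        if len(q) > threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((bssid, ts, len(q)))
    return alerts

def build_mgmt(fc_byte0, dst, src, bssid, seq, reason=7):
    """Constructed sample frame (no radiotap, no FCS): 24-byte header plus a reason code."""
    hexmac = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack("<HH6s6s6sHH", fc_byte0, 0, hexmac(dst), hexmac(src), hexmac(bssid), seq << 4, reason)

def sample_capture():
    """Constructed capture: ten normal beacons, then eight spoofed broadcast deauths in 0.4 s."""
    ap = "00:11:22:33:44:55"
    frames = [(0.1 * n, build_mgmt(BEACON, BROADCAST, ap, ap, n)) for n in range(10)]
    frames += [(5.0 + 0.05 * i, build_mgmt(DEAUTH, BROADCAST, ap, ap, 100 + i)) for i in range(8)]
    return frames

if __name__ == "__main__":
    for bssid, ts, n in detect_deauth_floods(sample_capture()):
        print(f"deauth flood claiming bssid={bssid} at t={ts:.2f}s ({n} frames within 1 s)")
```

A real deployment would read frames from monitor-mode capture and also compare the sequence numbers against the AP's genuine beacon stream, since a spoofed burst rarely continues the AP's own counter.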
Snake Oil (5): MAC Filters
• “But”, someone says, “I don't need to turn on crypto, I have MAC filters!”
• No
• Oh, that's the MAC of your client? I'll just be joining now, thanks
• Besides, none of your data is encrypted
• You'll find out why this is a bad thing
Gut-Punching 802.11
• Absurdly easy
• Management frames are completely unprotected
• It's shared media
• All the bad old days for layer 2 attacks live again
• I don't have to own the Internet, I own your Internet
Strangers with candy
• Avoiding hostile networks requires users to be smart; Users are bad decision makers
• The OS won't help; Most like to join networks they've joined before
• Networks go “viral” and appear everywhere
• It's hard to tell what's real
Catch the virus
• “HP setup” “Free Public Wifi”
• Once Windows has seen a network, it wants to see it again
• Can't find it? Make an ad-hoc network!
• I like free. I like wi-fi. Let me join!
• Now another system will advertise it
Free public wiffey
• Create AP named “Free Public Wifi”
• Run “dnsmasq”
• ????
• Profit!
• Windows happily joins the network
• Why yes, I am your POP3 server. Why thank you for that password.
Making things worse: Karma
• Creating access points manually is really kind of a pain
• Isn't there an easier way?
• Modified drivers respond for every network requested
• “Are you FreePublicWifi?” Sure
• “Are you MyCorpNet?” Why not?
Even worse: Karmetasploit
• Karma+Metasploit+Airbase
• Become any AP. Become EVERY AP
• Answer all DNS queries
• Spoof common services like HTTP
• Record all logins
• You wanted Facebook? How about I give you all the browser exploits instead. Tasty!
Man-in-the-Middle
• Why just spoof HTTP? Why not give you a real connection and let you log in? (and then read your email)
• SSL? Just give them a fake cert. A user would never accept one of those, right?
• “You encrypted the login, but you didn't move the bodies!”
Ignoring the network
• You know, after all, setting up this whole network framework just to attack a client is a big hassle
• Let's just rewrite their traffic in the air and own them that way
• Airpwn is underappreciated; Not just for serving shock-porn anymore!
Creative editing
• Lots of sites include little stubs of JS
• Rhymes with “ShmaceHook” and “FlyMace” and “Glitter”
• Why not “enhance” them?
• Once you have JS exec inside the page domain, you win
• Layer 2 hijacking of open and WEP data
Free candy inside
• Client->Server: “Give me a connection to 1.2.3.4:80”
• Attacker->Client: “I'm 1.2.3.4:80!”
• Attacker->Server: “I'm Client! I changed my mind.”
• Attacker->Client: “Have some candy”
Constant interruptions
• Client->Server: “I want 1.2.3.4:80”
• Server->Client: “OK”
• Client->Server: “Give me /foo.js”
• Attacker->Client: “I'm Server, here's foo.js”
• Attacker->Server: “I'm Client. Go home.”
Not done yet
• Client->Server: “I want 1.2.3.4:80 /foo.js”
• Server->Client: “Here's foo.js”
• Attacker->Client: “No, no, there's more.”
Now I'm in your browser...
• … Rewriting your DOM
• What can we do? Anything we want
• Rewrite the page DOM to strip HTTPS
• Redirect links
• Replace text and images
• Send cookies to a remote system
• Remote-control the browser to do other stuff
But it's just a little javascript
// Walk every div on the page and swap the contents of the two headline blocks.
var embeds = document.getElementsByTagName('div');
for (var i = 0; i < embeds.length; i++) {
    if (embeds[i].getAttribute("class") == "cnnT1Img") {
        embeds[i].innerHTML = "...";
    } else if (embeds[i].getAttribute("class") == "cnnT1Txt") {
        embeds[i].innerHTML = "...";
    }
}
Cold, hard cache
• Discovered by Robert Hanson with VPNs
• Feed a client some javascript
• Set cache to infinity
• What happens when they go back to corporate HQ and load that?
• Yup... I just started running JS inside your corpnet a day later
Funeral for WEP
• Who here uses WEP?
• If you raised your hand, now I'm going to yell
• WEP is flawed
• Very flawed
• Fatally flawed
• The corpse is stinking, bury it before the neighbors freak out
Breaking WEP
• Used to take hours and hundreds of thousands of packets
• Now takes minutes and as few as 20,000 packets
• ARP injection is obvious but works really well
• Or just wait!
• Kismet-PTW plugin autocracks
No, seriously
Starting PTW attack with 29645 ivs.
KEY FOUND! [ 59:69:6E:67:57 ] (ASCII: YingW )
Decrypted correctly: 100%
real 0m0.708s
Cracked WEP in the wild with 30,000 ARP packets in less than a second; Took less than 2 minutes to generate packets via ARP injection
WEP is so cheap to crack there is no reason not to try every 100 packets to see if there is enough statistical data to crack it now
Home away from home
• Why wait for a client to find a network?
• Caffe Latte attack uses only the client
• Rewrite arp request to arp reply, send to client, repeat
• Cracked WEP and owned client in an airport. Or a bus. Whatever
Attacking WPA
• At least it's better than WEP
• WPA-PSK is only as secure as the passphrase
• Passphrase + SSID + Length of SSID hashed into PMK
• PMK makes PTK per user
• Computing PMK is hard
Look it up
• Computing PMK takes a while
• So let's calculate the PMK for every dictionary word plus the top 1000 SSIDs
• Dictionary lookups are fast
• Tables are big, but so what?
• We can accelerate with CUDA and FPGA
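The two WPA slides above (“Attacking WPA” and “Look it up”) describe the WPA-PSK key schedule without showing it. The following is an added example, not Kismet's or wpa_supplicant's code: the passphrase and SSID become the PMK through PBKDF2-HMAC-SHA1, and the PMK plus both MAC addresses and both handshake nonces become a per-client PTK through the 802.11i PRF. Because the SSID is the PBKDF2 salt, a precomputed table only helps for that one SSID, which is the defender's lever: an uncommon SSID and a long passphrase make the front-loaded work useless. The MAC addresses and nonces used in the demo are constructed; the PMK test vector is the one from the 802.11i standard's annex.

```python
import hashlib
import hmac
import time

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    The SSID (hence its length) is the salt, so a table is tied to one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (512 bits for TKIP) from the PMK, the AP (aa) and station (spa) MACs and the
    nonces exchanged in the 4-way handshake; fresh nonces give every client its own PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)

def pmk_cost(n: int = 10) -> float:
    """Seconds per PMK on this machine: PBKDF2 is the slow step, which is why the
    slides talk about precomputing it, and why it only runs once per association."""
    t0 = time.perf_counter()
    for i in range(n):
        wpa_pmk(f"bench{i}", "benchssid")
    return (time.perf_counter() - t0) / n

if __name__ == "__main__":
    # Standard test vector: passphrase "password", SSID "IEEE"
    pmk = wpa_pmk("password", "IEEE")
    print("PMK", pmk.hex())
    # Constructed MACs and nonces for the PTK demonstration
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    ptk = wpa_ptk(pmk, ap_mac, sta_mac, bytes(32), bytes(range(32)))
    print("PTK", ptk.hex())
    print(f"{pmk_cost():.6f} s per PMK")
```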
Attacking TKIP
• TKIP was a stop-gap before 11i
• TKIP is RC4. Wait. Isn't WEP RC4?
• So doesn't... TKIP suck?
• Kind of. They made it better
• Per-packet keying, replay prevention, passphrase conversion standards, PTK renegotiation
Countermeasures
• TKIP includes MIC countermeasures
• Invalid packets cause the network to go sulk in the corner and reset
• Two invalids in 60 seconds cause the network to go away
• We can still guess, but we have to guess slowly
Unintended side effects
• QoS defined after TKIP
• Can re-order packets
• Each queue has a packet count
• This means we can re-use a packet from one queue in the other queues
• Four commonly used, but 12 more available
Chop chop!
• Cut the last byte off the packet
• Fix the checksum
• Inject
• If we're wrong, nothing happens
• If we're right, we get a spoof alert!
• Wait 60 seconds, start on next byte
Not quite dead yet
• Not a complete break; Slow, only gets us a few packets
• Once we get a few we could initiate a connection outside though...
• Beginning of the end
• Switch to WPA2 now before someone finishes the job on WPA1
Attacking WPA-EAP
• Better than WPA-PSK
• Commonly found on corporate networks
• Many methods use PKI/TLS (SSL certificates)
• No good way to distribute certs to all clients at an institutional level
• Spotty OS clients
I am who I say I am
• If UAC isn't used, deciding “good” certs can be in the hands of users
• Users always make good decisions, right?
• That SSL cert says “Veri$ign”, good 'nuff! (This is actually optimistic)
• Obviously that tennis player wants me to see her naked!
Even the smart ones...
• Often the OS supplicant isn't helpful
• May not show all of the cert
• Even if it does... Self signed vs real?
• If two certs have a common root (Verisign?) the CN may not be compared anyhow
Of course you're you
• Josh Wright and Brad Antoniewicz wrote a FreeRadius variant that accepts all logins
• Spoof a network and advertise PEAP
• “Cert looks good to me!”
• Combine with KARMA, own everyone who connects
• Harvest passwords
1 2 3 4 5
• PEAP gives us password as MSCHAPV2
• If only there were a tool for that... like L0phtCrack
• Users also pick bad passwords
• That's the same password as my luggage!
Future Plans
• More non-802.11 plugins (Zigbee, RFID)
• More IDS
• Integrate WPA-PSK decryption
• Integrate WPA-EAP decryption with provided certificates
Thanks, Q&A, Live Demo
• Thanks to CACE for having Sharkfest!
• Thanks to everyone who has helped test Kismet-Newcore on the long road to release
Q&A