“All your layer are belong to us” Rogue 802.11 APs, DHCP/DNS Servers, and Fake Service Traps

Upload: nitin-bhaidiya

Post on 12-May-2017

Page 1: Psj04 Macaulay Zovi e

“All your layer are belong to us”: Rogue 802.11 APs, DHCP/DNS Servers, and Fake Service Traps

Page 2

Agenda

Windows XP Wireless Auto Configuration (WZCSVC)
Wireless Client Attack Tool
Creating an ALL SSIDs network (L1)
Creating a virtual network (L2+)
Exploiting client-side application vulnerabilities (L5)
Demo

All your layer are belong to us

Page 3

Wireless Auto Configuration Algorithm

First, the client builds a list of available networks: it sends a broadcast Probe Request on each channel.

Page 4

Wireless Auto Configuration Algorithm

Access Points within range respond with Probe Responses.

Page 5

Wireless Auto Configuration Algorithm

If Probe Responses are received for networks in the preferred networks list: connect to them in preferred networks list order.

Otherwise, if no available network matches a preferred network: specific Probe Requests are sent for each preferred network, in case the networks are “hidden”.

Page 6

Wireless Auto Configuration Algorithm

If still not associated and there is an ad-hoc network in the preferred networks list, create the network and become its first node. Use a self-assigned IP address (169.X.Y.Z).

Page 7

Wireless Auto Configuration Algorithm

Finally, if “Automatically connect to non-preferred networks” is enabled (disabled by default), connect to networks in the order they were detected.

Otherwise, wait for the user to select a network, and continue scanning for networks.

Page 8

Attacking Wireless Auto Configuration

Attacker spoofs a disassociation frame to the victim.
Client sends broadcast and specific Probe Requests again.
Attacker discovers networks in the Preferred Networks list (e.g. linksys, MegaCorp, t-mobile).

Page 9

Attacking Wireless Auto Configuration

Attacker creates a network named MegaCorp with the HostAP driver.

Page 10

Attacking Wireless Auto Configuration

Victim associates to the attacker’s fake network, even if the preferred network was WEP (XP SP 0).

Attacker can supply DHCP, DNS, …, servers.
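The selection order on pages 3-7 and the outcome on page 10 can be modelled as a small decision function. This is an added illustration, not the presenters' code; the SSIDs and BSSIDs are constructed, and the `require_security_match` flag is an assumed mitigation (match the stored profile's security setting, not just the SSID) added to show why SSID-only matching lets an open rogue network stand in for a WEP one.

```python
from dataclasses import dataclass

# Added illustration of the WZC selection order (pages 3-7) and the rogue-AP case
# (pages 8-10); not the presenters' code.  All SSIDs and BSSIDs are constructed.

@dataclass(frozen=True)
class Network:                   # what a Probe Response advertises
    ssid: str
    bssid: str
    encrypted: bool              # Privacy bit set (WEP) in the Probe Response
    infrastructure: bool = True

@dataclass(frozen=True)
class Preferred:                 # a profile in the preferred networks list
    ssid: str
    encrypted: bool              # security setting stored with the profile
    infrastructure: bool = True

def choose_network(preferred, visible, auto_connect_nonpreferred=False,
                   require_security_match=False):
    """Return the network the client associates to, or None if it waits for the user.
    require_security_match is the assumed mitigation: a Probe Response carrying a
    preferred SSID is ignored unless its security setting matches the stored profile."""
    # Pages 3-5: walk the preferred list in order; take the first SSID that answered.
    for pref in preferred:
        for net in visible:
            if net.ssid != pref.ssid or net.infrastructure != pref.infrastructure:
                continue
            if require_security_match and net.encrypted != pref.encrypted:
                continue         # same name, wrong security: not our network
            return net
    # Page 6: no preferred infrastructure network answered; create a preferred ad-hoc one.
    for pref in preferred:
        if not pref.infrastructure:
            return Network(pref.ssid, "self", pref.encrypted, infrastructure=False)
    # Page 7: non-preferred networks only if the (off by default) option is enabled.
    if auto_connect_nonpreferred and visible:
        return visible[0]
    return None

# Constructed scenario: the victim's MegaCorp profile is WEP; the attacker's HostAP
# network reuses the SSID but is open (no Privacy bit).
PREFERRED = [Preferred("MegaCorp", encrypted=True), Preferred("linksys", encrypted=False)]
ROGUE = Network("MegaCorp", "02:00:00:00:00:01", encrypted=False)
CAFE = Network("linksys", "02:00:00:00:00:02", encrypted=False)

def xp_sp0_choice():             # SSID-only matching: the open rogue network wins
    return choose_network(PREFERRED, [CAFE, ROGUE])
def hardened_choice():           # security must match: the rogue network is skipped
    return choose_network(PREFERRED, [CAFE, ROGUE], require_security_match=True)
```

With `auto_connect_nonpreferred=True` the rogue network is chosen even under the hardened rule, which is why that option stays off by default.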

Page 11

Wireless Auto Configuration Attacks

A. Attacker can join a created ad-hoc network: sniff the network to discover the self-assigned IP (169.X.Y.Z) and attack.

B. Create a more preferred network: spoof disassociation frames to cause clients to restart the scanning process; sniff Probe Requests to discover Preferred Networks; create a network with the SSID from the Probe Request.

C. Create a stronger signal for the currently associated network: while associated to a network, clients send Probe Requests for the same network to look for a stronger signal.

You can be 0wned while watching a DVD on a plane!

Page 12

A Tool to Automate the Attack

Track clients by MAC address
Identify state: scanning/associated
Record preferred networks by capturing Probe Requests
Display signal strength of packets from the client
Target specific clients and create a network they will automatically associate to
Compromise the client and let it rejoin the original network: connect back out over the Internet to the attacker, launch a worm inside the corporate network, etc.

“Kismet” for wireless clients

Page 13

L1: Creating an ALL SSIDs Network

Can we attack multiple clients at once? We want a network that responds to Probe Requests for any SSID.
PrismII HostAP mode handles Probe Requests in firmware and doesn’t pass them to the driver.
Can modify the driver to accept Associations for any SSID.
Can use a second card to sniff for Probe Requests and forge Probe Responses.
Custom firmware would be better.

Page 14

L2: Creating a FishNet

We want a network where we can observe clients in a “fishbowl” environment.
Once victims associate to the wireless network, they will acquire a DHCP address.
We run our own DHCP server. We are also the DNS server and the router.

Page 15

FishNet Services

When the wireless link becomes active, client software activates and attempts to connect, reconnect, etc. without requiring user action.
Our custom DNS server replies with our IP address for every query.
We also run “trap” web, mail, and chat services: fingerprint client software versions, steal credentials, exploit client-side application vulnerabilities.

Page 16

Fingerprinting FishNet Clients

Automatic DNS queries:
wpad.domain -> Windows
_isatap -> Windows XP SP 0
isatap.domain -> Windows XP SP 1
teredo.ipv6.microsoft.com -> XP SP 2

Automatic HTTP requests: windowsupdate.com, etc. The User-Agent string reveals the OS version.

Passive OS fingerprinting (p0f)
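A client-side check for the catch-all DNS server of page 15, using the kind of automatic queries page 16 lists. This is an added example, not the presenters' code: the resolver logs, hostnames and addresses are constructed, and the canary zone `invalid-canary.example` is an assumed name that a real deployment would replace with a zone it controls and knows never resolves.

```python
import random
import string
from collections import defaultdict

# Constructed resolver logs, "<qname> <rcode> <answer-or-dash>" per line.  TRAP_LOG is
# what a FishNet-style resolver returns: every name, even a random canary, gets one IP.
TRAP_LOG = """\
wpad.megacorp.example NOERROR 10.0.0.1
isatap.megacorp.example NOERROR 10.0.0.1
teredo.ipv6.microsoft.com NOERROR 10.0.0.1
mail.megacorp.example NOERROR 10.0.0.1
xq7v2k.invalid-canary.example NOERROR 10.0.0.1
"""
HONEST_LOG = """\
wpad.megacorp.example NXDOMAIN -
isatap.megacorp.example NXDOMAIN -
teredo.ipv6.microsoft.com NOERROR 192.0.2.10
mail.megacorp.example NOERROR 192.0.2.25
xq7v2k.invalid-canary.example NXDOMAIN -
"""
CANARY_SUFFIX = "invalid-canary.example"   # assumed: a zone known never to resolve

def parse_log(text):
    rows = []
    for line in text.splitlines():
        qname, rcode, answer = line.split()
        rows.append((qname, rcode, None if answer == "-" else answer))
    return rows

def canary_name():
    """A random label under CANARY_SUFFIX; a live client would look this up first."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
    return f"{label}.{CANARY_SUFFIX}"

def catch_all_verdict(rows, threshold=0.8):
    """Return (is_catch_all, dominant_ip, share).  The resolver is flagged when the
    canary resolves, or when at least `threshold` of answered names share one address."""
    by_ip = defaultdict(set)
    canary_resolved = False
    for qname, rcode, answer in rows:
        if qname.endswith(CANARY_SUFFIX) and rcode == "NOERROR":
            canary_resolved = True
        if answer:
            by_ip[answer].add(qname)
    if not by_ip:
        return (False, None, 0.0)
    ip, names = max(by_ip.items(), key=lambda kv: len(kv[1]))
    share = len(names) / sum(len(n) for n in by_ip.values())
    return (canary_resolved or share >= threshold, ip, share)
```

A flagged verdict is a reason to treat the network as untrusted before any client software auto-connects, not proof of a specific attacker.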

Page 17

L5: Exploiting FishNet Clients

Fake services steal credentials.
Mail and chat protocols (IMAP, POP3, AIM, YIM, MSN).
Reject authentication attempts that use non-cleartext commands.
Many clients automatically resort to cleartext when non-cleartext is not supported.
Attack VPN clients…
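The client-side counterpart to the credential trap on page 17 is a login policy that never downgrades to cleartext. This is an added example, not the presenters' code; the POP3 CAPA transcripts are constructed, and the mechanism names returned by `choose_auth` are this example's own labels.

```python
# Added example of a POP3 login policy that refuses to fall back to cleartext when a
# server rejects or omits protected authentication; not the presenters' code.

class CleartextRefused(Exception):
    """Raised instead of sending USER/PASS over an unprotected session."""

# Constructed CAPA responses.  A trap server advertises only USER so that naive clients
# fall back to cleartext; a sane server offers STLS and/or SASL mechanisms.
TRAP_CAPA = "+OK Capability list follows\r\nUSER\r\nUIDL\r\n.\r\n"
GOOD_CAPA = "+OK Capability list follows\r\nSTLS\r\nSASL CRAM-MD5 PLAIN\r\nUIDL\r\n.\r\n"

def parse_capa(response):
    """Return {CAPABILITY: [args]} from a raw CAPA response (RFC 2449 layout)."""
    lines = response.split("\r\n")
    if not lines[0].startswith("+OK"):
        return {}
    caps = {}
    for line in lines[1:]:
        if line in (".", ""):
            break
        name, *args = line.split()
        caps[name.upper()] = args
    return caps

def choose_auth(caps, session_encrypted=False):
    """Pick an authentication path in this order:
       1. STLS, then re-evaluate on the protected channel
       2. a SASL challenge-response mechanism (CRAM-MD5) without TLS
       3. USER/PASS or PLAIN only if the session is already TLS-protected
    Anything else raises instead of silently downgrading."""
    if "STLS" in caps and not session_encrypted:
        return "STLS"
    sasl = [m.upper() for m in caps.get("SASL", [])]
    if "CRAM-MD5" in sasl:
        # keeps the password off the wire; a hostile server can still try offline guesses
        return "AUTH CRAM-MD5"
    if session_encrypted and ("USER" in caps or "PLAIN" in sasl):
        return "USER/PASS over TLS"
    raise CleartextRefused("server offers only cleartext authentication")

def attempt_login(capa_response, session_encrypted=False):
    """Return the chosen mechanism, or 'refused' so the caller can log and alert."""
    try:
        return choose_auth(parse_capa(capa_response), session_encrypted)
    except CleartextRefused:
        return "refused"
```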

Page 18

Client-Side Application Vulnerabilities

Recent client-side vulnerabilities: Microsoft JPG Processing (GDI+), Mozilla POP3 Heap Overflows, GDK Pixbuf XPM Vulnerabilities, …

Exploits can make use of fingerprinting info.

Page 19

DEMO