tmplab hostile wrt-5-hacklu
HostileWRT
Reclaim Your Spectrum
Eugene Parkinson, Philippe Langlois
http://www.tmplab.org
http://www.p1security.com
Why HostileWRT?
•Wireless Security Audit
•Controlled environment only
•Inside an industrial site
•Big number of AP to audit
•Need for Ultra-Fast setup
•Access to friends’ network
•Beware of the law! Need authorization.
What is HostileWRT?
•Based on OpenWRT (www.openwrt.org)
•Script to automate WiFi actions
•Packages for aircrack-ng
•WiFi networks: LoveWRT
•Great hardware: FON2
HADOPI Router Scandal
•This IS NOT!
•But...
•It may be used this way...
•...if you don’t respect the law
•Of course, you should not
Limitations
•Small Memory
•Slow CPU
•No internet
•or rarefied (IPoICMP, IPoDNS)
Behaviours
•== Modes
•Fast Setup
•Auto-join on first crack
•Mass Audit
•Collect and crack
•Key size dependent? (big: crack later, small: crack now)
•Multi-ops mode
•AP / STA / MONITOR
Plug-ins
•Hooks
•For each event
•On start
•On WEP attack working
•On WEP attack start
•On WEP key found
•Open Generic Model
•On client detect
Demo & Internals
Roadmap
•What works
•Scan
•WEP crack
•Client Mode (stability?)
•AP Mode (channel changing)
•What’s next
•Web UI, QA
•Resistant WEPs, WPA with Kalk
Hacks: Mobile
•Batteries
•Car, Bicycle-based
•FridaV example
•Already using OpenWRT
•Thanks to Ljudmila hackerspace
Hacks: Hiding
•Industrial boxes
•Lightpost
•Office ceiling
•Others...
Hacks: Antennas
•Omni
•HSB Mighty Waveguide hacks
•NZ DIY antennas
•Coffee box
•Is THIS ridiculous???
•Yagi
Hacks: Connecting things
•GPIO: SPI, I2C
•Chemical Sensors
•Thanks Sebastien B.
•Radioactivity diodes
•Thanks M
SSID to Wordlists
•New in 0.3.2
•Guess the best dictionaries for your country
•SSID list gives fingerprint
•SSID patterns, FR: Livebox_
•You can contribute for your Country
•Hint: .hr, .pl, .hu, ...
Bugs
•NO STORAGE ON FLASH!!!!
•Pwweez don’t crash your AP
•Newest AP (Fon2N?)
•airdecloak-ng
•None other known... :)
Future
•Mesh networks (BABEL?!)
•Datagram control (BOTmode)
•Captive portal phishing test
•Reliable IPoDNS, IPoICMP
•Anonymous Browsing (TOR?)
•Industrial solution (reporting, mgmt, dual approach)
Help Needed
•Developers
•Testers
•Real-world experience feedback
•IPoXXX endpoints / exit nodes
•Resistant WEP tricks
•WPA Crypto+FPGA Genius? (K!LK!)
Credits
•The OpenWRT project
•XXX for FONbook on batteries
•Loloster
•All the /tmp/lab crew
Thanks! Merci!
Work In Progress @ /tmp/lab
Come meet us
http://www.tmplab.org
http://www.p1security.com