“We need a special holiday to honor the countless kind souls with unsecured networks named 'linksys'.” www.xkcd.com

Upload: keagan-anctil

Post on 15-Dec-2015


TRANSCRIPT

Page 1: “We need a special holiday to honor the countless kind souls with unsecured networks named 'linksys'.”

“We need a special holiday to honor the countless kind souls with unsecured networks named 'linksys'.”

www.xkcd.com

Page 2

“If you're not cool enough to do it manually, you can look up tools like Upside-Down-Ternet for playing games with people on your wifi.”

www.xkcd.com

Page 3

“I hear this is an option in the latest Ubuntu release.”

…isn’t BackTrack 4 based on Ubuntu…

www.xkcd.com

Page 4

Page 5

802.11 ObgYn

Spread your Spectrum

Page 6

IEEE 802.11y

• 802.11o is a reserved and unused letter
• When I submitted this talk, I didn’t realize that 802.11y had been ratified
• This really ruined my joke name…
• Sadly, I don’t have an 802.11y card or driver so we will not be discussing 3650-3700MHz
• I really hope this doesn’t disappoint anyone, I will try to make it up to you all next time…

Page 7

Who am I and why do you care?

Rick “Zero_Chaos” Farina
Senior Wireless Security Researcher for AirTight Networks
Aircrack-ng Team Member
Embedded Development
Maverick Hunter Rank S

Page 8

• You might remember me from such things as:

Page 9

Walking into my own talk late at Defcon 16

Page 10

Rudely interrupting other people's talks...

Page 11

...and inciting hackers to riot

Page 12

Now I'm back!

Today's Agenda

Freq Update
• Updated patches
• Updated information

Unusual Encryption
• Like what?
• How to detect it

Wireless Intrusion Detection and Prevention
• What is it?
• How it works

Page 13

Standard DISCLAIMER:

• Some of the topics in this presentation may be used to break the law in new and exciting ways…
• Of course I do not recommend breaking the law and it is your responsibility to check your local laws and abide by them.
• DO NOT blame me when a three letter organization knocks on your door.
• I am not an expert, this is all based on my research and dumb luck.

Page 14

Contest

Find the AP
• I have hidden an AP somewhere in the airwaves
• Report the center frequency of operation, SSID, and MAC address to win (Insiders and friends are not eligible)

Page 15

Spoils* (first winner only)

Find the AP before the end of the talk
• Ubiquiti Super Range Cardbus wifi card
• Your face in the video if you are right
• Public embarrassment if you are wrong

Find the AP before 17:00
• $50 towards a nice Atheros card

Find the AP after 17:00
• Hearty handshake and a pat on the back

*game may end early due to unforeseen hardware failure

Page 16

We have discussed this before:

WiFi Frequencies
• .11b/g 2412-2462 (US)
• .11a 5180-5320, 5745*-5825 (US)
(regulatory settings from kernel old reg)

Obviously makes no sense
• Does the card really not have the ability to use 5320-5745?

*DFS channels excluded due to driver limitations

Page 17

Licensed Bands

• Some vendors make special licensed radios
• Special wifi cards for use by military and public safety
• Typically very expensive
• Frequencies of 4920 seem surprisingly close to 5180

Page 18

Manufacturers are cheap

• Atheros and others sometimes support more channels
• Allows for 1 radio to be sold for many purposes.
• Software controls allowed frequencies

Page 19

Who Controls the Software?

Yesterday
• Most wifi drivers in Linux require binary firmware of some kind
• Controls anything the vendor wants

Today
• More and more vendors are going fully open source

Page 20

Who do we like for this stuff?

Preferred … Undesirable

Atheros, Ralink, Intel, Marvell, Broadcom

• Fully Open Source Drivers. Developers working with the community.
• Closed Source (sometimes buggy) Firmware. Developers working with the community.
• Ignores requests for chipset docs.
• Releases completely closed source binary drivers.

Page 21

Our Playground

• Madwifi-ng was driven by a binary HAL
• Ath5k is the fully open source driver now in the kernel
• Kugutsumen released a patch for “DEBUG” regdomain
• Allows for all *officially* supported channels to be tuned to

Page 22

Fun Comments in ath5k

/* Set this to 1 to disable regulatory domain restrictions for channel tests.
 * WARNING: This is for debuging only and has side effects (eg. scan takes too
 * long and results timeouts). It's also illegal to tune to some of the
 * supported frequencies in some countries, so use this at your own risk,
 * you've been warned. */

Page 23

Comments (cont)

/*
 * XXX The tranceiver supports frequencies from 4920 to 6100GHz
 * XXX and from 2312 to 2732GHz. There are problems with the
 * XXX current ieee80211 implementation because the IEEE
 * XXX channel mapping does not support negative channel
 * XXX numbers (2312MHz is channel -19). Of course, this
 * XXX doesn't matter because these channels are out of range
 * XXX but some regulation domains like MKK (Japan) will
 * XXX support frequencies somewhere around 4.8GHz.
 */

Page 24

New Toys

Yesterday
• .11b/g 2412-2462 (US)
• .11a 5180-5320, 5745-5825 (US)

Today
Ubiquiti SRC
• .11b/g 2192-2732
• .11a 4800-6000

Linksys WPC55AG ver 1.3
• .11b/g 2277-2484
• .11a 4800-6000

Page 25

Spectrum Analyzer

• Fully tested frequencies
• Sadly no one would let me borrow a SA
• Warning: This will differ from card to card
• I’ve already lost a few wifi cards…

Page 26

What is on these new freq? (MHz)

2180.000 - 2200.000  Fixed Point-to-point (n-p)
2200.000 - 2290.000  DoD
2300.000 - 2310.000  Amateur
2390.000 - 2450.000  Amateur
2450.000 - 2500.000  Radio location
2500.000 - 2535.000  Fixed SAT
2500.000 - 2690.000  Fixed Point-to-point (n-p), Instructional TV
2655.000 - 2690.000  Fixed SAT
2690.000 - 2700.000  Radio Astronomy
2700.000 - 2900.000  DoD

Page 27

Freq (cont) (MHz)

4400.000 - 4990.000  DoD
4990.000 - 5000.000  Meteo - Radio Astronomy
5250.000 - 5650.000  Radio Location - Coastal Radar
5460.000 - 5470.000  Radio Nav - General
5470.000 - 5650.000  Meteo - Ground-based Radar
5650.000 - 5925.000  Amateur
5800.000             ISM
5925.000 - 6425.000  Common Carrier and Fixed SAT

Page 28

Limitations

• Many real licensed implementations are broken
• Card reports channel 1 but is actually on 4920MHz or some such
• This is done to make it easy to use existing drivers
• This breaks many open source applications

Page 29

Airodump-ng

• Airodump-ng now supports a list of frequencies to scan rather than channels
• Only channels are shown in display, may be wrong
• Strips vital header information off of packet so data saved from extended channels is useless

Page 30

Improvement Was Needed

• Sniffers were too trusting, they believed what they saw
• Never intended to deal with oddly broken implementations such as channel number fudging
• Sniffers had to mature to report more reality, and fewer assumptions
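As an added example (not code from the talk, nor from Kismet or Airodump-ng), here is the check a sniffer needs in order to stop believing the driver: it derives the channel from the radiotap centre frequency with the standard IEEE channel arithmetic (the same arithmetic behind the negative channel numbers in the ath5k comment quoted earlier), flags frequencies outside the standard bands, and reports a mismatch when the card's claimed channel disagrees with where it is really tuned. The frames are constructed, not captured.

```python
"""Frequency-aware channel reporting for a monitor-mode sniffer (added example).

The driver's channel number is a claim; the centre frequency in the radiotap
header is what the radio was actually tuned to. Derive the channel from the
frequency and treat disagreement as a finding rather than trusting the card.
"""
from dataclasses import dataclass

# Standard bands on which a channel number has its usual meaning.
STANDARD_BANDS = (
    ("2.4GHz", 2412, 2484),   # channels 1-14
    ("4.9GHz", 4910, 4980),   # public-safety / Japan channels 184-196
    ("5GHz",   5170, 5835),   # channels 34-167 in common use
)


def channel_arithmetic(freq_mhz):
    """IEEE channel arithmetic: 2407 + 5*ch (2.4 GHz), 4000 + 5*ch (4.9 GHz),
    5000 + 5*ch (5 GHz). Applied even outside the standard bands so that an
    extended frequency yields a telling number (2312 MHz -> channel -19, as the
    ath5k comment notes) instead of a silently reused channel 1.
    Returns None when the frequency is not on the band's 5 MHz raster."""
    if freq_mhz == 2484:           # channel 14 is the one exception to the raster
        return 14
    if freq_mhz < 4000:
        base = 2407
    elif 4910 <= freq_mhz <= 4980:
        base = 4000
    else:
        base = 5000
    offset = freq_mhz - base
    if offset % 5:
        return None
    return offset // 5


def band_of(freq_mhz):
    for name, lo, hi in STANDARD_BANDS:
        if lo <= freq_mhz <= hi:
            return name
    return "extended"


@dataclass
class Frame:
    bssid: str
    reported_channel: int   # what the driver / capture tool claimed
    freq_mhz: int           # radiotap Channel field: where the radio really was


def classify(frame):
    """'ok', 'channel-mismatch' (card lying about its channel) or
    'extended-frequency' (no standard channel number describes it)."""
    if band_of(frame.freq_mhz) == "extended":
        return "extended-frequency"
    if channel_arithmetic(frame.freq_mhz) != frame.reported_channel:
        return "channel-mismatch"
    return "ok"


def audit(frames):
    """One row per frame: bssid, frequency, derived channel, band, verdict.
    A real tool keys this per BSSID and always logs frequency next to channel."""
    return [(f.bssid, f.freq_mhz, channel_arithmetic(f.freq_mhz),
             band_of(f.freq_mhz), classify(f)) for f in frames]


# Constructed sample frames (not from any real capture).
SAMPLE_FRAMES = [
    Frame("00:11:22:33:44:01", 1, 2412),    # honest card on channel 1
    Frame("00:11:22:33:44:02", 1, 4920),    # licensed radio reporting channel 1 at 4920 MHz
    Frame("00:11:22:33:44:03", 36, 5180),   # honest 5 GHz card
    Frame("00:11:22:33:44:04", 1, 2192),    # card tuned below the 2.4 GHz band
    Frame("00:11:22:33:44:05", 48, 5250),   # claims channel 48, really on 5250 MHz (ch 50)
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FRAMES):
        print("%s  %5d MHz  ch %-5s %-9s %s" % row)
```

The point of `band_of` is that a frequency such as 2192 MHz has no honest channel number at all, so the output must carry the frequency itself; that is exactly the difference between a capture whose channel column "may be wrong" and one whose headers are usable later.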

Page 31

Kismet

• Kismet-newcore fully supports frequency ranges
• Displays channels AND frequency in display
• Saves pcap files with usable headers
• dragorn just generally rocks

Page 32

Kismet-Newcore

• Usable now in SVN from kismetwireless.net
• Would have been a Kismet-Test1 release for Shmoocon but setting up freeradius sucks. Bad.
• New UI, better logging, improved IDS features, *Plugins*, new mapping SW on its way
• Autoconfig device support
• Multiple protocol support via plugins – DECT cordless phone sniffing

-dragorn

Page 33

Page 34

Page 35

Page 36

Page 37

Kernel Regulatory Changes

“old reg”
• Deprecated soon
• Contains very few static regulatory domains
• Built right into kernel

New userspace Central Regulatory Domain Agent
• Userspace app called by udev named crda
• Takes input from visible AP or user through iw
• Sets accurate reg domain based on country
• Uses separate wireless-regdb which contains country information

Page 38

Ath5k frequency patches

Old ath5k patches
• Completely removed tx
• No way to control tx
• If you are in any mode but monitor you ARE breaking the law

New Ath5k patches
• No patch for old reg
• crda controls which freq you can tx on
• Able to use card safely within the law
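To make concrete what crda and wireless-regdb enforce, here is an added example (not the crda or wireless-regdb code; the db.txt excerpt is a constructed, abbreviated one written in that file's syntax): a parser for db.txt country blocks and a check that answers whether a given channel may be transmitted on in a given country. That is the decision crda hands the kernel, which is why a card patched to tune widely still only transmits where the regulatory database allows.

```python
"""Parse wireless-regdb's db.txt syntax and answer "may I transmit here?"
(added example; the database excerpt below is constructed and abbreviated).

Rule lines look like: (start - end @ max_bw), (max_eirp_dbm), FLAG, FLAG
Older entries write the power tuple as (antenna_gain_dbi, max_power_dbm);
either way the last number is the power limit.
"""
import re

CONSTRUCTED_DB = """
# Constructed excerpt in db.txt syntax - not the real wireless-regdb file
country US: DFS-FCC
    (2402 - 2472 @ 40), (30)
    (5170 - 5250 @ 80), (23), AUTO-BW
    (5250 - 5330 @ 80), (23), DFS, AUTO-BW
    (5735 - 5835 @ 80), (30)

country JP: DFS-JP
    (2402 - 2482 @ 40), (20)
    (4910 - 4990 @ 40), (23)
    (5170 - 5250 @ 80), (20), AUTO-BW
"""

COUNTRY_RE = re.compile(r"country\s+(\w+)\s*:\s*(.*)")
RULE_RE = re.compile(
    r"\(\s*([\d.]+)\s*-\s*([\d.]+)\s*@\s*([\d.]+)\s*\)\s*,\s*\(([^)]*)\)(.*)")


def parse_regdb(text):
    """Return {country: {'dfs_region': str|None, 'rules': [rule, ...]}}."""
    db, country = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = COUNTRY_RE.match(line)
        if m:
            country = m.group(1)
            db[country] = {"dfs_region": m.group(2).strip() or None, "rules": []}
            continue
        m = RULE_RE.match(line)
        if m and country:
            powers = [float(p) for p in m.group(4).split(",")]
            flags = {f.strip() for f in m.group(5).split(",") if f.strip()}
            db[country]["rules"].append({
                "start": float(m.group(1)), "end": float(m.group(2)),
                "max_bw": float(m.group(3)), "max_eirp_dbm": powers[-1],
                "flags": flags,
            })
    return db


def tx_allowed(db, country, center_mhz, bw_mhz=20):
    """(max_eirp_dbm, flags) if one rule covers the whole channel width at or
    below its bandwidth cap, else None. No matching rule means no TX, which is
    what the kernel enforces once crda has loaded the country's rules."""
    lo, hi = center_mhz - bw_mhz / 2, center_mhz + bw_mhz / 2
    domain = db.get(country)
    if domain is None:
        return None
    for rule in domain["rules"]:
        if rule["start"] <= lo and hi <= rule["end"] and bw_mhz <= rule["max_bw"]:
            return rule["max_eirp_dbm"], rule["flags"]
    return None


if __name__ == "__main__":
    db = parse_regdb(CONSTRUCTED_DB)
    for cc, freq in (("US", 2412), ("US", 4920), ("US", 5260), ("JP", 4920)):
        print(cc, freq, "MHz ->", tx_allowed(db, cc, freq) or "no TX")
```

Note the edge the check gets right: channel 13 (2472 MHz) at 20 MHz width spills 10 MHz past the US rule's 2472 MHz upper edge, so it is refused, while the same channel fits the constructed JP rule; and the 4.9 GHz range that is bare DoD spectrum in the US allocation table is a licensed rule in the JP block, which is what the ath5k comment about MKK (Japan) was alluding to.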

Page 39

Patch released

• New ath5k patch released for vanilla kernel 2.6.28.x
  – I can't support every distro
• Available from aircrack-ng svn
  – Included directions for required userspace tools
• Patch available for wireless-regdb
  – US only (willing to add more on request)
  – Binary regulatory.bin will be made available
  – Willing to add capabilities for Licensed Professional and Amateur operations

Page 40

Future Research in this Area

Kernel Acceptance
• Need to fix a few minor bugs

Ath9k support
• Yes, these can be extended as well

Ralink support
• I've got a hot tip that these support much fun

Page 41

Final Thoughts on Frequencies

• Remember everyone here is a white hat
• Please use your new found knowledge for good not evil
• In the United States it is LEGAL to monitor all radio frequencies
• Have fun…

Page 42

Unusual Crypto

• What do we know?
  – Kismet and Airodump-ng detect 802.11 encryptions
    • WEP/WEP+/DWEP/LEAP
    • WPA/WPA2 PSK/802.1x
    • EAP types used

Page 43

Have you ever seen…

• a WEP network invulnerable to replay?
• Open AP that you cannot connect to?
• 802.11 on Spectrum Analyzer but an empty pcap file?

Page 44

Symbol Keyguard

• “TKIP encryption implementation based on the forthcoming 802.11i standard”
• “Kerberos V5 based mobile security”
• “EAP/TLS with 802.1X port-based Network Access Control or RADIUS”
• Really it is just pre-standard TKIP
• Replay prevention
• Detected as WEP by Kismet and Airodump-ng
• Thanks to pcap donations, Kismet is adding detection
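How Kismet and Airodump-ng arrive at the "WEP" label the slide describes can be shown with a small beacon-frame classifier, an added example rather than either tool's code. The encryption type is read from the beacon's capability Privacy bit plus the RSN (WPA2) and WPA vendor information elements; a network that sets the Privacy bit but advertises neither element, which is all a pre-standard TKIP scheme such as Keyguard has to show, is indistinguishable from WEP at this layer. The beacons below are constructed, not captured.

```python
"""Classify 802.11 encryption from a beacon frame body (added example).

Beacon body layout: timestamp (8) | beacon interval (2) |
capability (2, little-endian) | information elements (tag, length, data)...
"""
from typing import Dict, List, Optional, Tuple

CAP_PRIVACY = 0x0010                  # capability bit: encryption in use
IE_RSN = 48                           # RSN element (WPA2 / 802.11i)
IE_VENDOR = 221                       # vendor-specific element
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"    # Microsoft OUI + type 1 = WPA1 element
CIPHERS = {2: "TKIP", 4: "CCMP"}      # suite-type byte -> cipher name
AKMS = {1: "802.1X", 2: "PSK"}        # suite-type byte -> authentication


def parse_ies(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk tag/length/data elements, stopping cleanly at a truncated one."""
    ies, pos = [], 0
    while pos + 2 <= len(blob):
        tag, length = blob[pos], blob[pos + 1]
        data = blob[pos + 2:pos + 2 + length]
        if len(data) < length:
            break
        ies.append((tag, data))
        pos += 2 + length
    return ies


def parse_suites(data: bytes) -> Dict[str, List[int]]:
    """Shared body of the RSN and WPA elements after their header:
    version(2) | group suite(4) | n(2) | pairwise suites(4n) | m(2) | AKM suites(4m).
    A truncated element simply yields empty suite lists."""
    pos = 6                                            # skip version + group cipher
    n = int.from_bytes(data[pos:pos + 2], "little"); pos += 2
    pairwise = [data[pos + 4 * k + 3] for k in range(n) if pos + 4 * k + 3 < len(data)]
    pos += 4 * n
    m = int.from_bytes(data[pos:pos + 2], "little"); pos += 2
    akms = [data[pos + 4 * k + 3] for k in range(m) if pos + 4 * k + 3 < len(data)]
    return {"pairwise": pairwise, "akm": akms}


def classify_beacon_body(body: bytes) -> Dict[str, object]:
    capability = int.from_bytes(body[10:12], "little")
    rsn: Optional[bytes] = None
    wpa: Optional[bytes] = None
    for tag, data in parse_ies(body[12:]):
        if tag == IE_RSN:
            rsn = data
        elif tag == IE_VENDOR and data[:4] == WPA_OUI_TYPE:
            wpa = data[4:]
    if rsn is not None:
        label, suites = "WPA2", parse_suites(rsn)
    elif wpa is not None:
        label, suites = "WPA", parse_suites(wpa)
    elif capability & CAP_PRIVACY:
        # Privacy bit with no RSN/WPA element: WEP, or a pre-standard scheme
        # (Symbol Keyguard) that this layer cannot tell apart from WEP.
        return {"encryption": "WEP", "auth": None, "ciphers": []}
    else:
        return {"encryption": "Open", "auth": None, "ciphers": []}
    return {
        "encryption": label,
        "auth": "/".join(AKMS.get(a, "AKM-%d" % a) for a in suites["akm"]) or None,
        "ciphers": [CIPHERS.get(c, "cipher-%d" % c) for c in suites["pairwise"]],
    }


def ie(tag: int, data: bytes) -> bytes:
    return bytes([tag, len(data)]) + data


def beacon_body(capability: int, *ies: bytes) -> bytes:
    return bytes(8) + (100).to_bytes(2, "little") + capability.to_bytes(2, "little") + b"".join(ies)


# Constructed beacons (not captured traffic).
SSID = ie(0, b"lab")
RSN_PSK_CCMP = ie(IE_RSN, bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000"))
WPA_PSK_TKIP = ie(IE_VENDOR, bytes.fromhex("0050f201 0100 0050f202 0100 0050f202 0100 0050f202"))
BEACONS = {
    "open":     beacon_body(0x0001, SSID),
    "wep_like": beacon_body(0x0011, SSID),                 # Privacy bit, no RSN/WPA element
    "wpa2_psk": beacon_body(0x0011, SSID, RSN_PSK_CCMP),
    "wpa_psk":  beacon_body(0x0011, SSID, WPA_PSK_TKIP),
}

if __name__ == "__main__":
    for name, body in BEACONS.items():
        print(name, classify_beacon_body(body))
```

Telling Keyguard apart from WEP therefore needs evidence beyond the beacon, such as the data-frame header layout or the replay behaviour the slide mentions, which is exactly why the pcap donations matter.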

Page 45

Page 46

Government Crypto (Type 3 or 4)

• Type 4
  – (Exportable) 40bit non-sense
• Type 3
  – Cranite
    • Appears defunct
  – Fortress
    • FIPS 140-2
    • 802.11i

Page 47

Huh?

• Government Crypto: Precursors to 802.11i
  – Cranite
  – Fortress
• Hardware or software encryption/decryption
• Strong encryption (Typically AES)
• Strong Authentication (Typically certificates)

Page 48

Unencrypted ?

Page 49

Does this look unencrypted to you?

Page 50

Government Crypto (Type 1)

• Harris Secnet 11
  – Intersil Prism 2 and Harris Sierra Crypto™ Module
  – Encrypts entire MPDU
  – Essentially Invisible
• Harris Secnet 54
  – Modular separation between encrypter and radio
  – Compatible with COTS equipment
  – Layer 2 and/or 3 encryption available

Page 51

Invisible?

+ /* Allow CRC errors through */

+ if (rs.rs_status & AR5K_RXERR_CRC) {

+ goto accept;

+ }
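Review bot: the bare `goto accept` on `AR5K_RXERR_CRC` hands frames that failed their frame check sequence up the stack indistinguishable from good ones, so anything downstream that decodes or logs them will treat corrupt bytes as real data. Suggest marking the frame on this branch (the radiotap Flags field has a bad-FCS bit for exactly this) so a sniffer can show that it failed CRC, and keeping the behaviour behind a debug or module option rather than unconditional in the receive path, since in normal use CRC failures are noise rather than fully encrypted MPDUs.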

*Super Special thanks to dragorn for writing this in like 6 seconds for me

Page 52

Pcap beg

• Am I looking for something that you have?
• Do you know of an encryption that I didn’t mention?
• Have you found something just plain odd?

SEND ME PCAPS

[email protected]

Page 53

WIDS/WIPS

• Wireless Intrusion Detection System
  – Early products
  – “Noise maker”
• Wireless Intrusion Prevention System
  – Later Products
  – Log events
  – Auto-classify devices
  – Prevent wireless threats in real time

Page 54

Hybrid vs Overlay

• Hybrid
  – Access Points double as Sensors
  – Typically ignores client behavior
  – Every tick spent doing security means no data transport
  – No additional hardware to buy
  – Some of these can be fixed by deploying as…
• Overlay
  – Dedicated Sensors to handle security
  – Spends 100% of time focusing on security
  – Additional hardware required

Page 55

Auto-Classification

Page 56

How does it work?

“Example of a switch polling based method of wired status detection”*

*Not all systems use this method

[Diagram: wireless client 00:11:22:33:44:55 seen by the sensor; the same MAC looked up in the switch CAM table]
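The switch-polling method on the slide, as an added example (not any vendor's WIPS code; the CAM table, inventory and sensor observations are constructed): the sensor reports each BSSID together with the client MACs seen associated to it, the WIPS polls the switches for their CAM tables, and an AP whose own MAC or whose clients' MACs appear on a switch port is on the wire. Combined with the authorized-AP inventory that gives the authorized / rogue / external classification.

```python
"""Switch-polling wired-status detection for WIPS auto-classification
(added example, constructed data).

Sensors report each BSSID and the client MACs seen associated to it; the WIPS
polls the switches for their CAM (MAC address) tables. If the AP's own MAC or
one of its clients' MACs shows up on a switch port, that AP is on our wire.
Combined with the authorized-AP inventory this yields the classification.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed CAM table as a WIPS might collect it: MAC -> (switch, port)
CAM_TABLE: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:55": ("sw-floor2", "Gi1/0/7"),    # the client from the slide
    "aa:bb:cc:00:00:01": ("sw-core",   "Gi1/0/24"),   # wired side of an authorized AP
    "de:ad:be:ef:00:10": ("sw-floor3", "Gi1/0/12"),   # a laptop bridged through an unknown AP
}

AUTHORIZED_BSSIDS: Set[str] = {"aa:bb:cc:00:00:01"}

# Constructed sensor observations: BSSID -> client MACs seen associated to it
WIRELESS_OBSERVATIONS: Dict[str, Set[str]] = {
    "aa:bb:cc:00:00:01": {"00:11:22:33:44:55"},
    "de:ad:be:ef:00:00": {"de:ad:be:ef:00:10"},
    "c0:ff:ee:00:00:01": {"c0:ff:ee:00:00:02"},   # a neighbour's AP, nothing on our wire
}


def wired_evidence(bssid: str, clients: Iterable[str],
                   cam: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(mac, switch, port) for every MAC that ties this AP to the wired network."""
    hits = []
    for mac in [bssid, *sorted(clients)]:
        if mac in cam:
            hits.append((mac, *cam[mac]))
    return hits


def classify_ap(bssid: str, clients: Iterable[str], cam, authorized: Set[str]) -> str:
    """authorized: in inventory.  rogue: not in inventory but its traffic reaches
    our wire.  external: unknown AP with no wired evidence (neighbour, hotspot)."""
    if bssid in authorized:
        return "authorized"
    if wired_evidence(bssid, clients, cam):
        return "rogue"
    return "external"


def classify_all(observations: Dict[str, Set[str]], cam, authorized: Set[str]) -> Dict[str, str]:
    return {b: classify_ap(b, c, cam, authorized) for b, c in observations.items()}


if __name__ == "__main__":
    verdicts = classify_all(WIRELESS_OBSERVATIONS, CAM_TABLE, AUTHORIZED_BSSIDS)
    for bssid, verdict in verdicts.items():
        print(bssid, verdict, wired_evidence(bssid, WIRELESS_OBSERVATIONS[bssid], CAM_TABLE))
```

A MAC in a CAM table only proves that the MAC reached the wire: a dual-homed laptop (wired and wireless at once) produces the same evidence as a bridged rogue, which is one reason the slide's footnote notes that not all systems rely on this method alone; the "rogue" verdict is what triggers further confirmation and remediation, not the final word.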

Page 57

Final WIPS Thoughts

• You are not invisible
  – Corporations and Organizations are monitoring wifi
• You are not invincible
  – Automatic Threat Remediation
  – Automatic Location Tracking
• Even odd frequencies may not be safe
  – Many WIPS monitor extended channel sets

Page 58

Pentoo

• A great platform to launch wireless attacks
• LiveCD
• Based on Gentoo
• Safe to install
• Updates often
• www.pentoo.ch

Page 59

Thanks

• Contact me if
  – You have a license or country you wish added to the Ath5k patches
  – You have pcaps of an unusual encryption used commonly with wifi

[email protected]

Try Pentoo www.pentoo.ch