Shifting the Focus of WiFi Security:


“We need a special holiday to honor the countless
kind souls with unsecured networks named 'linksys'.”
www.xkcd.com
“If you're not cool enough to do it manually, you can look up tools like
Upside-Down-Ternet for playing games with people on your wifi.”
www.xkcd.com
“I hear this is an option in the latest Ubuntu release.”
…isn’t BackTrack 4 based on Ubuntu…
www.xkcd.com
802.11 ObgYn
Spread your Spectrum
IEEE 802.11y
• 802.11o is a reserved and unused letter
• When I submitted this talk, I didn’t realize that 802.11y had been ratified
• This really ruined my joke name…
• Sadly, I don’t have an 802.11y card or driver so we will not be discussing 3650-3700MHz
• I really hope this doesn’t disappoint anyone, I will try to make it up to you all next time…
Who am I and why do you care?

Rick “Zero_Chaos” Farina
• Senior Wireless Security Researcher for AirTight Networks
• Aircrack-ng Team Member
• Embedded Development
• Maverick Hunter Rank S
• You might remember me from such things as:
– Walking into my own talk late at Defcon 16
– Rudely interrupting other people's talks...
– ...and inciting hackers to riot
Now I'm back!

Today's Agenda
• Freq Update
– Updated patches
– Updated information
• Unusual Encryption
– Like what?
– How to detect it
• Wireless Intrusion Detection and Prevention
– What is it?
– How it works

Standard DISCLAIMER:
• Some of the topics in this presentation may be used to break the law in new and exciting ways…
• Of course I do not recommend breaking the law and it is your responsibility to check your local laws and abide by them.
• DO NOT blame me when a three letter organization knocks on your door.
• I am not an expert, this is all based on my research and dumb luck.
Contest
Find the AP
• I have hidden an AP somewhere in the airwaves
• Report the center frequency of operation, SSID, and mac address to win
• (Insiders and friends are not eligible)

Spoils* (first winner only)
Find the AP before the end of the talk
• Ubiquiti Super Range Cardbus wifi card
• Your face in the video if you are right
• Public embarrassment if you are wrong
Find the AP before 17:00
• $50 towards a nice Atheros card
Find the AP after 17:00
• Hearty handshake and a pat on the back
*game may end early due to unforeseen hardware failure
We have discussed this before:

WiFi Frequencies
• .11b/g 2412-2462 (US)
• .11a 5180-5320, 5745*-5825 (US)
• (regulatory settings from kernel old reg)

Obviously makes no sense
• Does the card really not have the ability to use 5320-5745?
*DFS channels excluded due to driver limitations
Licensed Bands
Some vendors make special licensed radios
• Special wifi cards for use by military and public safety
• Typically very expensive
• Frequencies of 4920 seem surprisingly close to 5180

Manufacturers are cheap
Atheros and others sometimes support more channels
• Allows for 1 radio to be sold for many purposes.
• Software controls allowed frequencies
Who Controls the Software?

Yesterday
• Most wifi drivers in Linux require binary firmware of some kind
• Controls anything the vendor wants

Today
• More and more vendors are going fully open source

Who do we like for this stuff?
Undesirable: Intel, Marvell, Broadcom
• Closed source (sometimes buggy) firmware.
• Ignores requests for chipset docs.
• Releases completely closed source binary drivers.
Preferred: Atheros, Ralink
• Fully open source drivers.
• Developers working with the community.
Our Playground
Madwifi-ng was driven by a binary HAL
• Ath5k is the fully open source driver now in the kernel
• Kugutsumen released a patch for “DEBUG” regdomain
• Allows for all *officially* supported channels to be tuned to
Fun Comments in ath5k
/* Set this to 1 to disable regulatory domain restrictions for channel tests.
 * WARNING: This is for debugging only and has side effects (eg. scan takes too
 * long and results timeouts). It's also illegal to tune to some of the
 * supported frequencies in some countries, so use this at your own risk,
 * you've been warned. */

Comments (cont)
/*
 * XXX The transceiver supports frequencies from 4920 to 6100GHz
 * XXX and from 2312 to 2732GHz. There are problems with the
 * XXX current ieee80211 implementation because the IEEE
 * XXX channel mapping does not support negative channel
 * XXX numbers (2312MHz is channel -19). Of course, this
 * XXX doesn't matter because these channels are out of range
 * XXX but some regulation domains like MKK (Japan) will
 * XXX support frequencies somewhere around 4.8GHz.
 */
New Toys

Yesterday
• .11b/g 2412-2462 (US)
• .11a 5180-5320, 5745-5825 (US)

Today
• Ubiquiti SRC
– .11b/g 2192-2732
– .11a 4800-6000
• Linksys WPC55AG ver 1.3
– .11b/g 2277-2484
– .11a 4800-6000
Spectrum Analyzer

Fully tested frequencies
• Sadly no one would let me borrow a SA
Warning: This will differ from card to card
• I’ve already lost a few wifi cards…
What is on these new freq?
Start (MHz)  End (MHz)  Allocation
2180.000     2200.000   Fixed Point-to-point (n-p)
2200.000     2290.000   DoD
2300.000     2310.000   Amateur
2390.000     2450.000   Amateur
2450.000     2500.000   Radio location
2500.000     2535.000   Fixed SAT
2500.000     2690.000   Fixed Point-to-point (n-p), Instructional TV
2655.000     2690.000   Fixed SAT
2690.000     2700.000   Radio Astronomy
2700.000     2900.000   DoD
Freq (cont)
Start (MHz)  End (MHz)  Allocation
4400.000     4990.000   DoD
4990.000     5000.000   Meteo - Radio Astronomy
5250.000     5650.000   Radio Location - Coastal Radar
5460.000     5470.000   Radio Nav - General
5470.000     5650.000   Meteo - Ground-based Radar
5650.000     5925.000   Amateur
5800.000                ISM
5925.000     6425.000   Common Carrier and Fixed SAT
Limitations
Many real licensed implementations are broken
• Card reports channel 1 but is actually on 4920MHz or some such
• This is done to make it easy to use existing drivers
• This breaks many open source applications
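As an added example (not from the talk), here is a small frequency-first reporting routine of the kind the two allocation tables and the channel-number complaints above call for: it derives the IEEE channel from the center frequency across the extended tuning ranges, looks up which slide-table allocation the frequency lands in, and flags a driver whose reported channel disagrees with the frequency it is really on. The allocation list is transcribed from the tables; the function names are my own.

```python
# Added example, not from the talk: report by frequency, and distrust the
# channel number a card claims. Allocation ranges (MHz) are transcribed from
# the two slide tables, treated as half-open [start, end); the 5800 ISM row
# has no end frequency on the slide so it is omitted here.
ALLOCATIONS = [
    (2180, 2200, "Fixed Point-to-point (n-p)"), (2200, 2290, "DoD"),
    (2300, 2310, "Amateur"), (2390, 2450, "Amateur"),
    (2450, 2500, "Radio location"), (2500, 2535, "Fixed SAT"),
    (2500, 2690, "Fixed Point-to-point (n-p), Instructional TV"),
    (2655, 2690, "Fixed SAT"), (2690, 2700, "Radio Astronomy"),
    (2700, 2900, "DoD"), (4400, 4990, "DoD"),
    (4990, 5000, "Meteo - Radio Astronomy"),
    (5250, 5650, "Radio Location - Coastal Radar"),
    (5460, 5470, "Radio Nav - General"),
    (5470, 5650, "Meteo - Ground-based Radar"), (5650, 5925, "Amateur"),
    (5925, 6425, "Common Carrier and Fixed SAT"),
]

def freq_to_channel(mhz):
    """IEEE channel for a center frequency, or None if it is off the 5 MHz
    grid. The 2.4 GHz rule (2407 + 5*ch) and 5 GHz rule (5000 + 5*ch) are
    applied over the whole 2192-2732 / 4800-6000 span the cards above can
    tune, so frequencies below the normal bands get negative numbers
    (2312 MHz -> -19, the case the ath5k comment complains about)."""
    if mhz == 2484:                 # channel 14: the one irregular spacing
        return 14
    off = mhz - (2407 if mhz < 3000 else 5000)
    return off // 5 if off % 5 == 0 else None

def allocations_for(mhz):
    """All slide-table allocations covering mhz (ranges overlap, so a list)."""
    return [name for lo, hi, name in ALLOCATIONS if lo <= mhz < hi]

def channel_claim_is_consistent(reported_channel, actual_mhz):
    """False for the 'reports channel 1 but is actually on 4920MHz' firmware:
    the claimed channel is not the one the real frequency implies."""
    return freq_to_channel(actual_mhz) == reported_channel

def report(actual_mhz, reported_channel=None):
    """One sniffer display line that leads with the frequency."""
    claim = ("" if reported_channel is None else
             " claim_ok=%s" % channel_claim_is_consistent(reported_channel, actual_mhz))
    return "%d MHz ch=%s alloc=%s%s" % (
        actual_mhz, freq_to_channel(actual_mhz),
        "/".join(allocations_for(actual_mhz)) or "-", claim)
```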

Airodump-ng
Airodump-ng now supports a list of frequencies to scan rather than channels
• Only channels are shown in display, may be wrong
• Strips vital header information off of packet so data saved from extended channels is useless
Improvement Was Needed
Sniffers were too trusting, they believed what they saw
• Never intended to deal with oddly broken implementations such as channel number fudging
• Sniffers had to mature to report more reality, and fewer assumptions

Kismet
Kismet-newcore fully supports frequency ranges
• Displays channels AND frequency in display
• Saves pcap files with usable headers
• dragorn just generally rocks

Kismet-Newcore
• Usable now in SVN from kismetwireless.net
• Would have been a Kismet-Test1 release for Shmoocon but setting up freeradius sucks. Bad.
• New UI, better logging, improved IDS features, *Plugins*, new mapping SW on its way
• Autoconfig device support
• Multiple protocol support via plugins – DECT cordless phone sniffing
– dragorn
Kernel Regulatory Changes

“old reg” deprecated soon
• Contains very few static regulatory domains
• Built right into kernel

New userspace Central Regulatory Domain Agent
• Userspace app called by udev named crda
• Takes input from visible AP or user through iw
• Sets accurate reg domain based on country
• Uses separate wireless-regdb which contains country information
Ath5k frequency patches

Old ath5k patches
• Completely removed tx
• No way to control tx
• If you are in any mode but monitor you ARE breaking the law

New Ath5k patches
• No patch for old reg
• crda controls which freq you can tx on
• Able to use card safely within the law
Patch released

New ath5k patch released for vanilla kernel 2.6.28.x
• I can't support every distro
• Available from aircrack-ng svn
• Included directions for required userspace tools
Patch available for wireless-regdb
• US only (willing to add more on request)
• Binary regulatory.bin will be made available
• Willing to add capabilities for Licensed Professional and Amateur operations
Future Research in this Area

Kernel Acceptance
• Need to fix a few minor bugs
Ath9k support
• Yes, these can be extended as well
Ralink support
• I've got a hot tip that these support much fun
Final Thoughts on Frequencies
Remember everyone here is a white hat
• Please use your newfound knowledge for good not evil
• In the United States it is LEGAL to monitor all radio frequencies
• Have fun…

Unusual Crypto
• What do we know?
– Kismet and Airodump-ng detect 802.11 encryptions
• WEP/WEP+/DWEP/LEAP
• WPA/WPA2 PSK/802.1x
• EAP types used
Have you ever seen…
• a WEP network invulnerable to replay?
• Open AP that you cannot connect to?
• 802.11 on Spectrum Analyzer but an empty pcap file?
Symbol Keyguard
• “TKIP encryption implementation based on the
forthcoming 802.11i standard”
• “Kerberos V5 based mobile security”
• “EAP/TLS with 802.1X port-based Network Access
Control or RADIUS”
• Really it is just pre-standard tkip
• Replay prevention
• Detected as WEP by Kismet and Airodump-ng
• Thanks to pcap donations, Kismet is adding detection
Government Crypto (Type 3 or 4)
• Type 4
– (Exportable) 40-bit nonsense
• Type 3
– Cranite
• Appears defunct
– Fortress
• FIPS 140-2
– 802.11i
Huh?
• Government Crypto Precursors to 802.11i
– Cranite
– Fortress
• Hardware or software encryption/decryption
• Strong encryption (Typically AES)
• Strong Authentication (Typically certificates)
Unencrypted ?
Does this look unencrypted to you?
Government Crypto (Type 1)
• Harris Secnet 11
– Intersil Prism 2 and Harris Sierra Crypto™ Module
– Encrypts entire MPDU
– Essentially Invisible
• Harris Secnet 54
– Modular separation between encrypter and radio
– Compatible with COTS equipment
– Layer 2 and/or 3 encryption available
Invisible?
+
+
+
+
/* Allow CRC errors through */
if (rs.rs_status & AR5K_RXERR_CRC) {
goto accept;
}
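Review bot: the new `goto accept` fires for every frame with AR5K_RXERR_CRC set, in every operating mode, and nothing in the hunk marks the frame as having failed its FCS, so whatever is downstream (mac80211, the sniffer writing the pcap) receives corrupted frames that look identical to good ones. For a monitor-mode visibility patch it would be safer to gate the branch on monitor mode and to set mac80211's RX_FLAG_FAILED_FCS_CRC on the rx status before the jump, so user space sees the frame carrying the bad-FCS radiotap flag rather than as valid data.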
*Super Special thanks to dragorn for writing this in like 6 seconds for me
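To show what a sniffer is actually deciding when it drops or keeps a frame, here is an added example (not from the talk and not the ath5k code): the 802.11 FCS check, the drop-versus-keep-and-tag policy, and a constructed frame scrambled end to end as a stand-in for a device that encrypts the whole MPDU. The frame contents, the XOR scrambler and the function names are all constructed for illustration.

```python
# Added example, not from the talk or the ath5k patch: the check a sniffer
# performs before it decides whether a received frame is worth keeping, and
# the two policies contrasted above (drop on FCS failure vs. keep and tag).
import struct
import zlib

def fcs(mpdu_body):
    """802.11 FCS: CRC-32 over the MPDU, transmitted little-endian."""
    return struct.pack("<I", zlib.crc32(mpdu_body) & 0xFFFFFFFF)

def fcs_ok(frame):
    """True if the last four bytes are a valid FCS for the bytes before them."""
    return len(frame) > 4 and fcs(frame[:-4]) == frame[-4:]

def triage(frames, keep_bad_fcs=False):
    """Default sniffer behaviour: drop anything that fails FCS. With
    keep_bad_fcs=True every frame is kept, tagged with its FCS result, which
    is what letting CRC errors through in the driver gives user space."""
    return [(f, fcs_ok(f)) for f in frames if keep_bad_fcs or fcs_ok(f)]

# Constructed sample frame: a minimal data-frame header (frame control,
# duration, three addresses, sequence control) plus a payload, then the FCS.
HEADER = (bytes.fromhex("0800") + bytes.fromhex("0000")
          + bytes.fromhex("001122334455") + bytes.fromhex("00aabbccddee")
          + bytes.fromhex("001122334455") + bytes.fromhex("1000"))
PLAIN = HEADER + b"constructed plaintext payload"
GOOD_FRAME = PLAIN + fcs(PLAIN)

def scramble_whole_mpdu(frame, key=0x5A):
    """Stand-in for a device that encrypts the entire MPDU including the FCS:
    a plain XOR so the example stays self-contained. The result fails FCS,
    which is why such frames never reach a default-configured sniffer."""
    return bytes(b ^ key for b in frame)

INVISIBLE_FRAME = scramble_whole_mpdu(GOOD_FRAME)
```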
Pcap beg
• Am I looking for something that you have?
• Do you know of an encryption that I didn’t
mention?
• Have you found something just plain odd?
SEND ME PCAPS
[email protected]
WIDS/WIPS
• Wireless Intrusion Detection System
– Early products
– “Noise maker”
• Wireless Intrusion Prevention System
– Later Products
– Log events
– Auto-classify devices
– Prevent wireless threats in real time
Hybrid vs Overlay
• Hybrid
– Access Points double as Sensors
– Typically ignores client behavior
– Every tick spent doing security means no data transport
– No additional hardware to buy
– Some of these can be fixed by deploying as…
• Overlay
– Dedicated Sensors to handle security
– Spends 100% of time focusing on security
– Additional hardware required
Auto-Classification
How does it work?
[Diagram: a switch CAM table holding 00:11:22:33:44:55, and a wireless client with the same MAC 00:11:22:33:44:55; the MAC seen over the air is also found on the wire]
“Example of a switch polling based method of wired status detection”*
*Not all systems use this method
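An added example, not from the talk or any vendor's product, of the switch-polling wired-status method the diagram sketches: it joins the client-to-BSSID associations the sensors hear with the MAC addresses polled from switch CAM tables and labels each AP accordingly. The MACs, switch names, port names and labels are all constructed.

```python
# Added example, not from the talk or any product: a toy of the switch-polling
# wired-status method the slide sketches. Sensors report which client is
# associated to which BSSID over the air; the server polls switch CAM tables.
# An air-side MAC that also shows up in a CAM table means its AP is bridging
# wireless traffic onto the wired network. All names and MACs are constructed.

def norm(mac):
    """Canonical form so CAM dumps (often dashed, upper case) match air data."""
    return mac.strip().lower().replace("-", ":")

def locate_on_wire(mac, cam_entries):
    """(switch, port) where the CAM tables saw mac, or None."""
    mac = norm(mac)
    for switch, port, seen in cam_entries:
        if norm(seen) == mac:
            return (switch, port)
    return None

def classify_aps(authorized_bssids, associations, cam_entries):
    """Return {bssid: label}.
    authorized_bssids : BSSIDs the organisation deployed
    associations      : (client_mac, bssid) pairs observed by sensors
    cam_entries       : (switch, port, mac) rows polled from switches
    Labels: 'authorized'; 'rogue (bridged to wire)' when the BSSID or one of
    its clients is on the wire; otherwise 'external' (a neighbour's AP)."""
    authorized = {norm(b) for b in authorized_bssids}
    on_wire = {norm(m) for _, _, m in cam_entries}
    result = {}
    for client, bssid in associations:
        client, bssid = norm(client), norm(bssid)
        if bssid in authorized:
            result[bssid] = "authorized"
        elif bssid in on_wire or client in on_wire:
            result[bssid] = "rogue (bridged to wire)"
        else:
            result.setdefault(bssid, "external")
    return result

# Constructed sample input.
AUTHORIZED = {"00:0b:86:c1:00:10"}
ASSOCIATIONS = [
    ("00:1c:b3:09:85:15", "00:0b:86:c1:00:10"),  # staff laptop on a corporate AP
    ("00:16:cb:8f:22:aa", "00:18:f8:de:ad:01"),  # unknown AP, client also seen on wire
    ("00:1e:c2:11:22:33", "00:14:bf:ca:fe:02"),  # unknown AP, nothing on the wire
]
CAM_TABLE = [
    ("sw1", "Gi1/0/7", "00:1c:b3:09:85:15"),
    ("sw1", "Gi1/0/12", "00-16-CB-8F-22-AA"),    # dashed upper-case vendor format
]
```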
Final WIPS Thoughts
• You are not invisible
– Corporations and Organizations are monitoring wifi
• You are not invincible
– Automatic Threat Remediation
– Automatic Location Tracking
• Even odd frequencies may not be safe
– Many WIPS monitor extended channel sets
Pentoo
• A great platform to launch wireless attacks
• LiveCD
• Based on Gentoo
• Safe to install
• Updates often
• www.pentoo.ch
Thanks
• Contact me if
– You have a license or country you wish added to the Ath5k patches
– You have pcaps of an unusual encryption used commonly with wifi
• [email protected]
Try Pentoo
www.pentoo.ch