Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not...
Transcript of Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not...
![Page 1: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/1.jpg)
Cyber Security and Trust Research & DevelopmentCyber Security and Trust Research & Developmenthttp://www.ISTS.dartmouth.eduhttp://www.ISTS.dartmouth.edu
Dartmouth CollegeDartmouth College
IINSTITUTE NSTITUTE FORFOR SSECURITYECURITYTTECHNOLOGY ECHNOLOGY SSTUDIESTUDIES
Active 802.11 fingerprinting
Sergey BratusCory Cornelius, Daniel Peebles,
Axel Hansen
![Page 2: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/2.jpg)
Can a client station trust an AP?
Is this AP one of a trusted group, or evil faker?
Why yes, just exchange some crypto with it,and verify the AP knows the right secrets.
Problem solved, right?
Not exactly: are allthese exchangesbug-free?
www.ISTS.dartmouth.edu
Motivation INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
![Page 3: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/3.jpg)
Initially, an AP is just a MAC address (and other easily faked info)
That's all we know.
www.ISTS.dartmouth.edu
The problem INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
To perform crypto authentication of AP, driver must parse complex data structures
Complex data from untrusted source?
-- Is this such a good idea?
Trust me!
![Page 4: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/4.jpg)
www.ISTS.dartmouth.edu
Say it ain't so INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
LaptopWireless Access Point
rates, essid, ...
Probe Request -- Probe Response
![Page 5: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/5.jpg)
www.ISTS.dartmouth.edu
Say it ain't so INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
LaptopWireless Access Point
rates, essid, ...
Probe Request -- Probe Response
LaptopRing 0 exploit
![Page 6: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/6.jpg)
www.ISTS.dartmouth.edu
Say it ain't so INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
LaptopWireless Access Point
rates, essid, ...
Probe Request -- Probe Response
LaptopRing 0 exploit
![Page 7: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/7.jpg)
Early 802.11: AP = castle, must fight off barbarians (unauthorized clients)
Reality: can peasants = clients find the right castle?
• Dai Zovi, Macaulay: Karma• Shmoo: “Badass tackle...” • Simple Nomad: “Friendly skies...” • Cache & Maynor: “Hijackng a MacBook in 60 seconds”• Month of kernel bugs (Nov '06)
www.ISTS.dartmouth.edu
AP vs. clients INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
![Page 8: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/8.jpg)
Fingerprint the AP before trying to authenticate and associate with it:
limit the kinds of accepted data
Must be simple & cheap (no RF spectrum analysis, Fourier transforms, etc. )
Follow IP stack fingerprinting ideas:
unusual and non-standard header field combinations – but in link layer (L2)
www.ISTS.dartmouth.edu
Fingerprint it! INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
![Page 9: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/9.jpg)
www.ISTS.dartmouth.edu
Where we fit in INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
Passive“Reasonable & Customary” Frames
“Cruel & Unusual” Frames
L4 / L3
L2
Xprobe
P0fSinFP
J.Cache U5duration field
Franklin et al.probe timings
Fuzzers
Nmap
BAFFLE
![Page 10: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/10.jpg)
L3, need an L2 connection
• Nmap (1998-2006, ...)• Xprobe (2001, 2005, ...)• P0f (2000, 2006)• SinFP (2005)
• Timing-related: Ping RTT (2003), Clock Skew (2005)
• Scrubbers: Norm, Bro (2000-01)• Honeyd, Morph (2004-)• ... ?
www.ISTS.dartmouth.edu
TCP/IP fingerprinting INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
![Page 11: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/11.jpg)
www.ISTS.dartmouth.edu
BAFFLE INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
• Written in Ruby 1.8.2
• Ruby LORCON bindings from Metasploit
• Builds Pcap/BPF filters for 802.11 frames from Ruby objects
• Domain-specific language for tests, probes, and for matching responses
![Page 12: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/12.jpg)
www.ISTS.dartmouth.edu
Bits and states INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
Not all flags make sense for all types & subtypes
Not all flags make sense for all
states
Type Subtype
![Page 13: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/13.jpg)
www.ISTS.dartmouth.edu
802.11 fiddly bits INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
Only 0 makes sense on Mgmt & Ctrl
frames
Type Subtype
Unusualon
Probes
Not for Mgmtframes
![Page 14: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/14.jpg)
So many flags...
www.ISTS.dartmouth.edu
INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
![Page 15: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/15.jpg)
Probe Request tests
www.ISTS.dartmouth.edu
INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
![Page 16: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/16.jpg)
Auth Request tests
www.ISTS.dartmouth.edu
INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
![Page 17: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/17.jpg)
“Secret handshake”
www.ISTS.dartmouth.edu
INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
LaptopWireless Access Point?
• Send “gibberish” flag combinations in ProbeReq and AuthReq frames
• Watch for reactions (varying MACs helps):
• FromDS, ToDS, MoreFrags, MoreData on STA -> AP frames are all non-standard
![Page 18: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/18.jpg)
• Tony Capella (DC-11, '03): Ping RTT “Fashionably late – what your RTT tells ...”
• Kohno, Broido, Claffy ('05): Clock Skew“Remote physical device fingerprinting”
• Dan Kaminsky ('05): IP frag time-outs
• Johnny Cache (Uninformed.org 5, '06):Statistical analysis of the duration field
• Franklin et al (USENIX Sec, '06): ScanningTime intervals between Probe Req frames
www.ISTS.dartmouth.edu
Timing INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
802.11 L2
TCP/IP L3
![Page 19: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/19.jpg)
• Beacon frames contain AP clock's timestamp
• Each HW clock drift differently; skew is the derivative of the clock's offsets against another clock (cf. Kohno, Broido, Claffy '05)
• Issues:
– AP clock's unique skew can be estimated reliably within 1-2 mins
– Similar AP models have closer skews
– Faking (e.g., with a laptop + Wi-Fi card in master mode) is hard enough
www.ISTS.dartmouth.edu
AP beacon clock skew INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
![Page 20: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/20.jpg)
www.ISTS.dartmouth.edu
AP beacon clock skew INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
Sensor Time
AP
Ti
me
![Page 21: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/21.jpg)
www.ISTS.dartmouth.edu
AP beacon clock skew INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
![Page 22: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/22.jpg)
• Johnny Cache for many inspirations
• Joshua Wright and Mike Kershaw for LORCON
• ToorCon & Uninformed.org
• Everyone else who helped (including authors of madwifi*, Metasploit, Ruby, Lapack and many other great tools)
www.ISTS.dartmouth.edu
Source & Thanks INSTITUTE FOR SECURITYTECHNOLOGY STUDIES
Dartmouth College
http://baffle.cs.dartmouth.edu/
![Page 23: Active 802.11 fingerprinting · Nmap BAFFLE. L3, need an L2 connection • Nmap (1998-2006, ... Not all flags make sense for all types & subtypes Not all flags make sense for all](https://reader031.fdocuments.net/reader031/viewer/2022022514/5af6c9377f8b9a74448ff09d/html5/thumbnails/23.jpg)
Contact Information
Institute for Security Technology Studies
Dartmouth College6211 Sudikoff Laboratory
Hanover, NH 03755---------------------------------Phone: 603.646.0700
Fax: 603.646.1672
Email: [email protected]