Demystifying Wireless Security Using Open Source Options
Sweepin’ the Clouds Away
Demystifying Wireless Security Using Open Source Tools
Who Am I?
• Michele Chubirka, aka “Mrs. Y.,” Security Architect and professional contrarian.
• Analyst, blogger, B2B writer, podcaster.
• Researches and pontificates on topics such as security architecture and best practices.
http://postmodernsecurity.com
https://www.novainfosec.com/author/mrsy/
@MrsYisWhy
www.linkedin.com/in/mchubirka/
Wireless Security Doesn’t Have To Be So Hard
• You don’t always need a consultant or a commercial tool.
• All you need is the desire to learn.
• Open source offers great options.
• You can learn about Wifi security by using open source hacking tools against your own WLAN.
Build Your Toolkit
• Wireless devices that support RFMON (monitor mode).
• OS X supports this by default; Windows does not.
• On Windows, or in a Linux-based VM, you’ll need an external device with the right drivers.
• Alfa USB devices are inexpensive alternatives to AirPcap and are also suitable for injection, but not all models support both 2.4 and 5 GHz.
• Tablets will work, but you’ll need Android and should plan to “root” it.
• Apple disallows Wifi scanning apps, so you’ll need to jailbreak, which gets harder with every update.
Why You Need Monitor-Mode
• Monitor mode (RFMON) lets a wireless interface capture 802.11 WLAN frames without being associated with a network.
• This capability is essential for performing reconnaissance against a network.
Check hardware compatibility guides for the tools you want to use. You’ll need to be able to put your tablet/phone in USB host mode. It may require jailbreaking/rooting.
Pentest Dropboxes aka “Creepers”
• Unobtrusive, small-form-factor devices used by pentesters to gain a backdoor into a target network.
• Can be used to perform a security profile of your WLAN infrastructure.
• Also used as an inexpensive monitoring tool.
Where You Can Get One
• Minipwner
• OG150
• PwnPi
Low cost open source alternatives to Pwnie Express.
Roll Your Own
• Raspberry Pi
• Intel NUC
• TP-Link portable routers running OpenWrt.
• Pwnie Express even has a community edition you can build yourself.
Available Tools
• Aircrack-NG
• SSLStrip
• Tor
• Ettercap
• Kismet
Get A Pineapple
An inexpensive wireless network auditing tool. Highly customizable Wifi router, based on OpenWrt and Jasager.
Features
• Stealth man-in-the-middle access point.
• Tethering via mobile device or PC.
• Remote management with persistent SSH tunnels.
• Relay and deauth attacks.
Wireshark Is Your Friend
But there are other protocol analysis tools available.
Example: NetworkMiner
Wireshark in Monitor Mode
NetworkMiner Network Forensic Analysis Tool
Free and professional editions – can be used live or to parse PCAP files. Focuses on collecting data about hosts.
Kali Linux is filled with Wireless Tools
Pentoo and Backbox
Fun with Wifi
• Kismet
– An open source WIDS that works with any wireless device supporting monitor mode.
• Aircrack-NG
– An open source reconnaissance, key-cracking and testing tool.
Kismet
Aircrack-NG
inSSIDer – notice any similarities?
Miscellaneous Tools
• MDK3 – attack tool
• CoWPAtty – WPA cracking tool
• Reaver – WPS attack tool
• WiFite – auditing tool
Some Basics
• Three types of WLAN frames
– Management
– Control
– Data
You can view all of these in a protocol analyzer, but only if your device supports monitor-mode. You can successfully attack them, but only if injection is supported.
What?
• SSID (service set identifier) is the name of a network.
• BSSIDs (basic service set identifiers) identify access points and clients.
• An ESS (extended service set) consists of BSSs.
Wireless Association
EAP occurs after association.
Passive Vs. Active WLAN Discovery
• Beacon frames are transmitted at regular intervals in all WLAN networks for passive client discovery.
• Active WLAN discovery occurs when a client station sends a Probe Request to an AP and receives a Probe Response.
• Passive discovery is more appropriate for reconnaissance.
• Kismet and Aircrack-NG are passive tools.
Who’s Out There?
Configuring a “monitor mode” wireless interface and listing what it hears:

```shell
airmon-ng start wlan0
airodump-ng mon0
```
How To Find Hidden SSIDs
• Sniff in monitor-mode.
• Deauthenticate clients by injection with MDK3 or Aireplay-NG.
• Look for Probe Response, Association, or Reassociation packets in a protocol analyzer.
• Beacon, Probe Request, Probe Response and Association Request frames all contain the SSID.
Common Wireless Attacks
• Beating MAC filters with spoofing.
• Cracking WEP through weak IVs.
• Brute force against WPS.
• Brute force of WPA/WPA2 PSK.
• DoS deauth attacks.
• Evil Twin or Rogue access points.
• MITM with SSLstrip.
• Café Latte – client WEP attack.
Protecting the WLAN
• By understanding common attack vectors, you can address weaknesses in your infrastructure.
• WIPS use attack methods such as deauths for rogue mitigation.
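As an added example (not from the deck), the two points above on finding hidden SSIDs and on deauth frames as the WIPS signal, done as passive frame parsing in Python: it classifies raw 802.11 frames by type, pulls the SSID element out of beacon, probe response and association request frames (so a hidden beacon is resolved once a client associates), and counts deauthentication frames per sender the way a WIDS such as Kismet flags a deauth flood. All frames are constructed inline; radiotap headers and the FCS are assumed already stripped, and the MAC addresses, network name and threshold are the example's own.

```python
from collections import Counter
# Frame-control byte = version (2 bits) | type (2 bits) | subtype (4 bits); type 0 is management.
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon", 12: "deauth"}
# Fixed fields between the 24-byte MAC header and the tagged IEs, per management subtype.
MGMT_FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}
def mac(b): return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw):
    """Classify one raw 802.11 frame and pull the SSID IE (tag 0) where the subtype carries one."""
    ftype, subtype = (raw[0] >> 2) & 0x3, raw[0] >> 4
    info = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": None, "ssid": None,
            "addr1": mac(raw[4:10]), "addr2": mac(raw[10:16]), "bssid": mac(raw[16:22])}
    if ftype != 0:
        return info
    info["subtype"] = SUBTYPE_NAMES.get(subtype, str(subtype))
    pos = 24 + MGMT_FIXED_LEN.get(subtype, len(raw))   # subtypes without IEs skip the loop
    while pos + 2 <= len(raw):
        tag, length = raw[pos], raw[pos + 1]
        value = raw[pos + 2:pos + 2 + length]
        if tag == 0:   # an empty or null-filled SSID element is how a "hidden" network beacons
            info["ssid"] = "<hidden>" if not value.strip(b"\x00") else value.decode("utf-8", "replace")
            break
        pos += 2 + length
    return info

def resolve_hidden_ssids(frames):
    """BSSID -> SSID, replacing a hidden beacon name once a probe-resp or assoc-req reveals it."""
    names = {}
    for p in map(parse_frame, frames):
        if p["ssid"] and names.get(p["bssid"], "<hidden>") == "<hidden>":
            names[p["bssid"]] = p["ssid"]
    return names

def deauth_flood_sources(frames, threshold):
    """Senders of more than `threshold` deauth frames: the pattern a WIDS such as Kismet alerts on."""
    counts = Counter(p["addr2"] for p in map(parse_frame, frames) if p["subtype"] == "deauth")
    return {sender for sender, n in counts.items() if n > threshold}

def build_mgmt(subtype, dst, src, bssid, body):   # constructed frame: FC, duration, addr1-3, seq ctrl, body
    return bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

# Constructed sample capture: a hidden beacon, the frames that reveal its name, and one deauth.
AP, CLIENT, BCAST = bytes.fromhex("0011223344aa"), bytes.fromhex("66778899aabb"), b"\xff" * 6
BEACON_HDR = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"   # timestamp, beacon interval, capability
HIDDEN_BEACON = build_mgmt(8, BCAST, AP, AP, BEACON_HDR + b"\x00\x00" + b"\x01\x01\x82")
PROBE_RESP = build_mgmt(5, CLIENT, AP, AP, BEACON_HDR + b"\x00\x07LabWLAN")
ASSOC_REQ = build_mgmt(0, AP, CLIENT, AP, b"\x11\x04\x0a\x00" + b"\x00\x07LabWLAN")
DEAUTH = build_mgmt(12, BCAST, AP, AP, b"\x07\x00")   # reason code 7 (class 3 frame from non-associated STA)
SAMPLE_FRAMES = [HIDDEN_BEACON, PROBE_RESP, ASSOC_REQ, DEAUTH]
```

Feed `parse_frame` the 802.11 payloads from a monitor-mode capture (after the radiotap header) and the same two functions give you a hidden-SSID inventory and a per-sender deauth count to baseline against.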
Caution
• In many countries it is unlawful to interfere with wireless signals.
• Marriott was fined $600k in October 2014 for preventing hotel and conference guests from using personal hotspots, in violation of section 333 of the Communications Act of 1934.
47 U.S. Code § 333 - Willful or malicious interference
No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.
Demo?
Resources
• Securitytube.net
• Hak5.org
• MyLittlePwny http://www.instructables.com/id/MyLittlePwny-Make-a-self-powered-pentesting-box-/
• Pwn Pi http://www.pwnpi.com/
• Minipwner http://www.minipwner.com/
• Podcast episode, “How Do I Pwn Thee?” http://packetpushers.net/healthy-paranoia-show-17-how-do-i-pwn-thee/
Questions?
Where Can You Find Me?
Michele Chubirka
Spending quality time in kernel mode.
Fozzie before Kermit.
http://postmodernsecurity.com
Twitter @MrsYisWhy
Google+ MrsYisWhy