WiFi networks & RAW SOCKETS IL-HACK2009 Eddie Harari.
WiFi networks &
RAW SOCKETS
IL-HACK2009
Eddie Harari
Sniffing WiFi
Managed mode vs. Monitor mode
Promiscuous mode is driver/firmware dependent: every NIC has its own driver and firmware. Can we sniff with any card??? Monitor mode, IT IS!!!
802.11 Data frames
Frame size is not fixed! Encapsulation is 802.2 (inside the body). Some networks use QoS (an extra 2 bytes). Is it so important?
Sniffing in promiscuous mode
Ethernet II frame “EMULATION”
MITM Implementation
“Clear text” networks. “WEP” based networks. Shared & non-shared keys. Famous last words:
“I surf through my neighbor's WiFi connection.”
Monitor VS Managed
Monitor mode sniffs everything. Monitor mode is undetectable. Packet injection is hard… A word about WiFi encryption. Managed mode is a “dream environment” for packet injection.
So which one is it ?
Pre implementation considerations
SCAPY is for script kiddies!? (Scapy is a good solution for certain things…)
A MITM network attack must win race conditions.
What are the attacks that can take place here ?
Thinking of an attack
Don’t you hate it when your WiFi bandwidth is low because everyone else is using the AP?
RESET any TCP SYN request! From all machines but ours…
Why can’t you reset “MS” SYN requests on the client side…
MITM implementation
libpcap is the best tool to use in this scenario. Ability to sniff & inject packets. Supports all common DLTs. Supports managed and monitor modes. In monitor mode you can get radio headers… (FREAKY).
Code & Implementation
EXAMPLE I – RESETCON code (RESETCON POC code)
Some ideas of what can be done…
MSN contact stealer… DNS spoofing… File download injection… Any MITM attack.
Important things to remember…
802.11 headers are not fixed. Radiotap headers are not fixed. Code must win race conditions. Packet format is important. Detectable!? How to avoid that…
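The two reminders that headers are not fixed, together with the “Ethernet II frame EMULATION” and QoS slides above, boil down to one decoding step any analysis or detection tool working on monitor-mode captures has to get right. The following is an added example, not code from the talk: it walks a radiotap + 802.11 data frame by its real field lengths and re-emits the payload as an Ethernet II frame. The sample frame is constructed; an FCS trailer (if the radiotap flags say one is present) is assumed to have been stripped already.

```python
import struct
from typing import Optional

def to_ethernet(frame: bytes) -> Optional[bytes]:
    """Radiotap + 802.11 data frame -> Ethernet II frame, or None if there is no usable payload."""
    # Radiotap: version(1) pad(1) len(2, LE) present(4, LE) + variable fields; trust 'len', never a fixed size.
    if len(frame) < 8 or frame[0] != 0:
        return None
    rt_len = struct.unpack_from("<H", frame, 2)[0]
    dot11 = frame[rt_len:]
    if len(dot11) < 24:                      # minimum 3-address header
        return None
    fc0, fc1 = dot11[0], dot11[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2 or subtype & 0x04:         # only data frames, and not the "no data" subtypes (null, QoS null)
        return None
    if fc1 & 0x40:                           # Protected flag: body is WEP/TKIP/CCMP ciphertext, no LLC to read
        return None
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    a1, a2, a3 = dot11[4:10], dot11[10:16], dot11[16:22]
    hdr_len, a4 = 24, b""
    if to_ds and from_ds:                    # WDS frame: a fourth address follows sequence control
        a4, hdr_len = dot11[24:30], 30
    if subtype & 0x08:                       # QoS data subtypes carry the extra 2-byte QoS control field
        hdr_len += 2
    # Address mapping: which 802.11 address is the 802.3 destination/source depends on ToDS/FromDS.
    if not to_ds and not from_ds:
        dst, src = a1, a2
    elif from_ds and not to_ds:
        dst, src = a1, a3
    elif to_ds and not from_ds:
        dst, src = a3, a2
    else:
        dst, src = a3, a4
    body = dot11[hdr_len:]
    # 802.2 LLC/SNAP: DSAP AA, SSAP AA, control 03, OUI 00 00 00, then the EtherType.
    if len(body) < 8 or body[:6] != b"\xaa\xaa\x03\x00\x00\x00":
        return None
    return dst + src + body[6:8] + body[8:]

# Constructed sample: AP -> station (FromDS) QoS data frame carrying an IPv4 stand-in payload.
SAMPLE_FRAME = (
    bytes.fromhex("00000c00" "08000000" "8509a000")                 # radiotap, len 12, channel field (2437 MHz)
    + bytes.fromhex("8802" "2c00")                                  # FC: QoS data, FromDS; duration
    + bytes.fromhex("020000000001" "0200000000aa" "020000000002")   # addr1 (DA), addr2 (BSSID), addr3 (SA)
    + bytes.fromhex("1000" "0000")                                  # sequence control, QoS control
    + bytes.fromhex("aaaa03000000" "0800")                          # LLC/SNAP, EtherType IPv4
    + b"\x45\x00\x00\x14constructed"                                # constructed payload
)

if __name__ == "__main__":
    print(to_ethernet(SAMPLE_FRAME).hex())
```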
THANK YOU !!!