Wireless Network Risks and Controls: Offensive Security Tools, Techniques, and Defenses
22 January 2015 – ISACA Phoenix Chapter – Phoenix, AZ
Presented by: Ruihai Fang, Dan Petro, Bishop Fox, www.bishopfox.com
Introduction/Background
GETTING UP TO SPEED
Used to be a pain: lots of heavy things to carry
Kali VM and USB Adapter
NOW EASY
• Kali Linux VM + TP-LINK TL-WN722N (USB)
Laptops, netbooks (easier to conceal), and adapters
Asus Eee PC
TP-Link adapter capable of attaching a YAGI antenna
YAGI Antennas – Directional
Very good for attacking from a distance, like from the comfort of your hotel room.
Antenna Connector Cables are Necessary
WiFi Hacking Using Android Phones
StarTech Micro USB On-the-Go Adapter
Alfa 1000mW (1W) 802.11b/g USB WiFi Adapter. Uses the RTL8187 chipset.
Samsung Galaxy S3
Wireless Hacking Tools
ACROSS VARIOUS OSes
Wireless Tools
Discovery
• Supported operating systems
• Supported wireless protocols
• Active vs. passive scanning
• Packet capturing and decoding
• Distinguishes between AP, ad hoc, and client devices
• Statistics and reporting capabilities
• User interface
• Price
NirSoft Wireless Tools
WINDOWS HACKING TOOLS
• NirSoft – WirelessNetView
• NirSoft – WifiInfoView
• NirSoft – Wireless Network Watcher
inSSIDer Wi-Fi Scanner
WINDOWS HACKING TOOLS
Aircrack-ng Suite
LINUX HACKING TOOLS
Kismet
LINUX HACKING TOOLS
KisMAC
MAC OS X HACKING TOOLS
inSSIDer for Mac
MAC OS X HACKING TOOLS
Wi-Fi Pineapple
WIRELESS PENETRATION TESTING ROUTER
Features
WHAT CAN IT DO?
• Wireless jamming (de-auth attack)
• Man-in-the-Middle attack
• DNS spoof on the lured client
• Web-based management
• Tether via mobile broadband
• Battery powered and portable
Specs
THE HARDWARE
• Atheros AR9331 SoC at 400MHz
• 802.11 b/g/n 150 Mbps wireless
• 2x Ethernet, one PoE (Power-over-Ethernet) capable
• USB 2.0 for expanded storage, WiFi interface and mobile broadband
• Fast Linux Kernel 3.2 based Jasager firmware
Methodology
Social Engineering
1. Karma (Rogue AP)
2. DNS Spoof & MITM
3. Phishing
Auto-Association
PROBLEM TO EXPLOIT
Karma
HOW DOES IT WORK?
• Listen to wireless probes from nearby wireless devices
• Impersonate the requested wireless AP
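The two halves of the Karma problem are visible from the air: a client that probes for every network it has ever joined (the auto-association weakness), and a single BSSID that answers probe responses for all of them. The following script is an added example written for this transcript, not code from the presentation or from Bishop Fox; it runs simple detection heuristics over a constructed list of probe-request and probe-response observations of the kind a passive monitor such as Kismet reports. All MAC addresses, SSIDs and thresholds in it are made-up assumptions.

```python
from collections import defaultdict

# Constructed sample of 802.11 management-frame observations, in the shape a
# passive monitor could export: (frame_type, mac_address, ssid).
# Every MAC address and SSID below is made up for this example.
OBSERVATIONS = [
    # Probe requests: clients asking "is <ssid> nearby?" (the auto-association problem).
    ("probe_req",  "3c:07:54:aa:bb:01", "CorpWiFi9"),
    ("probe_req",  "3c:07:54:aa:bb:01", "HomeNet-2G"),
    ("probe_req",  "3c:07:54:aa:bb:01", "attwifi"),
    ("probe_req",  "3c:07:54:aa:bb:01", "Hotel-Guest"),
    ("probe_req",  "3c:07:54:aa:bb:02", "CorpWiFi9"),
    # Probe responses: APs answering with the SSID they claim to serve.
    ("probe_resp", "00:11:22:33:44:01", "CorpWiFi9"),
    ("probe_resp", "00:11:22:33:44:01", "CorpWiFi9"),
    ("probe_resp", "de:ad:be:ef:00:01", "CorpWiFi9"),
    ("probe_resp", "de:ad:be:ef:00:01", "HomeNet-2G"),
    ("probe_resp", "de:ad:be:ef:00:01", "attwifi"),
    ("probe_resp", "de:ad:be:ef:00:01", "Hotel-Guest"),
]


def ssids_by_address(observations, frame_type):
    """Map each MAC address to the set of SSIDs it named in frames of frame_type.
    Empty SSIDs (broadcast/wildcard probes) carry no information and are skipped."""
    table = defaultdict(set)
    for ftype, addr, ssid in observations:
        if ftype == frame_type and ssid:
            table[addr].add(ssid)
    return table


def karma_suspects(observations, min_ssids=3):
    """BSSIDs that answer probes for several unrelated SSIDs: the Karma signature.

    A legitimate AP answers only for the SSID(s) it is configured with, and
    multi-SSID APs normally use a distinct BSSID per SSID, so one BSSID claiming
    many different names is a strong rogue-AP indicator (threshold is a guess)."""
    table = ssids_by_address(observations, "probe_resp")
    return sorted(addr for addr, ssids in table.items() if len(ssids) >= min_ssids)


def chatty_clients(observations, min_ssids=2):
    """Clients whose probe requests leak their preferred-network list.

    These are the devices a Karma AP can lure; the fix on the client side is to
    disable 'connect automatically' and forget networks that are no longer used."""
    table = ssids_by_address(observations, "probe_req")
    return {addr: sorted(ssids) for addr, ssids in table.items() if len(ssids) >= min_ssids}


def impersonated_ssids(observations):
    """SSIDs that more than one BSSID claims to serve (possible evil twin of a real network)."""
    claims = defaultdict(set)
    for ftype, addr, ssid in observations:
        if ftype == "probe_resp" and ssid:
            claims[ssid].add(addr)
    return {ssid: sorted(bssids) for ssid, bssids in claims.items() if len(bssids) > 1}


if __name__ == "__main__":
    print("Karma suspects:", karma_suspects(OBSERVATIONS))
    print("Clients leaking their network list:", chatty_clients(OBSERVATIONS))
    print("SSIDs claimed by several BSSIDs:", impersonated_ssids(OBSERVATIONS))
```

On the constructed data the second BSSID is flagged as a Karma suspect, the first client is flagged for probing four different networks, and CorpWiFi9 is reported as served by two BSSIDs. The thresholds are starting points, not facts from the talk; a wireless IDS would additionally correlate signal strength and channel to separate a real multi-SSID deployment from a rogue.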
Karma
ROGUE AP
(Diagram label: reddit.com)
DNS Spoof
POISONING YOUR DNS
• Modify DNS records and point to a malicious site
• Man-in-the-middle between the victim and the Internet
(Diagram labels: reddit.com, Malicious site)
Phishing
PHISHING ATTACK
• Clone the official website (reddit.com)
• Implement key logger
• Deploy malware or backdoor on the forged website
• Compromise the victim
DEMO
Mitigation: Things that you should be doing
1. Disable the “Connect Automatically” setting on all unsecured wireless networks.
2. Use DNSCrypt or Google DNS
3. Don’t connect to any unsecured or unknown wireless network
4. Use a trusted VPN tunnel to encrypt the traffic on public networks
Raspberry Pi
FRUITYWIFI
• Raspberry Pi – cheap alternative (~$35)
• Fruity WiFi – Raspberry Pi version of the WiFi Pineapple
Easy-creds
AUTOMATING WIFI CLIENT ATTACKS
Dumping Keys
CLIENT EXPLOITING
Cracking WPA2-PSK with Pyrit
Using Kismet we’ve decided on our target network
Pyrit: https://code.google.com/p/pyrit/
Pyrit allows you to create massive databases, pre-computing part of the IEEE 802.11 WPA/WPA2-PSK authentication phase in a space-time tradeoff. Exploiting the computational power of many-core and other platforms through ATI-Stream, Nvidia CUDA and OpenCL, it is currently by far the most powerful attack against one of the world’s most used security protocols.
During recon, find what channel your target is on and capture only on that channel to increase your chances of getting a valid WPA handshake
CorpWiFi9 on Channel 6
Passive Monitoring with Kismet
Running Kismet for 12 hours will capture lots of packets, and PCAP files can be large.
DEMO
Stripping a PCAP File with Pyrit
Randomly captured WPA2 handshake after running Kismet for 12 hours in my apartment
A Typical Windows 7 Wireless Client Using WPA2
WPA 4-Way Handshake
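What makes a capture usable, and what tools such as pyrit strip keep from a 12-hour Kismet PCAP, is a complete 4-way handshake: four EAPOL-Key frames whose Key Information flags identify them as messages 1 to 4 and whose replay counters tie M1 to M2 and M3 to M4. The script below is an added example for this transcript, not code from the presentation, from Bishop Fox or from pyrit; it classifies EAPOL-Key frames by their flag bits and checks whether a given AP/client pair has a complete handshake. The frames are constructed in-line (no PCAP parsing), the MAC addresses are made up, and the key_info values are the ones typically seen for a WPA2/CCMP exchange.

```python
from collections import defaultdict

# EAPOL-Key "Key Information" flag bits (IEEE 802.11i / 802.11-2012, clause 11.6.2).
KEY_INFO_INSTALL = 0x0040
KEY_INFO_ACK     = 0x0080
KEY_INFO_MIC     = 0x0100
KEY_INFO_SECURE  = 0x0200

# Constructed capture: each record is one EAPOL-Key frame already extracted
# from a PCAP. MACs are made up; key_info values are typical WPA2/CCMP ones.
AP = "00:11:22:33:44:01"
STA = "3c:07:54:aa:bb:01"
OTHER_STA = "3c:07:54:aa:bb:02"
FRAMES = [
    {"src": AP,  "dst": STA, "key_info": 0x008a, "replay": 1},        # M1: ANonce
    {"src": STA, "dst": AP,  "key_info": 0x010a, "replay": 1},        # M2: SNonce + MIC
    {"src": AP,  "dst": STA, "key_info": 0x13ca, "replay": 2},        # M3: GTK, Install
    {"src": STA, "dst": AP,  "key_info": 0x030a, "replay": 2},        # M4: final MIC
    {"src": AP,  "dst": OTHER_STA, "key_info": 0x008a, "replay": 7},  # lone M1, no reply
]


def classify(key_info):
    """Return the handshake message number (1-4) for an EAPOL-Key frame, or None."""
    ack = bool(key_info & KEY_INFO_ACK)
    mic = bool(key_info & KEY_INFO_MIC)
    install = bool(key_info & KEY_INFO_INSTALL)
    secure = bool(key_info & KEY_INFO_SECURE)
    if ack and not mic:
        return 1  # M1: AP sends its nonce; no PTK yet, so no MIC
    if mic and not ack and not secure:
        return 2  # M2: station sends its nonce and the first MIC (derived from the PTK)
    if ack and mic and install:
        return 3  # M3: AP confirms the PTK and tells the station to install it
    if mic and not ack and secure:
        return 4  # M4: station's final acknowledgement (Secure bit set; see caveat below)
    return None


def handshake_messages(frames, ap, sta):
    """Message numbers seen between ap and sta, grouped by replay counter.
    Frames whose direction contradicts their message number are ignored."""
    seen = defaultdict(set)
    for frame in frames:
        if {frame["src"], frame["dst"]} != {ap, sta}:
            continue
        msg = classify(frame["key_info"])
        if msg is None:
            continue
        from_ap = frame["src"] == ap
        if (msg in (1, 3)) != from_ap:
            continue
        seen[frame["replay"]].add(msg)
    return dict(seen)


def is_complete(frames, ap, sta):
    """True when M1 and M2 share a replay counter and M3 and M4 share the next one.
    The AP increments the replay counter for M3, which is how the two halves are tied."""
    seen = sorted(handshake_messages(frames, ap, sta).items())
    for i, (counter, msgs) in enumerate(seen):
        if {1, 2} <= msgs:
            for later_counter, later_msgs in seen[i + 1:]:
                if later_counter == counter + 1 and {3, 4} <= later_msgs:
                    return True
    return False


if __name__ == "__main__":
    print("Client handshake:", handshake_messages(FRAMES, AP, STA), "complete:", is_complete(FRAMES, AP, STA))
    print("Other client:", handshake_messages(FRAMES, AP, OTHER_STA), "complete:", is_complete(FRAMES, AP, OTHER_STA))
```

Caveat: some pre-standard WPA (TKIP) implementations leave the Secure bit clear in M4, so M2 and M4 then look alike by flags alone; real tools additionally check whether the key nonce in the frame is all zeros, which is the usual M4 behaviour. On the constructed data the first client has a complete handshake and the second only a lone M1, which is what a capture of a client that went out of range mid-association looks like.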
Decrypting WPA Packet Captures with Found Key in Wireshark
Before and After Decryption in Wireshark
Before Applying WPA Key
After Applying WPA Key
Mobile WiFi Security Tools
Popular Mobile WiFi Hacking Tools
WiFi Sniffing on Android in Monitor Mode: http://www.kismetwireless.net/android-pcap/
Password Sniffing & Session Hijacking Using dSploit: http://dsploit.net/
iphone-wireless: https://code.google.com/p/iphone-wireless/wiki/Stumbler
More Discreet Monitoring Using Alfa 1W 802.11b/g
Model number AWUS036H. This uses the RTL8187 wireless chipset.
Android PCAP Monitor Mode on a Galaxy S3
ARP Spoofing & Detection
88:32:9b:0b:a8:06 is actually the Android phone pretending to be the default gateway at 192.168.1.254
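The detection side of the slide above comes down to one observation: after the phone starts spoofing, two different MAC addresses claim 192.168.1.254, and one MAC starts answering for several IPs. The script below is an added example written for this transcript, not code from the presentation or from Bishop Fox; it parses ARP reply lines in the style of tcpdump output and applies the arpwatch-style checks. The gateway IP and the phone's MAC are the values from the slide; the timestamps, the legitimate gateway MAC 02:00:00:00:00:fe and the other hosts are constructed.

```python
import re
from collections import defaultdict

# Constructed ARP reply lines in the style of tcpdump's ARP output.
# 192.168.1.254 and 88:32:9b:0b:a8:06 are from the slide; everything else is made up.
ARP_LOG = """\
12:00:01.000001 ARP, Reply 192.168.1.254 is-at 02:00:00:00:00:fe, length 28
12:00:01.000200 ARP, Reply 192.168.1.10 is-at 3c:07:54:aa:bb:01, length 28
12:00:05.000001 ARP, Reply 192.168.1.254 is-at 88:32:9b:0b:a8:06, length 28
12:00:06.000001 ARP, Reply 192.168.1.254 is-at 88:32:9b:0b:a8:06, length 28
12:00:06.000300 ARP, Reply 192.168.1.10 is-at 88:32:9b:0b:a8:06, length 28
"""

ARP_REPLY = re.compile(
    r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Return (ip, mac) pairs for every ARP reply line; non-matching lines are ignored."""
    replies = []
    for line in text.splitlines():
        match = ARP_REPLY.search(line)
        if match:
            replies.append((match.group(1), match.group(2).lower()))
    return replies


def ip_to_macs(replies):
    """Every MAC that has answered for each IP."""
    table = defaultdict(set)
    for ip, mac in replies:
        table[ip].add(mac)
    return table


def conflicting_ips(replies):
    """IPs claimed by more than one MAC: the basic ARP-spoof indicator (what arpwatch calls a flip-flop)."""
    return {ip: sorted(macs) for ip, macs in ip_to_macs(replies).items() if len(macs) > 1}


def gateway_impostors(replies, gateway_ip, known_gateway_mac):
    """MACs other than the known one answering for the gateway IP.
    This is the check a static ARP entry for the gateway enforces on an endpoint."""
    return sorted(ip_to_macs(replies)[gateway_ip] - {known_gateway_mac.lower()})


def macs_claiming_many_ips(replies, min_ips=2):
    """One MAC answering for several IPs: the pattern of a host relaying traffic for the subnet."""
    table = defaultdict(set)
    for ip, mac in replies:
        table[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in table.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    replies = parse_arp_replies(ARP_LOG)
    print("IPs with conflicting MACs:", conflicting_ips(replies))
    print("Impostors for the gateway:", gateway_impostors(replies, "192.168.1.254", "02:00:00:00:00:fe"))
    print("MACs answering for several IPs:", macs_claiming_many_ips(replies))
```

On the constructed log all three checks point at 88:32:9b:0b:a8:06. On a real network the same signals are what a wireless IDS, arpwatch, or Dynamic ARP Inspection on the switch alert on; on an individual laptop a static ARP entry for the gateway and a VPN (the talk's own mitigation) limit what a spoofer on the same hotspot can see.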
Web Session Hijacking using dSploit
PwnPad
NEXUS 7 PENTEST DEVICE
Defenses
AVOID BEING PROBED
Defenses
RECOMMENDATIONS
• Conduct regular wireless assessments
• Employ strong encryption and authentication methods
• Employ wireless IDS/IPS
• Secure wireless clients (laptops, phones, …)
Defenses
RECOMMENDATIONS
Use “wireless checks” of network vulnerability scanners
Defenses
RECOMMENDATIONS
Physically track down rogue access points and malicious devices
Thank You
Bishop Fox – see for more info: http://www.bishopfox.com/