B-Sides Asheville 2014: Wifi...WTF?!?!

Wifi…..WTFIt’s broken, but how bad can it be?

rbx@wifi:~# whoami● Tim Fowler● @roobixx● Project Engineer & Developer● Sabai Technology

rbx@wifi:~# info● I am a Hacker● Christian● Frequent speaker at LUGs● SouthEast Linuxfest speaker● Founder of Docker Greenville● Open Source Advocate● If seen at Starbucks with a smile….run!

rbx@wifi:~# wtf

WHY THis Talk??

rbx@wifi:~# points ● Understanding Basic 802.11 Elements● Wireless Attacks & Impacts● Tools & Devices

rbx@wifi:~# wtf

Part #1Basic Wireless Elements

rbx@wifi:~# basic elementsModes● Master - Access Point or Base Station● Managed - Infrastructure Mode (Client)● Ad-Hoc - Peer to Peer● Mesh - Mesh Cloud/Network. Planned Ad-hoc● Repeater - Range Extender● Monitor (RFMON)

Note: NOT all chipsets are made the same. Depending on chipset and other factors your adapter may not support all 6 modes.

rbx@wifi:~# basic elementsStates● State 1: Unauthenticated and Unassociated

● State 2: Authenticated but Unassociated

● State 3: Authenticated and Associated

rbx@wifi:~# basic elementsFrames● Frames: Simply Data Packets

Typically made up of: Header, Payload, Integrity, Check (CRC)

● Frame Header:Source and Destination, Ethertype (What Protocol)

● Frame Check Sequence:CRC, Say that again?

rbx@wifi:~# basic elementsFrame Types● Management Frames● Control Frames● Data Frames

rbx@wifi:~# basic elementsManagement Frames

● Beacons○ Advertise the network, Specify SSID (network name), Channels and other capabilities

● Probes○ Probe Request - Are you my friend?○ Probe Response

- Includes capability info● Authentications

○ Authentication- Open, WEP (Shared), WPA, WPA2, WPA-Radius

○ Deauthentication● Associations

○ Association Request - Can we be friends?○ Association Response○ Disassociation

rbx@wifi:~# basic elementsControl Frames● Request to Send - RTS: Can I speak?● Clear to Send - CTS: Sure! Everyone else

shut up.● Acknowledgement - ACK: Cool, I got what

you said ok.

rbx@wifi:~# basic elementsData Frames

<insert data here>

rbx@wifi:~# wtf

Part #2Wireless Attacks

rbx@wifi:~# wtf

Wifi SUCKS!

rbx@wifi:~# wtf

Wifi SUCKS!Okay, not really

Attack Types● Availability Attacks● Access Control Attacks● Confidentiality Attacks ● Integrity Attacks● Authentication Attacks

rbx@wifi:~# attacks

rbx@wifi:~# attacksAvailability Attacks● Deauthentication Flood - Client● Beacon Flood - Client● Authentication Flood - Access Point

Denial of S

ervice

rbx@wifi:~# attacksAccess Control Attacks● Rogue Access Point(s)● Mac Spoofing● Ad Hoc Associations● Wardriving*

*Every attack should start here!

rbx@wifi:~# attacksConfidentiality Attacks● MitM ● Evil Twin AP● Fake Captive Portal● Eavesdropping ● SSLStrip

rbx@wifi:~# attacksIntegrity Attacks● Frame Injection● Frame Replay

rbx@wifi:~# attacksAuthentication Attacks:● PSK Cracking● Shared Key Guessing - Vendor Defaults???● Login Credentials Gathering● If it has a password...we want it!

rbx@wifi:~#

Rarely will you use a single attack but rather multiple attacks layered together to get desired

results.

Beacon Floodmdk3 mon0 b -c 1

Authentication Floodmdk3 mon0 a -a <AP Mac Address>

Deauthentication Floodmdk3 mon0 d -b file.txt

rbx@wifi:~# examples

Evil Twin APKarma is a B!%&^!!

Man in the MiddleSee previous statement about Karma!

No matter how I get you to connect to me...I am now in control!

rbx@wifi:~# examples

rbx@wifi:~# wtf

Part #3Tools & Devices

rbx@wifi:~# toolsTools● Wireshark● Kismet● Aircrack-ng Suite● Karma● Ettercap● MDK3● TCPDUMP● Wigle Wardriving App● DNSSpoof● Macchanger

● KisMAC● Cowpatty● Airpawn● Airsnarf● Dsniff● DNSpwn● SSLStrip● Fern-wifi-cracker● And MANY MANY MORE...

rbx@wifi:~# devicesDevices● Wireless Adapters● Specialized Hardware● DIY Hardware

rbx@wifi:~# devicesWireless Adapters● Only real requirement is that your wireless

adapter support Monitor mode and Frame Injection

● A fairly complete list of compatible chipsets can be found at aircrack-ng.org

Wireless Adapters● Alfa AWUS036H -Realtek RL8187L● Alfa AWUS036NH - Ralink RT3070● TP-LINK TL-WN722N - Atheros AR9002U● Netgear WG111v2 - Realtek RL8187L● Netgear WG111v3 - Realtek RL8187B

rbx@wifi:~# devices

rbx@wifi:~# devicesSpecialized Hardware● Wifi Pineapple Mark V● Pwnie Express Pwnpad● Pwnie Express Pwn Plug R2

rbx@wifi:~# devicesDIY Hardware● Raspberry Pi running Kali linux + Wireless

adapter● Old Netbook, a laptop, tablet...● Anything that you can run linux on and use a

proper wireless adapter.

Questions??Thank You B-Sides Asheville!!!