Professional Documents
Culture Documents
Cédric BLANCHER
cedric.blancher@eads.net sid@rstack.org
EADS Corporate Research Center Rstack Team
EADS/CCR/DCR/SSI http://sid.rstack.org/
Agenda
1 Introduction
2 Really quick 802.11 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
In the darkness bind them - Rogue APs
Breaking the shell - WEP cracking
Let me free - Bypassing captive portals
All naked - Attacking stations
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Really quick 802.11 101
Attacking WiFi networks
WPA, WPA2 and 802.11i
Conclusion
Bibliography
Plan
1 Introduction
2 Really quick 802.11 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
In the darkness bind them - Rogue APs
Breaking the shell - WEP cracking
Let me free - Bypassing captive portals
All naked - Attacking stations
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Really quick 802.11 101
Attacking WiFi networks
WPA, WPA2 and 802.11i
Conclusion
Bibliography
Introduction
Introduction
Maybe make some people learn something1 , at least (in case they
don’t know yet)
1
Must see website[ABOB]
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Really quick 802.11 101
Attacking WiFi networks
WPA, WPA2 and 802.11i
Conclusion
Bibliography
Introduction
Traffic injection has changed things
Increased DoS capabilities
Dramaticly decreased WEP cracking achievement time
Allows traffic tampering
Allows stations attacks
But still...
Most ISPs selling wireless/router/modem boxes only provide
WEP support
Many WiFi compliant devices only support WEP (PSP,
Zaurus, etc.)
Most commercial hotspots are still open networks...
Plan
1 Introduction
2 Really quick 802.11 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
In the darkness bind them - Rogue APs
Breaking the shell - WEP cracking
Let me free - Bypassing captive portals
All naked - Attacking stations
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Really quick 802.11 101
Attacking WiFi networks
WiFi injection basics
WPA, WPA2 and 802.11i
Conclusion
Bibliography
802.11 basics
1 Introduction
2 Really quick 802.11 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
In the darkness bind them - Rogue APs
Breaking the shell - WEP cracking
Let me free - Bypassing captive portals
All naked - Attacking stations
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
Toolkit
Plan
1 Introduction
2 Really quick 802.11 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
In the darkness bind them - Rogue APs
Breaking the shell - WEP cracking
Let me free - Bypassing captive portals
All naked - Attacking stations
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Where’s the police - Managing management traffic
Really quick 802.11 101
In the darkness bind them - Rogue APs
Attacking WiFi networks
Breaking the shell - WEP cracking
WPA, WPA2 and 802.11i
Let me free - Bypassing captive portals
Conclusion
All naked - Attacking stations
Bibliography
Disclaimer :)
1 Introduction
2 Really quick 802.11 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
In the darkness bind them - Rogue APs
Breaking the shell - WEP cracking
Let me free - Bypassing captive portals
All naked - Attacking stations
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
Management traffic
Description
Management traffic :
is a regulation traffic
is completly unprotected ! ?
It’s a target of choice...
Lots of tools for playing with it
Management traffic
Tampering
Management traffic
Injection
1 Introduction
2 Really quick 802.11 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
In the darkness bind them - Rogue APs
Breaking the shell - WEP cracking
Let me free - Bypassing captive portals
All naked - Attacking stations
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
Rogue APs
Building AP from scratch
Rogue APs
Enter the game
1 Introduction
2 Really quick 802.11 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
In the darkness bind them - Rogue APs
Breaking the shell - WEP cracking
Let me free - Bypassing captive portals
All naked - Attacking stations
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
WEP cracking
Attacks overview
WEP cracking
IV collisions
WEP cracking
Modified frame injection
This means you can inject arbitrary layer 2 consistent WEP frames
and have them decrypted...
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Where’s the police - Managing management traffic
Really quick 802.11 101
In the darkness bind them - Rogue APs
Attacking WiFi networks
Breaking the shell - WEP cracking
WPA, WPA2 and 802.11i
Let me free - Bypassing captive portals
Conclusion
All naked - Attacking stations
Bibliography
WEP cracking
Arbitrary injection consequences
WEP cracking
Cleartext attack
Authentication bypass
WEP cracking
Fluhrer, Mantin and Shamir attack
WEP cracking
Korek Chopchop attack
WEP cracking
Devine aircrack/aireplay WEP cracking
WEP cracking
WEP is weak, but still...
1 Introduction
2 Really quick 802.11 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
In the darkness bind them - Rogue APs
Breaking the shell - WEP cracking
Let me free - Bypassing captive portals
All naked - Attacking stations
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
Batman
Joker
Firewall
IP address Batman
sorting
Joker
spoofing
See my LSM 2002 talk[BLA02], arp-sk Joker spoofs Batman IP
Firewall
website[ARPS] or MISC3[MISC] All traffic to
Batman IP
goes to Joker
Access
ARP cache poisoning and IP Point
spoofing
Hint : IP layer and MAC layer Joker spoofs Batman MAC
_and_ IP
All traffic to
Batman IP
goes to Joker
1 Introduction
2 Really quick 802.11 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
In the darkness bind them - Rogue APs
Breaking the shell - WEP cracking
Let me free - Bypassing captive portals
All naked - Attacking stations
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
Attacking stations
What about associated stations ?
Attacking stations
Station to station traffic prevention
Batman
Security feature that blocks traffic
within DS Without PSPF
Cisco calls this PSPF, each vendor has
To = Robin
it’s own name/flavor To = Robin From-DS = 1
To-DS = 1
Station sends To-DS frame Access Point
Robin
AP drops the frame
With PSPF
No From-DS frame, so no
communicationa : stations can’t talk to To = Robin X
each other... To-DS = 1
Access Point
a
Does not work between 2 APs linked via
wired network Robin
Attacking stations
PSPF bypass with injection
Joker
Robin
Attacking stations
Traffic tampering with injection
Attacking stations
Full communication with injection
Attacking stations
Proof of concept : Wifitap
Attacking stations
Wifitap usage
# ./wifitap.py -h
Usage: wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p]]
[-w <WEP key> [-k <key id>]]
[-d [-v]] [-h]
-b <BSSID> specify BSSID for injection
-o <iface> specify interface for injection
-i <iface> specify interface for listening
-p No Prism Headers in capture
-w <key> WEP mode and key
-k <key id> WEP key id (default: 0)
-d activate debug
-v verbose debugging
-h this so helpful output
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Where’s the police - Managing management traffic
Really quick 802.11 101
In the darkness bind them - Rogue APs
Attacking WiFi networks
Breaking the shell - WEP cracking
WPA, WPA2 and 802.11i
Let me free - Bypassing captive portals
Conclusion
All naked - Attacking stations
Bibliography
Attacking stations
Wifitap in short
Attacking stations
Quick demo...
Download Wifitap at
http://sid.rstack.org/index.php/Wifitap_EN
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Where’s the police - Managing management traffic
Really quick 802.11 101
In the darkness bind them - Rogue APs
Attacking WiFi networks
Breaking the shell - WEP cracking
WPA, WPA2 and 802.11i
Let me free - Bypassing captive portals
Conclusion
All naked - Attacking stations
Bibliography
3
Side effect : tools like arpspoof won’t work
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Where’s the police - Managing management traffic
Really quick 802.11 101
In the darkness bind them - Rogue APs
Attacking WiFi networks
Breaking the shell - WEP cracking
WPA, WPA2 and 802.11i
Let me free - Bypassing captive portals
Conclusion
All naked - Attacking stations
Bibliography
Plan
1 Introduction
2 Really quick 802.11 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
In the darkness bind them - Rogue APs
Breaking the shell - WEP cracking
Let me free - Bypassing captive portals
All naked - Attacking stations
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Really quick 802.11 101
Attacking WiFi networks
WPA, WPA2 and 802.11i
Conclusion
Bibliography
WPA
4
Robust Security Network
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Really quick 802.11 101
Attacking WiFi networks
WPA, WPA2 and 802.11i
Conclusion
Bibliography
And then ?
Plan
1 Introduction
2 Really quick 802.11 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
In the darkness bind them - Rogue APs
Breaking the shell - WEP cracking
Let me free - Bypassing captive portals
All naked - Attacking stations
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Really quick 802.11 101
Attacking WiFi networks
WPA, WPA2 and 802.11i
Conclusion
Bibliography
Conclusion
Greetings to...
Plan
1 Introduction
2 Really quick 802.11 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
In the darkness bind them - Rogue APs
Breaking the shell - WEP cracking
Let me free - Bypassing captive portals
All naked - Attacking stations
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Really quick 802.11 101
Attacking WiFi networks
WPA, WPA2 and 802.11i
Conclusion
Bibliography
Bibliography I
Bibliography II
Bibliography III
Bibliography IV
Bibliography V
Bibliography VI
Bibliography VII
Bibliography VIII
Bibliography IX
[WTAP] Wifitap,
http://sid.rstack.org/index.php/Wifitap_EN
[ISCD] ISC Handler’s Diary,
http://isc.sans.org/diary.php?date=2005-06-26