Wireless Penetration Testing For Realz and WCTF

Size: px

Start display at page:

Download "Wireless Penetration Testing For Realz and WCTF"

Gwendoline Atkins
6 years ago
Views:

1 Wireless Penetration Testing For Realz

2 DISCLAIMER This is provided for informational purposes only. It is illegal in most countries, especially the US, to connect, decrypt traffic, penetrate, or inject any Wi- Fi network other than your own or any network where you do not have explicit (ROE) permission given to you by the rightful owner. YOU are solely responsible for any and all of your own actions and assume the consequences of those actions.

3 Legal stuff Know the wiretap laws and do not violate them Some states require that both parties consent to a phone call being recorded Know the scanner laws for the state you are operating in, remember to check this before traveling out of state Make sure your activities are authorized in the written rules of engagement In most states it is legal to monitor any radio transmission as long as its not a telephone call or pager traffic Additional activities to avoid: Jamming transmissions Decoding pager traffic Illegally transmitting

4 Why You Should Listen to Us You Shouldn t

5 DefCon 15

6 DefCon 21

7 Pentesting Distributions Network Security Toolkit (2003) Whoppix (2005) Auditor (2005) WHAX (2005) Pentoo (December 2006)* BackTrack 1.0 (2006) Kali Linux (March 2013)

8 Wireless Encryption WEP WPA i (WPA2) Cipher Algorithm RC4 RC4 (TKIP) AES-CCMP Encryption Key 40-bit 128-bit 128-bit Initialization Vector 24-bit 48-bit 48-bit Authentication Key None 64-bit 128-bit Integrity Check CRC-32 Michael CCM Key Distribution Manual 802.1X (EAP) 802.1X (EAP) Key Unique To: Network Packet, Session, User Packet, Session, User Key Hierarchy No Derived from 802.1X Derived from 802.1X Ad-hoc Security (P2P) No No Yes (IBSS) Pre-authentication No No Yes (EAPOL) Source: Wireless Security: The need for WPA and i, Abuzar Amini,

9 Methodology Develop a methodology make it repeatable Scope work Rules of engagement get out of jail free Enumeration/Assessment Target information collection SSIDs, ESSIDs & MACs Modes of encryption Parsing useful information from sites using EAP

10 Methodology Passive reconnaissance Active reconnaissance Exploitation MiTM Client side attacks Cracking encryption Validation and Out- brief Report Why, Who, What, Where, How

11 Wireless Pentesting What Do I Need Platform Selection Selecting an Operating System Pentesting Software Choices Choosing Wireless Network Cards 3 card setup vs. 2 card setup Deciding on an Antennas

12 Platform Selection Laptop External Wireless Adapter External Antenna Power Source Smartphone or Tablet Self- contained

13 Minimum Requirements - Platform PDA/phone history Laptop Fusion Smartphone Tablet

14 Selecting and Operating System Windows Mac OS X Fusion Multiple VM s *NIX

15 Pentesting Software Choices Non- GUI Aircrack- NG Suite AirGraph Kismet- NG Tshark Reaver GUI Cain & Able GISKismet Wireshark

16 Deciding on an Antenna Antenna Selection Radiation Pattern Matters Omnidirectional Fixed Magmount Directional Yagi Cantenna Panel

17 Deciding on an Antenna Omni Directional Dipole Directional Panel Yagi

18 GPS Selection USB based Must be NMEA compliant Latest models BU 353- S4 48 channels Columbus V channels

19 Choosing a Wireless Network Card Wireless Device Selection Alpha cards (B) (G) or (N) or (ABGN) Rokland N3 (BGN) Rosewill N600 UBE (ABGN) SR- 71 (ABG) AirPcapNx (ABGN) WiSpy DBX (2.4 and 5Ghz) Chipset is the key The good Atheros Ralink Realtek

20 Testing Gear Have a repeatable process for validating antennas/setup Hand testing fixed point Automated testing Kismet (kismet script shootout.rb) Know how different cards and antenna combinations work Never be surprised by your equipment on an assessment Know your target and plan ahead

21 Wireless Pentesting Attacks MITM Evil Access Point (Evil AP) Jasager (WiFi Pineapple) Karmetasploit Attwifi (new attack) PiWAT PwnPlug Injection Bluetooth

22 Password Cracking Wireless Tools Non- GUI GUI Aircrack- ng Suite Pyrit oclhashcat- plus/oclhashcat- lite WEPCrack Cain & Able KisMac hashcat- GUI

23 Putting It Into Practice Wireless CTF Contest Connection Make a connection in the most hostile environment Hide and seek Recon (finding an access point in crowded RF space) Fox and Hound Advanced Recon (finding a person) Password Cracking Getting in (using all the tools that are available) System Takeover Exploitation and putting it all together (both offense and defense)

24 Putting It Into Practice BSSIDes- dc WCTF The New Tower - Less is More"

25 The Old

26 Prep- work

27 Prep- work

28 The New

29 Rules You must register with the key server All Game BSSID s are in the context of BSSIDesWCTF# Offense and defense in play Every team that solves a challenge gets points for the challenge Keys will be within all of the networks Once connected scan for port 80 or 6666 IRC channels will be BSSIDesdcWCTF 180/370 points CAN be captured in 4 hours or less on a stock laptop 8 of the challenges are 100% solvable 1 challenge is VERY HARD but risk/reward is high so manage your time

30 Challenge 1 Welcome to the Terrordome BsidesWCTF1 (10 pts)

31 Challenge 2 Michael Ballack found me, can you?" BsidesWCTF2 (10 pts)

32 Challenge 3 "Home Invasion" BsidesWCTF3 (15 pts)

33 Challenge 4 This will WiPS you into shape BsidesWCTF4 (15 pts)

34 Challenge 5 WEP used to be easy BsidesWCTF5 (20 pts)

35 Challenge 6 "From Phil to #52 BsidesWCTF6 (20 pts)

36 Challenge 7 It's getting hot in herre; turn up the AirConditioner BsidesWCTF7 (30 pts)

37 Challenge 8 "Welcome Back to DC Things are not what they appear BsidesWCTF8 (30 pts)

38 Challenge 9 "Cisco is like CycloX Wireshark is your friend What s in a name BsidesWCTF9 (30 pts)

39 Scoring In order to participate in the Wireless Pentathlon you will need the following: A working copy of GnuPG or PGP depending on your operating system. A valid Public/Private key pair to be used for *SIGNING* your submissions. Access to . Wireless Pentathlon Scoring Instructions and PGP Public Key are at ctf.subba.net A flag.sh shell script has been provided to aid in uploading keys. It s use is optional, but you will find that it might make it easier/faster to submit your scores.

40 Scoring To Submit a flag do the following: Copy the flag from it's location; it will be a long set of random numbers/ letters. Make sure you have the whole thing, no breaks or spaces. If using flag.sh use:./flag.sh <key> e.g../flag.sh cbbe3ec55dd050e af0a40b6d Copy and paste resulting PGP message into an You must this resulting PGP message, and ONLY this text block to wifi- ctf@subba.net YOU MUST DO THIS WITH THE GPG KEY YOU SUBMITTED TO THE CTF The scoreboard will be updated every 3 minutes

41 Logging We will be logging all channels 2.4Ghz 5Ghz during the CTF For a copy of the PCAPs you must register and score!

Questions @Rmellendick rmellendick@gmail.

42 Questions Please fill out this survey for the Conference Speaker

HACKING EXPOSED WIRELESS: WIRELESS SECURITY SECRETS & SOLUTIONS SECOND EDITION JOHNNY CACHE JOSHUA WRIGHT VINCENT LIU. Mc Graw mim

HACKING EXPOSED WIRELESS: WIRELESS SECURITY SECRETS & SOLUTIONS SECOND EDITION JOHNNY CACHE JOSHUA WRIGHT VINCENT LIU Mc Graw mim CONTENTS Foreword Acknowledgments Introduction xvn xlx XX1 Hacking 802.11