Wireless Penetration Testing For Realz and WCTF @Rmellendick rmellendick@gmail.com @DaKahuna2007 da.kahuna@gmail.com
DISCLAIMER This is provided for informational purposes only. It is illegal in most countries, especially the US, to connect, decrypt traffic, penetrate, or inject any Wi-Fi network other than your own or any network where you do not have explicit (ROE) permission given to you by the rightful owner. YOU are solely responsible for any and all of your own actions and assume the consequences of those actions.
Legal stuff
Know the wiretap laws and do not violate them
Some states require that both parties consent to a phone call being recorded
Know the scanner laws for the state you are operating in; remember to check this before traveling out of state
Make sure your activities are authorized in the written rules of engagement
In most states it is legal to monitor any radio transmission as long as it's not a telephone call or pager traffic
Additional activities to avoid: jamming transmissions, decoding pager traffic, illegally transmitting
Why You Should Listen to Us: You Shouldn't
DefCon 15
DefCon 21
Pentesting Distributions Network Security Toolkit (2003) Whoppix (2005) Auditor (2005) WHAX (2005) Pentoo (December 2006)* BackTrack 1.0 (2006) Kali Linux (March 2013)
Wireless Encryption

                       | WEP      | WPA                   | 802.11i (WPA2)
Cipher Algorithm       | RC4      | RC4 (TKIP)            | AES-CCMP
Encryption Key         | 40-bit   | 128-bit               | 128-bit
Initialization Vector  | 24-bit   | 48-bit                | 48-bit
Authentication Key     | None     | 64-bit                | 128-bit
Integrity Check        | CRC-32   | Michael               | CCM
Key Distribution       | Manual   | 802.1X (EAP)          | 802.1X (EAP)
Key Unique To          | Network  | Packet, Session, User | Packet, Session, User
Key Hierarchy          | No       | Derived from 802.1X   | Derived from 802.1X
Ad-hoc Security (P2P)  | No       | No                    | Yes (IBSS)
Pre-authentication     | No       | No                    | Yes (EAPOL)

Source: Wireless Security: The need for WPA and 802.11i, Abuzar Amini
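An added example (not from the talk) that puts numbers on the Initialization Vector row of the table: with a 24-bit IV (WEP) the birthday bound makes an IV repeat likely within a few thousand frames, while a 48-bit IV (TKIP/CCMP) needs tens of millions. It assumes IVs are drawn uniformly at random for the collision figures and a constructed frame rate of 1000 frames/s for the counter-exhaustion figure.

```python
import math

def collision_probability(iv_bits: int, frames: int) -> float:
    """Probability that some IV value repeats among `frames` IVs drawn at
    random from a 2**iv_bits space (birthday-bound approximation)."""
    space = 2.0 ** iv_bits
    if frames > space:
        return 1.0
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))

def frames_for_probability(iv_bits: int, p: float) -> int:
    """Smallest number of frames at which the repeat probability reaches p."""
    space = 2.0 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))

def exhaustion_seconds(iv_bits: int, frames_per_second: float) -> float:
    """Worst case for a sequential IV counter (what many WEP drivers used):
    after this long every value has been used and reuse is certain."""
    return 2.0 ** iv_bits / frames_per_second

def compare(frames_per_second: float = 1000.0) -> dict:
    """Figures for the table's WEP (24-bit) and WPA/802.11i (48-bit) IV sizes,
    at an assumed constant frame rate (constructed value, default 1000/s)."""
    out = {}
    for name, bits in (("WEP", 24), ("WPA/802.11i", 48)):
        out[name] = {
            "frames_to_50pct_repeat": frames_for_probability(bits, 0.5),
            "repeat_prob_after_10k_frames": collision_probability(bits, 10_000),
            "counter_exhaustion_hours": exhaustion_seconds(bits, frames_per_second) / 3600,
        }
    return out

# Caveat: TKIP and CCMP use the 48-bit field as a monotonically increasing
# counter with replay detection, so the random-collision figure does not apply
# to them; the exhaustion figure (thousands of years at 1000 frames/s) does.
# WEP's practical breaks also rely on RC4 key-schedule weaknesses beyond plain
# IV reuse, which this arithmetic does not model.

if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```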
Methodology
Develop a methodology; make it repeatable
Scope work
Rules of engagement (get out of jail free)
Enumeration/Assessment: target information collection
  SSIDs, ESSIDs & MACs
  Modes of encryption
  Parsing useful information from sites using EAP
Methodology
Passive reconnaissance
Active reconnaissance
Exploitation: MiTM, client side attacks, cracking encryption
Validation and Out-brief
Report: Why, Who, What, Where, How
Wireless Pentesting: What Do I Need?
Platform Selection
Selecting an Operating System
Pentesting Software Choices
Choosing Wireless Network Cards (3 card setup vs. 2 card setup)
Deciding on an Antenna
Platform Selection
Laptop: external wireless adapter, external antenna, power source
Smartphone or Tablet: self-contained
Minimum Requirements - Platform PDA/phone history Laptop Fusion Smartphone Tablet
Selecting an Operating System: Windows, Mac OS X, Fusion, Multiple VMs, *NIX
Pentesting Software Choices
Non-GUI: Aircrack-NG Suite, AirGraph, Kismet-NG, Tshark, Reaver
GUI: Cain & Abel, GISKismet, Wireshark
Deciding on an Antenna
Antenna Selection: Radiation Pattern Matters
Omnidirectional: Fixed, Magmount
Directional: Yagi, Cantenna, Panel
Deciding on an Antenna
Omnidirectional: Dipole
Directional: Panel, Yagi
GPS Selection
USB based; must be NMEA compliant
Latest models: BU-353-S4 (48 channels), Columbus V-800 (66 channels)
Choosing a Wireless Network Card
Wireless Device Selection: Alfa cards (B, G, N or ABGN), Rokland N3 (BGN), Rosewill N600 UBE (ABGN), SR-71 (ABG), AirPcap Nx (ABGN), WiSpy DBx (2.4 and 5 GHz)
Chipset is the key. The good: Atheros, Ralink, Realtek
Testing Gear
Have a repeatable process for validating antennas/setup
Hand testing: fixed point
Automated testing: Kismet (kismet script shootout.rb)
Know how different cards and antenna combinations work
Never be surprised by your equipment on an assessment
Know your target and plan ahead
Wireless Pentesting Attacks: MITM, Evil Access Point (Evil AP), Jasager (WiFi Pineapple), Karmetasploit, Attwifi (new attack), PiWAT, PwnPlug, Injection, Bluetooth
Password Cracking Wireless Tools
Non-GUI: Aircrack-ng Suite, Pyrit, oclHashcat-plus/oclHashcat-lite, WEPCrack
GUI: Cain & Abel, KisMAC, hashcat-GUI
Putting It Into Practice: Wireless CTF Contest
Connection: make a connection in the most hostile environment
Hide and Seek: recon (finding an access point in crowded RF space)
Fox and Hound: advanced recon (finding a person)
Password Cracking: getting in (using all the tools that are available)
System Takeover: exploitation and putting it all together (both offense and defense)
Putting It Into Practice: BSSIDes-dc WCTF, The New Tower - "Less is More"
The Old
Prep-work
Prep-work
The New
Rules
You must register with the key server
All game BSSIDs are in the context of BSSIDesWCTF#
Offense and defense in play
Every team that solves a challenge gets points for the challenge
Keys will be within all of the networks
Once connected, scan for port 80 or 6666
IRC channels will be BSSIDesdcWCTF
180/370 points CAN be captured in 4 hours or less on a stock laptop
8 of the challenges are 100% solvable
1 challenge is VERY HARD, but risk/reward is high, so manage your time
Challenge 1 Welcome to the Terrordome BsidesWCTF1 (10 pts)
Challenge 2 "Michael Ballack found me, can you?" BsidesWCTF2 (10 pts)
Challenge 3 "Home Invasion" BsidesWCTF3 (15 pts)
Challenge 4 This will WiPS you into shape BsidesWCTF4 (15 pts)
Challenge 5 WEP used to be easy BsidesWCTF5 (20 pts)
Challenge 6 "From Phil to #52" BsidesWCTF6 (20 pts)
Challenge 7 It's getting hot in herre; turn up the AirConditioner BsidesWCTF7 (30 pts)
Challenge 8 "Welcome Back to DC" Things are not what they appear BsidesWCTF8 (30 pts)
Challenge 9 "Cisco is like CycloX" Wireshark is your friend; what's in a name? BsidesWCTF9 (30 pts)
Scoring
In order to participate in the Wireless Pentathlon you will need the following:
A working copy of GnuPG or PGP, depending on your operating system
A valid public/private key pair to be used for *SIGNING* your submissions
Access to email
Wireless Pentathlon scoring instructions and the PGP public key are at http://wifi-ctf.subba.net
A flag.sh shell script has been provided to aid in uploading keys. Its use is optional, but you will find that it might make it easier/faster to submit your scores.
Scoring
To submit a flag do the following:
Copy the flag from its location; it will be a long set of random numbers/letters. Make sure you have the whole thing, no breaks or spaces.
If using flag.sh use: ./flag.sh <key>, e.g. ./flag.sh cbbe3ec55dd050e749918770af0a40b6d8192679
Copy and paste the resulting PGP message into an email
You must email this resulting PGP message, and ONLY this text block, to wifi-ctf@subba.net
YOU MUST DO THIS WITH THE GPG KEY YOU SUBMITTED TO THE CTF
The scoreboard will be updated every 3 minutes
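An added example of the submission flow described above; it is not the contest's own flag.sh. It assumes gpg is on PATH, that the key you registered with the key server is selectable by the id in the hypothetical CTF_KEY_ID variable, and (from the slide's sample flag) that a flag is one long run of hex digits. It also shows the scorer's side: pulling the signed payload out of the clear-signed block before the signature is verified.

```python
import os
import re
import subprocess
import sys

# Assumption (from the slide's example flag): a flag is one long run of hex digits.
FLAG_RE = re.compile(r"[0-9a-fA-F]{20,}")

def flag_is_clean(flag: str) -> bool:
    """True only for a single unbroken hex string: a space, line break or other
    stray character means the flag was copied incompletely or mangled."""
    return FLAG_RE.fullmatch(flag) is not None

def build_submission(flag: str, key_id: str) -> str:
    """Clear-sign the flag with the key registered to the CTF key server and
    return the PGP block that goes into the e-mail body, and nothing else."""
    if not flag_is_clean(flag):
        raise ValueError("flag has breaks, spaces or non-hex characters; copy it again in full")
    proc = subprocess.run(
        ["gpg", "--batch", "--clearsign", "--local-user", key_id],
        input=flag + "\n", capture_output=True, text=True, check=True,
    )
    return proc.stdout

def signed_text(message: str) -> str:
    """Scorer side: pull the signed payload out of a clear-signed message (the
    lines between the armor headers and the signature). This does not check
    the signature; gpg --verify against the registered key still has to pass."""
    lines = message.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1
    while lines[start].strip():          # skip armor headers such as "Hash: SHA256"
        start += 1
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    return "\n".join(lines[start + 1:end]).strip()

if __name__ == "__main__":
    # usage: CTF_KEY_ID=<your key id> python flag_submit.py <flag>
    print(build_submission(sys.argv[1], os.environ["CTF_KEY_ID"]))
```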
Logging We will be logging all channels (2.4 GHz and 5 GHz) during the CTF. For a copy of the PCAPs you must register and score!
Questions @Rmellendick rmellendick@gmail.com @DaKahuna2007 da.kahuna@gmail.com Please fill out this survey for the Conference https://www.surveymonkey.com/s/bsidesdc13-Speaker