Complexity. An introduction to protocol chaos. Andrés Blanco. CC License - Swtiruty Rgbytw

Similar documents
ABHELSINKI UNIVERSITY OF TECHNOLOGY

CSNT 180 Wireless Networking. Chapter 7 WLAN Terminology and Technology

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Troubleshooting WLANs (Part 2)

Configuring Layer2 Security

Basic processes in IEEE networks

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

CSMC 417. Computer Networks Prof. Ashok K Agrawala Ashok Agrawala. Fall 2018 CMSC417 Set 1 1

Wireless Security Protocol Analysis and Design. Artoré & Bizollon : Wireless Security Protocol Analysis and Design

Table of Contents 1 WLAN Service Configuration 1-1

SharkFest 18 Europe. Troubleshooting WLANs (Part 2) Troubleshooting WLANs using Management & Control Frames. Rolf Leutert

ECE 435 Network Engineering Lecture 8

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

4.4 IEEE MAC Layer Introduction Medium Access Control MAC Management Extensions

Optional Point Coordination Function (PCF)

3.1. Introduction to WLAN IEEE

Data Communications. Data Link Layer Protocols Wireless LANs

Functions of physical layer:

Wi-Fi Advanced Stealth BlackHat US, Las Vegas August 2-3, 2006

Chapter 24 Wireless Network Security

Welcome! SharkFest 16 Europe. Troubleshooting WLANs (Part 2) Rolf Leutert

Wireless Protocols. Training materials for wireless trainers

outline background & overview mac & phy wlan management security

Chapter 17. Wireless Network Security

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Wireless Router at Home

Day 1: Wi-Fi Technology Overview

Security in IEEE Networks

Wireless Network Security

CSC344 Wireless and Mobile Computing. Department of Computer Science COMSATS Institute of Information Technology

Multiple Access Links and Protocols

Guide to Wireless Communications, Third Edition. Objectives

SharkFest'17 US. Basic workshop of. IEEE packet dissection. Megumi Takeshita

Configuring Management Frame Protection

Wireless technology Principles of Security

Tony Crawford The Villages Apple User Group November 28, 2018

whitepaper ClickShare Security

Wi-Fi Advanced Stealth

Basic Wireless Settings on the CVR100W VPN Router

Lecture (08) Wireless Traffic Flow and AP Discovery

CWNP PW Certified Wireless Analysis Professional. Download Full Version :

Wireless# Guide to Wireless Communications. Objectives

Troubleshooting WLANs (Part 1)

transmitting on the same channel or adjacent channels

Topic 4. Wireless LAN IEEE

WRE2206. User s Guide. Quick Start Guide. Wireless N300 Range Extender. Default Details. Version 1.00 Edition 1, 01/2015

Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services

Wireless LANs. ITS 413 Internet Technologies and Applications

WLAN The Wireless Local Area Network Consortium

802.11r or Fast Transition (FT) for fast secure Roaming

Configuring a WLAN for Static WEP

IEEE Wireless LANs

Owner s Manual. Network Player

Laurent Butti BlackHat Europe

AirDrop Cheat Sheet. AirDrop files between your devices In OS X Yosemite, AirDrop helps you quickly transfer files between your Mac and nearby Mac

PW0-104 Q&As. Wireless LAN Administration Exam. Pass CWNP PW0-104 Exam with 100% Guarantee

Lab Configure Enterprise Security on AP

IEEE WLANs (WiFi) Part II/III System Overview and MAC Layer

Wireless LANs. Outline. Outline II. Benefits Applications Technologies Issues Configurations Overview of Standard

Mobile Device Support. Jeff Dove February

WPA-GPG: Wireless authentication using GPG Key

Release Notes for Avaya WLAN 9100 Access Point Operating System (AOS) Release

AC1200 Smart WiFi Router

Exam Name: Implementing Cisco Unified Wireless Networking Essentials v2.0

Institute of Electrical and Electronics Engineers (IEEE) IEEE standards

1GHz Dual Core Processor Extreme Speed & Range

b/g/n 1T1R Wireless USB Adapter. User s Manual

Overview of IEEE Networks. Timo Smura

MAKE WI-FI HACKING ON SMARTPHONES GREAT AGAIN! Daniel Wegemer and Matthias Schulz

Security SSID Selection: Broadcast SSID:

I N D E X Numerics 100 Mbps WLANs, WLANs, 88

Connect to eduroam WiFi

SharkFest 18 Europe. Troubleshooting WLANs (Part 1) Layer 1 & 2 Analysis Using Wireshark, Wi-Spy & Other Tools. Rolf Leutert

MULTI-ROOM MUSIC SYSTEM LET THE MUSIC PLAY.

MÜZO COBBLESTONE USER GUIDE

BLUEGIGA WF111 SOFTWARE DRIVERS

Who can use eduroam. Participating Organizations. How does eduroam work

ECE442 Communications Lecture 3. Wireless Local Area Networks

Q&As. Implementing Cisco Unified Wireless Voice Networks (IUWVN) v2.0. Pass Cisco Exam with 100% Guarantee

1. Unbox it. Main unit. 3,5 mm minijack male to male cable. USB Cable. Wi-DAPTOR

Wireless Network Security

Mobile Communications Chapter 7: Wireless LANs

Introduction to IEEE

Configuring r BSS Fast Transition

IPHONE/IPAD PHOTO MANAGEMENT

1GHz Dual Core Processor Extreme Speed & Range

Mobile & Wireless Networking. Lecture 7: Wireless LAN

Secure Wireless LAN Design and Deployment

AirPlay. How to upgrade your Marantz component with AirPlay and helpful advice on using it. How to Install AirPlay. Helpful Advice on Using AirPlay

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Attacks on WLAN Alessandro Redondi

What you will learn. Summary Question and Answer

Viewing Status and Statistics

Android Samsung Galaxy S6 Edge

CSCD 433/533 Advanced Networking

Configuring the Client Adapter

Smart Fuzzing. Lidong LI & Naijie XU I.

23 Must-Have WiFi Features

WIRELESS LAN/PAN/BAN. Objectives: Readings: 1) Understanding the basic operations of WLANs. 2) WLAN security

Introduction. Giuseppe Bianchi, Ilenia Tinnirello

Transcription:

802.11 Complexity An introduction to 802.11 protocol chaos Andrés Blanco Email: 6e726d@gmail.com Twitter: @6e726d CC License - Swtiruty Rgbytw

Motivation 802.11 it s everywhere https://twitter.com/skrud/status/767243097331736578

Motivation Radio frequency has no defined boundaries CC License - Kirthiga

Motivation IEEE 802.11-1997 IEEE 802.11k IEEE 802.11-2012 IEEE 802.11a IEEE 802.11n IEEE 802.11aa IEEE 802.11b IEEE 802.11p IEEE 802.11ac IEEE 802.11c IEEE 802.11r IEEE 802.11ad IEEE 802.11d IEEE 802.11s IEEE 802.11ae IEEE 802.11e IEEE 802.11T IEEE 802.11af IEEE 802.11F IEEE 802.11u IEEE 802.11mc IEEE 802.11g IEEE 802.11v IEEE 802.11ah IEEE 802.11h IEEE 802.11w IEEE 802.11ai IEEE 802.11i IEEE 802.11y IEEE 802.11aj IEEE 802.11j IEEE 802.11z 802.11 protocol is growing and constantly changing

Motivation 802.11 is growing and constantly changing

Motivation Managed P2P Master Wireless NICs usually support more than one mode

Introduction Management Association Request Association Response Reassociation Request Reassociation Response Probe Request Probe Response Beacon ATIM Disassociation Authentication Deauthentication Action Control Block ACK Request Block ACK PS-Poll RTS CTS ACK CF-End CF-End+CF-ACK Data Data Data+CF-ACK Data+CF-Poll Data+CF-ACK+CF-Poll Null CF-ACK CF-Poll CF-ACK+CF-Poll QoS data QoS data+cf-ack QoS data+cf-poll QoS data+cf-ack+cf-poll QoS Null QoS+CF-Poll QoS+CF-ACK 802.11 frame types and subtypes

Introduction Management Association Request Association Response Reassociation Request Reassociation Response Probe Request Probe Response Beacon ATIM Disassociation Authentication Deauthentication Action Control Block ACK Request Block ACK PS-Poll RTS CTS ACK CF-End CF-End+CF-ACK Data Data Data+CF-ACK Data+CF-Poll Data+CF-ACK+CF-Poll Null CF-ACK CF-Poll CF-ACK+CF-Poll QoS data QoS data+cf-ack QoS data+cf-poll QoS data+cf-ack+cf-poll QoS Null QoS+CF-Poll QoS+CF-ACK 802.11 frame types and subtypes

Introduction Station Beacon Probe Request Probe Response Access Point Access Point Station Authentication Authentication Access Point Station Station Association Request Association Response Data Data Access Point Access Point 802.11 Association process

Introduction MAC Header Frame Control Duration Destination Source BSSID Seq Control 2 bytes 2 bytes 6 bytes 6 bytes 6 bytes 2 bytes Body FCS N bytes 4 bytes Management frame structure

Introduction Type Length Value 1 byte 1 byte N bytes Information elements are variable-length components

Introduction Type 0x00 Length 0x?? Value SSID 1 byte 1 byte N bytes SSID information element

Introduction Type 0x30 Length 0x?? Version Group Cipher Suite Pairwise Cipher Suite Count Pairwise Cipher Suite Auth. Suite Count 1 byte 1 byte 2 bytes 4 bytes 2 bytes 4 x N bytes 2 bytes Auth. Suite RSN Capa. PMK Count PMK List 4 x N bytes 2 bytes 2 bytes 16 x N bytes RSN information element

Length Nonsense Type 0x30 Length 0x?? Version Group Cipher Suite Pairwise Cipher Suite Count Pairwise Cipher Suite Auth. Suite Count 1 byte 1 byte 2 bytes 4 bytes 2 bytes 4 x N bytes 2 bytes Auth. Suite RSN Capa. PMK Count PMK List 4 x N bytes 2 bytes 2 bytes 16 x N bytes CVE-2012-2619 affected at least 15 different vendors

Cisco

Cisco If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contains the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request. CCX Cisco documentation www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_consolidated/b_cg74_consolidated_chapter_01011101.html

Cisco BSS Access Point 1 Access Point 2 reassociation Station 802.11 roaming

Cisco Access Point name and number of associated clients

Cisco Fake reassociation request frame

Cisco Reassociation response frame

Cisco Wireless Network Traffic could be displayed during the demo. Please disable Wi-Fi if you don t want to be part of it.

WiFi Alliance

WiFi Alliance Wi-Fi Protected Setup is an optional certification program based on technology designed to ease the setup of security-enabled Wi-Fi networks in home and small office environments. Wi-Fi Protected Setup supports methods (pushing a button, entering a PIN, or using NFC) that are familiar to most consumers to configure a network and enable security. http://www.wi-fi.org/discover-wi-fi/wi-fi-protected-setup

WiFi Alliance Probe Response with WPS information element

WiFi Alliance Disabling WPS can protect a device from some know attacks

WiFi Alliance Even disabling WPS doesn t disable completely

WiFi Alliance WPS serial numbers

WiFi Alliance Wireless Network Traffic could be displayed during the demo. Please disable Wi-Fi if you don t want to be part of it.

WiFi Alliance Wi-Fi Direct, initially called Wi-Fi P2P, is a Wi-Fi standard enabling devices to easily connect with each other without requiring a wireless access point. https://en.wikipedia.org/wiki/wi-fi_direct

WiFi Alliance Wi-Fi Direct information element on Probe Response frame

WiFi Alliance Sharing serial numbers

WiFi Alliance Wireless Network Traffic could be displayed during the demo. Please disable Wi-Fi if you don t want to be part of it.

Endianness Nonsense Big-endian is the most common format in data networking

Apple

Apple With AirPlay, you can stream music, photos, and videos to your Apple TV, or stream music to your AirPort Express or AirPlay-enabled speakers. And with AirPlay Mirroring, you can display your ios screen on your Apple TV. https://support.apple.com/en-gb/ht204289

Apple AirPlay action frame from an AppleTV 3rd Generation

Apple With AirDrop, you can wirelessly send photos, videos, websites, locations, and more to a nearby iphone, ipad, ipod touch, or Mac. https://support.apple.com/en-us/ht203106

Apple AirDrop action frame from an ipod touch

Messy Implementations WD TV Live Media Player

Messy Implementations WD TV Live Media Player has WiFi Direct enabled by default

Protocol Complexity Messy Implementations Samsung TV authenticating a WiFi Direct connection request

Messy Implementations Wireless Network Traffic could be displayed during the demo. Please disable Wi-Fi if you don t want to be part of it.

Platform Complexity Introduction MLME stands for MAC Layer Management Entity. Examples of states a MLME may assist in reaching: Authenticate Deauthenticate Associate Disassociate Reassociate Beacon Probe Timing Synchronization Function (TSF) http://linuxwireless.org/en/developers/documentation/glossary/#mlme

Platform Complexity Introduction SoftMAC is a term used to describe a type of Wireless NIC where the MLME is expected to be managed in software. Kernel Wireless NIC MLME MAC PHY http://linuxwireless.org/en/developers/documentation/glossary/#softmac

Platform Complexity Introduction Wireless NIC FullMAC is a term used to describe a type of wireless card where the MLME is managed in hardware. MLME MAC PHY http://linuxwireless.org/en/developers/documentation/glossary/#fullmac

Platform Complexity Android Architecture Hardware Kernel User Firmware (Broadcom) Kernel Module (Broadcom) wpa_supplicant (Jouni Malinen) Android Framework (Google)

Platform Complexity Architecture Analysis Firmware No symbols, bare metal binary. Shared code with some kernel modules. Segment on chipset ROM. Kernel modules Open Source. ** Kernel debugging & debug parameters. wpa_supplicant & hostapd Open Source. Debugging & client interaction. Framework Open Source. Debugging & Log analysis.

Platform Complexity ios Architecture Hardware Kernel User Firmware (Broadcom) Kernel Extension (Broadcom) wifid (Apple) ios Framework (Apple)

Platform Complexity Architecture Analysis Firmware No symbols, bare metal binary. Shared code with OS X kernel extension. Segment on chipset ROM. Kernel extensions wifid Encrypted kernel. ** Shared code between OS X and ios. Handles more than 802.11 functionality. Framework Private framework.

Conclusions Specifications or proprietary protocols could help device fingerprinting. Specifications or proprietary protocols could break privacy features such as MAC address randomization. Bad implementations could expose devices to unauthenticated access. WD TV Live Streaming Media Player Wi-Fi Direct Unauthenticated Access - http://neseso.com/advisories/neseso-2016-0910.pdf Protocol and platform complexity could lead to vulnerabilities. Broadcom BCM4325 and BCM4329 wireless chipset denial-of-service vulnerability - CVE-2012-2619 Android WiFi-Direct DoS - CVE-2014-0997

Future Work Research other platforms and vendors. Implement Apple Bluetooth Low Energy scanning protocol on Ubertooth and extend the reverse engineering on Apple proprietary protocols. Develop a 802.11 information gathering tool.

Questions WIG Project Repository https://github.com/6e726d/wig Email: 6e726d@gmail.com Twitter: @6e726d

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback