
Flaws in Wireless – oh yay!

Nov 24, 2008 in Security

Lately there has been a lot of talk about WPA (http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access) and researchers finally finding its weaknesses (http://milw0rm.com/papers/250).  We all know now that WEP encryption can be broken within minutes, so we have relied heavily on WPA.  If this is all true, we could be in a bit of trouble.

“Academic researchers have found an exploitable hole in a popular form of wireless networking encryption. The hole is in a part of 802.11i that forms the basis of WiFi Protected Access (WPA), so it could affect routers worldwide. German graduate student Erik Tews will present a paper at next week’s PacSec in Tokyo coauthored with fellow student and aircrack-ng team member Martin Beck that reveals how remnants of WPA’s predecessor allow them to slip a knife into a crack in the encryption scheme and send bogus data to an unsuspecting WiFi client.” –http://arstechnica.com/articles/paedia/wpa-cracked.ars

Although I haven’t seen a successful attack against WPA at its protocol level (instead of by brute force), I’ve decided to talk about other wireless tricks.

The easiest way to do everything below is by using BackTrack (http://www.remote-exploit.org/backtrack.html).

Kismet (http://www.kismetwireless.net/)
Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.

Using a Cantenna (http://www.cantenna.com/), a Ubiquiti wireless card (http://www.ubnt.com/products/src.php) and the proper pigtails, we are ready to sniff.  We use Kismet to see what wireless networks are available, sniff open connections [sample of data sniff] and look for other wireless clients probing.  [Image sample of my network]

When a wireless client probes, it looks for a wireless network that it has connected to before [Probe example through Kismet].  Windows does this by default, which I see as an issue.  So if your laptop isn’t connected to a wireless network and the wireless function is turned on, it keeps looking for a wireless access point that it has connected to before.

Now how can we exploit this?

We can use Karma, which is also included in BackTrack 3.  We use Karma to create a fake access point (in this case called NDS, as we saw the client probing for this SSID).  With the Cantenna, we have enough signal strength to force the user to connect to our rogue access point.  Since Karma comes with an access point, DHCP server, DNS server, web server, FTP server, and more, we are all set to start exploiting [example of Karma running].  Once we get the client to connect, we have full control over what they can do.  For example, if they decide to go to gmail.com, why not throw a fake page up and copy their username and password?  (Remember to always check security certificates!)
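Seen from the monitoring side, an access point that answers for whatever SSID clients probe for stands out because one BSSID sends probe responses for many unrelated network names. The Python sketch below is an added example, not part of the original post or of Kismet or Karma: it parses raw 802.11 probe responses and flags such a BSSID. It assumes frames start at the 802.11 MAC header (no radiotap header, no FCS); the function names, the threshold of 3 and the sample frames are all constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_probe_response(frame: bytes):
    """Return (bssid, ssid) from a raw 802.11 probe response, else None."""
    # Frame control byte 0: version (2 bits), type (2 bits), subtype (4 bits).
    # 0x50 = management frame (type 0), probe response (subtype 5).
    if len(frame) < 36 or (frame[0] & 0xFC) != 0x50:
        return None
    bssid = frame[16:22].hex(":")  # addr3 in the 24-byte MAC header
    pos = 36  # header (24) + timestamp (8) + interval (2) + capabilities (2)
    while pos + 2 <= len(frame):  # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            return None  # truncated element: do not trust the frame
        if tag == 0:  # SSID element
            return bssid, body.decode("utf-8", "replace")
        pos += 2 + length
    return None

def multi_ssid_responders(frames, threshold=3):
    """Map each BSSID that answered for >= threshold distinct SSIDs to them."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_response(frame)
        if parsed and parsed[1]:  # skip non-probe-responses and empty SSIDs
            seen[parsed[0]].add(parsed[1])
    return {b: sorted(s) for b, s in seen.items() if len(s) >= threshold}

def build_frame(fc: int, bssid: str, client: str, ssid: str) -> bytes:
    """Construct a sample management frame (test data, not a capture)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    header = struct.pack("<HH", fc, 0) + mac(client) + mac(bssid) * 2 + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001)  # timestamp, interval, ESS bit
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode()

# Constructed sample traffic: one BSSID answers for every SSID it is asked about.
SUSPECT, NORMAL, CLIENT = "02:00:00:00:00:aa", "02:00:00:00:00:bb", "02:00:00:00:00:01"
SAMPLE = [build_frame(0x50, SUSPECT, CLIENT, s) for s in ("NDS", "linksys", "HomeNet")]
SAMPLE += [build_frame(0x50, NORMAL, CLIENT, "CorpWiFi")] * 2
SAMPLE.append(build_frame(0x80, NORMAL, CLIENT, "CorpWiFi"))  # beacon, ignored

if __name__ == "__main__":
    for bssid, ssids in multi_ssid_responders(SAMPLE).items():
        print(f"ALERT {bssid} answered probes for {len(ssids)} SSIDs: {ssids}")
```

The threshold is a heuristic and should be tuned against the SSIDs your own access points legitimately serve, for example by allow-listing known BSSIDs.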

One further step is called KarmaSploit (http://www.metasploit.com/dev/trac/wiki/Karmetasploit).  It takes the same concept, but when someone connects to your fake access point, you start testing them against known vulnerabilities, steal cookies, steal passwords, and/or even get r00t!

Fun stuff eh?

_Cheetz