
Sunday, October 16, 2016

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.8 - Working at disallowed channels and exceeding power output limits


2.8 - Working at disallowed channels and exceeding power output limits

- Because every country in the world has its own legislation regarding the radio spectrum, it is important to know which channels and which output power are allowed in each place. Moreover, each wireless network interface has its own default regulatory settings.
- First of all, assuming we are in the United States (US), let's take the US regulatory domain as an example:



- The new setting is immediately recorded in the system log:



- In the US regulatory domain it is perfectly possible to use channel 11:



- But channel 12 is not allowed:



- As for output power, the maximum allowed is 27 dBm (500 mW):



- For that reason, 30 dBm (1 Watt) is rejected:



- Now, even though the machine is physically in the US, the regulatory domain can be changed, for instance to Bolivia (BO):



- Again, the log file records the change:



- Now the system allows both channel 12 (2.467 GHz) and a power of 30 dBm (1 Watt), because the Bolivian regulatory domain differs from the US one:



- What about channel 14, forbidden everywhere else in the world? The answer is to switch to the Japanese regulatory domain, because Japan is the only country in the world that allows channel 14:



- The log informs about the changes:



- Verifying that the wireless interface card is now working on the otherwise forbidden channel 14 (2.484 GHz):



- From this practice we conclude that, although each country specifies its unlicensed wireless bands and strict power limits, all those regulations can be overridden by changing the regulatory domain to that of another country. In this way, the wireless interface card is forced to work at:
  • disallowed channels
  • more than the allowed transmission power
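A compliance check, added here as an example and not part of the original post: it parses regulatory rules in the format printed by the real "iw reg get" command and tells whether a given channel and transmit power fit within them, so a radio setting can be verified against the domain before it is applied. The three regulatory dumps are constructed samples carrying the limits quoted above (27 dBm for US, 30 dBm for BO, channel 14 for JP); the function names are this example's own.

```python
import re

# Constructed samples in the format printed by "iw reg get" (one rule per line:
# frequency range @ max bandwidth, then (max antenna gain, max EIRP in dBm)).
# The limits follow the post: 27 dBm for US, 30 dBm for BO, channel 14 for JP.
IW_REG_SAMPLES = {
    "US": "country US: DFS-FCC\n\t(2402 - 2472 @ 40), (N/A, 27), (N/A)\n",
    "BO": "country BO: DFS-UNSET\n\t(2402 - 2482 @ 40), (N/A, 30), (N/A)\n",
    "JP": "country JP: DFS-JP\n\t(2402 - 2482 @ 40), (N/A, 20), (N/A)\n"
          "\t(2474 - 2494 @ 20), (N/A, 20), (N/A), NO-OFDM\n",
}

RULE_RE = re.compile(r"\((\d+) - (\d+) @ (\d+)\), \((?:N/A|[\d.]+), ([\d.]+)\)")

def parse_reg(text):
    """Return the rules as (low_mhz, high_mhz, max_bw_mhz, max_dbm) tuples."""
    return [(int(lo), int(hi), int(bw), float(dbm))
            for lo, hi, bw, dbm in RULE_RE.findall(text)]

def channel_center_mhz(ch):
    """2.4 GHz centre frequencies: channels 1-13 step 5 MHz from 2412, channel 14 at 2484."""
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    if ch == 14:
        return 2484
    raise ValueError("unsupported channel %r" % ch)

def check_setting(reg_text, ch, dbm, width=20):
    """Return (allowed, reason): the channel's full width must fit inside one rule's
    frequency range and the requested power must not exceed that rule's limit."""
    centre = channel_center_mhz(ch)
    lo, hi = centre - width // 2, centre + width // 2
    for r_lo, r_hi, r_bw, r_dbm in parse_reg(reg_text):
        if r_lo <= lo and hi <= r_hi and width <= r_bw:
            if dbm > r_dbm:
                return False, "txpower %g dBm exceeds the %g dBm limit" % (dbm, r_dbm)
            return True, "ok"
    return False, "channel %d (%d MHz) is not covered by any rule" % (ch, centre)
```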




WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.7 - Discovering unauthorized clients


2.7 - Discovering unauthorized clients

- The method for discovering whether any unauthorized client is connected to a specific AP consists simply of comparing the list of authorized clients with the list of clients actually connected. There are two ways to detect which clients are connected to a specific AP:

a) checking the AP itself:

- The AP's Access Control option shows the list of clients connected at a given instant:



- For example, in this case there are 5 clients connected to the lab's AP:



- Obviously, the client "kali" does not belong on the authorized client list, so it can easily be considered an intruder.

b) using the airodump-ng command to explore the AP:



- It can be checked that both ways of discovering clients yield identical output.



WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.6 - Bridge to a network through a rogue Access Point



2.6 - Bridge to a network through a rogue Access Point

- The purpose of this practice is to create a rogue (fake) Access Point on the "kali" attacker machine, with ESSID "falso", and then to connect any wireless client of that AP to the authorized network through a bridge.

- So, the bridge could be used as a backdoor into the network by any attacker connected to that rogue AP. If that goal is achieved, all the efforts of firewalls and Intrusion Prevention Systems to protect the network become useless, because access would be unrestricted.

- First of all, using the airbase-ng command, a rogue AP called "falso" is created, following the same method used in 9.3:



- Now, the brctl addbr command creates a bridge, here called "puente", between the Ethernet interface (which belongs to the authorized network) and the rogue AP:



- Adding the Ethernet eth0 and the virtual at0 interfaces to the bridge "puente":



- Bringing up the bridge on both interfaces:


- Also, ensuring that the system forwards all received packets:



- Finally, the client "roch" connects to the newly created network "falso":


- To demonstrate that the practice has been done correctly, it is important to note that the MAC address of the connected client "roch" is 28:C6:8E:63:15:6B:



- Now, on the "kali" attacker machine, it can be verified that the client whose MAC is 28:C6:8E:63:15:6B (that is, "roch") associated to the network "falso" at 13:37:42, two minutes after the rogue AP was created at 13:35:38:



- What is the conclusion of the practice? With the creation of a) the rogue AP and b) the bridge between the authorized Ethernet network and the rogue AP, any wireless client connecting to the AP is able to reach the whole LAN. For instance, from "roch", connected wirelessly to the AP "falso", it is possible to ping the gateway of the wired network.



- Of course, once any client has gained access to the authorized network, further attacks could be launched to reach valuable data and files. So, this would be just the first step of a full penetration, namely the "wireless" step of the whole potential attack.
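The defender's counterpart of this procedure, added as an example (not the post's own code): a host audit that looks for a bridge joining a wireless or virtual-AP port (at0, wlan0, mon0) with a wired one and reports whether IP forwarding is on, reading the sysfs and procfs layout the Linux kernel exposes. The WIRELESS_PREFIXES list and build_sample_tree are assumptions of this example: the latter constructs a copy of that tree reproducing the "puente"/eth0/at0 setup so the check can run offline.

```python
import os
import tempfile

# Interface name prefixes treated as wireless / virtual-AP ports (airbase-ng
# creates at0, airmon-ng creates mon0). An assumption made for this example.
WIRELESS_PREFIXES = ("wlan", "at", "mon", "ath")

def list_bridges(root="/"):
    """Map every bridge under <root>/sys/class/net to its member ports (brif/)."""
    net = os.path.join(root, "sys/class/net")
    names = sorted(os.listdir(net)) if os.path.isdir(net) else []
    bridges = {}
    for name in names:
        if os.path.isdir(os.path.join(net, name, "bridge")):    # only bridges have bridge/
            brif = os.path.join(net, name, "brif")
            bridges[name] = sorted(os.listdir(brif)) if os.path.isdir(brif) else []
    return bridges

def ip_forward_enabled(root="/"):
    """True when <root>/proc/sys/net/ipv4/ip_forward reads 1 (the forwarding step above)."""
    try:
        with open(os.path.join(root, "proc/sys/net/ipv4/ip_forward")) as f:
            return f.read().strip() == "1"
    except OSError:
        return False

def rogue_bridge_findings(root="/"):
    """Bridges joining a wireless/virtual-AP port with a wired one, plus forwarding state."""
    findings = []
    for br, ports in list_bridges(root).items():
        wireless = [p for p in ports if p.startswith(WIRELESS_PREFIXES)]
        wired = [p for p in ports if p not in wireless]
        if wireless and wired:
            findings.append((br, wired, wireless, ip_forward_enabled(root)))
    return findings

def build_sample_tree():
    """Constructed sysfs/procfs copy reproducing the post's "puente" bridge, for offline runs."""
    root = tempfile.mkdtemp()
    for rel in ("sys/class/net/puente/bridge", "sys/class/net/puente/brif/eth0",
                "sys/class/net/puente/brif/at0", "sys/class/net/eth0",
                "sys/class/net/at0", "proc/sys/net/ipv4"):
        os.makedirs(os.path.join(root, rel))
    with open(os.path.join(root, "proc/sys/net/ipv4/ip_forward"), "w") as f:
        f.write("1\n")
    return root

if __name__ == "__main__":
    print(rogue_bridge_findings(build_sample_tree()))   # or rogue_bridge_findings() on a live host
```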






WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.5 - Attack "Evil Twin" spoofing the SSID and MAC of the AP



2.5 - Attack "Evil Twin" spoofing the SSID and MAC of the AP

- The "Evil Twin" attack consists of the attacker introducing a new AP that shares the same name (SSID) and/or the same MAC address as the legitimate AP of the authorized network. In that way, unaware users may connect to the malicious AP believing it is a trustworthy one. Once this connection is made, the attacker can act as a Man-In-The-Middle (MITM), getting access to all the packets.

a) spoofing only the SSID (name of the network)

- First of all, we show information about the legitimate AP (00:25:F2:9B:91:23) and its network, called "spaniard":



- The laptop "roch" (28:C6:8E:63:15:6B) is connected to the legitimate AP (00:25:F2:9B:91:23):

- Next, a new fake AP is created using the airbase-ng command. Its fake MAC address will be AA:AA:AA:AA:AA:AA, its SSID "spaniard" (imitating the legitimate one), and its working channel 6:



- Wireshark captures broadcast Beacon frames from the new AP, whose BSSID is AA:AA:AA:AA:AA:AA, announcing its SSID "spaniard":




- Also, a few seconds after the creation of the fake AP, the client "roch" detects the existence of this new AP, called "spaniard" like the legitimate one:

- Now, let's connect the client "roch" to the fake AP. Remember that the attacker could achieve this just by deauthenticating the client (or all clients) and waiting for it to reconnect, as shown in the previous example 9.2. In this case, however, it will be done manually, for the sake of the demonstration:



- Checking what is happening at the fake AP (AA:AA:AA:AA:AA:AA) with airodump-ng, we can verify that the client "roch" is connected to the attacker's newly created AP. As seen in the image, the fake AP has no authentication (OPN = open):



- So, as a result of the creation of the fake AP "spaniard", the client or victim "roch" is not able to tell the difference between the good "spaniard" and the evil "spaniard" AP.

- The final deciding factor for connecting would be the signal strength, because the client connects to the AP with the stronger signal, which usually depends on proximity. In this way the attacker achieves the goal of having the victim connected to the fake AP, in the false belief that it is connected to the legitimate one.

b) spoofing the ESSID (name of the network) and the BSSID (MAC address)

- In the previous example we used a very easy to spot MAC (AA:AA:AA:AA:AA:AA), but now not only the ESSID but also the BSSID (MAC address) will be spoofed.

- Using again airbase-ng command, a new AP is created with both ESSID and BSSID imitating the legitimate AP:

- The fake network is detected by airodump-ng, which shows that it does not use encryption (OPN = open):



- But airodump-ng also detects the legitimate network, with WPA-PSK CCMP encryption:

- So, although working in different bands and channels, there are 2 networks and APs sharing the same SSID ("spaniard") and the same BSSID (00:25:F2:9B:91:23).

- Any client could connect to the attacker's AP, unaware of the deception.

- Also, using the Vistumbler network detector, both "spaniard" networks are listed, with the same MAC address:



- As can be seen in the previous screenshot, the only difference between the two "spaniard" networks is the authentication type: the legitimate one uses WPA2-CCMP and the evil one uses Open authentication. Which of the two would an unaware user pick? If his knowledge of Wi-Fi security is low, he would probably choose the open one, falling into the attacker's trap.
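An added example (not from the original post) that serves both section 2.7 and this one: it parses an airodump-ng CSV dump, lists the stations associated to a given BSSID that are absent from an allow-list, and flags any ESSID advertised by more than one BSSID or with more than one privacy setting, which is exactly the evil twin signature seen in the screenshots above (same "spaniard", one WPA2 and one OPN). The CSV text is a constructed sample in airodump-ng's CSV layout using the lab's MACs.

```python
import csv
import io

# Constructed sample in airodump-ng's CSV layout: the AP table, a blank line, then
# the station table. Lab values: legitimate AP 00:25:F2:9B:91:23 ("spaniard", WPA2),
# the open evil twin AA:AA:AA:AA:AA:AA, client "roch" and attacker "kali".
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:25:F2:9B:91:23, 2016-10-16 13:35:00, 2016-10-16 13:40:00,  1,  54, WPA2, CCMP, PSK, -40, 120, 0,   0.  0.  0.  0,   8, spaniard, 
AA:AA:AA:AA:AA:AA, 2016-10-16 13:36:00, 2016-10-16 13:40:00,  6,  54, OPN,     ,    , -30,  80, 0,   0.  0.  0.  0,   8, spaniard, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
28:C6:8E:63:15:6B, 2016-10-16 13:35:10, 2016-10-16 13:40:00, -50, 200, 00:25:F2:9B:91:23, spaniard
00:C0:CA:72:1A:36, 2016-10-16 13:37:00, 2016-10-16 13:40:00, -45,  30, 00:25:F2:9B:91:23, 
"""

def parse_airodump_csv(text):
    """Split the dump into (aps, stations): two lists of dicts keyed by the header names."""
    aps, stations, header, section = [], [], None, None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not any(row):
            continue
        if row[0] == "BSSID":
            header, section = row, aps          # start of the AP table
        elif row[0] == "Station MAC":
            header, section = row, stations     # start of the station table
        elif header is not None:
            section.append(dict(zip(header, (c.strip() for c in row))))
    return aps, stations

def unauthorized_clients(text, bssid, allowed_macs):
    """MACs associated to `bssid` that are absent from the allow-list (section 2.7)."""
    _, stations = parse_airodump_csv(text)
    allowed = {m.upper() for m in allowed_macs}
    return sorted(s["Station MAC"].upper() for s in stations
                  if s["BSSID"].upper() == bssid.upper()
                  and s["Station MAC"].upper() not in allowed)

def evil_twin_candidates(text):
    """ESSIDs seen with more than one (BSSID, Privacy) pair, mapped to those pairs."""
    aps, _ = parse_airodump_csv(text)
    seen = {}
    for ap in aps:
        seen.setdefault(ap["ESSID"], set()).add((ap["BSSID"], ap["Privacy"]))
    return {essid: sorted(pairs) for essid, pairs in seen.items() if len(pairs) > 1}
```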



WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.4 - Denial of Service by deauthenticating clients


2.4 - Denial of Service attack by deauthenticating clients

- First of all, let's see the process of deauthenticating a single client. airodump-ng shows the clients connected to the AP, whose MAC address is 00:25:F2:9B:91:23:



- The station 28:C6:8E:63:15:6B ("roch") is connected:



- Using aireplay-ng with the --deauth option it is possible to deauthenticate the station 28:C6:8E:63:15:6B (the "roch" computer). Option 1 means just "1 client":



- Now, "roch" is disconnected from the AP:

- The concept of Denial of Service means rendering a system unavailable. One instance would be to deauthenticate all the clients connected to an AP. The difference from the previous aireplay-ng command is the option "0", which acts as a "broadcast deauthentication" for all clients:



- Wireshark constantly captures deauthentication packets from the victim to the AP, and from the AP to the client:



- After this attack, no client is able to reconnect to the AP while the attack is running. However, as soon as a client is disconnected it will immediately try to reconnect. For this reason, a successful DoS of this kind needs to be sustained for some time, not letting clients reconnect. The effect of this simple attack is devastating, because the whole network becomes unavailable for as long as the attack is being performed.




WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.3 - Default accounts and credentials on APs


2.3 - Attack against default accounts and credentials on APs

- When a customer acquires an Access Point, the device usually comes with default credentials provided by the manufacturer. For instance, for the Motorola AP used in this lab, the default username is admin and the password is motorola, as anybody can learn from the device's User Guide.

- Changing the default credentials of the AP is a very important security measure, because the AP is the key element to protect in a wireless network. Malicious access to the AP could result in the loss of the whole network.

- The process of entering new credentials should always be done over an Ethernet (wired) connection, because otherwise a potential attacker could sniff and capture those credentials from the air. Actually, the User Guide provides guidelines for protecting the AP by changing the default credentials:





- Moreover, with physical access to the AP, a malicious attacker could simply reset the device manually, wiping all the configuration introduced by the administrator. Then the default credentials would work again, and access to the AP would be open to anybody who knows that information.




WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.2 - Attack against MAC filters


2.2 - Attack against MAC filters

- One of the most widely used security measures consists of protecting access to a network with a MAC filter implemented on the Access Point. However, this practice will show that filtering MACs is actually useless, because the filter can be defeated. MAC filtering mimics the usual wired firewalls, where there is a list of allowed and denied devices. Actually, MAC filtering is added by the AP software and is not part of the 802.11 security standard.

- For instance, let's filter out the attacker "kali" (00:C0:CA:72:1A:36) with the AP's option MAC Restrict Mode set to Deny:




- As we can see, now there is just one legitimate client connected, "roch". 

- As for "kali"'s wlan0 interface, it is verified that its MAC address is 00:C0:CA:72:1A:36:

- If "kali" tries to connect to the network "spaniard" it will be rejected due to the filter:





- This screenshot shows the failed connection status: Access Point = Not-Associated:

- Wireshark detects Authentication failure packets between the AP (Motorola) and the attacker "kali" (Alfa card):



- To start the attack from "kali", the first step is to write down the MAC of the legitimate connected client "roch", 28:C6:8E:63:15:6B, which airodump-ng shows in clear text. Shortly, that number will be of great value:



- The interface wlan0 is turned off:



- With the macchanger command, wlan0's MAC address is replaced by the MAC of the legitimate client "roch", as shown by airodump-ng in clear text:



- The interface wlan0 is turned on:



- It is checked that wlan0 now has a MAC address different from the original one:

- Then, the connection to "spaniard" is tried again:



- The connection is successful, because the status has changed to Access Point = 00:25:F2:9B:91:23:



- The conclusion of this practice is that an attacker whose access to a network is prohibited by a MAC filter implemented on the AP can beat the filter just by spoofing its own MAC address, replacing it with the MAC of a legitimate client. How to learn the legitimate client's MAC? As usual, airodump-ng solves that step.

- What is really shocking is to verify that even the AP gets confused, because it takes the spoofed MAC address of the attacker "kali" for the legitimate one:






WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.1 - Uncovering hidden SSIDs


2.1 - Uncovering hidden SSIDs

- Every Access Point offers an option, known as "Closed Network", to hide the SSID when broadcasting the Beacon frames that announce it. This option is usually considered a security measure, but as will be explained here, it is actually easy to uncover the hidden SSID.

- At the AP used in this practice, "Closed Network" can be enabled in this way:



- Then, capturing Beacon frames from the AP, Wireshark is not able to see the SSID, and actually shows the field blank:



- The attacker "kali" uses airodump-ng to detect that the victim "roch" is connected to the AP, but it is not able to learn the ESSID, only that it is 8 characters long: <length: 8>:



- The trick consists of forcing the client "roch" to deauthenticate, knowing that it will later try to reconnect to the AP. Using aireplay-ng, 5 packets are sent to the Access Point whose MAC address is 00:25:F2:9B:91:23 through "kali"'s interface (00:C0:CA:72:1A:36), forcing the "roch" client (28:C6:8E:63:15:6B) to disconnect:



- Using this Wireshark filter, (wlan.bssid == 00:25:F2:9B:91:23) && !(wlan.fc.type_subtype == 0x08), which selects the frames of that BSSID other than Beacon frames (subtype 0x08), the deauthentication packets can be observed:

- Next, after waiting a few moments, when the client "roch" tries to reconnect by means of a Probe Request frame, the AP answers with a Probe Response showing the expected SSID in clear text ("spaniard"):



- This attack is based on the fact that the Probe Request/Response exchange must carry the SSID. These frames are not encrypted and are very easy to sniff from the air. So, by forcing a client to deauthenticate and waiting for it to reconnect, the SSID is obtained sooner or later. Of course, waiting for a client to connect on its own would also be a valid way of achieving the same goal, although in that case the attacker takes a passive role.
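An added example (not from the post) covering the deauthentication bursts used here and in section 2.4, from the monitoring side: a sliding-window detector of the kind a wireless IDS runs over captured management frames, which alerts when one BSSID sees more deauthentication frames within a second than any legitimate operation would produce. The input lines are constructed samples shaped like tab-separated tshark field output; the field order, the window and the threshold are assumptions of this example.

```python
from collections import defaultdict, deque

DEAUTH = 0x0c   # wlan.fc.type_subtype of a Deauthentication frame (Beacon is 0x08)

# Constructed sample: one Beacon, then 64 deauthentication frames within a second,
# forged in both directions (AP -> "roch" and "roch" -> AP) as aireplay-ng does.
# Fields (tab separated): frame.time_epoch, wlan.fc.type_subtype, wlan.bssid,
# wlan.sa, wlan.da, the order "tshark -T fields -e ..." prints them in.
AP, CLIENT = "00:25:f2:9b:91:23", "28:c6:8e:63:15:6b"
SAMPLE_LINES = ["1476625000.000\t0x0008\t%s\t%s\tff:ff:ff:ff:ff:ff" % (AP, AP)]
for i in range(64):
    src, dst = (AP, CLIENT) if i % 2 == 0 else (CLIENT, AP)
    SAMPLE_LINES.append("%.3f\t0x000c\t%s\t%s\t%s" % (1476625001 + i * 0.012, AP, src, dst))

def parse_line(line):
    """Return (timestamp, subtype, bssid, src, dst) for one record."""
    ts, subtype, bssid, src, dst = line.rstrip("\n").split("\t")
    return float(ts), int(subtype, 16), bssid.lower(), src.lower(), dst.lower()

def detect_deauth_floods(lines, window_s=1.0, threshold=20):
    """Keep, per BSSID, a sliding window of deauthentication timestamps and report
    the first moment the window holds `threshold` frames (lines must be in time order).
    Returns [(bssid, alert_time, frames_in_window, sorted targets)]."""
    windows, targets = defaultdict(deque), defaultdict(set)
    alerts, alerted = [], set()
    for line in lines:
        ts, subtype, bssid, _src, dst = parse_line(line)
        if subtype != DEAUTH:
            continue
        w = windows[bssid]
        w.append(ts)
        targets[bssid].add(dst)
        while ts - w[0] > window_s:      # expire frames older than the window
            w.popleft()
        if len(w) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((bssid, ts, len(w), sorted(targets[bssid])))
    return alerts
```

The mitigation on the AP side is 802.11w Protected Management Frames (ieee80211w=2 in hostapd), which makes clients discard deauthentication frames that are not cryptographically protected.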