
SEC617 SANS Wireless Ethical Hacking, Penetration Testing and Defenses – Index Page 1 of 38

SANS SEC617 (GAWN) Wireless Ethical Hacking, Penetration Testing, and Defenses

Book 617.1 Wireless Architecture and Analysis

617.1 Module 1: The Wireless Threat .......................................... 1-1 ----- 1-25

Introducing Wireless Security Misconceptions, Attacks & Vulnerabilities

Mobility Changes Traditional Security Approaches .......... 1-2
Outdoor WMAN Signal Exposure .......... 1-3
Common Misconceptions .......... 1-4 – 1-7
Wireless LAN Signal Leakage .......... 1-8 – 1-9
Information Disclosure Threats .......... 1-10 – 1-11
    Outdoor Wireless MAN – Unencrypted
Denial-of-Service Attacks .......... 1-12 – 1-13
Rogue Threats .......... 1-14
Protocol Weaknesses .......... 1-15
Albert Gonzalez (TJ Maxx, etc.) .......... 1-16
Bluetooth Data Extrusion .......... 1-17
Home Users .......... 1-18
Anonymity Attacks .......... 1-19
Capturing Network Probes .......... 1-20
Wireless Geographic Locating .......... 1-21
    www.wigle.net
Google Maps .......... 1-22
Summary – Wireless Threats .......... 1-23 – 1-25
Additional Reading: http://www.sans.org/reading_room/whitepapers/wireless/corporate-wireless-lan-risks-practices-mitigate_1350


617.1 Module 2: Wireless LAN Organizations & Standards ....... 2-2 ----- 2-24 “802.11 Alphabet Soup” and the Responsible Parties

Introduction .......... 2-2
Standards Bodies .......... 2-3
FCC .......... 2-4
Institute of Electrical & Electronics Engineers (IEEE) .......... 2-5
Internet Engineering Task Force .......... 2-6
Wi-Fi Alliance .......... 2-7
Standards Bodies and OSI .......... 2-8
IETF Standard – EAP .......... 2-9

IEEE Wireless Standards ........................................................................ 2-10 ------ 2-21

802.11i ............................................................................................. 2-11

802.11k ............................................................................................ 2-12

802.11n ............................................................................................ 2-13

802.11r ............................................................................................. 2-14

802.11s ............................................................................................ 2-15

802.11w ................................................................................ 2-16 – 2-17

802.11y .......... 2-18
Upcoming Technology .......... 2-19 – 2-20
    802.11z, 802.11aa, 802.11ac, 802.11ad, 802.11ae, 802.11af, 802.11ah
802.11 WG Resources .......... 2-21
Summary .......... 2-22
Backup .......... 2-23
IETF Standards – RADIUS .......... 2-24

617.1 Module 3: SWAT Kit Components ..................................... 3-1 ------ 3-5 Introduction to the SANS Wireless Auditing Toolkit

SWAT .......... 3-2

Hardware – ALFA USB Adapter .......... 3-3
Hardware – Parani SENA UD-100 Bluetooth Adapter .......... 3-4
Hardware – TripNav GPS .......... 3-5


617.1 Module 4: Sniffing Wireless ............................................... 4-1 ----- 4-49 Tools, Techniques and Implementation

Sniffing Wireless Introduction .......... 4-2
Tools for this Module .......... 4-3
    Libpcap – http://www.tcpdump.org
    Tcpdump – http://www.tcpdump.org (Unix / Linux); http://www.winpcap.org/ (Windows)
    Wireshark – www.wireshark.org
    Kismet – www.kismetwireless.net
    NetMon – http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en
Definitions and Terms .......... 4-4
Wireless Sniffing .......... 4-5 – 4-6
Managed Mode Sniffing (1) .......... 4-7
Monitor Mode Sniffing (2) .......... 4-8
Using RFMON Sniffing .......... 4-9
Windows XP/Vista/7 – AirPcap .......... 4-10
RFMON – Vista/7 .......... 4-11
NetMon 3.3 Wi-Fi Capture .......... 4-12
Mac OS X – Snow Leopard .......... 4-13
Linux – Setting RFMON Mode .......... 4-14 – 4-15
Linux Auditing Tools .......... 4-16
Libpcap .......... 4-17
Tcpdump .......... 4-18
Common Tcpdump Options .......... 4-19
    -i : specify interface
    -n : no DNS name resolution
    -s : specify snap length
    -X : print payload in ASCII and hex
    -r : read from capture file
    -w : save to libpcap-formatted file
Using Tcpdump .......... 4-20

Wireshark .......... 4-21 ------ 4-28
Using Wireshark .......... 4-22
Wireshark Display Filters .......... 4-23 – 4-24
Identifying Wireshark Display Fields .......... 4-25
Creating Display Filters .......... 4-26 – 4-27
Wireshark Protocol Dissectors .......... 4-28

Kismet .......... 4-29 ------ 4-38
Kismet Features .......... 4-30 – 4-31
Kismet Requirements .......... 4-32
Using Kismet Detecting Networks .......... 4-33


Using Kismet Common UI Commands ............................................ 4-34 – 4-35

s: change sort order

h: help

i: get detailed info on selected network

c: show clients

p: real-time packet dump

d: clear-text strings

x: quit current window

Q: quit Kismet

Using Kismet Network Detail .......... 4-36
Using Kismet Client Listing .......... 4-37
Using Kismet Network Mapping .......... 4-38
GPSMAP Reporting .......... 4-39 – 4-40
GPSMAP – Range Map .......... 4-41
GPSMAP – Google Maps .......... 4-42
GPSMAP – Google Earth .......... 4-43
Kismet – Newcore .......... 4-44 – 4-45
Kismet Newcore UI .......... 4-46
Summary .......... 4-47 – 4-48

Lab – Sniffing Wireless .......... 4-49

Using BackTrack

Using Wireshark display filters

Monitor mode sniffing

Introduction to using Kismet

Network mapping with gpsmap

Workbook Lab 1 - Sniffing Wireless Pages 1-1 – 1-51 : Answers on Pages 1-52 – 1-53

Workbook Lab 2 - Live Network Mapping Pages 2-1 – 2-9

Workbook Lab 2A – Outdoor Live Network Mapping Pages 2A-1 – 2A-12


617.1 Module 5: 802.11 MAC ........................................................ 5-1 ----- 5-38 Examining the 802.11 MAC Layer and Associated Standards

Introduction .......... 5-2
Definitions and Terms .......... 5-3
IEEE 802.11 Specification .......... 5-4
MAC Layer .......... 5-5 – 5-6
IBSS Architecture .......... 5-7
Infrastructure Architecture .......... 5-8
Authentication and Association .......... 5-9 – 5-10
    Client --------- AP
IEEE 802.1X .......... 5-11 – 5-12
IEEE 802.1X Authentication (EAP) .......... 5-13
EAP and 802.1X .......... 5-14
What’s in an EAP? .......... 5-15 – 5-16
802.11 Framing .......... 5-17
Generic 802.11 Frame Header .......... 5-18
802.11 Frame Control Field .......... 5-19 – 5-20
To DS and From DS Significance .......... 5-21 – 5-22
802.11 Duration/ID Field .......... 5-23
802.11 Addressing .......... 5-24 – 5-25
Address Order, Infrastructure .......... 5-26
Address Order, Special .......... 5-27 – 5-28
802.11 Sequence Control Field .......... 5-29
802.11 Frame Check Sequence .......... 5-30
802.11 Management Frames (1) .......... 5-31
802.11 Management Frames (2) .......... 5-32
802.11 Management Action Frames .......... 5-33
Sample Decode .......... 5-34
Summary .......... 5-35 – 5-37

Lab – 802.11 Fundamentals .......... 5-38

Examine supplied sniffer traces

Inspect management frames

Follow the exchange of EAP

Workbook Lab 3 - 802.11 MAC Pages 3-1 – 3-13: Answers on Pages 3-14 – 3-18
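The header fields listed for Module 5 (Frame Control, Duration/ID, the three or four addresses whose roles depend on the To DS/From DS bits, Sequence Control, and the FCS) are easy to decode by hand once. The decoder below is an added example written for this index, not course material or a tool the course ships; it parses those fields from a raw 802.11 frame and walks the tagged parameters of a beacon to pull the SSID. The two frames it runs on are constructed for the example (the MAC addresses, sequence numbers and the WEP body bytes are made up); the FCS on each is computed the way a capture card would, so the check is real.

```python
import struct
import zlib

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req", 3: "reassoc-resp",
                 4: "probe-req", 5: "probe-resp", 8: "beacon", 9: "atim", 10: "disassoc",
                 11: "auth", 12: "deauth", 13: "action"}
CTRL_SUBTYPES = {8: "block-ack-req", 9: "block-ack", 10: "ps-poll", 11: "rts", 12: "cts", 13: "ack"}
DATA_SUBTYPES = {0: "data", 4: "null", 8: "qos-data", 12: "qos-null"}

# Address roles in data frames, keyed by (To DS, From DS). Management frames
# always carry DA, SA, BSSID in Addr1..Addr3.
DATA_ADDR_ROLES = {
    (False, False): ("da", "sa", "bssid"),   # IBSS / ad-hoc
    (True, False): ("bssid", "sa", "da"),    # station -> AP
    (False, True): ("da", "bssid", "sa"),    # AP -> station
    (True, True): ("ra", "ta", "da"),        # WDS / bridge; Addr4 carries SA
}


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame, has_fcs=True):
    """Decode the generic 802.11 MAC header of one captured frame."""
    fcs_ok = None
    if has_fcs:
        # The FCS is CRC-32 over header+body, stored little-endian at the end.
        fcs_ok = zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")
        frame = frame[:-4]
    fc, duration = struct.unpack_from("<HH", frame, 0)   # Frame Control is sent LSB first
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    names = {0: MGMT_SUBTYPES, 1: CTRL_SUBTYPES, 2: DATA_SUBTYPES}.get(ftype, {})
    info = {"type": FRAME_TYPES[ftype], "subtype": names.get(subtype, subtype),
            "to_ds": to_ds, "from_ds": from_ds, "retry": bool(flags & 0x08),
            "protected": bool(flags & 0x40), "duration": duration,
            "fcs_ok": fcs_ok, "addrs": {}}
    if ftype == 1:
        # Control frames carry only RA, plus TA for RTS/PS-Poll/BlockAck.
        info["addrs"]["ra"] = fmt_mac(frame[4:10])
        if subtype in (8, 9, 10, 11):
            info["addrs"]["ta"] = fmt_mac(frame[10:16])
        return info
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    info["fragment"], info["sequence"] = seq_ctl & 0xF, seq_ctl >> 4
    roles = DATA_ADDR_ROLES[(to_ds, from_ds)] if ftype == 2 else ("da", "sa", "bssid")
    for role, off in zip(roles, (4, 10, 16)):
        info["addrs"][role] = fmt_mac(frame[off:off + 6])
    hdr_len = 24
    if ftype == 2 and to_ds and from_ds:           # Addr4 only in WDS data frames
        info["addrs"]["sa"] = fmt_mac(frame[24:30])
        hdr_len += 6
    if ftype == 2 and subtype & 0x8:                # QoS data adds a 2-byte QoS Control
        hdr_len += 2
    info["body"] = frame[hdr_len:]
    return info


def beacon_ssid(body):
    """Walk the tagged parameters after the 12 fixed bytes (timestamp, interval, capability)."""
    pos = 12
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        if eid == 0:                                # Element ID 0 = SSID
            return body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return None


def with_fcs(frame):
    return frame + zlib.crc32(frame).to_bytes(4, "little")


# Constructed frames for the example (addresses and payloads are made up).
BEACON = with_fcs(bytes.fromhex(
    "8000" "0000"                                   # FC: mgmt/beacon, no flags; duration 0
    "ffffffffffff" "001122334455" "001122334455"    # DA broadcast, SA, BSSID
    "4006"                                          # seq ctl: sequence 100, fragment 0
    "0000000000000000" "6400" "1100"                # timestamp, interval 100 TU, ESS+Privacy
    "0004" "53414e53"))                             # SSID IE: "SANS"
WEP_DATA = with_fcs(bytes.fromhex(
    "0841" "2c00"                                   # FC: data; To DS=1, Protected=1
    "001122334455" "aabbccddeeff" "00163e010203"    # BSSID, SA (station), DA
    "7003"                                          # sequence 55, fragment 0
    "a1b2c300" "deadbeefcafe"))                     # WEP IV + KeyID, ciphertext bytes

if __name__ == "__main__":
    for name, frame in (("beacon", BEACON), ("wep data", WEP_DATA)):
        info = parse_80211(frame)
        print(name, info["type"], info["subtype"], info["addrs"], "fcs_ok=%s" % info["fcs_ok"])
    print("ssid:", beacon_ssid(parse_80211(BEACON)["body"]))
```

Feed it frames from a monitor-mode capture (for example the bytes of each packet read back from a `tcpdump -w` file) and set `has_fcs` to match what the driver delivers; an FCS mismatch on a frame you did not expect to be corrupt is the first sign the capture is not what you think it is.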

Book 617.1 Wireless Architecture and Analysis

– END –


SANS SEC617 (GAWN) Wireless Ethical Hacking, Penetration Testing, and Defenses

Book 617.2 Wireless Security Exposed Part 1

617.2 Module 6: WLAN Auditing Methodologies ........................ 1-1 ----- 1-45

Identifying WLAN Components from Network Analysis

Introduction .......... 1-2
Tools for this Module .......... 1-3
    Kismet – www.kismetwireless.net
    Wireshark – www.wireshark.org
    Ekahau HeatMapper – http://www.ekahau.com/heatmapper
    Microsoft Excel – www.microsoft.com
    PCAPhistogram – http://802.11ninja.net/code/pcaphistogram.pl (dead link)
Definitions and Terms .......... 1-4 – 1-5
Assumptions so Far… .......... 1-6
Passive AP Fingerprinting .......... 1-7
Fingerprinting – MAC Prefixes .......... 1-8
Fingerprinting – Beacons .......... 1-9 – 1-10
IE Information Disclosure .......... 1-11
Cisco WLC Disclosure .......... 1-12
Client Post-Processing Analysis .......... 1-13
XML Analysis Example .......... 1-14
Security Methods – Kismet .......... 1-15
Manual Analysis – Wireshark .......... 1-16
Mapping Range – Outdoor .......... 1-17
Kismet Outdoor Mapping .......... 1-18
Ekahau HeatMapper .......... 1-19
Visualizing Clients/APs .......... 1-20
Client to AP Relationship Map .......... 1-21
Client Probe Graph Map .......... 1-22
Assessing Traffic .......... 1-23
Interesting Strings .......... 1-24 – 1-25
What’s in a MAC? .......... 1-26 – 1-27
Identifying Encrypted Traffic .......... 1-28
PCAP Histogram .......... 1-29
Policy Compliance .......... 1-30
DoDD 8100.2 .......... 1-31 – 1-32
Auditing DoDD 8100.2 .......... 1-33
PCI Implications .......... 1-34 – 1-35

Summary .............................................................................................................. 1-36 -- 1-38


Lab – Wireless Auditing .......... 1-39

Determine encrypted traffic with pcaphistogram

Use “strings” to identify ASCII strings in a pcap file

Identify all usernames in EAP transactions for a capture file

Workbook Lab 4 - WLAN Audit Methodologies Pages 4-1 – 4-14 : Answers on Pages 4-15 – 4-19

Backup (Additional Content) .......... 1-44 ------ 1-45
Mapping Range – Indoor .......... 1-41 – 1-42
Netstumbler for Indoor Mapping .......... 1-43
    Netstumbler – www.stumbler.net – v0.4.0
Indoor Mapping AirMagnet Survey .......... 1-44
AirMagnet Survey Example .......... 1-45
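The three lab tasks for Module 6 (spot encrypted traffic with a byte histogram, run `strings` over a pcap, and list every username from EAP exchanges) are the kind of thing a one-off script does faster than clicking through Wireshark. The code below is an added example written for this index, not the course's pcaphistogram.pl or any lab solution. It assumes you have already stripped the 802.11 MAC header and are handing it the data-frame payload (LLC/SNAP onward); the EAPOL frames, HTTP text and pseudo-random bytes it runs on are all constructed inline, and the `7.0 bits/byte` threshold is a working assumption, not a standard.

```python
import math
import random
import re
import struct

LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header, EtherType 0x888E
EAP_CODES = {1: "request", 2: "response", 3: "success", 4: "failure"}
EAP_TYPES = {1: "identity", 2: "notification", 3: "nak", 4: "md5-challenge",
             13: "eap-tls", 17: "leap", 21: "eap-ttls", 25: "peap", 43: "eap-fast"}


def parse_eapol(body):
    """body = data-frame payload after the 802.11 header. None for non-EAPOL traffic."""
    if not body.startswith(LLC_SNAP_EAPOL):
        return None
    _version, ptype, length = struct.unpack_from("!BBH", body, 8)
    rec = {"eapol_type": ptype}
    if ptype != 0:                       # 0 = EAP-Packet; 3 = EAPOL-Key (4-way handshake)
        return rec
    eap = body[12:12 + length]
    code, eap_id, eap_len = struct.unpack_from("!BBH", eap, 0)
    rec.update(code=EAP_CODES.get(code, code), id=eap_id)
    if code in (1, 2) and eap_len >= 5:  # only requests/responses carry a method type
        rec["method"] = EAP_TYPES.get(eap[4], eap[4])
        rec["data"] = eap[5:eap_len]
    return rec


def eap_identities(bodies):
    """Usernames from EAP-Response/Identity frames, in order of first appearance."""
    seen = []
    for body in bodies:
        rec = parse_eapol(body)
        if rec and rec.get("code") == "response" and rec.get("method") == "identity":
            ident = rec["data"].decode("utf-8", "replace")
            if ident not in seen:
                seen.append(ident)
    return seen


def byte_entropy(payload):
    """Shannon entropy in bits per byte; 8.0 is a perfectly flat histogram."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(payload, min_len=256, threshold=7.0):
    """None when too short to judge; True for flat (encrypted or compressed)
    payloads, False for structured cleartext. Threshold is an assumption."""
    if len(payload) < min_len:
        return None
    return byte_entropy(payload) >= threshold


def printable_strings(payload, min_len=4):
    """What `strings` does: runs of printable ASCII at least min_len bytes long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, payload)]


# --- constructed sample input; not taken from any real capture ---
def _eap(code, eap_id, method, data=b""):
    eap = struct.pack("!BBHB", code, eap_id, 5 + len(data), method) + data
    return LLC_SNAP_EAPOL + struct.pack("!BBH", 1, 0, len(eap)) + eap


SAMPLE_BODIES = [
    _eap(1, 1, 1),                                    # AP: EAP-Request/Identity
    _eap(2, 1, 1, b"CORP\\jsmith"),                   # STA: EAP-Response/Identity
    _eap(1, 2, 25),                                   # AP: EAP-Request/PEAP (TLS follows)
    LLC_SNAP_EAPOL + struct.pack("!BBH", 1, 3, 4) + bytes(4),     # EAPOL-Key: no identity
    bytes.fromhex("aaaa030000000800") + b"\x45\x00" + bytes(30),  # plain IP, not EAPOL
    _eap(2, 1, 1, b"CORP\\jsmith"),                   # retransmission, de-duplicated
]
CLEARTEXT = (b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
             b"Cookie: session=abc123\r\n\r\n") * 30
_rng = random.Random(617)                             # seeded so the example is repeatable
RANDOM_LIKE = bytes(_rng.getrandbits(8) for _ in range(2048))  # stands in for a WEP/WPA payload

if __name__ == "__main__":
    print("identities:", eap_identities(SAMPLE_BODIES))
    for name, data in (("http", CLEARTEXT), ("random", RANDOM_LIKE)):
        print(name, round(byte_entropy(data), 2), "encrypted?", looks_encrypted(data))
    print(printable_strings(CLEARTEXT)[:3])
```

Two caveats worth keeping in mind when you run this over a real capture: PEAP and EAP-TTLS often send an anonymous outer identity and carry the real username inside the TLS tunnel, so the list above is the floor of what an attacker gets for free, not the ceiling; and the entropy test cannot tell encrypted from compressed data, so treat a "flat" verdict on an HTTP body as "not cleartext" rather than "protected".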


617.2 Module 7: Rogue Network Threats .................................... 2-1 ----- 2-40 Identifying, Locating and Defeating Rogue APs

Introduction .......... 2-2
Tools for this Module .......... 2-3
    Nmap – www.insecure.org
    rogueap.nse – http://www.willhackforsushi.com/code/rogueap.nse
    Kismet – www.kismetwireless.net
    Wireshark – www.wireshark.org
Definitions and Terms .......... 2-4 – 2-5
Types of Rogue Threats .......... 2-6
Malicious Rogue Compromise .......... 2-7
IBSS Rogues .......... 2-8
“Free Public WiFi” .......... 2-9
Windows Bridging .......... 2-10
Infrastructure Rogues .......... 2-11
Wired-Side Analysis AP Fingerprinting .......... 2-12
Nmap RogueAP NSE .......... 2-13
Wired-Side Analysis Warwalking … .......... 2-14
Kismet Filtering .......... 2-15 – 2-16
Kismet Filtering Examples .......... 2-17 – 2-18
Mobile Warwalking Tools .......... 2-19
WiFiFoFum .......... 2-20
Wireless-Side Analysis Wireless LAN IDS .......... 2-21
Wireless LAN IPS .......... 2-22
Correlating Devices to Wired Net .......... 2-23 – 2-24
Locating Rogues Manual Analysis with SNR .......... 2-25 – 2-26
Kismet Signal Quality Reporting .......... 2-27
Commercial Location Analysis .......... 2-28
AirMagnet Analyzer .......... 2-29
Locating Rogues Triangulation .......... 2-30
WIDS Triangulation .......... 2-31
Locating Rogues Cheating with CDP .......... 2-32
Locating Rogues Cheating with MAC Address Variations .......... 2-33 – 2-34
Summary .......... 2-35 – 2-36

Labs .......... 2-37

Identify rogues with Nmap

Examine RSSI data with Wireshark and Kismet

Workbook Lab 5 - Rogue Network Threats Pages 5-1 – 5-9

Backup (Additional Content) .......... 2-38 -- 2-40
Network Port Knocking .......... 2-39
WKnock .......... 2-40
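"Correlating Devices to Wired Net" and "Cheating with MAC Address Variations" (2-23 – 2-24 and 2-33 – 2-34) come down to one observation: most access points burn a block of adjacent addresses, so the BSSID heard in the air usually sits within a few values of the MAC the switch sees on the wire. The script below is an added example for this index, not course material or rogueap.nse; it joins a Kismet-style BSSID list against a switch CAM table by OUI and low-byte proximity, and flags locally administered addresses (the U/L bit, 0x02 in the first octet, which soft-APs and spoofed addresses tend to set). The wired table and BSSIDs are constructed; the three-entry OUI table and the set of "sanctioned" vendors are assumptions for the example, and a real audit should look the prefixes up in the IEEE registry.

```python
# Illustrative OUI subset, constructed for this example. The vendor assignments
# are assumed here; confirm them against the IEEE OUI registry before relying on them.
OUI_VENDORS = {
    "00:14:bf": "Cisco-Linksys (consumer)",
    "00:40:96": "Cisco Aironet",
    "00:0b:86": "Aruba Networks",
}
SANCTIONED_AP_OUIS = {"00:40:96", "00:0b:86"}   # assumption: the enterprise's AP vendors


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def oui(mac):
    return mac.lower()[:8]


def is_locally_administered(mac):
    """U/L bit set => the address was not burned in by the vendor (soft-AP, spoof, VM)."""
    return bool(int(mac[:2], 16) & 0x02)


def correlate_bssids(bssids, wired_table, max_delta=16):
    """For each BSSID, wired MACs with the same OUI whose low 24 bits lie within
    max_delta, nearest first. Many APs derive radio BSSIDs from the wired MAC
    by a small offset, which is what makes this join work."""
    matches = {}
    for bssid in bssids:
        candidates = []
        for port, mac in wired_table.items():
            if oui(mac) != oui(bssid):
                continue
            delta = abs((mac_to_int(mac) & 0xFFFFFF) - (mac_to_int(bssid) & 0xFFFFFF))
            if delta <= max_delta:
                candidates.append((delta, port, mac.lower()))
        matches[bssid] = sorted(candidates)
    return matches


def classify(bssid, matches):
    """Turn a correlation result into the triage label an auditor wants."""
    vendor = OUI_VENDORS.get(oui(bssid), "unknown vendor")
    if is_locally_administered(bssid):
        return f"suspicious: locally administered BSSID ({vendor})"
    if not matches.get(bssid):
        return f"unmatched on wire: neighbour or out-of-scope AP ({vendor})"
    _, port, mac = matches[bssid][0]
    if oui(bssid) in SANCTIONED_AP_OUIS:
        return f"sanctioned vendor on {port}: verify against the WLC inventory ({vendor})"
    return f"rogue candidate on {port} (wired MAC {mac}, {vendor})"


# Constructed inputs: a switch CAM table (port -> MAC) and BSSIDs heard by Kismet.
WIRED = {
    "Gi1/0/7": "00:14:bf:12:34:50",
    "Gi1/0/9": "00:40:96:aa:bb:01",
    "Gi1/0/12": "00:1c:42:00:00:01",
}
SEEN = ["00:14:bf:12:34:51", "00:40:96:aa:bb:05", "00:0b:86:de:ad:01", "02:14:bf:12:34:51"]

if __name__ == "__main__":
    result = correlate_bssids(SEEN, WIRED)
    for bssid in SEEN:
        print(bssid, "->", classify(bssid, result))
```

The `max_delta` of 16 is deliberately generous; tighten it once you know how your AP vendor numbers its radios, and remember that a match only tells you which switch port to go and look at, not that the device is malicious.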


617.2 Module 8: Wireless Hotspot Networks .............................. 3-1 ----- 3-41 The Good, The Bad, and the Ugly

Hotspot Wireless Networks .......... 3-2
Tools for this Module .......... 3-3
    Kismet – www.kismetwireless.net
    Firesheep – http://codebutler.github.com/firesheep
    ICMPTX – http://thomer.com/icmptx/
    Macshift – http://macshift.natetrue.com
    pul – http://pickupline.berlios.de/
    tcpdump – http://www.tcpdump.org (Unix / Linux); http://www.winpcap.org/ (Windows)
    Ettercap – http://ettercap.sourceforge.net
    Metasploit Framework – http://metasploit.org
Definitions and Terms .......... 3-4 – 3-5
Hotspot Architecture .......... 3-6 – 3-7
“attwifi” Hotspot Access Procedure – Captive Web .......... 3-8
Subscriber Redirect .......... 3-9
AT&T WiFi Network Access .......... 3-10
Hotspot Controller Vulnerabilities .......... 3-11
guestBOX .......... 3-12
Service Theft .......... 3-13 – 3-14
ICMPTX .......... 3-15
ICMPTX Traffic .......... 3-16
Session Hijacking .......... 3-17
MAC Address Impersonation .......... 3-18
Pickupline .......... 3-19
Information Disclosure Threats .......... 3-20
OSCAR Messaging .......... 3-21
Spoofed Provider .......... 3-22
Verizon MiFi .......... 3-23
Hotspot Impersonation .......... 3-24
Common HTTP Vulnerability .......... 3-25
Sidejacking .......... 3-26
Firesheep .......... 3-27
Firesheep Interface .......... 3-28
    Firesheep – http://codebutler.github.com/firesheep
Adding Handlers .......... 3-29
Non-WiFi Firesheep .......... 3-30
Defensive Measures – Information Security Administrator .......... 3-31
Defensive Measures – Consumer .......... 3-32

Summary .......... 3-33


Backup (Additional Content) .......... 3-34 -- 3-41
Hotspot Motivators .......... 3-35
Ferret .......... 3-36 – 3-37
Hamster .......... 3-38
Hamster Sidejacking (1) .......... 3-39
Hamster Sidejacking (2) .......... 3-40
Defensive Measures – Provider .......... 3-41


617.2 Module 9: Assessing WEP Networks ................................ 4-1 ----- 4-52

Valuable lessons from a severely flawed encryption protocol

Introduction .......... 4-2
Tools for this Module .......... 4-3
    Wireshark – www.wireshark.org
    Kismet – www.kismetwireless.net
    nwepgen – http://linux-wlan.org/ (included in the linux-wlan package)
    wep_crack – http://www.lava.net/~newsham/wlan (Dead Link)
    WEPAttack – http://wepattack.sourceforge.net
    John the Ripper – http://www.openwall.com/john
    Aircrack-ng – http://www.aircrack-ng.org
    Aireplay-ng – (included in the Aircrack-ng package)
    Airodump-ng – (included in the Aircrack-ng package)
    Airdecap-ng – (included in the Aircrack-ng package)
Definitions and Terms .......... 4-4 – 4-5
Introduction to WEP .......... 4-6 – 4-7
WEP Key Selection .......... 4-8
IV Transmission .......... 4-9
WEP Framing .......... 4-10
XOR Truth Table .......... 4-11 – 4-12
Introduction to RC4 .......... 4-13
RC4 Algorithm .......... 4-14
WEP ICV Processing .......... 4-15
WEP Encryption Process .......... 4-16
WEP Decryption Process .......... 4-17
WEP Failures .......... 4-18
Key Selection Weaknesses .......... 4-19
Linksys Key Generation .......... 4-20
wep_crack .......... 4-21
WEPAttack .......... 4-22 – 4-23
WEP Failures – No Key Rotation Mechanism .......... 4-24
WEP Failures – Key is Reversible from Cipher Text .......... 4-25
FMS Attacks – Aircrack-ng .......... 4-26
Aircrack-ng Example .......... 4-27 – 4-28
Accelerating IV Collection .......... 4-29
Replaying ARP Packets .......... 4-30
ARP Traffic Injection .......... 4-31
Aireplay-ng .......... 4-32 – 4-34
Dynamic vs. Static WEP .......... 4-35
Inverse Inductive Attack .......... 4-36
Aireplay-ng Inverse Induction .......... 4-37
PRGA Determination Attacks .......... 4-38
airtun-ng .......... 4-39
airtun-ng Example .......... 4-40

Identifying WEP Networks .......... 4-41
DWEP EAPOL – Key Exchange .......... 4-42
Method for Cracking WEP (1) .......... 4-43
Method for Cracking WEP (2) .......... 4-44
wesside-ng .......... 4-45 – 4-46
Decrypting WEP Traffic – Wireshark .......... 4-47
Decrypting WEP Traffic – airdecap-ng .......... 4-48
Securing WEP (Not So Easy) .......... 4-49
Summary .......... 4-50 – 4-51

Lab – Wireless Auditing .......... 4-52

Examining WEP Traffic

Recovering the WEP key

Decrypting WEP Traffic

Workbook Lab 6 - Attacking WEP Networks Pages 6-1 – 6-15 : Answers on Pages 6-16 – 6-19

Book 617.2 Wireless Security Exposed Part 1

– END –


SANS SEC617 (GAWN) Wireless Ethical Hacking, Penetration Testing, and Defenses

Book 617.3 Wireless Security Exposed Part 2

617.3 Module 10: Auditing Cisco LEAP Networks ...................... 1-1 ----- 1-33

Auditing Cisco’s Proprietary Wireless Security Mechanism

Introduction .......... 1-2
Tools for this Module .......... 1-3
    Wireshark – www.wireshark.org
    Asleap – www.willhackforsushi.com/Asleap.html
    Kismet – www.kismetwireless.net
    FreeRADIUS – www.freeradius.org
    Rainbow Crack – www.antsight.com/zsl/rainbowcrack/ (Dead Domain)
        http://project-rainbowcrack.com/
Definitions and Terms .......... 1-4 – 1-5
LEAP Background .......... 1-6
LEAP Goals .......... 1-7
Identifying LEAP .......... 1-8
Identifying LEAP Examples .......... 1-9
Microsoft CHAPv2 (NT LANMAN) .......... 1-10
LEAP Five-Way Handshake .......... 1-11
LEAP Five-Way Example .......... 1-12
MS-CHAPv2 Passwords .......... 1-13
    ntlmhash = md4(Unicode(password), passlen * 2)
LEAP MS-CHAPv2 Response .......... 1-14
MS-CHAPv2 DES Keying .......... 1-15
Calculating the 3rd DES Key .......... 1-16
Asleap .......... 1-17
Asleap Processing .......... 1-18
Asleap Example .......... 1-19
Asleap Requirements .......... 1-20
Generic MS-CHAPv2 Attack .......... 1-21
RainbowTables .......... 1-22
LEAP Man-in-the-Middle .......... 1-23
Impersonating LEAP .......... 1-24
Bad LEAP, Fixed Challenge .......... 1-25
RainbowTables – Modified .......... 1-26
Suggestions for Securing LEAP .......... 1-27
Summary .......... 1-28
Review Questions .......... 1-29 – 1-30


Additional Reading .......... 1-30
    Cryptanalysis of Microsoft’s PPTP Authentication Extensions (MS-CHAPv2)
    http://www.schneier.com/paper-pptpv2.pdf
    Cisco’s recommendations for continued use of LEAP
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html
Review Question Answers .......... 1-30 – 1-32

Lab – Auditing LEAP .......... 1-33

Wireshark – open capture file, identify networks using LEAP

Wireshark – identify the five-way handshake & challenge/response data

Asleap – Recover LEAP passwords

Workbook Lab 7 - Auditing LEAP Networks Pages 7-1 – 7-8 : Answers on Pages 7-9 – 7-10

617.3 Module 11: Wireless Client Exposure & Vulnerabilities ... 2-1 ----- 2-40

Attacking and Compromising 802.11 Client Systems

Introduction .......... 2-2
Tools for this Module .......... 2-3
    AirPWN – http://sourceforge.net/projects/airpwn
    DNSPWN – www.metasploit.org
    Airtun-ng – www.aircrack-ng.org
    Airbase-ng – www.aircrack-ng.org
    Metasploit – www.metasploit.org
    IPPON – http://code.google.com/p/ippon-mitm/
    WiFiDEnum – https://labs.arubanetworks.com/wifidenum
Definitions and Terms .......... 2-4
Client Threats .......... 2-5
Hotspot Injection (1) .......... 2-6
Hotspot Injection (2) .......... 2-7 – 2-8
AirPWN .......... 2-9 – 2-10
AirPWN Example .......... 2-11
DNSPWN .......... 2-12
PSPF (Publicly Secure Packet Forwarding) .......... 2-13
PSPF Filtering .......... 2-14


Defeating PSPF .......... 2-15
Airtun-ng .......... 2-16
Metasploit 3.3 .......... 2-17
Metasploit Quick-Start .......... 2-18 – 2-19

    “show” – Show exploits/payloads, etc.
        o “show payloads” – Show only payloads
        o “show options” – Options for an exploit
        o “show targets” – Options for target versions
    “search foo” – Search for a given string
    “use” – Use a specific exploit
    “info” – Info for a specific exploit
    “set” – Configure exploit behavior
        o Mandatory: “set PAYLOAD foo”
    “exploit” – Launches the exploit
    “sessions” – Show post-exploit sessions

Payload Selection .......... 2-20
Attacking PNL .......... 2-21
Karmetasploit .......... 2-22
Karmetasploit Setup .......... 2-23
karma.rc (metasploit.com/users/hdm/tools/karma.rc) .......... 2-24
Karmetasploit Example .......... 2-25 – 2-26
Using karma.db .......... 2-27
Wireless Driver Bugs .......... 2-28
Broadcom Driver Bug .......... 2-29
Broadcom Driver Flaw .......... 2-30
Metasploit Console .......... 2-31
IPPON .......... 2-32
IPPON Setup .......... 2-33
IPPON Customization .......... 2-34
Unsolicited Java Update .......... 2-35
Protecting Clients .......... 2-36 – 2-37
WiFiDEnum .......... 2-38
Summary .......... 2-39

Lab .......... 2-40

Using AirPWN to manipulate client systems

Introduction to Metasploit with Fake AP module

Workbook Lab 8 - Client Attacks Pages 8-1 – 8-15


617.3 Module 12: Assessing WPA2-PSK Networks .................... 3-1 ----- 3-35

Introduction to WPA2 with Shared Key Security

Introduction .......... 3-2
Tools for this Module .......... 3-3
    cowpatty – www.willhackforsushi.com/Cowpatty.html
    Aircrack-ng – www.aircrack-ng.org
    Wireshark – www.wireshark.org
    Airdecap-ng (part of the Aircrack-ng suite) – www.aircrack-ng.org
    Pyrit – http://code.google.com/p/pyrit/
    WirelessKeyView – www.nirsoft.net/utils/wireless_key.html
Definitions and Terms .......... 3-4 – 3-5
Introduction to Hashing .......... 3-6 – 3-7
    HMAC = HASH(KEY XOR opad | HASH(KEY XOR ipad | DATA))
Introduction to WPA/WPA2 .......... 3-8
WPA/WPA2 Keys, Keys and More Keys .......... 3-9
WPA2-PSK PMK Derivation .......... 3-10
    PMK = PBKDF2(passphrase, ssid, ssidlen, 4096, 256)
WPA2 PTK Derivation .......... 3-11 – 3-12
    PTK = PRF(PMK, “Pairwise Key Expansion”, AA, SPA, ANONCE, SNONCE)
PTK Mapping .......... 3-13
WPA2 Four-Way Handshake .......... 3-14 – 3-15
WPA2 Four-Way Capture .......... 3-16
Identifying WPA2-PSK .......... 3-17
    wlan_mgt.tag.number eq 221 or wlan_mgt.tag.number eq 48
WPA2-PSK Beacon Advertisement (1) .......... 3-18
WPA2-PSK Beacon Advertisement (2) .......... 3-19
WPA2-PSK Passphrase Selection .......... 3-20
Auditing the PSK .......... 3-21
Cowpatty .......... 3-22
Cowpatty Process .......... 3-23
Cowpatty Example .......... 3-24
Aircrack-ng .......... 3-25
Precomputed Hash Files .......... 3-26
CUDA Acceleration – Pyrit .......... 3-27
wpacracker.com .......... 3-28
    Commercial / Built using an Amazon EC2 Cluster
Exploiting Client PSK .......... 3-29
WirelessKeyView .......... 3-30
Social Engineering Passphrase .......... 3-31
airdecap-ng .......... 3-32
Securing WPA2-PSK .......... 3-33


Summary .......... 3-34

Lab – Wireless Auditing .......... 3-35

Wireshark – open capture file, identify networks using WPA-PSK

Wireshark – Identify the Four-Way handshake and PTK input data

Cowpatty – Mount a dictionary attack against the PSK

Workbook Lab 9 - Auditing WPA/PSK Networks Pages 9-1 – 9-16: Answers on Pages 9-17 – 9-18

617.3 Module 13: Assessing PEAP Networks ............................. 4-1 ----- 4-44

Modern Secure Authentication and Encryption Methods

Introduction .......... 4-2
Tools for this Module .......... 4-3
    Wireshark – http://www.wireshark.org
    Odyssey Client – http://www.funk.com
        http://www.juniper.net/us/en/products-services/software/ipc/odyssey-access-client/oac/
    Cain & Abel – http://www.oxid.it
    FreeRADIUS WPE – http://www.willhackforsushi.com/FreeRADIUS_WPE.html
Definitions and Terms .......... 4-4 – 4-5
Introduction to PEAP + WPA .......... 4-6
Legacy Authentication Challenge .......... 4-7
PEAP Solution .......... 4-8
PEAP Dilemma .......... 4-9
TLS Establishment .......... 4-10
PEAP Transaction .......... 4-11
Enterprise WPA / WPA2 .......... 4-12
Enterprise WPA Key Distribution .......... 4-13
Advantages of EAPOL-Key Method .......... 4-14
Attacks Against PEAP + WPA .......... 4-15
PEAP Authentication Attack .......... 4-16
Authentication Attack Example .......... 4-17
Key Distribution Attack .......... 4-18
RADIUS Security .......... 4-19


RADIUS Attack (1) .......... 4-20
RADIUS Attack Illustrated (1) .......... 4-21
RADIUS Attack (2) .......... 4-22
RADIUS Attack Illustrated (2) .......... 4-23
RADIUS Weakness .......... 4-24
Cain & Abel – RADIUS Attack .......... 4-25
RADIUS Server Validation .......... 4-26
PEAP Weakness .......... 4-27
Windows WZC (1) .......... 4-28
Windows WZC (2) .......... 4-29
Windows WZC (3) .......... 4-30
Attacking PEAP Deployments .......... 4-31
FreeRADIUS WPE .......... 4-32 – 4-33
Attacking MS-CHAPv2 .......... 4-34
Protecting PEAP + WPA Networks .......... 4-35
Windows Supplicant Properties .......... 4-36
Client Username Disclosure .......... 4-37
Securing Authentication Server .......... 4-38
Disable Unused EAP Types .......... 4-39
Overall Wireless Defenses .......... 4-40
Summary .......... 4-41 – 4-42
Backup .......... 4-43
Amplifying Password Quality .......... 4-44

Book 617.3 Wireless Security Exposed Part 2

– END –


SANS SEC617 (GAWN): Wireless Ethical Hacking, Penetration Testing, and Defenses

Book 617.4 Wireless Security Exposed Part 3

617.4 Module 14: Deficiencies in the TKIP Protocol ................... 1-1 ----- 1-39

Understanding the weaknesses in the common encryption protocol for WPA and WPA2 networks

Introduction .......... 1-2
Tools for this Module .......... 1-3
    jrockets – www.willhackforsushi.com/code/jrockets-0.1.tgz
    tkiptun-ng (part of the Aircrack-ng suite) – www.aircrack-ng.org
Definitions and Terms .......... 1-4
About the TKIP Protocol .......... 1-5
TKIP Security Mechanisms .......... 1-6
Rekeying Key Reuse Attacks .......... 1-7
TKIP Per-Packet Integrity Check .......... 1-8 – 1-9
IV Sequence Enforcement Replay Attacks .......... 1-10
IV Sequence Enforcement Defeating Replay Attacks .......... 1-11
TKIP Fixes WEP Replay Attack .......... 1-12
July 2005: QoS Complicates Matters .......... 1-13
Wait … Really? They did That? .......... 1-14
TKIP QoS Replay Attack .......... 1-15
TKIP Replay Attack Impact .......... 1-16
jrockets .......... 1-17
TKIP Plaintext Recovery Attack .......... 1-18
WEP ICV Attack – Chopchop .......... 1-19 – 1-20
TKIP Encryption / Decryption .......... 1-21 – 1-22
TKIP Traffic Decryption Exploit .......... 1-23
TKIP Chopchop ICV Attack .......... 1-24 – 1-25
Attack Result .......... 1-26
Another Michael Weakness .......... 1-27
Practical TKIP Attack Example .......... 1-28
tkiptun-ng .......... 1-29
TKIP Defense Strategies (1) .......... 1-30
TKIP Defense Strategies (2) .......... 1-31
TKIP Defense Strategies (3) .......... 1-32
Beware Bad Recommendations .......... 1-33 – 1-34
Product-Specific Steps .......... 1-35
Monitoring (1) .......... 1-36
Monitoring (2) .......... 1-37
Future of TKIP .......... 1-38
Summary .......... 1-39


617.4 Module 15: DoS Attacks on Wireless Networks................ 2-1 ----- 2-43

Understanding the Threat, Tools, Techniques and Defenses

Denial of Service Attacks .......... 2-2
Tools for this Module .......... 2-3
    WaveBubble (Hardware) – http://www.ladyada.net/make/wavebubble/
    Wireshark – http://www.wireshark.org
    file2air – http://802.11ninja.net/code/file2air-0.4.tgz (Dead Link)
    mdk3 – http://homepages.tu-darmstadt.de/~p_larbig/wlan/
    hunter_killer_imp (available on a limited basis by request) – send Josh an email to request a copy at: [email protected]
Definitions and Terms .......... 2-4 – 2-5
Impact Examples .......... 2-6
Wi-Fi Intravenous Pumps .......... 2-7
    For more reading on the Wi-Fi IV pumps, check out:
    WiFi Planet – http://www.wifiplanet.com/columns/article.php/3402721
    Alaris Medical Systems – http://www.carefusion.com/medical-products/infusion/alaris-system/index.aspx
Wi-Fi Credit Card Processing .......... 2-8
Types of 802.11 DoS Attacks .......... 2-9
802.11 DoS Attack Targets .......... 2-10
Physical Medium Attacks (1) .......... 2-11
Physical Medium Attacks (2) .......... 2-12
Wave Bubble .......... 2-13
Medium Transmission Attack .......... 2-14
Intersil Prism2 Test Utility .......... 2-15
RF Jamming Legality .......... 2-16
Commercial and DIY Options .......... 2-17
IEEE 802.11 MAC Attacks .......... 2-18
Authentication / Association Flood (Persistent Attack) .......... 2-19
Deauth / Disassoc Flood (Non-Persistent Attack) .......... 2-20 – 2-21
Deauthenticate Attack Illustration .......... 2-22
file2air – Packet Injection .......... 2-23
file2air – Deauthenticate Flood (Persistent Attack) .......... 2-24 – 2-25

-i --interface – Specify an interface name

-r --driver – Driver type for injection

-f --filename – Specify a binary file contents for injection

-c --channel – Channel number

-n --count – Number of packets to send

-w --delay – Delay between packets (uX for usec or X for seconds)

-t --fast – Alias for -w u10000 (10 packets per second)

-d --dest – Override the destination address

-s --source – Override the source address


-b --bssid – Override the BSSID address

-q --seqnum – Override the sequence number (leading 0x for hex value)

-p --pieces – Fragment the payload into X pieces

-h --help – Output this help information and exit

-v --verbose – Print verbose info (more -v’s for more verbosity)

mdk3 .......... 2-26
mdk3 Deauth Amok Mode .......... 2-27
Charon - mdk3 GUI .......... 2-28
Deauth Verification - 802.11w .......... 2-29
Beacon DS Set DoS .......... 2-30 – 2-31
802.11 Medium Management .......... 2-32
Hidden Node Problem .......... 2-33
RTS / CTS Medium Management .......... 2-34
Medium Reservation Attack (Non-Persistent Attack) .......... 2-35
RTS / CTS Co-opting Example .......... 2-36
Range in DoS Attacks .......... 2-37
IEEE 802.11 Stance on DoS .......... 2-38 – 2-39
Defensive Measures .......... 2-40
Summary .......... 2-41 – 2-42

Lab – WLAN DoS Attack ....................................................................................... ------ 2-43

Work with a partner as a “victim” station

Mount a deauthenticate flood attack using file2air, aireplay-ng

Workbook Lab 10 - Denial of Service Attacks Pages 10-1 – 10-12: Answers on Page 10-13


617.4 Module 16: Fuzzing Attacks .......... 3-1 ----- 3-41
Using malformed data to identify new vulnerabilities

Introduction .......... 3-2
Tools for this Module .......... 3-3
  File2air – www.willhackforsushi.com/File2air.html
  Metasploit – http://metasploit.org
  Scapy – http://www.secdev.org/projects/scapy/
  Codenomicon – http://www.codenomicon.com
  Wireshark – http://www.wireshark.org
  LORCON – http://802.11ninja.net/svn/lorcon/

Definitions and Terms .......... 3-4
Protocol Fuzzing .......... 3-5
How We Think .......... 3-6
The Value of Fuzzing .......... 3-7
802.11 Protocol Fuzzing .......... 3-8
SSID Information Element .......... 3-9 – 3-10
Selecting Protocol Targets .......... 3-11 – 3-12
Random vs. Defined Fuzzing .......... 3-13
Fuzzing Wireless Network .......... 3-14
Metasploit 3.3 Fuzzers .......... 3-15
Codenomicon 802.11 Fuzzer .......... 3-16
Codenomicon WiFi Test Case .......... 3-17
Utility 802.11 Packet Injection .......... 3-18
Creating New file2air Packets .......... 3-19
Example Modification .......... 3-20 – 3-21
Using file2air .......... 3-22
Using Scapy / Python .......... 3-23 – 3-24
Useful Scapy Functions .......... 3-25 – 3-27

ls() – List available packet types

ls(packettype) – List parameters for this packet you can specify

hexdump(packet) – Print contents

fuzz(…) – Fuzz a packet: Scapy randomizes the fields you did not specify

RandMAC() – Generate a random MAC address

sendp(packet) – Send the packet, can be looped with fuzz() to send each

More Scapy / Python Functions ....................................................... 3-28 – 3-29

RandNum(1,10) – Generate a random number between 1-10

RandString(10) – Generate a random string, random length 1:10

RandString(RandNum(1,10)) – Random string, random length 1:10

random.getrandbits(N) – Generate a random number N bits long (“import random” first)

socket.ntohl(num) – Reverse byte-order of a 4-byte number (“import socket” first)

socket.ntohs(num) – Reverse byte-order of a 2-byte number


Operational Notes .......... 3-30
Plan of Attack - What to Explore .......... 3-31
Recording Traffic .......... 3-32
TShark .......... 3-33
Monitoring Your Target .......... 3-34
When is Fuzzing Appropriate? .......... 3-35
Responsible Disclosure .......... 3-36 – 3-37
Conclusion .......... 3-38

Lab .......................................................................................................................... ------ 3-39

Fuzzing a partner’s workstation

Goal is to understand what is involved in fuzz testing – If you find a BSoD, that’s an extra bonus!

Expected Probe Response ......................................................................... 3-40

STA sends probe request

AP sends probe response

STA expects:
  – Capability information for BSS
  – SSID of BSS (or cloaked SSID)
  – Supported data rates, maybe extended
  – DS parameter (channel of AP)

The Target .................................................................................................. 3-41

Work with a lab partner booted in Windows


Target runs NetStumbler:
  – Frequent probe requests make it more receptive to responses
  – SSID of BSS (or cloaked SSID)
  – Select a single AP to stay on-channel

Workbook Lab 11 - IEEE 802.11 Driver Fuzzing Pages 11-1 – 11-38


617.4 Module 17: Bridging the Airgap .......... 4-1 ----- 4-38
Leveraging client compromises to attack remote wireless networks

Tools for this Module .......... 4-2
  Metasploit – http://metasploit.org
  netsh – Windows Native (Except Home Editions)
  NetMon – http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en
  nm2lp – http://www.inguardians.com/tools/
  Airport – Integrated in OS X
  crowbarKC – http://www.georgestarcher.com/?p=233
  skyhook.sh – http://www.hackingexposedwireless.com/chapter06/skyhook.sh

Introduction .......... 4-3
Conceptually … .......... 4-4
Bridging the Airgap .......... 4-5
Limitations .......... 4-6
Bridging the Airgap: Windows .......... 4-7
Meterpreter Remote Control .......... 4-8
Meterpreter Quick Start .......... 4-9 – 4-10

“sysinfo” – Get system information

“shell” – Drops into cmd.exe

“ps” – List processes

“migrate” – Migrate to another process

“execute” – Run executable command

“download” / “upload” – RX/TX files

“reg” – Interact with remote registry

System Check .......... 4-11
Leveraging Remote Profiles .......... 4-12
Wireless Discovery .......... 4-13 – 4-14
Remote VNC with Meterpreter .......... 4-15 – 4-16
NetMon Capture .......... 4-17
nm2lp .......... 4-18
Creating a New Connection .......... 4-19 – 4-20
Bridging the Airgap: OS X .......... 4-21
OS X System Check .......... 4-22
OS X Discovery .......... 4-23
Keychain Attack .......... 4-24 – 4-25
crowbarKC .......... 4-26


Open Keychain .......... 4-27
Network Connect on the Command Line .......... 4-28
OS X Manual Connect (1) .......... 4-29
OS X Manual Connect (2) .......... 4-30
OS X Manual Connect (3) .......... 4-31
Challenges and Cautions .......... 4-32
Skyhook Wireless .......... 4-33
skyhook.sh and Google Maps .......... 4-34
Conclusion .......... 4-35 - 4-36
Backup .......... 4-37
WiGLE Search .......... 4-38

Book 617.4 Wireless Security Exposed Part 3

– END –


SANS SEC617.5 (GAWN): Wireless Ethical Hacking, Penetration Testing, and Defenses

Wireless Security Exposed Part 4

617.5 Module 18: Attacking DECT Wireless ................................ 1-1 ----- 1-29

Exploiting the Digital Enhanced Cordless Telephone Specification

Tools for this Module .......... 1-2
  Wireshark – http://www.wireshark.org
  dect_cli – https://dedected.org/trac (Bad Cert)
  dectshark – https://dedected.org/trac (Bad Cert), patch for NA scanning at http://willhackforsushi.com/code/dectshark-jlw.diff
  dect-decoder.sh – http://willhackforsushi.com/code/dect-decoder.sh

Definitions and Terms .......... 1-3
Introduction .......... 1-4
DECT Foundation (ETSI) .......... 1-5
Cordless Phone Problems Today .......... 1-6
Where DECT Excels .......... 1-7
Architecture .......... 1-8
PHY Fundamentals .......... 1-9
MAC Architecture .......... 1-10
DECT Security .......... 1-11
DECT Authentication .......... 1-12
DECT Standard Cipher .......... 1-13
Team deDECTed .......... 1-14
DECT Attack Hardware .......... 1-15
deDECTed Tools .......... 1-16
DECT Network Scanning: dect_cli .......... 1-17
dectshark .......... 1-18
DECT Network Scanning: dectshark .......... 1-19
DECT and Wireshark .......... 1-20
DECT Audio Eavesdropping .......... 1-21
DECT Audio Eavesdropping System Prep .......... 1-22
DECT Audio Eavesdropping Data Capture .......... 1-23
DECT Audio Eavesdropping Audio Extraction .......... 1-24
DECT Decode Example .......... 1-25
Other DECT Attacks .......... 1-26
DECT Security Strategies .......... 1-27
Conclusion .......... 1-28

Lab .......................................................................................................................... ------ 1-29

Inspecting DECT Traffic

Authorized Audio Eavesdropping

Workbook Lab 12 - Attacking DECT Wireless Pages 12-1 – 12-8


617.5 Module 19: Attacking ZigBee .......... 2-1 ----- 2-47
Exploiting ZigBee and IEEE 802.15.4 Environments

Tools for this Module .................................................................................... 2-2

Daintree Sensor Network Analyzer (SNA) – Commercial, http://www.daintree.net/index.php

ZENA Network Analyzer – Commercial, http://www.microchip.com/stellent/idcplg?IdcService=SS_GET_PAGE&nodeId=1406&dDocName=en520682 ; a simple Python script that can set the channel and sniff packets on the ZENA hardware is available at http://www.willhackforsushi.com/?p=198

Wireshark – http://www.wireshark.org

KillerBee – http://code.google.com/p/killerbee

GoodFET – http://goodfet.sourceforge.net

Definitions and Terms .......... 2-3
Introduction .......... 2-4
What is ZigBee? .......... 2-5
Why does the World Need ZigBee? .......... 2-6
Why do Attackers Care About ZigBee? .......... 2-7
Smart Thermostats .......... 2-8
Siemens APOGEE Field Level Network Controller .......... 2-9
Kwikset SmartCode .......... 2-10
MGM City Center, Las Vegas .......... 2-11
ZigBee Background .......... 2-12
ZigBee Devices .......... 2-13
PHY Layer Topologies .......... 2-14
MAC Layer .......... 2-15 – 2-16
NWK Layer .......... 2-17
CCM* Protocol .......... 2-18
Security Modes .......... 2-19
Key Provisioning .......... 2-20
Authentication .......... 2-21
Upper-layer ZigBee Security .......... 2-22
Microchip ZENA $150 .......... 2-23
ZENA Windows Sniffer .......... 2-24
Daintree SNA Basic .......... 2-25 – 2-26
KillerBee .......... 2-27
KillerBee Hardware .......... 2-28
RZUSB Firmware .......... 2-29
Installing KillerBee .......... 2-30
KillerBee Arsenal .......... 2-31


KillerBee Demo .......... 2-32
KillerBee Attack Example (1) .......... 2-33
zbdsniff .......... 2-34
KillerBee Attack Example (2) .......... 2-35 – 2-36
zbreplay .......... 2-37
KillerBee Attack Example (3) .......... 2-38
zbfind - Device Location Tracking .......... 2-39
Analyze It: GoodFET .......... 2-40
GoodFET Example .......... 2-41
Key Recovery: zbgoodfind .......... 2-42
Decrypt It .......... 2-43
Thoughts on ZigBee .......... 2-44 – 2-45
Conclusion .......... 2-46

Lab .......................................................................................................................... ------ 2-47

Examining ZigBee traffic in Wireshark

Working with KillerBee and stored capture files

Workbook Lab 13 - Attacking ZigBee Wireless Pages 13-1 – 13-14


617.5 Module 20: Bluetooth Security Threats .......... 3-1 ----- 3-43
Examining Bluetooth technology and associated threats to Enterprise Networks

Introduction .......... 3-2
Tools for this Module .......... 3-3
  Bluesnarfer – www.alighieri.org/tools/bluesnarfer.tar.gz
  BlueZ – www.bluez.org
  BlueScanner – https://labs.arubanetworks.com/bluescanner/
  BTScanner – www.pentest.co.uk/src/btscanner-2.1.tar.bz2
Definitions and Terms .......... 3-4
Bluetooth Specification .......... 3-5
Bluetooth FHSS Channels .......... 3-6
FHSS Transmitter .......... 3-7
Bluetooth Piconets .......... 3-8
Bluetooth Transmitters .......... 3-9
Physical Links and Frames .......... 3-10
Bluetooth Protocol Stack .......... 3-11 – 3-12
Bluetooth Addressing .......... 3-13
Bluetooth Baseband Header .......... 3-14 – 3-15
LMP Exchange .......... 3-16 – 3-17
Host Controller Interface (HCI) .......... 3-18
Logical Link Control and Adaptation Protocol .......... 3-19
Joining the Piconet (1) .......... 3-20
Joining the Piconet (2) .......... 3-21
Bluetooth Profiles .......... 3-22
Bluetooth Security Options .......... 3-23
Bluetooth Link Authentication .......... 3-24
Bluetooth Link Encryption .......... 3-25
Bluetooth PINs .......... 3-26
Exploiting Bluetooth Range .......... 3-27
Long-Range Bluetooth .......... 3-28
Bluetooth Rogue AP .......... 3-29
Bluesnarf Attack .......... 3-30
Blueline Attack .......... 3-31
Cabir Wireless Worm .......... 3-32
10th World Athletics Championships Helsinki, FI .......... 3-33
Organizational Auditing .......... 3-34
BlueScanner.org .......... 3-35
BTScanner .......... 3-36
btfind .......... 3-37
Establishing a Policy .......... 3-38 – 3-39
Device Configuration .......... 3-40
Conclusion .......... 3-41 – 3-42

Lab .......................................................................................................................... ------ 3-43

Identifying Bluetooth Transmitters – Evaluate device services & Extract friendly name

Lab is written for Linux, btscanner

You may optionally use Windows BlueScanner if desired

Workbook Lab 14 - Bluetooth Analysis Pages 14-1 – 14-19


617.5 Module 21: Advanced Bluetooth Threats .......... 4-1 ----- 4-38
Digging deeper into the Bluetooth protocol and exploit mechanisms

Introduction .......... 4-2
Tools for this Module .......... 4-3
  btpincrack – http://openciphers.sourceforge.net/oc/btpincrack.php
  BTCrack – http://www.nruns.com/_en/security_tools_btcrack.php (Dead Link), http://www.brothersoft.com/btcrack-58142.html
  FTS4BT – http://www.fte.com/products/fts4bt.aspx
  frontline – Only accessible in a source code repository using the CVS utility:
    $ cvs -d :pserver:[email protected]:/home/cvs login [press enter]
    $ cvs -d :pserver:[email protected]:/home/cvs co bt
  BlueZ tools – www.bluez.org (also check your Linux distro)
  BTScanner – www.pentest.co.uk/src/btscanner-2.1.tar.bz2
  Bluape – http://www.willhackforsushi.com/code/bluape.rb
  Cisco Spectrum Expert (CSE) – http://www.cisco.com/
  ussp-push – http://www.xmailserver.org/ussp-push.html
  CarWhisperer – http://trifinite.org/trifinite_stuff_carwhisperer.html
  obexftp – http://triq.net/obexftp.html (also check your Linux distro)
  Bluetooth Stack Smasher (BSS) – http://www.secuobs.com/news/05022006-bluetooth10.shtml

Definitions and Terms .......... 4-4
Understanding Pairing .......... 4-5
Step 1: Initialization Key – K_init .......... 4-6
  K_init = E22(IN_RAND, BD_ADDR, PIN)
Step 2: Link Key – K_ab .......... 4-7
  K_ab = E21(LK_RANDa, BD_ADDRa) XOR E21(LK_RANDb, BD_ADDRb)
Subsequent Connection Keying .......... 4-8
  SRESv = E1(K_ab, AU_RANDv, BD_ADDRc)

Pairing Authentication Attack .......... 4-9
btpincrack .......... 4-10
BTCrack .......... 4-11
BTCrack Statistics .......... 4-12
Practical PIN Cracking .......... 4-13
Attacking the E0 Cipher .......... 4-14
Commercial Sniffers .......... 4-15
FTS4BT .......... 4-16
“Transforming a Bluetooth Dongle into a Bluetooth Sniffer” .......... 4-17
frontline .......... 4-18
Non-discoverable Devices .......... 4-19
“Hello IT, have you tried turning it off and on again?” .......... 4-20 – 4-23


Bluetooth Access Code .......... 4-24
Discovering the Undiscoverable .......... 4-25
Retrieving the Sync Word (1) .......... 4-26
Retrieving the Sync Word (2) .......... 4-27
Sync Word Result .......... 4-28
BNAP, BNAP Project .......... 4-29
Bluetooth Enumeration .......... 4-30
CarWhisperer .......... 4-31
Headset as a Listening Bug .......... 4-32
Bluetooth Keyboard Attack .......... 4-33
USRP2 All-Channel Sniffer .......... 4-34 – 4-35
gr-bluetooth .......... 4-36 – 4-37
Device Auditing .......... 4-38
Evaluating Your Own Devices .......... 4-39 – 4-40
Bluetooth Stack Smasher .......... 4-41
Summary .......... 4-42

Book 617.5 Wireless Security Exposed Part 4

– END –


SANS SEC617 (GAWN) Wireless Ethical Hacking, Penetration Testing, and Defenses

Book 617.6 Wireless Security Strategies and Implementation

617.6 Module 22: Wireless LAN Intrusion Detection Tech ......... 1-1 ----- 1-45

Selecting and Implementing WLAN IDS

Introduction .......... 1-2
Introduction to WLAN IDS .......... 1-3
IDS Background .......... 1-4
True Positive or False Positive? .......... 1-5
Event of Interest? .......... 1-6
Deployment Models – Overlay .......... 1-7
Deployment Models – Integrated .......... 1-8
The Players .......... 1-9
AirDefense (now part of Motorola) - http://www.airdefense.net/
AirMagnet - http://www.airmagnet.com/
AirTightNetworks - http://www.airtightnetworks.net/
Aruba Networks - http://www.arubanetworks.com/
Cisco Systems - http://www.cisco.com/en/US/products/ps9817/index.html
Identifying Attacks .......... 1-10
Signature Analysis .......... 1-11
Example Attack: NetStumbler .......... 1-12
NetStumbler Scan .......... 1-13
Evading Signature Analysis .......... 1-14
Trend Analysis .......... 1-15
Example Attack: EAPOL Logon .......... 1-16
EAPOL Login Event Hack or Benign Event? .......... 1-17 – 1-18
Anomaly Analysis .......... 1-19
Sample Attack: Fragmented Packets (1) .......... 1-20
Sample Attack: Fragmented Packets (2) .......... 1-21
Your Turn: 1 .......... 1-22
Your Turn: 2 .......... 1-23


Your Turn: 3 .......... 1-24
Your Turn: 4 .......... 1-25
Your Turn: 5 .......... 1-26
Your Turn: 6 .......... 1-27
Your Turn: 7 .......... 1-28
Your Turn: 8 .......... 1-29
WLAN IDS Evaluation Features .......... 1-30
Features: Event Aggregation .......... 1-31
Event Aggregation Example .......... 1-32 – 1-33
Light Bulb Deployment .......... 1-34
Secure Communication Protocol .......... 1-35
Learning Mode Support .......... 1-36
Intrusion Prevention Services .......... 1-37
Integration with Third-Party IDS .......... 1-38
Deployment Considerations .......... 1-39
Facility Coverage .......... 1-40
Dwell Time .......... 1-41
Logging Fidelity .......... 1-42
Event Storage, Trend Analysis .......... 1-43
Summary .......... 1-44 – 1-45


617.6 Module 23: “Other” Wireless Attacks .......... 2-1 ----- 2-46

Identifying common wireless vulnerabilities affecting organizations

Introduction .......... 2-2
Tools for this Module .......... 2-3
GNURadio – http://gnuradio.org/redmine/projects/gnuradio/wiki
USRP – www.ettus.com
Keykeriki – http://www.remote-exploit.org/?page_id=598
Hobbylab USB Oscilloscope and Logic Analyzer – www.hobbylab.us/
Gammu – www.gammu.org
gsmdecode – http://wiki.thc.org/
GSSM – http://wiki.thc.org/
gsm-tvoid – http://wiki.thc.org/

Definitions and Terms .......... 2-4
War Spying .......... 2-5
War Spying Popularity .......... 2-6
Mobile WarSpy Platform .......... 2-7
WarSpying Box .......... 2-8
WarSpying Mitigation .......... 2-9
Software Defined Radio (SDR) .......... 2-10
USRP Hardware .......... 2-11
Programming USRP .......... 2-12
Wireless Keyboards .......... 2-13
Manufacturer Motivators .......... 2-14

“Security suffers when cost, efficiency and simplicity are priorities”

Keyboard Pairing Procedure .......... 2-15

“Unique identifier necessary to avoid device collisions”

Keyboard Security .......... 2-16
Microsoft Optical Desktop 1000/2000 Analysis .......... 2-17
Moser’s Analysis Indicates … .......... 2-18
Keykeriki v2 .......... 2-19
Hacking Your Own Devices .......... 2-20
What You’ll Need .......... 2-21
Kensington Wireless Remote .......... 2-22 – 2-23
Wireless Remote Schematic .......... 2-24
Modified Hardware .......... 2-25
Monitoring / Analysis Tool .......... 2-26
Data Analysis .......... 2-27
Device Speculations .......... 2-28 – 2-29

“Embedded wireless can be a threat. We can assess the threat with docs, a reference source, analysis tools and creativity.”


Groupe Spécial Mobile (GSM) Interception .......... 2-30
GSM Operation .......... 2-31
Demodulating GSM .......... 2-32
GSM Reference Source .......... 2-33

$ gammu --nokiadebug nhm5_587.txt v20-25, v18-19
$ gsmdecode -x <out.xml >decode.txt

gsmdecode .......... 2-34
GSSM Project .......... 2-35
GSSM Wireshark Integration .......... 2-36
GSM Encryption .......... 2-37
A5/1 Weaknesses .......... 2-38
Precomputed Attack .......... 2-39
gsm-tvoid .......... 2-40
GSM Sniffing Exposure .......... 2-41

“Total cost to decrypt GSM: $4000”

GSM Attack Defenses .......... 2-42
Summary .......... 2-43 – 2-44

Lab .......................................................................................................................... ------ 2-45

Pick one or more of the following devices to assess on the FCC site.

Identify the nature of the devices:
- RX, TX or both?
- Frequency in use
- Modulation mechanism
- TX power (when applicable)

Workbook Lab 15 - Other Wireless Analysis

Pages 15-1 – 15-3

Pick Your Target(s) .......... 2-46


617.6 Module 24: EAP and Cipher Suite Selection .......... 3-1 ----- 3-24

Recommendations and guidance on selecting authentication and encryption methods

Introduction .......... 3-2
Selecting an EAP Type .......... 3-3
EAP / TLS .......... 3-4 – 3-5
PEAPv0 / EAP-MSCHAPv2 “PEAP” .......... 3-6 – 3-7
PEAPv1 / EAP-GTC “The Other PEAP” .......... 3-8 – 3-9
PEAPv2 / Generic “PEAP-TLV” .......... 3-10 – 3-11
TTLS .......... 3-12
EAP-FAST (1) .......... 3-13
EAP-FAST (2) .......... 3-14 – 3-15
PEAP-EAP-TLS .......... 3-16
EAP Summary .......... 3-17
TKIP Features .......... 3-18
CCMP Features .......... 3-19
WPA vs. WPA2 .......... 3-20
WPA2 Advantages Over WPA .......... 3-21 – 3-22
Summary .......... 3-23 – 3-24

Additional Reading:

George Ou blog on EAP mechanisms with respect to their acceptance as “secure” by the Wi-Fi Alliance - http://blogs.zdnet.com/Ou/?p=67

George Ou blog on EAP-FAST titled “EAP-FAST: The LEAP and PEAP Killer?” - http://www.bandwidthco.com/whitepapers/netforensics/wireless/leap-peap/EAP-FAST%20The%20LEAP%20and%20PEAP%20killer.pdf

A review of the differences between WPA and WPA2 - http://www.networkworld.com/columnists/2006/091106-wireless-security.html


617.6 Module 25: Configuring and Securing Wireless Clients .......... 4-1 ----- 4-27

Managing Client Configuration Settings and Security Properties

Introduction .......... 4-2
Assumptions so Far .......... 4-3
Client Certificate Trust .......... 4-4
Windows Root CAs .......... 4-5
Adding a New Root Authority .......... 4-6
Manual Certificate Distribution .......... 4-7
Group Policy Automation .......... 4-8
Import Root Certificate .......... 4-9
Client Wireless Settings .......... 4-10
Configuring Clients with GPO .......... 4-11
Editing GPO Object .......... 4-12
Adding Wireless Network Policy .......... 4-13
GPO Wireless Policy Settings (1) .......... 4-14
GPO Wireless Policy Settings (2) .......... 4-15
GPO Wireless Policy Settings (3) .......... 4-16
GPO Wireless Policy Settings (4) .......... 4-17 – 4-18
GPO Wireless Policy Settings – PEAP .......... 4-19 – 4-20
GPO Wireless Policy Settings – EAP / TLS .......... 4-21
Third-party Deployment Tools .......... 4-22
Odyssey Client Manager .......... 4-23
Odyssey Client Administrator .......... 4-24
New Odyssey Client Installer .......... 4-25
Configuring WZC in Scripts .......... 4-26
Summary .......... 4-27


617.6 Appendix: Deploying a Certificate Authority .......... A-1 ----- A-25

Using OpenSSL or Windows 2003 Server

Introduction .......... A-2
OpenSSL Installation .......... A-3
OpenSSL Basics .......... A-4
Setting up the CA Environment .......... A-5 – A-6
OpenSSL Configuration File .......... A-7 – A-8
Windows XP OID Extensions .......... A-9
Generate the Root CA (1) .......... A-10 – A-11
Generate the Root CA (2) .......... A-12
Generate the Root CA (3) .......... A-13
Generate the CSR (1) .......... A-14
Generate the CSR (2) .......... A-15
Sign the CSR (1) .......... A-16
Sign the CSR (2) .......... A-17
Sign the CSR (3) .......... A-18
Windows 2003 Server CA .......... A-19
Win2k3 Type Wizard .......... A-20
Win2k3: Generate CSR .......... A-21
Request CSR - IIS 6.0 .......... A-22
Win2k3: Sign CSR .......... A-23
Win2k3: Sign CSR (2) .......... A-24
Summary .......... A-25

Book 617.6 Wireless Security Strategies and Implementation

– END –