802.11 tips and threats @090h

Oleg Kupreev - 802.11 tricks and threats



7iP5 Li57

1. Conditions: weather/time/other
2. Antenna inside and outside
3. HW
4. SW
5. RF
6. Channel plan(s)
7. “Good” news 4 everyone (CRDA, Syste.md)
8. TP-Link 722n as hamradio
9. 802.11 @ OS X
10. Some stupid phun if some time remains

Independent conditions

Weather:
• H2O + RF = ? Remember borsch in microwave.
• WWW - Wardriving/Warwalking/Warsitting 8). IT’S TiME TO HACK!!
• DFS*
Happy hours:
• WEP - anytime
• WPS - night
• WPA-Personal - evening
• WPA-Enterprise – 9:00 or when normal people come to the job? 8)
Other:
• Depends on your neighbors, interference, PRNG, ISP, etc.

Antenna types

• Omnidirectional
• Uda Yagi
• Panel
• Parabolic
• Sector

Omnidirectional antenna

Omnidirectional Antenna RF Gain Pattern

Uda Yagi

Use “Uda Yagi Calculator” 4 DIY*

Omnidirectional Antenna RF Gain Pattern

Hardware

• No silver bullet. TP-Link TL-WN722N best choice for beginner.
• WPS brute -> Alfa AWUS 036H
• Handshake capturing -> MIMO card. MAC80211 + Ralink chips rule.
• Deauth -> Any MAC80211 compatible card
• KARMA + custom soft -> TP-Link: 3020, 3040, 3220, 4300
• WiFi Pineapple -> MARK IV, MARK V
• Google Nexus (Kali Nethunter compatible)
• INJMON_WITHOUT_EXTERNAL_CARD -> Nokia N900, N9

Software

• Kali, Kali Nethunter, BlackArch, ArchAssault
• kismet, horst
• Aircrack-NG, Pyrit, cowpatty
• reaver-wps, WPSPIN.sh, wpscrack, Bully, pixie-wps, WPSIG
• Wifite (forked)
• KARMA, MANA, Hostapd-WPE
• https://github.com/0x90/wifi-arsenal
• https://github.com/0x90/wps-scripts

- RF?

- No… 8(

- 2.4GHz, 5GHz!

RF

• 700 MHz – ITS in Japan
• 900 MHz (802.11ah) – US unlicensed
• 2.4 GHz (802.11b/g/n) – everyone uses @ home
• 3.6 GHz, 4.9 GHz (802.11y) – US, Public Safety WLAN. 50 MHz of spectrum from 4940 MHz to 4990 MHz (WLAN channels 20–26) are in use by public safety entities in the US.
• 5 GHz (802.11a/h/j/n/ac) – 802.11ac is what you should use @ home
• 5.9 GHz (802.11p) – Wireless Access in Vehicular Environments (WAVE), ITS in EU
• 60 GHz (802.11ad) – WiGig. 7 Gbit/s, 10 m, beamforming, HDMI over WiFi

Channels, plans and the world.

802.11b channel center frequency

802.11b

• Channel 1
• Channel 6
• Channel 11
• Channel 14

802.11g/n (20 MHz)

• Channel 1
• Channel 5
• Channel 9
• Channel 13

802.11g/n (40 MHz)

• Channel 1+5 (Upper)
• Channel 5-1 (Lower)
• Channel 5+9 (Upper)
• Channel 9-5 (Lower)
• Channel 9+13 (Upper)
• Channel 13-9 (Lower)

2.4GHz channel plan

2.4GHz channel plan for US

Channel plans

Theory:
• US => 1,6,11
• WORLD => 1,5,9,13
IRL fcukups:
• wtf is channel plan?
• 40 MHz bandwidth will give me more speed!
• More AP power will give me more speed!
• More antennas will give me more speed!
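The arithmetic behind the two plans and the 40 MHz bonding slide, as an added example (not code from the talk): 2.4 GHz channels 1-13 sit 5 MHz apart starting at 2412 MHz, 802.11b DSSS occupies 22 MHz per channel while g/n OFDM occupies 20 MHz, which is exactly why 1,6,11 is the only clean 802.11b plan and 1,5,9,13 only works for g/n. The 5 GHz part uses the slide's own brief for Russia (channels 36-64 and 136-165) as the allowed list; everything else is standard IEEE 802.11 numbering.

```python
# Added example (not from the slides): 2.4/5 GHz channel arithmetic behind the
# "1,6,11 vs 1,5,9,13" plans and the 40 MHz bonding slide.
# Channel numbering follows IEEE 802.11; the allowed 5 GHz ranges at the bottom
# are the slide's own brief for Russia (36-64, 136-165).

def center_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel: 1-13 are 5 MHz apart from
    2412 MHz; channel 14 (Japan, 802.11b only) is an outlier at 2484 MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def center_mhz_5ghz(channel: int) -> int:
    """5 GHz channels (36..177) are numbered as (f - 5000) / 5."""
    if not 36 <= channel <= 177:
        raise ValueError(f"not a 5 GHz channel: {channel}")
    return 5000 + 5 * channel


def overlaps(a: int, b: int, width_mhz: int) -> bool:
    """Two channels of the same width share spectrum when their centers are
    closer than one channel width. 802.11b DSSS occupies 22 MHz, 802.11g/n
    OFDM 20 MHz, which is why 1,5,9,13 works for g/n but not for b."""
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz


def non_overlapping(plan, width_mhz: int = 20) -> bool:
    """True if no two channels in the plan overlap."""
    chans = list(plan)
    return all(not overlaps(x, y, width_mhz)
               for i, x in enumerate(chans) for y in chans[i + 1:])


def bonded_40mhz(primary: int, secondary: int):
    """40 MHz HT channel built from a primary and a secondary 20 MHz channel
    4 channel numbers (20 MHz) apart. Returns (center_mhz, 'Upper'|'Lower'),
    matching the slide's 'Channel 1+5 (Upper)' / 'Channel 5-1 (Lower)' labels."""
    if secondary - primary == 4:
        side = "Upper"
    elif primary - secondary == 4:
        side = "Lower"
    else:
        raise ValueError("secondary must be exactly 4 channels above or below primary")
    return (center_mhz(primary) + center_mhz(secondary)) // 2, side


# Slide's brief for Russia: 802.11a/h/j/n channels 36-64 and 136-165.
RU_5GHZ_RANGES = ((36, 64), (136, 165))


def allowed_5ghz(channel: int, ranges=RU_5GHZ_RANGES) -> bool:
    """Check a 5 GHz channel against a list of inclusive (low, high) ranges."""
    return any(lo <= channel <= hi for lo, hi in ranges)


if __name__ == "__main__":
    for plan, width in (([1, 6, 11], 22), ([1, 5, 9, 13], 20), ([1, 5, 9, 13], 22)):
        print(plan, f"@ {width} MHz non-overlapping:", non_overlapping(plan, width))
    print("1+5 bonded:", bonded_40mhz(1, 5))
    print("channel 100 allowed in RU brief:", allowed_5ghz(100))
```

Running it prints that 1,6,11 is clean at 22 MHz, 1,5,9,13 is clean at 20 MHz but not at 22 MHz, and that the 1+5 bond is centered at 2422 MHz; note that a 40 MHz bond in 2.4 GHz eats two of the four non-overlapping g/n channels, which is the "40 MHz will give me more speed" fcukup from the slide.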

Interference indoor

Gr337z fly 2 JBFC

5GHz around the world

Meanwhile in Russia

Also, pursuant to the protocol note to the decision of the ГКРЧ (State Commission on Radio Frequencies) of 19 August 2009 No. 09-04-09, the ГКРЧ decided[16] (item 2): to allocate the radio frequency bands 5150-5350 MHz and 5650-6425 MHz for use on the territory of the Russian Federation, except for the cities listed in Appendix No. 2 [1], by fixed wireless access radio equipment of citizens of the Russian Federation and Russian legal entities, without issuing separate ГКРЧ decisions for each natural or legal person.
Brief: 802.11a/h/j/n channels: 36-64, 136-165.

5GHz freedom? Depends on weather. DFS.

Country limitations

SYSTEMD? SYSTE.MD

• wlan0 -> wlp3s0
• mon0 -> wlp3s0mon
• wlan1 -> wlp0s20u9
• mon2 -> wlp0s29f7u2mon
• All mon0 based bash scripts fcuked up
• Lorcon + PyLorcon2 broken

ath9k low level

• http://blog.altermundi.net/article/playing-with-ath9k-spectral-scan/
• Ath9k/ath9k_htc open source driver, firmware
• FFT disable
• Channels: -19-

    # pseudocode from the slide
    if ath9k.driver.has_sw_limits() and 'kernel patching' in hacker.skills:
        hacker.patch(ath9k.driver)
        ath9k.channel = -5
        ath9k.power = 30
        ath9k.bandwidth = 5

ath9k spectral scan

• Fluke Spectral Analyser = many $$$
• Atheros AR92XX, AR93XX chips support spectral scan (???)
• http://pages.cs.wisc.edu/~patro/htc_spectral/0003-Update-spectral-scan-calls-to-support-both-ath9k-and.patch
• http://blog.altermundi.net/article/playing-with-ath9k-spectral-scan/

spectral scan plot

ath9k advanced

• echo "$bandwidth" > /sys/kernel/debug/ieee80211/$phy/ath9k/chanbw
• ls /sys/kernel/debug/ieee80211/phy*/ath9k_htc/registers/
• ath9k_htc AP mode client fw limit: https://lists.ath9k.org/pipermail/ath9k-devel/2013-April/010513.html
• echo '1' > /sys/kernel/debug/ieee80211/phy0/ath9k/disable_ani
• iw --debug dev wlan0 info
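The systemd slide and the ath9k debugfs knobs share one practical problem: scripts that hardcode `mon0` or `phy0` break as soon as the interface is renamed, while the debugfs path needs the phy that actually owns the interface. The following added example (mine, not from the talk) resolves both from `iw dev` output instead: it parses the output into interface/phy/type records, lists the interfaces that are in monitor mode, and builds the `.../ath9k/<knob>` path for the knobs named on the slide (`chanbw`, `disable_ani`) without writing anything. The embedded `iw dev` text is a constructed sample in the real tool's layout, using the predictable names from the slide; `live_iw_dev()` fetches the real output when `iw` is available.

```python
# Added example (not from the slides): resolve monitor interfaces and the
# ath9k debugfs path from `iw dev` output instead of hardcoding mon0/phy0.
import subprocess

# Constructed sample of `iw dev` output (same layout as the real tool);
# interface names follow the systemd predictable-name scheme from the slide.
SAMPLE_IW_DEV = """\
phy#0
\tInterface wlp3s0
\t\tifindex 3
\t\twdev 0x1
\t\taddr 00:11:22:33:44:55
\t\ttype managed
\t\tchannel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz
\tInterface wlp3s0mon
\t\tifindex 5
\t\twdev 0x2
\t\taddr 00:11:22:33:44:55
\t\ttype monitor
phy#1
\tInterface wlp0s20u9
\t\tifindex 4
\t\twdev 0x100000001
\t\taddr 66:77:88:99:aa:bb
\t\ttype managed
"""

DEBUGFS_ROOT = "/sys/kernel/debug/ieee80211"


def parse_iw_dev(text):
    """Turn `iw dev` output into a list of {'name', 'phy', 'type'} dicts.
    A 'phy#N' line opens a new phy; each 'Interface X' line belongs to the
    most recent phy and its 'type' line is attached to that interface."""
    ifaces = []
    phy = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("phy#"):
            phy = "phy" + s[len("phy#"):]
        elif s.startswith("Interface "):
            ifaces.append({"name": s.split(maxsplit=1)[1], "phy": phy, "type": None})
        elif s.startswith("type ") and ifaces:
            ifaces[-1]["type"] = s.split(maxsplit=1)[1]
    return ifaces


def monitor_interfaces(text):
    """Names of all interfaces currently in monitor mode (the mon0 replacement)."""
    return [i["name"] for i in parse_iw_dev(text) if i["type"] == "monitor"]


def ath9k_debugfs_path(text, ifname, knob):
    """debugfs path of an ath9k knob (e.g. 'chanbw' or 'disable_ani', both from
    the slide) for the phy behind `ifname`. Only builds the path; writing to it
    needs root and an ath9k phy, which is the caller's business."""
    for i in parse_iw_dev(text):
        if i["name"] == ifname:
            return f"{DEBUGFS_ROOT}/{i['phy']}/ath9k/{knob}"
    raise KeyError(f"no such wireless interface: {ifname}")


def live_iw_dev():
    """Real `iw dev` output, or None if iw is not installed / not runnable."""
    try:
        return subprocess.run(["iw", "dev"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    text = live_iw_dev() or SAMPLE_IW_DEV
    mons = monitor_interfaces(text)
    print("monitor interfaces:", mons)
    if mons:
        print("chanbw knob:", ath9k_debugfs_path(text, mons[0], "chanbw"))
```

A script built this way keeps working after `mon0` becomes `wlp3s0mon`, and the `chanbw`/`disable_ani` writes land on the right phy when more than one card is plugged in.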

802.11 hacking @ OS X

• No INJ, only RFMON => No sending deauth frames*
• Use reaver-wps, aircrack-ng, tcpdump from mac ports
• airport cmd with RFMON support: /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport
• Scapy patched for RFMON @ OSX https://github.com/0x90/scapy-osx
• WPSIK
• PrivateFrameworks: Apple80211, CoreWLAN, etc…
• Horst to be patched

7HR3475

• PWN via MosMetro_Free
• WPS_FAST_PWN = pingen + pixie wps + fork(wifite, reaver)
• KARMA, MANA, HOSTAPD-WPE - pros and cons
• I’LL CALL YOU @ WPA2 PWD (greetings fly 2 d0znpp)

KARMA/MANA/ROGUE AP

KARMA vs MANA

KARMA
• Client -> ProbeRequest ESSID=FreeWiFi
• ProbeReply ESSID=FreeWiFi BSSID=00:13:37…
• + PineAP @ Mark V == beaconizer by ESSID list
MANA
• PNL gathering (capture broadcast)
• Beacon Broadcast
• Hidden SSID
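The two behaviours on this slide are also the two things a wireless IDS can look for, as an added example (my code, not from the talk or the KARMA/MANA projects): a KARMA AP answers a probe request for whatever ESSID the client asks for, so one BSSID ends up probe-responding for many SSIDs, usually ones it never beacons; MANA goes further and beacons the harvested SSID list, so the same BSSID shows up with many beaconed SSIDs. Both heuristics run over constructed frame summaries (subtype, BSSID, SSID) embedded inline; the threshold of three distinct SSIDs per BSSID is an assumption, and a legitimate multi-SSID AP normally uses one virtual BSSID per SSID, which is what keeps it out of the flagged set.

```python
# Added example (not from the talk): defender-side heuristics for spotting a
# KARMA/MANA-style AP in a capture of beacons and probe responses.
# Frame summaries below are constructed, not real captures.
from collections import defaultdict

SAMPLE_FRAMES = [
    # (frame subtype, BSSID, SSID)
    ("probe_resp", "00:13:37:00:00:01", "FreeWiFi"),
    ("probe_resp", "00:13:37:00:00:01", "HomeNet-5G"),
    ("probe_resp", "00:13:37:00:00:01", "CoffeeShop"),
    ("probe_resp", "00:13:37:00:00:01", "Airport_WLAN"),
    ("beacon",     "00:13:37:00:00:01", "FreeWiFi"),
    ("beacon",     "00:13:37:00:00:01", "HomeNet-5G"),
    ("beacon",     "aa:bb:cc:dd:ee:10", "OfficeNet"),
    ("probe_resp", "aa:bb:cc:dd:ee:10", "OfficeNet"),
    ("beacon",     "aa:bb:cc:dd:ee:11", "OfficeGuest"),
    ("probe_resp", "aa:bb:cc:dd:ee:11", "OfficeGuest"),
]


def ssids_per_bssid(frames, subtypes=("probe_resp", "beacon")):
    """Map each BSSID to the set of SSIDs it has beaconed or answered for."""
    seen = defaultdict(set)
    for subtype, bssid, ssid in frames:
        if subtype in subtypes and ssid:
            seen[bssid].add(ssid)
    return dict(seen)


def flag_many_ssids(frames, threshold=3):
    """BSSIDs advertising/answering for >= threshold distinct SSIDs. A real
    multi-SSID AP normally uses a distinct (virtual) BSSID per SSID, so one
    BSSID carrying many SSIDs is the KARMA/MANA signature. Threshold is an
    assumption; tune it to the environment."""
    return sorted(b for b, s in ssids_per_bssid(frames).items() if len(s) >= threshold)


def flag_unbeaconed_answers(frames):
    """BSSIDs that probe-respond for SSIDs they never beacon: classic KARMA
    (reply-only, no beacons for the claimed network) and MANA's reply to a
    directed probe before the harvested SSID reaches its beacon list.
    Returns {bssid: sorted list of such SSIDs}."""
    beaconed = ssids_per_bssid(frames, subtypes=("beacon",))
    answered = ssids_per_bssid(frames, subtypes=("probe_resp",))
    suspects = {}
    for bssid, ssids in answered.items():
        extra = ssids - beaconed.get(bssid, set())
        if extra:
            suspects[bssid] = sorted(extra)
    return suspects


if __name__ == "__main__":
    print("many-SSID BSSIDs:", flag_many_ssids(SAMPLE_FRAMES))
    print("probe-only SSIDs per BSSID:", flag_unbeaconed_answers(SAMPLE_FRAMES))
```

Feeding this from a real capture means extracting subtype, BSSID and the SSID element from management frames (kismet or a scapy sniffer both expose them); the office APs in the sample stay clean because each of their BSSIDs carries exactly one SSID and beacons everything it answers for.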

QUESTIONS? PWN’EM ALL!

@090h/[email protected]

Code @
• http://github.com/0x90/
• http://github.com/dc7499