Martin Suess
martin.suess@csnc.ch
GLÄRNISCHSTRASSE 7
POSTFACH 1671
CH-8640 RAPPERSWIL
Tel.+41 55-214 41 60
Fax+41 55-214 41 61
team@csnc.ch www.csnc.ch
WiFi Exploited
Agenda
- Introduction
- WiFi Security Measures & Threats
- Demo
- MadWifi Exploited
- Remedy?!
- Probability of an attack
- Remediation
WiFi Security & Threats
[Diagram: "Internet" label with question marks]
Packet Injection - MadWifi
- MadWifi
  - Open-source wireless driver for Atheros-based wireless LAN NICs
  - Platforms
    - Various Linux distros
    - Mac OSX (part of OSX, user cannot really do much)
- Well-known wireless LAN drivers/chipsets
  - Madwifi (Atheros chipset)
  - Prism
  - ...
- Solution: Driver abstraction framework LORCON!
  - http://802.11ninja.net/lorcon

[Diagram labels: Application 1, Application 2, hardware..., LORCON, every driver, madwifi[ng|old], prism54, wlan-ng, hostap, airjack, ...]
- Valid SSID IE
- Overlength SSID IE

[Diagram labels: Application 1, Application 2 (HTTP 200....), Operating System, Kernel, Driver, Network Interface, Other Hardware, 802.11 Frame]

Playing with 802.11[a|b|g]
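The slides contrast a valid SSID IE with an overlength one. As an added example (not code from the slides or from MadWifi), this is the receiver-side bounds check for that case when walking the information elements of a management frame. The names `parse_ies`, the status codes and the sample byte arrays are assumptions constructed for illustration; the 32-byte SSID limit comes from IEEE 802.11.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID       0   /* element ID of the SSID IE */
#define SSID_MAX_LEN 32   /* maximum SSID length in IEEE 802.11 */
enum ie_status { IE_OK = 0, IE_TRUNCATED = -1, IE_SSID_OVERLENGTH = -2 };

/* Constructed sample inputs (hypothetical, not captured traffic). */
static const uint8_t valid_ie[] = { 0x00, 4, 't', 'e', 's', 't', 0x01, 1, 0x82 };
static const uint8_t overlength_ie[2 + 40] = { 0x00, 40 };  /* length 40 > 32 */
static const uint8_t truncated_ie[] = { 0x00, 8, 'a' };     /* value cut short */

/* Walk the (ID, length, value) elements and copy the SSID into a fixed
 * buffer only after checking the sender-controlled length byte against
 * both the remaining input and the destination size. */
int parse_ies(const uint8_t *ies, size_t len,
              uint8_t ssid[SSID_MAX_LEN], size_t *ssid_len)
{
    size_t off = 0;

    *ssid_len = 0;
    while (off < len) {
        if (len - off < 2)
            return IE_TRUNCATED;            /* no room for ID + length */
        uint8_t id = ies[off];
        uint8_t ie_len = ies[off + 1];
        off += 2;
        if (ie_len > len - off)
            return IE_TRUNCATED;            /* value runs past the frame */
        if (id == IE_SSID) {
            if (ie_len > SSID_MAX_LEN)
                return IE_SSID_OVERLENGTH;  /* would overflow ssid[] */
            memcpy(ssid, ies + off, ie_len);
            *ssid_len = ie_len;
        }
        off += ie_len;
    }
    return IE_OK;
}

int main(void) {
    uint8_t ssid[SSID_MAX_LEN]; size_t n;
    printf("valid: %d\n", parse_ies(valid_ie, sizeof valid_ie, ssid, &n));
    printf("overlength: %d\n", parse_ies(overlength_ie, sizeof overlength_ie, ssid, &n));
    printf("truncated: %d\n", parse_ies(truncated_ie, sizeof truncated_ie, ssid, &n));
    return 0;
}
```

A frame that fails either check should be dropped and counted, since a run of rejected overlength SSID IEs is a useful signal for wireless monitoring.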
Finding Vulnerabilities – Demo
- packet_sender
  - based on LORCON -> works with many drivers
  - self-coded -> better knowledge of functionality
  - more protocol-aware -> fuzzing more effective
MadWifi Exploited
[Diagram: Environment. Labels: EXPLOIT, Shellcode connects back, root@victim# _]
Remedy?!
- Best effort
  - Disable wireless devices whenever possible
  - Keep reading the news with an eye on driver vulnerabilities
  - Regularly apply patches
  - Avoid public wireless networks and use wired networks instead
  - Work as a low-privileged user
- MadWifi: http://madwifi.org/
- LORCON: http://802.11ninja.net/lorcon
- Airbase: http://www.802.11mercenary.net/
- Milw0rm: http://www.milw0rm.org/ and http://www.milw0rm.org/exploits/3389
- Metasploit: http://www.metasploit.org/

AP: Access Point