In air they wander, we exist to blow their cover!!!!

Download Report

Transcript In air they wander, we exist to blow their cover!!!! 

In air they wander, we exist to blow their cover!!!!
{An approach to evil twin detection from a normal user side}
0
Forewords
Who we are???
 Amrita C. Iyer
 Senior QA Associate.
 Who kills boredom by fuzzing applications.
i[dot]c[dot]amrita[at]gmail[dot]com
 Rushikesh D. Nandedkar
 Information Security Researcher.
 nandedkarhrishi[at]gmail[dot]com
Agenda








Introduction and some details
The Evil Twin
Fuzzed Packet Approach
Things we learned
Related work
Potential approaches
Conclusions
Acknowledgements
1
Introduction and some details
Overview
What .11 is blamed for?
Victims
.11 modes
Stumbling and Sniffing
Scanning
How?
What .11 is blamed for?
 A hole in the network perimeter (open
wireless networks, wep, bad configs).
 Loose link in client’s security:
 Offensive rogue access points
 Eavesdropping in socially dense areas
 Connectivity messups
?
 So, a lot of mess and mash in the air 
 And as a matter of fact,
“These all deeds are not very much
detectable, generally!”
Victims!!!
(1) Courtesy to the omnipresence and ease of
access of wireless:
 Mobile phones
 Cameras
 Printers
 Gaming consoles
 Laptops, desktops …. …. …. ….
More and more places to be equipped with wi-fi.
Victims!!!
(2) The perimeter generals:
 UTMs
 Packet Analysers
All in all, many victims ………………..… awaiting
exploitation  !
.11 modes
The 802.11 hardware can be operated in
many modes:
I.
II.
III.
IV.
Managed: acts as a station
AdHoc: acts as an AdHoc station
Master: acts as an access point
Monitor (RFMON): shows everything seen by
radio. (synonymous to promiscuous mode in
.3)
Stumbling and Sniffing
 Stumblers query the card firmware to see what
networks are detectable in the local radio
periphery.
 Pros: Don’t require special drivers.
 Cons:
• See less number of networks
• Can not capture data packets.
Source: Dragorn, Kismet Presentation.
….
 Sniffers like Wireshark, Tcpdump or Kismet
are capable of capturing raw data frames.
 Sniffers can capture data packets.
 Broadly operates in monitor mode.
Source: Dragorn, Kismet Presentation
Scanning
In our context of discussion, scanning is
referred to the activity where we are
discovering access points in local radio
periphery.
How ?
 Probe requests/responses.
 Beacon frames.
 Combination of probes and beacons.
2
The Evil Twin
Overview
Who is Evil Twin?
Some Terms…
Where to find them all together?
Some boring text on Evil Twin
So much of concern.. uh!
Stats from Black Hat US 2013
Defending clients on open AP is very hard !
~Mike Kershaw, BH-DC- 2010.
We tried understanding this statement in
more depths.
And eventually we happened to meet the
wireless predator…
The Evil Twin
Who is Evil Twin??
Some terms….
 Access Point
 SSID
 Station/Host/Node
Where to find them all together?
Open Wireless Networks:
 Basic IEEE 802.11 implementation.
 Never does any exchange of any secret.
 Airports, cafes, colleges, offices etc.
23 Of 34
Some boring text on Evil Twin
 A phishing Wi-Fi AP that looks like a legitimate
one (with the same SSID).
 Typically occurred near free hotspots, such as
airports, cafes, hotels, and libraries.
 Hard to trace since they can be launched and shut
off suddenly or randomly, and last only for a short
time after achieving their goal.
So much of concern.. uh!
Stats from Black Hat US 2013
Time frame, 24 hours.
Number of legitimate devices found, 1300.
Number of rogue devices found, 1900.
Number of Users found for keynote session,
3500.
3
Fuzzed Packet Approach
Overview
What is fuzzing?
Assumptions
Which fields are of interest?
Scapy usage.
Results.
What is fuzzing?
 Fuzzing is a software testing technique. The basic idea
is to attach the inputs of a program to a source of
random data (“fuzz”). If the program fails (for
example, by crashing, or by failing built-in code
assertions), then there are defects to correct.
[WIKIPEDIA]
 Fuzzing is a Black Box software testing technique,
which basically consists in finding implementation
bugs using malformed data injection in automated
fashion. [OWASP]
Assumptions
 Host wireless network interface card is up and
tuned on monitor mode.
 Packet injection is working.
 Host has aquired an IP address on the
suspected AP’s network.
Parameters of interest!!!
Source : nmap.org
Parameters of interest!!!
Source : nmap.org
Parameters of interest!!!
Source : nmap.org
Scapy usage
 Scapy is python module/library.
 Used as a packet manipulation program.
 Helps write, read and inject packets and frames
as per the user’s imagination.
 More information is at
http://secdev.org/projects/scapy .
….
What did we use:
 conf.iface= “mon0”
 i= IP(dst=“IP address of Suspecious AP”,
chksum=1234)
 Legit checksum= 4567
 sr(i/TCP(chksum=2498, flag= 0x01))
 Legit checksum= 2345
 Bad checksm, Fin flag.
Results
 Response from Legitimate AP,
 RST
 Response from Rogue AP,
 No response
 Same old scanning logic:
 Unsolicited Fin should be dropped and RST be
sent in response.
 In case of Rogue AP, somehow kernel may not
be behaving this way and accepting packet.
4
Things We Learned
Things we learned…
 The behavior of the wireless network interface
card.
 Confirming live distro and cancelling usage of
the VMs.
 Alfa cards worked great but Intel built-in
chipsets and Cisco wireless adaptors were also
competent.
 Yet another way to understand the wireless
networks.
5
Related Work
Related work
1. RF Monitoring
2. Wired and wireless connection
consideration
RF Monitoring (1)
 Monitors RF and gathers information at
Switches and Routers .
 Compares with known authorized list.
 Eg. Airdefense, scans intranet RF and
compares fingerprint.
RF Monitoring (2)
 An approach where dedicated sensors are
used for scanning.
 They use parameters like SSID, MAC,
location information etc.
 The information collected based on the
above said parameters is compared against
a verified list.
RF Monitoring (3)
 Sends a verifier packet
 If received by internal sensor, AP is internal
and hence evil twin.
Source: Raheem Beyah and Aravind Venkataraman, IEEE
Security & Privacy Magazine, Vol. 9, No. 5, 2011.
Wired and wireless connection
consideration (1)
 Checks connectivity, is it wired to wireless
(auth), wireless to wireless(auth), wired to
wireless (unauth), by host.
 They refer to the prepopulated authorization
list.
 The parameters they take in account are,
round trip time, entropy etc. and the statistical
analysis performed on them.
Wired and wireless connection
consideration (2)
 Another approach calculates clock skew of the
access point and builds the relevant
fingerprint.
 Later these details are used in some machine
learning algorithms for training detection
models.
Source: Jana et. al.
Wired and wireless connection
consideration (3)
 Proposes a model named ET sniffer.
 Counts the round trip time for a packet to
travel from host to server.
 Differentiates on the basis of packet travelled
on the wireless link and on wired link.
 Assumes that wired link is always one hop
away.
Source: Yang et. al.
Wired and wireless connection
consideration (4)
 Proposes a model named WiFiHop.
 Sends a watermark packet (know only to user)
to the internet.
 Listen on the channel to find the existence of
the watermark packet.
 If found, evil twin is detected.
 Overcomes the problem where packet is
travelling through more than one wireless
hops.
Why we need one more approach?
 Existing approaches has certain limitations. Majority of
them implements some special hardware or setup to make
the detection work, which sometimes requires highest
level privileges.
 The approaches existent, are initially designed by taking in
account Wireless Network Admin as a detecting authority
but not the normal user.
 Fuzzed packet approach
 User side approach.
 Works with WNIC available with our laptops.
 Uses scapy which is readily available in backtrack.
6
Potential Approaches
Potential Approaches
 Still there lies a potential in protocols like
IGMP, BGP to build intelligence about the rogue
access point.
 Maybe use of techniques similar to “traceroute”
to know the wired transfer time and then
exclude/subtract them to minimize the noisy
effect at wired side.
 Mobile implanted WiFi tethered hotspots are
yet to be tested with our approach and stand a
strong contender to legitimate access point and
rogue access point as well.
7
Conclusion
Conclusion
 We have proposed an investigator packet,
Malicious Access point Nailing Utility (MAN_U),
which in response from access point will deliver the
result whether the access point is legitimate or
rogue.
 With an economical mundane setup, a normal user
is able to detect evil twin. No specific admin/access
rights are needed.
 Along with the proposed approach, we have been
working on few more approaches.
 The complete work is submitted for patent and is
under procedure.
8
Acknowledgements
Acknowledgements
Vivek Ramachandran (Wireless Security
Megaprimer).
Joshua Wright, Phil Biondi (Scapy mailing
list).
Laurent butti (Wi-Fi Fuzzing).
Michael Ossmann (HackRF).
Dr. U. V. Kulkarni (Guide).
Dr. Nandakishor Ranade (Mentor).
/../ThankYou/../