
WiFi Exploitation: How passive interception leads to active - PowerPoint PPT Presentation



  1. WiFi Exploitation: How passive interception leads to active exploitation
  SecTor Canada
  Solomon Sonya, @Carpenter1010
  "The problem always seems to become more tractable when presented with the solution…" (Solomon Sonya, @Carpenter1010)

  2. What to Expect
  - Hand-Waving!
  - Intro / Background
  - Building Knowledge Requirement
  - Deep Dive into 802.11 Protocol
  - Developing the Sensor
  - Live Demos!
  - Tagging and Geotracking people
  - 802.11 Vulnerability Exposure
  - Security Protocol Enhancement
  - Future Work
  - Questions
  Image: http://logout.hu/dl/upc/2011-06/230806_gremlin_in_my_computer-lyvind_berget.jpg, Retrieved 17 Sep 13
  WiFi Leakage: How passive interception leads to active exploitation * Solomon Sonya * @Carpenter1010

  3. Whoami …
  Solomon Sonya, @Carpenter1010

  4. Security at Present…
  - How far have we come? Is it good enough?
  - Discovered vulnerabilities are fixed with patches
  - Known malware removed with AV (signature based)
  - Emerging malware "detected" via baselining (anomaly)
  - Digitally signed software
  - We still believe "Detection is the key"
  - Avg malware lifespan (depending on source): still ~294-300+ days!
  - Fallacy with Security:
    - Current [incorrect] view: start-state is secure, bolt on security from here
    - We'll remain ahead of the adversary ;-)

  5. Anatomy of a Cyber Attack
  Stages (as drawn): Reconnaissance, Scanning, Penetration, Pivot, Privileges++, Pillage, Paralyze, Stealth & Cover Tracks, Persistence
  Source: Solomon Sonya @Carpenter1010

  6. Updated Anatomy of a Cyber Attack
  Stages (diagram): Reconnaissance/Research (Active & Passive), Penetration, Privileges++, Pivot, Pillage, Paralyze, Evade Detection, Maintain Access
  Techniques shown on the diagram: Social Engineering, Water-Hole, Drive-By, Phishing, Ping Sweep, ARP Scan, Port Knock, DNS Lookups, IP Reservations, Stage Exploits, Scan Targets, XSS, Protocols, Trojan, Management Protocols, Insider, Embedded Devices
  Source: Solomon Sonya @Carpenter1010

  7. Security of the Future
  - Root of the problem lies with how security is considered during creation and deployment:
    - Bolted-on vs. built-in approaches
  - Integration of Smart Devices
  - A country's greatest spy
  - IoT … Are we ready?

  8. Cell Phones: A country's greatest spy
  - When was the last time you audited the permissions granted to your apps?
  - Is all of this necessary to show a light? (I would avoid apps like these!) Really?!!!
  Source: http://www.snoopwall.com/wp-content/uploads/2014/10/Flashlight-Spyware-Appendix-2014.pdf

  9. Thought Question…
  Even if we secured it all… what are we still doing to secure the protocols these devices use to communicate?

  10. How did we get here…
  - Researching threat intelligence last year
  - Sitting at an airport en route to a conference, watching people pass by, I wondered whether I could determine a priori where each person was coming from…
  - Knew people usually carry a cell phone, smart device and/or laptop when travelling, and these devices are constantly probing to connect to a known network
  - Hacker's Mantra: "I wonder what happens if…"

  11. The Research has begun!
  - Developed the following research questions to direct the new research project:
    - Is it possible to intercept PNL (preferred network list) probes to fingerprint certain people?
    - If so, can a profile be created to reveal the area of habitation (likely places of work, living and play)?
    - Can we determine a likely device and alert on likely "places of interest", such that we can identify a person who works/lives at specific places? (Think Intel, Google, military, etc.)
    - Can we expand the profile on a person to determine their previous geolocations, SSIDs and activity times within an area, such that we know when to expect a person within a particular area? (Think home and work, etc.)
    - Having determined each device's PNL, can we establish a rogue AP and MiTM a user's device to route all traffic through our machine without the victim's knowledge?!!!!
  - Spoiler Alert: YES YOU CAN!!!! Let's see how!

  12. Initial Knowledge Required…
  - 802.11 Frames:
    - Management Frames: set up and maintain communications
      - Authentication, Deauthentication
      - Association, Disassociation
      - Synchronization messages: Probe, Beacon
    - Control Frames: assist in frame delivery and reduce collisions
      - Acknowledgements, Request/Clear to Send, Block, Poll, End
    - Data Frames: transport data from higher layers (HTTP, etc.)
  - 802.11 Client Authentication Process

  13. Initial Knowledge Required…
  - Distributed Computing (efficiency, optimization, updates)
  - Socket Programming (connections, tokenization)
  - Threads
  - Wrappers (worker process, conversion, parsing, encryption, etc.)
  - Coding not your thing? No problem, just use Theia! Demo coming in a few slides from now!

  14. Deep Dive: Management Frames - 1
  - Request / Response Frames
  - Authentication Frame: a network member (wireless device NIC) signifies its intention to join membership with the access point (AP)
  - Deauthentication Frame: the access point sends this frame to a member to terminate the <secure> connection
    - This packet must be accepted and immediately terminates communications
  - Association Frame: synchronize resources between AP and NIC
    - NIC exchanges supported data rates, SSID, encryption protocol
    - If accepted, the response from the AP allows the NIC to communicate with the AP
    - Reassociation is similar; used when the NIC roams to an AP with a stronger signal
  - Disassociation Frame: the NIC wishes to gracefully terminate the association to allow the AP to reallocate memory

  15. Deep Dive: Management Frames - 2
  - Probe Request Frame *** (think Marco… Polo…)
    - NIC queries for available APs, or for a specific AP with a given SSID, within range
    - Transmitted on every channel the NIC supports to discover every compatible AP and any AP with the requested SSID
    - Supports roaming (with reassociation) to maintain an established connection
  - Probe Response ***
    - APs respond to requesting clients and provide synchronization information (data rates, SSID*, encryption protocol, etc.)
    - Cloaked: the AP will respond only if the probe includes the correct SSID
    - Discover a cloaked AP when an associated member joins and probes for the "hidden" SSID
  - Beacon Frame ***
    - AP periodically broadcasts its presence and connection information (BSSID, supported data rates, encryption protocol, SSID if not hidden)
    - Cloaked: the AP sends beacons but omits the SSID

  16. Deep Dive: Control / Data Frames
  - Control Frames
    - Optional frames: Request to Send (RTS) and Clear to Send (CTS)
    - Reduce frame collisions
    - Not too common, but seen when the AP has a hidden SSID
  - Data Frames
    - Transport data frames after the NIC has associated with the AP

  17. 802.11 Pertinent Frame Subtype Identifiers
  - Authentication 0x0b
  - Deauthentication 0x0c
  - Association Request 0x00
  - Association Response 0x01
  - Reassociation Request 0x02
  - Reassociation Response 0x03
  - Probe Request 0x04 *** (NIC is in the area)
  - Probe Response 0x05 (now know an AP is in the area)
  - Beacon 0x08 (now know an AP is in the area)
  - Request to Send (RTS) 0xb0 (usually present with hidden APs)
  - Clear to Send (CTS) 0xc0
  - Control and Data frames handled in future research
  - More Info: https://supportforums.cisco.com/document/52391/80211-frames-starter-guide-learn-wireless-sniffer-traces

  18. So… What do we do with this information?
  Let's bring it together by understanding the 802.11 Authentication Process and PNL, and then let's demo!

  19. Client Authentication Process and PNL
  Diagram (Device <-> Access Point, over time):
  - Client Authentication Process, exchanges shown: Probe (BROADCAST), Beacon, Probe Response, Authentication Response, Association Response
  - Client Probe Activity: the device probes for NETGEAR, linksys, Free_Airport_WiFi
  - The device routinely probes to discover available access points in the area and rejoin previously associated networks
  Images: http://www.alohaorganizers.com/4-productivity-tools-already-exist-iphone/
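As an added example that is not part of the talk or of the Theia sensor, the Python below decodes the frame-control byte using the subtype codes from slide 17 and audits the probe activity drawn on slide 19 from the monitoring side: it reconstructs which SSIDs each client leaks through directed probe requests and flags deauthentication bursts, the two signals a wireless IDS would alert on. All frame bytes and MAC addresses are constructed inline; the slide lists RTS/CTS as 0xb0/0xc0, i.e. the subtype nibble in the high position, which is how the decoder reads the byte.

```python
from collections import Counter, defaultdict
# Subtype codes from the slide's table: management frames are type 0, RTS/CTS are type 1
MGMT = {0x0: "assoc-req", 0x1: "assoc-resp", 0x2: "reassoc-req", 0x3: "reassoc-resp",
        0x4: "probe-req", 0x5: "probe-resp", 0x8: "beacon", 0xb: "auth", 0xc: "deauth"}
CTRL = {0xb: "rts", 0xc: "cts"}

def parse_ssid(ies):
    """Walk the tagged parameters; element ID 0 is the SSID ('' means a wildcard probe)."""
    i = 0
    while i + 2 <= len(ies):
        eid, ln = ies[i], ies[i + 1]
        if eid == 0:
            return ies[i + 2:i + 2 + ln].decode("utf-8", "replace")
        i += 2 + ln
    return None

def classify(frame):
    """Return (kind, transmitter MAC, ssid) decoded from the frame-control byte."""
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4     # bits 2-3 = type, bits 4-7 = subtype
    if ftype != 0:                                 # control or data frame; no SSID to read
        return (CTRL.get(subtype, "ctrl") if ftype == 1 else "data"), None, None
    kind = MGMT.get(subtype, "mgmt-%x" % subtype)
    src = frame[10:16].hex(":")                   # addr2 = transmitter, the probing device
    body = frame[24:]                              # 24-byte MAC header precedes the body
    if kind in ("beacon", "probe-resp"):
        body = body[12:]                           # skip timestamp(8), interval(2), capability(2)
    ssid = parse_ssid(body) if kind in ("probe-req", "probe-resp", "beacon") else None
    return kind, src, ssid

def audit(frames, deauth_limit=5):
    """Defender view: clients leaking their PNL via directed probes, and deauth floods."""
    pnl, deauths = defaultdict(set), Counter()
    for f in frames:
        kind, src, ssid = classify(f)
        if kind == "probe-req" and ssid:           # a directed probe names a remembered network
            pnl[src].add(ssid)
        elif kind == "deauth":
            deauths[src] += 1
    floods = {m for m, n in deauths.items() if n >= deauth_limit}
    return {m: sorted(s) for m, s in pnl.items()}, floods

def mgmt_frame(subtype, src, body=b""):
    """Constructed management frame: broadcast addr1, src as addr2, zeroed BSSID and sequence."""
    return bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + src + b"\x00" * 8 + body
def ssid_ie(name):
    return bytes([0, len(name)]) + name
CLIENT = bytes.fromhex("02aabbccddee")             # constructed, locally administered MAC
SAMPLE = [mgmt_frame(0x4, CLIENT, ssid_ie(s)) for s in (b"NETGEAR", b"Free_Airport_WiFi", b"")]
SAMPLE += [mgmt_frame(0xc, CLIENT)] * 6            # six deauths from one sender: a burst
```

Running `audit(SAMPLE)` reports the client's two remembered SSIDs (the wildcard probe is ignored) and lists its MAC among the deauth floods.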

  20. Let's Build the Sensor!
