SecurityTube, Wireless Lan Security Megaprimer notes: part 7 (MAC Filtering)

October 17, 2011, 1:30 am

The SecurityTube video is here.

MAC filtering comes from wired networking. MAC addresses can be spoofed easily. We can sniff packets and find mac addresses. This way we can easily get a valid MAC, spoof it and get access to the network.

0. Turn on MAC filtering on your AP and allow a client (e.g. your iPhone)

1. Perform a capture with wireshark as before.
1.1 Add a filter on the AP address it should look like this: “wlan.addr == APMACADDRESS”
1.2 Add a filter to remove beacon frame (right click type/subtype on a beacon frame, and apply as “and not” filter.

2. Attempt to connect using aireplay:

aireplay-ng --fakeauth 10 -e ESSIDNAME (e.g. SecurityTube) mon0

2.1 Run wireshark while doing the above.
2.2 Check that you can see “Unspecified failure (0x0001)”.

3. Fire up aerodump again, montioring the channel that your AP is on:

aerodump-ng mon0 --channel XX

You should see your AP listed in the first list. Note it’s BSSID here. Then look down the second list, which shows station, you should see the same BSSID. Next to this BSSID will be a station MAC address. Make a note of this MAC address, it’s the client connected to the AP.

4. Try to authenticate using that MAC address:

aireplay-ng --fakeauth 10 -e ESSIDNAME mon0 -h MACADDRESSFROM3

Fire up wireshark while you’re doing this, check that you can see “Successful (0x0000)”.

MAC address filtering is useless!

Tags: , , , ,
Category: Uncategorized  |  1 Comment

SecurityTube, Wireless Lan Security Megaprimer notes: part 6 (Finding hidden SSIDs)

October 17, 2011, 12:13 am

The video is here.

Hidden SSID means, to turn off SSID broadcasting in the beacon frames.

* Beacon frames have NULL in SSID (tag length is 0)

* A security though obscurity technique.

Set your AP not to broadcast it’s SSD, check that the SSID length is 0 in wireshark.

While the beacon frame does not contain the SSID, Probe and association request packets do!

Passive solution: Monitor for connections extract SSID from Probe/association request packets.

Passive Method

aerodump-ng mon0 # Find the access point with ESSID <length: 0>
iwconfig wlan0 channel XX #set the channel of the access point above
wireshark # start a capture as usual, run it in the background
aerodump-ng mon0 --channel <CHANNEL> # fire up aerodump on the channel found above

Now connect a client, aerodump will automatically figure out the network name and show it.

Also take a look at the wireshark dump and see if you can find the SSID.

Active Method

Force the network to send Probe/Association packets. We’re going to force de-authanticate one or all clients.
They will reconnect and then we can grab the SSID.

To send deauthentication packets:

aireplay-ng --deauth 0 -a HIDDENAPMAC mon0

While your running the above command, have aerodump-ng running in another window, you should see the SSID appear here.

Tags: , , , ,
Category: Uncategorized  |  Comment

SecurityTube, Wireless Lan Security Megaprimer notes: part 5 (Dissecting WLAN Headers)

October 16, 2011, 8:58 pm

Vivek’s video is here.

Basic Terminology

STA: Station (Wireless Client)

BBS: Basic Services Set (AP and clients in infrastructure or Ad-Hoc Clients)
* Infrastructure BSS: Setup using Access point
* Independent BSS: Ad-Hoc network

BSSID: Basic Service Set Identifier
* Infrastructure Mode: MAC address of AP
* Ad-hoc Mode: Randomly chosen address by first device. (IBSS)

DS: Distribution System (connects APs in ESS).
* The LAN connecting APs together.

ESS: Extended Service Set (set of BSSs)
* Basically everything (BSSs + DS)

WLAN Packet Header

Looking at a beacon frame (could be any frame)

0. Open a frame in wireshark
0.1 Take a look at the “Frame section”
* Contains meta information about the packet, received time etc.

0.2 Take a look at the “Radiotap Header”
* Received from card
* Signal strength (Useful for intrusion detection, can be used to triangulate clients)
* Channel frequency etc.

0.3 WLAN Headers, open “IEEE 802.11 Beacon Frame” section
* Frame type information (subtype)

1. All WLAN Packets have the following fields:
* Frame Control (2 bytes)
* Duration/ID (2 bytes)
* Address 1 (6 bytes)
* FCS (4 bytes) (Checksum)

1.1 Frame Control:
* Bitfield containing a bunch of information:
* Protocol
* Default value 0, may change with major revision (currently always 0)

* Type/Subtype
* Type – Management, Control or Data frame
* Sub-types of each of these.

* To DS and From DS
* Indicate where the packet is going:

To DS From DS Info
0 0 STA to STA in the same IBSS (ad-hoc) or management and control frame
0 1 Exiting the Distribution System (DS) (e.g. AP to client)
1 0 Entering the DS (e.g. client to AP)
1 1 Used in Wireless Distribution System (WDS, e.g. extending Wifi network)

* More frag: are more fragments of frame following (data and management only).
* Retry: Indicates that this frame is a retransmission (data and management only).

* Power Management: Indicates if client is in power save mode or active mode. (power save e.g. battery)
* More Data: Indicates that there’s more data queued up to be sent.
* Protected frame: Indicates if frame body in encrypted or not.
* Order: Indicates that all frames must be processed in order.

Check you can see all this in wireshark (Type and subtype are shown twice)

1.2 Duration/ID field
* Used to set “NAV” (Network Allocation Vector).
* NAV is the minimum time to wait before transmission
(tells other clients please wait this long for this packet transmission to complete)

1.3 Address fields
* Depends on type/sub-type (Source address, destination address, BSSID address)

1.4 Sequence Control
* Sequence number of the packet AND Fragment number of the packet.

Check you can see all this in wireshark!

1.5 QoS (quality of service)…

1.6 Frame body: The data payload
* management frame information
* data transmission

1.7 FCS: CRC check over the MAC header and Frame body
* Easy to “fix” FCS if we modify the frame.

Tags: , , , ,
Category: Uncategorized  |  Comment

SecurityTube, Wireless Lan Security Megaprimer notes: parts 1 to 4

October 15, 2011, 11:42 pm

These are my notes on Parts 1 to 4 of the security tube wireless security videos here.

I’m using Backtrack verison 5 R1 whereas Vivek is using version 4. The only different so far is that mdk is on the path, so I can just type “mdk” to launch it.

Part 1

This is the wireless device used in all the videos:

Alfa Networks AWUS036H USB Wifi device

* Integrated into Braktrack
* Allows for packet sniffing
* Allows for packet injection
* 1W output

Will also need a AP, two laptops. Some smartphones may be interesting.

Install Backtrack (tutorials use Backtrack 4R2).

Attached the USB Wifi device and connect to VirtualBox if you’re using that.

Part 2

0. Backtrack doesn’t startx, so type startx if you want it.

1. Bring up the wifi card:

ifconfig wlan0 up

2. You need to create a monitor mode interface for monitoring:

airmon-ng # without args shows cards
airmon-ng start wlan0 # creates monitor interface
iwconfig # check that the card is in monitor mode

3. Load Wireshark (at a command prompt type “wireshark”).

4. Start a capture, from the “Capture menu”: Capture->Interfaces->mon0 (start)
4.1 Note: Wireless card can only monitor one channel at a time.
4.2 Note: Different countries have different channels and allowed power levels.

5. You can force card on to specific channel for example:

iwconfig wlan0 channel 1

6. Some tools can hop between channels showing traffic, for example airodump:

airodump-ng --band bg mon0

Part 3: Beacon Frames

Three types of packets: Management, Control, Data (there are subtypes of these too)
You can find a LOT of information here: 802.11 specs: http://standards.ieee.org/about/get/802/802.11.html

Access points are configured with SSIDs. That’s a network name, used for discovery. SSID can be for one AP or multiple APs. To allow clients to find them access points broadcast “Beacon Frames”.

1. Capturing Beacon frames with wireshark:

ifconfig wlan0 up      
airmon-ng start wlan0
wireshark&amp;amp;amp;

2. Examine the beacon frame. Select a beacon frame in wireshark.
2.1 Look at Management frame header.
2.2 Note that there are “Fixed parameters” and “Tagged parameters”
2.3 “Fixed Parameters”: Look in “Capabilities Information”, it tells you if it’s an AP or not.
2.4 “Tagged Parameters”: note you can see supported rates and the device channel. Possibly encryption information.

3. Attackers can inject their own beacon frames! We’re going to show you how.

3.1 We’ll use MDK to create beacon frames. Type the following to get info on mdk:

mdk --help b # shows info about beacon flooding

To broadcast beacon frames, type the following:

mdk3 mon0 -b -n PWNEDSSID

You should be able to see the network PWNEDSSID on other devices!

Part 4: Dissecting AP-Client Connections

Note1: Vivek plays around a lot with wireshark filters in this video, some of it isn’t strictly required, but it gets you used to using filters.

Note2: Make *SURE* you are filtering to/from the correct MAC addresses. I found this partiuclarly important if you have a lot of Apple hardware around…

0. Setup an open access, access point.

1. We’re going to connect a smartphone or PC to this AP, so have a client ready.

2. Make sure wifi is off on the smartphone/PC.

3. Set the channel of the Backtrack laptop wifi card to the same channel as the open access point, as follows:
3.1 As before, use airodump-ng mon0 to display the channel the AP is on.
3.2 As before, use iwconfig wlan0 channel to change the card to that channel.

4. Make a capture of the traffic using wireshark (as before).

5. Filter for traffic not to/from our access point and filter out beacon frames.
5.1 The filter will eventually read as (wlan.addr == ACCESSPOINTMAC) && !(wan.fc.type_subtype == 0x08)
5.2 You can build this filter by pointing and clicking in wireshark:
Open a beacon frame, under “802.11 Beacon frame” right click on “Source address”, select “apply as filter”->Selected
Edit the filter box change “wlan.sa” to “wlan.addr”.

Under “IEEE 802.11 Beacon frame” select “Type/Subtype”. Right click, select “apply as filter”->”and not selected”

6. Attach the client smartphone/laptop to the network.

7. Add another address to the filter. This is the client address.
7.1 remove the && !(wan.fc.type_subtype == 0x08) portion of the filter.
7.2 In the “IEEE 802.11” section of the packet select the MAC of the client and right click:
“apply as filter”->”and selected”

8. Remove the (wlan.addr == ACCESSPOINTMAC) part of the filter. Your filter should just read:
(wlan.addr == CLIENTMAC), where CLIENTMAC is the mac address of your smartphone/PC.

9. Take a look at the packet trace in wireshark.
9.1 Find the first “Probe Request” from the smartphone/PC.
9.2 Note that it’s a Broadcast packet.
9.3 Note that below that packet you can see a “Probe Response” coming from your access point.
9.4 Client may also send out “Probe Requests” to networks previously connected to.

10. Add the access point mac to the filter. As before right click the access point address and select “apply as filter”->”add selected”.
Change wlan.sa to wlan.addr.

11. Scroll down a little, you should be able to find a packet labeled “Authentication” from your AP to the client.
11.1 Note that the Authentication packet from the client as “Authentication SEQ: 0x0001” and the reply has “SEQ: 0x0002”.

12. Now we see the association packets.
12.1 Note that the client sends an “Association Request”
12.2 Note that the AP replies with an “Association Response”

13. After that we should be able to see data packets, such as ARP requests etc.

14. Vivek makes some interesting observations about the packet exchange, and wireless state machine:

Tags: , , , ,
Category: Uncategorized  |  Comment
« Previous Entries
Next Entries »