What threats might we encounter in either our wireless networks, or what threats can we impose on wireless networks? We're gonna talk about confidentiality, integrity, and availability, the CIA triad, which you may or may not have heard of, in the coming slides. So how can we evade access? We got MAC Spoofing, Ad-hoc Networking, Misconfigured APs, and Rogue APs. We're gonna talk about all these in the subsequent slides. But let's talk about CIA triad stuff first.

Let's talk about integrity. So what is integrity? It is the, I call it an assumption that the data has not been manipulated. So how can we compromise the integrity of wireless networks? We have six strategies listed here on this slide, from Initialization Vector Replay, injection of frames into the wireless network, replaying data, replaying authentication data, injecting data frames, replaying RADIUS authentication frames.

On the confidentiality side of things, which is, I have this data, can somebody else see it? What strategies can be employed in order to compromise confidentiality? Several options listed here for that as well. Machine-in-the-Middle, HoneySpot, cracking WEP, this would, you know, break the encryption and you could get access to the data. Session Hijacking, Evil Twin, as well as Eavesdropping. We're gonna talk about a lot of these concepts here within this lesson.

And then finally, in the CIA triad we have availability, and that is, is the resource or data available when it needs to be accessed? What threats are there to compromise availability of the wireless network itself? We have Denial of Service, Floods, both Deauth and Beacon. That's Deauthentication, that is the forceful kicking off of a client from a wireless network. Disassociation attacks, and then finally the actual physical requisition of the Access Point itself. So if you were to pick up the Access Point and walk away with it, that is a method to compromise the availability of the wireless network that that particular Access Point is serving.

We have Rogue Access Point attacks and the Evil Twin attack. Let's talk about both of these. So if you have a wired network, we have switches here, we have a router, we have some access points plugged into that switch. If I get access to that physical environment where I can plug something into the wall that is eventually connected to a switch that is, you know, part of the network, could I then stick an access point on the network? Now these wireless networks often extend past the walls of a building. So if I get physical access to an environment, let's say I put on my orange vest, I put on my hardhat, I grab the ladder, and I grab my duffel bag full of tools. Maybe at the bottom of that bag is a wireless access point. Doesn't need to be anything fancy, just grab an off-the-shelf wireless access point. And let's say I get past that first layer of security, the person sitting at a desk when you walk in the front door. I get past that and I can just freely roam the office space. I take out that access point, I plug it into that switch, make sure it's close to a wall, go get in my car, join the network. And now I have access to the wired network on the inside. Completely bypassed any perimeter security that might exist up towards the internet.

This is the Rogue Access Point attack. It is the attachment of a wireless access point to an existing local area network, which would allow someone to join and completely bypass any perimeter defenses you might have. Humans are quite often the weak point when it comes to network security. Now, there is a point listed here at the bottom of the slide: strict enforcement of access-port access control policies can prevent this. That's a bit of a tall order. Being able to know the MAC address that is commonly used, meaning the MAC OUI prefix, those first three bytes of the MAC address, and blacklisting those. Meaning you'd have to know all the vendors that create access points. You have to know all the OUIs and then blacklist them across your network, or do static MAC address permissions on the switch. It can get extremely complicated. However, provided you want to go to that level of detail with your security, then you could have, you could protect yourself from this particular attack. It's more valuable to simply train people. Question, why are you in my space? (laughs) And why are you plugging in an access point under my desk?

Misconfigured AP attack. This isn't, I wouldn't call this necessarily an attack. It's more of an accident. So SSIDs are often assumed to be passwords, some form of authentication. However, the SSIDs are freely broadcast in beacon packets unless you have explicitly disabled that functionality. So it's easy to know SSIDs. You can turn on your laptop. You can click a little dropdown. You can see all the networks that exist around you. Don't rely on SSIDs for any form of authentication. Don't rely on hidden SSIDs for any form of protection.

Ad-hoc connection attack. This does rely upon the wired client being infected by something. That malicious software could then turn the particular computer, in this case it's a laptop plugged in with a wire to a wired network, could be a desktop with Wi-Fi capability, and then turning on ad-hoc mode. So most devices today, whether it's a cell phone, a laptop, do still have this functionality to do ad-hoc wireless networking. And it allows you to do point-to-point Wi-Fi between two devices without an access point in the way. So if you are able to fire up Metasploit, send that email with a malicious payload, this particular user happens to click on it, installs some software, turns on ad-hoc, and then you have bypassed the perimeter defenses which might exist sort of out in this area right here.

The HoneySpot attack. HoneySpot attack is where you take an access point and you try to replicate an existing wireless network. Let me give you an example of this. You go to a popular coffee shop and they offer free Wi-Fi because they want you to stay there and drink as much coffee as possible. They're offering free Wi-Fi. They're broadcasting some SSID for their customers to use. What would happen if you have an access point in your backpack, running off of a battery, that used the same SSID as that coffee shop? You could potentially lure victims to join your access point. Once they have joined your access point, then you have access, and provided you give them internet access, of course. Once you have them joined to your access point you have access to their data. Data that is flowing from their computer towards the internet is now going through a device that you control.

AP MAC spoofing. We touched on this previously, when we talked about changing your MAC address on your computer. Some wireless services will use the MAC address as a form of authenticator, in that when you try to service it says you need to pay to serve. So you would then enter your credit card information and it uses your MAC address as the identification mechanism for that paid-for service. Once that person disappears, or even while they're still there, if you assume their MAC address, might you then be able to have free access? Bypassing that paywall.

Deauthentication. This is purposefully built into the Wi-Fi standard. We have this quote here from Joshua Wright in 2005: "Sanctioned technique to inform a rogue station that they have been disconnected from the network." You can fake these things, so you can send a deauth packet to anyone out there and they will disconnect from the network. Most of the time. Provided it reaches the intended destination. (laughs) It's sent to the host. You're spoofing the source MAC. That is the source MAC of the actual BSSID that they are connected to. You must be within range of this client so they can hear you. And why would we want to do this? It's because we need to capture that message integrity check that happens with WPA, and that is only done upon initial connection. So if we deauth the client while we're capturing packets, they reassociate, deauth them again, reassociate, we can capture that MIC much faster.

You can also compromise availability by doing a denial of service by sending deauths to everyone. You'll notice in this example here we have omitted the client when using the aireplay command with the deauth packet. And I think on the previous slide I had an example. Let's run through this example and then we'll talk about the next one. So aireplay deauthentication attack specified here is one particular frame. We're gonna send the access point that we are going to spoof, and then the client to be deauthenticated, followed by the wireless network we want to send this deauth packet on. So when it comes to deauthing everybody, we simply omit the client and we'll send it out wlan0. This is our access point. And deauth, if we do a zero as the option, after the deauth attack then it will just keep sending deauths to everybody.

Jamming. Very important to note, this is illegal. At least here in the United States where I am, this is illegal. But these products do exist. It is possible to procure these and purposefully interfere with wireless networks, Wi-Fi, cellular, handheld-type radios. You can get a jammer for it.