“All your layer are belong to us” Rogue 802.11 APs, DHCP/DNS Servers, and Fake Service Traps.

Presentation transcript:

“All your layer are belong to us” Rogue APs, DHCP/DNS Servers, and Fake Service Traps

Agenda
- Windows XP Wireless Auto Configuration (WZCSVC)
- Wireless Client Attack Tool
- Creating an ALL SSIDs network (L1)
- Creating a virtual network (L2+)
- Exploiting client-side application vulnerabilities (L5)
- Demo

Wireless Auto Configuration Algorithm
- First, Client builds list of available networks
- Send broadcast Probe Request on each channel

Wireless Auto Configuration Algorithm
- Access Points within range respond with Probe Responses

Wireless Auto Configuration Algorithm
- If Probe Responses are received for networks in preferred networks list:
  - Connect to them in preferred networks list order
- Otherwise, if no available networks match preferred networks:
  - Specific Probe Requests are sent for each preferred network in case networks are “hidden”

Wireless Auto Configuration Algorithm
- If still not associated and there is an ad-hoc network in preferred networks list, create the network and become first node
- Use self-assigned IP address (169.X.Y.Z)

Wireless Auto Configuration Algorithm
- Finally, if “Automatically connect to non-preferred networks” is enabled (disabled by default), connect to networks in order they were detected
- Otherwise, wait for user to select a network
- Continue scanning for networks
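
The selection steps on the slides above, modelled as a small audit function (an added example, not code from the presentation). It reports which network a client profile ends up on and which preferred SSIDs it names on the air in directed Probe Requests; the function names, the scenarios and the "FreeWifi"/"guest" SSIDs are constructed for illustration.

```python
from collections import namedtuple

# Model of the selection steps on the slides; all names are this example's own.
Decision = namedtuple("Decision", "action ssid disclosed")

def auto_configure(preferred, visible, hidden=(), adhoc=(), auto_nonpreferred=False):
    """preferred: SSIDs in preference order. visible: SSIDs heard in Probe
    Responses to the broadcast probe, in detection order. hidden: SSIDs that
    answer only a directed probe. adhoc: preferred SSIDs that are ad-hoc."""
    # A preferred network answered the broadcast probe: no names are disclosed.
    for ssid in preferred:
        if ssid in visible:
            return Decision("associate", ssid, ())
    # No match: directed Probe Requests name every preferred network on the air.
    disclosed = tuple(preferred)
    for ssid in preferred:
        if ssid in hidden:
            return Decision("associate", ssid, disclosed)
    # Still unassociated: create the first preferred ad-hoc network.
    for ssid in preferred:
        if ssid in adhoc:
            return Decision("create-adhoc", ssid, disclosed)
    # Last resort, disabled by default according to the slides.
    if auto_nonpreferred and visible:
        return Decision("associate", visible[0], disclosed)
    return Decision("wait-for-user", None, disclosed)

# Constructed profile and radio environments (not from the presentation).
PREFERRED = ["MegaCorp", "linksys", "t-mobile"]
SCENARIOS = {
    "office": dict(visible=["guest", "MegaCorp"]),
    "airport": dict(visible=["FreeWifi"]),
    "airport, responder for linksys": dict(visible=["FreeWifi"], hidden=["linksys"]),
}

def audit(preferred, scenarios, adhoc=()):
    """Return {scenario: Decision} so the exposure of one profile can be compared."""
    return {name: auto_configure(preferred, adhoc=adhoc, **kw)
            for name, kw in scenarios.items()}

if __name__ == "__main__":
    for name, d in audit(PREFERRED, SCENARIOS).items():
        print(f"{name:32} {d.action:14} {d.ssid!s:10} disclosed={list(d.disclosed)}")
```

Running the audit against a real preferred-networks list shows how many names a laptop announces whenever its first-choice network is out of range; removing unused entries shortens that list.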

Attacking Wireless Auto Configuration
- Attacker spoofs disassociation frame to victim
- Client sends broadcast and specific Probe Requests again
- Attacker discovers networks in Preferred Networks list (e.g. linksys, MegaCorp, t-mobile)

Attacking Wireless Auto Configuration
- Attacker creates network MegaCorp with HostAP driver

Attacking Wireless Auto Configuration
- Victim associates to attacker’s fake network
- Even if preferred network was WEP (XP SP 0)
- Attacker can supply DHCP, DNS, …, servers

Wireless Auto Configuration Attacks
A. Attacker can join created ad-hoc network
   - Sniff network to discover self-assigned IP (169.X.Y.Z) and attack
B. Create a more Preferred Network
   - Spoof disassociation frames to cause clients to restart scanning process
   - Sniff Probe Requests to discover Preferred Networks
   - Create a network with SSID from Probe Request
C. Create a stronger signal for currently associated network
   - While associated to a network, clients send Probe Requests for same network to look for stronger signal

You can be 0wned while watching a DVD on a plane!

A Tool to Automate the Attack
- Track clients by MAC address
- Identify state: scanning/associated
- Record preferred networks by capturing Probe Requests
- Display signal strength of packets from client
- Target specific clients and create a network they will automatically associate to
- Compromise client and let them rejoin original network
- Connect back out over Internet to attacker
- Launch worm inside corporate network
- Etc.
- “Kismet” for wireless clients

L1: Creating An ALL SSIDs Network
- Can we attack multiple clients at once?
- Want a network that responds to Probe Requests for any SSID
- PrismII HostAP mode handles Probe Requests in firmware, doesn’t pass them to driver
- Can modify driver to accept Associations for any SSID
- Can use second card to sniff for Probe Requests and forge Probe Responses
- Custom firmware would be better
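
Seen from a monitoring sensor, a network that answers Probe Requests for any SSID has a recognisable signature: one BSSID replies for many unrelated names, including names nobody has ever configured. The following detection sketch is an added example, not part of the presentation. It assumes the sensor has already reduced captured Probe Responses to (BSSID, SSID) pairs, that it probes for a random canary SSID, and that an inventory of legitimate BSSIDs per SSID exists; the threshold, addresses and SSIDs are constructed.

```python
from collections import defaultdict

def find_suspect_responders(probe_responses, canaries, inventory, max_ssids=2):
    """probe_responses: (bssid, ssid) pairs from captured Probe Response frames.
    canaries: random SSIDs the sensor probed for and no real network uses.
    inventory: {ssid: set of legitimate BSSIDs}. Returns {bssid: [reasons]}."""
    ssids_by_bssid = defaultdict(set)
    for bssid, ssid in probe_responses:
        if ssid:                                  # skip empty SSID fields
            ssids_by_bssid[bssid.lower()].add(ssid)
    suspects = {}
    for bssid, ssids in ssids_by_bssid.items():
        reasons = []
        hit = sorted(ssids & set(canaries))
        if hit:                                   # nothing real should answer these
            reasons.append("answered canary SSID " + ", ".join(hit))
        if len(ssids) > max_ssids:                # threshold is an assumption
            reasons.append(f"answered for {len(ssids)} different SSIDs")
        for ssid in sorted(ssids & inventory.keys()):
            if bssid not in inventory[ssid]:      # known name, unknown radio
                reasons.append(f"{ssid} offered by BSSID outside inventory")
        if reasons:
            suspects[bssid] = reasons
    return suspects

# Constructed sample data (locally administered MAC addresses).
CANARIES = {"zx-canary-7f3a91"}
INVENTORY = {"MegaCorp": {"02:00:00:aa:00:01"}}
CAPTURE = [
    ("02:00:00:aa:00:01", "MegaCorp"),
    ("02:00:00:aa:00:02", "CoffeeShop"),
    ("02:00:00:bb:00:09", "linksys"),
    ("02:00:00:BB:00:09", "t-mobile"),
    ("02:00:00:bb:00:09", "MegaCorp"),
    ("02:00:00:bb:00:09", "zx-canary-7f3a91"),
    ("02:00:00:cc:00:05", "MegaCorp"),
]

if __name__ == "__main__":
    for bssid, reasons in find_suspect_responders(CAPTURE, CANARIES, INVENTORY).items():
        print(bssid, "->", "; ".join(reasons))
```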

L2: Creating a FishNet
- Want a network where we can observe clients in a “fishbowl” environment
- Once victims associate to wireless network, will acquire a DHCP address
- We run our own DHCP server
- We are also the DNS server and router

FishNet Services
- When wireless link becomes active, client software activates and attempts to connect, reconnect, etc. without requiring user action
- Our custom DNS server replies with our IP address for every query
- We also run “trap” web, mail, chat services
  - Fingerprint client software versions
  - Steal credentials
  - Exploit client-side application vulnerabilities
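
A DNS server that returns one address for every query can be recognised from the client side by asking it for names that cannot exist. The check below is an added example, not part of the presentation: it resolves random names under the reserved `.invalid` top-level domain and reports which real names come back with the same address. The two sample resolvers and their addresses are constructed so the block runs offline; `system_resolve` is the hook for the operating system's resolver.

```python
import secrets
import socket

def system_resolve(name):
    """Resolve through the OS resolver; [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check_resolver(resolve, real_names, probes=3):
    """resolve(name) -> list of IPv4 strings. Returns a report dict."""
    # Names under .invalid are reserved and must never resolve.
    bogus = [secrets.token_hex(8) + ".invalid" for _ in range(probes)]
    bogus_ips = {ip for name in bogus for ip in resolve(name)}
    if not bogus_ips:
        return {"catch_all": False, "addresses": [], "redirected": []}
    # Real names that come back with the same address as the nonsense names.
    redirected = []
    for name in real_names:
        ips = set(resolve(name))
        if ips and ips <= bogus_ips:
            redirected.append(name)
    return {"catch_all": True, "addresses": sorted(bogus_ips), "redirected": redirected}

# Constructed resolvers for an offline run (documentation address ranges).
HONEST = {"mail.example.com": ["198.51.100.25"], "www.example.com": ["198.51.100.80"]}

def honest_resolve(name):
    return HONEST.get(name, [])

def catch_all_resolve(name):
    return ["192.0.2.66"]

if __name__ == "__main__":
    names = list(HONEST)
    print(check_resolver(honest_resolve, names))
    print(check_resolver(catch_all_resolve, names))
```

Captive portals produce the same result before login, so a positive report means that mail, chat and update clients should not be allowed to connect until the network has been verified.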

Fingerprinting FishNet Clients
- Automatic DNS queries
  - wpad.domain -> Windows
  - _isatap -> Windows XP SP 0
  - isatap.domain -> Windows XP SP 1
  - teredo.ipv6.microsoft.com -> XP SP 2
- Automatic HTTP Requests
  - windowsupdate.com, etc.
  - User-Agent String reveals OS version
- Passive OS fingerprinting (p0f)

L5: Exploiting FishNet Clients
- Fake services steal credentials
  - Mail and chat protocols (IMAP, POP3, AIM, YIM, MSN)
  - Reject authentication attempts using non-cleartext commands
  - Many clients automatically resort to cleartext when non-cleartext is not supported
- Attack VPN clients…

Client-Side Application Vulnerabilities
- Recent client-side vulnerabilities
  - Microsoft JPG Processing (GDI+)
  - Mozilla POP3 Heap Overflows
  - GDK Pixbuf XPM Vulnerabilities
  - …
- Exploits can make use of fingerprinting info

DEMO