hi security fellows,
this is a quick summary of the wonderful world of WiFi and all great stuff you can play around with
and it's NOT another tutorial to explain the attacks over and over again, instead it will provide you
some general background and puts all existing resources together, to finally understand the full picture!
####################
### Wireless Kung-Foo ####
####################
___Understand the Basics___
http://www.wi-fiplanet.com/tutorials...le.php/1447501
http://packetlife.net/media/library/...02.11_WLAN.pdf
http://www.exploit-db.com/papers/296 <<<<!! good summary of all attacks !!>>>>>
http://wirelessdefence.org/Contents/...Framework.html <<<!!quick overview of various attacks/tools!!>>>
___Tools___
BackTrack4: /pentest/wireless
aircrack-ng, kismet-newcore, mdk3, msf3+karma, wifizoo, gerix-wifi-cracker-ng, (c)pyrit
airdrop-ng (will get more attention..watch it closely)
___Preparation___
.Driver issues and wifi hardware compatibility
Unfortunately, for most users, finding the correct combination of supported Linux hardware and working drivers is the biggest issue. Currently 802.11n drivers don't support reliable injection, therefore stick with 802.11a/b/g - it will still be in use for some years. Don't forget to get a card supporting 802.11a, so that you can also cover the 5GHz spectrum (many companies separate their 2.4/5GHz for special purposes, like WLAN mesh or for special devices and coverage). There are tons of online discussions, but the conclusion is simple: GET A CARD which is 100% supported by the aircrack-ng suite:
http://www.aircrack-ng.org/doku.php?...bility_drivers
http://wiki.uni-konstanz.de/wiki/bin.../ListeChipsatz
http://madwifi-project.org/wiki/Compatibility
Recommendations:
-Alfa Networks AWUS036H b/g support (the newer one AWUS050NH has experimental injection support!)
-Ubiquiti SRC300mW a/b/g (there is a USB or Cardbus version; the new one, SR71 (n support), has a similar issue as the 50NH)
Notes on Linux Wifi drivers:
The general intent of the original drivers was to provide wifi client access, not to play around with injection or listen to the complete 802.11 traffic; therefore any legacy drivers need some kind of patching to support these types of attacks. On Microsoft OS platforms the only chance to get this done is using the extremely expensive airpcap drivers/hardware; apart from that, in Vista (starting with NDIS 6 you can use vistarfmon) you can enable monitor mode, but not inject anything. You have to remember that an interface in monitor mode will catch a lot of traffic and therefore it's almost impossible to send/inject traffic over the same card, so for any reliable attack testing you should always use 2 wifi cards!
Also be aware, due to the sometimes strange driver behavior, that if you have enabled monitor mode you should always completely remove the driver module and re-insert it again to ensure testing reliability (rmmod / modprobe - you should know about it; don't reboot, you are using Linux ;-)
-MadWifi driver can not be used for atheros based USB cards (madwifi will/is replaced by ath5k/ath9k)
-Newer 2.6.x kernels use a completely new wireless subsystem, after years of messing with wifi drivers - this subsystem is called the mac80211 stack
___Scanning___
.Tools
airodump-ng:
another great tool from the aircrack-ng suite, simple to use & understanding the output is straightforward; through the fact that it also supports the kismet format + reading GPS data, this is really all you need, e.g. using airgraph-ng to create some cool graphs from your wifi dumps
Kismet-newcore:
kismet has a long history and is really an amazing tool; unfortunately for the average wifi novice the GUI is difficult to navigate and the features are quite overwhelming. Therefore many times the power of kismet is overlooked. Channel hopping is quite powerful and I'd recommend again to use two cards within kismet, one for channel hopping and a second one for locking the channel hopper on interesting networks. The plugin feature is also quite useful and with the optional DECT module you can also monitor DECT RF; besides that, ZigBee/802.15.4 support is already in progress as well - so get more familiar with this tool!
WifiZoo:
Web Gui based and creates nice graphs (bssid,client relations etc), definitely worthwhile to check out!
___RF Attacks___
.I'm not getting into each individual attack, there are tons of online videos, discussions etc. available, BUT you have to
understand the basics, so get familiar with it - HIGHLY recommended reading(s):
http://www.slideshare.net/barcamp.my...u-exploitation
http://forums.remote-exploit.org/bt3...al-series.html
http://www.exploit-db.com/papers/296 <<<<!! good summary of all attacks !!>>>>>
.Easy start, use a simple GUI - great work done by the Gerix team:
python /pentest/wireless/gerix-wifi-cracker-ng/gerix.py
.airoscript (various attacks)
very good script, just run airopdate to download & compile latest version
The script is self-explanatory (if you've never used it before, don't use airserv-ng, answer the question with no)
Demo: http://forum.aircrack-ng.org/index.p...df&topic=803.0
.wesside-ng (effective for obtaining a WEP key in a short time frame)
http://www.aircrack-ng.org/doku.php?id=wesside-ng
___WPA/WPA2 Bruteforce___
.Getting wordlists and rainbow tables
http://www.offensive-security.com/wpa-tables/
http://forums.remote-exploit.org/pen...-wordlist.html
.Read the basics
General: http://www.backtrack-linux.org/forum...ing-guide.html
http://www.youtube.com/watch?v=7BE-TmSE-YE <<<WPA Crack Pyrit Aircrack>>>
http://forums.remote-exploit.org/bt3...al-series.html <<<tons of good WLAN attack videos>>>
___Fun Stuff___
.Fake AP:
the most stable & coolest one: jasager/karma on the fon http://www.digininja.org/jasager/
Very powerful client-side/social engineering attack weapon and works very reliably..in combination
with metasploit+hamster&ferret+sslstrip a very, very powerful tool!!
http://www.h-i-r.net/2009/07/evil-wi...era-setup.html
http://www.h-i-r.net/search/label/evilwifi
besides jasager, you can do a cheaper setup with airbase+metasploit+karmetasploit support.
HowTo
http://www.offensive-security.com/me.../Karmetasploit
BTW: in many, many videos you'll see all these great automated client-side browser attacks and how easy it is to 0wn a client - I have to disappoint you, in real life, running a latest patched MS client and using web-aware malware/antivirus, you will not be very successful with these iframe attacks. Therefore go the social-engineering way, think about the typical hotspot-user usage, just create a simple trap and let him download a little malicious PDF with his 'current bill' or whatever (jpg/flash/quicktime) - then you will get more success out of this kind of attack type. THIS IS ILLEGAL - therefore it should only be done in 'controlled environments'...so long: thanks to the German hacker paragraph :-()
.Wifi Fuzzing (beacons are your best friends..and also vendor specific extensions ;-)
read some basics, from Mr. HDM himself: http://www.uninformed.org/?v=6&a=2
even if it's from 2006, still a must-read if you wanna start seriously fuzzing 802.11
also you need a good knowledge about the protocol and frame types itself:
use metasploit+lorcon module
Install latest lorcon source:
$ cd /tmp
$ svn co https://802.11ninja.net/svn/lorcon/trunk/ lorcon
$ cd lorcon
$ ./configure --prefix=/usr && make && sudo make install
Install msf3 ruby lorcon
$ cd /opt/metasploit3/msf3/external/ruby-lorcon
$ ruby extconf.rb
$ make && make install
Start msf3 & look for the included 802.11 fuzzers
$ cd /opt/metasploit3/msf3 && svn update
$ ./msfconsole
msf > search auxiliary wireless
Other recommended 802.11 fuzzing tools:
-file2air, zulu or our best friend: scapy, codenomicon 802.11 test suite
http://www.codenomicon.com/resources...ss_WP_v1_0.pdf
http://www.blackhat.com/presentation...u-07-Butti.pdf
.Play with 'managed access point/lightweight access point' environments
many times overlooked, but in the average enterprise you will always find a centralized aka controller-based Access Point infrastructure.
Like the German guys at Shmoocon '10 have just presented (Cisco WLCCP) - these types of protocols are usually vendor proprietary, not really well documented and a lot of different management components are involved. I've done some private research 4 years ago on LWAPP and not too much has changed in CAPWAP/WLCCP ;-)
Playing with Cisco CCX extensions is quite interesting as well.
Think about this:
'simple web application attack on the central management front-end (YES, all of them are using web front-ends and all vendors care about feature sets NOT security - look for the most basic web attack vectors!!): all access points are nicely sorted within the GUI (of course in a lamely set up SQL-server environment!!), managed through profiles.
>>So what happens if you get access to these configuration profiles or get access to WLAN controllers & client-roaming pre-auth credentials
...let's share your thoughts....
/brtw2003
Last edited by brtw2003; 02-15-2010 at 05:05 PM.
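As an added example (not part of brtw2003's post or of any tool it lists), here is a minimal parser for the 802.11 frame control field and management header that the scanning and fuzzing sections assume you already understand, plus a defender-side check that flags a transmitter sending a burst of deauthentication frames, the kind of event a wireless IDS alerts on. The frames are constructed inline rather than captured, and the BSSID, client address and SSID are made up.

```python
import struct
from collections import Counter

TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth", 13: "action"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ssid(ies):
    """Walk the tagged information elements (tag, length, value) and return the SSID (tag 0)."""
    i = 0
    while i + 2 <= len(ies):
        tag, ln = ies[i], ies[i + 1]
        if tag == 0:
            return ies[i + 2:i + 2 + ln].decode("utf-8", "replace")
        i += 2 + ln
    return None

def parse_frame(raw):
    """Parse the 802.11 MAC header of a raw frame (radiotap header already stripped)."""
    fc0, flags = raw[0], raw[1]          # Frame Control: version|type|subtype, then flag bits
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    info = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
            "protected": bool(flags & 0x40), "retry": bool(flags & 0x08)}
    if ftype == 1:                       # control frames: short, subtype-specific header, RA only
        info["addr1"] = mac(raw[4:10])
        return info
    info["addr1"], info["addr2"], info["addr3"] = mac(raw[4:10]), mac(raw[10:16]), mac(raw[16:22])
    info["seq"] = struct.unpack_from("<H", raw, 22)[0] >> 4   # sequence number, fragment bits dropped
    if ftype == 0:
        info["subtype"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
        if subtype in (5, 8):            # probe-resp / beacon: 12 fixed bytes, then the IEs
            info["ssid"] = parse_ssid(raw[36:])
    return info

def deauth_sources(frames, threshold):
    """Defender's check: transmitter addresses that sent at least `threshold` deauth frames."""
    hits = Counter(f["addr2"] for f in map(parse_frame, frames) if f.get("subtype") == "deauth")
    return {src: n for src, n in hits.items() if n >= threshold}

def build(fc0, a1, a2, a3, seq, body=b""):
    """Constructed sample frame (not a capture): FC, duration 0, three addresses, seq ctrl, body."""
    return bytes([fc0, 0, 0, 0]) + a1 + a2 + a3 + struct.pack("<H", seq << 4) + body

BSSID, CLIENT, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
BEACON = build(0x80, BCAST, BSSID, BSSID, 1, b"\x00" * 8 + b"\x64\x00\x11\x00" + b"\x00\x04Lab1")
DEAUTH = build(0xC0, CLIENT, BSSID, BSSID, 2, b"\x07\x00")   # reason code 7: class 3 frame
SAMPLE = [BEACON] + [DEAUTH] * 5       # constructed trace: one beacon, then a deauth burst
```

Feed it the payload of frames captured in monitor mode (radiotap header stripped) and `deauth_sources` gives you the address behind a deauth burst; the threshold is a tuning knob, not a standard value.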
Thanks for this, I'm going to take a look at everything, looks like there's some good stuff that I never heard of before.
If you get tired of listening to your music... cat /vmlinuz > /dev/audio
Macbook 2.4Ghz Dual Core, 4GB Ram, Edimax EW-7318USG, BT4
Just wanted to say thanks for all the useful info, gave me some things to look into over the next few weeks when I'm done with my current project.
Thanks for your support.
Stand up and be counted as a linux user.
Some very good reads here. You have increased my knowledge base. Cheers