An approach to evil twin detection from a normal user side
Slide 1
In air they wander, we exist to blow their cover!!!!
An approach to evil twin detection from a normal user side
Slide 2
0 Forewords
Slide 3
Who we are???
Amrita C. Iyer, Senior QA Associate. Who kills boredom by fuzzing applications. i[dot]c[dot]amrita[at]gmail[dot]com
Rushikesh D. Nandedkar, Information Security Researcher. nandedkarhrishi[at]gmail[dot]com
Slide 4
Agenda
Introduction and some details
The Evil Twin
Fuzzed Packet Approach
Things we learned
Related work
Potential approaches
Conclusions
Acknowledgements
Slide 5
1 Introduction and some details
Slide 6
Overview
What .11 is blamed for?
Victims
.11 modes
Stumbling and Sniffing
Scanning
How?
Slide 7
What .11 is blamed for?
A hole in the network perimeter (open wireless networks, WEP, bad configs).
Loose link in the client's security:
Offensive rogue access points
Eavesdropping in socially dense areas
Connectivity mess-ups
Slide 8
?
So, a lot of mess and mash in the air.
And as a matter of fact,
"All these deeds are generally not very detectable!"
Slide 9
Victims!!! (1)
Courtesy of the omnipresence and ease of access of wireless:
Mobile phones
Cameras
Printers
Gaming consoles
Laptops, desktops ....
More and more places are being equipped with Wi-Fi.
Slide 10
Victims!!! (2)
The perimeter generals:
UTMs
Packet analysers
All in all, many victims ... awaiting exploitation!
Slide 11
.11 modes
The 802.11 hardware can be operated in many modes:
Managed: acts as a station
Ad hoc: acts as an ad hoc station
Master: acts as an access point
Monitor (RFMON): shows everything seen by the radio (synonymous to promiscuous mode in .3)
Slide 12
Stumbling and Sniffing
Stumblers query the card firmware to see what networks are detectable in the local radio periphery.
Pros:
Don't require special drivers.
Cons:
See fewer networks.
Cannot capture data packets.
Source: Dragorn, Kismet presentation.
Slide 13
….
Sniffers like Wireshark, tcpdump or Kismet are capable of capturing raw data frames.
Sniffers can capture data packets.
They broadly operate in monitor mode.
Source: Dragorn, Kismet presentation.
Slide 14
Scanning
In the context of our discussion, scanning refers to the activity of discovering access points in the local radio periphery.
Slide 15
How?
Probe requests/responses.
Beacon frames.
Combination of probes and beacons.
Slide 16
2 The Evil Twin
Slide 17
Overview
Who is the Evil Twin?
Some terms...
Where to find them all together?
Some boring text on the Evil Twin
So much of concern.. uh!
Stats from Black Hat US 2013
Slide 18
"Defending clients on open AP is very hard!"
~ Mike Kershaw, BH-DC 2010.
Slide 19
We tried understanding this statement in more depth.
And eventually we happened to meet the wireless predator...
Slide 20
The Evil Twin
Slide 21
Who is the Evil Twin??
Slide 22
Some terms....
Access Point
SSID
Station/Host/Node
Slide 23
Where to find them all together?
Open Wireless Networks:
Basic IEEE 802.11 implementation.
Never does any exchange of any secret.
Airports, cafes, colleges, offices etc.
Slide 24
Some boring text on the Evil Twin
A phishing Wi-Fi AP that looks like a legitimate one (with the same SSID).
Typically occurs near free hotspots, such as airports, cafes, hotels, and libraries.
Hard to trace, since they can be launched and shut off suddenly or randomly, and last only for a short time after achieving their goal.
Slide 25
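Scanning by beacon frames (slide 15) and the definition of an evil twin as an AP carrying the same SSID as a legitimate one (this slide) can be combined into a simple user-side check: parse the beacons seen on a monitor-mode interface and flag any SSID advertised by more than one BSSID. The code below is an added example, not the authors' code: it builds its own sample beacons in place of frames captured from the radio, and the BSSIDs, SSIDs and channels in it are made up.

```python
"""Parse raw 802.11 beacon frames and flag SSIDs advertised by more than one
BSSID (added example, not the presentation's code). Frames are expected
without a radiotap header; the samples at the bottom are constructed."""
import struct

BEACON_FC = 0x80          # frame control byte 0: type 0 (management), subtype 8 (beacon)
MGMT_HDR = "<HH6s6s6sH"   # frame control, duration, addr1, addr2, addr3 (BSSID), seq ctrl
FIXED = "<QHH"            # timestamp, beacon interval, capability info
IE_SSID, IE_DS_PARAMS = 0, 3


def mac_to_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_beacon(bssid, ssid, channel):
    """Minimal beacon frame, used here only to make sample input."""
    hdr = struct.pack(MGMT_HDR, BEACON_FC, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack(FIXED, 0, 100, 0x0001)   # capability: ESS bit set
    ies = (bytes([IE_SSID, len(ssid)]) + ssid.encode()
           + bytes([IE_DS_PARAMS, 1, channel]))
    return hdr + fixed + ies


def parse_beacon(frame):
    """Return (bssid, ssid, channel) for a beacon, None for anything else.
    Tolerates a truncated or malformed tagged-parameter area."""
    body_off = struct.calcsize(MGMT_HDR) + struct.calcsize(FIXED)
    if len(frame) < body_off:
        return None
    fc, _dur, _a1, _a2, bssid, _seq = struct.unpack_from(MGMT_HDR, frame, 0)
    if (fc & 0xFF) != BEACON_FC:        # low byte holds version/type/subtype
        return None
    ssid, channel = None, None
    off = body_off
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        data = frame[off + 2:off + 2 + length]
        if len(data) < length:          # IE claims more bytes than the frame has
            break
        if tag == IE_SSID:
            ssid = data.decode("utf-8", "replace")
        elif tag == IE_DS_PARAMS and length == 1:
            channel = data[0]
        off += 2 + length
    return mac_to_str(bssid), ssid, channel


def find_ssid_clones(frames):
    """{ssid: sorted BSSIDs} for every SSID seen from more than one BSSID."""
    seen = {}
    for frame in frames:
        parsed = parse_beacon(frame)
        if parsed is None or parsed[1] is None:
            continue
        bssid, ssid, _channel = parsed
        seen.setdefault(ssid, set()).add(bssid)
    return {s: sorted(b) for s, b in seen.items() if len(b) > 1}


# Constructed sample: a cafe hotspot on channel 6, a second AP beaconing the
# same SSID on channel 11, and an unrelated network.
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("001122334455"), "CafeFreeWiFi", 6),
    build_beacon(bytes.fromhex("66778899aabb"), "CafeFreeWiFi", 11),
    build_beacon(bytes.fromhex("cccccccccccc"), "HomeNet", 1),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_beacon(f))
    print("SSIDs with more than one BSSID:", find_ssid_clones(SAMPLE_FRAMES))
```

One SSID on several BSSIDs is also what a legitimate multi-AP network looks like, so a hit is a lead to investigate, not a verdict, and an evil twin that clones the BSSID as well will not show up here at all. In use, the frames would come from a sniffer on the monitor-mode interface the assumptions slide describes, with any radiotap header stripped first.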
So much of concern.. uh!
Slide 26
Stats from Black Hat US 2013
Time frame: 24 hours.
Number of legitimate devices found: 1300.
Number of rogue devices found: 1900.
Number of users found for the keynote session: 3500.
Slide 27
3 Fuzzed Packet Approach
Slide 28
Overview
What is fuzzing?
Assumptions
Which fields are of interest?
Scapy usage.
Results.
Slide 29
What is fuzzing?
Fuzzing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data ("fuzz"). If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct. [WIKIPEDIA]
Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed data injection in an automated fashion. [OWASP]
Slide 30
Assumptions
The host wireless network interface card is up and tuned to monitor mode.
Packet injection is working.
The host has acquired an IP address on the suspected AP's network.
Slide 31
Parameters of interest!!!
(Three diagram slides showing the packet header fields of interest; the figures are not reproduced here. Source: nmap.org)
Slide 34
Scapy usage
Scapy is a Python module/library.
Used as a packet manipulation program.
Helps write, read and inject packets and frames as per the user's imagination.
More information is at http://secdev.org/projects/scapy.
Slide 35
….
What did we use:
    from scapy.all import *   # brings in conf, IP, TCP and sr when run outside the Scapy shell
    conf.iface = "mon0"       # the monitor-mode interface from the assumptions slide
    i = IP(dst="IP address of suspicious AP", chksum=1234)   # legit checksum = 4567
    sr(i/TCP(chksum=2498, flags=0x01))                      # legit checksum = 2345
Bad checksum, FIN flag. (The TCP field is flags, not flag; the slide's flag= would be ignored by Scapy.)
Slide 36
Results
Response from the legitimate AP: RST.
Response from the rogue AP: no response.
Same old scanning logic:
An unsolicited FIN should be dropped and a RST sent in response.
In the case of the rogue AP, somehow the kernel may not be behaving this way and is accepting the packet.
Slide 37
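To show what the Scapy one-liner on the previous slide actually puts on the wire, what a receiving kernel checks, and how the rule on this slide turns a response into a verdict, here is an added example in plain Python (not the authors' code and not Scapy). It builds the same IP/TCP FIN probe with correct checksums, then the fuzzed copy with the slide's chksum values 1234 and 2498, verifies both the way a receiver would, and applies the results slide's decision rule to a response. The addresses, ports and the resulting "legit" checksum values are constructed for this sample and differ from the 4567/2345 the authors observed for their packet; nothing is sent.

```python
"""Plain-Python stand-in for the deck's Scapy probe (added example, not the
authors' code): build the IP/TCP FIN packet with correct checksums, the fuzzed
copy with the slide's bad checksums, verify both as a receiver would, and
apply the results slide's decision rule. Nothing is sent."""
import socket
import struct

# Constructed sample addresses and ports; in use these would be the host's
# address and the suspected AP's address on its network.
SRC = socket.inet_aton("192.168.1.100")
DST = socket.inet_aton("192.168.1.1")
SPORT, DPORT = 40000, 80
FIN = 0x01
RST = 0x04


def inet_checksum(data):
    """RFC 1071 one's-complement checksum. A header whose checksum field is
    already correct sums to 0, which is how checksums_valid() verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(src, dst, payload_len, chksum=None):
    """20-byte IPv4 header, protocol 6 (TCP). chksum=None computes the right
    value; any other value is written as-is, exactly what chksum=1234 on the
    Scapy slide does."""
    def pack(csum):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                           0, 0x4000, 64, 6, csum, src, dst)
    if chksum is None:
        chksum = inet_checksum(pack(0))
    return pack(chksum)


def tcp_fin_header(src, dst, sport, dport, chksum=None):
    """20-byte TCP header with only FIN set (flags=0x01 on the slide)."""
    def pack(csum):
        return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, FIN,
                           8192, csum, 0)
    if chksum is None:
        pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, 20)  # TCP pseudo-header
        chksum = inet_checksum(pseudo + pack(0))
    return pack(chksum)


def build_probe(ip_chksum=None, tcp_chksum=None):
    """IP/TCP FIN probe; pass the slide's 1234 and 2498 to get the fuzzed one."""
    return (ip_header(SRC, DST, 20, ip_chksum)
            + tcp_fin_header(SRC, DST, SPORT, DPORT, tcp_chksum))


def checksums_valid(pkt):
    """(ip_ok, tcp_ok) as a receiving kernel would judge them."""
    ip_ok = inet_checksum(pkt[:20]) == 0
    src, dst = pkt[12:16], pkt[16:20]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(pkt) - 20)
    tcp_ok = inet_checksum(pseudo + pkt[20:]) == 0
    return ip_ok, tcp_ok


def judge_ap(response_flags):
    """Decision rule from the results slide: a RST back means legitimate AP,
    silence (None) means rogue AP. Anything else is flagged for a closer look."""
    if response_flags is None:
        return "rogue (no response)"
    if response_flags & RST:
        return "legitimate (RST)"
    return "unexpected response"


LEGIT_PROBE = build_probe()
FUZZED_PROBE = build_probe(ip_chksum=1234, tcp_chksum=2498)

if __name__ == "__main__":
    print("legit  :", checksums_valid(LEGIT_PROBE), LEGIT_PROBE.hex())
    print("fuzzed :", checksums_valid(FUZZED_PROBE), FUZZED_PROBE.hex())
    print(judge_ap(RST | 0x10), "/", judge_ap(None))
```

With a real interface the fuzzed bytes would go out through Scapy's sr() with a timeout, and judge_ap() would be fed the TCP flags of whatever comes back. Note that the rule scores silence as rogue, so a probe lost on a weak link looks the same as a rogue AP; repeat the probe a few times before trusting a "no response" result.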
4 Things We Learned
Slide 38
Things we learned...
The behavior of the wireless network interface card.
Confirming a live distro and cancelling usage of the VMs.
Alfa cards worked great, but Intel built-in chipsets and Cisco wireless adaptors were also competent.
Yet another way to understand wireless networks.
Slide 39
5 Related Work
Slide 40
Related work
1. RF Monitoring
2. Wired and wireless connection consideration
Slide 41
RF Monitoring (1)
Monitors RF and gathers information at switches and routers.
Compares with a known authorized list.
E.g. AirDefense scans intranet RF and compares fingerprints.
Slide 42
RF Monitoring (2)
An approach where dedicated sensors are used for scanning.
They use parameters like SSID, MAC, location information etc.
The information collected on the above parameters is compared against a verified list.
Slide 43
RF Monitoring (3)
Sends a verifier packet.
If it is received by an internal sensor, the AP is internal and hence an evil twin.
Source: Raheem Beyah and Aravind Venkataraman, IEEE Security & Privacy Magazine, Vol. 9, No. 5, 2011.
Slide 44
Wired and wireless connection consideration (1)
Checks, per host, whether the connectivity is wired to wireless (auth), wireless to wireless (auth) or wired to wireless (unauth).
They refer to a pre-populated authorization list.
The parameters they take into account are round trip time, entropy etc., and the statistical analysis performed on them.
Slide 45
Wired and wireless connection consideration (2)
Another approach calculates the clock skew of the access point and builds the relevant fingerprint.
Later these details are used in some machine learning algorithms for training detection models.
Source: Jana et al.
Slide 46
Wired and wireless connection consideration (3)
Proposes a model named ET Sniffer.
Counts the round trip time for a packet to travel from host to server.
Differentiates on the basis of whether the packet travelled on a wireless link or on a wired link.
Assumes that the wired link is always one hop away.
Source: Yang et al.
Slide 47
Wired and wireless connection consideration (4)
Proposes a model named WiFiHop.
Sends a watermark packet (known only to the user) to the Internet.
Listens on the channel to find the existence of the watermark packet.
If found, an evil twin is detected.
Overcomes the problem where the packet is travelling through more than one wireless hop.
Slide 48
Why do we need one more approach?
Existing approaches have certain limitations. The majority of them implement some special hardware or setup to make the detection work, which sometimes requires the highest level of privileges.
The existing approaches are initially designed with the wireless network admin as the detecting authority in mind, not the normal user.
Fuzzed packet approach:
User-side approach.
Works with the WNIC available in our laptops.
Uses Scapy, which is readily available in BackTrack.
Slide 49
6 Potential Approaches
Slide 50
Potential Approaches
There still lies potential in protocols like IGMP and BGP to build intelligence about the rogue access point.
Maybe use techniques similar to "traceroute" to know the wired transfer time and then exclude/subtract it to minimize the noisy effect from the wired side.
Mobile-implanted Wi-Fi tethered hotspots are yet to be tested with our approach, and stand as a strong contender to both legitimate access points and rogue access points.
Slide 51
7 Conclusion
Slide 52
Conclusion
We have proposed an investigator packet, Malicious Access point Nailing Utility (MAN_U), whose response from the access point will deliver the result of whether the access point is legitimate or rogue.
With an economical, mundane setup, a normal user is able to detect an evil twin. No specific admin/access rights are needed.
Along with the proposed approach, we have been working on a few more approaches.
The complete work is submitted for patent and is under procedure.
Slide 53
8 Acknowledgements
Slide 54
Acknowledgements
Vivek Ramachandran (Wireless Security Megaprimer).
Joshua Wright, Phil Biondi (Scapy mailing list).
Laurent Butti (Wi-Fi Fuzzing).
Michael Ossmann (HackRF).
Dr. U. V. Kulkarni (Guide).
Dr. Nandakishor Ranade (Mentor).
Slide 55
?
Slide 56
/../ Thank You /../