In air they wander, we exist to blow their cover!!!!
An approach to evil twin detection from a normal user side (PowerPoint presentation)

Uploaded by danika-pritchard on 2017-04-26



Presentation Transcript

Slide 1
In air they wander, we exist to blow their cover!!!!
{An approach to evil twin detection from a normal user side}

Slide 2
0. Forewords

Slide 3
Who we are???
Amrita C. Iyer, Senior QA Associate. Who kills boredom by fuzzing applications. i[dot]c[dot]amrita[at]gmail[dot]com
Rushikesh D. Nandedkar, Information Security Researcher. nandedkarhrishi[at]gmail[dot]com

Slide 4
Agenda
Introduction and some details
The Evil Twin
Fuzzed Packet Approach
Things we learned
Related work
Potential approaches
Conclusions
Acknowledgements

Slide 5
1. Introduction and some details

Slide 6
Overview
What .11 is blamed for?
Victims
.11 modes
Stumbling and Sniffing
Scanning
How?

Slide 7
What .11 is blamed for?
A hole in the network perimeter (open wireless networks, WEP, bad configs).
Loose link in the client's security:
Offensive rogue access points
Eavesdropping in socially dense areas
Connectivity mess-ups

Slide 8
?
So, a lot of mess and mash in the air.
And as a matter of fact, "All these deeds are not very detectable, generally!"

Slide 9
Victims!!! (1)
Courtesy of the omnipresence and ease of access of wireless:
Mobile phones
Cameras
Printers
Gaming consoles
Laptops, desktops ...
More and more places are being equipped with Wi-Fi.

Slide 10
Victims!!! (2)
The perimeter generals:
UTMs
Packet analysers
All in all, many victims ... awaiting exploitation!

Slide 11
.11 modes
The 802.11 hardware can be operated in many modes:
Managed: acts as a station
Ad hoc: acts as an ad hoc station
Master: acts as an access point
Monitor (RFMON): shows everything seen by the radio (synonymous with promiscuous mode in .3)

Slide 12
Stumbling and Sniffing
Stumblers query the card firmware to see what networks are detectable in the local radio periphery.
Pros: don't require special drivers.
Cons: see fewer networks; cannot capture data packets.
Source: Dragorn, Kismet presentation.

Slide 13
...
Sniffers like Wireshark, tcpdump or Kismet are capable of capturing raw data frames.
Sniffers can capture data packets.
They broadly operate in monitor mode.
Source: Dragorn, Kismet presentation.

Slide 14
Scanning
In our context of discussion, scanning refers to the activity of discovering access points in the local radio periphery.

Slide 15
How?
Probe requests/responses.
Beacon frames.
Combination of probes and beacons.

Slide 16
2. The Evil Twin

Slide 17
Overview
Who is Evil Twin?
Some terms...
Where to find them all together?
Some boring text on Evil Twin
So much of concern.. uh!
Stats from Black Hat US 2013

Slide 18
"Defending clients on open AP is very hard!" ~Mike Kershaw, BH-DC 2010.

Slide 19
We tried understanding this statement in more depth.
And eventually we happened to meet the wireless predator...

Slide 20
The Evil Twin

Slide 21
Who is Evil Twin??

Slide 22
Some terms...
Access Point
SSID
Station/Host/Node

Slide 23
Where to find them all together?
Open Wireless Networks:
Basic IEEE 802.11 implementation.
Never does any exchange of any secret.
Airports, cafes, colleges, offices etc.

Slide 24
Some boring text on Evil Twin
A phishing Wi-Fi AP that looks like a legitimate one (with the same SSID).
Typically found near free hotspots, such as airports, cafes, hotels, and libraries.
Hard to trace since they can be launched and shut off suddenly or randomly, and last only for a short time after achieving their goal.
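Slide 15 lists beacon frames as one way to discover access points, and slide 24 defines the evil twin by its reuse of a legitimate SSID. The block below is an added example written for this page, not code from the presentation: it parses minimal 802.11 beacon frames and lists every SSID that is advertised by more than one BSSID, which is the pattern those two slides describe. The frame builder, the BSSIDs and the SSID names are constructed for the example, and the frames carry no radiotap header (a real monitor-mode capture usually has one in front).

```python
import struct
from collections import defaultdict

FC_BEACON = b"\x80\x00"   # frame control: type=management, subtype=beacon
IE_SSID = 0               # information element carrying the network name
IE_DS_PARAMS = 3          # information element carrying the channel number


def build_beacon(bssid: bytes, ssid: str, channel: int) -> bytes:
    """Constructed minimal beacon: 24-byte MAC header, 12 bytes of fixed fields,
    then the SSID and DS Parameter Set elements. Used only to make sample input."""
    mac_hdr = FC_BEACON + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0401)   # timestamp, beacon interval, capabilities
    ssid_b = ssid.encode()
    ies = bytes([IE_SSID, len(ssid_b)]) + ssid_b + bytes([IE_DS_PARAMS, 1, channel])
    return mac_hdr + fixed + ies


def parse_beacon(frame: bytes):
    """Return (bssid, ssid, channel) for a beacon; None for a non-beacon or a
    truncated frame. A hidden (zero-length) SSID is reported as None."""
    if len(frame) < 36 or frame[0:2] != FC_BEACON:
        return None
    bssid = frame[16:22]          # address 3 of a beacon is the BSSID
    ssid = channel = None
    pos = 36                      # first information element follows the fixed fields
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:    # element claims more bytes than the frame has
            return None
        if tag == IE_SSID and length:
            ssid = body.decode("utf-8", errors="replace")
        elif tag == IE_DS_PARAMS and length == 1:
            channel = body[0]
        pos += 2 + length
    return bssid, ssid, channel


def find_ssid_collisions(frames):
    """Map each SSID seen from more than one BSSID to a sorted list of
    (bssid, channel) pairs. Frames that fail to parse are skipped."""
    seen = defaultdict(dict)
    for frame in frames:
        parsed = parse_beacon(frame)
        if parsed is None or parsed[1] is None:
            continue
        bssid, ssid, channel = parsed
        seen[ssid][bssid] = channel
    return {ssid: sorted((b.hex(":"), ch) for b, ch in aps.items())
            for ssid, aps in seen.items() if len(aps) > 1}


if __name__ == "__main__":
    # Constructed sample capture: two radios announce "CafeFree", one announces "Office".
    frames = [
        build_beacon(bytes.fromhex("001122334455"), "CafeFree", 6),
        build_beacon(bytes.fromhex("aabbccddeeff"), "CafeFree", 11),
        build_beacon(bytes.fromhex("0a0b0c0d0e0f"), "Office", 1),
    ]
    print(find_ssid_collisions(frames))
```

In an enterprise deployment the same SSID is legitimately advertised by many BSSIDs, so the output is a candidate list to compare against a known-authorized BSSID list (the comparison the RF monitoring work on the later slides relies on), not a verdict on its own.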

Slide 25
So much of concern.. uh!

Slide 26
Stats from Black Hat US 2013
Time frame: 24 hours.
Number of legitimate devices found: 1300.
Number of rogue devices found: 1900.
Number of users found for the keynote session: 3500.

Slide 27
3. Fuzzed Packet Approach

Slide 28
Overview
What is fuzzing?
Assumptions
Which fields are of interest?
Scapy usage.
Results.

Slide 29
What is fuzzing?
Fuzzing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data ("fuzz"). If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct. [WIKIPEDIA]
Fuzzing is a black box software testing technique, which basically consists in finding implementation bugs using malformed data injection in an automated fashion. [OWASP]

Slide 30
Assumptions
Host wireless network interface card is up and tuned to monitor mode.
Packet injection is working.
Host has acquired an IP address on the suspected AP's network.

Slides 31 to 33
Parameters of interest!!!
Source: nmap.org

Slide 34
Scapy usage
Scapy is a Python module/library.
Used as a packet manipulation program.
Helps write, read and inject packets and frames as per the user's imagination.
More information is at http://secdev.org/projects/scapy.

Slide 35
...
What did we use:

    from scapy.all import conf, IP, TCP, sr

    conf.iface = "mon0"
    # IP header with a deliberately wrong checksum (legit checksum = 4567)
    i = IP(dst="IP address of suspicious AP", chksum=1234)
    # TCP segment with a wrong checksum and only the FIN flag set (legit checksum = 2345)
    sr(i / TCP(chksum=2498, flags=0x01))

Bad checksum, FIN flag.

Slide 36
Results
Response from legitimate AP: RST
Response from rogue AP: no response
Same old scanning logic:
An unsolicited FIN should be dropped and an RST sent in response.
In the case of a rogue AP, somehow the kernel may not be behaving this way and is accepting the packet.
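The Scapy lines on slide 35 and the decision rule on slide 36 together make up the probe. The block below is an added example written for this page, not code from the presentation or from Scapy: it builds the same probe with Python's struct module so the checksum manipulation is visible byte for byte, verifies checksums the way a receiving stack does, and applies the slide's rule to a reply. The addresses and ports are constructed placeholders; the checksum values 1234 and 2498 are the ones the slide forces in. Sending the bytes (raw socket or Scapy's sr(), as on the slide) and capturing the reply are left outside the block.

```python
import socket
import struct
from typing import Optional

TCP_FIN = 0x01
TCP_RST = 0x04
TCP_ACK = 0x10

# Values the slide forces into the probe (decimal, as written on the slide).
SLIDE_IP_CHKSUM = 1234
SLIDE_TCP_CHKSUM = 2498


def rfc1071_checksum(data: bytes) -> int:
    """16-bit ones' complement of the ones' complement sum (RFC 1071), the
    algorithm both the IPv4 header checksum and the TCP checksum use."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0, checksum: Optional[int] = None) -> bytes:
    """20-byte IPv4 header, DF set, no options. checksum=None computes the correct
    value; any other value is written verbatim (the slide's chksum=1234)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    if checksum is None:
        checksum = rfc1071_checksum(hdr)
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:]


def tcp_pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """The TCP checksum also covers this pseudo header built from the IP layer."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0, 6, tcp_len)


def build_tcp_header(src: str, dst: str, sport: int, dport: int, flags: int = TCP_FIN,
                     seq: int = 0, ack: int = 0, window: int = 8192,
                     checksum: Optional[int] = None) -> bytes:
    """20-byte TCP header, no options, no payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    if checksum is None:
        checksum = rfc1071_checksum(tcp_pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", checksum) + hdr[18:]


def ipv4_checksum_ok(ip_hdr: bytes) -> bool:
    """A header whose checksum field is correct sums to zero under RFC 1071."""
    ihl = (ip_hdr[0] & 0x0F) * 4
    return rfc1071_checksum(ip_hdr[:ihl]) == 0


def tcp_checksum_ok(src: str, dst: str, tcp_segment: bytes) -> bool:
    return rfc1071_checksum(tcp_pseudo_header(src, dst, len(tcp_segment)) + tcp_segment) == 0


def build_fuzzed_probe(src: str, dst: str, sport: int, dport: int) -> bytes:
    """The slide's investigator packet: an unsolicited FIN with both checksums wrong."""
    tcp = build_tcp_header(src, dst, sport, dport, flags=TCP_FIN, checksum=SLIDE_TCP_CHKSUM)
    ip = build_ipv4_header(src, dst, len(tcp), checksum=SLIDE_IP_CHKSUM)
    return ip + tcp


def tcp_flags_of(packet: bytes) -> Optional[int]:
    """Flags byte of the TCP header inside a raw IPv4 packet, or None if too short."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 14:
        return None
    return packet[ihl + 13]


def classify_ap(reply: Optional[bytes]) -> str:
    """Decision rule from the results slide: an RST back means the stack behaved
    normally; silence is the signature the authors observed from the rogue AP."""
    if reply is None:
        return "suspect"
    flags = tcp_flags_of(reply)
    if flags is not None and flags & TCP_RST:
        return "legitimate"
    return "inconclusive"


if __name__ == "__main__":
    # Constructed addresses: 10.0.0.1 stands in for the suspected AP, 10.0.0.5 for the host.
    probe = build_fuzzed_probe("10.0.0.5", "10.0.0.1", 40000, 80)
    print(probe.hex())
    print(classify_ap(None))   # what the slide reports for the rogue AP
```

The rule treats silence as the rogue signature, so a stack that filters all unsolicited segments, a wrong target address, or a frame lost between injection and capture all produce the same observation; repeat the probe and compare against a known-good AP before acting on a single result.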

Slide 37
4. Things We Learned

Slide 38
Things we learned...
The behaviour of the wireless network interface card.
Confirming a live distro and cancelling usage of the VMs.
Alfa cards worked great, but Intel built-in chipsets and Cisco wireless adapters were also competent.
Yet another way to understand wireless networks.

Slide 39
5. Related Work

Slide 40
Related work
1. RF Monitoring
2. Wired and wireless connection consideration

Slide 41
RF Monitoring (1)
Monitors RF and gathers information at switches and routers.
Compares with a known authorized list.
E.g. AirDefense scans intranet RF and compares fingerprints.

Slide 42
RF Monitoring (2)
An approach where dedicated sensors are used for scanning.
They use parameters like SSID, MAC, location information etc.
The information collected on the above parameters is compared against a verified list.

Slide 43
RF Monitoring (3)
Sends a verifier packet.
If received by an internal sensor, the AP is internal and hence an evil twin.
Source: Raheem Beyah and Aravind Venkataraman, IEEE Security & Privacy Magazine, Vol. 9, No. 5, 2011.

Slide 44
Wired and wireless connection consideration (1)
Checks connectivity by host: is it wired to wireless (auth), wireless to wireless (auth), or wired to wireless (unauth).
They refer to the prepopulated authorization list.
The parameters taken into account are round trip time, entropy etc. and the statistical analysis performed on them.

Slide 45
Wired and wireless connection consideration (2)
Another approach calculates the clock skew of the access point and builds the relevant fingerprint.
Later these details are used in some machine learning algorithms for training detection models.
Source: Jana et al.

Slide 46
Wired and wireless connection consideration (3)
Proposes a model named ET sniffer.
Counts the round trip time for a packet to travel from host to server.
Differentiates on the basis of whether the packet travelled on the wireless link or on the wired link.
Assumes that the wired link is always one hop away.
Source: Yang et al.

Slide 47
Wired and wireless connection consideration (4)
Proposes a model named WiFiHop.
Sends a watermark packet (known only to the user) to the internet.
Listens on the channel to find the existence of the watermark packet.
If found, an evil twin is detected.
Overcomes the problem where the packet is travelling through more than one wireless hop.

Slide 48
Why do we need one more approach?
Existing approaches have certain limitations. The majority of them implement some special hardware or setup to make the detection work, which sometimes requires the highest level of privileges.
The existing approaches are initially designed with the wireless network admin as the detecting authority, not the normal user.
Fuzzed packet approach:
User side approach.
Works with the WNIC available in our laptops.
Uses scapy, which is readily available in BackTrack.

Slide 49
6. Potential Approaches

Slide 50
Potential Approaches
There still lies potential in protocols like IGMP and BGP to build intelligence about the rogue access point.
Maybe use techniques similar to "traceroute" to know the wired transfer time and then exclude/subtract it to minimize the noisy effect on the wired side.
Mobile-implanted WiFi tethered hotspots are yet to be tested with our approach and stand as a strong contender to legitimate access points and rogue access points as well.

Slide 51
7. Conclusion

Slide 52
Conclusion
We have proposed an investigator packet, Malicious Access point Nailing Utility (MAN_U), which from the access point's response will deliver the result of whether the access point is legitimate or rogue.
With an economical, mundane setup, a normal user is able to detect an evil twin. No specific admin/access rights are needed.
Along with the proposed approach, we have been working on a few more approaches.
The complete work is submitted for patent and is under procedure.

Slide 53
8. Acknowledgements

Slide 54
Acknowledgements
Vivek Ramachandran (Wireless Security Megaprimer).
Joshua Wright, Phil Biondi (Scapy mailing list).
Laurent Butti (Wi-Fi Fuzzing).
Michael Ossmann (HackRF).
Dr. U. V. Kulkarni (Guide).
Dr. Nandakishor Ranade (Mentor).

Slide 55
?

Slide 56
/../ Thank You /../