
5GHz Electronic Warfare: Reliable Rogue AP Attacks on 802.11n/ac Networks

BSides KC · 2018 · 36:57 · 310 views · Published 2018-06
About this talk
Gabriel Ryan demonstrates eaphammer's new 5GHz rogue access point capabilities, addressing the hardware compatibility and software complexity challenges that have long plagued 802.11n/ac penetration testing. The talk covers unified hostapd configurations for reliable evil-twin attacks, channel bonding, spatial multiplexing, and FCC/ETSI compliance through DFS and TPC implementation.
Original YouTube description

In this presentation we will introduce a new feature to eaphammer: the ability to easily and reliably perform rogue AP attacks against 802.11n/802.11ac networks that operate on the 5GHz spectrum. Although most hostapd-based tools for performing rogue AP attacks do support the creation of 5GHz 802.11n/802.11ac access points, we are the first tool to do so reliably and without extensive manual configuration. The 5GHz spectrum has presented a challenge to wireless penetration testers since its inception, mainly due to rampant hardware compatibility issues. This challenge is further compounded by the widespread adoption of 802.11n and 802.11ac, both of which are comprised largely of edge cases that can be tedious to implement in software. We have addressed both of these issues. To solve the issue of hardware compatibility, we performed tests across numerous wireless adapters and identified models that performed well in each of the following categories:

- Ability to support packet injection and monitor mode
- Ability to support master mode (soft access point creation)
- Ability to support Karma
- Ability to work well in a virtual machine
- Driver support across multiple operating systems

We then developed a set of unified configs for hostapd that could be used to reliably perform rogue access point attacks using 802.11n/802.11ac on the 5GHz spectrum. For added lulz, we even went so far as to implement the DFS and TPC features of 802.11h, making our rogue APs FCC and ETSI compliant by giving them the ability to detect and avoid interfering with aircraft radar. In this presentation we will describe how we did all of this, and demonstrate how these features have been implemented in the latest version of eaphammer.

Transcript [en]

Got an hour? Okay, cool. Questions are awesome. Alright, so my name is Gabriel Ryan, I'm a security consultant and co-founder at a company called Digital Silence. We're basically a boutique security consulting firm: pen testing, red teaming. But anyways, that's me.

Okay, so this is a talk primarily about wireless pen testing. Actually, it's a talk about the problems that people face when they're performing wireless pen tests against networks that use technology that's been created within the past five or ten years or so. But before we really talk about wireless pen testing, we kind of have to talk about what a typical enterprise Wi-Fi configuration is going to look like. Anybody here ever professionally managed an enterprise Wi-Fi network? Yeah? Okay, cool, excellent, so you know what I'm talking about.

So most enterprise Wi-Fi networks are going to have dedicated components for the different functions that people are going to use the network for. You're going to have a guest network, which is a straight leg out to the internet; this guest Wi-Fi is pretty much just what it says, it's there to provide internet to company guests. You're also going to have a corporate Wi-Fi network, and that's usually for access to internal resources, and it's a lot more locked down, because that's what employees are using to do all their day-to-day jobs. If it's a really well set up network they'll probably have a BYOD network as well, so you can keep those devices on an isolated network, segmented off from everything else. But the key thing is that there's going to be very little security for all of these, and the one that we really, really care about is the corporate Wi-Fi, because that's the one that actually gets you moving further into the network and getting access to resources, laptops, stuff like that.

So if you know about the corporate Wi-Fi, it's usually locked down using WPA-EAP. The reason why they use WPA-EAP is that, unlike the pre-shared key style of WPA2, which is one network password, EAP is username and password based, and it actually provides encryption on a user-by-user basis. So once you start getting above, like, 15 or 20 users or so, you want a situation where everyone has their own encryption key, which is why they use EAP for corporate Wi-Fi, unless you're talking about an ICS-type environment, where it's probably just PSK. Right, so if we want to attack WPA-EAP: if you actually look at how most people attack Wi-Fi, if you've done wireless pen testing you pretty quickly become accustomed to attacking PSK networks, where you just capture the WPA handshake, crack it, and get on the network. With EAP you can't really do that, so you have to use something called a rogue AP attack. Rogue AP attacks are pretty cool; they're kind of the bread and butter of wireless pen testing, and fundamentally there are a couple of different variations. The most fundamental one is called an evil twin attack. Basically what a rogue AP attack does is you force client

devices to connect to you. So let's say we have this wireless network here, and these four laptops are connected to this access point with this one ESSID. If we create our own access point with the same ESSID, and preferably the same channel, as the access point these devices are connected to, and if we can provide a better signal to these devices than the target network's access point, they'll eventually drop their connection to the target and connect to you, and now you have them in the middle. And when you think about how EAP works, which is what we were just talking about, when you type in a username and password to get on the corporate Wi-Fi there's an authentication server running in the background that you actually complete the authentication process with; it's still basically an open access point. So this is the attack that you use to get access to those kinds of networks: you force the device to connect to you, then it authenticates with your authentication server, you capture a challenge-response, crack it, and then use that to get on the network.

Here's a very quick demo. We're specifying the ESSID of our target network, and we're just going to start this rogue AP here, and skip ahead a little section over here. Yeah, okay, so you should see 'AP enabled' very shortly. There we go. We're attacking the ESSID evil corp, and we have a client device; watch, it connects, and there we go, we've got the hashes. You essentially take those hashes, crack them, and then you get on the Wi-Fi. So it's pretty cool.

The problem is, when we're looking at modern wireless networks... well, actually, in order to understand that, there are two ways to perform this attack. There's the variation I just showed you, which is that you provide a better signal, right, and that's going to cause the devices to roam to your rogue AP because you're providing a better connection. More commonly you're going to be using a technique called coercion, where essentially what you're doing is you deny access to the AP that the client is connected to, and then you provide the same network with a different BSSID, and that will cause them to roam from the AP. Everybody follow? Okay.

So, right, as I was saying, coercion: they're connected to an access point, you start spamming deauth packets at the access point, the clients are going to lose their connection, they start looking for a different access point on the network to connect to, they connect to yours because it just happens to be there waiting with open arms, and you end up with a man-in-the-middle situation like before. The problem is that most of the hardware that you'll run into when trying to attack an enterprise Wi-Fi network uses the newest variations of the 802.11 protocol. Everyone know what 802.11 is? Okay, I'll go into the

details. So 802.11 is basically just a fancy way of saying Wi-Fi; it's the standard. The two latest versions of that are 802.11ac and 802.11n. The problem is that existing tools for performing these rogue AP attacks either don't support 802.11n or 802.11ac at all, or they do, but you have to spend a lot of time editing config files and just generally hate your life while trying to get this attack to work. And if you're on a time-boxed pen test, and all pen tests are time-boxed, you want to use your time as efficiently as possible. But yeah, I mean, the problem is, you're kind of screwed there.

So why is this relevant? Well, 802.11n and 802.11ac provide much better throughput than 802.11g. So 802.11a and 802.11g were the two older versions of the protocol that were used; essentially 802.11n and 802.11ac built off of a and g and kind of expanded them to provide these exciting new capabilities. To understand why this is a problem for attackers: 802.11n and 802.11ac provide much better throughput and much better signal than these older versions of the protocol. If you consider that with 802.11g you're looking at a maximum of, like, 54 megabits per second, and that's the maximum allowed by the protocol. 802.11n, which is the next step up, is still below 802.11ac, but even so, theoretically you can reach speeds of 600 to 900 megabits per second. Realistically you're probably going to cap out around 300, but the theoretical limit is like 600 to 900. So what does this mean? Well, okay, if you look at these frequency graphs here, here we have 802.11b, here we have 802.11g, and here's 802.11n, and it's massive. If you have an 802.11n access point with all that bandwidth there, and we talked about evil twin attacks, where the idea is that you're providing a better signal to this device and you're going to try to get it to connect to you: well, if you're working with 802.11g, you're capped at 54 megabits per second, and all the access points you're attacking are pumping out at least 300 megabits per second. You're not going to be able to get that to work, not easily, unless you're like right up next to the device. So that means that coercion, where you actually deauth the access point and the client roams to you, is pretty much the only really viable option in those cases these days.

So I guess the question is, can't you just attack 802.11n networks with an 802.11g access point? Well, yeah, you can do that, and that's where coercion comes in. You create an 802.11g access point, which is what most of the tools have to do, and then to get these devices to actually connect to you, you just start spamming deauth packets. The reason why this doesn't always work: take a look at this example here. You have two target access points in the top left and right, you have the rogue access point in the bottom here, and these two devices at the very bottom center are the ones that you basically want to get to connect to you so you can steal creds from them, essentially. Well, they're connected to this guy here, and this guy is using 802.11n, and the one on the right is using 802.11n too. So you spam deauth packets at the access point in the top left, hoping that the client connects to you, but instead they just roam to the other one. Alright, so then you spam this guy with deauth packets, yeah, but then they just roam back to the first one. And you could literally sit here for hours until eventually you get lucky and it connects to you. You will eventually get lucky, but that's a horrible way to spend your client's money, right, just sitting there for hours trying to get that to work.

So I guess the obvious question here is, can't you solve this problem just by deauthenticating both of these access points? Well, sure, but now you need three Wi-Fi interfaces: the first Wi-Fi interface to do the rogue AP, one to do the first deauthentication, and then the other one to simultaneously, concurrently I should say, deauthenticate the second access point. Alright, that's not a big deal, I'll just plug three Wi-Fi adapters into a computer. But what if they have three access points? Now I need four interfaces. Alright, what if they have four? This keeps going on and on. When you think

about your typical enterprise, think about a place like this: how many APs are in the room? Unless you're like that goofy Wi-Fi Cactus guy, which is pretty awesome, but unless you're that guy, you're not going to be able to do that. You might run into a situation where you just do not have enough adapters in your backpack to get the job done. So this quickly gets out of hand.

There's another solution I've seen, and I do not endorse this or recommend it, but I have seen people doing this. A lot of 802.11n and 802.11ac access points pretty much stick exclusively to the 5 GHz spectrum, so you put up your own access point on the 2.4 GHz spectrum, and then jam the entire 5 GHz spectrum using an SDR, basically pumping random noise into the 5 GHz spectrum. This is a wonderfully horrible idea, but it does essentially work: jam it, and that forces them to kind of come back down to earth to the 2.4 GHz access point. Yeah, it works. The problem is, you know what else uses the 5 GHz spectrum? Airplane radar. Yeah. So there are obviously safety concerns there, and because of that it's very illegal. Jamming the spectrum, I think, let alone the 5 GHz spectrum, is unsafe as well. So yeah, there are a couple of other options, but really, honestly, it's been many, many years since these protocols came out, and realistically, from the offensive side of things, we need a tool that can create 802.11n and 802.11ac APs on both the 2.4 GHz and 5 GHz spectrums. This is a 45-minute talk, so I'm primarily going to focus on 802.11n, and there'll be a part 2 at some point about 802.11ac, because I can't really treat either one in enough detail if I do both.

So let's talk about why 802.11n is so hard. Well, for one thing, access point configuration is highly complicated. If you're trying to configure a rogue AP that's just using 802.11g, you just give it a channel, a BSSID, a few other parameters, you start it up and it works. It's a little more complicated with these high-throughput and very-high-throughput protocols. Additionally, your access points have to be 802.11h compliant in order to work on DFS channels; we'll talk a little bit more about what that means, but essentially it has to do with the airplane radar thing we just talked about. And also there's this thing called BSS overlap protection, which we'll talk about, that has to be circumvented if we're going to do this.

I think we should talk a little bit more about 802.11n itself, just to kind of explain what we're dealing with. There are five main technical improvements offered by 802.11n. The first one is multiple-input multiple-output, or MIMO. There's also spatial multiplexing. There's also channel bonding. They also offer a really short guard interval, which is great, and there are some MAC-layer improvements as well. I'm primarily going to stick to the first three because of time and relevance.

So, multiple-input multiple-output: essentially what that is, if you're not using multiple-input multiple-output, you essentially can only send data on, if you have let's say two antennas, you can only send streams one at a time. But with MIMO you can actually break up a single data stream into multiple spatial streams, each of which is transmitted by an antenna, so the number of spatial streams you can have is pretty much limited by the number of antennas you have. If you have six antennas you can actually break your signal up into six pieces and transmit all of it at once, so basically you transmit stuff faster, which is why it's great.

There's also this really cool feature called spatial multiplexing. To kind of understand what spatial multiplexing is, it's almost easier to just talk about what the network does when it doesn't use spatial multiplexing. So in this diagram you have a transmitter on the left, a receiver on the right, and this big arrow thing is the operating channel that this access point is using, and these little red dots are your data stream. You can see we only have one data stream at once per channel, and that's the limitation imposed when you're not using spatial multiplexing: one data stream per channel. Obviously that's very inefficient. So the cool thing about spatial multiplexing is it lets you send multiple data streams per channel. You can see now we have these two data streams, and they're all going into the same channel; that greatly improves the efficiency of the access point. So how does it do this? Well, you go back to that MIMO thing we were talking about, where you break up the data stream into different spatial streams, each handled by a different antenna, and that's kind of how you do that.

The third important feature is channel bonding. So your typical 802.11 channel (and this is assuming something called OFDM, which is the kind of system we're going to be using; there's another way of doing this that uses 22 MHz channels, called DSSS, and it's not terribly widely used, so we're not really going to talk about it, but just be aware that it's there), for the most part, if you have something called an OFDM access point, 802.11 channels are 20 megahertz wide. So basically if you look at the frequency spectrum here, each of these is going to be like a 20 megahertz block, and so this big thing on the left essentially represents a single 20 megahertz access point. So as I mentioned, the traditional 802.11 channel is 20 megahertz wide. Channel bonding actually lets you combine two or more adjacent channels; with 802.11n it's two channels. You combine two adjacent channels to create a single larger 40 megahertz channel, so it doubles your bandwidth, which makes it very powerful. So compare this here to this, and you can see a lot more stuff: now you have two channels working right next to each other as one giant channel, just pushing all this data through.

There are some other improvements introduced by 802.11n; as I mentioned there's a short guard interval, and there are also some improvements to the MAC, but this is a 45-minute presentation so I'm not really going to go over them here; they don't matter too much. So what does all this mean for pen testers? Well, okay, let's think about all this complexity we've just added to Wi-Fi, and if you're trying to create a rogue access point, you're basically creating an access point from scratch in software. Just think about what you have to do to do this using 802.11n. You first have to select a channel width, okay, 20 megahertz, 40 megahertz, not a big deal, right. Then you have to select a primary channel, okay,

that's not a big deal either. Now I have to select a hardware mode that works with that primary channel; it's going to be a or g depending on whether it's 2.4 GHz or 5 GHz. Then you have to set your HT capability parameters correctly. So at this point the problem here is ballooning, and we're not done yet: you also have to decide whether it's going to be an 802.11ac connection or not at this point, and there are like three or four different ways to configure that, and you also have to select the appropriate number of spatial streams for your hardware. And bonus, if you chose a 40 megahertz channel, which you probably did, you have to decide whether to place that secondary channel above or below your primary channel, because if you look at this spectral graph here and your primary channel is channel one and you try to put your secondary channel below it, you're going to go off the edge of the graph here; it's not going to work. If you get any of this stuff wrong, hostapd, which is the Linux utility that's used to create access points, is going to refuse to start or just silently fail, and you're going to hate your life. So hence the lack of out-of-the-box support for this stuff. There is a method to this madness; you just need to know what the configuration options are for any given situation. Or you can just automate it and use a tool to handle the configuration for you, which is kind of what we're doing here.

So to kind of show you how we've done that: right here we're making an 802.11n access point, and you see here that we haven't specified hardware mode a or g, we just selected hardware mode n and the channel, and it's automatically going to figure out whether it needs to specify hardware mode a or hardware mode g based on the context. And you see here it's automatically selected hardware mode g based on the channel selection, and if we skip this forward a bit we're going to successfully launch the attack there. So there's the hardware mode selection. Yes, I don't get PowerPoint, guys, I'm sorry.

Okay, so that's cool, but that will give you a single 20 megahertz 802.11n access point; you probably want to do a 40 megahertz channel width if you're dealing with 802.11n. So that's why we have a way of doing that: if you want to do a 40 megahertz wide channel you just use this channel width flag you see up here, it's kind of going off the side of the screen, but we just set channel width to 40, and when you do this it will automatically figure out where to put the secondary channel, given what you can and can't do based on your primary channel. So you see it's doing it here, and there it goes; it just kind of works out of the box. There are several situations you can find yourself in where both putting the secondary channel above or below the primary channel are valid, and you might want to manually specify which one you want to use. If that's the case you can just manually specify it using the HT40 flag, and HT40 actually corresponds to a value in the hostapd config file, it's the HT40 setting if you're wondering. You just put plus if you want the secondary channel to go above, so you see that you just do plus if you want to go above, and you do minus if you want to go below, and then if you want it to just take care of it for you, you just type auto, but that's the default, so if you're doing that there's not much point in using the flag at all.

So the second challenge here is that if we're going to do rogue AP attacks using 802.11n and work with the full potential of the 5 GHz spectrum, we

need to achieve something called 802.11h compliance. What does that mean? Well, we mentioned that certain parts of the 5 GHz spectrum are used by radar, specifically airplane radar and weather radar, and most of that stuff we don't want to mess with. So because of this there are actually regulations enforced by the FCC, the EU, and all these other regulatory organizations, and basically what these regulations dictate, they pretty much state that if you're running an access point on any of these channels that overlap with airplane radar, your access point has to be capable of detecting and avoiding radar. So this is actually a feature that you probably didn't know your home router has, but your home router, if it uses these channels, which it probably does, is also a radar detector, because periodically it's going to be listening for airplane radar, and if it detects the presence of airplane radar it actually has to, by law, shut down the access point, wait 30 seconds, then start looking for a new channel that does not have airplane radar, and just randomly pick another channel to operate on. And if it detects airplane radar on that channel, it has to do it again. Actually there's a pretty interesting denial of service attack where you just simulate airplane radar near one of these access points on all channels, and it's just unable to run at that point. Although if you think about it, it's kind of a lot of work to do that; you could just use deauthentication packets and achieve exactly the same thing, but it's a cool proof of concept.

But yeah, if you want to legally operate on the DFS channels you're going to have to be equipped to do it. If you have a client that's running on the DFS channels, you're going to have to operate on DFS channels, and you want to do it in the best way possible, so you're going to operate a compliant access point; that's also a safety issue.

So how have we addressed this? Well, we've added a flag to eaphammer that enables 802.11h, and what this does is it grants access to DFS channels. You still have to, you know, if you're using just a run-of-the-mill version of Linux you're going to have to patch your kernel to enable DFS; that's on you, because we're not really in the business of writing kernel patches. That's your operating system; that's kind of where we draw the line between our software and what the user has to do. But if you have an operating system that's patched to enable DFS and the relevant kernel modules and stuff like that, you can use eaphammer to pull them in and enable access to the DFS channels. There's also a flag in there, and this is really for research purposes only; it's not for use outside of a lab environment, it's very illegal to do this. It's actually two flags you have to combine in order to confirm that this is really what you want to do: you can force eaphammer to use DFS channels without DFS enabled. Don't do that outside of a Faraday cage, please, but it's there in case it's needed. So yeah, that's DFS; that's the second thing. The third thing we had to do to

get rogue AP attacks working on 802.11n, the third and final thing, and this one's actually kind of funny: we had to circumvent something called BSS overlap protection. So if you look at this, this is actually the prototype that I was putting together. Basically what's happening here is that we're trying to create an access point on channel 157, and you can kind of see it out there, but this thing fails. Actually, it sort of succeeds, but it's not where you wanted to put the access point, which is the best part here. This is the message that says 'switching own primary and secondary channel due to BSS overlap with' and then the BSSID of another access point. So what's going on here? Well, there's this part of the RFC for 802.11n that insists that you are not allowed to occupy the same primary channel as another access point, and if you do detect that there's another access point running on that primary channel you have to go pick another one, because RFCs, right, follow the RFCs. Well, if you think about this, this is actually not a legal requirement, it's an engineering requirement; as far as I know the FCC doesn't care about this, and I'll go over that in a second. But yeah, basically what would happen here is that we'd create this access point, attempt to put it on the same primary channel as another 40 megahertz access point, and it would just move us automatically to a different channel. This is a problem because if we think about how evil twin attacks work, it's beneficial to occupy the same ESSID and channel as another AP in order to force devices to connect to you; if you can't do that, well, it's a lot harder. So essentially this kind of breaks the whole thing that we're trying to do here.

Fortunately we can resolve this just by patching hostapd to ignore BSS conflicts. Once again, hostapd is the software that's used to create access points, and it turns out that, you know, I kind of looked at what the people who build their own routers have been doing. People have various hobbies, and some people like to build their own routers and use them kind of like Raspberry Pis and stuff like that. I guess there's a little community around doing this, and hats off to them, they've figured out that you don't necessarily want to follow this, because if the neighboring APs aren't all following it, it sucks. So there are actually a lot of patches out there for hostapd, really simple patches that disable this feature. And the reason why it's so easy to disable this feature is that hostapd only checks for these neighboring access points on startup, and then it just starts running; it checks once, and if it's clear it starts the access point. There are literally two functions, well, it's basically the same function in two different files, and you just have to perform a very similar modification to each. There's this really interesting function here called ieee80211n_check_scan; I wonder what that does. Oh, this comment says: check the list of neighboring BSSes from the scan to see whether 40 MHz is allowed according to the standard, blah blah. And if you scroll down a little bit in that function, there's an if statement here where, depending on the result of this if statement, you may end up moving to a different channel in the presence of a neighboring access point using the same channel that you're trying to create on. So the solution here, if you want to patch hostapd to not do this, to not follow the RFC, is you just make sure that this statement always evaluates to false, and patch the rest accordingly. So we built that in, and the next time you see this, we've got the spectrum here, and we're happily just running a 40 megahertz access point on the same primary channel as all these guys here. I was going to give them a [inaudible], but, well, yeah, that's how that works.

So we've added that to eaphammer as well. To summarize everything we've got: we've added out-of-the-box support for 5 GHz rogue APs, we've added 802.11n compatibility, 802.11ac is going to start soon, we've added support for WMM for good measure (if you're interested in what that is, talk to me later), and we've also made sure to implement 802.11h compliance so you can actually do this stuff without doing bad things. And the cool thing is also it does this by requiring as little configuration as possible, since we can just create the access point and it works. So go check it out; the source code is on GitHub, it's called eaphammer. And that's it. Any questions?

A question.

So with what you're talking about, what about something like the Cisco Meraki [unintelligible]?

One would think, one would think so. That's if you enable it, and a lot of people don't, but every now and then you do run into that. But here's, here's the caveat of that, right. So think about how we're attacking these networks: you're not attacking the access point, you're attacking the clients that connect to the access point. These attacks still work, in fact they often work more effectively, if you attack these clients when they're not connected to the network, when they're not connected to the access point in the first place. So for example, if you think of a karma attack, you're basically just trying to get these clients to connect to you; they don't have to be connected to an actual access point for that to happen. You can do the same thing with evil twin attacks as well. I guess what I'm saying here is that it's not actually necessary to be present on the network to get this attack to work. So if you have any kind of situation where these devices leave your enterprise, but they're configured to connect to your network using weak versions of EAP, then all the attacker has to do is just follow your employees out to lunch or something like that and then hit them there. So, yeah, so, like, I think, you know, I definitely always encourage the use of wireless IDS, because, like I said earlier, that's the defense in depth principle, you know, it's the right thing to do, especially because it'll deny, oh, 90, 95 percent of attackers. But you're always gonna have that one pen testing company that knows about it, that just follows your employees somewhere where that won't work. As for whether you can bypass the IDS itself, well, that's an interesting question. It depends on the implementation. Now we're talking about basically, like, [unintelligible] IDS bypass, but for wireless. There are ways to do it, but it's just a question of, you know, how thoroughly implemented the particular solution is. Some of them are really good, admittedly, and require a lot of work; some of them are fairly [unintelligible].

I'm sorry, one [unintelligible].

So there are a number of ways. If we're talking about the evil twin attack that you talked about at the beginning, one of the most obvious ways is that you look for an access point with a BSSID or MAC address that doesn't correspond to one of yours. So you just use one's BSSID, that's easily changed. Exactly, so that's where you get into, so there, once again, this is kind of [unintelligible] IDS, there's this whole rabbit hole of methods that they use. There are a lot of things that you can look at: sequence numbers, fluctuations of signal strength, that's one of them. A lot of them, actually, what they'll do is they'll actually pay attention to the access points. A lot of commercial solutions, what they do is they actually pay attention to the client devices that are connected to your access points. You can think of it as, you know, all the other laptops are connected to your network, and then when these devices suddenly, like, they'll notice: oh, well, suddenly this device is connected to this access point that's supposedly on my network, but I'm not receiving any traffic from it, hmm. So they'll bring that access point down and then start attacking it. And so that's how the better IDS systems work, and admittedly it works reasonably well. The problem is, I'm convinced there's probably a way to get around that setup, [unintelligible]. But I think the more fundamental problem is it won't save you if you just wait till those devices are further away from that network; that IDS doesn't help you anymore. But that's just kind of the overview. Any other questions?

Yes, it does, it does. However, okay, so [unintelligible], there's definitely that. So simply, what you're capturing there, there are two components. Usually, to perform this kind of attack it's gonna be against a technology like PEAP or TTLS, but the underlying principles are very similar: you capture a challenge, you capture a response, and you can then crack these to obtain something like the plaintext RADIUS password. So you're not actually attacking the encryption itself, that's kind of like a [unintelligible]. You're not attacking the encryption in this case, you're actually just recovering a plaintext password. The interesting thing about the turnaround time for doing this, if you keep it simple [unintelligible]: a number of years ago there was some research done by two researchers named Moxie Marlinspike and David Hulton, they broke [unintelligible] SSLstrip, but yeah, so essentially, due to cryptographic weaknesses in MS-CHAPv2, if you change your approach from a straight dictionary attack to recover the password, and instead use a divide-and-conquer attempt to recover the hash of the password, which is not plaintext but is password equivalent, you can actually reduce your key space to... I think it was like... I think it's like [unintelligible]. Basically, like, are you guys familiar with 3DES? Yeah, it basically [unintelligible], chopping [unintelligible] out of 3DES, so you can reduce it to, very, you know, things like 64-bit encryption or something like that, and that's trivial to crack. So the actual turnaround for cracking this is not as [unintelligible], and that's kind of what makes this attack so scary. If you're using EAP-TLS, none of this is actually relevant. So if you have, like, a situation where all your wireless devices are connected using certs, this whole thing falls apart. The problem is that [unintelligible] certs are hard, especially because you need to get the buy-in from the relevant people to deploy certs; that's why the adoption rate is very poor.

Wow, all right, [unintelligible], all right, thanks very much. [Applause]