Oleg Kupreev - Overview and demonstration of nuances and tricks from...
TRANSCRIPT
802.11 tips and threats @090h
7iP5 Li57
1. Conditions: weather/time/other
2. Antenna inside and outside
3. HW
4. SW
5. RF
6. Channel plan(s)
7. “Good” news 4 everyone (CRDA, Syste.md)
8. TP-Link 722n as hamradio
9. 802.11 @ OS X
10. Some stupid phun if some time remains
Independent conditions
Weather:
• H2O + RF = ? Remember borsch in microwave.
• WWW - Wardriving/Warwalking/Warsitting 8). IT’S TiME TO HACK!!
• DFS*
Happy hours:
• WEP - anytime
• WPS - night
• WPA-Personal - evening
• WPA-Enterprise – 9:00 or when normal people come to the job? 8)
Other:
• Depends on your neighbors, interference, PRNG, ISP, etc.
Antenna types
• Omnidirectional
• Uda Yagi
• Panel
• Parabolic
• Sector
Omnidirectional antenna
Omnidirectional Antenna RF Gain Pattern
Uda Yagi
Use “Uda Yagi Calculator” 4 DIY*
Omnidirectional Antenna RF Gain Pattern
Hardware
• No silver bullet. TP-Link TL-WN722N best choice for beginner.
• WPS brute -> Alfa AWUS036H
• Handshake capturing -> MIMO card. MAC80211 + Ralink chips rule.
• Deauth => Any card with INJMON
• Wisipi = KARMA + custom soft => TP-Link: 3020, 3040, 3220, 4300
• WiFi Pineapple -> MARK IV, MARK V
• Google Nexus (Kali Nethunter compatible)
• INJMON_WITHOUT_EXTERNAL_CARD -> Nokia N900, N9
Software
• Kali, Kali Nethunter, BlackArch, ArchAssault
• kismet, horst
• Aircrack-NG, Pyrit, cowpatty
• reaver-wps, WPSPIN.sh, wpscrack, Bully, pixie-wps, WPSIG
• Wifite (forked)
• KARMA, MANA, Hostapd-WPE
• https://github.com/0x90/wifi-arsenal
• https://github.com/0x90/wps-scripts
• WISPI http://semaraks.blogspot.ru/2014/12/wispi-ver-11-for-tp-link-mr3020-mini.html
- RF?
- No… 8(
- 2.4GHz, 5GHz!
RF
• 700 MHz – ITS in Japan
• 900 MHz (802.11ah) – US unlicensed
• 2.4 GHz (802.11b/g/n) – everyone uses @ home
• 3.6 GHz, 4.9 GHz (802.11y) – US, Public Safety WLAN. 50 MHz of spectrum from 4940 MHz to 4990 MHz (WLAN channels 20–26) are in use by public safety entities in the US.
• 5 GHz (802.11a/h/j/n/ac) – 802.11ac is what you should use @ home
• 5.9 GHz (802.11p) – Wireless Access in Vehicular Environments (WAVE), ITS in EU
• 60 GHz (802.11ad) – WiGig. 7 Gbit/s, 10 m, beamforming, HDMI over WiFi
Channels, plans and the world.
802.11b channel center frequency
802.11b
• Channel 1
• Channel 6
• Channel 11
• Channel 14
802.11g/n (20 MHz)
• Channel 1
• Channel 5
• Channel 9
• Channel 13
802.11g/n (40 MHz)
• Channel 1+5 (Upper)
• Channel 5-1 (Lower)
• Channel 5+9 (Upper)
• Channel 9-5 (Lower)
• Channel 9+13 (Upper)
• Channel 13-9 (Lower)
2.4GHz channel plan
2.4GHz channel plan for US
Channel plans
Theory:
• US => 1,6,11
• WORLD => 1,5,9,13
IRL fcukups:
• wtf is channel plan?
• 40 MHz bandwidth will give me more speed!
• More AP power will give me more speed!
• More antennas will give me more speed!
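As an added worked example (my code, not from the deck), a small Python check of the channel plans above: it derives 2.4 GHz and 5 GHz center frequencies from the channel number and tests a plan for overlap at 22 MHz (802.11b DSSS), 20 MHz (HT20) and 40 MHz (HT40 upper/lower, the 1+5 / 5-1 notation used above). The channel-to-frequency formulas and the overlap test are standard IEEE 802.11 arithmetic; the function names are my own.

```python
from typing import List, Optional, Tuple

# Added example, not part of the original deck. Channel number -> center frequency
# per IEEE 802.11: 2.4 GHz ch n = 2407 + 5n MHz (ch 14 = 2484), 5 GHz ch n = 5000 + 5n MHz.
Span = Tuple[int, int]  # (low_mhz, high_mhz) occupied by one channel


def center_freq_mhz(channel: int) -> int:
    """Center frequency in MHz of a 2.4 GHz (1-14) or 5 GHz (36-177) channel."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if 36 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"unsupported channel {channel}")


def channel_span(channel: int, width_mhz: int = 20,
                 secondary: Optional[str] = None) -> Span:
    """Spectrum occupied by a channel. width_mhz: 22 (802.11b), 20 (HT20), 40 (HT40).
    secondary: for 40 MHz, 'upper'/'lower' says where the bonded 20 MHz sits
    (the deck's 1+5 is primary 1 + upper, 5-1 is primary 5 + lower)."""
    f = center_freq_mhz(channel)
    if width_mhz == 40:
        if secondary == "upper":
            f += 10  # bonded center lies 10 MHz above the primary channel
        elif secondary == "lower":
            f -= 10
        else:
            raise ValueError("40 MHz needs secondary='upper' or 'lower'")
    elif secondary is not None:
        raise ValueError("secondary only applies to 40 MHz")
    return f - width_mhz // 2, f + width_mhz // 2


def overlaps(a: Span, b: Span) -> bool:
    """True if two spans share spectrum (touching edges do not count)."""
    return a[0] < b[1] and b[0] < a[1]


def non_overlapping(plan: List[int], width_mhz: int = 20) -> bool:
    """True if no two channels of the plan overlap at the given width."""
    spans = [channel_span(c, width_mhz) for c in plan]
    return all(not overlaps(spans[i], spans[j])
               for i in range(len(spans)) for j in range(i + 1, len(spans)))


def neighbours_hit(channel: int, width_mhz: int, secondary: Optional[str],
                   others: List[int]) -> List[int]:
    """Which of the neighbours' 20 MHz channels does this AP's setting overlap?"""
    mine = channel_span(channel, width_mhz, secondary)
    return [c for c in others if overlaps(mine, channel_span(c, 20))]
```

The 1,6,11 plan only works as a non-overlapping set at the 22 MHz width of 802.11b; at 20 MHz the 1,5,9,13 plan is clean, and a single 1+5 HT40 AP overlaps two of its four channels.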
Interference indoor
Gr337z fly 2 JBFC
5GHz around the world
Meanwhile in Russia
Also, pursuant to the protocol note to the decision of the ГКРЧ (State Commission for Radio Frequencies) of 19 August 2009 No. 09-04-09, the ГКРЧ decided[16] (item 2): to allocate the radio frequency bands 5150-5350 MHz and 5650-6425 MHz for use on the territory of the Russian Federation, except for the cities listed in Appendix No. 2 [1], by fixed wireless access radio equipment of citizens of the Russian Federation and Russian legal entities without issuing separate ГКРЧ decisions for each natural or legal person.
Brief: 802.11a/h/j/n channels: 36-64, 136-165.
5GHz freedom? Depends on weather. DFS.
Country limitations
HACKER = NO_LIMITS
• Patched wireless-regdb https://github.com/0x90/wireless-regdb
• Patched CRDA https://github.com/0x90/crda-ct
• Install script https://github.com/0x90/kali-scripts
UDEV IFACE NAMING
• wlan0 -> wlp3s0
• mon0 -> wlp3s0mon
• wlan1 -> wlp0s20u9
• mon2 -> wlp0s29f7u2mon
• All mon0 based bash scripts fcuked up
• Lorcon + PyLorcon2 broken
ath9k low level• http://blog.altermundi.net/article/playing-with-ath9k-spectral-scan/
• Ath9k/ath9k_htc open source driver, firmware
• FFT disable
• Channels: -19-

    if ath9k.driver.has_sw_limits() && ’kernel patching’ in hacker.skills[]:
        hacker.patch(ath9k.driver)
        ath9k.channel = -5
        ath9k.power = 30
        ath9k.bandwidth = 5
ath9k spectral scan
• Fluke Spectral Analyser = many $$$
• Atheros AR92XX, AR93XX chips support spectral scan (???)
• http://pages.cs.wisc.edu/~patro/htc_spectral/0003-Update-spectral-scan-calls-to-support-both-ath9k-and.patch
• http://blog.altermundi.net/article/playing-with-ath9k-spectral-scan/
spectral scan plot
ath9k advanced
• echo "$bandwidth" > /sys/kernel/debug/ieee80211/$phy/ath9k/chanbw
• ls /sys/kernel/debug/ieee80211/phy*/ath9k_htc/registers/
• ath9k_htc AP mode client fw limit https://lists.ath9k.org/pipermail/ath9k-devel/2013-April/010513.html
• echo '1' > /sys/kernel/debug/ieee80211/phy0/ath9k/disable_ani
• iw --debug dev wlan0 info
802.11 hacking @ OS X
• No INJ, only RFMON => No sending deauth frames*
• Use reaver-wps, aircrack-ng, tcpdump from MacPorts
• airport cmd with RFMON support: /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport
• Scapy patched for RFMON @ OSX https://github.com/0x90/scapy-osx
• WPSIK
• PrivateFrameworks: Apple80211, CoreWLAN, etc…
• Horst to be patched
7HR3475
• PWN via MosMetro_Free
• WPS_FAST_PWN = pingen + pixie wps + fork(wifite, reaver)
• KARMA, MANA, HOSTAPD-WPE - pros and cons
• I’LL CALL YOU @ WPA2 PWD (greetings fly 2 d0znpp)
KARMA/MANA/ROGUE AP
KARMA vs MANA
KARMA
• Client -> ProbeRequest ESSID=FreeWiFi
• ProbeReply ESSID=FreeWiFi BSSID=00:13:37…
• + PineAP @ Mark V == beaconizer by ESSID list
MANA
• PNL gathering (capture broadcast)
• Beacon Broadcast
• Hidden SSID
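A defender-side counterpart, added here and not from the deck: the KARMA and MANA behaviours listed above leave a signature in the air that a monitor-mode capture can flag, since one BSSID answers probe requests for whatever ESSID each client asked for (KARMA) or beacons a whole list of harvested ESSIDs (MANA). The frames below are a constructed sample (made-up client MACs and BSSIDs; the ESSIDs are the ones named on the slides), and the threshold of 3 distinct ESSIDs per BSSID is an assumption to tune for your environment.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample capture (not real traffic): only the management-frame fields
# needed here. Client MACs and full BSSIDs are made up; ESSIDs come from the deck.
SAMPLE_FRAMES: List[dict] = [
    {"type": "probe_req",  "src": "aa:aa:aa:00:00:01", "ssid": "FreeWiFi"},
    {"type": "probe_resp", "bssid": "00:13:37:00:00:01", "ssid": "FreeWiFi"},
    {"type": "probe_req",  "src": "aa:aa:aa:00:00:02", "ssid": "HomeNet"},
    {"type": "probe_resp", "bssid": "00:13:37:00:00:01", "ssid": "HomeNet"},
    {"type": "probe_req",  "src": "aa:aa:aa:00:00:03", "ssid": "MosMetro_Free"},
    {"type": "probe_resp", "bssid": "00:13:37:00:00:01", "ssid": "MosMetro_Free"},
    {"type": "probe_resp", "bssid": "02:de:ad:be:ef:01", "ssid": "CoffeeShop"},
    {"type": "beacon",     "bssid": "02:de:ad:be:ef:01", "ssid": "CoffeeShop"},
    {"type": "beacon",     "bssid": "00:13:37:00:00:01", "ssid": "FreeWiFi"},
    {"type": "beacon",     "bssid": "00:13:37:00:00:01", "ssid": "HomeNet"},
    {"type": "beacon",     "bssid": "00:13:37:00:00:01", "ssid": "MosMetro_Free"},
]


def find_promiscuous_aps(frames: List[dict], threshold: int = 3) -> Dict[str, Dict[str, Set[str]]]:
    """Flag BSSIDs that act like KARMA (answer probe requests for many different
    ESSIDs clients asked for) or MANA (beacon many different ESSIDs from one BSSID).
    threshold is an assumed tunable; a legit multi-SSID AP normally uses one BSSID per SSID."""
    probed: Set[str] = set()                          # ESSIDs clients leaked via probe requests
    resp_ssids: Dict[str, Set[str]] = defaultdict(set)    # bssid -> ESSIDs it answered with
    beacon_ssids: Dict[str, Set[str]] = defaultdict(set)  # bssid -> ESSIDs it beacons
    for f in frames:
        if f["type"] == "probe_req" and f.get("ssid"):
            probed.add(f["ssid"])
        elif f["type"] == "probe_resp":
            resp_ssids[f["bssid"]].add(f["ssid"])
        elif f["type"] == "beacon":
            beacon_ssids[f["bssid"]].add(f["ssid"])
    suspects: Dict[str, Dict[str, Set[str]]] = {}
    for bssid in set(resp_ssids) | set(beacon_ssids):
        karma = resp_ssids[bssid] & probed   # answered exactly what clients probed for
        mana = beacon_ssids[bssid]           # beaconed list of ESSIDs
        if len(karma) >= threshold or len(mana) >= threshold:
            suspects[bssid] = {"karma": karma, "mana": mana}
    return suspects
```

On a real capture, feed the same three fields (frame subtype, SSID, BSSID or source) from your sniffer of choice; the hidden-SSID case from the MANA slide shows up as beacons with an empty SSID and is deliberately not counted here.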
QUESTIONS? PWN’EM ALL!
@090h/[email protected]
Code @
• http://github.com/0x90/
• http://github.com/dc7499