Straight to the tool. No slides. Test, test. I'm Beetle. I'm with the Shmoo Group. This is Bruce Potter with the Shmoo Group, founder of the Shmoo Group. And if you caught his cool Bluesniff tool, or front end to RedFang, the other day, make sure you get to the website and help him out with some MAC addresses for the Bluesniff tool. The disclaimer is going to be coming up, then an example hotspot setup and its weaknesses, Rogue APs 101 basically, and then a demo of AirSnarf. And then if we have time we might tell people how they could probably mitigate some sort of risk here. Disclaimer: behave yourself. Next slide. Test, test.

Example hotspot setup. Basically how a hotspot is set up, so I can turn this way but I can't turn that way. All right. Basically how example hotspots, or any hotspot, real hotspots, are. You visit the hotspot provider usually before you... test, test. There we go. Basically you visit the hotspot provider's website before you ever actually visit the hotspot. You create a username and password. In some cases you tie this to a credit card. Then you visit the actual hotspot with a wireless device, either a PDA or a laptop with an actual Wi-Fi card in it. Power on, you associate, you get an IP from the DHCP server, DNS, default router, all that stuff. Then when you open up a web browser, what usually happens is there's a local redirect. It brings up a nice little splash screen that says username and password, please enter here. At that point you're kind of authenticated to the local hotspot and they open up a little hole in the firewall, or their local firewall, for you, and they no longer force you to redirect to the splash screen. They actually let you do web browsing and that sort of stuff. Usually there's some sort of cache or timeout value associated with the IP and MAC address. But for the most part you're free to do what you want there. Remember, when you log in there's back-end authentication, some sort of RADIUS server.
It can be a global RADIUS server that covers the entire nation, such as is the case with T-Mobile Starbucks. And when you authenticate, remember your credit card that you gave at the beginning when you logged in or created your username and password is tied to that login and will be charged, if you're doing pay-for-play, or if you're doing a monthly flat fee and you're just using it every month. Question is, is this secure? You guys want to know? That's great, man.

All right, so here's a little graphic foo. All right, first we have an access point with an SSID of "good guy". We have our client card come in with an SSID basically set to "any" or default. What usually happens is that they associate to the SSID, or the access point with the SSID, of "good guy", and their SSID effectively becomes "good guy". What happens here if a stronger or closer access point comes within range of the Wi-Fi card here? Basically, depending on what signal-to-noise ratio is in play here, they can actually be disassociated from the access point of "good guy" and re-associate to the SSID, or the access point with the SSID, of "bad guy", and their SSID effectively becomes "bad guy". This can and does happen without the user's knowledge. Now what's really interesting is that if the bad guy decides to set his SSID to "good guy", well, at that point all bets are off, because the user definitely won't know what's happening.

So here are some other screenshots that we took while we were over at Black Hat. You have your client card and some sort of utility that shows you signal and noise. A better utility for graphing signal and noise, believe it or not, is NetStumbler. If you actually click on a MAC address under NetStumbler you'll actually get the signal-to-noise ratio in a nice little graphical format. Here is the hallway sitting at Black Hat and the access points there at Black Hat. As you can see, that's pretty good signal.
Receive sensitivity for most cards, or really good cards, is around negative 68 dB, and basically the stronger the signal from the access point as opposed to the noise (as you see, this is up here about negative 60 dB), as we go higher and higher up into less negative numbers and then positive numbers, obviously that's a better signal, and the card will pick that out of the air and say, great, I'm hooked up. Well, this is our rogue access point, and we're sitting in the hallway here, and the guy that's sitting next to me goes "fuck", because basically what we have here is a rogue access point running at negative 30 dB when the closest other access point, in terms of a Black Hat access point, is at negative 60 dB. Just for reference, every 3 dB is basically a two times increase in power. We're talking about a 30 dB difference here.

And a little side joke here: we were at the racetrack last weekend and they have this thing called sound control at the racetrack, because the locals, well, they really don't like the race cars running around. Well, sound control says that the maximum sound on your car can be 103 dB. Well, one guy runs around and comes back off the track and they say they black-flagged him, actually pulled him off the track; he was at 109 dB. Well, you try and explain to somebody that's, well, like myself, a redneck that likes to race, and say you're running at 109 dB, the max is 103 dB. "Shit, man, it's only six. I can fix that." Wrong. You're going to take the motor out of it.

All right, looking again here at NetStumbler, we're actually looking at the access points and the MAC addresses, and you see our Black Hat rogue access point is actually just a Netgear card in HostAP mode, basically sitting there without bumping the power up or anything like that, but the closer you are to somebody, they're basically freaking out because they've been bounced off of the network.
It can be a graceful bounce, in that you have the same IP address scheme and they won't actually notice that they're moving over to another network. It's really nice that people can migrate from one network to another like that. And sometimes, or most of the time actually, since you don't have the same IP address scheme, or they have an ARP cache, they won't actually recognize that they're going to the same default router anymore; these individuals will say, damn, I can't get to the network. Oh, man.

Okay, this is some Itchy and Scratchy foo from the other day; don't worry about it. Basically I wanted to show you that regardless of where the actual signal is in, say, a building: if you have strong signal in a building, you have marginal signal outside the building, and you say, I'm good, because I have great signal inside my building and nobody's going to bother me if they bring a rogue access point just to the exterior of my building, because it'll never overpower the signal that's inside the building. However, there are things called amps.

Rogue access points. Let's talk about Rogue Access Point 101. Basically a rogue access point is an unauthorized access point. Traditionally we're talking about corporate back doors, or employees that decide they're going to fire up an access point in their office and allow anybody that's within range to basically get on the internet without any type of authentication. Also corporate espionage: you pay the janitor 20 bucks, he goes up into the next floor or the next building and drops an access point on the actual internet for you. Cheap corporate espionage at that. And from that point you simply either aim your antenna at the floor and you're picking up the corporate, your competitor, at the next floor, or you aim the antenna at the building across the street and you're picking up their network there. Thank you, janitor.

Hotspots. Rogue access points for hotspots. Well, we're talking about denial of service, for one.
If you set up an access point... well, we actually had something not too recently, as far as Personal Telco and the Starbucks guys, I believe somebody was jamming somebody else's channel or something like that. Denial of service occurs with just regular Wi-Fi. But if you were actually setting this up as a protest mechanism, you could set up a rogue access point, and anywhere that you went, for those hotspots, if you didn't like that hotspot provider, you just send everybody to a redirect that says "save the moose."

Theft of user credentials. That's really what we're talking about today, and the idea is if you pull up a rogue access point and you give the same sort of splash screen for the users that are actually entering that hotspot provider's area, they're going to see the splash screen and they're not going to know any better, because basically there's no authentication mechanism between the actual station and the actual AP. So they say, I'm on an AP, I've got my IP address, I've got a splash screen, it's asking me for a username and password, and I'm going to give it to them. AP cloning, that's kind of what we're talking about here.

Hotspot rogue AP mechanics. Okay, so how do you build a hotspot rogue access point, or a rogue access point in general? Basically you're creating a competing hotspot. The access point can actually be another AP, and then you back it with an actual Linux or OpenBSD box, whatever your flavor, or you can actually run a card in HostAP mode and then the card actually becomes the AP. You create or modify a captive portal behind the AP. If you're familiar with NoCatAuth or YCAP or other types of tools that are captive portals, basically they are redirectors that bring you to a splash screen and request a username and password, at which point you're then authenticated and allowed through to the network.
So you can create or modify a captive portal so that instead of actually doing any back-end authentication, or actually concerning yourself with actually giving people access, you instead just capture usernames and passwords. So you redirect the user to a splash screen; denial of service, we talked about saving the moose; and theft of user credentials.

Now a bold attacker, somebody with big brass ones, is going to walk straight to ground zero and actually flip open their laptop and actually fire up HostAP and actually snarf usernames and passwords right there at the hotspot while they're drinking coffee. Somebody that's not so bold is going to drive by with their truck and a big antenna and either a one or maybe four watt amp, if they've got military access, and basically blast the entire hotspot as they drive by. They can either knock people off or they can just grab new users. They might be able to park, at which point they just go through the entire metropolitan area gathering new usernames and passwords from each hotspot. They never actually have to go inside.

AirSnarf. AirSnarf is nothing special. It is a shell script. Basically what we're doing here is we're simplifying the process of setting up a rogue access point. We have HostAP, httpd, dhcpd. We're using the Net::DNS Perl module and a script that I wrote, basically just doing local resolving of DNS, and basically an iptables rule. It's a simple example rogue access point and we're going to demonstrate it now. While I'm just firing this up, Bruce is going to talk about defense.

Howdy. So here's the deal. I like to talk about defense because I'd like to think there's some good to be had about all this, so if you don't want to listen to the defense and just want to think about attack, just watch what he's doing and just kind of zone me out. There have been a couple of talks here at Black Hat this year that have been really refined attacks, advanced and refined attacks against wireless networks.
The technology, everybody sitting here kind of walks out the door and understands this stuff. But here's the deal. It's basically the same technology we had three or four years ago. We're just getting better as an attacker community to say, look, here's the whole thing in a package. Just pull the bow off and go rape everybody around you. Excellent. This is ridiculous, that there's still infrastructure out there that's vulnerable to this type of thing. So what we need to do as the professionals, the security professionals' side of the world, is deploy more secure infrastructures.

This problem of rogue access points is really one of authentication. Right now there's no reasonable way, excuse me, two years ago there was no reasonable way to authenticate people at the network level, at the link level. So what ended up happening is people punted there all the way up to the top and said, hey, you know, the default authentication token is a web browser. So we'll make all these fricking web portals and drive everybody to them and take their credit card numbers. And we just kind of ignore all the weaknesses that are lower down and hope they don't get screwed in the process.

So technologies have been developed, namely 802.1X. How many people have heard of it? How many people have deployed it? Excellent. 802.1X is a link-level authentication protocol. I'm going to talk on that right now. I gave a speech on it last year at Black Hat. It's a good starting point with lots of references and whatnot; go to the website. There's the plug. 802.1X gives you link-level authentication and it allows you to do it in an extensible way. So you can do it with, say, just a password scheme, you know, something that's pretty easy to deploy. Or you can do more complex certificate-based schemes. And importantly, you can do bi-directional authentication. This is critical.
Okay, right now the problem is the access point is really worried about authenticating you, or the back-end application is, but you're not authenticating anything beyond that point. Unless it throws up an SSL error in your browser, you don't know a damn thing's wrong. So 802.1X, and the kind of über god that's coming out of 802.11i, which is the new wireless security specification that's got new link-level encryption and new link-level authentication, including 802.1X, is really going to be the future of where we're going to go and where these attacks are going to stop. If you have a corporate network today and you have things you want to protect, deploy 1X, deploy mutual authentication through something like TTLS (there's only two Ts in that), or some other EAP mechanism that gives you that capability. Otherwise, just, you know, forget about it and go home and get drunk.

You ready? Yeah, doesn't fit in there. Can you fry this up? Stretch it in here. All right, so basically, if you get to an actual hotspot and you see this, that's probably somebody experimenting with AirSnarf. So that's just FYI for all of you here. What we're doing here is we're simulating a redirect, and basically anything that I enter up here, this is kind of difficult because I don't have it locally displayed here, but if I go into A-Ware, Christ. If I go to ESPN or I go to any other type of site, and, oh, that's why I created these buttons, CNN or something like that, basically I'm just getting the same page over and over and over, and then I'm going to select. We enter a username and password, and then we log in. Yeah, yeah. So we get an error message. Usually this is what the error message would be: the network's not available, please try again. Give me another username and password.

Now, what we can do is we can actually switch this around. So, as we all know, with Apache we can do virtual hosting.
So not only are we doing, say, something for just this URL, but we can dynamically change it. Say we don't want to actually give people the local redirect or the AirSnarf redirect. We want to do something like, if anybody goes to PayPal, we give them a PayPal logo and a username and password prompt. The same thing applies. Like I said, we can do it for another popular site, Hotmail. And people are going to say, username, password, Hotmail prompt, yeah. Or, I just got disconnected. In some cases these people are just going to be disconnected from somebody firing up a rogue access point. The next site that they're going to try and visit, or maybe even they were in the middle of a Hotmail session, the next time they pop up it's going to say username and password. And you can make these web pages really pretty and convincing. These are kind of dumb.

But now let's say, let's say you actually wanted to do something like Starbucks. Do we have that there? So we pull up the URL for a Starbucks T-Mobile site. And somebody's going to look at that and they're going to say, username and password, sure. The idea, though, is that you can actually use this for good. Let's say you're a government person and you're interested in finding out where the local bad guys or terrorists are actually doing their coffee drinking and that sort of thing. And you want to grab their username and password while they're on the internet. Yeah, we got something for that. So every time they go to slash... Now they log in at their local Al Qaeda coffee joint. Where is that? There we go, Al Qaeda coffee. Every time they log in here, Osama, we're going to grab username and password, give them a little message.

Now, let me see if I can't move to one of the other screens. Give me a second. I'll show you where the actual passwords are stored. Now, in one version of AirSnarf we've got a mail to root. So obviously you're running this on your local box, you are root, and you can look at everything there.
In this case, we actually have Apache. We're running it just with a log sent out, and it's in CSV format. So later on... and it rotates the logs too. Each time you fire up AirSnarf it rotates the logs so that you have just this running list of logs. So we've actually got somebody logging in to CNN, username and password. Osama apparently likes boys. Bring it on. All right.

Here's the interesting point of all of this. You can do this with a laptop and you can do this with HostAP. That's what it's running on right now. This is right now running on a Zaurus, which means this is my rogue access point. Basically, I can go into a Starbucks anywhere in the nation, put it in my pocket, turn it on, order my coffee and walk out with my coffee and my usernames and passwords. That's what you got the recharger in the car for, man. Let's get back to the slides real quick. We'll wrap this up. And you guys have seen this: replay, replay, replay, replay.

Bruce talked about defense strategies. Other defense strategies that we'd just like to recommend: for the guys that are actually running hotspots, local AP awareness, and for individuals that are in corporations that are concerned about people setting up rogue access points and directing usernames and passwords to corporate credentials. What you want to do is be aware of the local access points. Be aware of your MAC addresses, be aware of the actual access points. Yes, you can fake MAC addresses. Yes, you can run around with FakeAP even and freak out people that are running AirMagnet, AirDefense or something like that. Another thing is customer education. That's key. You have to make your users aware that this threat exists. Anybody else that's out there in an actual Starbucks, they don't know that this can happen to them. So they're just going to walk in there and be vulnerable to something like this. One-time authentication mechanisms.
I don't know if it's true, but at one point the rumor was that McDonald's and their hotspots, they were going to set it up so that when you actually ordered your Big Mac, for an extra buck, you could get, like, Wi-Fi access. And at the bottom of your receipt it would print a little PIN that you would use. Just like when you go up to the gas station and you get a full tank of gas, you pay an extra buck and they give you a car wash, and you get a one-time authentication for that. Well, it's the same thing. If you use one-time authentication here and you're only charging a buck for the actual access, if somebody actually does grab the actual PIN here for authentication purposes, what are you out? You're out a buck. You're out a buck, or the customer's out a buck.

My personal belief is that for hotspots, you should be charging for hotspot access. It's not enough to be charging me $5 for a cup of coffee. Now you want to charge me, like, $5. What we're talking about here is that Wi-Fi access should be a value-added feature to your business. And it's going to attract people there, and they're going to sit there and they're going to buy more coffee. They're going to buy more little bagels and donuts and all that other sort of... And the idea is that you don't actually need to charge for it in order to actually make up your losses, because they're really not that big.

Here are some links. AirSnarf will be at airsnarf.shmoo.com. Right now there's a placeholder there. But here, I'll show you the website actually in existence in a minute. HostAP, there's a link for HostAP. Some people think that HostAP is hard to set up. For Red Hat, there's actually a kernel, or an RPM that you can set up for the kernel. So it's just an RPM command. If you're looking for hotspots, www.hotspotlist.com. Other wireless portal software: Personal Telco has a list of wireless portal software.
So if you're not interested in using AirSnarf for your purposes, you can go grab yourself some other portal software and try and modify it for your purposes. I actually want to underscore that. You know, this has all been a security talk so far, and how to subvert portals and things of that nature. Anyone that's actually set up a wireless portal, there's some software out there that people have been using. Things like YCAP and NoCat and things of that nature. This actually makes a dandy little wireless portal if you're going to set that kind of thing up. It's pretty straightforward, works great, has all the redirection; virtual hosting is built in. This is the good use, not the evil use. So, you know, whatnot, try it out.

The website basically looks like that. There's a link for the actual presentation. There's the actual tarball for Red Hat Linux 9. We did that for the masses there. And if you really want to just mess around with your Zaurus, and I'm telling you it takes a little bit of work to actually get it done, but we've actually put a tarball up there for the Zaurus version, and we've actually cross-compiled dhcpd for the Zaurus so that you don't have to. Thank you very much. Well, actually, any questions? Five minutes, I think. Goons, five? All right, you fire it. Yes. Go ahead, portable rogue access point. No, sir, you're okay.

For your portable rogue access point, do you use any amplification for the signal in order to stomp out Starbucks?

You can use an amp and it's going to stomp over somebody. There's no doubt about it. It's also helpful to send the authentication packets to the clients to get them to kick the hell off the previous access point. I believe there's a tool that was presented earlier today or yesterday that did that. That could be integrated in pretty effectively to get people to just bounce forcibly. Other questions while the din is rising? You, sir, all the way in the back, because I'm looking for a challenge. Any other questions? Yes, yes.
What about access points that use SSL for authentication on the splash pages?

Here's the crazy thing: when the user actually logs in the first time, sometimes they're redirected to an HTTPS site. If they're really concerned and they actually are paying attention to the lock icon, you could create an entire SSL-based Apache website, but I'm saying it's not that difficult to just trick people into actually authenticating right with you. They're not going to pay attention to the lock.

Well, you said a lot of good things about 802.1X, but in the HostAP daemon, the user-space daemon, there is actually support for a little authentication server which can obviously support 802.1X. So do you think you will implement faking 802.1X authentication, at least for EAP-MD5 or something like that, in a future version?

Oh, in the future version of AirSnarf, after the trick out. The question here is basically there are certain 1X authentication mechanisms that are only one way. Just because you do 1X doesn't mean you have bidirectional authentication. So if people are raising the bar and using unidirectional authentication, i.e. all they're doing is verifying the client, the client isn't verifying the network, you can still spoof that. So, you know, the EAP-MD5 mechanism is basically a challenge-response, and you can just respond back with, yeah, that was a good password, welcome to the network. So, yeah, I mean, that's something that I think, as we see the demand, we'll get integrated in. It looks like one line of code and that's not basic. Yeah, what I've also considered as far as a future version of AirSnarf, we were going to work on it, is the idea of actually integrating the deauth portion and actually bumping people off of the wireless network, or something like AirJack. So you can combine this with other different types of utilities, certainly. Any other questions? What about the amplification issues?
You said that in order to be a rogue access point you need to be much more powerful than the original one. Is it something that comes out of the box, or is there anything you should apply for that?

I think the question is, why do you need to be stronger than the other access point? How do you actually... Well, in some cases the cards actually support bumping up from their normal transmission rate, or transmission power rate. And the Cisco cards are obviously an example. They can run at 100 milliwatts. The Senao cards, they run at 200 milliwatts. And normal access points are usually, in the case of the commercial ones, they're using, like, Orinoco AP-2000s, which are only running at about 30 milliwatts per card. Nice cards, nice access point, but if you show up with a Cisco 352, you've got 100 milliwatts right there and you're obviously higher. If you go with a Senao, 200 milliwatts, then you're obviously higher. If you use an Orinoco and then take a pigtail off the Orinoco cable into a 500 milliwatt amp and then straight onto an 8 dB omni, then you're obviously going to overpower the local hotspot.

I was wondering, is there any possibility of doing a true man-in-the-middle attack by spoofing the MAC address of the default router that they thought they were connecting to, so that you could maintain a connection and they would never realize they'd been hijacked and you could sniff their traffic?

All of the nice tricks that you might have seen at Black Hat when the guys from mentally were talking about Ettercap and man-in-the-middle attacks, all those things apply here on the wireless network as well, as long as you can associate to the local access point. In fact, at Black Hat they were telling everybody to make sure they put static ARP entries in for the default router. We're done here. Thank you very much, and if you have any other questions, see us. Make sure you clear on out of here as fast as you can, and we'll go with you and we'll be outside if you have questions.
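The "local AP awareness" defense recommended in the talk (know your own access points and their MAC addresses, while remembering that MAC addresses can be faked), worked through as an added Python example that is not part of the talk or of AirSnarf. The inventory, BSSIDs and scan records are constructed; the -60 dBm baseline and the -30 dBm rogue reading mirror the signal figures discussed above, and the 3 dB = 2x rule of thumb is checked against the exact dB-to-power conversion.

```python
"""Cloned-SSID / spoofed-BSSID check over passive scan records (added example).

Inventory and scan records below are constructed for illustration. The only
values taken from the talk are the -60 dBm (real AP) and -30 dBm (rogue) readings.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str
    channel: int
    rssi_dbm: int  # signal strength as a scanner such as NetStumbler reports it


@dataclass(frozen=True)
class KnownAP:
    ssid: str
    channel: int
    baseline_rssi_dbm: int  # typical reading from the spot the scanner is run


def db_to_power_ratio(db: float) -> float:
    """Linear power ratio for a dB difference: 3 dB ~ 2x, 10 dB = 10x, 30 dB = 1000x."""
    return 10 ** (db / 10)


def find_rogue_aps(scan: List[ScanRecord], inventory: Dict[str, KnownAP],
                   spoof_margin_db: int = 15) -> List[str]:
    """Return one finding per suspicious record, using only what a passive scan shows.

    1. cloned SSID: an authorised SSID advertised by a BSSID we do not own;
    2. likely spoofed BSSID: a BSSID we own seen with the wrong SSID or channel;
    3. likely spoofed BSSID: a BSSID we own far louder than its baseline
       (the talk's rogue at -30 dBm beside a real AP at -60 dBm is 30 dB, 1000x).
    Because MACs can be faked, check 1 alone is not enough; 2 and 3 cover that case.
    """
    authorised_ssids = {ap.ssid for ap in inventory.values()}
    findings: List[str] = []
    for rec in scan:
        bssid = rec.bssid.lower()
        known = inventory.get(bssid)
        if known is None:
            if rec.ssid in authorised_ssids:
                findings.append(f"cloned SSID {rec.ssid!r} from unknown BSSID {bssid} "
                                f"on ch {rec.channel} at {rec.rssi_dbm} dBm")
            continue  # unknown BSSID with a foreign SSID is just a neighbour
        if rec.ssid != known.ssid:
            findings.append(f"{bssid} advertising {rec.ssid!r}, expected {known.ssid!r}")
        if rec.channel != known.channel:
            findings.append(f"{bssid} seen on ch {rec.channel}, inventory says ch {known.channel}")
        delta = rec.rssi_dbm - known.baseline_rssi_dbm
        if delta >= spoof_margin_db:
            findings.append(f"{bssid} is {delta} dB ({db_to_power_ratio(delta):.0f}x) above baseline")
    return findings


# Constructed inventory: two legitimate hotspot radios.
INVENTORY: Dict[str, KnownAP] = {
    "00:11:22:33:44:01": KnownAP("coffee-hotspot", 1, -60),
    "00:11:22:33:44:02": KnownAP("coffee-hotspot", 11, -65),
}

# Constructed scan: rows 1-2 are the real radios, row 3 an unknown radio cloning
# the SSID, row 4 a copy of the first BSSID that is 30 dB too loud to be genuine.
SCAN: List[ScanRecord] = [
    ScanRecord("coffee-hotspot", "00:11:22:33:44:01", 1, -61),
    ScanRecord("coffee-hotspot", "00:11:22:33:44:02", 11, -64),
    ScanRecord("coffee-hotspot", "00:de:ad:be:ef:01", 6, -30),
    ScanRecord("coffee-hotspot", "00:11:22:33:44:01", 1, -30),
]

if __name__ == "__main__":
    for finding in find_rogue_aps(SCAN, INVENTORY):
        print(finding)
```

The baseline comparison only works if the inventory readings were taken from the same location the scan is run; treat `spoof_margin_db` as a site-specific tuning knob.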