Hello, friends. Very good afternoon to all of you. My name is Sohail, and I work for a Wi-Fi security company, AirTight Networks. And the title of my talk is Wi-Fish Finder: Who Will Bite the Bait? As the title indicates, this talk is going to be about a tool that can be used to discover Wi-Fi-enabled client devices which are vulnerable to Wi-Fishing attacks. So, let's start.

Before we dive into the details of this tool, let me give you a little bit of background on how it all started. As a security company, for the last two to three years we have been conducting a lot of Wi-Fi scans in various cities of the world, studying the trend of Wi-Fi security adoption. Some of the studies that we have published in the past are the financial district scan and the airport Wi-Fi scan study. In the financial district scan, we found approximately 50% of Wi-Fi networks were either using no encryption or were using weak WEP encryption. And the situation was even worse in the airport scan study, in which we found approximately 70% of Wi-Fi networks were using an insecure Wi-Fi configuration.

So, while we were conducting these scan studies, we got an interesting idea, which we'll see later. There are places like airports where thousands of people from different parts of the globe transit every day, and most of them are business travelers and carry Wi-Fi-enabled clients like laptops, PDAs, smartphones, et cetera. So we thought: instead of traveling to different locations and scanning the Wi-Fi networks, or access points, installed in the buildings, why not scan the Wi-Fi-enabled devices these people are carrying? Can we do our Wi-Fi scan study based on client data? And the answer was yes. A very interesting client-based scan study was possible right there, instead of us going to different locations. So, with this thought in mind, we started collecting client data.
And here is a sample of the client data that we had collected some time back using a tool called airodump-ng. As you can see, on the left-hand side a lot of MAC addresses are listed, basically client MAC addresses. And on the right-hand side you can see the SSIDs, the probed SSID lists. Basically, the clients were found to be probing for these Wi-Fi networks. And as you can see, in some of these cases clients are also probing for multiple Wi-Fi networks.

So what happens, basically: you use your Wi-Fi-enabled client device to connect to the Wi-Fi network at your home, then at your workplace, or whenever you visit some hotel or, let's say, an airport, you connect to hotspot Wi-Fi networks. Whenever you connect your client device to a Wi-Fi network, the memory of that Wi-Fi network gets saved in your client device. And wherever you go, your client keeps on looking for the presence of those Wi-Fi networks, right? So that's the reason why these clients are found to be probing for multiple SSIDs.

If you take a closer look at this probed SSID list, we see some popular names here, like T-Mobile, which is a popular hotspot service provider. And one can easily say that this network must be an open Wi-Fi network. But let me ask you: can someone precisely give the security of any other probed SSID, let's say Boyakasha or Hoffman? Probably not. But in order to continue our scan study, it was very important for us to find out the security of each probed SSID. So at this point of time, we posed one question to ourselves: can the security mode of each probed network from a roaming client be determined? And with this question in mind, we started building a tool, and right now we have a tool ready with us that is called Wi-Fish Finder.

So when you run this tool, basically, you get to know about the different Wi-Fi clients available in the vicinity. The first column is the Wi-Fi client MAC address.
The second column, which is the shaded area, tells you about the security of those probed networks. The third column tells you about the security posture of that client for that particular SSID, whether the client is vulnerable or secure, and if it is vulnerable, what the reasons for that are. And the last column is the probed SSID.

So let's take a look at a live demo of this tool. I have Wi-Fish Finder running here on a BackTrack machine, and I'll be using my Wi-Fi client devices. There are a couple of Wi-Fi profiles saved in my client devices, and we'll see whether this tool is able to find out the security of those probed SSIDs or not. But before that, the tool can also be used to find out the security of all Wi-Fi clients present in range. So let me run the tool just to show you what happens, and then we'll do a demo for my client.

As you can see, a lot of clients are appearing, and they are probing for different Wi-Fi networks. The rightmost column is the probed SSID, the network for which they are looking. And on the left side, you can see that in some of these cases, let me stop and drag it up a little bit, see, in some of these cases it has already discovered the security of those probed SSIDs. So the first SSID is something like ROM, and the security configured for this particular client is WEP. One of the clients present here is actually probing for this SSID. So I hope the person who is using it knows about that. This is how Wi-Fish Finder finds out the security of probed SSIDs. Let me run this tool now to find out the security of the probed SSIDs coming out from my client, because we'll see some interesting things coming up.
So let me talk a little bit about the implementation part, and by the time we finish the implementation, we will have something ready to see there. Let me put one question to you as a naive user: if you have to find out the security of a probed SSID without using this tool, how would you do that? And the simplest answer I could find: why not put up one access point, configure that access point with the same SSID for which this client is looking, and see if the client connects to it or not. If the client connects to that access point, it means it is configured for the same security, right? And if the client does not connect to that access point, then we try changing the security configuration of that access point, trying each and every possible configuration one by one, and see if the client connects to that access point or not.

But then there are practical issues associated with this manual approach. The approach is not really scalable to handle probes coming for multiple SSIDs. The approach is also not scalable to handle probes coming from multiple clients. And then, of course, there are different 802.11 security configurations possible, which means the turnaround time to find out the security of a single SSID would be much higher if we use this manual approach.

So then the question is, how is Wi-Fish Finder different from this? And the answer is, it is not doing anything different from this, but it is doing it smartly. All these steps are automated in Wi-Fish Finder. So it handles probes for multiple SSIDs, it handles probes coming from multiple clients, and all possible security configurations are properly handled here. Basically, as soon as Wi-Fish Finder sees a probe request coming from any client, it simulates a virtual Wi-Fi network environment around that probing client, just to let the client feel like it is actually present in an authorized Wi-Fi network environment. And that's how it actually finds out.
So in order to help you understand the implementation part, let me use one simple example here. Let's assume that this is a client which is looking for a Wi-Fi network, WXYZ, and the client is configured for WPA2, okay? As soon as this tool finds a probe request for that Wi-Fi network, it sends a response to that client saying, hey, WXYZ is available right here and it's open. And it waits for the client to connect. Of course, the client is not going to connect, because the security configurations are not matching in this case. So after some time, the tool sends a response to the client saying, hey, WXYZ is available right here and it is configured in WEP mode. The same thing happens. After some time, the tool sends a probe response to the client saying, hey, a WPA configuration is now available, see if you can connect. And finally it sends a WPA2 configuration. As soon as the client finds a WPA2 configuration for the same Wi-Fi network, it finds, oh, the security configuration is matching. So it initiates the connection establishment process with that network. It sends an authentication frame, receives an authentication frame, and finally it sends an association request frame. These are the frames which are required to do a connection establishment. As soon as the tool receives an association request frame, it finds out the security of that probed SSID, because the association request is the first frame in which the client reveals the security of any probed SSID. So the idea was to create an environment where the client sends an association request packet for a particular given SSID. That's how Wi-Fish Finder finds out the security of any SSID.

So let's get back to Wi-Fish Finder. In fact, conferences are also one of those locations where people from different parts gather. So we did a small scan study right here, and here are the findings.
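The exchange just described ends with an association request, and what that frame carries (an RSN information element for WPA2, a vendor WPA element for WPA, only the Privacy capability bit for WEP, or neither for open) is what tells a tool like this which security mode the client accepted. The following Python is an added example, not code from the talk or from the Wi-Fish Finder tool: it decodes a constructed association-request body for the SSID WXYZ from the example above and names the mode, and it includes a builder that produces such bodies for each mode so the decoder can be exercised offline. All function names and the constructed frames are my own; the element IDs, OUIs and suite selectors are the 802.11 values.

```python
"""Classify the security mode a Wi-Fi client reveals in its association request.

Added example, not code from the Wi-Fish Finder tool: the frame bodies are
constructed by hand for the SSID WXYZ used in the talk, and all function
names are my own.
"""
import struct

# An association request body starts with two fixed fields, capability info
# (2 bytes) and listen interval (2 bytes); information elements (IEs) follow.
CAP_PRIVACY = 0x0010              # "Privacy" bit in capability info: WEP, WPA or WPA2
RSN_IE = 48                       # element ID of the RSN (WPA2) information element
VENDOR_IE = 221                   # element ID of vendor-specific IEs (WPA1 lives here)
RSN_OUI = b"\x00\x0f\xac"         # OUI used by RSN cipher/AKM suite selectors
WPA_OUI = b"\x00\x50\xf2"         # Microsoft OUI used by the WPA1 IE
WPA_OUI_TYPE = WPA_OUI + b"\x01"  # vendor IE prefix that marks a WPA1 element

CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}


def parse_ies(data: bytes):
    """Yield (element_id, payload) pairs from a run of 802.11 information elements.

    Stops at a truncated element instead of reading past the end of the frame.
    """
    pos = 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        payload = data[pos + 2 : pos + 2 + length]
        if len(payload) < length:
            break
        yield eid, payload
        pos += 2 + length


def suite_name(sel: bytes, oui: bytes, table: dict) -> str:
    """Name a 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if len(sel) < 4:
        return "truncated"
    if sel[:3] != oui:
        return "vendor:" + sel.hex()
    return table.get(sel[3], "type%d" % sel[3])


def parse_suites(body: bytes, oui: bytes, table: dict):
    """Parse a count-prefixed suite list; return (names, remaining bytes)."""
    if len(body) < 2:
        return [], b""
    count = struct.unpack_from("<H", body, 0)[0]
    names, pos = [], 2
    for _ in range(count):
        if pos + 4 > len(body):
            break
        names.append(suite_name(body[pos : pos + 4], oui, table))
        pos += 4
    return names, body[pos:]


def decode_security_ie(body: bytes, oui: bytes) -> dict:
    """Decode the layout shared by the RSN and WPA IEs:
    version, group cipher, pairwise cipher list, AKM list."""
    if len(body) < 6:
        return {"group": "truncated", "pairwise": [], "akm": []}
    group = suite_name(body[2:6], oui, CIPHER_NAMES)
    pairwise, rest = parse_suites(body[6:], oui, CIPHER_NAMES)
    akm, _ = parse_suites(rest, oui, AKM_NAMES)
    return {"group": group, "pairwise": pairwise, "akm": akm}


def classify_assoc_request(body: bytes) -> str:
    """Return the security mode the client committed to, e.g. 'WPA2-PSK-CCMP'.

    An RSN IE means WPA2, a WPA vendor IE means WPA, the Privacy bit alone
    means WEP, and none of them means an open network.
    """
    if len(body) < 4:
        return "malformed"
    cap = struct.unpack_from("<H", body, 0)[0]
    rsn = wpa = None
    for eid, payload in parse_ies(body[4:]):
        if eid == RSN_IE:
            rsn = decode_security_ie(payload, RSN_OUI)
        elif eid == VENDOR_IE and payload[:4] == WPA_OUI_TYPE:
            wpa = decode_security_ie(payload[4:], WPA_OUI)
    for label, info in (("WPA2", rsn), ("WPA", wpa)):
        if info:
            return "%s-%s-%s" % (label, "/".join(info["akm"]) or "?",
                                 "/".join(info["pairwise"]) or "?")
    return "WEP" if cap & CAP_PRIVACY else "Open"


def build_assoc_body(mode: str, akm: str = "PSK", cipher: str = "CCMP") -> bytes:
    """Construct an association-request body for SSID WXYZ (test input, not a capture)."""
    cap = 0x0001                                     # ESS bit
    ies = bytes([0, 4]) + b"WXYZ"                    # SSID IE
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])     # supported rates IE
    if mode != "Open":
        cap |= CAP_PRIVACY
    if mode in ("WPA", "WPA2"):
        oui = RSN_OUI if mode == "WPA2" else WPA_OUI
        cipher_sel = oui + bytes([{"TKIP": 2, "CCMP": 4}[cipher]])
        akm_sel = oui + bytes([{"802.1X": 1, "PSK": 2}[akm]])
        payload = struct.pack("<H", 1) + cipher_sel            # version, group cipher
        payload += struct.pack("<H", 1) + cipher_sel           # one pairwise cipher
        payload += struct.pack("<H", 1) + akm_sel              # one AKM suite
        if mode == "WPA2":
            ies += bytes([RSN_IE, len(payload) + 2]) + payload + b"\x00\x00"  # RSN caps
        else:
            payload = WPA_OUI_TYPE + payload
            ies += bytes([VENDOR_IE, len(payload)]) + payload
    return struct.pack("<HH", cap, 10) + ies


if __name__ == "__main__":
    for mode, akm, cipher in (("Open", "PSK", "CCMP"), ("WEP", "PSK", "CCMP"),
                              ("WPA", "PSK", "TKIP"), ("WPA2", "802.1X", "CCMP")):
        print(mode, "->", classify_assoc_request(build_assoc_body(mode, akm, cipher)))
```

The string returned by classify_assoc_request is the kind of value that lands in the tool's second column: the mode is read from whichever advertisement the client finally answered, and the AKM part is what separates a pre-shared-key profile (dictionary-attackable) from an 802.1X one. The decoder stops at a truncated element rather than indexing past the frame, which matters when the input is whatever a radio happens to capture.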
And with this tool, from thousands of miles away, I know basically what kind of Wi-Fi network people are using at their home. Here are the networks that are configured. You can see probed SSIDs like home, 123, homenet. And I was able to find out the security of that network from thousands of miles away. I also found that some of the users are actually using an access point in its default configuration, without changing the security of that box and without changing the SSID name. I also found some guys who are actually using a very secure Wi-Fi network, like Mr. Hacker, who has named the probed SSID Wall Hacker and is using CCMP, WPA2 stuff. But let me tell you one thing: your client is still vulnerable, because it's still willing to make a connection with an insecure Wi-Fi network. You can see the security of the other probed SSIDs coming out from your laptop. We also found some clients were actually infected with a viral SSID, or ad hoc SSID, meaning they can connect and establish a peer-to-peer connection.

So the fact of the matter is that with this tool, a client-based Wi-Fi scan study is possible. But what else? Can we leverage this tool for something else? And the answer is yes, why not? How about doing a client security assessment, or vulnerability assessment? The reason for that is that there are attacks which are known to work against clients which are configured to connect to security-enabled Wi-Fi networks only. For example, if your client is configured to connect to, let's say, a WEP-encrypted network, then one can actually try the Caffe Latte attack and hack that client. If your client is configured to connect to WPA pre-shared-key-based Wi-Fi networks, let's say, then one can try a dictionary attack against that client using the latest aircrack-ng tool. And finally, if you are thinking that you are using a WPA2/802.1X Wi-Fi network, let me tell you, someone can actually try the PEAP attack.
So the tool can be used to find out or identify such vulnerable clients well in advance. That's how we can do a security assessment using this tool. Recently, we have in fact added one more feature to this tool. If you use this tool, you will be able to find out whether a client is vulnerable to the PEAP attack or not.

Let me tell you briefly what the PEAP attack is all about. There are clients which only connect to WPA/WPA2-based Wi-Fi networks. While configuring those networks, if you left the server certificate validation check box unchecked, then basically your client becomes vulnerable. Which means the client will never be able to differentiate between authorized Wi-Fi networks and rogue Wi-Fi networks, and can be victimized anytime. So this tool is capable of detecting such clients and raising a flag for that. The way it works: as soon as it detects that a client is probing for an 802.1X Wi-Fi network, it also initiates the higher-level authentication with it, EAP authentication basically. In that case it sends a fake server certificate to that particular client, expecting the client not to respond to that fake server certificate. And as soon as it gets a response from the client saying, hey, the server certificate is verified and I want to proceed further, it marks that client as PEAP vulnerable, because it knows this can only happen if the client is not doing a server validation check, right? That's how this tool detects a PEAP-vulnerable client.

So let me go back and show you. I had a profile configured to be PEAP vulnerable. See, a couple of SSIDs you can see here which are coming out from my laptop, and the tool has actually found the security of those Wi-Fi networks. I have a profile here right now which is configured with no server certificate check, and we'll see that this tool will flag that client as vulnerable against the PEAP attack. And then there are many other profiles saved here.
So generally it takes approximately four to five minutes to find out the security of all the probed SSIDs present in a single client's cache. With this, let me continue further, and after the conclusion we will come back to see the output of that tool.

The conclusion is that a lot of measures have been taken to secure Wi-Fi infrastructure, both access points and clients present in the same environment, the same vicinity. But an isolated roaming client still needs adequate security cover to protect it against honeypots. We believe that this tool can serve as a security assessment tool and can be used by security auditors or network admins to find such vulnerable clients in their office environment. And we have put the initial version of this tool up for download; the link is available. So this is all about Wi-Fish Finder. Thanks. If you have any questions, you may ask.

Yes. Could you please be a bit louder? If a laptop is already connected, it sends probe requests, but it actually depends on the transmit power at which this tool is transmitting. Basically, the client keeps on looking for the best available Wi-Fi networks. So in case you are closer to that client, then that will happen; you'll find out the security. But most of the time it works smoothly if the client is a roaming client not connected to any Wi-Fi network.

Yeah, sorry, sorry. See, that's a very good question, actually. The question he's asking is, why are you saying WPA2 is secure when someone can actually launch a dictionary attack? So basically, see, a dictionary attack works only if you are choosing a very weak password, right? But no one can actually predict what kind of password somebody is using. So sometimes it will work, sometimes it will not work. I'm saying secure only for those Wi-Fi networks which are configured for 802.1X and not using pre-shared key stuff. So mainly for those kinds of networks.
And they are not vulnerable to the PEAP attack. That's it. Thank you very much. I'll be available to take any further questions.