So, who here has ever had a real-time clock fail on their laptop 26 minutes before their talk started at DEF CON? Just me then. All right. Great. So, this is my first time at DEF CON and I am going to learn to back up my slides from now on. Hey, let's do a talk. Do you have the button? No? I'll just stand here. It's cool.

My name is Rick Farina. Nobody here knows who that is. I'm also Zero_Chaos. I do a little bit of work on the Aircrack team, but the fact of the matter is this fantastic gentleman right here is Mr. X. So anybody here ever crack a WEP key? And somebody give this man a round of applause. All right. So, as I said, this is Thomas d'Otreppe, founder of Aircrack-ng. My name is Rick Farina. I just kind of hang out and goof off and come up with some funny stuff.

So we've got a little bit of stuff we'd like to talk to you about today, a little bit of Aircrack-ng stuff. And then we've also done a little bit of our own research individually, in just some random fun places of the world. So we'll talk about that a little bit. Some of the topics in this presentation may be used to break the law in new and exciting ways. Of course, we don't recommend breaking the law, and it is your responsibility to check your local laws, blah, blah, blah, blah, blah. No, in all seriousness, folks, part of this talk is definitely something that will get you arrested by the feds if you do something wrong. So I will highlight that, and I will warmly recommend that you don't do it.

My code release was also on the laptop that exploded, so I will totally have that out later today, I promise. Again, my laptop exploded, so my little AP contest is going to be postponed until tomorrow. Tomorrow in the Wi-Fi village, I'm going to put up an access point. All you have to do is tell me what frequency it's on and what its MAC address is. That's it. Anybody here think they can do that? All right.
So if you can do it in the first hour of it, I'll give it like two hours maybe, I'll buy you a Ubiquiti SRC card. All you have to do is tell me what frequency and my MAC address. If it takes you too long, maybe I'll give you 50 bucks towards a nice Atheros card, and if it takes all day, then I'll give you a hearty handshake and a pat on the back for finally downloading my patch and figuring out what I did. Okay? I'm going to turn it over to Thomas here, and we're going to talk a little bit about some new stuff we've done in Aircrack, and hopefully you guys will think it's funny.

So for WEP attacks, you can sniff passively, but it's slow, and you have to wait a long time to get enough packets to crack. And now there are no more weak IVs, but you can use replay. Unfortunately replaying is a bit noisy. You can easily find a signature. For example, with ARP replay, you can see it on the host: just open tcpdump on the interface, and you will see a lot of ARP. There are also some features on the access points that can prevent getting IVs. For WPA with pre-shared key, you need to get both sides of the communication, and you need to be in range of both the clients and the access points. And for enterprise, it's nearly impossible to crack passively, but most cases of EAP are not easy to manage to meet them.

We've seen nearly all attacks focused on the access points, but access points are getting more and more secure. There are new features: PSPF, client isolation, you can see strong authentication, and now the APs are no longer an unguarded backdoor. We're going to attack the clients. Tools have appeared recently, but they're not easy to use, and there are other requirements. Here are a few tools: wep0ff, Caffe Latte, and Hirte, a new attack we developed that turns any IP packet into an ARP packet. For WPA, there's no public implementation for PSK, and for enterprise, we have FreeRADIUS-WPE, thanks to Brad and Josh, but it still requires a hardware access point.
To attack the client, there are many separate tools that are not easy to use, the implementation is not always there, and the configuration is not easy. Until now. We developed airbase-ng; it's a full monitor-mode access point. It merges a few tools into one, and it also works in ad-hoc mode. It's easy, it's fast, and it's deadly for keys.

Here are a few abilities of airbase-ng: you can do the evil twin, a fake access point that looks like the access point of your company, honeypot or Karma. It implements WEP attacks, the Hirte attack, Caffe Latte. You can also get the handshake without having the access point. You only need the client, and you will soon see WPA Enterprise attacks. airbase-ng is a soft AP; you can use WEP on it with Open or Shared Key, the Caffe Latte attack, and the Hirte attack, as I said. You can capture WPA handshakes, you can manipulate packets, even decrypt WEP packets and resend them. You can also add some filters to avoid disturbing nearby networks. Some of the filters are on the BSSID, and you can also use the ESSID, because by default it catches everything. Any client probing for a network will be attached to airbase-ng. It also implements MAC filtering like you can see on your access points.

Here are a few examples. You can easily capture the WPA handshake. The access point will be called MyAP. You can also develop scripts to manipulate packets. You have to use the -Y option (uppercase), and then start another script in another console. The script is given in every archive of Aircrack-ng; you can find it in the test directory. You can also do soft access points, meaning it looks like a real one. You can connect to the access point. You can ping the computers, with SSH. You can even connect to the Internet via this computer. So, Rick will continue.

So airbase-ng is kind of a combination of a bunch of projects that the guys on the Aircrack team have been having for years now, setting up multiple access points, trying to crack everything in sight.
I had a friend of mine that was just using a little airbase-ng, in this track I believe it was, just the other day, and cracked about three or four cell phones with it. It's a really fun tool, and really all the access point security that's there these days is getting a lot better. Anything especially deployed recently is going to be pretty tight. But now the clients are a lot more fun. I'm not talking about just attacking the clients directly, but the fact is this doesn't promise a win either. This just makes it a lot easier. When access points first started out, nobody was really looking there. Nobody thought of the security. Now it's the clients; the focus is shifting towards the clients now.

So there are actually ways to defend this. APs are being configured more securely. The clients need to be as well. So the simple defenses are actually covered really well on Josh Wright's website, Will Hack for Sushi. I'll have a full list of stuff at the end of this. There are a lot of really important things you can do. I warmly recommend you check it out. There are actually group policy objects for those of you poor people that have to administer Windows boxes. I'm guessing it's most of the audience. There's actually a very, very great way to set up some of these things. It's very well covered by Josh, so I'm telling you the bad things, and I tell you that the defenses are there. You just have to look for them.

So as I said, we're going to talk a little bit about some personal projects now. So we were working on the airbase stuff for a while, and I don't know, I get bored really easily. So I like Atheros cards. Who else likes Atheros? Anybody? A couple of people like Atheros. They're really nice. They're called software-defined radios. And I was going through the frequency set, and I saw, you know, okay, I can use the US frequency set. That looks a little weird. I mean, is the card really not capable of transmitting on those frequencies in the middle? I mean, seriously?
It's missing 400 megahertz out of the middle of the spectrum. What about the licensed bands? Who here has a Ubiquiti SuperRange Cardbus? It's a fantastic card. I just blew one of them up yesterday. Really nice. If you go to Ubiquiti's website, and several other manufacturers as well, they also have licensed radios. They sell things for military usage, public safety, all kinds of really interesting applications. Very, very expensive stuff. And it operates on 4.920 gigahertz, 4.95, 5.1. They really tripled the cost of the radio and made a different one. I wonder if we can do that without making an extra radio. So it turns out that, as a software-defined radio, Atheros actually does do most of that fun stuff in the software.

So what do we do? Unfortunately, as you all know, Atheros is very nervous about people doing things like, I don't know, changing the frequency set that the card supports. So they release a binary-only HAL for MadWifi. Works pretty well unless you want to do hacking stuff. But nobody here likes closed-source binaries, do you? Okay, so ath5k was actually released by the community. It was approved by Atheros. It was acceptable. Nobody got sued over it. It was really great. And so here we are with a driver that almost works that you can do whatever you want with. So let's take a look. If it's driven by a binary HAL and ath5k is the new stuff, let's take a look at ath5k.

So on the MadWifi mailing list not too long ago, a gentleman by the name of Kugud Suman, apologies if I mispronounce your name, if you're here, I'd love to talk to you, released a patch to do the debug regulatory domain. Basically, it allows all of the channels that Atheros officially supports according to their own testing. Well, there are some really entertaining comments in the ath5k code: set this to one to disable regulatory domain restrictions. Oh, you thought that one was funny. What about this one? The transceiver supports frequencies from 4.920 to 6100 and from 2312 to 2732.
Wow, that's kind of funny. What's that down at the bottom in Japan? 4.8 gigahertz. Isn't that reserved for the DoD in this country? Huh. So yesterday, your card could support 2412 to 2462, 5180, 5320, 5745, 5825. My driver kind of supports about 600 channels. So when you set the debug regulatory domain, you can now go from 2.192 gigahertz to 2.732 on the BG and 4,800 to 6,000. We'll talk about that in just a second. You'll notice I only go up to 6,000. You'll also notice I mentioned I turned a really nice Wi-Fi card into a brick. So the gentlemen upstairs in the hardware hacking village actually have a really nice spectrum analyzer. When I started transmitting on 6.1 gigahertz, the card stopped transmitting. It still listens very well, but the preamp doesn't seem to work very hot anymore.

So what's on these new frequencies? This is why I mentioned you will very much get in trouble. We have your fixed point-to-point, DoD. Some amateur radio guys here? Amateur radio: I just got my license like two weeks ago so I could play with this stuff. So you can now use 2300 to 2310, 2390, 2450 for your access point. I mean, you don't even need encryption at that point. Who's looking? Certainly not me. Fixed satellite, point-to-point instructional TV, fixed satellite, radio astronomy, Department of Defense. This is why you will get in trouble, folks. I'm releasing this patch. I'm giving it to you. As soon as I get it off my laptop, honestly. The thing is, I've disabled transmit. You can monitor everything you want in this country. It's perfectly legal. If you transmit on a satellite frequency, the feds will be on your doorstep in about 15 minutes. If you transmit on a DoD frequency, they won't bother knocking. Okay?

Let's look at some of the higher frequencies. A little more DoD, public safety, radio astronomy, radiolocation, which means radar, ground-based radar. More amateur frequencies? Yes, that's right. We can run new access points now. And more satellite.
Again, if you choose to modify my patch and start transmitting, I would really appreciate it if you talked to me. If you have an amateur radio license, I'd be happy to make sure you stay within your proper limits. If you happen to transmit on a satellite frequency, I apologize to your next of kin. Okay?

Spectrum analyzer. I did go upstairs and test all this with a spectrum analyzer. And I was on my way upstairs to take pictures of the spectrum analyzer when the real-time clock on my laptop failed and it shut down and wouldn't boot back up. So, as you might have noticed, I was a little late to my own talk, and they wouldn't let me borrow the spectrum analyzer to show you. So, if you guys really want to see this, we'll just all crowd the hardware village upstairs. I'd be happy to show you how it works. Again, I've already lost at least one Wi-Fi card and probably severely damaged the second one. Thanks, Michael. By the way, I really appreciate it. These settings may differ from card to card, so if you were to fix it to transmit again, I take no responsibility for you blowing up your card, just so you know. Okay?

Limitations. When adding in all these new channels, there are a lot of problems. Most of these licensed frequencies, especially in the 900 megahertz, with some of the public safety gear as well, they just kind of fudge things. So, let's say you have MadWifi and you have a licensed radio and you say, I want to be on channel one. Well, for the licensed radio, it's going to say channel one, but it's going to set the frequency to 4920. So, if you were to use airodump or Kismet today, it would set the right frequency and it would pick that up, but all you'd see is that it's on channel one. Not very helpful. It's just done to make things easier, so you don't actually have to modify things that are visible to the user, so that they can keep these things hidden from you. Obviously, it breaks a lot of things. So, airodump-ng we modified to support all the frequencies.
Only the channels are shown in the display right now and you kind of lose some of the really important header information. Yeah, we'll probably fix that. Kismet can't set the channels at all. It displays channels, not frequencies, but it does save very usable pcap files, which is nice to go back and read in Wireshark. So, a lot of the improvements needed for this: sniffers are too trusting. They see a beacon packet that says I'm on channel six. They log an access point on channel six. Doesn't matter if channel six is 2.6 gigahertz. It's just, I'm on channel six. It was never really intended to deal with this broken stuff like channel number fudging. Thank you to all the manufacturers that decided that was the best way to do it. So, they really need to be improved. But wait, after I submitted this talk, I finally convinced Dragorn that it actually really was setting these channels. So, we fixed newcore in about two minutes, after arguing with me for six months, and fixed everything. So now Kismet not only reports the frequencies the packets are received on, it automatically calculates what the center frequency is and shows that to you as well. The airodump-ng updates are being made right now and we should be releasing that with 1.0 and it should work very nicely. Not that the DoD would run WEP.

I left my white hat in the speaker room, honestly. Please, please, please. It is legal in this country to monitor whatever you want. If you transmit on these frequencies, you will go to jail. I promise. If you have a license and you want to transmit on some of this stuff, I'd be happy to help you. If you don't have a license, I really recommend leaving the patch as it is. Okay? Have fun everybody. Enjoy. And we will be taking questions after this.

So I've been working on WEP cloaking. I think you still remember the talk of last year, The Emperor Has No Cloak. Okay. Basically WEP is still used, and some companies still use it for things like wireless barcode readers, wireless payment.
It works by inserting chaff in the air. It's a good idea, but unfortunately, you only have half the bandwidth. So on an 11 megabit network, instead of having 700 kilobytes per second, or 600, you only have 300. And even sometimes, you don't even need to filter out cloaked packets. aircrack-ng just finds the key directly. Just give it the file and boom, you get the key.

How to break it? There's no public documentation about it, so I had to analyze capture files. What I noticed is that every data packet is cloaked. For every packet you have a cloaked packet. And at least the packets from the access point are protected, as they have to check for the clients. Management frames and control frames are not cloaked. Also notice that the packet size of the cloaked packets is the same as the original packet. So you can easily find and match the packets on the network. It plays with sequence numbers. In most cases, it's a bit different than the sequence number of the real packet. For example, if you have a real packet with a sequence number of five, it can be three or four or six or seven, maybe a little bit more, but not more than that. And as I said, only data packets are cloaked, meaning that only packets of type two and subtype zero are cloaked. You can also find what the cloaked packets are by checking the signal. You can see that the signal is different than the access point's. That's the way I did it.

So here's a capture file. You can find the sequence number 3669. And you can see a bit up around there that there is another data packet that has the same sequence number, and a bit lower here, another data packet has that same sequence number. So we know that management frames are not cloaked. So we can say that this beacon has a real sequence number and those two data packets are cloaked. With the implementation of a tool, we have no idea what's the real implementation of WEP cloaking.
And since we don't care about the key used by the sensor, or if the data used in the packets is real or not, the idea was using filters to remove cloaked packets. We have a signal filter that gets the average signal and then can filter out the cloaked packets. We also have a few filters for sequence numbers. We base our analysis for each filter on packets that are known not to be cloaked, and then combine filters in a different order. So as I said, we know that all management frames and control frames are not cloaked. We first have a base filter that is always applied. As I just explained on the capture file, for any packet with an unknown status, like data packets, we don't know if it is cloaked or not. If this data packet has the same sequence number as a beacon, for example, or any other management frame, then it's a cloaked packet. We can filter it out. And the other filter we have is a signal filter. We get the average signal of all packets we know are not cloaked. We allow a small margin of error, really small, and packets outside of this margin are cloaked. They should be cloaked.

Here are a few numbers. There is an unfiltered capture file that contains both cloaked and uncloaked packets. You can see that there are 400,000 packets with data packets, and only 200,000 were decrypted successfully, meaning that the rest are cloaked packets. You can see that half of these packets were cloaked. In the filtered capture file, you can see that with our filters, we filter a lot of packets. We only have 50,000 cloaked packets left, but that's enough to crack it. And on the cloaked capture file, we can check that to make sure that our filters are correct. You can see that there are more than 100,000 cloaked packets that we found, and only 2,000 are decrypted successfully with the key of the access point, meaning that with this filter, the signal filter, it's not perfect, but it's already really good, and it doesn't give a lot of errors.
So here's aircrack-ng on the filtered file. It just decrypts successfully with a key, and you can see that it doesn't... Not all packets can be decrypted with that key. So there are a few cloaked packets left. They will be released soon, so stay tuned and check the SVN version often.

So as security researchers, I kind of feel it's our duty to the world to assume that we are probably not the smartest people in the world. As such, when I find something new, or the Aircrack team finds something new, or Thomas individually finds something new, we always want to share it, because since we're not the smartest people in the world, somebody else thought about it first. They just weren't polite enough to tell you. There are a lot of things in this talk that are probably vulnerabilities you didn't know about, or that, when you patch your driver, you'll find some vulnerabilities you didn't know about. Use this for good. We all want to do things that are fun. We all want to tell people about everything, and we all like our jobs. So just to make sure, we've got the lawyer lottery set up. FCC guys, it's me. Thomas writes Aircrack; I have nothing to do with it. So anybody from the DoD, stop in. We'll be hanging out in the Q&A and the wireless village, and I'd really love to know how you guys are using this in practice, because I see you guys have a lot of frequency space reserved.

We have the updated slide presentation on this laptop. That time I reserved to upload it kind of went out the window as I took four laptops apart in the speaker room. We will have a full bibliography posted. It will be posted later this weekend. I'll give you links to all the fun stuff. I will show you all the patches, and I will tell you all the mitigations for what we found. With that in mind, we'll have a few minutes for questions, and then we'll carry on to the speaker room. If you could please use the microphones if you have a question. I think there's a mic somewhere around here.
Okay, so the question is, can you apply a rainbow table attack to WPA Enterprise? Rainbow tables are actually only used for pre-shared key, because with enterprise, you're really attacking the EAP exchange, not the encryption itself, not the passphrase; there isn't really one. An enterprise approach, basically what you do, and Josh Wright and Brad, sorry I can't remember your last name, did a really great presentation on this at Shmoo. It is available for download, but basically they put up a fake access point, and then they have a rogue RADIUS server behind it. It just pretty much dumps your username and password to a file. So we've almost got that in airbase-ng. It should be released fairly shortly here.

The question is, the patches for the drivers, are they available for ath9k? I can't code to save my life, so no, it's not, because I was working on ath5k for the past few days without sleep, but tomorrow is a new day, and I was going to go out and do that for ath9k as well. Channel bandwidth support is not in that driver yet for ath5k. For ath9k, I believe it supports 20 and 40, and yeah, I don't plan to remove that, but I didn't patch in the half and quarter rate channels yet. That's number three on my to-do list, actually.

Absolutely. Actually, my real-time clock was fried by Michael. I blame Michael Dell. No, I actually had loaded the real-time clock driver because it wasn't loading itself, and I noticed a whole lot of really great interrupt errors, so I don't think that the device was killed by the Wi-Fi. However, yeah, some of the outside frequencies did have a little bit of a harmonic, and like I said, I got the card up to 6.0 gigahertz, and it was looking good, and I got it up to 6.1, and all of a sudden, it wasn't transmitting anymore, so we took it back to another laptop and we tested it out and the pre-amplifier blew. You take your card out and the pinky-sized part was hot. The rest of the card was ice cold, because just the pre-amplifier exploded.
It was really cool. Another question? So the question is, can you use something like an embedded box to allow for the extended range? The problem actually is only the fact that the driver's immature. ath5k supports station mode and it supports monitor mode. It does support injection, although I disabled that. It doesn't do access point mode. It doesn't even do ad-hoc mode properly in my testing, so as soon as that driver matures a little bit, I would definitely be using a 5.925 gigahertz access point, as I am authorized by the FCC to do.

The question is about modifying the card to use more bandwidth. There is definitely a limit in there. I know that MadWifi can handle up to 40 with no problem at all. I've not tried to push it farther. It does not work as you'd expect unless your purpose is to jam the frequency. If you enable more bandwidth, you can't monitor more, because even if you're on a 40 megahertz wide channel on channel 6, you won't see the 20 megahertz or the 10 or the 5 traffic. You're monitoring the whole thing, so your hopping algorithm is different, so you don't get the dynamic spread spectrum properly.

So the question is, how does the Atheros driver play with the new Atheros N cards? That's actually a really great question. ath5k was a project by the BSD team for quite some time and it works very well for the ABG cards. Atheros just released ath9k maybe a little bit better than a week ago, so theoretically it works really well, but I've kind of had my head stuck into ath5k for a while, so I'll let you know tomorrow if you're curious.

I artificially limited the card based on what the spectrum analyzer told me. The card will accept being set to 1.002 gigahertz, and then the top end was 6.995 gigahertz. Can it really receive on those frequencies? That's a really great question. I didn't have anything to transmit on those frequencies. I transmitted on a frequency or two and the card exploded, so many packets got through for sure.
As for the antennas, if you use a Wi-Fi card with a built-in antenna, it is definitely not tuned for that. It will feed back from the antenna and it will blow your preamp. I mean, I'm assuming. However, they make a lot of good cards that have antenna connectors, and you can always build your own cable and connect it to the proper kind of antenna. I don't know, maybe I just don't have the equipment to do it. If you have the right antenna, I'm willing to bet the card will explode. I've already tested with one of mine, and you let me know how it works out. Any questions? No? Thank you. Anybody else? We will be hanging out up in the Wi-Fi village, and that is right next door to the hardware hacking village. As soon as I can get the patch up, I'd be happy to show people how it works, and it will be posted to Aircrack's website as soon as physically possible. And again, if you're DoD, you know where to find me; I would really love to know what you're using those frequencies for.
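The two filters Thomas describes for the cloaked capture, a data frame reusing a sequence number already seen on a management or control frame, and a data frame whose signal falls outside a small margin around the average of those trusted frames, written out as an added example. This is not code from the talk and not Aircrack-ng's code. The same check is what a wireless IDS uses to notice frames injected under an access point's address, since an injector cannot follow the AP's sequence counter or match its signal level. The Frame record, its field names, the 2 dB margin, the addresses and the sample frames are all constructed for the illustration.

```python
"""Chaff / spoofed-frame detection with the two filters described in the talk.

Added example; not code from the talk or from Aircrack-ng. The Frame record,
its field names, the 2 dB margin and the sample capture are all constructed.
"""
from dataclasses import dataclass
from statistics import mean

MGMT, CTRL, DATA = 0, 1, 2   # 802.11 frame type field values


@dataclass(frozen=True)
class Frame:
    ftype: int   # 802.11 type: 0 management, 1 control, 2 data
    seq: int     # 12-bit sequence number from the Sequence Control field
    rssi: int    # received signal strength in dBm as the capture reported it
    src: str     # transmitter address; the AP's BSSID for frames the AP sent


# Constructed sample, loosely following the capture discussed in the talk.
AP, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE = [
    Frame(MGMT, 3668, -50, AP),    # beacon: trusted, chaff is never a management frame
    Frame(DATA, 3669, -51, AP),    # genuine data frame from the AP
    Frame(DATA, 3669, -63, AP),    # chaff: duplicates a data seq number, weaker signal
    Frame(MGMT, 3670, -49, AP),    # beacon
    Frame(DATA, 3670, -62, AP),    # chaff: reuses the beacon's sequence number
    Frame(DATA, 3671, -50, AP),    # genuine
    Frame(DATA, 3672, -64, AP),    # chaff: only the signal filter catches this one
    Frame(DATA, 12, -70, CLIENT),  # client frame: its own counter, never judged against the AP
]


def trusted(frames, bssid):
    """Management and control frames sent by the AP: the baseline both filters use."""
    return [(i, f) for i, f in enumerate(frames)
            if f.src == bssid and f.ftype in (MGMT, CTRL)]


def seq_collisions(frames, bssid):
    """Base filter: a data frame carrying a sequence number already used by a
    trusted frame cannot have come from the AP's own sequence counter."""
    taken = {f.seq for _, f in trusted(frames, bssid)}
    return {i for i, f in enumerate(frames)
            if f.src == bssid and f.ftype == DATA and f.seq in taken}


def signal_outliers(frames, bssid, margin_db=2):
    """Signal filter: average the RSSI of the trusted frames and flag data
    frames that land outside a small margin around that average."""
    ref = trusted(frames, bssid)
    if not ref:                      # no baseline: the filter cannot judge anything
        return set()
    baseline = mean(f.rssi for _, f in ref)
    return {i for i, f in enumerate(frames)
            if f.src == bssid and f.ftype == DATA
            and abs(f.rssi - baseline) > margin_db}


def classify(frames, bssid, margin_db=2):
    """Return (clean, suspect): indices of the AP's data frames that pass both
    filters, and indices flagged by either one."""
    suspect = seq_collisions(frames, bssid) | signal_outliers(frames, bssid, margin_db)
    clean = [i for i, f in enumerate(frames)
             if f.src == bssid and f.ftype == DATA and i not in suspect]
    return clean, sorted(suspect)


if __name__ == "__main__":
    clean, suspect = classify(SAMPLE, AP)
    print("clean data frames:", clean)    # [1, 5]
    print("suspected chaff:", suspect)    # [2, 4, 6]
```

Both filters are evaluated per transmitter address, because every station keeps its own sequence counter and client frames must not be compared against the AP's beacons. On a real capture the sequence filter also needs the small window Thomas mentions (a chaff frame usually sits within a few numbers of the genuine one) and must tolerate the 12-bit counter wrapping at 4096; the signal filter works only while the sniffer stays put, since moving the antenna shifts the baseline for every frame at once.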