More MitM makes Mana mostly mediate mischievous Messages

Video in TIB AV-Portal: More MitM makes Mana mostly mediate mischievous Messages

Formal Metadata

Title
More MitM makes Mana mostly mediate mischievous Messages
Alternative Title
Practical and Improved Wifi MitM with Mana
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
In 2014, we released the mana rogue AP toolkit at DEF CON 22. This fixed KARMA attacks, which no longer worked against modern devices, added new capabilities such as KARMA against some EAP networks, and provided an easy-to-use toolkit for conducting MitM attacks once associated. Since then, several changes in wifi client devices, including MAC randomisation, significant use of the 5GHz spectrum and an increased variety of configurations, have made these attacks harder to conduct. Just firing up a vanilla script gets fewer credentials than it used to. To address this, mana will be re-released in this talk with several significant improvements to make it easier to conduct rogue AP MitM attacks against modern devices and networks. After years of using mana in many security assessments, we've realised rogue AP'ing and MitM'ing is no simple affair. This extended talk will provide an overview of mana, the new capabilities and features, and walk attendees through three scenarios and their nuances:
- Intercepting corporate credentials at association (PEAP/EAP-GTC)
- Targeting one or more devices for MitM & collecting credentials
- "Snoopy" style geolocation & randomised MAC deanonymization
As a bonus, you'll be able to download a training environment to practise all of this without requiring any wifi hardware (or breaking any laws).
singe, cablethief: Hello everyone. So this is the first time I've spoken out loud for like a day and a half, because I lost my voice and I've been walking around like a Hannibal Lecter, so if I suddenly start squeaking like a teenage boy, please forgive me; I'm just going to be sucking on this thing. So today we're going to be talking about some Wi-Fi hacking stuff. In particular we're going to be talking about rogue access point attacks, or evil access point attacks, or whatever you feel like calling them, and it's kind of a continuation of a talk that we did in 2014 where we released something called the mana toolkit. So the way we're going to talk about stuff is there's three scenarios, and you might not be doing exactly what the scenario is describing, but I'm just using them as examples to kind of go through some of the capabilities, tools and techniques that we'll be releasing today. So my name's
singe, this is Michael Kruger, _cablethief, but we're trying to call him squid-oh-boy, so if you're looking to give him a nickname please help us out there. We work at a company called SensePost; it's a penetration testing company, South African and London, and we've been going for about 18 years. We were told we weren't allowed to use PowerPoint, so this is a PDF that used to be an animated GIF from the corner. So, yeah, all right, so the first story we're
going to jump straight in. In 2012 a colleague of mine, Glenn Wilkinson, and Daniel Cuthbert released something called Snoopy. Did anyone ever use Snoopy? Three people. Oh sorry, I can't hear you here. So Snoopy was a framework for tracking wireless devices, trying to geolocate them based on the networks that they were looking for, and then using the fact that the device ID was unique. Unfortunately, in 2018 Snoopy
is dead. Yeah, they killed Snoopy, and the primary reason Snoopy is dead is because there have been some changes to the way device manufacturers make their things work across Wi-Fi. So the first thing is that passive sniffing mostly doesn't work anymore; that's one of the reasons I'm going to go into now. And the other thing is that device manufacturers have changed the default behaviour: instead of a device going "hey, is my home network nearby?" it just says "hey, are there networks nearby, and is one of them my home network?" So it tries not to reveal the networks it's looking for, its preferred network list. But first I'll speak about the spectrum issue. So this is
a really awesome tool called WiFi Explorer. It's commercial, but if you want to play with Wi-Fi it's good; it's not a hacking tool, it's more like an understanding tool. And this is their default view for the Wi-Fi spectrum, the 2.4 GHz and 5 GHz spectrum. Actually, that bottom one was a snapshot I took at the Black Hat keynote that Parisa gave; it's just an insane number of access points. And when you look at a picture like this you get the idea that the 5 GHz spectrum is a little bit bigger than the 2.4 GHz spectrum, but in reality the 2.4 GHz spectrum has three non-overlapping 20 MHz channels, so if you put something on channel 1 and 2 they technically overlap, but the 5 GHz spectrum has 24 non-overlapping channels. So what that means is if we were to draw this to scale it looks a little more like this:
there's way more 5 GHz spectrum available for Wi-Fi than there is 2.4 GHz. And so if you want to passively monitor all of that stuff, before, you know, you could do things like hopping channels and stuff; now, if you're hopping through all of these channels, you're just going to miss lots of it. So instead you have to engage in the very practical and very good-looking attack
like this. It's really great for opsec; clients will never see you coming. Yeah, so the pineapple on the top, it distracts them. So that's not hugely practical to try and figure out what devices are doing in the Wi-Fi around you, and we want to do it with
that, you know, I'm from Africa, we're cheap. And so what we can do is we present ourselves as an access point, and wireless clients are already very good at finding access points and then broadcasting their management frames at them. So if we're an access point then the devices come to us; we
don't have to go to them and monitor all of the spectrum. And so this is why it's quite desirable to do some of these more active attacks rather than passive attacks for tracking purposes. The other thing that changed is devices are probing much less, and for some reason we were a little prescient in 2014 with that, so we implemented something called loud mode, which provides an ability for mana, and tools that use something similar, to learn networks nearby and rebroadcast them. So maybe your device isn't actively probing for Bob's House of Pain, but your older iPad in your back pocket is, or somebody you went there with last night is, and then we can learn that that's a network that somebody might be connecting to and rebroadcast it to your devices and learn if any of them are your networks. But the problem we
end up with is anonymous devices. So manufacturers wanted to make it that you couldn't uniquely identify devices, so increasingly they use these randomised MAC addresses, and that's what you see flying around. Last year at DEF CON, Denton Gentry, or Gantry, I'm sorry if I'm butchering that, did some really cool work into creating unique signatures for Wi-Fi devices, and that got built into hostapd, which is predominantly what mana is built off of, and so that gave us a really cool way of deanonymising devices. You probably can't tell, but I drew that myself. Okay, so let me give you a practical example of what that looks like. Thank you, I mean this is the best part of the whole talk, just... we care.
Alright, so if we've got four devices, so we've got four MAC addresses, and they're all probing for some non-unique network called "internet". So if they're probing for something unique then maybe we could identify a device from that, because no other devices are probing for that, but with these ones we don't know which device is which. Now, the one thing we've implemented in mana is random device detection, so the output will mark whether something is a randomised MAC address or not. So if we put that stuff in there, and this is taken from actual mana output and imported into Maltego, which makes this really easy, we can see that there are two randomised MAC addresses and two non-randomised MAC addresses, so we can maybe start making some guesses that some belong to the others, but we don't know which randomised one belongs to which legit MAC address, and we don't even know that these randomised probes belong to those MAC addresses. So what we did is we took Denton's work and we extended it to generate the signatures also for devices before association, so that in mana we can get these device signatures. So if we put that in there, this shows that there are two devices: probe one and three belong to one device and probe two and four belong to another device. And so he did some really cool work that allows us to effectively deanonymise devices, so things like Snoopy can work again, because you've got something like loud mode getting them to advertise the networks they connect to, and then you've got signatures which allow you to deanonymise the device, so you can start tracking individual devices again and be creepy. And I'm not showing you lots of detail about how to do that stuff, because for a change I put a lot of work into documentation, and so the hostapd-mana wiki's got a massive amount of information labelling all of the different configuration options and what they do and how to make it work. I'll give you links to these things at the end, so don't worry too much about taking pictures
now. Okay, so
that first scenario is talking about tracking and probing, and it's kind of well-trod territory; we've made some changes there, I didn't want to spend too much time on it. So next we're going to look at enterprise networks, so these are EAP, PEAP, EAP-TLS kind of things that most people are running at companies, and so this is the domain where something like hostapd-wpe, Wireless Pwnage Edition, has traditionally done its work, and mana was also doing some of this stuff in 2014. We've made some changes there. The nice thing about having both of these capabilities in mana is you can get lots of devices to connect to you and you can also get lots of passwords from devices, so being good at getting devices to connect to you also helps for this part. All right, so the
most common implementation is an evil twin attack, and so this is Spock's evil twin from the Mirror Universe. In an evil twin attack you create an access point that looks the same as the legit access point that you want to go after, and when people talk about it they mostly say "oh, that's what you do, you just make another access point", but in reality you've got fancy enterprise access points that implement all sorts of crazy 802.11ac stuff really well, with well-engineered antennas placed in the ceiling, and you're walking around with like a dinky Alfa card in your backpack. Now, you're probably not going to beat the enterprise AP, and so what often happens is then people do things like deauths, and so people start implementing management frame protection, 802.11w, and this becomes much harder. So actually the way I'd recommend you do this is go buy a fancy enterprise access point like a Ruckus or an Aruba, and then you can use mana as just a plain backend RADIUS server and it'll actually capture the creds there. Now, this is something that's already implemented in hostapd-wpe, and if any of you are familiar
with Celeste Barber: she takes pictures of celebrities and then she kind of rips them off, and it's pretty hysterical; most of them are her awkwardly wearing underpants, so this was the least awkward one I could find. And so we're the Celeste Barber to hostapd-wpe with mana. So Brad Antoniewicz and Joshua Wright in 2008 released the FreeRADIUS-WPE and asleap tools, which sort of were the first attacks against EAP networks, so you could capture credentials and crack them. So that
stuff's been in mana for a while. I've cleaned up the output, because people kept sending me rude messages saying they have to hand-carve things into hashcat and stuff, so now it just displays it right. But what I've also done is I've extended it so it does more EAP modes; at the moment it does about 13 different EAP modes. It'll try and capture creds: plaintext, CHAP, MSCHAP, MSCHAPv2, GTC, things like that, and about seven of those are fairly well tested in real client environments and that's working quite well. But we did some other stuff too, and I want to take you through it, so here's another back-of-the-napkin
drawing where I attempted to describe how connections work. So the first thing that happens is a Wi-Fi connection; if you're familiar with aireplay, if you do a fake auth, it's that first part. And then these tunnelled EAPs, so PEAP and TTLS, their security comes from this TLS session that it creates. So the idea is we use best-practice TLS stuff, and then we can do crappy MSCHAP inside that tunnel because it's protected by TLS. Now the sort of fundamental flaw in all of this, and I'll cover it in a bit more detail now, is we don't have a very good way of validating certificates in the wireless world, and I'll get into that in a second. And so then you've got this MSCHAP challenge-response. Now MSCHAPv2 provides a method for proving that the access point knows the password and proving that the client knows the password. So what we did in 2014 is we did this auto-crack-and-add thing, so that if you capture the password it'll try and crack it, and if it's weak enough you can quickly add it to the RADIUS users file; if the device tries to reconnect you can then also man-in-the-middle them. But then Brad, in hostapd-wpe, implemented something he called EAP success: so instead of doing that, because the access point can't prove that it knows the password if it hasn't cracked it, it would just send an EAP-Success message back. And I just thought this was silly, because, you know, why would that work? And then Michael kept telling me I must make it work, and he wouldn't let up, really wouldn't let up, and so I eventually spent a hot evening digging through code trying to figure this out, and what it actually turns out is that all Mac and iOS devices have a broken implementation, so they won't validate that the access point actually knows the password; if you send an EAP-Success they'll just be like "okay, sure, I'll connect". So I mean from iOS 9, I've tested it on iOS, my latest one on here, my latest Mac, because I've reported it to Apple, we kind of had the discussion on Twitter, and
Brad built this functionality ages ago, so it's not really a zero-day, but it's an interesting thing to know: you don't need to use things like auto-crack-and-add with iOS, they'll just connect. And then the other thing is the
certificate validation problem. So on the left-hand side is the legitimate certificate chain for the DEF CON Wi-Fi certificate, and on the right-hand side is a cloned version of that chain that I built using a colleague of mine Rogan Dawes's tool, called Bastille, which is good for cloning certificate chains rather than just an individual certificate. And now on something like iOS, and some other supplicant devices, if you connect to a Wi-Fi network it'll pop up the certificate, and it could be signed by a valid certificate authority and it'll still pop up the certificate for you to handle. So if I saw the certificate on the right and it had all the DEF CON things, everything looks exactly the same except for the fingerprint, because the hashes are going to come up differently, and humans aren't very good at memorising long strings of hashes. So for things that try and force you to validate on the actual certificate, that becomes problematic if you aren't doing automated rollout to client devices, and even then, if you are doing automated rollout to client devices, we've got this problem with IT where client devices tend to stop being compliant with your policies, and you always end up with that one MS08-067 or that one poorly configured supplicant. Then on the flip side there's a bunch of supplicants which will validate on the CA, the certificate authority. So wpa_supplicant, used in Linux and Android, does that; Windows' default configuration will do that. And so here you can see that DEF CON bought a certificate from DigiCert, so I can go spend a hundred and fifty dollars, I mean, they know Let's Encrypt exists, right? And then I can buy a certificate with the same CA; it doesn't have to be a DEF CON certificate. I can present that on my rogue access point and devices will connect to it. I tested it just to make sure I wasn't going crazy; I used DEF CON's configuration, complete with the username and password, all involved, on my rogue access point, and the things happily connected to it.
So that, and there's no option in wpa_supplicant at the moment to validate on the actual certificate, which is kind of stupid. And in Windows you've got an option to validate on the actual hostname, so you can see it's wifireg.defcon.org; I can't buy a certificate for the defcon.org domain, so if you validate on the actual server name like DEF CON instructed you to, then actually Windows is in a pretty good place. Yeah, it's only one guy from Microsoft. And then for iOS they pushed out a mobile profile, like an MDM, basically an Apple configuration profile, to validate on the exact cert, which works quite well, although I fat-fingered it and I've not been able to connect to the Wi-Fi, you know. So we've got this problem with Wi-Fi. So if any of you saw Parisa's keynote at Black Hat, she was talking about how they were trying to get rid of HTTP pages and they've got this, you know, inconsistent set of iconography; I was thinking what a nice problem to have, like when your problem is just trying to get people to do something everyone knows they should and you need to make some icons more consistent. Wi-Fi devices don't even have a consistent way of validating server certificates. I mean, we're in a pretty bad place there, and all of this is just talking about if somebody's actually trying to put effort into validation, because most of us, and most users, will click on the Wi-Fi network, type in your username and password, and, yeah, whatever the certificate, okay. But the general recommendation is to use something like EAP-TLS, so again a very advanced diagram of EAP-TLS. And what EAP-TLS does is it does away with the certificates, I mean the passwords, and you just have certificates; oh, it's mutual authentication, so you've got a client certificate and you've got a server certificate. Yeah, it's fixed, we'll just use EAP-TLS. So the problem is, with normal TLS you create an encrypted tunnel and then the communications can continue; in
Wi-Fi it's kind of a once-off authentication; afterwards the tunnel's torn down, then you have the WPA handshake and the normal Wi-Fi stuff. So what that means is, if the client is not validating the server certificate, then you can just accept whatever certificate it sends you, and now you're man-in-the-middling EAP-TLS. So EAP-TLS isn't necessarily a fix for this; as a matter of fact it comes down to the exact same security decision as the PEAP/TTLS decision: it's a single certificate validation of the server certificate, so all of that problem with server certificate validation in Wi-Fi kicks back in. And so this was actually implemented in mana in 2015 by meatballs, thanks guy, and then I broke it, sorry, and then I fixed it again about a month ago, so that works again. Okay, but then Michael one day was cracking some Wi-Fi hashes and he noticed that hashcat, I mean, let me go
here, at the moment hashcat uses mode 5500, I think, for cracking MSCHAP hashes, which is also NTLMv1-ESS, and he thought "hey, there's this NTLM relay thing, maybe I could do like an MSCHAP relay", and so he came up with what he's calling sycophant; it's a play on supplicant. And so the idea is that you can have two separate devices: you can have mana being a rogue access point negotiating a session with a victim device, and then you can have wpa_sycophant negotiating a session with the legitimate target access point. So those two don't need to be physically near each other, they just need an internet connection, so you can be targeting someone at their house and then have the other thing at the target organisation. And what's really nice about this is you don't have to crack the password, so if it's a harder password to crack and it's going to take a little longer, you still get connected to the network fairly instantly. And so Michael's going to give you a demo of what that looks like, and we're going to release that toolset today.
Thank You Dominic so I've got broken this demo down into three parts the first two parts do happen simultaneously because the two things need to be happening at the same time but the first part is I'm just going to show you what manner looks like when it's pretending to be any the corporate AP and then the second part is supplicant retrieving the required information from manner to connect to the legitimate corporate AP so in this scenario we can imagine that there's a chap at home he's got his device for the BYOD network but it also uses domain creds so if we just relay this thing we should be able to connect to the normal AP or the normal legit corporate domain so here's the command for for running manner this we put on a PI and throw it in his garden and hopefully our access point is stronger than his little root or he got from his internet service provider and hopefully he's not any of those certificates properly pinned and those sorts of things so I'm just cramping out the relevant information otherwise there's a lot of noise so I'm just scraping for sick of phantom Manor I've added a config option to mana to say enable sick event which just instructs it to not use to not generate all it still generates a challenge but to not use that challenge rather retrieve a challenge from my supplicant sycophant so that may be passed to the client so I just run this and we wait for a chap to connect here they've initiated a connection with us so the phase one identity and the phase two identity phase one establishes that outer tunnel phase two is starting the actual EEP the mschap handshake there is a delay after this because now signifies our starting up on the other side as trying to play catch-up so it's quickly connecting to the actual corporate AP and getting the challenge which is then passed a manner to present to the client
so that we may get a valid response as
you can see here it's retrieved the first earth challenge contents is what hostapd our rogue generated but we don't want to use that one so there's all challenge contents after copy which it's actually gone from the legit access point we send that to the client John in his bedroom and his phone has decided that our access point looks more appealing so it knows the password it generates a response using our hash mana takes that response writes it to a writes it down to a file and essentially passes it onto to my sycophant and we get the hash anyway in case we want to crack it later yeah so then next we have
the other half of this equation, which is my sycophant, wpa_sycophant. I'm running it using the adapter ending in u6 (thanks, new naming convention), once again grepping out the relevant data, and I'm also grepping for EAP failure, just to show that there's not one. So we run it. Oh, and the config: so this is now happening in close proximity to the actual legit corporate AP, because we want to connect to it, so this portion has to run close to your client, right? So then you just put where you want to connect to in the config file, using the standard wpa_supplicant syntax, and we don't need creds, so we leave those blank. Cool. So what we've got here is: phase one came in, phase two came in, and subsequently, immediately, sycophant starts to connect to the access point. It gets the challenge data, passes it to mana and waits for the response. Mana at this point has been waiting for a little while, the client's been waiting for a little while, they're both edgy, and they immediately come back with the response (see, yeah, the mana contents). Cool, take that response, we pass it off to the access point, and the access point goes "okay, cool, you showed me you know the password, EAP success, you're done, now you're connected". Brilliant.

I specifically didn't run DHCP this time, just to show this bit where we don't have an IP address. So I then run a DHCP client just to get an IP; this is just to prove that we do have full comms to the network I connected to. I get an IP of 10.0.0.5, I double check it, and then I attempt to connect to a service or server on the client's network. I go back, because I'm lazy, and I copy it, but yeah, essentially I'm going to connect to a web server on 8080, and we get... we automatically just connect to people's Wi-Fi. Cool, thank you very much.
[Applause]
[Music] So we're going to release that stuff today, wpa_sycophant and the mods to mana, so that you can do this attack yourself. Michael's used it successfully on some of our client engagements, so it's a practical working attack that works in live environments. And then to the most important part: coming up with a name. Michael sent me this image, which was deeply disturbing, which we later found out was called Squirtle boy. I'm not sure it made it less disturbing. So this is why we really want Michael to be known as Squirtle boy from that one.

Okay, so interestingly, back in 2002 (oh, I'm never going to get these names right, let me look them up on my phone here), Asokan, Niemi and Nyberg wrote a paper in 2002 about man-in-the-middle in tunnelled authentication modes, and from that the IETF spec for this thing, in 2004, made shortly after, included a section on defending against these attacks. So if you zoom in, there's something called cryptographic binding, or crypto binding, and the point of crypto binding is to make sure that some of the keying material used in the outer TLS session is used in the inner EAP method, so that they can know that it's the same device and that relaying isn't happening. And so it's always disappointing to implement an attack and think you're the first, and then find out that the standards had a defense against it for over a decade. On the flip side, people don't seem to be turning on crypto binding, and we think that's really just because of a lack of practical attacks. That said, thanks to synchronicity, we were definitely not the first. In 2014 Peter Robbins released a similar sort of attack, but it was against a specific thing that Apple was doing, I think something around LEAP, in a WiSec paper in 2014, which Apple then fixed; it wasn't a full implementation. And then this morning, 15 minutes before we woke up, someone logged an issue against mana asking for this as a feature request and linking to a paper that had been written in 2016 and sent to the hostap mailing list by [name unclear] (I'm so sorry for butchering that name). And so he also has a partial implementation; it was done against the EAP state machine in hostapd and wpa_supplicant, but as far as we could tell it's not a full working practical implementation just yet. So we think this is the first practical implementation of this attack that can be used by people. And so because there's no practical implementation of the attack, or certainly not a widely known one, what you see is that the default configs for a lot of networks don't turn on crypto binding. So here's a picture of Microsoft's RADIUS server configuration, and by default they will not disconnect clients that don't have crypto binding. So because this is something that needs to be done on the client side, the RADIUS server can detect whether it's been done and disconnect clients, which makes it slightly less usable, I guess, but a bit more secure. So maybe that's why they didn't do it there, as they don't want to make it harder for people to get on the network. But here's a fully updated Windows 10 default connection dialog, and there crypto binding's not enabled either. hostapd tries to do some crypto binding by default, so there are some places where they try to do it, but most people aren't running hostapd networks in their enterprise organisations, and so for the most part crypto binding doesn't seem to be turned on. You can go to non-crypto-binding, but I think the biggest defense against these sorts of attacks is just to make sure that your client devices are properly validating the server certificate that gets presented, because if that's done then this part doesn't matter too much, as I won't get past the tunnelled, the outer TLS negotiation, because they'll say "that's not the right access point, you're fake".

All right, okay, so those two scenarios: the first one is getting a bunch of devices to connect to you and being able to figure out which device is doing what; the second one was doing EAP attacks. Oh, sorry, one other thing: you would have seen hashcat and atom's PMKID thing. For anyone who is interested in WPA2 handshake cracking, I put some basic stuff in, just to, like, if a client ever sends a PMKID, log that into the same file. I need to do way more testing to see if it's a practical attack from a rogue access point perspective, but that might be fun.

Okay, so now we're going to look at some stuff. So back in 2014
we released mana-toolkit, and the idea there was that lots of people take it for granted that you can MitM them, but the reality was, particularly if you're new to this, you have to sort of orchestrate networking and access point stuff and protocol stuff, and that can be quite a lot to do. And then with the increase in certificate pinning and things like HSTS, it's not sort of a given that you're going to be able to man-in-the-middle all the things and get all of the passwords. So the big problem we ran into with mana-toolkit is the ability to construct pipelines. We were using iptables to redirect traffic from one place to another place, so for example you can sslstrip something, but you can't then pass the traffic through to SSLsplit. Maybe there are some iptables gurus in here who can show us how to do it, but it wasn't pleasant. And then along came bettercap.

bettercap, written by evilsocket in Go, can do all of this stuff and is really fantastic. So initially we actually wanted to get evilsocket up on the stage to talk about some of this stuff, but he's got a whole bunch of really cool Wi-Fi attack things built into bettercap, so if you want to do captive portal attacks, or you want to MitM browsers, and all sorts of other things, then you can now do that with bettercap. So we're just effectively deprecating mana-toolkit and saying use bettercap, it's better, and just a big shout out to evilsocket for the awesome work he's done in there. I know, based on the issues that get logged, that guy takes some bullets.

The other problem you face is trying to orchestrate setting up the Wi-Fi network and all of the networking. Okay, so I'm seeing people waving hands. Michael found a cool tool, written and maintained by a guy named oblique, called create_ap, and what this does is just makes it really easy to say "create an access point and bridge it between this network and this network", or NAT it, without all of the sort of complexity that mana-toolkit brought in. However, there were some things that it didn't do: it doesn't allow you to create EAP networks, it certainly doesn't allow you to do mana modes, and it doesn't allow you to create more than one Wi-Fi network. Sometimes you might want to create more than one Wi-Fi network, because probes don't say what kind of security the device is expecting to connect to, so you might want to present an open, a PSK and an EAP network and see which one it connects to. So Michael made berate_ap, which is a fork of create_ap that can do all of these things; that's something else we're releasing today. So it does all that networking and access point orchestration for the most obvious ways in which you would use mana-toolkit to do this stuff. If you want to get into the detail of all the other config options then you can hand craft your own config files and do it that way; we've written it all up in the wiki, but this just makes life much easier. So that's an example (ignore the dash that crept in there), but this is an example of setting up a mana EAP malicious access point (that's if you don't have the dash) and NATing traffic from wlan0 to eth0, called EvilCorp. If any of you used mana-toolkit and had to edit some of the scripts, this is way easier than any of the stuff we did before. Okay, and then there's
also a bunch of really cool proportionality options that have been built into mana; this is the sniper rifle proportionality. So by default mana is a bit of a flamethrower, like it'll just target every device it sees and every network it sees, but if you're on an engagement where you've got a specific scope you might want to limit it to specific devices or specific networks, or if you're in law enforcement or something and you've got a specific mandate, you might want to limit what it does. So we built a bunch of options in there, like SSID filters; that was contributed by a guy named cyber devil. But one of the things we think is really cool is we extended MAC ACLs down to a management frame level. So any of you should be familiar with the way MAC address ACLs work on Wi-Fi: your home router does it, you can say only these MAC addresses can connect; you can see the AP, but if you try and connect and you're not in there you'll get rejected. So we brought that down to management frame level, so if the access point receives a probe request from a disallowed MAC address then it's not even going to respond to the probe request. So that means, for the most part, it won't even show up in their list of available networks. It also provides some ability to kind of hide from people who might be looking for these devices, or wireless intrusion prevention systems, and we think it's quite cool. And then I borrowed a concept from the aircrack guys: they've got this idea of binary netmasks, so that you can kind of mask out certain bits in a MAC address, so you can do things like "anything with this OUI, any of these devices can connect with these constraints", but it also allows you to do things like fully randomised MAC addresses: go full mana on them, but when they try and connect, be a little more circumspect about checking what the MAC address is. So it's a really flexible way of dealing with different MAC addresses.

And then lastly, if you want to get into Wi-Fi hacking it's really difficult to practise. On the one hand you've got to buy hardware, you've got to make sure that chipset works with what you're doing, and so for example those new black Alfas, the chunky ones, because they're doing more stuff in firmware, you can't use mana's probe manipulation stuff; the radio stuff will work, but not those things. So you want to make sure you get the right hardware. And then also it's really difficult to kind of not target people you don't mean to; you know, you might be testing between your two devices, but meanwhile it's like man-in-the-middling somebody next door. Any time somebody's playing with this stuff in the office, we just plug into the wired network, because it's like DoSing the Wi-Fi. I've even had really weird situations in busy environments where it ends up kind of DoSing Bluetooth, which is kind of strange. So in 2014 we built some CTFs in AWS where you could practise Wi-Fi hacking, which we're kind of proud of because Wi-Fi in the cloud is a thing now, and today we're going to release some Docker images (well, at the moment it's one Docker image, but hopefully some more Docker images in future) that allow you to practise some of these things, so you don't need any hardware, it's not going to target any live environments, and you've got some kind of known completion criteria, so you can make sure that you're able to run these commands and they work. So that's
actually Michael in the picture there, if you look carefully, and Michael's a kendo nerd, and he told me that these wooden swords are called shinai. So, hardest problem in computer science, naming things: I'm calling the environment Shinai-Fi, and I'm just going to show you a little silly demo of what that looks like.

So here's the Docker container running on my Mac, and there's a whole other story about that: if you're running Docker for Mac, just don't try and do this on that. There are ways, but I was asked, politely, to take that stuff down by Docker, and so rather do it on your Kali or your Linux boxes, because it needs certain kernel modules. Okay, so here's the Docker container; it doesn't have any hardware plugged into it. So if we look, there's a wlan0, which means there's a Wi-Fi device, and if you use airmon you'll see that that's a software-simulated 802.11 radio. So there's this kernel module, mac80211_hwsim, which allows you to simulate fake Wi-Fi devices that can connect to each other. And so if you then put one of those devices into monitor mode (we've got some sticky tape and chewing gum in the background which tries to figure out when you're doing these things), if you run airodump you'll actually see Wi-Fi networks and devices that are there. Again, no hardware; these aren't real things. There's a WPA handshake, so you can try and capture that handshake. If you bring up a mana network you'll see clients trying to connect to you, you can capture those credentials and crack them, and you can do all of this without needing any actual hardware. So yeah, we're going to release that Docker image; you can just docker pull it and run it and away you go. And that's kind of the end of our
talk. So I bought a domain called wifi.net, but with ones: w1f1.net. So a little bit later after this, assuming someone will lend me a computer (thanks guys), I'm going to push all of the tools we mentioned up there so that you can grab them. So don't be disappointed if you do it right now; try and go to the chill room and do it. And we also just want to use that as a bit of a repository for kind of how to do these attacks and which tools are working, and keep updating that as time goes, and maybe if some of you are playing with things in this room and it's going well you can send pull requests or put things up there. Otherwise you can tell us you hated the talk on Twitter: I'm @singe and he's @_cablethief, and we're going to check if Squirtle boy's available. And we're from SensePost, so thank you very much for your time and patience. [Applause]
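The management-frame MAC ACL with binary netmasks that the talk describes is easy to reason about in a few lines, and it is the kind of scoping control a tester should insist on so that a rogue-AP exercise only answers devices inside the authorised scope. The following is an added illustration written for this page; it is not code from mana, hostapd or aircrack-ng, and the rule syntax (`address/mask`, with a bare MAC meaning exact match), the two-stage probe/association split and the sample source addresses are all assumptions constructed here. The one general fact it relies on is that a randomised MAC address has the locally administered bit (bit 1 of the first octet) set, so a mask of `02:00:00:00:00:00/02:00:00:00:00:00` matches every randomised address, which is how the "answer randomised probers, but be stricter at association" policy from the talk can be expressed.

```python
"""Two-stage MAC ACL with binary netmasks: one rule list decides whether a probe
request (a management frame) gets a probe response at all, a second decides
whether association is accepted.  Added illustration for this page; not code
from mana, hostapd or aircrack-ng.  Rule syntax and sample MACs are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ALL_BITS = (1 << 48) - 1  # mask for an exact 48-bit match


def parse_mac(text: str) -> int:
    """'aa:bb:cc:dd:ee:ff' -> 48-bit int; rejects anything that is not six hex octets."""
    octets = text.lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad MAC address: {text!r}")
    return int("".join(octets), 16)  # int() raises ValueError on non-hex digits


@dataclass(frozen=True)
class MacRule:
    address: int
    mask: int        # 1 bits are compared, 0 bits are wildcards
    allow: bool      # True = allow-rule, False = deny-rule

    @classmethod
    def parse(cls, spec: str, allow: bool = True) -> "MacRule":
        """'00:11:22:00:00:00/ff:ff:ff:00:00:00' matches an OUI; a bare MAC is exact."""
        if "/" in spec:
            addr, mask = spec.split("/", 1)
            return cls(parse_mac(addr), parse_mac(mask), allow)
        return cls(parse_mac(spec), ALL_BITS, allow)

    def matches(self, mac: int) -> bool:
        return (mac & self.mask) == (self.address & self.mask)


class TwoStageMacAcl:
    """First matching rule wins in each stage; no match falls back to default_allow."""

    def __init__(self, probe_rules: List[MacRule], assoc_rules: List[MacRule],
                 default_allow: bool = False) -> None:
        self.probe_rules = probe_rules
        self.assoc_rules = assoc_rules
        self.default_allow = default_allow  # default-deny keeps the AP quiet

    def _decide(self, rules: List[MacRule], mac: int) -> bool:
        for rule in rules:
            if rule.matches(mac):
                return rule.allow
        return self.default_allow

    def answer_probe(self, source_mac: str) -> bool:
        """Should a probe request from source_mac get a probe response?"""
        return self._decide(self.probe_rules, parse_mac(source_mac))

    def accept_association(self, source_mac: str) -> bool:
        """Should an association request from source_mac be accepted?"""
        return self._decide(self.assoc_rules, parse_mac(source_mac))


# Constructed policy: answer probes from the in-scope vendor OUI and from any
# randomised (locally administered) address, but only let the one listed
# device actually associate.
IN_SCOPE_OUI = "00:11:22:00:00:00/ff:ff:ff:00:00:00"    # constructed OUI
RANDOMISED = "02:00:00:00:00:00/02:00:00:00:00:00"      # locally administered bit set
IN_SCOPE_DEVICE = "00:11:22:33:44:55"                    # constructed device MAC

# Constructed sample probe-request source addresses seen "over the air".
PROBE_LOG = [
    "00:11:22:33:44:55",  # the listed in-scope device
    "00:11:22:aa:bb:cc",  # same vendor OUI, but not the listed device
    "da:a1:19:00:12:34",  # randomised address (0xda has bit 1 set)
    "3c:5a:b4:00:00:01",  # unrelated vendor, globally administered
]


def build_acl() -> TwoStageMacAcl:
    return TwoStageMacAcl(
        probe_rules=[MacRule.parse(IN_SCOPE_OUI), MacRule.parse(RANDOMISED)],
        assoc_rules=[MacRule.parse(IN_SCOPE_DEVICE)],
    )


def evaluate(acl: TwoStageMacAcl, macs: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each source MAC to (probe answered?, association accepted?)."""
    return {mac: (acl.answer_probe(mac), acl.accept_association(mac)) for mac in macs}


if __name__ == "__main__":
    for mac, (probe, assoc) in evaluate(build_acl(), PROBE_LOG).items():
        print(f"{mac}  probe-response={probe!s:5}  association={assoc!s:5}")
```

Running it shows the unrelated vendor never gets a probe response (so the network does not appear in its scan list), the randomised address and the in-scope OUI are answered, and only the exact listed device is allowed through association. The same two-stage, default-deny shape is also what a defender would want a wireless IPS or an AP's own ACL to implement: a device outside scope should produce neither a response nor a session.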