WiFi Hacking Workshop: Part 1

This time on the show is part 1 of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco, California.

WiFi Hacking Workshop
---------------------

Introduction
------------
- Darren Kitchen
  - Hacker
  - irc.dal.net #phreaks
  - ezines: NPA, 2600, Phrack
  - Podcast: Hak5
  - Media
    - Discovery
    - Revision3
    - G4 TechTV
    - TWiT
    - CNET
    - New York Times
  - Hack Across America
  - Security Researcher

Convenience vs Quality / Security
---------------------------------
Record, Tape, CD, iTunes/DRM. WTF
8mm, VHS, DVD, Netflix Buffering. WTF
Convenience > Quality
Convenience > Security
Trust

WiFi
----

Term comes from the WiFi Alliance, a trade association that promotes IEEE 802.11 technologies and certifies products
"WiFi" is a branding term introduced in 1999. Catchier than IEEE 802.11
WiFi takes advantage of the unlicensed ISM spectrum


ISM Band
--------
In 1985 the FCC unlicensed the "ISM Band"
Industrial Scientific and Medical
A previously reserved Radio Band for equipment
EX: A Microwave Oven operates at 2.45 GHz

	Demo: 2.4 GHz Microwave Burrito
	-------------------------------
	~/ubertooth-r434/host/specan_ui/ubertooth-specan-ui

Among other spectrum the ISM band includes:
902 - 928 MHz (Region 2 only)
2.4 - 2.5 GHz
5.725 - 5.875 GHz

ITU Regions
-----------
ITU: International Telecommunications Union
 - Agency of the United Nations specializing in shared global use of radio, satellite and telecommunications

Region 1: Europe, Africa, Middle East, Former Soviet Union
Region 2: North and South America, Greenland, Pacific Islands
Region 3: Asia and Oceania

WiFi Legacy
-----------
In 1991 AT&T begins working on a wireless technology called WaveLAN
Now known as WaveLAN Classic
Operated in 900 MHz spectrum
Developed in the Netherlands as a technology for wireless cashier systems
Supported data rates of 1 and 2 Mega Bits Per Second (AKA: Ass Slow)

WiFi Since Then
---------------
1997: 802.11-1997 "Legacy" 1-2 Mbps now obsolete
1999: 802.11a - 5GHz & 54 Mbps 
	- Orthogonal Frequency-Division Multiplexing
		- Same as ADSL, Power Line Networking, WiMax
	- Signal Range Lower, didn't penetrate walls as well
	- "Late to market"
1999: 802.11b - 2.4GHz & 11 Mbps
	- First mainstream 
	- Same media access method as 802.11-legacy
	- CSMA/CA
		- Carrier Sense Multiple Access with Collision Avoidance
	- Due to overhead, max real world throughput of 6-7 Mbps

2003: 802.11g
	- Best of both worlds between A and B
	- Uses 2.4 GHz (B) and OFDM (A)
	- Problems in dense areas, only 3 non-overlapping channels
	- Adopted early with draft specifications
2009: 802.11n
	- Theoretical maximum of 600 Mbps
	- Uses both 2.4 and 5 GHz bands
	- 40 MHz wide channels, double that of 802.11g
	- Backwards compatible with 802.11g
	- MIMO
		- Multiple Input Multiple Output
		- 4 channels and 4 antennas
		- Parallel operation
	- Outside the scope of this discussion
		- PreCoding
		- Spatial Multiplexing
		- Diversity Coding
201?: 802.11ac
	- Theoretically 1 Gbps
	- Even wider channels, 80 MHz and 160 MHz
	- More MIMO, 8x8 vs 2x2, 3x3 and 4x4
	- Support for Hellabits of data

WiFi Channels
-------------

802.11a,b,g,n slice up their spectrum into channels
Channels are padded by whitespace
802.11b on 2.4GHz uses 22MHz wide channels
Whitespace
5 MHz of unused spectrum buffers each channel

Channels and Overlap:
---------------------
Channel 1: Centered at 2.412 GHz begins at 2.400 and ends at 2.422 GHz
Channel 2: Centered at 2.417 GHz begins 5 MHz past where Channel 1 began.
Channel 3: Centered at 2.422 GHz begins 5 MHz past where Channel 2 began.
....etc, etc... to Channel 14
Non-Overlapping Channels:
Channels 1, 6, 11 and 14 are discrete

	Demo: Channels
	--------------
	iwconfig wlan2
	iwconfig wlan2 channel 1
	iwconfig wlan2 | grep Frequency

Channel Availability
--------------------
Channels and power are regulated by country:
	- North America: channels 1 - 11
	- Everywhere else: channels 1 - 13
	- Japan: Channels 1 - 14

	Demo: Going to Japan
	--------------------
	iw reg get
	iwconfig wlan2 channel 14
	iw reg set JP
	iwconfig wlan2 channel 14
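The channel arithmetic from "Channels and Overlap" and the per-country limits from "Channel Availability", worked through in code. This is an added example, not from the workshop; it assumes the 22 MHz 802.11b channel width and 5 MHz spacing quoted above, treats two channels as overlapping when their centres are closer than one channel width, and maps only "US"/"CA" to the North American limit and "JP" to Japan (every other code gets 1-13).

```python
"""Added example (not from the workshop): 2.4 GHz channel math for 802.11b."""

CHANNEL_WIDTH_MHZ = 22      # 802.11b channel width, as stated in the notes
CHANNEL_SPACING_MHZ = 5     # successive channels start 5 MHz apart


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel; channel 14 is the odd one out."""
    if 1 <= channel <= 13:
        return 2407 + CHANNEL_SPACING_MHZ * channel   # channel 1 -> 2412 MHz
    if channel == 14:
        return 2484                                   # Japan only
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def edges_mhz(channel: int) -> tuple:
    """(lower, upper) edge of the 22 MHz wide channel, i.e. centre +/- 11 MHz."""
    c = center_mhz(channel)
    half = CHANNEL_WIDTH_MHZ // 2
    return c - half, c + half


def overlaps(a: int, b: int) -> bool:
    """Assumption: channels overlap when centres are closer than one channel width."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping(channels) -> list:
    """Greedy pick of mutually non-overlapping channels, lowest channel first."""
    chosen = []
    for ch in sorted(channels):
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def allowed_channels(country: str) -> range:
    """Regulatory limits as quoted in the notes (country-code mapping is an assumption)."""
    country = country.upper()
    if country in {"US", "CA"}:     # North America: 1 - 11
        return range(1, 12)
    if country == "JP":             # Japan: 1 - 14
        return range(1, 15)
    return range(1, 14)             # everywhere else: 1 - 13


if __name__ == "__main__":
    for ch in (1, 6, 11, 14):
        lo, hi = edges_mhz(ch)
        print(f"channel {ch:2d}: {lo}-{hi} MHz")
    print("US non-overlapping:", non_overlapping(allowed_channels("US")))   # [1, 6, 11]
    print("JP non-overlapping:", non_overlapping(allowed_channels("JP")))   # [1, 6, 11, 14]
```

Running it reproduces the "1, 6, 11 and 14 are discrete" claim: channel 14 sits exactly 22 MHz above channel 11, so it touches but does not overlap.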
	
Knowing your Interface
----------------------

NIC: Network Interface Card
(Doesn't have to be a card, can be a USB dongle)
Not all WiFi adapters, or NICs, can handle all 6 modes of WiFi*
*More on that soon

MAC: Media Access Control
Three popular schemes:
	MAC-48
	EUI-48
	EUI-64

EUI: Extended Unique Identifier
48-bit MACs have an address space of about 281 trillion possibilities
Won't run out until 2100

Who makes MACs?
IEEE - the Institute of Electrical and Electronics Engineers
You know 'em as the folks who made IEEE 802.3 (Ethernet) or IEEE 802.11 (WiFi)

OUI: Organizationally Unique Identifier
First 3 octets of a MAC specific to network manufacturer

	Demo: Find MAC Address
	----------------------
	ifconfig | grep HWaddr

Trivia: MAC Addresses were originally born out of a Xerox Ethernet addressing scheme,
which is why the OUI for the Xerox Corporation is 00-00-00 through 00-00-09

MAC Addresses are "burned in" to the ROM
...but you can still change them
* You may want to assign what is known as a "locally administered address"
* The typical ways to change these in software are only temporary
* So you would have to run these commands on every boot

If you're a blackhat, you probably don't want to leave footprints
Tip: San Francisco's SFO airport provides 45 minutes of free WiFi
........per unique MAC address

	DEMO: Mac Change
	----------------
	ifconfig wlan0 down
	ifconfig wlan0 hw ether de:ad:be:ef:c0:fe
	ifconfig wlan0 up
	macchanger -r wlan0 #random address every time
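Added example, not from the workshop: pulling apart a 48-bit MAC to see the pieces the notes mention (the 3-octet OUI, the "locally administered" bit, and the EUI-64 form). It also shows why the demo address de:ad:be:ef:c0:fe stands out to anyone watching a network: 0xde has the U/L bit set, so it is not a vendor burned-in address. The EUI-64 derivation uses the RFC 4291 modified form (insert ff:fe, flip the U/L bit); the helper names are my own.

```python
"""Added example (not from the workshop): inspect a 48-bit MAC address."""
import re


def parse_mac(text: str) -> bytes:
    """Accept 'de:ad:be:ef:c0:fe' or 'DE-AD-BE-EF-C0-FE' and return six raw bytes."""
    parts = re.split(r"[:-]", text.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def oui(mac: bytes) -> str:
    """First three octets, written the way the IEEE registry lists them."""
    return "-".join(f"{b:02X}" for b in mac[:3])


def is_locally_administered(mac: bytes) -> bool:
    """U/L bit: second-least-significant bit of the first octet (set = changed in software)."""
    return bool(mac[0] & 0x02)


def is_multicast(mac: bytes) -> bool:
    """I/G bit: least-significant bit of the first octet."""
    return bool(mac[0] & 0x01)


def to_modified_eui64(mac: bytes) -> str:
    """RFC 4291 modified EUI-64, as IPv6 SLAAC builds it from a MAC-48:
    insert ff:fe between the OUI and the device part, then flip the U/L bit."""
    first = mac[0] ^ 0x02
    eui = bytes([first]) + mac[1:3] + b"\xff\xfe" + mac[3:]
    return ":".join(f"{b:02x}" for b in eui)


def describe(text: str) -> dict:
    """Summary a defender might log for every station seen on the air."""
    mac = parse_mac(text)
    return {
        "oui": oui(mac),
        "locally_administered": is_locally_administered(mac),
        "multicast": is_multicast(mac),
        "modified_eui64": to_modified_eui64(mac),
    }


ADDRESS_SPACE = 2 ** 48     # ~281 trillion addresses, as the notes say

if __name__ == "__main__":
    print(describe("de:ad:be:ef:c0:fe"))   # the demo address: locally administered
    print(describe("00:00:00:12:34:56"))   # Xerox OUI, universally administered
```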