Hosted by Darren Kitchen and Shannon Morse. New episodes Tuesdays.
Put together by a band of IT ninjas, security professionals and hardcore gamers, Hak5 isn't your typical tech show. We take on hacking in the old-school sense, covering everything from network security, open source and forensics, to DIY modding and the homebrew scene. Then we wrap it all up with a...
This time on the show: part 1 of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco, California.
WiFi Hacking Workshop
---------------------
Introduction
------------
- Darren Kitchen
- Hacker
- irc.dal.net #phreaks
- ezines: NPA, 2600, Phrack
- Podcast: Hak5
- Media
- Discovery
- Revision3
- G4 TechTV
- TWiT
- CNET
- New York Times
- Hack Across America
- Security Researcher
Convenience vs Quality / Security
---------------------------------
Record, Tape, CD, iTunes/DRM. WTF
8mm, VHS, DVD, Netflix Buffering. WTF
Convenience > Quality
Convenience > Security
Trust
WiFi
----
Term comes from the WiFi Alliance, a trade association that promotes IEEE 802.11 technologies and certifies products
"WiFi" is a branding term introduced in 1999. Catchier than IEEE 802.11
WiFi takes advantage of the unlicensed ISM spectrum
ISM Band
--------
In 1985 the FCC unlicensed the "ISM Band"
Industrial Scientific and Medical
A previously reserved Radio Band for equipment
EX: A Microwave Oven operates at 2.45 GHz
Demo: 2.4 GHz Microwave Burrito
-------------------------------
~/ubertooth-r434/host/specan_ui/ubertooth-specan-ui
Among other spectrum the ISM band includes:
902 - 928 MHz (Region 2 only)
2.4 - 2.5 GHz
5.725 - 5.875 GHz
ITU Regions
-----------
ITU: International Telecommunications Union
- Agency of the United Nations specializing in shared global use of radio, satellite and telecommunications
Region 1: Europe, Africa, Middle East, Former Soviet Union
Region 2: North and South America, Greenland, Pacific Islands
Region 3: Asia and Oceania
WiFi Legacy
-----------
In 1991 AT&T begins working on a wireless technology called WaveLAN
Now known as WaveLAN Classic
Operated in 900 MHz spectrum
Developed in the Netherlands as a technology for wireless cashier systems
Supported data rates of 1 and 2 Mega Bits Per Second (AKA: Ass Slow)
WiFi Since Then
---------------
1997: 802.11-1997 "Legacy" 1-2 Mbps now obsolete
1999: 802.11a - 5GHz & 54 Mbps
- Orthogonal Frequency-Division Multiplexing
- Same as ADSL, Power Line Networking, WiMax
- Signal Range Lower, didn't penetrate walls as well
- "Late to market"
1999: 802.11b - 2.4GHz & 11 Mbps
- First mainstream
- Same media access method as 802.11-legacy
- CSMA/CA
- Carrier Sense Multiple Access with Collision Avoidance
- Due to overhead, max real world throughput of 6-7 Mbps
2003: 802.11g
- Best of both worlds between A and B
- Uses 2.4 GHz (B) and OFDM (A)
- Problems in dense areas, only 3 non-overlapping channels
- Adopted early with draft specifications
2009: 802.11n
- Theoretical maximum of 600 Mbps
- Uses both 2.4 and 5 GHz bands
- 40 MHz wide channels, double that of 802.11g
- Backwards compatible with 802.11g
- MIMO
- Multiple Input Multiple Output
- 4 channels and 4 antennas
- Parallel operation
- Outside the scope of this discussion
- PreCoding
- Spatial Multiplexing
- Diversity Coding
201?: 802.11ac
- Theoretically 1 Gbps
- Even wider channels, 80 MHz and 160 MHz
- More MIMO, 8x8 vs 2x2, 3x3 and 4x4
- Support for Hellabits of data
WiFi Channels
-------------
802.11a,b,g,n slice up their spectrum into channels
Channels are padded by whitespace
802.11b on 2.4GHz uses 22MHz wide channels
Whitespace
5 MHz of unused spectrum buffers each channel
Channels and Overlap:
---------------------
Channel 1: Centered at 2.412 GHz, begins at 2.400 and ends at 2.422 GHz
Channel 2: Centered at 2.417 GHz begins 5 MHz past where Channel 1 began.
Channel 3: Centered at 2.422 GHz begins 5 MHz past where Channel 2 began.
....etc, etc... to Channel 14
Non-Overlapping Channels:
Channels 1, 6, 11 and 14 are discrete
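The channel arithmetic above, worked through in code. This is an added example, not part of the workshop notes: it rebuilds the 2.4 GHz channel plan (channel 1 centred at 2412 MHz, each following channel 5 MHz higher, channel 14 at 2484 MHz in Japan) and tests which channels overlap when each carries a 22 MHz wide 802.11b signal, modelled here as centre +/- 11 MHz. It also generalises to the 40 MHz channels 802.11n uses, which is where the "only 3 non-overlapping channels" problem gets worse. Channel numbers and widths come from the notes; the overlap rule (touching edges do not count as overlap) is an assumption of this example.

```python
"""Added example: 2.4 GHz WiFi channel centres and overlap (not from the Hak5 notes)."""
from __future__ import annotations
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22          # 802.11b channel width from the notes
CHANNEL_SPACING_MHZ = 5         # successive centre frequencies are 5 MHz apart
FIRST_CENTRE_MHZ = 2412         # channel 1
CHANNEL_14_CENTRE_MHZ = 2484    # Japan-only channel, sits off the 5 MHz grid


def centre_frequency(channel: int) -> int:
    """Centre frequency in MHz for 2.4 GHz channels 1-14."""
    if not 1 <= channel <= 14:
        raise ValueError(f"2.4 GHz channel must be 1-14, got {channel}")
    if channel == 14:
        return CHANNEL_14_CENTRE_MHZ
    return FIRST_CENTRE_MHZ + (channel - 1) * CHANNEL_SPACING_MHZ


def channel_span(channel: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> tuple[int, int]:
    """(lower edge, upper edge) in MHz occupied by a channel of the given width."""
    centre = centre_frequency(channel)
    half = width_mhz // 2
    return centre - half, centre + half


def overlaps(a: int, b: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> bool:
    """True if two channels share spectrum; edges that merely touch do not overlap."""
    a_lo, a_hi = channel_span(a, width_mhz)
    b_lo, b_hi = channel_span(b, width_mhz)
    return a_lo < b_hi and b_lo < a_hi


def non_overlapping_set(channels, width_mhz: int = CHANNEL_WIDTH_MHZ) -> bool:
    """True if no pair of the given channels overlaps each other."""
    return all(not overlaps(a, b, width_mhz) for a, b in combinations(channels, 2))


def max_non_overlapping(width_mhz: int = CHANNEL_WIDTH_MHZ,
                        available=range(1, 15)) -> list[int]:
    """Greedy pick, lowest channel first, of channels that do not overlap each other.

    Pass available=range(1, 12) for the North American channel set from the notes.
    """
    chosen: list[int] = []
    for ch in available:
        if all(not overlaps(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    for ch in (1, 6, 11, 14):
        lo, hi = channel_span(ch)
        print(f"channel {ch:2d}: {centre_frequency(ch)} MHz  ({lo}-{hi} MHz)")
    print("22 MHz, all 14 channels :", max_non_overlapping())
    print("22 MHz, North America   :", max_non_overlapping(available=range(1, 12)))
    print("40 MHz (802.11n), Japan :", max_non_overlapping(width_mhz=40))
```

Running it reproduces the notes' discrete set of 1, 6, 11 and 14 (and 1, 6, 11 where channel 14 is not available); with 40 MHz channels the same greedy pick finds only two channels that do not collide, which is why 40 MHz operation in 2.4 GHz is so crowded.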
Demo: Channels
--------------
iwconfig wlan2
iwconfig wlan2 channel 1
iwconfig wlan2 | grep Frequency
Channel Availability
--------------------
Channels and power are regulated by country:
- North America: channels 1 - 11
- Everywhere else: channels 1 - 13
- Japan: Channels 1 - 14
Demo: Going to Japan
--------------------
iw reg get
iwconfig wlan2 channel 14
iw reg set JP
iwconfig wlan2 channel 14
Knowing your Interface
----------------------
NIC: Network Interface Card
(Doesn't have to be a card, can be a USB dongle)
Not all WiFi adapters, or NICs, can handle all 6 modes of WiFi*
*More on that soon
MAC: Media Access Control
Three popular schemes:
MAC-48
EUI-48
EUI-64
EUI: Extended Unique Identifier
48-bit MACs have an address space of about 281 trillion possibilities
Won't run out until 2100
Who makes MACs?
IEEE - the Institute of Electrical and Electronics Engineers
You know 'em as the folks who made IEEE 802.3 (Ethernet) or IEEE 802.11 (WiFi)
OUI: Organizationally Unique Identifier
First 3 octets of a MAC specific to network manufacturer
Demo: Find MAC Address
----------------------
ifconfig | grep HWaddr
Trivia: MAC Addresses were originally born out of a Xerox Ethernet addressing scheme,
which is why the OUI for the Xerox Corporation is 00-00-00 through 00-00-09
MAC Addresses are "burned in" to the ROM
...but you can still change them
* You may want to assign what is known as a "locally administered address"
* The typical ways to change these in software are only temporary
* So you would have to run these commands on every boot
If you're a blackhat, you probably don't want to leave footprints
Tip: San Francisco's SFO airport provides 45 minutes of free WiFi
........per unique MAC address
DEMO: Mac Change
----------------
ifconfig wlan0 down
ifconfig wlan0 hw ether de:ad:be:ef:c0:fe
ifconfig wlan0 up
macchanger -r wlan0 #random address every time
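The MAC structure and the "locally administered address" point from the last two sections, worked through in code. This is an added example and not part of the workshop notes: it splits a MAC-48 address into the IEEE-assigned OUI (first three octets) and the NIC-specific part, reads the two flag bits of the first octet (bit 0, 0x01, individual/group; bit 1, 0x02, universally/locally administered), and builds a well-formed locally administered address of the kind the notes say you may want to assign. The tiny vendor table is constructed for the example from the Xerox trivia above; a real lookup uses the IEEE registry.

```python
"""Added example: taking a MAC-48 address apart (not from the Hak5 notes)."""
import re
import secrets

MAC_RE = re.compile(
    r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
    r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$", re.I)

# Constructed sample table for this example only; the Xerox entry is the
# block mentioned in the notes. Real OUI data comes from the IEEE registry.
OUI_SAMPLE = {"00:00:00": "Xerox Corporation (sample entry)"}

MAC48_ADDRESS_SPACE = 2 ** 48   # 281,474,976,710,656: the "281 trillion" from the notes


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return the six octets."""
    m = MAC_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a MAC-48 address: {text!r}")
    return bytes(int(octet, 16) for octet in m.groups())


def format_mac(octets: bytes) -> str:
    return ":".join(f"{b:02x}" for b in octets)


def describe_mac(text: str) -> dict:
    """OUI, vendor (from the sample table), NIC part and the two flag bits."""
    octets = parse_mac(text)
    oui = format_mac(octets[:3])
    return {
        "oui": oui,
        "vendor": OUI_SAMPLE.get(oui, "unknown (not in sample table)"),
        "nic_specific": format_mac(octets[3:]),
        "multicast": bool(octets[0] & 0x01),              # I/G bit
        "locally_administered": bool(octets[0] & 0x02),   # U/L bit
    }


def locally_administered_address() -> str:
    """Random unicast address with the U/L bit set, so it cannot collide with a vendor OUI."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & ~0x01   # set local bit, clear group bit
    return format_mac(octets)


if __name__ == "__main__":
    for addr in ("de:ad:be:ef:c0:fe", "00-00-00-12-34-56", locally_administered_address()):
        print(addr, describe_mac(addr))
```

The demo address de:ad:be:ef:c0:fe comes out as unicast and locally administered (0xde has bit 1 set and bit 0 clear), which is exactly what a hand-assigned address should look like; a burned-in vendor address has the local bit clear, so that bit is also a quick way to spot interfaces whose address has been set in software.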