Manna from Heaven: Improvements in Rogue AP Attacks
Defcon 22 2014
Ian de Villiers & Dominic White
Disclaimer & Updates
These are an early version of our slides and
the tools, our data and the slides will all be
updated by the time of our Defcon talk. You
can access these updates at:
• Slides http://slideshare.net/sensepost
• Tools http://github.com/sensepost/manna
• Overview http://www.sensepost.com/blog/
whois
Ian de Villiers & Dominic White
Hackers @ SensePost
We Hack | Build | Train | Scan Stuff
@iandvl & @singe
{ian|dominic} @sensepost.com
info/research/jobs @sensepost.com
Why Wi-Fi?
• 800 million new devices each year
• Consumer standard for mobile devices
• Widely deployed
– City-wide projects
• Increase in “cloud” services use & deployment
– E-mail, Social Networking
• Directly correlates to target (user, home or org)
The State of Wifi Hacks
• We can get devices to connect to Rogue APs
– KARMA by Dino Dai Zovi & Shane Macaulay 2004
• http://www.wirelessdefence.org/Contents/KARMAMain.htm
• We can intercept & crack auth creds to networks
– coWPAtty by Joshua Wright 2004
• http://www.aircrack-ng.org/doku.php?id=aircrack-ng&DokuWiki=1d69bf65c0a318129fd5a94a62b344cc
– Freeradius-wpe by Joshua Wright and Brad Antoniewicz 2008
• http://www.willhackforsushi.com/?page_id=37
– Asleap by Josh Wright 2003, then CloudCracker by Moxie Marlinspike 2013
• We can intercept creds over the network
– Firesheep Eric Butler 2010
• http://codebutler.com/firesheep/
– Hamster & Ferret Errata Rob 2007
• http://blog.erratasec.com/2007/08/sidejacking-with-hamster_05.html
– dsniff Dug Song 2000
• http://www.monkey.org/~dugsong/dsniff/
• We can downgrade/intercept SSL
– sslstrip & sslsniff Moxie Marlinspike 2009
• http://www.thoughtcrime.org/software/sslstrip/
If nearly every layer of our wifi stack is vulnerable:
Why can’t we just walk around with creds falling from the sky?
Let’s fix that
This talk will cover
– Improvements in rogue AP attacks
– Extensions to support secure networks
– Improvements in MitM
– Integration of existing attacks into a single tool
• Release of MANA toolkit
– MitM and Authenticated Network Attack toolkit
A Wifi Primer
• Wireless Fidelity (brand from Wi-Fi Alliance)
• Extension of wired Ethernet protocol: 802.11<x>, a/b/g/n/ac
• A plethora of wireless technologies exist (3G, WiMax, WDS, Bluetooth). We’re ignoring those.
• Usually used for LAN, limited MAN/WAN/PAN
• Can operate in Infrastructure or Ad-hoc modes
• Uses 2.4GHz or 5GHz range (junk bands)
A Wifi Primer
• 3 types of packets
– Management – Probes/Beacons
– Control – RTS/CTS
– Data – The goods
• We’re mostly interested in Management frames at this point
Finding Wifi Networks
Connecting to a Wi-Fi Network
• Client sends probe
• Station responds to probe
• Client sends authentication request
– A formality, nobody uses shared key networks, all open
– SSID sent in the clear, even if hidden
• AP acknowledges authentication
• Client sends association request
– Contains capabilities e.g. rates
• AP sends association response
Management Packets Unauthenticated in Open Network
KARMA ATTACKS
KARMA Attacks
• Device will probe for remembered nets (preferred network list [PNL]), even when not near them
• We just respond as the normal network would
– Hey “home network”, you there?
– Uh, sure, I’m “home network”
• First presented in 2004 by Dino Dai Zovi & Shane Macaulay
• Modern implementations:
– airbase-ng by Thomas d'Otreppe
• Software only, no master mode needed
– hostapd-1.0-karma by Robin Wood (digininja)
• Used on the Hak5 Pineapple
Why this works
• Networks/ESSIDs can have multiple APs (e.g. corporate nets)
– BSSID doesn’t have to match
– Devices need to switch APs as they move
• Anti-spoofing done at a higher level
– WEP & WPA/2 PSK
• AP & STA prove they know the key to each other
– EAPs
• Other proof, like TLS validation
• Devices probe directly for networks on their PNL
– We built Snoopy off this single flaw
It doesn’t work well
• iOS devices significantly reduced the amount they probe since iOS 7
• Android devices only connected when you explicitly joined the network
– Didn’t show up in the available network list in modern Android
• Same for Linux (shared wpa_supplicant code)
• Windows devices varied greatly across versions
• Only Macs (OSX) seemed to auto-connect to any of these networks!
Finding Wifi Networks
Improving KARMA
• Turns out our AP needs to respond to the broadcast probe as well as the directed probe
• It also turns out we can send multiple probe responses for different networks (ESSID) from the same BSSID
• Process
– Watch for directed probes
– Build per-MAC view of PNL
– Respond to a broadcast probe with directed responses for each network in the PNL
• This increases our karma attack significantly!
• Implemented in our hostapd mod included in MANA
Still Problems
• Snoopy screwed us (yay)
• iOS devices barely probe
• iOS has promised to introduce MAC randomisation on probe (not seen yet)
• Android had changes committed in July 2014 to reduce probes (fix low-power offload probing)
• wpa_supplicant got the patches, so Linux too
Hidden Networks
Finding Specific/Hidden Networks
iOS Hidden Net Hrrmm?
• Devices with hidden networks on their PNL need to probe for them all the time
• But iOS devices don’t
– This is impossible!
• Turns out, iOS only probes for hidden nets when at least one hidden network is in range
Passive Network Identification
Solution
• Run a hidden network, or beacon out hidden network frames with the normal beacon
• Also, deauth users from currently connected APs to force a re-scan
• Rely on other devices to leak network names (e.g. their laptop/tablet, co-workers, fellow airport travellers etc.)
– “loud mode” changes mana’s behaviour to not track PNL per device, but to re-broadcast all networks to all devices
– Very noisy!
Karma Summary
• Current KARMA attacks don’t work well anymore
– Few devices auto-join rogue networks
– Networks don’t show up as available, so mistaken clicks are missed
– Devices probe less
• MANA improves this
– Responds to broadcast probes
– Coaxes iOS hidden networks to be probed
– Can rely on other, less secure devices to disclose the PNL
Demo Time
• Demo of devices in the room responding to MANA attacks
• We have prevented association to limit legality impacts, i.e. you should see the networks in your wifi list
EXTENDING KARMA TO SECURE NETS
Devices Match Networks on Security Flags
Problem
• No support for secured networks in KARMA
• Devices expecting a “secured” network won’t connect
– User can manually connect
– Android shows as different network
– iOS shows as open, can click with no warning
– OSX shows as open, connecting gives warning
Solution
• We already know we can respond with multiple probe responses for different networks from a single BSSID
• So, we can respond with multiple probe responses with different security settings
• Some devices will connect to the one they have in their PNL
• But, there’s a problem …
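Defender-side view of the two behaviours described in “Improving KARMA” and on this slide (many ESSIDs answered from one BSSID, and the same ESSID offered with different security flags from one BSSID): an added example, not code from the talk or from the MANA toolkit. It assumes probe frames have already been decoded into the Frame records below; the MACs, SSIDs and frames are constructed.

```python
# Heuristic rogue-AP detector for the probe-response behaviour described in the
# slides. Example code added here; not part of the talk or the MANA toolkit.
# Frames are assumed to be pre-decoded into Frame records (e.g. from a
# monitor-mode capture); the sample at the bottom is constructed.
from collections import defaultdict
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    kind: str           # "probe_req" or "probe_resp"
    src: str            # transmitter: client MAC for requests, BSSID for responses
    dst: str            # receiver: BROADCAST for probe requests, client MAC for responses
    ssid: str           # SSID element; "" means a wildcard (broadcast) probe request
    rsn: bool = False   # response carries an RSN/WPA element (advertised as secured)


@dataclass
class BssidProfile:
    ssids: set = field(default_factory=set)        # every SSID this BSSID answered with
    security: dict = field(default_factory=dict)   # ssid -> set of rsn flags seen
    mirrored: set = field(default_factory=set)     # SSIDs answered after a client asked


def analyse(frames, ssid_threshold=3):
    """Return {bssid: [reasons]} for BSSIDs whose probe responses look like KARMA/MANA.

    Three signals, each taken from the slides:
      1. one BSSID answers with many distinct SSIDs (a normal AP maps one SSID
         to one BSSID, so multi-SSID kit still shows one SSID per BSSID);
      2. the same SSID is offered both open and with RSN from one BSSID;
      3. the BSSID answers exactly the SSIDs a client just probed for (PNL mirroring).
    """
    probed = defaultdict(set)          # client MAC -> SSIDs it sent directed probes for
    profiles = defaultdict(BssidProfile)

    for f in frames:
        if f.kind == "probe_req":
            if f.ssid:                 # directed probe: remember what the client wants
                probed[f.src].add(f.ssid)
            continue
        if f.kind != "probe_resp":
            continue
        p = profiles[f.src]
        p.ssids.add(f.ssid)
        p.security.setdefault(f.ssid, set()).add(f.rsn)
        if f.ssid in probed.get(f.dst, ()):
            p.mirrored.add(f.ssid)

    findings = {}
    for bssid, p in profiles.items():
        reasons = []
        if len(p.ssids) >= ssid_threshold:
            reasons.append(f"{len(p.ssids)} distinct SSIDs from one BSSID")
        conflicting = sorted(s for s, flags in p.security.items() if len(flags) > 1)
        if conflicting:
            reasons.append("same SSID offered both open and secured: " + ", ".join(conflicting))
        if len(p.mirrored) >= 2:
            reasons.append("answers SSIDs clients probed for: " + ", ".join(sorted(p.mirrored)))
        if reasons:
            findings[bssid] = reasons
    return findings


# Constructed sample: one client, one legitimate AP, one rogue AP answering the
# client's PNL plus a secured/open pair for the same name.
CLIENT = "c0:ff:ee:00:00:01"
LEGIT_AP = "aa:bb:cc:00:00:01"
ROGUE_AP = "02:de:ad:be:ef:01"

SAMPLE_FRAMES = [
    Frame("probe_req", CLIENT, BROADCAST, "home network"),
    Frame("probe_req", CLIENT, BROADCAST, "Corp-WiFi"),
    Frame("probe_req", CLIENT, BROADCAST, ""),              # broadcast probe
    Frame("probe_resp", LEGIT_AP, CLIENT, "CoffeeShop"),    # normal AP: one SSID
    Frame("probe_resp", ROGUE_AP, CLIENT, "home network"),
    Frame("probe_resp", ROGUE_AP, CLIENT, "Corp-WiFi", rsn=True),
    Frame("probe_resp", ROGUE_AP, CLIENT, "Corp-WiFi", rsn=False),
    Frame("probe_resp", ROGUE_AP, CLIENT, "AirportFree"),
]

if __name__ == "__main__":
    for bssid, reasons in analyse(SAMPLE_FRAMES).items():
        print(bssid)
        for r in reasons:
            print("  -", r)
```

The thresholds are deliberately loose; a wireless IDS would tune them per site and add the beacon-side equivalent (one BSSID beaconing several ESSIDs).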
More Wifi theory - WPA
EAP-TLS
PEAP
Auto-Crack & Add
• PEAP: we can capture the MSCHAPv2 challenge/response if there is no cert validation
– Currently, people use freeradius-wpe by Joshua Wright and Brad Antoniewicz
– But, hostapd has its own RADIUS server
– Now, so does mana, no need to run a separate server
• (initial patch from Brad)
• WPA/2: we can capture the first 2 parts of the handshake
• Send them for cracking with your favourite tool
– CloudCracker (chapcrack), Asleap, coWPAtty, aircrack-ng, hashcat, john
• Add the results back to MANA!
– i.e. auto-create a network with the correct security setting, PSK key or EAP user:password combination
– Also, CREDS FROM THE SKY!
• This only works on “easy” creds, hard ones take too long
Demo
• Demonstration of a device attempting to connect to a PEAP network
• MANA will rogue-AP it, grab the MSCHAPv2 challenge & crack it
• Will then create the user and re-rogue
• Device will connect
MAN IN THE MIDDLE
MitM introduction
• Getting clients to connect is only half the battle
• Benefits of MitM are rapidly declining
– Devices try to check if connection is legit
– Tools no longer work (dsniff, firesheep, etc.)
– Karmetasploit only gives us a handful of mail creds
– HSTS defeats sslstrip
– Mobile Apps’ auto cert validation defeats SSL MitM
Am I Online?
• Needed for MitM with no upstream (e.g. on planes, down mines, in Faraday cages ;)
• Devices make a request to a site on the public Internet to check if online
– iOS devices hit 1 of over 200 sites with a random request
– BlackBerry, Android, Windows all make a single request to a known destination
• MANA includes a bundle of apache sites that implement all of these
FireLamb
• Firesheep isn’t maintained and no longer works
• Enter FireLamb
• Simple python script that does the same
• Writes output to a firefox profile for easy cookie loading
HSTS Partial Bypass
• Updates to sslstrip by LeonardoNVE @ BlackHat Asia
• Includes intercepting DNS server, dns2proxy
• Process
– Browser requests http://www.google.com/
– sslstrip returns redirect to wwww.google.com
– dns2proxy mirrors DNS for www.google.com -> wwww.google.com
– sslstrip rewrites links from www.google.com to “alternate” domains
– Browser has no HSTS setting for wwww.google.com
– Client continues in plaintext
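Why the last two steps work, and the check that closes them, as an added example (not code from the talk, sslstrip or dns2proxy): the HSTS host-matching rule from RFC 6797 applied to constructed policy tables, plus a log check that flags queried hostnames one inserted character away from a protected host. It generalises the page’s wwww.google.com case to any single inserted character; the policy tables and hostnames are constructed, not the real preload list.

```python
# HSTS coverage check behind the wwww.google.com trick. Example code added
# here; not from the talk, sslstrip or dns2proxy. Policy tables and the
# observed hostnames are constructed, not the real preload list.


def hsts_covers(hostname, policies):
    """True if a browser holding `policies` would force HTTPS for `hostname`.

    `policies` maps a known HSTS host to its includeSubDomains flag. Coverage is
    an exact match, or a superdomain match whose policy asserts includeSubDomains
    (RFC 6797, section 8.3). This is why wwww.google.com escapes a policy
    recorded only for www.google.com, but not one for google.com that asserts
    includeSubDomains.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in policies and (i == 0 or policies[candidate]):
            return True
    return False


def one_insertion_away(longer, shorter):
    """True if deleting exactly one character from `longer` gives `shorter`."""
    if len(longer) != len(shorter) + 1:
        return False
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def looks_like(host, known):
    """Same parent domain, first label is the known label with one extra character."""
    h, k = host.lower().split("."), known.lower().split(".")
    return h[1:] == k[1:] and one_insertion_away(h[0], k[0])


def uncovered_lookalikes(observed_hosts, policies):
    """From DNS/HTTP logs, flag hostnames that are NOT HSTS-covered but sit one
    inserted character away from a host that is: the shape the redirect-to-
    alternate-domain step produces. Returns (observed, protected_host) pairs."""
    flagged = []
    for host in observed_hosts:
        if hsts_covers(host, policies):
            continue
        for known in policies:
            if looks_like(host, known):
                flagged.append((host, known))
    return flagged


# Constructed policy set: one site's HSTS header was seen only on its www host,
# the other site asserted includeSubDomains on its registrable domain.
POLICIES = {"www.google.com": False, "twitter.com": True}

# Constructed hostnames as they might appear in a DNS query log.
OBSERVED = [
    "www.google.com",
    "wwww.google.com",
    "api.twitter.com",
    "twiitter.com",
    "mail.example.org",
]

if __name__ == "__main__":
    for host, known in uncovered_lookalikes(OBSERVED, POLICIES):
        print(f"{host}: not HSTS-covered, looks like protected host {known}")
    # Site-side fix: assert includeSubDomains on the registrable domain.
    print(hsts_covers("wwww.google.com", {"google.com": True}))   # True
```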
Malicious iOS Profiles
• Config Profiles allow tons of changes to the device, including
– New root CA, for MitM
– New open wifi networks to keep KARMA going
– Ability to prevent its removal
• Can push these to the device over HTTP (no need for mail SE, but could do that too)
• Requires users to hit install and type their passcode
– Tough sell
– But can prevent removal after that
• Allows much better MitM with new root CA
– http://www.lacoon.com/blog/2014/07/security-disclosure-googles-ios-gmail-app-enables-threat-actor/
• Doesn’t defeat cert pinning though
Captive Portal SE
• We want creds dammit!
• Fake captive portal, designed to gather them
• Tricks
– Don’t interfere with normal comms (so we can still MitM auto interactions)
– Use WISPr to get the browser open early
– Provides chance for iOS profile push & explanation
– Provide option to go away so user can continue surfing
– Provides a BeEF hook
• Ask for creds using OAuth-lookalike
• Our take included in MANA
Demo
• Demo of a device joining our rogue network
– Getting auto-mail fetch creds (cleartext mail or Microsoft ActiveSync over SSL)
– Captive Portal demo
– HSTS bypass on gmail/twitter/facebook
– Pushing a malicious iOS config
• Demo of enhanced MitM against a well known app (will be disclosed after vendor fixes)
– Example HTML5 WebView giving us data
Web Application Hacking
SensePost
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and Defences
SensePost
 
Corporate Threat Modeling v2
Corporate Threat Modeling v2Corporate Threat Modeling v2
Corporate Threat Modeling v2
SensePost
 
State of the information security nation
State of the information security nationState of the information security nation
State of the information security nation
SensePost
 
OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?
SensePost
 
Security threats facing SA businessess
Security threats facing SA businessessSecurity threats facing SA businessess
Security threats facing SA businessess
SensePost
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerce
SensePost
 
Penetration testing and social engineering
Penetration testing and social engineeringPenetration testing and social engineering
Penetration testing and social engineering
SensePost
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the face
SensePost
 
The jar of joy
The jar of joyThe jar of joy
The jar of joy
SensePost
 
Web 2.0 security woes
Web 2.0 security woesWeb 2.0 security woes
Web 2.0 security woes
SensePost
 
The difference between a duck
The difference between a duckThe difference between a duck
The difference between a duck
SensePost
 
When good code goes bad
When good code goes badWhen good code goes bad
When good code goes bad
SensePost
 
A new look into web application reconnaissance
A new look into web application reconnaissance A new look into web application reconnaissance
A new look into web application reconnaissance
SensePost
 

Recently uploaded (20)

2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 

Improvement in Rogue Access Points - SensePost Defcon 22

1. Manna from Heaven: Improvements in Rogue AP Attacks
Defcon 22 2014
Ian de Villiers & Dominic White

2. Disclaimer & Updates
These are an early version of our slides and the tools, our data and the slides will all be updated by the time of our Defcon talk. You can access these updates at:
• Slides http://slideshare.net/sensepost
• Tools http://github.com/sensepost/manna
• Overview http://www.sensepost.com/blog/

3. whois
Ian de Villiers & Dominic White
Hackers @ SensePost
We Hack | Build | Train | Scan Stuff
@iandvl & @singe
{ian|dominic} @sensepost.com
info/research/jobs @sensepost.com

4. Why Wi-Fi?
• 800 million new devices each year
• Consumer standard for mobile devices
• Widely deployed
  – City-wide projects
• Increase in “cloud” services use & deployment
  – E-mail, Social Networking
• Directly correlates to target (user, home or org)

5. The State of Wifi Hacks
• We can get devices to connect to Rogue APs
  – KARMA by Dino Dai Zovi & Shane Macaulay 2004
    • http://www.wirelessdefence.org/Contents/KARMAMain.htm
• We can intercept & crack auth creds to networks
  – coWPAtty by Joshua Wright 2004
    • http://www.aircrack-ng.org/doku.php?id=aircrack-ng&DokuWiki=1d69bf65c0a318129fd5a94a62b344cc
  – Freeradius-wpe by Joshua Wright and Brad Antoniewicz 2008
    • http://www.willhackforsushi.com/?page_id=37
  – Asleap then CloudCracker: Josh Wright 2003, then Moxie Marlinspike 2013
• We can intercept creds over the network
  – Firesheep by Eric Butler 2010
    • http://codebutler.com/firesheep/
  – Hamster & Ferret by Errata Rob 2007
    • http://blog.erratasec.com/2007/08/sidejacking-with-hamster_05.html
  – dsniff by Dug Song 2000
    • http://www.monkey.org/~dugsong/dsniff/
• We can downgrade/intercept SSL
  – sslstrip & sslsniff by Moxie Marlinspike 2009
    • http://www.thoughtcrime.org/software/sslstrip/

6. If nearly every layer of our wifi stack is vulnerable: why can’t we just walk around with creds falling from the sky?

7. Let’s fix that
• This talk will cover
  – Improvements in rogue AP attacks
  – Extensions to support secure networks
  – Improvements in MitM
  – Integration of existing attacks into a single tool
• Release of MANA toolkit
  – MitM and Authenticated Network Attack toolkit

8. A Wifi Primer
• Wireless Fidelity (brand from Wi-Fi Alliance)
• Extension of wired Ethernet protocol: 802.11<x> a/b/g/n/ac
• A plethora of wireless technologies exist (3G, WiMax, WDS, Bluetooth). We’re ignoring those.
• Usually used for LAN, limited MAN/WAN/PAN
• Can operate in Infrastructure or Ad-hoc modes
• Uses 2.4 GHz or 5 GHz range (junk bands)

9. A Wifi Primer
• 3 types of packets
  – Management – Probes/Beacons
  – Control – RTS/CTS
  – Data – The goods
• We’re mostly interested in Management frames at this point

11. Connecting to a Wi-Fi Network

12. Connecting to a Wi-Fi Network
• Client sends probe
• Station responds to probe
• Client sends authentication request
  – A formality: nobody uses shared key networks, all open
  – SSID sent in the clear, even if hidden
• AP acknowledges authentication
• Client sends association request
  – Contains capabilities, e.g. rates
• AP sends association response
Management packets are unauthenticated in an open network

15. KARMA Attacks
• Device will probe for remembered nets (preferred network list [PNL]), even when not near them
• We just respond as the normal network would
  – Hey “home network”, you there?
  – Uh, sure, I’m “home network”
• First presented in 2004 by Dino dai Zovi & Shane Macaulay
• Modern implementations:
  – airbase-ng by Thomas d'Otreppe
    • Software only, no master mode needed
  – hostapd-1.0-karma by Robin Wood (digininja)
    • Used on the Hak5 pineapple

16. Why this works
• Networks/ESSIDs can have multiple APs (e.g. corporate nets)
  – BSSID doesn’t have to match
  – Devices need to switch APs as they move
• Anti-spoofing done at higher level
  – WEP & WPA/2 PSK
    • AP & STA prove they know the key to each other
  – EAPs
    • other proof, like TLS validation
• Devices probe directly for networks on their PNL
  – We built snoopy off of this single flaw

17. It doesn’t work well
• iOS devices significantly reduced the amount they probe since iOS 7
• Android devices only connected when you explicitly joined the network
  – Didn’t show up in the available network list in modern Android
• Same for Linux (shared wpa_supplicant code)
• Windows devices varied greatly across versions
• Only Macs (OSX) seemed to auto-connect to any of these networks!

19. Improving KARMA
• Turns out our AP needs to respond to the broadcast probe as well as the directed probe
• It also turns out we can send multiple probe responses for different networks (ESSID) from the same BSSID
• Process
  – Watch for directed probes
  – Build per-MAC view of PNL
  – Respond to a broadcast probe with directed responses for each network in PNL
• This increases our karma attack significantly!
• Implemented in our hostapd mod included in MANA

20. Still Problems
• Snoopy screwed us (yay)
• iOS devices barely probe
• iOS has promised to introduce MAC randomisation on probe (not seen yet)
• Android had changes committed in July 2014 to reduce probes (fix low-power offload probing)
• wpa_supplicant got the patches, so Linux too

23. iOS Hidden Net Hrrmm?
• Devices with hidden networks on their PNL need to probe for them all the time
• But iOS devices don’t
  – This is impossible!
• Turns out, iOS only probes for hidden nets when at least one hidden network is in-range

25. Solution
• Run a hidden network, or beacon out hidden network frames with the normal beacon
• Also, deauth users from currently connected APs to force re-scan
• Rely on other devices to leak network names (e.g. their laptop/tablet, co-workers, fellow airport travellers etc.)
  – “loud mode” changes mana’s behaviour to not track PNL per device, but to re-broadcast all networks to all devices
  – Very noisy!

26. Karma Summary
• Current KARMA attacks don’t work well anymore
  – Few devices auto-join rogue networks
  – Networks don’t show up as available, so mistaken clicks are missed
  – Devices probe less
• MANA improves this
  – Responds to broadcast probes
  – Coaxes iOS hidden networks to be probed
  – Can rely on other, less secure devices to disclose the PNL

27. Demo Time
• Demo of devices in the room responding to MANA attacks
• We have prevented association to limit legality impacts, i.e. you should see the networks in your wifi list

29. Devices Match Networks on Security Flags

30. Problem
• No support for secured networks in KARMA
• Devices expecting a “secured” network won’t connect
  – User can manually connect
  – Android shows as different network
  – iOS shows as open, can click with no warning
  – OSX shows as open, connecting gives warning

31. Solution
• We already know we can respond with multiple probe responses for different networks from a single BSSID
• So, we can respond with multiple probe responses with different security settings
• Some devices will connect to the one they have in their PNL
• But, there’s a problem …

34. PEAP

35. Auto-Crack & Add
• PEAP: we can capture the MSCHAPv2 challenge/response if no cert validation
  – Currently, people use freeradius-wpe by Joshua Wright and Brad Antoniewicz
  – But, hostapd has its own RADIUS server
  – Now, so does mana, no need to run a separate server
    • (initial patch from Brad)
• WPA/2: we can capture the first 2 parts of the handshake
• Send them for cracking with your favourite tool
  – CloudCracker (chapcrack), Asleap, coWPAtty, aircrack-ng, hashcat, john
• Add the results back to mana!
  – i.e. auto create a network with the correct security setting, PSK key or EAP user:password combination
  – Also, CREDS FROM THE SKY!
• This only works on “easy” creds; hard ones take too long

36. Demo
• Demonstration of a device attempting to connect to a PEAP network
• MANA will rogue-AP it, grab the MSCHAPv2 challenge & crack it
• Will then create the user and re-rogue
• Device will connect

37. MAN IN THE MIDDLE

38. MitM introduction
• Getting clients to connect is only half the battle
• Benefits of MitM are rapidly declining
  – Devices try to check if connection is legit
  – Tools no longer work (dsniff, firesheep, etc.)
  – Karmetasploit only gives us a handful of mail creds
  – HSTS defeats sslstrip
  – Mobile app auto cert validation defeats SSL MitM

39. Am I Online?
• Needed for MitM with no upstream (e.g. on planes, down mines, in faraday cages ;)
• Devices make a request to a site on the public Internet to check if online
  – iOS devices hit 1 of over 200 sites with a random request
  – BlackBerry, Android, Windows all make a single request to a known destination
• MANA includes a bundle of apache sites that implement all of these

40. FireLamb
• Firesheep isn’t maintained and no longer works
• Enter firelamb
• Simple python script that does the same
• Writes output to a firefox profile for easy cookie loading

41. HSTS Partial Bypass
• Updates to sslstrip by LeonardoNVE @ BlackHat Asia
• Includes intercepting DNS server, dns2proxy
• Process
  – Browser requests http://www.google.com/
  – sslstrip returns redirect to wwww.google.com
  – dns2proxy mirrors DNS for www.google.com -> wwww.google.com
  – sslstrip rewrites links from www.google.com to “alternate” domains
  – Browser has no HSTS setting for wwww.google.com
  – Client continues in plaintext

42. Malicious iOS Profiles
• Config Profiles allow tons of changes to the device, including
  – New root CA, for MitM
  – New open wifi networks to keep KARMA going
  – Ability to prevent its removal
• Can push these to the device over HTTP (no need for mail SE, but could do that too)
• Requires users to hit install and type their passcode
  – Tough sell
  – But can prevent removal after that
• Allows much better MitM with new root CA
  – http://www.lacoon.com/blog/2014/07/security-disclosure-googles-ios-gmail-app-enables-threat-actor/
• Doesn’t defeat cert pinning though

43. Captive Portal SE
• We want creds dammit!
• Fake captive portal, designed to gather them
• Tricks
  – Don’t interfere with normal comms (so we can still MitM auto interactions)
  – Use WISPr to get browser open early
  – Provides chance for iOS profile push & explanation
  – Provide option to go away so user can continue surfing
  – Provides a BeEF hook
• Ask for creds using OAuth-lookalike
• Our take included in MANA

44. Demo
• Demo of a device joining our rogue network
  – Getting auto-mail fetch creds (cleartext mail or Microsoft ActiveSync over SSL)
  – Captive Portal demo
  – HSTS bypass on gmail/twitter/facebook
  – Pushing a malicious iOS config
• Demo of enhanced MitM against well known app (will be disclosed after vendor fixes)
  – Example HTML5 WebView giving us data

45. Disclaimer & Updates
These are an early version of our slides and the tools, our data and the slides will all be updated by the time of our Defcon talk. You can access these updates at:
• Slides http://slideshare.net/sensepost
• Tools http://github.com/sensepost/manna
• Overview http://www.sensepost.com/blog/
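The HSTS partial bypass on slide 41 only works because the browser holds no policy for the look-alike host. The block below is an added example, not code from the talk or the MANA toolkit: a minimal RFC 6797 HSTS store showing why a host-only policy set on the www host leaves a sibling such as wwww.example.com reachable over plaintext, while a policy on the parent domain with includeSubDomains (what preload listing also requires) forces HTTPS. example.com stands in for the slide's google.com hosts, and the policies are constructed rather than taken from any real site.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Added example (not from the talk or MANA): a minimal RFC 6797 HSTS store.


@dataclass(frozen=True)
class HstsEntry:
    max_age: int
    include_subdomains: bool


def parse_hsts(header: str) -> Optional[HstsEntry]:
    """Parse a Strict-Transport-Security header value (RFC 6797 s6.1).
    Returns None when max-age is missing, in which case the UA ignores it."""
    max_age = None
    include = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include = True
    return None if max_age is None else HstsEntry(max_age, include)


def apply_header(store: Dict[str, HstsEntry], host: str, header: str) -> None:
    """Record (or, for max-age=0, forget) the policy a host sent over HTTPS."""
    entry = parse_hsts(header)
    if entry is None:
        return
    host = host.lower().rstrip(".")
    if entry.max_age == 0:
        store.pop(host, None)
    else:
        store[host] = entry


def is_hsts_host(store: Dict[str, HstsEntry], host: str) -> bool:
    """RFC 6797 s8.2/8.3: the host itself is a Known HSTS Host (congruent
    match), or one of its superdomains is and carries includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is not None and (i == 0 or entry.include_subdomains):
            return True
    return False


def navigation_scheme(store: Dict[str, HstsEntry], host: str) -> str:
    """Scheme a UA uses for a plain http:// navigation to host."""
    return "https" if is_hsts_host(store, host) else "http"


def demo() -> Dict[str, str]:
    # Constructed policies; example.com stands in for the slide's google.com.
    # Weak: HSTS set only on the www host, so a sibling host is uncovered.
    weak: Dict[str, HstsEntry] = {}
    apply_header(weak, "www.example.com", "max-age=31536000")
    # Strong: policy on the registrable domain with includeSubDomains, which
    # is also what the browser preload lists require.
    strong: Dict[str, HstsEntry] = {}
    apply_header(strong, "example.com", "max-age=31536000; includeSubDomains")
    lookalike = "wwww.example.com"  # the extra-w host from slide 41
    return {"weak": navigation_scheme(weak, lookalike),
            "strong": navigation_scheme(strong, lookalike)}


if __name__ == "__main__":
    print(demo())  # {'weak': 'http', 'strong': 'https'}
```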

Editor's Notes

  • #14: This is how networks show up in your network list when searching for wifi networks on your device.
  • #15: When you join a network, this interaction happens.
  • #18: KARMA attacks do exactly the same thing as a normal association, it’s just an evil AP instead of the actual AP doing it.
  • #22: This is why KARMA attacks weren’t working well, we weren’t responding to the broadcast probes.
  • #25: In trying to figure out the issue, we went to the place we should always see probes, hidden networks. Hidden networks don’t return the ESSID in response to broadcast probes.
  • #26: The AP only gives up its name if the device probes for it specifically (i.e. you must know the name already).
  • #28: This means that iOS devices are passively looking for beacons from hidden networks. Why not do that for all networks?
  • #33: Probe responses contain a flag indicating whether they are WEP, WPA/2 PSK, WPA/2 EAP etc. This is used as part of the “unique” match for PNL networks.
  • #35: This specific part is still under heavy testing at the time of writing.
  • #36: We don’t have the creds. But, we can have our rogue AP act as a WPA/2 network and send the first packet, and we capture the second. We don’t have the right key, and can’t generate the Temporal key, but we have anonce and snonce and a MIC from the client, so we can attempt to brute-force the key until we can generate a MIC for the snonce that matches the client’s. Josh Wright’s coWPAtty tool first did this.
  • #37: With EAP, we have a similar problem, but if the client isn’t validating correctly, we can MitM. EAP-TLS is mutually authenticated so we can’t here (just included for a simpler description).
  • #38: We can MitM PEAP and PEAP-like EAPs most of the time. This is because most configurations don’t validate the server cert, and even when they do, there is no CN name match; it’s purely on authority. A successful MitM gets us an MSCHAPv2 challenge/response (depending on setup).
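As a defender-side complement to slides 19 and 31 and note #33, here is an added example (not part of MANA or the talk) of a wireless IDS check over probe-response summaries: a legitimate AP answers a client with one ESSID per BSSID and never advertises the same ESSID under two different security settings, so a BSSID that does either within a short window is worth alerting on. The ProbeResponse records, the sample frames and the MAC addresses are constructed; the security field is assumed to have already been derived from each frame's RSN/WPA information elements by whatever monitor-mode capture feeds this.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Added example (not from the talk or MANA): alert on MANA-style probe
# responses seen by a monitor-mode sensor. Frame parsing is assumed done.


@dataclass(frozen=True)
class ProbeResponse:
    ts: float       # capture time in seconds
    bssid: str      # transmitter address of the responding AP
    dst: str        # client the response is directed to
    essid: str      # SSID element in the response
    security: str   # assumed pre-derived from RSN/WPA IEs, e.g. "wpa2-psk"


Finding = Tuple[str, str]  # (bssid, reason)


def multi_essid_findings(frames: List[ProbeResponse], window: float = 5.0,
                         max_essids: int = 1) -> List[Finding]:
    """Slide 19: MANA answers one client's broadcast probe with a directed
    response for every network in that client's PNL, all from one BSSID.
    A real AP carries one ESSID per BSSID, so flag any (BSSID, client)
    pair that receives more than max_essids distinct ESSIDs inside window."""
    groups: Dict[Tuple[str, str], List[ProbeResponse]] = defaultdict(list)
    for f in frames:
        groups[(f.bssid, f.dst)].append(f)
    out: List[Finding] = []
    for (bssid, dst), fs in groups.items():
        fs = sorted(fs, key=lambda f: f.ts)
        start = 0
        for end in range(len(fs)):
            while fs[end].ts - fs[start].ts > window:   # slide the window
                start += 1
            essids = {f.essid for f in fs[start:end + 1]}
            if len(essids) > max_essids:
                out.append((bssid, f"{len(essids)} ESSIDs sent to {dst} "
                                   f"within {window:g}s: {sorted(essids)}"))
                break   # one finding per (BSSID, client) pair is enough
    return out


def security_flip_findings(frames: List[ProbeResponse]) -> List[Finding]:
    """Slide 31 / note #33: the rogue AP offers the same ESSID under several
    security settings so the client's PNL match succeeds whichever it stored.
    A real AP never changes an ESSID's security flags between responses."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for f in frames:
        seen[(f.bssid, f.essid)].add(f.security)
    return [(bssid, f"ESSID {essid!r} advertised as {sorted(secs)}")
            for (bssid, essid), secs in seen.items() if len(secs) > 1]


def analyse(frames: List[ProbeResponse], window: float = 5.0) -> List[Finding]:
    return multi_essid_findings(frames, window) + security_flip_findings(frames)


# Constructed sample capture: one legitimate AP (00:11:...) and one rogue
# (de:ad:...) both answering client ...:01; a second client shows up later.
SAMPLE = [
    ProbeResponse(0.0, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "CoffeeShop", "open"),
    ProbeResponse(0.1, "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:01", "HomeNet", "wpa2-psk"),
    ProbeResponse(0.1, "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:01", "HomeNet", "open"),
    ProbeResponse(0.2, "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:01", "CorpWiFi", "wpa2-eap"),
    ProbeResponse(0.3, "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:01", "AirportFree", "open"),
    ProbeResponse(9.0, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:02", "CoffeeShop", "open"),
]


if __name__ == "__main__":
    for bssid, reason in analyse(SAMPLE):
        print(bssid, reason)
```

Tune `window` and `max_essids` to the site: a multi-SSID AP normally uses a separate BSSID per SSID, so a value of 1 is a reasonable default, but verify against your own APs before alerting.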