active 802 11 fingerprinting gibberish and secret
play

Active 802.11 Fingerprinting: gibberish and secret handshakes to - PowerPoint PPT Presentation

Mar 19, 2023 •195 likes •426 views

Active 802.11 Fingerprinting: gibberish and secret handshakes to know your AP Sergey Bratus, Cory Cornelius, Daniel Peebles Dartmouth College Shmoocon 2008 This talk in 5 minutes (1) How it started? TC7, Johnny Cache:

  2. Active 802.11 Fingerprinting: gibberish and “secret handshakes” to know your AP Sergey Bratus, Cory Cornelius, Daniel Peebles Dartmouth College Shmoocon 2008

  3. This talk in 5 minutes (1) “How it started?” ● TC7, Johnny Cache: different 802.11 clients responded differently to change of BSSID in Auth & Assoc Resp. – Wow, TCP/IP stack fun all over again! (“You are in a maze of twisty implementations, all slightly different”).

  4. This talk in 5 minutes (2) “What is this about?” AP vs clients: is it “ Can the castle fight off barbarians?” More like: “Can the peasants find the right castle?” Famous attacks on clients fake the castle (i.e., the AP): ● Shmoo: “802.11 bait: badass tackle ...” (TC7, '05) ● Dai Zovi, Macaulay: KARMA (CanSecWest '05) ● Simple Nomad: “Hacking the friendly skies” ● Cache & Maynor: “Hijacking a MacBook in 60 sec” ● The Month of Kernel Bugs (Nov 2006), ...

  5. This talk in 5 minutes (3) “What's in a fingerprint?” ● With enough resources and observations, you can fingerprint almost anything – Timings, Electric or RF signal, Fourier analysis, ... ● When cheap and straightforward, it's fun – ... like different code logic ( Nmap & friends) ● Lots of protocol states & fields => lots of differences – ... and some combinations are gibberish – 802.11 has lots of these even in L2 headers: (e.g., mismatched type and flags in Frame Control ) So test how your AP reacts to gibberish, at a glance. If the picture is different, it's likely NOT your AP.

  6. This talk in 5 minutes (4) “AP responses at a glance” Linksys WRT54g: Prism II HostAP soft AP: Madwifi-ng soft AP: Auth Requests with non-sensical combinations of flags

  7. BAFFLE ● Written in Ruby 1.9 ● Uses Ruby LORCON from Metasploit – forever indebted to the authors! ● Builds pcap/BPF filters for 802.11 frames from Ruby objects ● A special language for describing tests, stimuli and training

  8. “Where we fit in” “Usual and Customary” “Cruel and Unusual” Passive Packets/Frames Packets/Frames SinFP Nmap L4 / L3 P0f Xprobe J.Cache U5 duration field L2 BAFFLE Fuzzers Franklin et al. probe timings

  9. Some history ● L3 TCP/IP stack fingerprints: – Classics – New developments ● Countermeasures ● L2 802.11 fingerprinting

  10. The Noble Art of L3 Fingerprinting: “part of a complete TCP/IP VA kit” ● Nmap (1998, 2006--) – 2 nd gen. OS fingerprinting: http://nmap.org/osdetect/ ● Xprobe (2001, 2002—2005) ● “fuzzy logic” ● P0f , the passive fingerprinter (2000, 2006) ● preceded by “Siphon”, adopted by Ettercap, many others ● SinFP (2005) ● attempts single-port, 3-packet OS fingerprinting ● ...

  11. The Noble Art of L3 Fingerprinting --Countermeasures-- ● Smart, Malan, Jahanian (USENIX, 2000) – “Defeating TCP/IP OS stack fingerprinting” – scrubbers suppress “cruel and unusual” packets, breaking known signatures ● Kathy Wang (DC-12, 2004) – “Frustrating OS fingerprinting with Morph” – don't just mess up signatures, emulate them ● Niels Provos (USENIX, 2004) – “A virtual honeypot framework”, Honeyd – ... emulate them for entire honeynets

  12. The Noble Art of L3 Fingerprinting --Timing-related-- ● Tony Capela (DC-11, 2003): Ping RTT – “ Fashionably late - what your network's RTT tells... ” ● Kohno, Broido, Claffy (2005): Clock skew – “Remote Physical Device Fingerprinting” paper ● Dan Kaminsky (2005): IP timers – Fragment reassembly timeouts differs between stacks ● ... many others

  13. Timeline ● 1998: Nmap gets OS fingerprinting – 2000: “Scrubbers” suggested to remove anomalies – 2001: Norm (Handley et al.) normalized TCP at 100,000 pkts/sec (against IDS evasion) ● 2001: Xprobe fingerprints less-used but “normal” ICMP, etc. – 2004: Honeyd fakes responses of different OSes [see nmap.prints, xprobe2.conf]; Morph ● 2003, 2005: Timing-related fingerprinting – ?

  14. 802.11: a whole new L2 ● Johnny Cache (Toorcon, 2005) – “802.11 VLANs and Association Redirection” – different client responses to BSSID change in Auth Response and Assoc Response frames from AP ● Johnny Cache (Uninformed 5, 2006) – “Fingerprinting 802.11 implementations via statistical analysis of the duration field” – Passive. “Client associates, gets an IP, loads a few webpages” ● Franklin et al. (USENIX Sec, 2006) – “Passive link layer 802.11wireless device driver fingerprinting” – Client scanning behavior, time intervals between probes ● ...

  15. State machines and “extra bits”: TCP Some fields are meaningless in at least some of the states. Nmap says hello.

  16. 802.11 states and fiddly bits Not all flags make sense for all types & subtypes. Not all flags make sense for all states. Hello BAFFLE.

  17. Can a client station trust an AP? ● Is this AP one of a trusted group, or evil faker? ● Why yes, just exchange some crypto with it, and verify the AP knows the right secrets. ● Problem solved, right? ● Not exactly: are all these exchanges bug-free ?

  18. Your L2 is possessed by the devil ● “Hijacking a MacBook in 60 seconds” ● “The month of kernel bugs”, ... Probe Request -- Probe Response rates, essid, ... Laptop Wireless Access Point Laptop

  19. 802.11 fiddly bits ● Type/Subtype: Mgmt, Control or Data / various modes ● ToDS , FromDS : frame from or to distribution system – zero on management and control frames ● MoreFrag : more L2 fragments to follow ● PwrMgmt : station goes into Power Save mode (PS) ● MoreData : AP has data buffered for station in PS mode

  20. So many combinations

  21. Gibberish ● ToDS and FromDS set on Probe & Auth Requests – unspecified on Mgmt and Contol frames ● MoreFrags on Probe Reqs and Auth Reqs – will the AP wait for more, ignore or respond? ● MoreData from station to AP (say what?) So: send lots of garbage frames, listed for responses (varying source MACs helps) Laptop ? Wireless Access Point

  22. “Secret handshake with an AP” ● All you really know about an AP is its BSSID/MAC ● Don't trust your driver? ● Scared of getting too close with an AP before you can learn anything about it through crypto? (and you have to get pretty intimate to use crypto) ● Choose some weird things than your APs do ● Check if the BSSID in question does them

  23. Thanks! ● Johnny Cache for the many inspirations ● Joshua Wright and Mike Kershaw for LORCON ● Uninformed and Toorcon crews ● everyone else who helped us (authors of Ruby, Lapack, Metasploit, ...)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Server Siblings: Identifying Shared IPv4/IPv6 Infrastructure via Active Fingerprinting Robert

Server Siblings: Identifying Shared IPv4/IPv6 Infrastructure via Active Fingerprinting Robert

Server Siblings: Identifying Shared IPv4/IPv6 Infrastructure via Active Fingerprinting Robert Beverly , Arthur Berger Naval Postgraduate School MIT/Akamai March 20, 2015 PAM 2015 - 16th Passive and Active Measurement Conference

583 views • 33 slides
k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes

k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes

k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes University College London August 12, 2016 1/24 How does website fingerprinting work? - Training Tor network Relay 2 Adversary Relay 1

988 views • 24 slides
A New Paradigm For Network Security Through Experiences From Reality (ANPFNSTEFR) Mohit Lad,

A New Paradigm For Network Security Through Experiences From Reality (ANPFNSTEFR) Mohit Lad,

A New Paradigm For Network Security Through Experiences From Reality (ANPFNSTEFR) Mohit Lad, UCLA Mohit Lad, Outrageous 06 Structure of the talk Background and motivation Gibberish More Gibberish A slide with the text

307 views • 16 slides
Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing Constructions Moir Cryptography Issues Secret Sharing Secret Sharing Threshold Secret Sharing (Shamir, Blakely 1979) Motivation

1.32k views • 62 slides
Active Aging: Benefits of an Active Lifestyle on Health and Well-being in Lifestyle on Health

Active Aging: Benefits of an Active Lifestyle on Health and Well-being in Lifestyle on Health

Active Aging: Benefits of an Active Lifestyle on Health and Well-being in Lifestyle on Health and Well being in Later Life Dorothy Farrar Edwards PhD y Department of Kinesiology-Occupational Therapy Unraveling the Secret to Aging Well

877 views • 45 slides
CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF Fingerprinting Tester https://panopticlick.eff.org 3 Panopticlick Testing 4 IE Brave Fingerprinting Components 5

1.28k views • 78 slides
VICTORIA'S SECRET THE WORLD'S BEST BRAS OVERVIEW Victoria's Secret Victoria's PINK Secret

VICTORIA'S SECRET THE WORLD'S BEST BRAS OVERVIEW Victoria's Secret Victoria's PINK Secret

NEW YORK LONDON SHANGHAI VICTORIA'S SECRET THE WORLD'S BEST BRAS OVERVIEW Victoria's Secret Victoria's PINK Secret Sport WE ARE MISSION VISION VALUES 8.1% GROWTH BY 2022 3BN DOMESTIC VALUE STATS WE OFFER LINGERIE PANTIES

340 views • 30 slides
Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is it? Any one of you knows nothing! Any two of you can figure it out! Example Applications: Nuclear launch: need at least 3 out of 5 people to

513 views • 23 slides
Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting June 28, 2018 1 / 35 Outline What is Acoustic Fingerprinting 1 Fingerprinting for Music Identification 2 Spectrograms 3 History 4 My

743 views • 35 slides
Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using

Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using

Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using clock-skewing Renaud Lifchitz renaud.lifchitz@gmail.com #HES2010 8,9,10 April 2010 Paris, France Presenter's bio French computer security

644 views • 35 slides
Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp.

Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp.

Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp. 612613 Eli Biham - May 3, 2005 c 497 Secret Sharing (17) How to Keep a Secret Key Securely Information can be secured by encryption under a

597 views • 23 slides
Blind Elephant: Web Application Fingerprinting & Vulnerability Inferencing Patrick Thomas

Blind Elephant: Web Application Fingerprinting & Vulnerability Inferencing Patrick Thomas

Blind Elephant: Web Application Fingerprinting & Vulnerability Inferencing Patrick Thomas Qualys 7/28/10 Outline Web Apps & Security Existing Fingerprinting Approaches Static File Approach Observations From A Net Survey

832 views • 69 slides
set to take off at the secret is out! The Secret is out! This years Emmys gift bags will be the

set to take off at the secret is out! The Secret is out! This years Emmys gift bags will be the

set to take off at the secret is out! The Secret is out! This years Emmys gift bags will be the international launchpad of a new Australian owned moisturizer specifically formulated for airline passengers and cabin crew. Aviation

493 views • 3 slides
Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last time (n,t) secret-sharing (n,n) via additive secret-sharing Shamir secret-sharing for general (n,t) Shamir secret-sharing is a linear

611 views • 14 slides
TOP SECRET DEFENCE ESTATE & TOP SECRET INFRASTRUCTURE New Zealand Defence Industry

TOP SECRET DEFENCE ESTATE & TOP SECRET INFRASTRUCTURE New Zealand Defence Industry

TOP SECRET DEFENCE ESTATE & TOP SECRET INFRASTRUCTURE New Zealand Defence Industry Association Members Meeting 9 May 2018, Wellington UNCLASSIFIED 2 Estate Regeneration: Building DEI capability through an Alliance TOP SECRET

715 views • 17 slides
1 What makes something a secret? What is worth keeping secret? Should secrets be

1 What makes something a secret? What is worth keeping secret? Should secrets be

S E W OME N S B USINE SS : CRE T I NOUS R S , A NT OGY , AND T HE NDIGE IGHT HROPOL H INDMARSH I AND B RIDGE C ONT RSY SL ROVE 1 What makes something a secret? What is worth keeping secret? Should secrets be revealed?

260 views • 14 slides
Hot or Not: Fingerprinting hosts through clock skew ^ c = 95, min s ^ ( t ) = 0.11, max s ^ ( t

Hot or Not: Fingerprinting hosts through clock skew ^ c = 95, min s ^ ( t ) = 0.11, max s ^ ( t

Hot or Not: Fingerprinting hosts through clock skew ^ c = 95, min s ^ ( t ) = 0.11, max s ^ ( t ) = 0.22 ppm s 0 39.0

699 views • 38 slides
Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing

Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing

Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing your mind Sebastien Tricaud, Alexandre Dulaunoy March 10, 2012 Disclaimer Passive DNS is a technique to collect only valid answers from

772 views • 38 slides
Intrusion Detection Cyber Security Spring 2010 Reading material Chapter 25 from Computer

Intrusion Detection Cyber Security Spring 2010 Reading material Chapter 25 from Computer

Intrusion Detection Cyber Security Spring 2010 Reading material Chapter 25 from Computer Security, Matt Bishop Snort http://snort.org Distributed IDS DShield http://dshield.org Dark address space

590 views • 21 slides
Matthew Wright, PhD Director of the Center for Cybersecurity Professor of Computing Security

Matthew Wright, PhD Director of the Center for Cybersecurity Professor of Computing Security

http://www.rit.edu/cybersecurity Matthew Wright, PhD Director of the Center for Cybersecurity Professor of Computing Security Rochester Institute of Technology Center Mission Research Interdisciplinary Real-world Human-centered

838 views • 57 slides
Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan

Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan

Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan University of Twente | May 20, 2020 Lab assignment MUD descriptions: youll need to generate them yourselves, tools are available IoT

926 views • 38 slides
P ANDAcap A Framework for Streamlining Collection of Full-System Traces Manolis Stamatogiannakis

P ANDAcap A Framework for Streamlining Collection of Full-System Traces Manolis Stamatogiannakis

P ANDAcap A Framework for Streamlining Collection of Full-System Traces Manolis Stamatogiannakis , Herbert Bos, and Paul Groth April 27, 2020 EuroSec 2020 PANDAcap 1 In this Talk Motivation for this work Overview of

1.17k views • 35 slides
Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina

Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina

Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina Rente { jmfranco, frente } at dei.uc.pt Software and System Engineering Research Group FCT University of Coimbra Agenda Agenda

378 views • 16 slides
Secure and Private Smart Grid: The SPEAR Architecture Panagiotis Radoglou-Grammatikis

Secure and Private Smart Grid: The SPEAR Architecture Panagiotis Radoglou-Grammatikis

Secure and Private Smart Grid: The SPEAR Architecture Panagiotis Radoglou-Grammatikis University of Western Macedonia pradoglou@uowm.gr Nets Netsoft 2020 2020 Under SPEAR Project A u t h o r s UOWM TECNALIA TE SID SIDROCO CERTH

550 views • 20 slides

More recommend