Wi-Fi Advanced Fuzzing. Laurent BUTTI, France Télécom / Orange Division R&D. BlackHat EU 2007. PowerPoint PPT presentation (slide transcript).


  1. Wi-Fi Advanced Fuzzing – Laurent BUTTI – France Télécom / Orange Division R&D – firstname dot lastname at orange-ftgroup dot com – research & development

  2. Forewords – Wi-Fi Fuzzing / BlackHat EU 2007 / Laurent Butti – France Telecom Group research & development

  3. Who Am I?
     - Network security expert at R&D labs
     - Working for France Telecom – Orange (a major telco)
     - Speaker at security-focused conferences
       • ToorCon, ShmooCon, FIRST, BlackHat US, hack.lu …
     - Wi-Fi security centric ;-)
       • “Wi-Fi Security: What’s Next” – ToorCon 2003
       • “Design and Implementation of a Wireless IDS” – ToorCon 2004 and ShmooCon 2005
       • “Wi-Fi Trickery, or How To Secure (?), Break (??) and Have Fun With Wi-Fi” – ShmooCon 2006
       • “Wi-Fi Advanced Stealth” – BlackHat US 2006 and Hack.LU 2006 (with some words also on 802.11 fuzzing…)

  4. Released (Some) Tools
     - Last year we released new tools and techniques
       • Raw Fake AP: an enhanced fake AP tool using RAW injection for increased effectiveness
       • Raw Glue AP: a virtual AP catching every client in a virtual quarantine area
       • Raw Covert: a tricky 802.11 covert channel using valid ACK frames
       • Advanced Stealth Patches: madwifi patches to achieve stealth at low cost (tricks to hide yourself from scanners and wireless IDSes)
     - All this stuff is available at http://rfakeap.tuxfamily.org

  5. Agenda
     - 802.11 overview
     - What is fuzzing?
     - Design and implementation of a 802.11 fuzzer
     - (Some) discovered vulnerabilities
     - A real-world example: the madwifi vulnerability
     - Final words and demonstrations

  6. Overview
     - A new vulnerability will be disclosed
     - The “fuzzing tool” will not be released today, but some 802.11 fuzzing scripts will be described
     - Will demystify 802.11 driver vulnerabilities
     - Talk focused on vulnerability discovery, not exploitation
     - If Murphy’s law is wrong, some (working) demonstrations ;-)

  7. Introduction

  8. What We Were Aware of…
     - Wi-Fi weakens the enterprise’s perimeter security
       • Weak Wi-Fi network infrastructures (open, WEP, misconfigured WPA)
       • Rogue or misconfigured access points (open access points)
     - But it also weakens clients’ security
       • Rogue access points in public zones (conferences, hot spots…)
       • Fake access points attacking clients (automagically) [KARMA]
       • Traffic injection into clients’ communications [AIRPWN, WIFITAP]
     - Unfortunately all these issues are hard to detect
       • Without specific tools (wireless IDS…)

  9. What We Guessed…
     - Implementation bugs in 802.11 drivers
       • Developed in C
       • Numerous chipsets
       • Numerous developers
       • Heterogeneous implementations regarding security (the equipment manufacturers’, not the chipsets’)
       • Obsolete driver packages
     - Promising implementation bugs!
       • Potential arbitrary ring0 (kernel) code execution, bypassing all classic security mechanisms: AV, PFW, HIPS…
       • Remotely triggerable within the victim’s radio coverage; the victim need not even be associated to a rogue access point!
     - Quite cool, no?!? ☺

  10. What Happened…
     - First public announcement at BlackHat US 2006: Johnny Cache and David Maynor presentation [DEVICEDRIVERS]
     - Month of Kernel Bugs, November 2006 [MOKB]
       • Apple Airport 802.11 Probe Response Kernel Memory Corruption (OS X)
       • Broadcom Wireless Driver Probe Response SSID Overflow (Windows)
       • D-Link DWL-G132 Wireless Driver Beacon Rates Overflow (Windows)
       • NetGear WG111v2 Wireless Driver Long Beacon Overflow (Windows)
       • NetGear MA521 Wireless Driver Long Rates Overflow (Windows) (*)
       • NetGear WG311v1 Wireless Driver Long SSID Overflow (Windows) (*)
       • Apple Airport Extreme Beacon Frame Denial of Service (OS X)
     - But also under Linux
       • Madwifi stack-based overflow (*): potentially all recent unpatched Linux distributions running on an Atheros chipset
     - (*) found by our fuzzer

  11. Potential Targets?
     - Nowadays Wi-Fi technologies are ubiquitous!
       • All recent laptops
       • Most enterprises are equipped with Wi-Fi devices
       • More and more home boxes (DSL gateways…)
       • More and more cellular phones (VoIPoWLAN)
       • Video gaming consoles, digital cameras, printers…
     - But protection / analyser mechanisms may be vulnerable too
       • e.g. wireless IDS/IPS, sniffers (tcpdump)…
     - So many (potentially) vulnerable Wi-Fi implementations! ☺

  12. 802.11 Station Attack Overview
     [Diagram: a Vulnerable Phone, a Vulnerable Laptop and a Vulnerable PDA each send an Active Scan (probe requests); the Attacker answers each with a Probe Response (or Beacon) carrying Exploit + Shellcode]
     - 802.11 exploits, a.k.a. 0wn3d by a 802.11 frame! ;-)

  13. Observations
     - Device drivers are potentially less audited than mainline kernels (Windows, Linux)
     - If so, 802.11 drivers may be remotely exploitable with ring0 privileges, within radio coverage of the victim
     - Most chipset manufacturers were hit by implementation bugs
       • Atheros, Intel, Broadcom, Realtek, Orinoco…
     - Preventing exploitation means
       • Updating the driver (if a patched driver is available!)
       • Switching off the wireless radio (or removing the wireless NIC)

  14. 1st Step: Finding These Vulnerabilities!
     - Closed source drivers
       • Black box testing
       • Reverse engineering
     - Open source drivers
       • Black / white box testing
       • Source code auditing
     - Reverse engineering drivers is time consuming, especially when you have no clue where to look…
     - Source code auditing is only possible if source code is available!
     - Black box testing may be useful in both cases…

  15. 802.11 Fuzzing?

  16. Fuzzing? (1/2)
     - Really hard to define…
       • The security community / industry loves this kind of hyped / buzzed word! ;-)
     - Some definitions
       • Fuzz Testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed or semi-malformed data injection in an automated fashion. [OWASP]
       • Fuzz testing or fuzzing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data ("fuzz"). If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct. [WIKIPEDIA]
     - Common part: a software testing technique that consists in finding implementation bugs
       • 1st definition: with malformed or semi-malformed data injection
       • 2nd definition: with random data

  17. Fuzzing? (2/2)
     - Fuzzing is by far one of the best price / earning ratios ;-)
       • Reverse engineering loads of drivers is costly and boring
       • Implementing a basic fuzzer may be low cost
     - The implementation bugs discovered will thus be the most obvious ones
     - But fuzzing will (probably) not help you find ‘complex’ bugs, simply because all testing possibilities cannot be exercised, due to
       • Lack of time versus the number of test possibilities
       • Protocol specificities (states)
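The bug classes listed on slide 10 (long SSID, long rates, long beacon) and the “malformed or semi-malformed data” of slide 16’s definition, as an added example that is not from the talk or from the author’s fuzzer: a pure-Python builder for the kind of Beacon frames a 802.11 fuzzer injects, and the bounds-checked information-element (IE) walk a driver must perform before copying anything out of a frame. The BSSID, the sample SSID and the per-element limits are constructed here; the block only builds bytes and never transmits (sending them would need a raw-injection-capable driver, as with the author's Raw Fake AP), and the `triage` harness stands in for watching a real target crash.

```python
# Added example, not code from the talk or from the author's fuzzer. Builds 802.11
# Beacon frames carrying the malformed information elements (IEs) behind slide 10's
# driver bugs, and walks them with the bounds checks a driver needs.
import struct

IE_SSID = 0            # element IDs from the 802.11 standard
IE_RATES = 1
IE_VENDOR = 221
MGMT_HDR_LEN = 24      # 802.11 management frame header
BEACON_FIXED_LEN = 12  # timestamp(8) + beacon interval(2) + capability(2)
MAX_BODY_LEN = 2304    # 802.11 MSDU limit, used here as the frame-body bound
MAX_IE_LEN = {IE_SSID: 32, IE_RATES: 8}  # per-element body limits from the standard

# Constructed addresses: a locally administered BSSID and the broadcast destination.
BSSID = bytes.fromhex("020000000001")
BROADCAST = b"\xff" * 6


def ie(eid, body, length=None):
    """Encode one TLV element. `length` may be forced so the length byte lies
    about the body (the 'semi-malformed' case: header intact, value wrong)."""
    return bytes([eid, len(body) if length is None else length]) + body


def beacon(ssid_ie, rates_ie, extra=b""):
    """Minimal Beacon: MAC header, fixed fields, then the caller's IEs."""
    frame_control = 0x0080  # type=management, subtype=beacon (little-endian on air)
    header = struct.pack("<HH6s6s6sH", frame_control, 0, BROADCAST, BSSID, BSSID, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0001)  # timestamp, interval (TU), ESS capability
    return header + fixed + ssid_ie + rates_ie + extra


def fuzz_cases():
    """Named test frames: one valid, then the bug classes named on slide 10.
    A real fuzzer iterates lengths and byte values; these are the boundary cases."""
    rates = bytes([0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mb/s, all marked basic
    return {
        "valid": beacon(ie(IE_SSID, b"fuzz"), ie(IE_RATES, rates)),
        # SSID body of 255 bytes: a driver that copies it into a 32-byte buffer
        # on the strength of the length byte overflows that buffer.
        "long_ssid": beacon(ie(IE_SSID, b"A" * 255), ie(IE_RATES, rates)),
        # 255 rate entries where the element holds at most 8.
        "long_rates": beacon(ie(IE_SSID, b"fuzz"), ie(IE_RATES, b"\x82" * 255)),
        # Length byte claims 200 body bytes where only 10 bytes remain: an over-read.
        "truncated_ie": beacon(ie(IE_SSID, b"fuzz", length=200), ie(IE_RATES, rates)),
        # Frame body past the MSDU limit, via ten 250-byte vendor-specific elements.
        "long_beacon": beacon(ie(IE_SSID, b"fuzz"), ie(IE_RATES, rates),
                              extra=b"".join(ie(IE_VENDOR, b"\x00" * 250) for _ in range(10))),
    }


def parse_ies(frame):
    """Bounds-checked IE walk over a Beacon. Returns (True, [(eid, body), ...]) or
    (False, reason). Every length is checked against the bytes actually present
    and against the per-element limit before the body is touched."""
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN:
        return False, "frame shorter than header plus fixed fields"
    body = frame[MGMT_HDR_LEN:]
    if len(body) > MAX_BODY_LEN:
        return False, f"frame body {len(body)} exceeds {MAX_BODY_LEN}"
    elems = body[BEACON_FIXED_LEN:]
    ies, off = [], 0
    while off < len(elems):
        if off + 2 > len(elems):
            return False, f"dangling IE header at offset {off}"
        eid, ln = elems[off], elems[off + 1]
        if off + 2 + ln > len(elems):
            return False, f"IE {eid} length {ln} runs past end of frame"
        limit = MAX_IE_LEN.get(eid)
        if limit is not None and ln > limit:
            return False, f"IE {eid} length {ln} exceeds limit {limit}"
        ies.append((eid, bytes(elems[off + 2:off + 2 + ln])))
        off += 2 + ln
    return True, ies


def triage(cases):
    """Run each frame through the parser; a fuzzer's harness would instead watch
    the target for crashes. Returns {name: verdict string}."""
    results = {}
    for name, frame in cases.items():
        ok, detail = parse_ies(frame)
        results[name] = "accepted" if ok else "rejected: " + detail
    return results


if __name__ == "__main__":
    for name, verdict in triage(fuzz_cases()).items():
        print(f"{name:13s} {verdict}")
```

The checks in `parse_ies` are the ones the slide-10 drivers skipped: the length byte is only a claim, so it is compared with the bytes remaining in the frame and with the element's maximum before any copy, and the whole body is capped. The same `ie(..., length=...)` knob is how a fuzzer produces the "semi-malformed" variants (a well-formed header with a lying length), which slide 16 distinguishes from purely random input.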

  18. Some Fuzzing Successes
     - Month of Browser Bugs and Month of Kernel Bugs
       • Most vulnerabilities discovered thanks to fuzzing techniques
       • Take a look at LMH’s fsfuzzer [FSFUZZER]: really basic but _so_ effective! ☺
     - Some open source fuzzers
       • SPIKE (Immunity): multi-purpose fuzzer [SPIKE]
       • PROTOS suite (Oulu University): SIP, SNMP… [PROTOS]
     - An extensive list of fuzzers is available at http://www.infosecinstitute.com/blog/2005/12/fuzzers-ultimate-list.html
