wi fi advanced stealth
play

Wi-Fi Advanced Stealth Laurent BUTTI and Franck VEYSSET hack.lu, - PowerPoint PPT Presentation

Mar 07, 2023 •247 likes •610 views

Wi-Fi Advanced Stealth Laurent BUTTI and Franck VEYSSET hack.lu, Luxembourg October 19-21, 2006 firstname[dot]lastname[AT]francetelecom[dot]com Who Are We? Network security geeks (?) in R&D labs Working for France Telecom -

  1. Wi-Fi Advanced Stealth Laurent BUTTI and Franck VEYSSET hack.lu, Luxembourg – October 19-21, 2006 firstname[dot]lastname[AT]francetelecom[dot]com

  2. Who Are We? Network security “geeks” (?) in R&D labs • Working for France Telecom - Orange (major telco) Speakers at security-focused conferences • ShmooCon, ToorCon, FIRST, Blackhat, Eurosec… Wi-Fi security focused speakers ;-) • “Wi-Fi Security: What’s Next” – ToorCon 2003 • “Design and Implementation of a Wireless IDS” – ToorCon 2004 and ShmooCon 2005 • “Wi-Fi Trickery, or How To Secure (?), Break (??) and Have Fun With Wi-Fi” – ShmooCon 2006 2 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  3. 2006… We released 3 new tools at ShmooCon 2006 • Raw Fake AP: an enhanced Fake AP tool using RAW injection for increased effectiveness • Raw Glue AP: a Virtual AP catching every client in a virtual quarantine area • Raw Covert: a tricky 802.11 covert channel using valid ACK frames We introduced other tools at BlackHat US 2006 Tricks to “hide” access points and stations (madwifi patches) • From scanners and wireless IDS Raw Covert v2: new implementation (python) and features All this stuff is available at • http://rfakeap.tuxfamily.org 3 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  4. Wi-Fi Stealth Tricks 4 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  5. 802.11 Havoc! Since a couple of years, some wireless drivers are much more “flexible” than Prism2/2.5/3 based… Full RAW injection capabilities (possible to modify some critical fields like fragmentation, sequence number, BSS Timestamp…) • Demonstrated by Raw Fake AP, Raw Glue AP and Raw Covert Tweaking the driver may also become attractive! Such drivers are Madwifi-{old|ng} for Atheros chipsets Prism54.org for Prism54 chipsets Realtek… New capabilities implies new risks to address… Especially for Wireless IDS vendors 5 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  6. (Two Ways To) Achieve Stealth… Possibilities are somewhat infinite… • We decided to show only two ways that can be extended Tweaks in 802.11 drivers to implement a new “proprietary” protocol over 802.11 bands • Madwifi patches Covert channel using 802.11 valid frames • Raw Covert (as a proof-of-concept) 6 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  7. Hiding Ourselves 7 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  8. Quick Reminder IEEE 802.11 standards define what 802.11 is – At PHY and MAC layers – Modulation, frequencies… – State machine, frame fields… – Security mechanisms To be Wi-Fi compliant, every implementation must comply with the 802.11 standard and be certified by the Wi-Fi Alliance certification process Usual stuff if you want to (officially) be interoperable… 8 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  9. Main Idea What would happen if you implement your own 802.11 stack?! – Stations that probe for APs will (probably) not see you… – Wireless sniffers will (probably) not understand you, requiring manual inspection… – Wireless IDS will (probably) not detect you… Quite stealthy, no? What about your own (undetectable) personal AP? – Sure the CSO won’t appreciate ☺ – Sure wardrivers won’t appreciate either (until now…) 9 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  10. Implementation Successfully tested on Atheros chipsets with a patched madwifi-ng driver – Patched stations and access points will be able to see and associate themselves (they speak the same language) – But non patched stations will not see patched access points, and thus cannot associate to them Test bed – Windows XP supplicant and NetStumbler – Wireless Tools ( iwlist ) with • hostap , (unpatched) madwifi-ng , ipw2100 , prism54 10 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  11. Live Demonstration First, we set up a “special” Access Point one laptop with a patched madwifi-ng in master mode Then we scan for this AP with unpatched madwifi-ng iwlist (active scan facilities under *nix) Kismet (passive scanner under *nix) Netsumbler (active scanner under Windows) Then, we use our “special” client (patched drivers) Tada… it works… 11 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  12. Design Details 12 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  13. WTF Is This? Trivial Tweaks! What about changing FC field? ;-) What about a protocol version of 1? ;-) 802.11 is protocol version 0 What about swapping types? Management (value 0) Control (value 1) Data (value 2) Reserved (value 3) What about swapping subtypes? Is this a Probe Request or a Probe Response? ;-) 13 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  14. Not So Trivial Tweaks Everything is possible… Make your own MAC protocol SoftMAC: A Flexible Wireless Research Platform http://systems.cs.colorado.edu/projects/softmac GNU Radio: The GNU Software Radio http://www.gnu.org/software/gnuradio/ Universal Software Radio Peripheral (USRP) 14 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  15. Proto Tweak (1<>0) Chipset Driver iwlist Netstumbler Prism54 Prism54 1.2 Not detected Not tested Prism2.5 Hostap 0.4.4 Not detected Not tested Atheros ar5212 Madwifi-ng r1527 Not detected Not tested Atheros ar5211 2.4.1.30 (win) Not detected Not detected Centrino 2100 Ipw2100 1.1.3 Not detected Not tested Atheros Madwifi-ng OK ! Not tested patched 15 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  16. About Kismet Kismet runs in monitor mode Will spot some of our patched Access Points …it depends on the tweak Depends also on firmware driver filtering in monitor mode Or will report high « Discrd » packets number ☺ 16 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  17. 17 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  18. Raw Covert 18 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  19. Raw Covert (1/4) Covert channel In information theory, a covert channel is a communications channel that does a writing-between-the-lines form of communication. Source: Wikipedia, the free encyclopedia Writing between-the-lines Use valid frames to carry additional information Valid frames could be management, control or data frames This tool is ‘only’ an example! Possibilities are infinite! 19 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  20. Raw Covert (2/4) With 802.11, this may be performed by many means Using a proprietary protocol within valid or invalid frames It gives infinite possibilities thanks to RAW injection (Some) 802.11 frames are not considered as ‘malicious’ Control frames like ACK are lightweight and non suspicious! • Frame control (16 bits) • Duration Field (16 bits) • Receiver Address (48 bits) (Usually) not analyzed by wireless IDS • No source nor BSSID addresses ;-) only a receiver@! (Some) 802.11 drivers do not give back ACK frames in monitor mode (operated in the firmware: e.g. HostAP) Increasing stealthyness 20 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  21. Raw Covert (3/4) How it works? A client encodes the information and sends ACKs over the air A server listens for ACKs and tries to decode the information Basically, it uses a magic number in receiver address 2 bytes Basically, it encodes the covert channel in receiver address E.g. 4 bytes Several ACK frames are needed to send information 21 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  22. Raw Covert (4/4) Issues ACK frames can be missed, wireless is not a reliable medium! ;-) Detection may be performed (only) with anomaly detection Enhancements Basic remote shell and file transfer Tun/tap interface � DONE Possible enhancements for the covert channel Using invalid frames Using Information Elements in 802.11 frames (but could be easily detected) Using existing communications (clients and access points) 22 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  23. Raw Covert Enhancements (1/2) Invalid frames (in the 802.11 sense, i.e. proprietary frames) But would (?) be detected by any wireless IDS performing sanity check on every frame FCS invalid frames Should require driver/firmware modifications to inject bad FCS Wireless IDSs do not analyze such bad frames But should be detected with FCSerr statistics (even if harder to diagnose as a covert channel) 23 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  24. Raw Covert Enhancements (2/2) Invalid FCS monitoring Usually a bit is set by the firmware when a FCS is invalid Most drivers discard packets with bad FCS thanks to this information • HAL_RXERR_CRC for madwifi • rfmon_header->flags & 0x01 for prism54 HostAP driver has a facility • prism2_param interface monitor_allow_fcserr 1 24 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  25. Live Demonstration Live demo! Did you detect it? ;-) 25 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

  26. 26 Wi-Fi Advanced Stealth/October 2006/Butti-Veysset France Telecom Group

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mnica INESC-ID/IST

Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mnica INESC-ID/IST

Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mnica INESC-ID/IST diogo.monica@ist.utl.pt Thursday, August 29, 13 Summary Motivation Problem statement Stealth C&amp;C using browsers Final remarks

606 views • 32 slides
Stealth Peptides Leading Mitochondrial Therapeutics Mitochondria Origin Mitochondria primer

Stealth Peptides Leading Mitochondrial Therapeutics Mitochondria Origin Mitochondria primer

Stealth Peptides Leading Mitochondrial Therapeutics Mitochondria Origin Mitochondria primer Origins of mitochondria o Prokaryotic cells including bacteria o Eukaryotic cells Slide 2 Stealth Peptides Mitochondria Function

256 views • 15 slides
The he ste stealth alth dish dish Mario Ar Arma mando Natali, I0NAA AA

The he ste stealth alth dish dish Mario Ar Arma mando Natali, I0NAA AA

The he ste stealth alth dish dish Mario Ar Arma mando Natali, I0NAA AA mario.natali@gmail.com ARI ARI Perugia EME Conference 2016, Venice Impedimentum pro occasione arripere Mario Armando Natali , I0NAA The stealt he stealth h dish

607 views • 19 slides
Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info Malware Forensics and Incident Response Anti-Forensics Executables Stealth Techniques Live System Anti-Forensics Process

907 views • 76 slides
HexPADS: a platform to detect stealth attacks Mathias Payer (@gannimo), Purdue University

HexPADS: a platform to detect stealth attacks Mathias Payer (@gannimo), Purdue University

HexPADS: a platform to detect stealth attacks Mathias Payer (@gannimo), Purdue University http://hexhive.github.io Deployed defenses focus on memory corruption (c) AP Photo/RIA Novosti, Alexei Druzhinin, Government Press Service (c)

317 views • 18 slides
Shannon-type Inequalities, Submodular Width, and Disjunctive Datalog Hung Q. Ngo (Stealth Mode)

Shannon-type Inequalities, Submodular Width, and Disjunctive Datalog Hung Q. Ngo (Stealth Mode)

Shannon-type Inequalities, Submodular Width, and Disjunctive Datalog Hung Q. Ngo (Stealth Mode) With Mahmoud Abo Khamis and Dan Suciu @ PODS 2017 Table of Contents Connecting the Dots Output Size Bounds and Information Theory Shannon-flow

2.22k views • 190 slides
Non-Perturbative Collider Phenomenology of Stealth Dark Matter Ethan T. Neil (CU Boulder/RIKEN

Non-Perturbative Collider Phenomenology of Stealth Dark Matter Ethan T. Neil (CU Boulder/RIKEN

Non-Perturbative Collider Phenomenology of Stealth Dark Matter Ethan T. Neil (CU Boulder/RIKEN BNL) for the LSD Collaboration USQCD All Hands Meeting May 1, 2015 L attice S trong D ynamics Collaboration Xiao-Yong Jin Joe Kiskis James Osborn

408 views • 24 slides
Aim Higher Aim Higher with with Tony Monetti Tony Monetti It started with a dream Mom

Aim Higher Aim Higher with with Tony Monetti Tony Monetti It started with a dream Mom

Aim Higher Aim Higher with with Tony Monetti Tony Monetti It started with a dream Mom and Dad taking me for a ride LEADERSHIP IN ACTION VALUES BASED Game Changer UCM APPLY STEALTH APPLY STEALTH CORE VALUES Personal Integrity

415 views • 18 slides
Stealth Communication with Vanishing Power over Binary Symmetric Channels Diego Lentner, Gerhard

Stealth Communication with Vanishing Power over Binary Symmetric Channels Diego Lentner, Gerhard

Stealth Communication with Vanishing Power over Binary Symmetric Channels Diego Lentner, Gerhard Kramer Technical University of Munich Institute for Communications Engineering ISIT 2020 Covert Communication Covert Communication vs. Secrecy:

269 views • 16 slides
A VHF AND UHF STEALTH ANTENNA SYSTEM FOR THOSE WHO LIVE IN HOAS HOA S (AND IF YOU LIKE YOUR

A VHF AND UHF STEALTH ANTENNA SYSTEM FOR THOSE WHO LIVE IN HOAS HOA S (AND IF YOU LIKE YOUR

A VHF AND UHF STEALTH ANTENNA SYSTEM FOR THOSE WHO LIVE IN HOAS HOA S (AND IF YOU LIKE YOUR SATELLITE SERVICE YOU CAN KEEP YOUR SATELLITE SERVICE YOU CAN KEEP YOUR SATELLITE SERVICE) By N5CEY 30 April 2016 March 2016 issue of QST had

662 views • 32 slides
IMPACTFUL PROGRAMS-- SELF-DIRECTED LEARNING A Program WHAT? Definition Value Goals and

IMPACTFUL PROGRAMS-- SELF-DIRECTED LEARNING A Program WHAT? Definition Value Goals and

IMPACTFUL PROGRAMS-- SELF-DIRECTED LEARNING A Program WHAT? Definition Value Goals and Purpose Success Passive/Stealth/DIY/Pop-UP/ Self- Directed What's in a NAME? STEALTH / PASSIVE / POP-UP / DIY / SELF-DIRECTED 75% OF THE WORK IS

357 views • 25 slides
Who Am I?

Who Am I?

2/23/2012 HTML5 Top 10 Threats Stealth Attacks and Silent Exploits Shreeraj Shah

681 views • 46 slides
Dividend Growth A Stealth Growth Strategy Using High- Yield Stocks Tim Plaehn Editor

Dividend Growth A Stealth Growth Strategy Using High- Yield Stocks Tim Plaehn Editor

Dividend Growth A Stealth Growth Strategy Using High- Yield Stocks Tim Plaehn Editor Automatic Income Machine Text the word Tim to 213-516-9803 for a copy of this presentation. Text the word Tim to 213-516-9803 for a copy of this

767 views • 28 slides
The Viator Series UAS Viator Products ALL COMPOSITE STEALTH FLYING WING 1 The Viator

The Viator Series UAS Viator Products ALL COMPOSITE STEALTH FLYING WING 1 The Viator

The Viator Series UAS Viator Products ALL COMPOSITE STEALTH FLYING WING 1 The Viator Series UAS The Viator Series The Viator Series is our new UAS family Viator is a flying wing and command &amp; control system of our own design

347 views • 14 slides
INTEL AMT. STEALTH BREAKTHROUGH Dmitriy Evdokimov, CTO Embedi Alexander Ermolov, Security

INTEL AMT. STEALTH BREAKTHROUGH Dmitriy Evdokimov, CTO Embedi Alexander Ermolov, Security

INTEL AMT. STEALTH BREAKTHROUGH Dmitriy Evdokimov, CTO Embedi Alexander Ermolov, Security researcher Embedi Maksim Malyutin, Security researcher Embedi About us Dmitriy Evdokimov CTO of Embedi d.evdokimov@embedi.com @evdokimovds Alexander

628 views • 59 slides
Advanced Nutrition Course Advanced Nutrition Course 6 Week Advanced Nutrition Live Online

Advanced Nutrition Course Advanced Nutrition Course 6 Week Advanced Nutrition Live Online

Advanced Nutrition Course Advanced Nutrition Course 6 Week Advanced Nutrition Live Online Training Course Week 5: Mind Body Connection Advanced Nutrition Course Advanced Nutrition Course Week 3 Recap Understanding emotions

670 views • 15 slides
on Precise Realtime Software Access and Control of Wired Networks Ki Suh Lee, Han Wang, Hakim

on Precise Realtime Software Access and Control of Wired Networks Ki Suh Lee, Han Wang, Hakim

Forensics in the SoNIC Project on Precise Realtime Software Access and Control of Wired Networks Ki Suh Lee, Han Wang, Hakim Weatherspoon Cornell University International Workshop on Trustworthiness, Accountability, and Forensics in the Cloud

693 views • 31 slides
COMPGA11: Research in Information Security Steven Murdoch University College London based

COMPGA11: Research in Information Security Steven Murdoch University College London based

COMPGA11: Research in Information Security Steven Murdoch University College London based on a course by Tony Morton Term 2 2014/15 Course summary To develop an understanding of what research in information security is about,

460 views • 24 slides
ARM Platform NAIWEI LIU, WANYU ZANG, MENG YU, RAVI SANDHU UTSA ICS LAB; ROOSEVELT UNIVERSITY

ARM Platform NAIWEI LIU, WANYU ZANG, MENG YU, RAVI SANDHU UTSA ICS LAB; ROOSEVELT UNIVERSITY

On the Cost-Effectiveness of TrustZone Defense on ARM Platform NAIWEI LIU, WANYU ZANG, MENG YU, RAVI SANDHU UTSA ICS LAB; ROOSEVELT UNIVERSITY Contents Abstract and Introduction Related Work Cache-Based Security Threats and Attack

618 views • 25 slides
New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng

New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng

New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng Zhang, Aslan Askarov) Timing channels e adversary can learn (a lot) from timing measurements. Known to exist Hard to detect Hard to prevent

639 views • 40 slides
Static Analysis of Security Properties by Abstract Interpretation cole normale suprieure,

Static Analysis of Security Properties by Abstract Interpretation cole normale suprieure,

Static Analysis of Security Properties by Abstract Interpretation cole normale suprieure, quipe Abstraction Mehdi Bouaziz Friday, May 11 2012 Static Analysis of Security Properties by Abstract Interpretation Mehdi Bouaziz, cole normale

839 views • 29 slides
Comprehensive Primary Care Program Participation in Oregon August 25, 2020 Lisa Miller, MPH,

Comprehensive Primary Care Program Participation in Oregon August 25, 2020 Lisa Miller, MPH,

Analyzing the Impact of Comprehensive Primary Care Program Participation in Oregon August 25, 2020 Lisa Miller, MPH, CPH, CPHQ LMiller@Comagine.org Comagine Health, formerly Oregon Health Care Quality Corporation, Qualis Health and

393 views • 15 slides
Crime, Policing and Citizenship (CPC) - Space-Time Interactions of Dynamic Network Tao

Crime, Policing and Citizenship (CPC) - Space-Time Interactions of Dynamic Network Tao

Crime, Policing and Citizenship (CPC) - Space-Time Interactions of Dynamic Network Tao Cheng + CPC Team {tao.cheng@ucl.ac.uk} Department of Civil, Environmental &amp; Geoma@c

610 views • 14 slides
Consequence relations old and new Workshop Proofs Paris, 1 June, 2017 Rosalie Iemhoff

Consequence relations old and new Workshop Proofs Paris, 1 June, 2017 Rosalie Iemhoff

Consequence relations old and new Workshop Proofs Paris, 1 June, 2017 Rosalie Iemhoff Utrecht University 1 / 25 Logics A logic L can be given via semantics (algebras, Kripke models, valuations, . . . ), proof systems (sequent

566 views • 25 slides

More recommend