Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных сетей. defcon-russia.ru

1. 802.11 tips and threats
@090h

2. 7iP5 Li57
1. Conditions: weather/time/other
2. Antenna inside and outside
3. HW
4. SW
5. RF
6. Channel plan(s)
7. “Good” news 4 everyone (CRDA, Syste.md)
8. TP-Link 722n as hamradio
9. 802.11 @ OS X
10. Some stupid phun if some time remains

3. Independent conditions
Weather:
•H2O + RF = ? Remember borsch in microwave.
•WWW - Wardriving/Warwalking/Warsitting 8). IT’S TiME TO HACK!!
•DFS*
Happy hours:
•WEP - anytime
•WPS - night
•WPA-Personal - evening
•WPA-Enterprise – 9:00 or when normal people come to the job? 8)
Other:
•Depends on your neighbors, interference, PRNG, ISP, etc..

4. Antenna types
• Omnidirectional
• Uda Yagi
• Panel
• Parabolic
• Sector

5. Omnidirectional antenna

6. Omnidirectional Antenna RF Gain Pattern

7. Uda Yagi
Use “Uda Yagi Calculator” 4 DIY*

8. Omnidirectional Antenna RF Gain Pattern

9. Hardware
• No silver bullet. TP-Link TL-WN722N best choice for beginner.
• WPS brute –> Alfa AWUS 036H
• Handshake capturing -> MIMO card. MAC80211+Ralink chips rule.
• Deauth => Any card with INJMON
• Wisipi = KARMA + custom soft => TP-Link: 3020, 3040, 3220, 4300
• WiFi Pineapple -> MARK IV, MARK V
• Google Nexus (Kali Nethunter compatible)
• INJMON_WITHOUT_EXTERNAL_CARD -> Nokia N900, N9

10. Software
• Kali, Kali Nethunter, BlackArch, ArchAssault
• kismet, horst,
• Aircrack-NG, Pyrit, cowpatty
• reaver-wps, WPSPIN.sh, wpscrack, Bully, pixie-wps, WPSIG
• Wifite (forked)
• KARMA, MANA, Hostapd-WPE
• https://github.com/0x90/wifi-arsenal
• https://github.com/0x90/wps-scripts
• WISPI http://semaraks.blogspot.ru
/2014/12/wispi-ver-11-for-tp-link-mr3020-mini.html

11. - RF?
- No… 8(
- 2.4GHz, 5GHz!

12. RF
• 700MHz – ITS in Japan
• 900 MHz (802.11ah) – US unlicensed
• 2.4 GHz (802.11b/g/n) – everyone uses @ home
• 3.6 GHz, 4.9GHz (802.11y) – US, Public Safety WLAN 50 MHz of spectrum
from 4940 MHz to 4990 MHz (WLAN channels 20–26) are in use by public
safety entities in the US.
• 5 GHz (802.11a/h/j/n/ac) – 802.11ac is what you should use @ home
• 5.9 GHz (802.11p) – Wireless Access in Vehicular Environments (WAVE),
ITS in EU
• 60 GHz (802.11ad) – WiGig. 7Gbit/s, 10m, beamforming, HDMI over WiFi

13. Channels, plans and the world.

14. 802.11b channel center frequency

15. 802.11b
• Channel 1
• Channel 6
• Channel 11
• Channel 14

16. 802.11g/n (20 MHz)
• Channel 1
• Channel 5
• Channel 9
• Channel 13

17. 802.11g/n (40 MHz)
• Channel 1+5 (Upper)
• Channel 5-1 (Lower)
• Channel 5+9 (Upper)
• Channel 9-5 (Lower)
• Channel 9+13 (Upper)
• Channel 13-9 (Lower)

18. 2.4GHz channel plan

19. 2.4GHz channel plan for US

20. Channel plans
Theory:
•US => 1,6,11
•WORLD => 1,5,9,13
IRL fcukups:
•wtf is channel plan?
•40MHz bandwith will give me more speed!
•More AP power will give me more speed!
•More antennas will give me more speed!

23. Interference indoor

24. Gr337z fly 2 JBFC

25. 5GHz around the world

26. Meanwhile in Russia
Также во исполнение протокольной записи к решению ГКРЧ от 19
августа 2009 г. № 09-04-09, ГКРЧ решила[16] (п.2):
Выделить полосы радиочастот 5150-5350 МГц и 5650-6425 МГц для
применения на территории Российской Федерации за
исключением городов, указанных в приложении № 2 [1], РЭС
фиксированного беспроводного доступа гражданами Российской
Федерации и российскими юридическими лицами без оформления
отдельных решений ГКРЧ для каждого физического или
юридического лица.
Brief: 802.11a/h/j/n channels: 36-64, 136-165.

27. 5GHz freedom? Depends on weather.
DFS.

29. Country limitations

30. HACKER = NO_LIMITS
• Patched wireless-db https://github.com/0x90/wireless-regdb
• Pathched CRDA https://github.com/0x90/crda-ct
• Install script https://github.com/0x90/kali-scripts

31. UDEV IFACE NAMING
• wlan0 -> wlp3s0
• mon0 -> wlp3s0mon
• wlan1 -> wlp0s20u9
• mon2 -> wlp0s29f7u2mon
• All mon0 based bash scripts fcuked up
• Lorcon + PyLorcon2 broken

32. ath9k low level
• http://blog.altermundi.net/article/playing-with-ath9k-spectral-scan/
• Ath9k/ath9k_htc open source driver, firmware
• FFT disable
• Channels: -19-
if ath9k.driver.has_sw_limits() && ’kernel patching’ in hacker.skills[]:
hacker.patch(ath9k.driver)
ath9k.channel = -5
ath9k.power = 30
ath9k.bandwith = 5

33. ath9k spectral scan
• Fluke Spectral Analyser = many $$$
• Atheros AR92XX, AR93XX chips support spectral scan (???)
• http://pages.cs.wisc.edu/~patro/htc_spectral/0003-Update-spectral-
scan-calls-to-support-both-ath9k-and.patch
• http://blog.altermundi.net/article/playing-with-ath9k-spectral-scan/

34. spectral scan plot

35. ath9k advanced
• echo "$bandwidth" >
/sys/kernel/debug/ieee80211/$phy/ath9k/chanbw
• ls /sys/kernel/debug/ieee80211/phy*/ath9k_htc/registers/
• ath9k_htc AP mode client fw limit
https://lists.ath9k.org/pipermail/ath9k-devel/2013-
April/010513.html
• echo '1' > /sys/kernel/debug/ieee80211/phy0/ath9k/disable_ani
• iw --debug dev wlan0 info

36. 802.11 hacking @ OS X
• No INJ, only RFMON => No sending deauth frames*
• Use reaver-wps, aircrack-ng, tcpdump from mac ports
• airport cmd with RFMON support
/System/Library/PrivateFrameworks/Apple80211.framework/Version
s/Current/Resources/airport
• Scapy patched for RFMON @ OSX https://github.com/0x90/scapy-osx
• WPSIK
• PrivateFrameworks: Apple80211, CoreWLAN, etc…
• Horst to be patched

37. 7HR3475
• PWN via MosMetro_Free
• WPS_FAST_PWN = pingen + pixie wps + fork(wifite, reaver)
• KARMA, MANA, HOSTAPD-WPE - pros and cons
• I’LL CALL YOU @ WPA2 PWD (greetings fly 2 d0znpp)

38. KARMA/MANA/ROGUE AP

39. KARMA vs MANA
KARMA
•Client->ProbeRequest ESSID=FreeWiFi
•ProbeReply ESSID=FreeWiFi BSSID=00:13:37…
•+ PineAP @ Mark V == beconizer by ESSID list
MANA
•PNL gathering (capture broadcast)
•Beacon Broadcast
•Hidden SSID

40. QUESTIONS? PWN’EM ALL!
@090h/root@0x90.ru
Code @
•http://github.com/0x90/
• http://github.com/dc7499