Episode358

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Episode Media

MP3 pt1

MP3 pt2

Announcements

Paul's Security Weekly - Episode 358 for Thursday January 16th, 2014

  • I will, reluctantly, be attending RSA this year as a booth babe. Any requests for outfits are appreciated, send them to me on Twitter @securityweekly using #whattowearatRSA2014
  • The Offensive Countermeasures Hack Lab at the Mid-Atlantic CCDC conference in 2014, and sticking around to MC the event and do a live Podcast!
  • I'm also slated to speak at the Charlotte ISSA conference in 2014 and the NOLA conference in New Orleans in June
  • Security Weekly will be at the SANS ICS Summit from March 12-18th, doing a live podcast on Sunday night, covering the courses and attending the 2-day summit. Security Weekly subscribers can now enjoy a 20% off discount code! Use SecurityWeekly20 on checkout to get that discount applied. This conference will be held in Orlando at the Contemporary Resort & Convention Center in sunny Orlando, FL REGISTER NOW!
  • We are looking for sponsors for our weekly webcasts and shows. Contact paul -at- hacknaked.tv for details, there are still a few slots available!

Guest Interview: Peter Van Eeckhoutte

Biography:

Founder of http://www.corelan.be and Corelan Team, author of exploit writing tutorial series and several free tools. Started working in IT and Security in 1995 and Current works as a CISO.

  • Tell us about your class at DerbyCon. What can students expect from the class?
  • You mention that just being able to execute "calc.exe" on a target machine doesn't really mean anything. What in your opinion, truly shows an entity that they are vulnerable?
  • Tell us about some of your steps in exploit development and explain the differences and perhaps advantages of static vs. dynamic analysis
  • What in your opinion is a basic skill or competency that most exploit development writers need to work on further? Are there any skills or technologies you still struggle with today?
  • What do you think about exploit sales or the "No More Free Bugs" movements? Should it be a moral issue or purely economic? Does the infosec community have any responsibility on the sale of exploits?
  • Considering the Corelan team sits on what might be considered true 0-days, what are your thoughts on the type of backdoors that the NSA has put on machines, especially, the allegation that they intercept new systems in transit?
  • What's the Corelan team process for bug reporting? Are companies generally thankful that you point out a problem to them? Have you ever been threatened for reporting a bug?
  • What's your advice for people getting into the exploit development field today?
  • What's your favorite tool that Corelan has released or has worked on?
  • Tell us about your work on mona.py




Five Questions

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of Ass Grabby Grabby do you prefer to go first or second?
  5. Stranded in a desert island, which tablet would you bring along: a) iPad b) Surface c) Android d) All of the above e) None of the above?

Special Guest: Joel Yonts

  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Thursday nights at 9:00PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, its an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!

Biography:

Joel is a seasoned security executive with a passion for information security research. He has over 20 years of diverse Information Technology experience with an emphasis in Information Security. Joel is currently the Chief Information Security Officer for Advanced Auto Parts and maintains a blog at http://www.malicious-streams.com/ .

Tech Segment: Joff Thyer Crafting 802.11 Packets with Scapy

  • Larry teaching SANS classes: Check out his SANS page for the details" 617 in Orlando in March, Also 571 at RSA
  • SEC504 in Mentor format in Downtown Boston coming up in April! Use the discount code "SecOrg" when registering for 10% off the class. Register at http://tinyurl.com/SEC504-Boston Email mike@hacknaked.tv for more info or for a special discount code if you prefer to get the GCIH attempt for free instead.




802.11 Packet Injection with SCAPY

Author: Joff Thyer

January 2014


Why perform 802.11 packet injection?

  • R&D on potential vulnerabilities
  • Stand up fake AP by beaconing an SSID string
  • Perform targeted de-auth attacks to capture WPA key exchanges
  • Inject DHCP traffic to exhaust IP leases
  • Launch custom attacks
  • Perform active defense!
  • Much more…

What is SCAPY

  • Scapy is a python based packet manipulation tool
  • Can construct, send, receive, and decode packets across a wide range of protocols
  • Almost every conceivable packet header field is revealed
  • Custom frames can be sent at layer 2 or layer 3
  • Packets are designed using intuitive OSI layer syntax
  • Can be used in a Python script or interactively!


Simple Interactive Scapy Example

Scapy Joff 1.png

802.11 Frame Types

  • Josh Wright has a great pocket reference http://www.willhackforsushi.com/papers/80211_Pocket_Reference_Guide.pdf
  • Frame types we might want to send
    • Type=0: 802.11 Management Frame
    • Beacon frames (subtype=8)
    • Probe request (subtype=4)
    • Association Req (subtype=0)
    • Authentication (subtype=11)
    • De-Auth (subtype=12)
  • Type=1: 802.11 Control Frames
    • Request-To-Send (subtype=27)
    • Clear-To-Send (subtype=28)
  • Type=2: 802.11 Data Frames
    • Data (subtype=32)
    • QoS Data (subtype=40)
    • IP packets, ARP packets, TCP, UDP, ICMP etc..

Before coding anything…

  • Get a wireless NIC that works well with Linux and monitor mode.
    • Wireless monitor mode is required to sniff and packet inject
    • USB NICS I have used:
      • Alfa AWUS036NHA (Atheros UB91C)
      • Alfa AWUS036NHR (Realtek chipset)
        • Read online about monitor mode, packet injection and NICs/drivers that support it.
  • Learn how to create a monitor mode interface
    • airmon-ng start wlan0 (create interface mon0)
    • tcpdump –nnvv –i mon0 (check it)
  • Another method is using linux ‘iw’ command
    • iw dev wlan0 interface add mon0 type monitor
    • ifconfig mon0 up
  • You can set channels with ‘iwconfig’
    • iwconfig wlan0 channel 11
  • Wireshark
    • Install, sniff wireless monitor interface
  • Watch 802.11 frames and learn
    • Useful display filters
      • Management frames: wlan.fc.type == 0
      • Data frames: wlan.fc.type == 2
    • LOTS of activity surrounding management frames, particularly ‘beacons’.

802.11 Data Frame

  • Headers seen in data frame
    • RadioTap
    • 802.11 Header
      • Type/subtype
      • addr1, addr2, addr3, addr4
    • Logical Link Control (LLC)
    • IP Header
    • TCP Header

Sample code: 802.11 beacon

 #!/usr/bin/env python

from scapy.all import *

srcmac = ‘00:00:de:ad:be:ef’
dstmac = ‘ff:ff:ff:ff:ff:ff’
bssid = ‘00:11:22:33:44:55’

# short preamble, not wpa/wep, short timeslot
beacon = Dot11Beacon(cap=0x2104)
ssid   = Dot11Elt(ID="SSID",info=“AAAAAAAA”)
rates  = Dot11Elt(ID="Rates",info=“\x82\x84\x8b\x96\x24\x30\x48\x6c”)
dsset  = Dot11Elt(ID="DSset",info=“\x03”)
tim    = Dot11Elt(ID="TIM",info=“\x00\x01\x00\x00”) #no buffered traffic

pkt = RadioTap() \
    /Dot11(type=0,subtype=8,addr1=dst

Sample code: ICMP echo req

#!/usr/bin/env python

from scapy.all import *

bssid = ‘00:11:22:33:44:55’
srcmac = ‘00:00:de:ad:be:ef’
dstmac = ‘00:22:22:22:22:22’  #normally ARP for this
srcip = ‘10.1.1.99’
dstip = ‘10.1.1.1’

dot11hdr = Dot11(FCfield='to-DS',type=0x02, \
    subtype=0x20,addr1=bssid,addr2=srcmac,addr3=dstmac)

ipicmphdr = LLC()/SNAP()  \
   /IP(src=srcip,dst=dstip) \
   /ICMP(type=8,code=0,id=0xaa,seq=1) \
   /’0123456789abcdefghijk’

pkt = RadioTap()/dot11hdr/ipicmphdr

try:
    sendp(pkt,iface=“wlan0mon”,count=1,verbose=0)

Packet addressing in 802.11 header

  • Distribution System (DS) bits determine address interpretation
    • To-DS=0, From-DS=0: Frame stays within IBSS (airspace only)
      • addr1=dest, addr2=source, addr3=bssid
    • To-DS=1, From-DS=0: Frame sent to the AP and bridged to the DS (infrastructure)
      • addr1=bssid, addr2=source, addr3=dest
    • To-DS=0, From-DS=1: Frame received from the AP, and bridged from the DS (infrastructure)
      • addr1=dest, addr2=bssid, addr3=source
    • To-DS=1, From-DS=1: Frame bridged via Wireless Distribution System (WDS)
      • addr1=receiver addr, addr2=transmitter addr, addr3=dest, addr4=source

Scapy Joff 2.png


Receiving traffic

  • Sniffing is the best option.
  • We can use detailed filters while sniffing
p = sniff(lfilter=lambda x: \
  x.haslayer(UDP) and \
  x.dport == 68, \
  store=1,count=1,timeout=1)

  • ‘p’ contains results, or we can use a callback function with the ‘prn=funcname()’ param to sniff().
  • REMEMBER!! ‘DS-From=1’ now which implies certain ordering for addr1, addr2, addr3.

Lessons learned

  • Frames are constructed/sent at layer2
    • This means using the sendp() family of scapy functions
    • You must set the outbound interface
      • conf.iface=‘wlan0mon’
      • Pay attention to DS-From/DS-To
  • For layer 3 traffic you must ARP, and maintain your own ARP cache.
    • Might be possible to use scapy arping() command.
  • Control frames within 802.11 timing allowances are not easy.
    • Trying to perform an association by packet injection required responding to an association reply with an 802.11 ACK
      • I could not do this fast enough in scapy!
      • Result: Retries from AP, and timeouts.

References

Stories

Paul's Stories

  1. The Internet of Things Is Wildly Insecure — And Often Unpatchable | Wired Opinion | Wired.com - Wow, I can't even tell you how much I agree with the big B on this one. Its like he watched my talk from a few years ago, and wrote an article on it, except he's smart and doesn't need my material. Lots of great points here, economics, software engineering, price, marketing, consumerization, ease-of-use, upgradability. It seems in the race to build the most ubiquitous, cheapest, smallest, fastest, lightest, more feature rich device on the planet, one often leaves out security. Interesting...
  2. WordPress Plugins Exploitation Through the Big Data Prism - The Akamai Blog
  3. "A First Look at the Target Intrusion
  4. 2013 Toolsmith Tool of the Year: Recon-ng
  5. The Hidden Backdoors to the City of Cron | Sucuri Blog
  6. Businesses are building shopper profiles based on sniffing phones’ WiFi
  7. "Apple Settles with FTC
  8. Cisco Discloses Existence of Undocumented Backdoor in Routers

Larry's Stories

  1. Business as ususal - [Larry] - Otherwise known as “a breach waiting to happen”. Thanks to Dave Kennedy for testifying before congress that healthcare.gov isn’t doing a lot to fix the problems identified. I love also that Dave’s “opposition” Waylon Krush says that Dave is full of shit, but “acknowledged that he hasn't actually reviewed Kennedy's findings or worked on the health care site” Le sigh.
  2. 30C3 videos released - [Larry] - Go fill your brain. All the talks have been translated too, so if you don’t speak German, you have options. If nothing else, load up the MP3s into your player.
  3. Cisco to fix backdoor - [Larry] - Yes, the one we talked about from last week… Sure they’ll fox it, leaving millions of customers still vulnerable, because no one updates that stuff unless their router is broken. Also, great Cisco is doing something, but what about Belkin, Netgear, etc. I’m curious as to why all of this is cross manufacturer functionality, and what software uses it. Is this something that Cisco can even fix?
  4. Analysis of JPG bugs - [Larry] - Again, Dr. Krawetz has great stuff, this time talking about JPG processing and the way bugs are introduced and ultimately exploited. Neat stuff.
  5. Starfucks Coffee - [Larry] - Starbucks mobile app leaves it’s password in plain text and they are recoverable by connecting to a PC, no jailbreak required. Not to mention, there is all sorts of other cgos stuff in the app that is recoverable including geotracking info. Al this from the US’s most used mobile payment app.

Patrick's Stories

  1. Net Neutrality Gets Dealt a Blow
  2. Krebs looks at Target Malware - According the author of BlackPOS — an individual who uses a variety of nicknames, including “Antikiller” — the POS malware is roughly 207 kilobytes in size and is designed to bypass firewall software. The barebones “budget version” of the crimeware costs $1,800, while a more feature-rich “full version” — including options for encrypting stolen data, for example — runs $2,300.
  3. Krebs looks at Target Malware II - It was a Ukranian.
  4. Have I been pwned, domain-wide Troy Hunt adds the ability to search by whole domains on whether email addresses have been part of a site compromise
  5. Yahoo Mail turns on https by default

Carlos Stories

Jack's Stories