Presented by Konrad Jędrzejczyk at DefCamp #9, Bucharest, Romania, November 8-9, 2018.
The videos and other presentations can be found on https://def.camp/archive
2. Whoami
• VP Threat Detection Analysis, Financial Institution
• Senior Threat Hunter, Pepsico Consulting Polska Sp. z o.o.
• Senior Incident Response Analyst, Royal Bank of Scotland S.A.
• IT Infrastructure Risk Analyst, Royal Bank of Scotland S.A.
• IT Security Incident Manager, ING Services Polska Sp. z o.o.
• IT Forensic Expert, ProCertiv Sp. z o.o.
• IT Security Expert (Co-Founder), Collective Systems
The opinions expressed here are my own and do not necessarily represent those of my employer.
WHOAMI 2
24. Kismet-[date+hour].nettxt
PREPARATION 24
Network 4253: BSSID DC:53:7C:B7:AF:A2
Manuf : CompalBr
First : Wed Mar 21 16:05:29 2018
Last : Wed Mar 21 16:05:50 2018
Type : infrastructure
BSSID : DC:53:7C:B7:AF:A2
SSID 1
Type : Beacon
SSID : "House of Cards"
First : Wed Mar 21 16:05:29 2018
Last : Wed Mar 21 16:05:50 2018
Max Rate : 144.4
Beacon : 10
Packets : 3
WPS : Configured
Encryption : WPA+PSK
Encryption : WPA+TKIP
Encryption : WPA+AES-CCM
WPA Version: WPA+WPA2
Channel : 8
Frequency : 2447 - 3 packets, 100.00%
Max Seen : 1000
LLC : 3
Data : 0
Crypt : 0
Fragments : 0
Retries : 0
Total : 3
Datasize : 0
Min Pos : Lat 52.238670 Lon 20.988529 Alt 148.658997 Spd 0.000000
Max Pos : Lat 52.238674 Lon 20.988548 Alt 149.800995 Spd 0.000000
Peak Pos : Lat 52.238674 Lon 20.988548 Alt 148.658997
Avg Pos : AvgLat 52.238673 AvgLon 20.988536 AvgAlt 149.156900
Last BSSTS : Feb 26 09:02:14
Seen By : wlan0mon (wlan0mon) bc17995e-2d40-11e8-925d-5905352b2c03 3 packets
Wed Mar 21 16:05:50 2018
Client 1: MAC DC:53:7C:B7:AF:A2
Manuf : CompalBr
First : Wed Mar 21 16:05:29 2018
Last : Wed Mar 21 16:05:50 2018
Type : From Distribution
MAC : DC:53:7C:B7:AF:A2
Channel : 8
Frequency : 2447 - 3 packets, 100.00%
Max Seen : 1000
LLC : 3
Data : 0
Crypt : 0
Fragments : 0
Retries : 0
Total : 3
Datasize : 0
Min Pos : Lat 52.238670 Lon 20.988529 Alt 148.658997 Spd 0.000000
Max Pos : Lat 52.238674 Lon 20.988548 Alt 149.800995 Spd 0.000000
Peak Pos : Lat 52.238674 Lon 20.988548 Alt 148.658997
Avg Pos : AvgLat 52.238673 AvgLon 20.988536 AvgAlt 149.156900
Seen By : wlan0mon (wlan0mon) bc17995e-2d40-11e8-925d-5905352b2c03 3 packets
Wed Mar 21 16:05:50 2018
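The .nettxt record above is Kismet's plain-text export, one "Network N: BSSID …" block per access point with indented "key : value" lines and nested "Client N:" sub-records. The following parser is an added example, not part of the talk or of Kismet: it walks that layout, keeps the fields a defender cares about (SSID, vendor, channel, advertised ciphers, WPS state) and flags networks that still advertise TKIP, WEP, mixed WPA/WPA2 mode or WPS. The sample text is constructed in the same layout, modelled on the slide's record plus a second hypothetical network for contrast; the audit rules are the author's of this example, not Kismet's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in Kismet .nettxt layout: the first block follows the record on the
# slide (trimmed), the second is a hypothetical WPA2/CCMP-only network without WPS.
SAMPLE_NETTXT = """\
Network 4253: BSSID DC:53:7C:B7:AF:A2
 Manuf      : CompalBr
 Type       : infrastructure
 BSSID      : DC:53:7C:B7:AF:A2
 SSID 1
  Type       : Beacon
  SSID       : "House of Cards"
  WPS        : Configured
  Encryption : WPA+PSK
  Encryption : WPA+TKIP
  Encryption : WPA+AES-CCM
  WPA Version: WPA+WPA2
 Channel    : 8
 Client 1: MAC DC:53:7C:B7:AF:A2
  Manuf      : CompalBr
  Type       : From Distribution

Network 4254: BSSID 02:00:00:00:00:01
 Manuf      : Unknown
 Type       : infrastructure
 BSSID      : 02:00:00:00:00:01
 SSID 1
  Type       : Beacon
  SSID       : "hypothetical-net"
  Encryption : WPA+PSK
  Encryption : WPA+AES-CCM
  WPA Version: WPA2
 Channel    : 11
"""

HEADER_RE = re.compile(r"^Network\s+(\d+):\s+BSSID\s+([0-9A-Fa-f:]{17})\s*$")
# "key : value"; the non-greedy key stops at the first colon, so MAC values stay intact.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


@dataclass
class Network:
    index: int
    bssid: str
    ssid: Optional[str] = None
    manuf: Optional[str] = None
    channel: Optional[str] = None
    wps: Optional[str] = None
    wpa_version: Optional[str] = None
    encryption: List[str] = field(default_factory=list)


def parse_nettxt(text: str) -> List[Network]:
    """Parse Kismet .nettxt output into Network records (client sub-records are skipped)."""
    networks: List[Network] = []
    current: Optional[Network] = None
    in_client = False
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = Network(index=int(header.group(1)), bssid=header.group(2).upper())
            networks.append(current)
            in_client = False
            continue
        if current is None:
            continue
        if line.lstrip().startswith("Client "):
            in_client = True  # client blocks repeat Manuf/Type keys; ignore them
            continue
        if in_client:
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue  # e.g. the "SSID 1" sub-header has no colon
        key, value = kv.group(1), kv.group(2)
        if key == "SSID" and current.ssid is None:
            current.ssid = value.strip('"')
        elif key == "Manuf" and current.manuf is None:
            current.manuf = value
        elif key == "Channel" and current.channel is None:
            current.channel = value
        elif key == "WPS":
            current.wps = value
        elif key == "WPA Version":
            current.wpa_version = value
        elif key == "Encryption":
            current.encryption.append(value)
    return networks


def audit(net: Network) -> List[str]:
    """Return human-readable findings for one network (rules are this example's own)."""
    findings = []
    if not net.encryption:
        findings.append("open network: no encryption advertised")
    if any("WEP" in e for e in net.encryption):
        findings.append("WEP in use")
    if any("TKIP" in e for e in net.encryption):
        findings.append("TKIP cipher still enabled (legacy WPA1 cipher)")
    if net.wpa_version and "WPA+WPA2" in net.wpa_version:
        findings.append("mixed WPA/WPA2 mode")
    if net.wps and net.wps.lower().startswith("configured"):
        findings.append("WPS advertised as Configured")
    return findings


if __name__ == "__main__":
    for net in parse_nettxt(SAMPLE_NETTXT):
        issues = audit(net) or ["no findings"]
        print(f"{net.bssid} ch{net.channel} {net.ssid!r} ({net.manuf}): " + "; ".join(issues))
```

Run against a real capture with `parse_nettxt(open("Kismet-20180321-16-05-29.nettxt").read())`; the same structure is what the later WPS slide asks you to check for on your own access points, since "WPS : Configured" in the beacon means the radio still answers WPS regardless of what the web interface shows.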
36.
#!/bin/bash
# Look up the vendor of a MAC address in a local copy of the IEEE oui.txt.
# The "(base 16)" line for an OUI is followed by the vendor address lines, hence -A 4.
if [ -z "$1" ]; then
    echo "Usage: $0 <MAC address>" >&2
    exit 1
fi
# Normalise the input: drop spaces, colons and dashes, keep the first 6 hex digits (the OUI).
MAC="$(echo "$1" | sed 's/[ :-]//g' | cut -c1-6)"
result="$(grep -i -A 4 "^$MAC" ./oui.txt)"
if [ -n "$result" ]; then
    echo "For the MAC $1 the following information is found:"
    echo "$result"
else
    echo "MAC $1 is not found in the database."
fi
50. WPS - Currently Implemented
Safeguards:
• Limiting the number of attempts that can be made in a given timeframe
• Using a different PIN for every pairing attempt
• Limiting the pairing time
• Disabling WPS (however, there is a good chance that it is disabled only in the web API, not on the radio itself)
WPS 50
51. Don’t Underestimate the “Luck Factor”
http://zaufanatrzeciastrona.pl/wp-content/uploads/2014/02/superbowl.jpg
TALK TO ME:D 51
57. WPA/WPA2 Connection
Supplicant (Client) and Authenticator (AP); keys involved: Pairwise Master Key (PMK), Pairwise Transient Key (PTK)
1. Authenticator -> Supplicant: authenticator random number (ANonce, nonce generated by the authenticator), authenticator MAC
2. Supplicant -> Authenticator: supplicant random number (SNonce, nonce generated by the supplicant), Message Integrity Code (MIC), security parameters (RSN)
3. Authenticator -> Supplicant: resend random number, encrypted by PTK
4. Supplicant -> Authenticator: confirm both PTK and GTK are installed
WPA/WPA2 – IS THE HASHING ALGORITHM SO INSECURE AS WE ARE LED TO BELIEVE? 57
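To make the slide's question about the hashing algorithm concrete, here is the WPA/WPA2-PSK key derivation the 4-way handshake relies on, written as an added example (not the talk's code): the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations, the PTK is expanded from the PMK plus both MACs and both nonces with the 802.11i PRF, and the MIC on message 2 is HMAC over the EAPOL-Key frame keyed with the first 16 bytes of the PTK (the KCK). The MAC addresses, nonces and message-2 body are constructed placeholders; the only real value is the passphrase/SSID test vector from the 802.11i annex ("password" / "IEEE"), which the block checks against.

```python
import hashlib
import hmac

# Constructed placeholders for the two stations and their nonces (real nonces are random).
AA = bytes.fromhex("020000000000aa")[:6]      # authenticator (AP) MAC, locally administered
SPA = bytes.fromhex("02000000000001")[:6]     # supplicant (client) MAC, locally administered
ANONCE = bytes(range(0, 32))
SNONCE = bytes(range(32, 64))
# Constructed EAPOL-Key message 2 body with the MIC field zeroed, as the standard requires
# when the MIC is computed; the field layout is simplified for the example.
MSG2_BODY = b"\x02\x03\x00\x75" + b"\x02\x01\x0a\x00" + SNONCE + b"\x00" * 48


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    32 bytes means two SHA1 output blocks, i.e. 2 x 4096 HMAC-SHA1 per candidate passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenated HMAC-SHA1(key, label | 0x00 | data | i) for i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)|max(AA,SPA)|min(AN,SN)|max(AN,SN)).
    Ordering by min/max is what lets both sides derive the same key independently."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes, key_descriptor_version: int = 2) -> bytes:
    """MIC over the EAPOL-Key frame: HMAC-MD5 for WPA/TKIP (v1), HMAC-SHA1[:16] for WPA2/CCMP (v2)."""
    if key_descriptor_version == 1:
        return hmac.new(kck, eapol_frame, hashlib.md5).digest()
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def supplicant_message2_mic(passphrase, ssid, aa, spa, anonce, snonce, msg2_body) -> bytes:
    """Message 2: the supplicant derives PMK and PTK and returns the MIC it sends."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    kck = ptk[:16]  # KCK = PTK[0:16]; KEK = PTK[16:32]; TK = PTK[32:48]
    return eapol_mic(kck, msg2_body)


def authenticator_verify(passphrase, ssid, aa, spa, anonce, snonce, msg2_body, mic) -> bool:
    """The authenticator derives the same PTK from its own PMK and checks the received MIC."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], msg2_body), mic)


if __name__ == "__main__":
    # 802.11i annex test vector: passphrase "password", SSID "IEEE"
    print("PMK:", pmk_from_passphrase("password", "IEEE").hex())
    mic = supplicant_message2_mic("password", "IEEE", AA, SPA, ANONCE, SNONCE, MSG2_BODY)
    print("message 2 MIC:", mic.hex())
    print("authenticator accepts:", authenticator_verify("password", "IEEE", AA, SPA, ANONCE, SNONCE, MSG2_BODY, mic))
```

The expensive part is `pmk_from_passphrase`: 8192 HMAC-SHA1 computations per candidate, and nothing in the PTK or MIC steps adds comparable cost, which is why the slides that follow talk about hash rate and passphrase entropy rather than a weakness in the construction itself.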
64. hashcat?
HANDSHAKE 64
In order to make use of this new attack you need the following tools:
1: hcxdumptool v4.2.0 or higher: https://github.com/ZerBea/hcxdumptool
2: hcxtools v4.2.0 or higher: https://github.com/ZerBea/hcxtools
3: hashcat v4.2.0 or higher: https://github.com/hashcat/hashcat
hcxdumptool -o hashfile -i wlan0mon --filterlist=macfilter.txt --filtermode=2 --enable_status=3
./hashcat -m 16800 /root/hashtocrack -a 3 -w 3 '?u?u?u?u?u?u?u?u'
72. X = C^n
Where:
X - number of combinations
C - number of characters in the charset
n - password length (>= 8)
Example:
8-character lowercase alphabetic password
[a-z or (not and) A-Z] = 26^8
= 208827064576
Example for Radeon R9 270 OC (~98 kH/s)
WPA/WPA2 Password Entropy
GPU 72
n   Charset                                C    Time
Single R290 (~140 kH/s)
8   [0-9]                                  10   12 minutes
8   [a-z] or [A-Z]                         26   17 days
8   [a-z + 0-9] or [A-Z + 0-9]             36   233 days
9   [a-z] or [A-Z]                         26   1 year and 83 days
9   [a-z + 0-9] or [A-Z + 0-9]             36   23 years
8   [a-z + A-Z + 0-9]                      62   50 years
12 x R270 (12 x ~100 kH/s)
8   [a-z] or [A-Z]                         26   2 days
8   [a-z + 0-9] or [A-Z + 0-9]             36   27 days
9   [a-z] or [A-Z]                         26   52 days
Single i5 CPU (~3.3 kH/s, depending on version)
8   [a-z] or [A-Z]                         26   2 years and 1 month
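The table above is X = C^n divided by the hash rate. The block below is an added example (not from the talk) that reproduces those rows from the slide's three rates and, going one step beyond the slide, turns the formula around for a defender: given a charset and an attacker's rate, what is the smallest passphrase length for which exhausting the keyspace takes longer than a chosen horizon. Rig names are labels made up for this example; the rates are the ones quoted on the slide.

```python
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Hash rates quoted on the slide (hashes per second); the rig labels are this example's own.
RIGS = {
    "single R290": 140_000,
    "12 x R270": 12 * 100_000,
    "single i5 CPU": 3_300,
}

# Charsets from the slide: label -> C
CHARSETS = {
    "[0-9]": 10,
    "[a-z] or [A-Z]": 26,
    "[a-z + 0-9] or [A-Z + 0-9]": 36,
    "[a-z + A-Z + 0-9]": 62,
}


def keyspace(charset_size: int, length: int) -> int:
    """X = C^n: number of candidate passwords of exactly n characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate_hps: float) -> float:
    """Worst case: every candidate tried once (the average case is half of this)."""
    return keyspace(charset_size, length) / rate_hps


def humanize(seconds: float) -> str:
    """Round a duration the way the slide's table does."""
    if seconds < 3_600:
        return f"{round(seconds / 60)} minutes"
    if seconds < SECONDS_PER_DAY:
        return f"{round(seconds / 3_600)} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{round(seconds / SECONDS_PER_DAY)} days"
    years, rem = divmod(seconds, SECONDS_PER_YEAR)
    return f"{int(years)} years and {int(rem // SECONDS_PER_DAY)} days"


def min_length_for(charset_size: int, rate_hps: float, horizon_seconds: float) -> int:
    """Smallest n such that exhausting C^n at rate_hps takes longer than the horizon.
    This is the defender's view of the same formula: pick n from the threat model."""
    n = 1
    while seconds_to_exhaust(charset_size, n, rate_hps) <= horizon_seconds:
        n += 1
    return n


def build_table(rig: str, rows):
    """rows: iterable of (n, charset label); returns (n, label, C, human time) tuples."""
    rate = RIGS[rig]
    return [
        (n, label, CHARSETS[label], humanize(seconds_to_exhaust(CHARSETS[label], n, rate)))
        for n, label in rows
    ]


if __name__ == "__main__":
    slide_rows = [(8, "[0-9]"), (8, "[a-z] or [A-Z]"), (8, "[a-z + 0-9] or [A-Z + 0-9]"),
                  (9, "[a-z] or [A-Z]"), (9, "[a-z + 0-9] or [A-Z + 0-9]"), (8, "[a-z + A-Z + 0-9]")]
    for rig in RIGS:
        print(f"{rig} (~{RIGS[rig]:,} H/s)")
        for n, label, c, t in build_table(rig, slide_rows):
            print(f"  {n:<3}{label:<30}{c:<5}{t}")
    horizon = 100 * SECONDS_PER_YEAR
    for label, c in CHARSETS.items():
        print(f"min length for {label} to outlast 100 years of 12 x R270: "
              f"{min_length_for(c, RIGS['12 x R270'], horizon)}")
```

Note that the 62-charset, 8-character row comes out at about 49 years with a 365.25-day year, which the slide rounds to 50; the other rows match the table as printed.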
81. WPA/WPA2 Entropy in Practice
paulina Paulina paulina! Paulina! Paulina!@# ,(15011, 'andziulka19994',
PaulinA!@# ,(15024, 'mariusz22',
paulina0 Paulina0 paulina0! Paulina0! PaUliNa0! ,(15003, 'demiano7'
paulina1 Paulina1 paulina1! Paulina1! P@ulin@1! ,(15004, 'Lampka',
(...) (...) (...) (...) Paulina2o15! ,(15005, 'paradyne',
paulina9 Paulina9 paulina9! Paulina9! paulinA1989! ,(15006, 'darek1054',
paulina!-! ,(15007, 'bandzior2911'
paulina10 Paulina10 paulina10! Paulina10! paulina19890101 ,(15008, 'Ruthless blade',
paulina11 Paulina11 paulina11! Paulina11! 89Paulina! ,(15009, 'SzYbKi',
(...) (...) (...) (...) 1paulina1 ,(15023, 'aramil23',
paulina99 Paulina99 paulina99! Paulina99! PaUlInA ,(15012, 'kasiq10',
.paulina ,(15013, 'diabelskapam'
paulina1970 Paulina1970 paulina1970! Paulina1970! paulinapaulina ,(15014, 'Janosik_13',
paulina1971 Paulina1971 paulina1971! Paulina1971! KonradPaulina ,(15015, 'Sztukens',
(...) (...) (...) (...) !!!PAULINA!!! ,(15016, 'superrolnik',
paulina2016 Paulina2016 paulina2016! Paulina2016! PaulinaDefCamp ,(15017, 'Henry102',
Real passwords from a stolen, publicly available SQL file: www.pobieramy24.pl.sql
82. WiFi & close "air" support
https://en.wikipedia.org/wiki/Joint_terminal_attack_controller
https://github.com/wifiphisher/wifiphisher
104. C64 – YES:D 104
Most commonly used for WiFi operations:
• Kali & OpenWRT
• Alfa AWUS036NHA (does have problems, old only b/g/n)
• TP-LINK:
  • 3020 (small & old standards)
  • 3220 (stable & old standards)
  • 3040 (battery included & old standards)
  • WR1043ND v4 (modern standards & 16 MB flash will allow direct install of aircrack-ng)
105. TILL NEXT TIME 105
Year   Proceedings initiated   Offences confirmed
2016   3401                    2718
2015   3515                    2452
Art. 267 (Polish Penal Code)
§ 1. Whoever, without authorization, gains access to information not intended for them by opening a sealed letter, connecting to a telecommunications network, or breaching or bypassing its electronic, magnetic, IT or other special protection, is subject to a fine, the penalty of restriction of liberty, or imprisonment for up to 2 years.
§ 2. The same penalty applies to whoever, without authorization, gains access to all or part of an information system.
§ 3. The same penalty applies to whoever, in order to obtain information to which they are not entitled, installs or uses a listening device, a visual device, or any other device or software.
§ 4. The same penalty applies to whoever discloses to another person information obtained in the manner specified in § 1-3.
§ 5. Prosecution of the offence specified in § 1-4 takes place on the motion of the injured party.
Limitation period: 5 years