Tuesday, June 30, 2015

Little bit about Payments

  • One Factor Authentication
  • Two Factor Authentication
    • Security Tokens
      • http://india.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm
      • https://www.duosecurity.com/product/methods/hardware-tokens
      • http://www.solidpass.com/products/hardware-security-token-authentication.html

Thursday, June 25, 2015

Aircrack-ng Suite

  • airmon-ng
    • creates another interface and put it in monitor mode
  • airodump-ng (reference)
    • airodump-ng wlan0 --essid mySSID -c 1,6,11 -a --manufacturer --uptime
  • aireplay-ng (reference)
    • Inject some specific attacks
  • packetforge-ng
    • Makes possible to inject arbitrary frames

Tuesday, June 23, 2015

Wireless Security Brief

  • Cipher:
    • An algorithm which converts plain text into encrypted text & vice versa. i.e. it provides cryptography by providing both encryption and decryption.
  • Properties of Ciphers
    • Symmetric / Asymmetric: Asymmetric uses public key for encryption & private key for decryption. 
    • Stream / Block

  • Security Standard / Encryption Method provides:
    • Encryption: Provides confidentiality of data
    • Data Integrity: Provides prevention from Bit flipping, Forgery attacks, Fragmentation attacks, Redirection attacks, Impersonation attacks
    • Sequencing: Defeats Replay AttackRe-injection attack.
  • Different Security Standards

  • WEP
    • WEP was used for encryption only not for authentication.
    • Dynamic WEP used 802.1x for authentication & WEP for encryption.
  • Security related Information Elements
    • RSN Information Element: Present when WP2 is configured. (more info)
    • Vendor Specific: WPA Information Element:Present WPA is configured.
    • Both these IEs are available in Beacon frames, Probe Response frames, Association Request Re-association Request frames.
  1. Both IEs are present when WPA2 Mixed Mode is used. 
  2. Authentication Key Management (AKM) suite  gives info about whether PSK or Enterprise (802.1x) is used.
  3. Pairwise suite gives encryption method to be used for unicast packets.
  4. Group key suite gives info on the encryption method to be used for broadcast. In mixed mode, this element will fallback to TKIP as AP broadcast / Multicast is supposed to be for both WPA & WPA2 clients. 
PTK / GTK in Mixed Mode

  • 802.1x Authentication Methods
    • http://wiki.freeradius.org/protocol/EAP 
    • http://wiki.freeradius.org/protocol/EAP-PEAP 

  • Seven EAP Methods Required for WiFi Certification
    1. EAP-TLS
    2. EAP-TTLS
    3. PEAPv0 (EAP-MSCHAPv2)
    4. PEAPv1(EAP-GTC)
    5. EAP-FAST
    6. EAP-SIM
    7. EAP-AKA

Monday, June 22, 2015

Using Wireshark for Wireless Capture

  • Precautions before Starting Wireless Capture
    • Channel Identification using Channel Hopping. Sniffer can listen to specific channel.
    • Avoid keeping sniffer too close. Keep at least 3 feet.
    • No guarantee that 100 percent traffic will be captured
    • Disable any nearby transmitter (mainly Bluetooth)
    • Reduce CPU utilization before starting capture
    • Configure wireless card in monitor mode. Wire shark does not do this automatically.
  • Air pcap Requirement for Windows 
    • Can't configure windows driver in Monitor mode hence need airpcap.
  • Adding New Columns (Edit -> Preferences -> Columns)
    • RSSI (IEEE 802.11 RSSI)
    • Tx Rate (IEEE 802.11 TX rate)
    • Channel/Freq (Frequency / Channel)
  • Building Graphs (Statistics -> I/O Graphs)
    • I/O Graph (RSSI, Tx Rate can be plotted)
  • Coloring Elements (View -> Coloring Rules)
  • Filters to remember
    • wlan_mgt.ssid (NOTE: mgt not mgmt)
    • wlan.addr (wlan.sa or wlan.da)
    • wlan.sa
    • wlan.da
    • wlan.bssid
    • wlan.fc.type
    • wlan.fc.subtype
    • wlan.fc.type_subtype
    • wlan.sa contains 80:6c:1b
    • wlan.sa[0-2] == 80:6c:1b
  • Use Cases:
    • Finding hidden SSIDs
      • Find BSSID using filter wlan_mgt.ssid==""
      • Filter probe requests with BSSID found in previous step.
    • Rogue AP Detection (security will be open)
    • Capturing all AP under given SSID
    • Capturing all packets tx/rx from/to particular client
    • Capturing all packets under a given BSSID
    • Decryption of packets 
  • Values for Type & Sub-type Fields