A supporting slide deck for Digital Silence's 2018 talk from HackWest, BSides KC, and Thotcon. A supplemental blog post with more useful written information can be found at: https://digitalsilence.com/5ghz-electronic-warfare-part-1-attacking-802-11n-networks
You can check out the source code at: https://github.com/s0lst1c3/eaphammer
2. net user author /domain
Gabriel Ryan
Co-Founder / Principal Security Consultant @ Digital Silence
@s0lst1c3 @digitalsilence_
gabriel@digitalsilence.com
3. Typical Enterprise WiFi Configurations will have
Dedicated networks for:
● Guest internet
● Corporate network access
● Possibly BYOD
Each of these comes with a different level of security. Anything that actually matters, though, will almost certainly be protected with WPA-Enterprise (WPA-EAP).
11. The problem
To perform an evil twin attack, the attacker must either:
1. Entice a client device to roam to a rogue AP by providing a better connection
(higher signal strength, better signal to noise ratio)
2. Coerce a client device to roam to a rogue AP by denying access to legitimate
AP (deauth packets)
12. The problem
Most modern hardware uses 802.11ac or 802.11n.
Existing tools for performing rogue AP attacks either:
1. Don’t support 802.11n and 802.11ac at all
2. Only do so with extensive manual configuration
What this means: timeboxed pentesters stuck using 802.11g or 802.11a
13. 802.11n and 802.11ac provide notably better throughput than 802.11a or 802.11g
802.11a / 802.11g – maximum of 54 Mbps
802.11n – theoretical maximum of 600 Mbps (four spatial streams, 40 MHz channel, short guard interval); 300 Mbps with two spatial streams is what you realistically see
17. What this means
It is very difficult to entice a client to roam from a 40 MHz 802.11n access point
to a 20 MHz 802.11g rogue access point: the legitimate AP offers the better link.
Coercion through denial of service is the only viable option in most cases.
19. Why coercion doesn’t always work
● Very rarely will you be going up against a single AP
● When you deauth the clients of a single AP, they will just roam to another 802.11n or
802.11ac AP serving the same ESSID
27. Can’t you solve this problem by deauthenticating
BOTH target access points?
Sure, you’ll just need 3 WiFi interfaces (1 for rogue AP, 2 for deauthentication)
● but what if the target network uses 3 APs?
● now we need 4 WiFi interfaces
● … and so on and so forth
This can quickly get out of hand.
28. Other proposed solution: jam the 5GHz spectrum using an SDR
I’ve heard of people doing this. Disclaimer: I do not endorse or recommend it.
32. Obviously a terrible idea
Not a targeted attack
802.11n still works in the 2.4 GHz band, and dual-band APs will keep serving clients there
5 GHz is used by all kinds of other neat stuff…. like aircraft and weather radar (which is exactly why DFS exists)
35. What we really need: a tool that can create rogue APs using 802.11n and 802.11ac on both the 2.4 GHz and 5 GHz spectrums
... This talk focuses primarily on 802.11n. Stay tuned
for 802.11ac.
36. Why 802.11n is so hard:
Access point configuration is highly complicated
Access points must be 802.11h compliant in order to operate on DFS channels
(i.e. they must be able to detect radar and vacate the channel)
hostapd's BSS overlap prevention (20/40 MHz coexistence check) must be circumvented
What does any of this mean? Stay tuned for the following sections.
43. How 802.11n Uses Spatial Multiplexing
Multiple data streams are transmitted at the same time on the same channel.
How this works:
The transmitter splits the data into multiple spatial streams using MIMO
signal processing
Each spatial stream is transmitted from a dedicated antenna (a 2x2 radio sends two streams)
The receiver recombines the spatial streams using MIMO signal processing
47. 802.11n Channel Bonding
Traditional 802.11 channels (assuming OFDM) are 20 MHz wide
Channel bonding combines two adjacent 20 MHz channels (a primary and a secondary) into a single 40 MHz
wide channel, roughly doubling throughput
49. Other improvements introduced by 802.11n:
Short Guard Interval
MAC improvements
This is a 45 minute presentation, so we don’t have time to talk about these ;)
Not as relevant to discussion as MIMO, spatial multiplexing, and channel
bonding. Look them up if you’re curious.
50. What this means for pentesters:
To create a rogue AP using 802.11n you must:
1. select a channel width (20 MHz or 40 MHz)
2. select an operating channel
3. select a hardware mode that works with that operating channel
4. set your HT parameters correctly
51. We’re not done…
To create a rogue AP using 802.11n you must:
5. decide whether to allow non-HT connections to your HT access point
6. select an appropriate number of spatial streams
Bonus: if you chose a 40MHz channel, you need to choose whether to place the
secondary channel above or below the primary channel. :D
52. If you mess any of these up, hostapd will either refuse to start or quietly
come up in a degraded mode (e.g. dropping back to a 20 MHz channel with nothing but a log line to tell you).
54. There is a method to this madness. You just need to
know what configuration options to use in any given
situation…
55. … or use a tool that will
handle configuration for
you.
58. Achieving 802.11h Compliance
● Certain parts of the 5 GHz spectrum are used by radar
● Regulations by the FCC, EU, etc. dictate that APs operating on these channels must
be capable of detecting and avoiding radar (Dynamic Frequency Selection, DFS)
● This means that if you want to legally operate on DFS channels, you need to
be 802.11h compliant
61. Achieving 802.11h Compliance
How we’ve addressed this:
● Added flags to eaphammer that enable 802.11h, granting access to DFS
channels
● Note: you may still have to enable DFS at the kernel level (the regulatory domain has to allow it, e.g. set it with iw reg set). That's on you.
● For researchers: added flags that force eaphammer to use DFS channels
even if DFS is not enabled (do not use this outside of a lab)
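The configuration steps on slides 50 and 51 and the 802.11h requirement on slides 58 and 61 are just rules, and rules can be encoded. The following is an added example (not eaphammer's or hostapd's own code) that derives a consistent hostapd 802.11n configuration from a channel and a channel width: hw_mode from the band, the HT40+ / HT40- secondary channel placement from the channel's position in its 40 MHz pair, ieee80211d/ieee80211h whenever the channel is a DFS channel, and require_ht when non-HT clients should be refused. It assumes the US regulatory domain (other domains have different DFS sets and a higher top 2.4 GHz channel). The number of spatial streams is not a hostapd.conf option (it comes from the driver's HT capabilities), so it is not modelled here. Anything that hostapd would reject outright (40 MHz on channel 165, HT40+ on channel 11) is raised as an error instead of being written to a config file that will then fail to start.

```python
"""Derive a consistent hostapd 802.11n (HT) configuration from a channel
and width. Added example, not eaphammer's or hostapd's own code."""

# 5 GHz 40 MHz pairs. The lower channel of each pair takes HT40+ (secondary
# above), the upper channel takes HT40- (secondary below). Channel 165 has
# no partner and is 20 MHz only.
_5GHZ_HT40_PAIRS = [(36, 40), (44, 48), (52, 56), (60, 64),
                    (100, 104), (108, 112), (116, 120), (124, 128),
                    (132, 136), (140, 144), (149, 153), (157, 161)]

# DFS (radar) channels in the US regulatory domain (assumption: US).
_DFS_CHANNELS = set(range(52, 65, 4)) | set(range(100, 145, 4))

# Highest usable 2.4 GHz channel in the US (assumption: US).
_MAX_24GHZ_CHANNEL = 11


def ht40_secondary(channel):
    """Return '+' or '-' for a 5 GHz primary channel, None if 40 MHz is
    impossible on that channel."""
    for low, high in _5GHZ_HT40_PAIRS:
        if channel == low:
            return "+"
        if channel == high:
            return "-"
    return None


def hostapd_ht_config(channel, width=40, secondary="auto",
                      allow_non_ht=True, country="US"):
    """Build a dict of hostapd options for an 802.11n AP on `channel`.
    Raises ValueError for combinations hostapd would refuse or downgrade."""
    if width not in (20, 40):
        raise ValueError("width must be 20 or 40 MHz")
    opts = {"ieee80211n": "1",
            "wmm_enabled": "1",      # HT rates require WMM/QoS
            "channel": str(channel),
            "country_code": country}
    if 1 <= channel <= 14:
        opts["hw_mode"] = "g"        # 2.4 GHz band
        if width == 40:
            if secondary == "auto":  # prefer HT40+ while it fits in-band
                secondary = "+" if channel + 4 <= _MAX_24GHZ_CHANNEL else "-"
            if secondary == "+" and channel + 4 > _MAX_24GHZ_CHANNEL:
                raise ValueError("HT40+ secondary channel out of band")
            if secondary == "-" and channel - 4 < 1:
                raise ValueError("HT40- secondary channel out of band")
    elif 36 <= channel <= 165:
        opts["hw_mode"] = "a"        # 5 GHz band
        if width == 40:
            allowed = ht40_secondary(channel)
            if allowed is None:
                raise ValueError("channel %d is 20 MHz only" % channel)
            if secondary == "auto":
                secondary = allowed
            elif secondary != allowed:
                raise ValueError("channel %d only supports HT40%s"
                                 % (channel, allowed))
        if channel in _DFS_CHANNELS:
            # 802.11h needs 802.11d and a country code in hostapd.
            opts["ieee80211d"] = "1"
            opts["ieee80211h"] = "1"
    else:
        raise ValueError("unknown channel %d" % channel)
    if width == 40:
        opts["ht_capab"] = "[HT40%s]" % secondary
    if not allow_non_ht:
        opts["require_ht"] = "1"     # refuse legacy (non-HT) clients
    return opts


def render(opts, interface="wlan0", ssid="corp-wifi"):
    """Render the option dict as hostapd.conf text (open network; the EAP
    settings a real evil twin needs are out of scope here)."""
    lines = ["interface=%s" % interface, "ssid=%s" % ssid, "driver=nl80211"]
    lines += ["%s=%s" % (key, val) for key, val in opts.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # A 40 MHz HT AP on DFS channel 100, secondary channel above.
    print(render(hostapd_ht_config(100, 40)))
```

Before trusting a DFS configuration produced this way, check that the kernel actually permits those channels: `iw list` shows each channel with `radar detection` and, if the regulatory domain forbids it, `disabled` or `no IR`; `iw reg get` shows the active domain.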
64. BSS Conflicts:
Law of 802.11n 40 MHz operation (20/40 MHz BSS coexistence) - thou shalt not occupy the same primary channel as another AP if
you can avoid it
65. BSS Conflicts
Evil Twin Attack - deliberately occupying the same ESSID and channel
as another AP in order to force client devices to connect to the attacker
67. BSS Conflicts
Fortunately, we can resolve this issue by patching hostapd to ignore BSS
conflicts.
● People have been doing this for years, and it's as easy as changing a couple of
lines of code: hostapd only scans for overlapping BSSes at startup, and if it finds one it just
drops the secondary channel and runs at 20 MHz, so the patch simply skips that check [3]
72. What's been added to eaphammer:
Out of the box support for
● 5 GHz rogue access points
● 802.11n compatibility (ac comes next)
● WMM support (802.11n HT rates require it anyway)
● 802.11h compliance (yay)
● Minimal manual configuration needed, granular configuration still possible
73. Check out the source code:
https://github.com/s0lst1c3/eaphammer