Nobody knows · 2014/08/28 16:52
0x00 Preface
A few days ago I saw an article by a foreigner about wifi phishing, shared by @rayh4c on Weibo. I thought it was quite good and translated it. This is my first translation, and my English is only a little above CET-4 level, so please forgive the poor translation; have a look.
The original is at https://www.os3.nl/_media/2012-2013/courses/ssn/open_wifi_ssid_broadcast_vulnerability.pdf
0x01 Abstract
It is not uncommon for vendors to prefer a better user experience over better security. Starting from this fact, the SNE lab conducted a study and confirmed that, in order to scan and connect faster, some devices broadcast their saved SSIDs without the user being aware of it. The study raises a configuration issue, specifically with the SSIDs of public (open) wifi networks, and reveals a security hole. The two main questions are therefore what the device actually sends out and how what it sends out can be used.
0x02 Introduction
Recent observations show that wifi devices with active scanning enabled reveal information that may seem unimportant to users but is valuable to attackers. The idea for this project came from an effort to gather that information more efficiently (in less time, with less effort). The approach is to design an automated device that takes advantage of two behaviours of client devices: active scanning (probe requests) and automatic connection to open wifi access points. The scope of this vulnerability can be established by building a device that sniffs probe requests and automatically creates the corresponding forged SSIDs, then scanning many devices over a period of time. Research findings aside, such a device has a number of practical security-related applications. For example, any public entity, such as an institution or company (without any technical knowledge), could assess the security awareness of its employees by actively scanning their wifi devices. For entities with high security requirements (banks), such enhanced security measures are necessary. No physical contact is needed, and a completed security analysis gives better results. Needless to say, it also reduces costs and lost working time.
0x03 Background
1) Client connection to the access point
A key part of the IEEE 802.11 process is discovering a WLAN and then connecting to it. WLAN networks announce their presence by advertising their SSID in frames called beacons. The WLAN client then sends a probe request frame to identify, or connect to, a better WLAN. The last two steps are authentication and association. Since they are not directly related to this project, they are not described here.
2) IEEE 802.11 Beacons
The main purpose of a beacon is to let WLAN clients know which networks or access points are available in a given area. Access points broadcast beacons periodically. Although beacons are sent regularly by the access point, probe frames, authentication and association are still used when connecting (or reconnecting).
3) IEEE 802.11 probe
For clients there are two ways to scan for available APs, active and passive (Figure 1).
Figure 1: Connection process
Active scanning: During an active scan, the client tunes its IEEE 802.11 radio to the channel to be scanned and broadcasts a probe request, then listens on that channel for probe responses from available APs whose SSID matches. How long the client waits for a response depends on the vendor, but it is usually around 10 ms. There are two types of probe request: directed probes and broadcast probes.
Directed probe: The client sends a probe request carrying a specific SSID. Only an AP with the requested SSID may respond (Figure 2).
Figure 2: Directed probe
Broadcast probe: The client broadcasts a probe request without an SSID; all APs receive the request and respond with the SSIDs they support (Figure 3).
Figure 3: Broadcast probe
Passive scanning: In passive scanning the client still tunes its radio to the channel it wants to scan, but instead of sending a probe request it waits for beacons broadcast by a valid AP, as shown in Figure 4.
Figure 4: Passive scanning
0x04 Method
1) Detecting devices that send probe requests
1. Setup
This part captures information about every device that sent a probe request. The setup is software-based, so it can run on a router with a custom operating system (such as OpenWrt) or on a laptop. Once configured, three types of data are captured.
The first part is network sniffing. A tcpdump process runs on a wireless interface in listening (monitor) mode and captures the packets sent by all other devices. Its output is passed through a filter that keeps only probe requests and writes them to a log file. The file contains only the MAC address of the device and the SSID carried in its probe request.
The second part is identifying the device. To identify a device, an access point is set up for it to connect to. The DHCP server assigns a fixed IP address to each device, and the MAC addresses with their corresponding IP addresses are recorded in a file. All traffic passes through a local web server with logging enabled (Lighttpd in this case). Its log contains the IP address and the User-Agent string of each HTTP request the device makes. So when a device connects to this access point and opens a web page, it reaches the local web server, which logs the request.
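The sniffing step above keeps only probe requests and logs the client MAC and the requested SSID; the following Python is an added example (not the paper's or the DAP's own code) that parses raw 802.11 probe request frames, distinguishes directed from broadcast probes, and aggregates how many distinct clients asked for each SSID, which is what the paper's later "most popular SSIDs" query computes. The frames are constructed inline for offline use; the frame layout follows the 802.11 management header (24 bytes) followed by tagged elements.

```python
from collections import defaultdict

BCAST = b"\xff" * 6
PROBE_REQ_FC = 0x40  # frame control byte 0: version 0, type 0 (mgmt), subtype 4 (probe req)

def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for an 802.11 probe request, else None.
    Empty SSID = broadcast (wildcard) probe; a named SSID is a directed probe."""
    if len(frame) < 24 or frame[0] != PROBE_REQ_FC:
        return None                      # beacons, data frames, etc. are dropped
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # address 2 = transmitter
    body, i = frame[24:], 0
    while i + 2 <= len(body):            # walk the (ID, length, value) elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            return None                  # truncated element: treat as malformed
        if tag == 0:                     # element ID 0 = SSID
            return src, value.decode("utf-8", errors="replace")
        i += 2 + length
    return None                          # no SSID element: not a valid probe request

def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Construct a minimal probe request for offline testing (not captured traffic)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    header = bytes([PROBE_REQ_FC, 0, 0, 0]) + BCAST + mac + BCAST + b"\x00\x00"
    ssid_el = bytes([0, len(ssid)]) + ssid.encode()
    rates_el = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates element
    return header + ssid_el + rates_el

def most_popular_ssids(frames):
    """Keep directed probes only and count distinct client MACs per SSID
    (the intent of the paper's first MySQL query, Table 1)."""
    clients = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:         # skip non-probes and broadcast probes
            clients[parsed[1]].add(parsed[0])
    return sorted(((s, len(m)) for s, m in clients.items()), key=lambda x: (-x[1], x[0]))

# Constructed sample capture: two clients probe for "CoffeeShop", one also for "HomeNet";
# plus one broadcast probe and one beacon frame that the filter must ignore.
SAMPLE_FRAMES = [
    build_probe_request("02:00:00:00:00:01", "CoffeeShop"),
    build_probe_request("02:00:00:00:00:02", "CoffeeShop"),
    build_probe_request("02:00:00:00:00:01", "CoffeeShop"),   # re-sent every ~60 s
    build_probe_request("02:00:00:00:00:02", "HomeNet"),
    build_probe_request("02:00:00:00:00:03", ""),
    bytes([0x80, 0]) + b"\x00" * 22 + bytes([0, 7]) + b"OpenAP1",  # beacon, subtype 8
]
```

Counting distinct MACs per SSID (rather than raw frames) avoids inflating the count with the repeated probes each client sends about once a minute.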
2. Collecting data
To collect data, these devices were placed at different locations. The locations were chosen to be public but also to allow interaction with users. At each location, people were asked to connect to the access point so that the type of device could be determined. The locations were UvA, VU, Amsterdam Central and Schiphol Airport. The sniffer was started before the devices connected and kept running for a short time after the last client connected. This ensures that the sniffer catches the probe requests, since they are sent every 60 seconds.
3. Saving data
After collection there are three files per session: the SSIDs sent, the DHCP leases and the HTTP User-Agent strings. The files from all sessions are merged into three large files formatted for import into a database; this project used MySQL. Each file is imported as a table, which makes the data easy to query.
2) Detect the device connected to the forged AP
Many devices with different operating systems were put through the evaluation to see which of them connect to the fake access point. The access point is configured with an SSID the device had previously connected to, and it is set up as an unprotected (open) network. When a device connects automatically, its operating system type and version are recorded.
3) Automated deception
The idea of the dynamic access point is to automate the collection of SSIDs and MAC addresses, taking care of the probe requests for those specific SSIDs. The next step is to automate spoofing those SSIDs in order to find out which of them are public (open) networks. If a device connects, it can be concluded that the SSID is exposed and that the approach actually works.
To automate the spoofing, a piece of hardware running custom software can be used. This hardware is called a dynamic access point (DAP). It adapts the spoofing process to its input, which can be user-defined or captured from a wireless interface. The DAP built here has two attack modes: normal mode and direct mode. In normal mode, all captured probe requests are used to set up forged SSIDs. In direct mode, only probe requests from a specified MAC address are used. In this study a TP-Link router running OpenWrt was used, with a separate device for each part of the process. The first part collects and filters information from devices by listening to wireless traffic; software was written for this. First, the wireless interface is put into listening mode so that all packets can be captured. Everything except probe requests is then filtered out, and a list of SSIDs is generated from the remaining probe requests. The first seven SSIDs are used for forgery. In direct mode, only the SSIDs from the MAC address defined by the user are used.
The second part is also a TP-Link router running OpenWrt. This router is set up as an access point using hostapd as the service. hostapd is a user-space process that handles client connections to the access point. The router can hand out IP addresses with DHCP and provide network access. When the first router has collected enough SSIDs, it generates a configuration file in a format that hostapd supports, sends the file to the second router with scp over SSH and restarts the service. After the restart, the second router acts as an access point for the supplied SSIDs.
Figure 5: DAP basic operation
0x05 Results
1) Devices that sent probe requests
The collected results are divided into three parts. The first is a table of MAC addresses and the SSIDs they broadcast. Then there is a table of DHCP leases, containing MAC addresses and their corresponding IP addresses. The third table contains the IP addresses and the browsers' User-Agent strings. To analyse this data we ran a number of fairly complex queries. First, the following query produced the most popular SSIDs, shown in Table 1:
```sql
SELECT ssid, COUNT(*) AS count
FROM (
  SELECT ssid.mac, ssid.ssid
  FROM ssid
  WHERE ssid.ssid != ""
  GROUP BY ssid.mac
) AS P
GROUP BY ssid
ORDER BY count DESC
```
The next step is to query the User-Agent strings of the clients that sent probe frames. The result is only meant to show the operating system, as can be seen in Table 2.
```sql
SELECT useragent.useragent
FROM ssid, dhcp, useragent
WHERE ssid.mac = dhcp.mac
  AND dhcp.ip = useragent.ip
  AND ssid.ssid != ""
GROUP BY useragent.useragent
```
2) Devices that connected to the forged access point
In part 2, many devices connected to the forged access point. The operating system type and version of the connected devices are shown in Table 3.
This also reflects the number of affected devices in terms of market share; see Figure 7.
3) Automated SSID spoofing
Once the dynamic access point is running, several things can be observed. First, the device takes about 30 seconds to boot. Once up, it serves the underlying SSIDs well. In spoofing mode it takes 10 seconds to restart the hostapd process and update the SSID list before a forged SSID becomes active. While it is running, devices clearly connect to the forged SSIDs automatically. Only a small number of devices were tested, but all of them connected.
0x06 Conclusion
From the collected data, a large percentage of Android, iOS and BlackBerry devices send probe requests. Because these devices hold a large market share, many of them are at risk. It has also been shown that the automated spoofing process works: devices are easily tricked into connecting to a fake AP, which is a problem. This proves that some devices rely only on the SSID to connect to an AP, and that SSID is stored on the device.
0x07 Discussion
More research on this topic could improve the reliability of the market-share figures for devices known to send probe requests. The study did not examine every device, so the number could be higher than currently known. Also, not all devices run the stock operating system; custom ROMs can ship different wireless stacks. Some vendors may have modified the wireless stack as well, so further research should give more detail to make the scope of the problem more precise.
Since the device connects based only on the SSID, it would be better to have it remember the access point more precisely. For example, the device should never remember an insecure (open) network; that makes spoofing more complicated. Alternatively, the device can record the BSSID of the known AP along with the SSID. This also makes spoofing more difficult, because forging the AP then requires knowing the BSSID (the AP's MAC address) as well, and the BSSID is neither exposed in the probe request nor easy to guess.
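The two client-side mitigations proposed above (never remember open networks; match on SSID plus BSSID rather than SSID alone) as an added Python example. This is illustrative code written for this page, not anything from the paper or a real wireless stack; the `Network` record, `KNOWN` list and beacons are constructed, and `ssid_only=True` reproduces the weak SSID-only matching the paper observed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Network:
    """An AP as seen in a beacon, or as stored in the client's known-network list."""
    ssid: str
    bssid: str      # the AP's MAC address; not carried in the client's probe requests
    secured: bool   # False for an open (unprotected) network

def remember_network(joined: Network) -> Optional[Network]:
    """Policy 1 from the discussion: never remember an insecure network.
    Returns the entry to store, or None when the network must not be saved."""
    if not joined.secured:
        return None
    return Network(joined.ssid, joined.bssid.lower(), True)

def should_autoconnect(beacon: Network, known: list, ssid_only: bool = False):
    """Decide whether the client may join `beacon` without user interaction.
    ssid_only=True skips the BSSID check (the weak behaviour the paper found);
    the default also requires the remembered BSSID to match (policy 2).
    Returns (allowed, reason)."""
    for net in known:
        if net.ssid != beacon.ssid:
            continue
        if not beacon.secured:
            return False, "open network: require a manual join"
        if not ssid_only and net.bssid != beacon.bssid.lower():
            return False, "SSID matches but BSSID differs from the remembered AP"
        return True, "known secured AP"
    return False, "unknown SSID"

# Constructed known-network list: a home WPA network and an open airport hotspot the
# user once joined. remember_network() refuses to store the open one.
KNOWN = [n for n in (remember_network(Network("HomeNet", "AA:BB:CC:DD:EE:01", True)),
                     remember_network(Network("Airport", "AA:BB:CC:DD:EE:02", False)))
         if n is not None]

def demo():
    """Beacons from a constructed scan; returns the auto-join decision for each."""
    beacons = [
        Network("HomeNet", "aa:bb:cc:dd:ee:01", True),    # the real home AP
        Network("HomeNet", "de:ad:be:ef:00:01", True),    # same SSID, different AP
        Network("HomeNet", "aa:bb:cc:dd:ee:01", False),   # same name, but now open
        Network("Airport", "aa:bb:cc:dd:ee:02", False),   # open hotspot, never stored
    ]
    return [should_autoconnect(b, KNOWN)[0] for b in beacons]
```

With `ssid_only=True` the second beacon is accepted, which is exactly the SSID-only matching that lets a forged AP succeed.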
Further research should show which strategies are good, and manufacturers should adopt them. Now that this problem is known, whether probe requests need to be sent at all should be investigated further, and they should not be used unless necessary.
In the future, more sophisticated techniques could raise the rate at which devices connect to the DAP. Captured SSIDs could be marked with a higher priority than others, and a successful connection would further raise the priority of the affected SSID. Each SSID would get a frequency attribute, so that the DAP tries to predict which SSID is most likely to succeed, based on the marks mentioned above.