Showing posts with label defcon. Show all posts

Tuesday, August 11, 2009

Beyond WiFish-Finder

In the previous post, we saw how WiFish-Finder can find the security settings of the SSIDs configured on our wireless client. So the natural question that comes to mind is: ok great, you have found the security settings of the SSIDs in my PNL, but how are you going to use this information? How does it make my client vulnerable?

The answer is: your client is vulnerable if any of the SSIDs configured on it is set to connect to an open or weakly secured AP. An attacker can use this information to set up a "honeypot AP" with the same security settings, and your client will connect to that honeypot AP. Once your client has associated to the attacker's AP, a layer 2 connection has already been made. If your client is configured to use a DHCP address and the attacker's AP is running a DHCP server, the wireless client will get an IP address from the attacker's honeypot AP, and at that point the attacker has a layer 3 connection to your client as well. I will not describe in this post what an attacker can do once he has a layer 3 connection, but I will definitely put up some more posts explaining what more can be done.

Access points which can be considered weakly secured are:
1. Open Auth/No encryption
2. Open Auth/WEP encryption (the WEP key can easily be broken)
3. Shared Key Auth/WEP encryption (SKA just makes it easier to crack the key)
4. WPA/WPA2-PSK (only a dictionary attack is possible, so if you choose a strong key it's safe)

The most secure configuration as of now is WPA/WPA2 using 802.1x authentication. We will see in the coming posts how a MITM attack is possible in some cases even if the client is configured with the most secure configuration (WPA/WPA2, 802.1x, PEAP).

WiFish-Finder

I'm starting this blog with WiFish-Finder, a wireless client vulnerability assessment tool which has just been presented at Defcon 17.
http://www.defcon.org/html/defcon-17/dc-17-speakers.html#Ahmad

What the tool does: it reports the security and authentication settings of the SSIDs configured in the wireless client's PNL.

Now, before we go further and try to understand how the tool does it, we first need to understand the basics of how a wireless client connects to a network.
When a wireless client refreshes its wireless network list, it is presented with a list of wireless networks in the vicinity. This list is known as the ANL (Available Network List). It is populated by collecting the beacons and probe responses sent by the APs, in which they advertise their supported rates, security settings, etc. There is one more list, known as the PNL (Preferred Network List), which stores the wireless network configurations the client has connected to in the past. The wireless interface keeps probing for the networks in the PNL, and if it finds one such network, it tries to connect to it.

For this tool, as we are interested in finding a vulnerable client, i.e. a client which is configured to connect to an open/weakly secured SSID, we will focus on the PNL. To know the security settings of the SSIDs configured in the wireless client, the tool has to collect association requests from the client (as only the assoc request carries this information). But the wireless client wouldn't send an assoc request if the security settings sent by the AP in the probe response do not match the security settings of the configured SSID.

So how the tool does it: the tool listens for probe requests and sends probe responses. If it does not get an assoc request for that SSID/client, the next time it gets a probe request for the same SSID/client, it changes the security settings in the probe response. WiFish-Finder keeps doing this until it gets an assoc request from the client. As the tool maintains the list per client per SSID, it is able to tell when the same SSID has been configured with different security settings on different clients.
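As an added defender-side example (not part of the original post or of WiFish-Finder), the logic below looks for the same behaviour from the other direction: a BSSID that answers one client's probes for one SSID with changing security settings, and a client that then associates to a weakly secured SSID. The frame records, MAC addresses and SSIDs are constructed and the field names are an assumption; a real deployment would fill them from a monitor-mode capture.

```python
"""Defender-side detector for the probe-response security cycling that a
WiFish-Finder style honeypot AP performs (added example, not the tool's code).
Frame records are a constructed, simplified view of captured management frames."""
from collections import defaultdict

# Weak configurations named in the post; anything else (e.g. WPA2 with
# 802.1X) is treated as acceptable.
WEAK_SECURITY = {
    ("open", "none"): "Open Auth/No encryption",
    ("open", "wep"): "Open Auth/WEP",
    ("shared", "wep"): "Shared Key Auth/WEP",
    ("wpa", "psk"): "WPA/WPA2-PSK (dictionary attack possible)",
}

def analyze(frames):
    """Return (cycling_alerts, weak_associations).
    cycling_alerts: (bssid, client, ssid, settings) for each BSSID that answered
      one client's probes for one SSID with more than one security setting.
    weak_associations: (client, ssid, reason) for association requests to a
      weakly secured SSID."""
    offered = defaultdict(set)  # (bssid, client, ssid) -> {(auth, cipher)}
    weak = []
    for f in frames:
        key = (f["auth"], f["cipher"])
        if f["type"] == "probe_resp":
            offered[(f["bssid"], f["client"], f["ssid"])].add(key)
        elif f["type"] == "assoc_req" and key in WEAK_SECURITY:
            weak.append((f["client"], f["ssid"], WEAK_SECURITY[key]))
    cycling = [(b, c, s, sorted(v)) for (b, c, s), v in offered.items() if len(v) > 1]
    return cycling, weak

def frame(kind, bssid, client, ssid, auth, cipher):
    return {"type": kind, "bssid": bssid, "client": client,
            "ssid": ssid, "auth": auth, "cipher": cipher}

# Constructed sample: BSSID ...01 cycles its offered security for "corp-guest"
# toward client 00:11:22:33:44:55 until it associates with Open/WEP, while a
# legitimate AP (...02) answers another client consistently with WPA2/802.1X.
ROGUE, LEGIT = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
VICTIM, OTHER = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE_FRAMES = [
    frame("probe_resp", ROGUE, VICTIM, "corp-guest", "wpa", "8021x"),
    frame("probe_resp", ROGUE, VICTIM, "corp-guest", "wpa", "psk"),
    frame("probe_resp", ROGUE, VICTIM, "corp-guest", "open", "wep"),
    frame("assoc_req", ROGUE, VICTIM, "corp-guest", "open", "wep"),
    frame("probe_resp", LEGIT, OTHER, "corp-secure", "wpa", "8021x"),
    frame("probe_resp", LEGIT, OTHER, "corp-secure", "wpa", "8021x"),
]

if __name__ == "__main__":
    print(analyze(SAMPLE_FRAMES))
```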
What you need to have:
1. A Linux machine with a wireless driver supporting packet injection in monitor mode (madwifi-ng)
2. A wireless card (Cisco a/b/g)

The tool is available for download here:
http://blog.airtightnetworks.com/wifish-finder/

If you find any problem running this tool, please feel free to comment on this post. I will try to reply ASAP. The next version of the tool, which adds PEAP vulnerability detection, will be uploaded soon. I will explain that feature when the next version is available.