Wireless Drone Strikes---doing wireless attaks with drones

THOTCON 0x5

Presented by: Parker Schmitt
Date: Friday April 25, 2014
Time: 11:30 - 11:50
Location: IB
Track: Turbo

Wireless attacks are easy and rather well known and everyone seems to talk about drones and drone strikes. Chances are many of us have Wifi Pineapples with us right now, or some other wireless device. Public Wifi is amazing: ettercap and SET and you win. No certificate validation? WIN! The downside of many wifi attacks is they require a physical presense---drones can solve these problems; who says missiles and guns are the only way drones can strike? Small drones can go unnoticed, move quickly, and leave. Many wireless devices are rather light much lighter than missiles. The benefit of this is that smaller and cheaper drones are feasible, it's now possible to land on a roof. In most corprate environments the easiest way to pwn is to set up a rogue AP and use FreeRADIUS to steal credentials. This is a practical attack for drones, especially if you're ok with multiple fly-bys. First step, find the SSID, there are lots of people connectiong; kismet and fly back. Then set your ssid and configure FreeRADIUS. Fly by and pwn. Another method is to land on the roof with an LTE card and retransmit the Wifi signals. The first method is faster and cheaper though. Arp poisoning attacks are harder via drone since there is not as much time. But a good public Wifi attack might be to fly a rotocraft or baloon near mobile devices. Arm the aircraft with a 4g uplink (3g or gsm would work but I'd say 4g so the users don't notice anything). Set up a mobile hotspot with ssid of let's say attwifi and you can intercept, ssl strip, use SET and gain shells on phones or laptops. VPNs are amazing, ssl-stripping is an easy win. Even with two factor authentication the credentials are still good for a period of time. Even if an attack is discovered, if you're moving quickly enough it will be hard to pinpoint even the location of the attacker. If you're sitting at Starbucks sniffing credentials and you use them for a newsworthy attack someone might find you on a security camera. If you use gogoinflight they have a list of who bought tickets. However if you fly a drone by starbucks and fly to another there's almost no trace as long as the drone is recovered. (Biodegradeable baloon fabric is possible, I'll try to find some before the talk).

Parker Schmitt

Parker Schmitt is currently working as a penetration tester and is working on some Network/Virtualization Management. He has made various contributions to Gentoo and the Gentoo-Hardened project (mostly in SELinux) and submitted some ebuilds (including Samba 4). In Gentoo he specializes in hardening layers (SELinux, PaX, GRSecurity), Virtualization, and Networking. He also loves mathematics, mathematical modeling, and is a serious crypto nerd. He loves CTF and often plays in them. He became interested in security playing for the Rose-Hulman CCDC team (now he's too old). Outside of security he loves flying airplanes and playing the piano.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats