1、EvilEssid to bypass WIPS surveilled environments伊万伊万Lenovo全球安全实验室首席信息安全研究员提纲OutlineIntroWho am I&Where I workBasic ConceptsEvil Twin meets the DefenderWIPSWhat is this deviceThreat detection methodsIVAN VS WIPS IIDealing with the WIPSHow to create and evil twin bypassing the EvilEssid?My target is t

2、he Human!Creating an evil twin that is not evil twin!Bypassing the WIPSEvilEssidEvilEssid tool introConclusionsIntro自我介绍和联想安全实验室介绍关键词“双面恶魔攻击”遇见“后卫”WIPS设备介绍威胁检测方法IVAN VS WIPS IIDealing with the WIPS如何创建一个不是双面恶魔的“双面恶魔”？人类是安全最薄弱的环节创建一个不是双面恶魔的“双面恶魔”!WIPS绕过实验与结果EvilEssidEvilEssid工具介绍结论自我介绍Who am I关于联想全球安

3、全实验室LenovoGlobal security lab联想全球安全实验室，拥有业界多名安全领域技术专家，具备专业的安全设计、研究与检测能力。实验室以控制产品安全质量为核心，以构筑设备+云+服务的端到端的产品安全生态为使命。研究主流安全攻防技术，构筑产品安全创新生态。实验室研究方向涵盖终端产品安全、云服务安全、IoT产品安全、大数据安全、无线网络安全等方向，专注于端到端的产品安全技术能力研究，同时安全实验室还关注工业互联网、智能交通、智慧城市、智慧家庭等方向的安全研究。The Lenovo Global Security Laboratory is integrated by technic

4、al experts in different areas of the security field,and is focus on secure design,research and penetration testing.The laboratory takes product security and quality as core value and his mission is to help in the creation of end-to-end product security ecology of equipment,cloud and services.Researc

5、h mainstream is offensive and defensive security technologies to build a product security innovation ecosystem.The research direction of the laboratory includes product security,cloud security,IoT security,big data security,wireless network security,etc.At the same time,the security laboratory also

6、pays attention to industrial Internet,intelligent transportation,smart cities and smart homes technologies.关键词-WIFIBasic Concepts WIFISSID:Name of WIFI Network(ESSID).MAC address:Network cards“unique“address.BSSID:AP MAC address.PNL:List of Automatic connect WIFI NetworksSSID:WIFI的名字(ESSID)MAC 地址:网络

7、设备“唯一的”身份号码BSSID:热点的MAC地址PNL(首选网络列表):客户自动连接的WIFI列表WLAN name:WLAN nameMAC Address:关键词 WIFI攻击Basic concepts WIFI attacksDeauthentication AttackEvilTwin attack Deauth frame 802.11 Attacker fake victim MAC D.O.S.Attacker ONLY fake ESSID Client”auto”connect fake AP Difficult to detect For further Attacks

8、Deauth 攻击双面恶魔攻击-无线钓鱼 Deauth frame 802.11 攻击者模仿受害者的MAC地址发Deauth 拒绝服务攻击 攻击者只要模仿目标的 ESSID 受害者“自动”连接恶意热点 很难发现 为了进一步的攻击“双面恶魔攻击”遇见“后卫”Evil Twin meets the DefenderEvil TwinEvil Twin为什么？Why？WIPS0:1WIPS0:1WIPSWIPSWireless Intrusion Prevention SystemHardware or SoftwarePassive/Active roleSniff WIFI trafficDec

9、ide if one AP，client or behavior is or not a threatTake predefined action无线入侵防御系统硬件或软件“被动”和/或“主动”的角色抓 WIFI 流量判断某个热点，客户或行为是否构成威胁执行预定义的措施管理页面WIPS 服务器传感器传感器WIPS威胁检测方法-最常用的WIPS Threat detection methods-Most CommonFingerprint feature(Passive-Sniff)ESSID MAC address Monitor Look for deauth packs,evil Twin

10、sWhitelist(surveilled)ESSIDMACLenovo11:22:33:44:55:66特点指纹(被动模式 抓包)ESSID MAC 地址 监控 查找DEAUTH包，无线钓鱼白名单(监控)ESSIDMACLenovo11:22:33:44:55:66Packet detection(Active)Broadcast check package Sensor capture broadcast WIPS check whitelist Send Alert数据包检测(主动模式)广播检测包 传感器抓检测包 WIPS 查看广播者是否在白名单 发出警报If WIPS discover

11、 an AP that is not in the whitelist,then?如果WIPS发现一个热点不在白名单里怎么办?Fingerprint feature(Passive)Essid Surveilled Look for deauth attacks and evil twins.White List(surveilled)ESSIDMACLenovo11:22:33:44:55:66Nothing!1.Not whitelisted AP doesnt mean threat!2.Attack is illegal 3.Just Send message to Admin Can

12、t perform any action白名单(监控)ESSIDMACLenovo11:22:33:44:55:66特点指纹(被动角色 抓包)ESSID 监控 查找DEAUTH包，无线钓鱼没有怎么办!1.热点不在白名单里，不代表是一个威胁2.乱攻击是非法的3.只能通知管理员什么都不能做!问题Question!Assume my WIPS use：假设我的WIPS用：IVAN VS WIPS IIIVAN VS WIPS IITo test if WIPS use Fingerprint features method(ESSIS,MAC address)1.Create AP with SAM

13、E ESSID but different MAC.2.Create one AP with ESSID like target AP.Target:Defcon010测试WIPS是否使用指纹特征的方法(ESSID,MAC address)1.创建一个ESSID跟目标热点一样，但是MAC地址不一样的热点。2.创建一个跟目标热点的ESSID相近的热点。目标ESSID:Defcon0101:11:1已知WIPSThey Just check ESSID.Have active role but cant be used too much.Is possible to create a rogue

14、AP but not evil twins.What I KnowWIPS仅检测ESSID有主动角色，但是不能乱用在监控环境可以创建一个恶意热点，但 是 不 能 用 目 标 热 点 的ESSID。How can I create a evil twin that is not evil twin？What is my target?我的目标是什么?如何创建一个不是双面恶魔的“双面恶魔”？人类是安全最薄弱的环节Humans are the weakest linkHow can I create an evil twin that is not evil twin How can I creat

15、e an evil twin that looks like an evil twin but is not an evil twin 如何创建一个不是双面恶魔的“双面恶魔”？如何创建一个跟双面恶魔相像、但却不是双面恶魔的“双面恶魔”呢？社会工程来相助Social Engineering to the rescueExchange letters for numbers/lettersGoogle GoogIeGoogle G00gleJumble lettersAltavista AtlavistaLenovoLeonvoExist any difference？soso 字母换数字/字母G

16、oogle GoogIeGoogle G00gle字母位置替换Altavista AtlavistaLenovoLeonvo有区别吗？soso 国际化域名（IDN）International Domain Name(IDN)是指部分或完全使用非英文字母组成的互联网域名。（Cyrillic）ICANN限制Domain name composed by non-eng （Cyrillic）ICANN 创建一个不是双面恶魔的“双面恶魔”Creating an evil twin that is not evil twinThe ESSID is different then we can evade

17、 the WIPSFor Humans looks the same,this is my twin因为跟目标热点的ESSID不一样，所以可以绕过WIPS在人类的眼睛看来，目标热点和我创建的热点一样，这就是双面恶魔攻击实验与结果Experiments&Results#BssidChannelEssid结果1相同相同EvilEssid绕过2不同相同EvilEssid绕过3相同不同EvilEssid绕过4不同不同EvilEssid绕过5不同不同Target EssidDetected2:1BlockUnblockIgnoreTrustedThreatUnknownUnknowThreatTrust

18、edIgnoreUnblockBlockESSIDMACLocationFactorySignalstrengthAdd FilterDispatchESSIDMACFactorySignalstrengthStatus#BssidChannelEssidResult1SameSameEvilEssidBypass2DifferentSameEvilEssidBypass3SameDifferentEvilEssidBypass4DifferentDifferentEvilEssidBypass5DifferentDifferentTarget EssidDetected2:1EvilEssi

19、d 全模式EvilEssid Complete ModeScan for possible targetGenerate possible EvilEssidsCreate an EvilTwinusing EvilEssid扫描为找目标生成可能的EvilEssid使用EvilEssid创建EvilTwin生成 EvilEssid 模式EvilEssid-Generator Input target ESSIDGenerate possible EvilEssidsUse it in your preferred device or way输入目标热点的ESSID生成可能的EvilEssid随

20、心所欲结论ConclusionsDo not blindly believe in your WIPS.Check the unknown APs for possible threats(Cyrillic,Greek,.).Train your users for WIFI threats.No autoconnectionNew technique to create evil twins in WIPS surveilled environmentsNew tool to Help youNo autoconnection介绍了在WIPS监控的环境创建双面恶魔攻击的新技术和新工具；不自动连接。不要盲目信任你的WIPS；检查未知热点，防范可能的攻击（西里尔字母、希腊字母）；培训你的用户防范WIFI威胁；不自动连接WIPS制造商的防御WIPS manufacturer countermeasuresUse image recognition tech to detect letters differences.Alert for ESSIDs that use other alphabets.用图像识别技术来检测字母差异。警报使用其他字母的ESSID。