Sunday, June 9, 2013

iStupid: Advanced Usage

This is a follow-up to the original iStupid introduction and the iStupid setup & basic usage blog posts. The simplest way of launching iStupid is by specifying the local Wi-Fi interface in monitor mode (e.g. mon0). However, this is not a very useful alternative for the main purpose of the tool, as it will start announcing a random SSID (or network name) that will hardly match any entry on the target iOS mobile device PNL.

The "-v" (or verbose) option allows you to see how iStupid continuously generates 802.11 beacon frames (as it displays dots while sending 802.11 frames; see image above) and can be combined with any other option.

iStupid also allows you to set the channel ("-c" option) for the impersonated Wi-Fi network (not required, as Wi-Fi clients monitor networks and send probe requests through all the different channels), specify the BSSID of the Wi-Fi network via the "-b" option (random by default), set the beacon interval ("-i" option; 100 ms by default), and set the 802.11 rates (11b or 11g; "-t" option). The "-h" option provides help and all the details about these command line switches.

The most interesting command line switch is "-m". When the "-m" option is used, iStupid will monitor specific probe requests sent by Wi-Fi clients for the same SSID that it is announcing. This feature allows iStupid to automatically identify the security type of the Wi-Fi network stored on the target iOS mobile device for a given SSID, complementing the manual security type detection process described in the iStupid basic usage blog post.

In order to accurately and quickly use iStupid automatic detection capabilities through the "-m" option, due to the way iOS mobile devices scan for Wi-Fi networks and based on the research I performed, the best option is to ensure the iOS mobile device cannot currently connect to any nearby network (turn off the known Wi-Fi access points, if any). Then, execute these steps in the following order:
  1. Disable the Wi-Fi interface in the target iOS device.
  2. Launch iStupid with the desired options (e.g. "--loop" and "-m").
  3. Enable the Wi-Fi interface in the target iOS device.
After the Wi-Fi interface is turned on, the iOS mobile device will start scanning for the currently available Wi-Fi networks and will find the iStupid impersonated network. If that network is available on its PNL (same name and security type), the device will send particular 802.11 probe requests for it. As a result, iStupid will print out the MAC address of the iOS device. iStupid allows monitoring a single Wi-Fi client MAC address (e.g. "-m 00:01:02:03:04:05") or, through the "-m ff:ff:ff:ff:ff:ff" option, multiple clients (in practice, all nearby clients).

As the network security type is initially unknown, by combining the "-m" and the "--loop" options iStupid will iterate through the different security types and, once the iOS device identifies the network available on its PNL, it will specifically probe for it and its MAC address will be displayed on the right hand side of the corresponding security type, automatically disclosing the security type of the legitimate network [0].

Additionally, the time iStupid spends on each security type can be adjusted through the "--loop_interval" option. The default value of 30 seconds works pretty well to allow iOS devices to rescan for new Wi-Fi networks.
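The correlation performed by "-m" combined with "--loop" can be sketched as follows; this is an added example, not iStupid's own code. It parses raw 802.11 probe requests, keeps those directed at the announced SSID, and attributes each one to the security type announced at that moment, ignoring probes close to a switch and requiring two hits on a single type to absorb the stray probes described in footnote [0]. Assumptions: the security type names and their order, the 2-second guard margin, the two-hit rule, frames captured without radiotap header or FCS, and the constructed sample frame builder.

```python
from collections import Counter

PROBE_REQ = 0x40  # frame control byte 0: version 0, type management, subtype 4
BROADCAST = "ff:ff:ff:ff:ff:ff"
SECURITY_TYPES = ["open", "wep", "wpa", "wpa2"]  # assumed names and loop order

def parse_probe_request(frame):
    """Return (source_mac, ssid_bytes) from a raw 802.11 frame (no radiotap, no FCS)."""
    if len(frame) < 24 or frame[0] != PROBE_REQ:
        return None
    mac = ":".join("%02x" % b for b in frame[10:16])  # addr2 = transmitter
    pos = 24  # probe requests carry only tagged elements after the header
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        if pos + 2 + length > len(frame):
            return None  # truncated element
        if tag == 0:  # SSID element
            return mac, frame[pos + 2:pos + 2 + length]
        pos += 2 + length
    return None

def directed_probe(frame, ssid, watch=BROADCAST):
    """MAC of a client probing specifically for `ssid`, else None."""
    parsed = parse_probe_request(frame)
    if parsed is None or parsed[1] != ssid.encode():
        return None  # not a probe request, wildcard SSID, or another network
    mac = parsed[0]
    return mac if watch.lower() in (BROADCAST, mac) else None

def security_type_at(t, start, interval=30.0, guard=2.0):
    """Security type announced at time t, or None close to a switch."""
    offset = (t - start) % interval
    if offset < guard or interval - offset < guard:
        return None
    return SECURITY_TYPES[int((t - start) // interval) % len(SECURITY_TYPES)]

def classify(events, ssid, start, watch=BROADCAST):
    """events: (timestamp, frame) pairs. Needs 2+ hits on exactly one type."""
    hits = Counter()
    for t, frame in events:
        kind = security_type_at(t, start)
        if kind and directed_probe(frame, ssid, watch):
            hits[kind] += 1
    strong = [k for k, n in hits.items() if n >= 2]
    return strong[0] if len(strong) == 1 else None

def build_probe(mac, ssid):  # constructed sample frame, not captured traffic
    sa = bytes.fromhex(mac.replace(":", ""))
    hdr = b"\x40\x00\x00\x00" + b"\xff" * 6 + sa + b"\xff" * 6 + b"\x00\x00"
    return hdr + bytes([0, len(ssid)]) + ssid.encode() + b"\x01\x04\x02\x04\x0b\x16"
```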

Once the security type of the network has been identified, you can directly delete the network from the device PNL or easily relaunch iStupid with that specific security type (instead of "--loop") and proceed to delete the associated entry from the hidden PNL... slowly :-)

Something else I discovered when developing iStupid is that iOS might present weird GUI behaviors when the same network name is switching over different security types. As a result, the lock that indicates that a network is "secure" might dance, that is, appear on the top left hand side of the network name :-)

Nowadays, iStupid can also be used to manage and remove the entries from the Windows 8 hidden PNL, although you can also use the "netsh" command line tool (e.g. "netsh wlan show profiles") or the WiFi Profile Manager 8 graphical tool (Thanks Dennis Weber - Bechtle BISS - for the heads up!). Surprisingly, Windows 8 does not include the "Manage wireless networks" option available within the "Network and Sharing Center" in Windows 7. Nor does it include the "advanced" button that allows managing the PNL in Windows Phone 8 (see slide 8 of my RootedCON 2013 presentation for a screenshot sample). As with iOS, only when the Wi-Fi network is in range can you right-click on it from the list of currently available networks in the default Windows 8 graphical interface and access the advanced options to manage the PNL.

Shameless plug: I will be teaching the 6-day SANS SEC575 training, "SEC575: Mobile Device Security and Ethical Hacking", in Tokyo (October 21-26, 2013) and London (November 18-23, 2013).

[0] iStupid does not use advanced multi-thread locks and synchronization, so potentially the MAC address of the Wi-Fi client could be printed on a nearby security type. This can also occur if the target iOS device decides to probe for the network at any given time, such as when it wakes up from an idle state.