Portable & Mobile Attacks

Ernest Staats EDMODO -- WME393 Technology Director

MS Information Assurance, CISSP, CEH, CWNA, Security+, MCSE, CNA, I-Net+, Network+, Server+, A+ [email protected]

Resources available @www.es-es.net/2.html

The Disclaimer!This workshop is intended to help you understand how

mobile software and hardware can be used to expose

security issues in your network

Have Permission in writing First!

This knowledge is intended to be used responsibly so we

can provide academic environments that are secure, safe

and accessible

So easy a Chimp can do this ….

Software demonstrated comes absolutely with NO WARRANTY. Use entirely at your own risk.

Don’t be a Chimp !!

Ernest is not responsible for any subsequent loss or damage whatsoever!

Portable Apps

ProduKey—view Windows and MS product keys

Wireless Key—View stored wireless keys

Only SCAN Devices you have permission to SCAN

SoftPerfect Network Scanner—Find network devices and DHCP servers

Firefox portable—XSS and SQL tools test my local server 10.37.x.x.

LANSearch—Finding files across a network (find the password file)

Portable Apps 2 MACaddressView—Why Mac filtering is not good security use 802.1x

Change your Mac Address (MacMakeUp (software folder))

mRemoteNG—This application acts a tabbed remote connection manager

CurrPorts—A network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer

WirelessNetView—Displays: SSID, Last Signal Quality, Average Signal Quality, Detection Counter, Authentication Algorithm, Cipher Algorithm, MAC Address, etc

Portable Apps 3 FirefoxDownloadsView—Download URL, Download Filename (with full path), Referrer, MIME Type, File Size, Start/End Time, Download Duration, and Average Download Speed

Recuva FileRestore—Recovers files deleted from your Windows computer, Recycle Bin, digital camera card, or MP3 player

Starter—View and manage all the programs that run automatically whenever your operating system loads

“doors” on the system where info is sent out from and received

When a server app is running on a port, it listens for packets

When there is nothing listening on a port, the port is closed

TCP/IP Stack• 65,536 TCP Ports

What is a Port?

Open – port has an application listening on it, and is accepting packets.

Closed – port is accessible by nmap, but no application is listening on it.

Filtered – nmap can’t figure out if the port is open or closed because the packets are being filtered. (firewall)

Unfiltered – Ports are accessible, but nmap can’t figure out if it is open/closed.

Port Status Types

Any port can be configured to run any service.• But major services stick to defaults

Popular TCP ports/services:• 80 – HTTP (web server)

• 23 – Telnet

• 443 – HTTPS (ssl-encrypted web servers)

• 21 – FTP

• 22 – SSH (shell access)

• 25 – SMTP (send email)

• 110 – POP3 (email retreival)ecure shell, replacement for Telnet)

Typical Ports to know

• 445 – Microsoft –DS (SMB communication w/ MS Windows Services

• 139 – NetBIOS-SSN (communication w/ MS Windows

services

– 143 – IMAP (email retreival)

– 53 – Domain (DNS)

– 3306 – MYSQL (database)

More Ports that you need to know

Nmap ("Network Mapper") is a great tool that we have in both the portable apps and in BT

Extremely powerful.

Simple use:Nmap –v –A

‘v’ for verbosity and ‘A’ for OS/version Detection

nmap

Scan one target or a range

Built-in profiles or make your own for personal ease.

Zenmap

Visual Map• Hop Distance

• Router Information

Group Hosts by Service

Zenmap

Using a quite traceroute

Here are some IPs open to be scanned. Be careful!• 66.110.218.68

• 66.110.220.87

• Hackerinstitute.net

• 66.110.218.106

• moodle.gcasda.org

Just in case• 192.168.2.254

• 192.168.2.240

Using Zenmap

Netsparker Community Edition

Register the Software use an email you can access to activate the software

For the target URL use: 10.37.___.___

Web Tools

Metadata ToolsFOCA (use compatibility mode if needed)

http://www.informatica64.com/DownloadFOCA/

Metagoofilhttp://www.edge-security.com/metagoofil.php

Will extract a list of disclosed PATHs in the metadata, with this information you can guess OS, network names, Shared resources, etc also extracts MAC address MAC address from Microsoft Office documents

EXIF Toolhttp://www.sno.phy.queensu.ca/~phil/exiftool/

EXIF Viewer Pluginhttps://addons.mozilla.org/en-US/firefox/addon/3905

Jeffrey's Exif Viewer http://regex.info/exif.cgi

Examples of file types that contain metadata

JPG EXIF (Exchangeable image file format)IPTC (International Press Telecommunications Council)

PDF

DOC

DOCX

EXE

XLS

XLSX

PNG

Too many to name them all.

MAC addresses, user names, edits, GPS info. It all depends on the file format.

User Names:Creators.Modifiers .Users in paths.

C:Documents and settings/ofmyfile/home/johnny

Operating systemsPrinters.Local and remotePaths

Local and remote.Network info.Shared Printers.Shared Folders.

ACLS.

What Information is in MetaData?

Internal Servers.NetBIOS Name.Domain Name.IP Address.Database structures.Table names.Colum names.

Device hardware info

Photo cameras.Private Info.Personal data.History of use.Software versions.

Search for documents in Google and Bing

Automatic file downloading capable of extracting Metadata, hidden info and lost data cluster information Analyzes the info to fingerprint the network http://www.informatica64.com/FOCA

Fingerprinting Organizations with Collected Archives FOCA

Foca free

Type a project Name then type the URL use: es-es.net

Extract Metadata, it will be displayed on the right hand side of the window

Metadata

– Target Enumeration - who to scan

– Host Discovery – online

– Reverse-DNS resolution – IP -> Host name

– Port Scanning – port opened/closed/filtered

– Version Detection – Version of service

– OS Detection – OS of server

– Traceroute – network routes

FOCA provides most of this list without you ever running a single scan

Phases of Scanning

August of 2010, Adam Savage, of “MythBusters,” took a photo of his vehicle using his smartphone. He then posted the photo to his Twitter account including the phrase “off to work”

Image contained metadata reveling the exact geographical location the photo

Savage revealed the exact location of his home, the vehicle he drives and the time he leaves for work

GEO Tagging GEO Tagging

Read the full story here: http://nyti.ms/917hRh

Cat Schwartz of TechTV and her blog

Go to

Jeffrey's Exif Viewer http://regex.info/exif.cgi

Photo 1photo.JPG

Where was the photo taken of the Police office was the photographer on the sidewalk or somewhere else what kind of device was used to take the photo

Second photo

_MG_5982_ES.jpg what is the ethnicity of the Girl in the photo?

device was used to take the photo

Meta Data Images Hands on

Disable the geotagging function

Most smartphones/Tablets & several cameras automatically display geographical information

It’s important that users make efforts to turn off geotagging

More Info http://es-es.net/2.html

Turn off GPS function on phonesTurn off GPS function on phones

Software• Jpg and PNG metadata striper http://www.steelbytes.com/?mid=30

• Hands-On • Copy image 1 and 2 used earlier down to local system use metadata

striper then compare the results @ http://regex.info/exif.cgi

• BatchPurifier LITE• http://www.digitalconfidence.com/downloads.html

• Doc Scrubber• http://www.javacoolsoftware.com/dsdownload.html

Websites• http://regex.info/exif.cgi • http://trial.3bview.com/3BTrial/pages/clean.jsp • Clean your documents: MSOffice 2k3 & XP

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360

Scrubbing Meta Data

Doc Scrubber—Remove metadata from Word Documents downloaded

Select ALL options, reset Author to ES and Company to ES, Click Next

Metadata tools

InSSIDer

– Inspect your Wi-Fi and surrounding networks

– Troubleshoot competing access points and clogged Wi-Fi channels

– Highlight access points for areas with high Wi-Fi concentration

– Track received signals in dBm over time

View the SSIDs in the top section and the live graph in the bottom section

Wireless Issues

Xirrus Wi-FI Inspector

-Searching for Wi-Fi networks

-Managing and troubleshooting Wi-FI connections

-Verifying Wi-FI coverage

-Locating Wi-FI devices

-Detecting rogue Aps

-Excellent Testing tools i.e. Connection Test, Speed Test, Quality Test

Wireless Issues

Cain and Able—Allows easy recovery of various kind of passwords

-Discover Active WIFI

-Dump locally stored passwords

-Dump WPA2 PSK

Wireless Issues

Last Pass

Logmein

SPiceworks

IRdesktop

Free Wifi

Inet

Citrix

Vsphere

WI-FI Finder

Netmon

Free Pint

NSLookup

NetSwissKnife

DropBox + BoxCryptor

Iphone / IPad Apps

All Devices -- Last Pass - Fing - Network Tools – Citrix - DropBox + BoxCryptor – Pocket Cloud

Iphone / IPad Apps for network and Security

Logmein

IRdesktop

Free Wifi

INetVsphere

WI-FI FinderNetmonFree Pint

NSLookupNetSwissKnife

Serial IO WiSnap WIFI Com Ports for Telnet to switches from Ipad to the Com port on devices

Common & Iphone / IPad Apps

Anti - Wi-fi-scanning tool for finding open networks and showing all potential target devices

Shark for Root - Traffic sniffer, works on 3G and WiFi

Android Apps

ConnectBot—secure shell client can manage simultaneous ssh connections• ArpSpoof

arpspoof is an open source tool for network auditing.It redirects packets on the local network by broadcasting spoofed ARP messages http://www.irongeek.com/i.php?page=security/arpspoof

PortKnocker

The best portknock client on Android! Now with configurable number of ports; support for TCP or UDP; and more!

Nessusnables you to log into your Nessus scanners and start, stop and pause vulnerability scans as well as analyze the results directly from your Android device

Android Apps

Wifi Analyzer— Choose the best WiFI network

NetAudit—TCP port scanner

WiFi Key Recovery—recover the password of a wireless network you have

connected to with your device in the past

FaceNiff—Sniff and intercept web session profiles over the WiFi

Network Discovery -- network tool-- discovering, mapping, scanning, profiling your Wifi network

Computer/device discovery and port scanner for local area network.

 Net Scan--Network scanning and discovery along with port scanner. Find holes and security flaws in your network.

Android Apps

Android Apps

Device IP and hostname, both private and public.

Current mobile Cell and any neighbours, signal strength, location info and type

IMSI/ IMEI (Used to identify a mobile device and Mobile sim card )

Information about the current mobile provider (MCC+MNC, current connection, etc)

The Android device unique ID

Full WiFi connection (MAC, current SSID and BSSID, link speed, IP/Netmask, Gateway, DNS and DHCP servers, etc)

Your current location according to Android No GPS needed

Information regarding Bluetooth status, the current Bluetooth connection(s)

IPv6 device and router IP addresses for all device interfaces

Network Info II

Make a USB bootable using Unetbootin

Back Track5

Capturing Telnet Password with Wireshark

Inside of Backtrack open terminal

“airmon-ng start wlan0”

Open wireshark

Back Track5

Back Track5

Free File Camouflage

A donation screen will appear, click on the skip donation button to launch

the application.

Hiding Files inside a photo

-Must Have Microsoft Network Monitor 3.x

-Run SmartSniff if you want to capture general TCP data or SniffPass if  you

only want to capture passwords.

-You Must Leave the “Switch to Monitor Mode” window OPEN !

When you close this window, the network card will exit from monitor mode

and it'll return back to its normal state.

SniffPass

It draws connections between entities like name, domain, email addresses, etc., good for building a mind map of how things are related. You will have to register for API keys to get the most use out of ithttp://www.paterva.com

Allows you to discover and visualize relationships between atributes like Facebook or Twitter account names, email addresss, phone numbers and other information. It’s the first step when trying to understand where people fit into the digital world, and with whom they are or have been associated.– Get it rigt now

Let’s find someone you know like yourself …

Maltego Hands on

RobTexA great site for doing reverse DNS look-ups on IPs, grabbing Whois contacts, and finding other general information about an IP or domain namehttp://www.robtex.com

ServerSniff ICMP & TCP traceroutes, SSL Info, DNS reports and Hostnames on a shared IP. It’s nice to have them do some of the recon for you

http://serversniff.net

Check if your email address has been owned

http://beta.serversniff.de/compromised.php

Network Domain Info online

WSCC – Windows System Control Center

My first pick isn't actually a Microsoft tool per se: Windows System Control Center is a one-stop downloader for almost 300 maintenance tools from Microsoft's Sysinternals and the ever-popular NirSoft suites: simply download WSCC from KLS-Soft, check all the tools you need and hit "Install

More Tools

Please complete the session evaluation @:

http://www.edmodo.com/fetcsurvey

Please leave Feedback!!

Workshop3HRHO WMEWireless and Mobile Attack