Insert Your Name
Insert Your Title
Insert Date
New World – New Security
BYOD…. & some cool h@ck1ng gadgets / tools….
Roy G...
2© SafeNet Confidential and Proprietary
Who We Are
Trusted to protect the world’s most sensitive data for
the world’s most...
3© SafeNet Confidential and Proprietary
-Disclaimer
-Local Laws
-USB HID Device
-Cool Wi-Fi story
-Wi-Fi MITM Experiment…....
4© SafeNet Confidential and Proprietary
Legal Disclaimer
Hacking without permission may result
in a prison sentence – do n...
5© SafeNet Confidential and Proprietary
6© SafeNet Confidential and Proprietary
+
USB HID- Scripting 101
7© SafeNet Confidential and Proprietary
As Storage
As Keyboard
8© SafeNet Confidential and Proprietary
Script Encode Payload
USB HID- Keyboard Scripting For Fun
9© SafeNet Confidential and Proprietary
USB HID- Keyboard Scripting Not For Fun
Script Encode Payload
10© SafeNet Confidential and Proprietary
USB HID- Keyboard Scripting Not For Fun
11© SafeNet Confidential and Proprietary
Imagine you are Chuck, a Wi-Fi penetration tester at
ACME Corp., sitting at the c...
12© SafeNet Confidential and Proprietary
Since Alice has connected to ACME Corp. wireless from her tablet
in the past it r...
13© SafeNet Confidential and Proprietary
Chuck (that’s you!) has a Wi-Fi Pen testing device in his bag.
The device is cons...
14© SafeNet Confidential and Proprietary
Once Alice’s tablet receives the probe response from Chuck’s
device they begin th...
15© SafeNet Confidential and Proprietary
Now that Chuck’s internet enabled device has made
friends with Alice’s tablet she...
16© SafeNet Confidential and Proprietary
Chuck is even capable of saving Alice’s browsing
sessions to disk for later analy...
17© SafeNet Confidential and Proprietary
Since Chuck can’t stay at the ACME Corp. cafeteria
all day, he considers leaving ...
18© SafeNet Confidential and Proprietary
In this case Chuck is able to remotely manage the
device a few ways. If no intern...
19© SafeNet Confidential and Proprietary
www
Probe requests
Proberequests
20
Wi-Fi MITM Experiment : mk4 karma, urlsnarf, dns spoof , facebook/twitter phishing
phishing site
21
Cell phone tracking device….send pic…see gps,txt,calls,email….
22© SafeNet Confidential and Proprietary
Hacking Gadgets…..who needs them….when..
23© SafeNet Confidential and Proprietary
Hacking Gadgets…..who needs them….when..
24© SafeNet Confidential and Proprietary
Hacking Gadgets…..who needs them….when..
25© SafeNet Confidential and Proprietary
The Weapons – Hands On
Cain & Abel is a password recovery tool for Microsoft Oper...
26© SafeNet Confidential and Proprietary
Cain & Abel has been developed in the hope that it will be useful for
network adm...
27© SafeNet Confidential and Proprietary
-Added support for Windows 2008 Terminal Server in APR-RDP sniffer filter.
- Adde...
28© SafeNet Confidential and Proprietary
ARP Poison
Select interface - Scan for hosts - Poison ARP Table - Look for PW’s
B...
29© SafeNet Confidential and Proprietary
Ophcrack is an open source (GPL licensed) program that cracks Windows passwords
b...
30© SafeNet Confidential and Proprietary
XP Rainbow Tables Example:
The Weapons – Hands On
31© SafeNet Confidential and Proprietary
Vista / Win 7 Rainbow Tables Example:
The Weapons – Hands On
32© SafeNet Confidential and Proprietary
Example using a XP VM
Length = 14
Predefined Charset :
Base64 = Decimal + Lowerca...
33© SafeNet Confidential and Proprietary
Lets take it for a ―Test Drive‖
In Under 4min
The Weapons – Hands On
34© SafeNet Confidential and Proprietary
CAIN vs OPHCRACK
The Weapons – Hands On
35© SafeNet Confidential and Proprietary
CAIN vs OPHCRACK
The Weapons – Hands On
36© SafeNet Confidential and Proprietary
Upcoming SlideShare
Loading in …5
×

Holland safenet livehack hid usb pineapple_cain_oph_with_video

556 views
445 views

Published on

Life Hacking presentation Roy Gray, Safenet

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
556
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
29
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Holland safenet livehack hid usb pineapple_cain_oph_with_video

  1. 1. Insert Your Name Insert Your Title Insert Date New World – New Security BYOD…. & some cool h@ck1ng gadgets / tools…. Roy Gray CISSP-CCIE-CCNA-CEH-CHFI roy.gray@safenet-inc.com © SafeNet Confidential and Proprietary
  2. 2. 2© SafeNet Confidential and Proprietary Who We Are Trusted to protect the world’s most sensitive data for the world’s most trusted brands. We protect the most money that moves in the world, $1 trillion daily. We protect the most digital identities in the world. We protect the most classified information in the world. FOUNDED 1983 REVENUE ~500m EMPLOYEES +1,500 In 25 countries OWENERSHIP Private GLOBAL FOOTPRINT +25,000 Customers in 100 countries ACCREDITED Products certified to the highest security standard
  3. 3. 3© SafeNet Confidential and Proprietary -Disclaimer -Local Laws -USB HID Device -Cool Wi-Fi story -Wi-Fi MITM Experiment….Want to take part? -Example ―cracking‖ sites -Cain & Able ARP MITMA -Cain & Able Brute Force -Cain & Able R$A Calculator -OPH Rainbow tables
  4. 4. 4© SafeNet Confidential and Proprietary Legal Disclaimer Hacking without permission may result in a prison sentence – do not try any of these techniques at home *See Hacking Law’s from CEH* Do send me a postcard though and tell me which one you used!
  5. 5. 5© SafeNet Confidential and Proprietary
  6. 6. 6© SafeNet Confidential and Proprietary +
  7. 7. USB HID- Scripting 101 7© SafeNet Confidential and Proprietary As Storage As Keyboard
  8. 8. 8© SafeNet Confidential and Proprietary Script Encode Payload USB HID- Keyboard Scripting For Fun
  9. 9. 9© SafeNet Confidential and Proprietary USB HID- Keyboard Scripting Not For Fun Script Encode Payload
  10. 10. 10© SafeNet Confidential and Proprietary USB HID- Keyboard Scripting Not For Fun
  11. 11. 11© SafeNet Confidential and Proprietary Imagine you are Chuck, a Wi-Fi penetration tester at ACME Corp., sitting at the cafeteria. Busy office workers that BYOD, are eating, socializing and using the Internet from their laptops, smartphones and tablets. Alice is sitting across from you pulling a tablet from her purse. She intends to connect to the wireless, and surf during lunch. The tablet, waking up, transmits Wi-Fi probe requests looking for preferred networks.
  12. 12. 12© SafeNet Confidential and Proprietary Since Alice has connected to ACME Corp. wireless from her tablet in the past it remembers the network name (SSID) and looks for it periodically in this fashion. If the network is within range it will receive a probe response to its probe request. The probe responses provides Alice’s tablet with the necessary information it needs to associate with ACME Corp. network. Since this process happens automatically for every network Alice frequently connects to, both on her tablet and laptop she isn’t inconvenienced by choice when getting online at the office, home, cafes or even airplanes! Probe responses Probe requests
  13. 13. 13© SafeNet Confidential and Proprietary Chuck (that’s you!) has a Wi-Fi Pen testing device in his bag. The device is constantly listening for probes requests. When it hears the probe request for the ACME Corp. network from Alice’s tablet it responds with an appropriately crafted probe response. This informs Alice’s tablet that the device is in fact the ACME Corp. wireless network. Of course this is a lie that Alice’s tablet will believe. This simple yet effective lie is responsible for the device’s code name ―Jasager‖ –German for ―The Yes Sayer‖ or ―The Yes Man‖.
  14. 14. 14© SafeNet Confidential and Proprietary Once Alice’s tablet receives the probe response from Chuck’s device they begin the process of associating, and within moments her tablet has obtained an IP address this the Pen test device’s DHCP server. The Pen test device’s DHCP server provides Alice’s tablet with not only an IP address, but DNS and routing information necessary to get her online. Chuck has the Pen test device ―dialled-up‖ to the internet via a pre -configured USB Modem, the default gateway used by Alice’s tablet will be the IP of the Pen test device. Probe responses Probe requests
  15. 15. 15© SafeNet Confidential and Proprietary Now that Chuck’s internet enabled device has made friends with Alice’s tablet she is free to browse the web and Chuck is free to eavesdrop and even change the web she sees. Using man in the middle tools, Chuck is able to watch what web sites Alice visits (url snarf). Since Chuck is particularly mischievous he prefers to change what servers Alice connects to when looking up a website (dns spoof)—thus replacing would be kitten videos with ones of puppies. Oh the horrors!...
  16. 16. 16© SafeNet Confidential and Proprietary Chuck is even capable of saving Alice’s browsing sessions to disk for later analysis (tcpdump), intercept secure communications (sslstrip), or inject malicious code on to websites (ettercap-ng). Alternatively if Chuck chooses not to provide internet access at all the device will still be an effective wireless auditing tool. By enabling DNS spoof Chuck is able to redirect Alice’s browsing session from legitimate websites to the device’s built in web server, which may host a number of phishing sites, password harvesting or malware.
  17. 17. 17© SafeNet Confidential and Proprietary Since Chuck can’t stay at the ACME Corp. cafeteria all day, he considers leaving his device on site. The device is concealed in a case with a battery pack, hidden in plain sight.
  18. 18. 18© SafeNet Confidential and Proprietary In this case Chuck is able to remotely manage the device a few ways. If no internet access is being provided Chuck must be within range of the device wireless network in order to connect to the management SSID. If internet access is provided, Chuck can configure a persistent SSH tunnel. With an SSH or VPN tunnel enabled, internet traffic from the device connected client routes through the tunnel endpoint – typically a virtual private server. From this VPS Chuck may also extend the man in the middle attack.
  19. 19. 19© SafeNet Confidential and Proprietary www Probe requests Proberequests
  20. 20. 20 Wi-Fi MITM Experiment : mk4 karma, urlsnarf, dns spoof , facebook/twitter phishing phishing site
  21. 21. 21 Cell phone tracking device….send pic…see gps,txt,calls,email….
  22. 22. 22© SafeNet Confidential and Proprietary Hacking Gadgets…..who needs them….when..
  23. 23. 23© SafeNet Confidential and Proprietary Hacking Gadgets…..who needs them….when..
  24. 24. 24© SafeNet Confidential and Proprietary Hacking Gadgets…..who needs them….when..
  25. 25. 25© SafeNet Confidential and Proprietary The Weapons – Hands On Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by: -Sniffing the network -Cracking encrypted passwords using Dictionary -Brute-Force and Cryptanalysis attacks -Recording VoIP conversations -Decoding scrambled passwords -Recovering wireless network keys -Revealing password boxes -Uncovering cached passwords -Analyzing routing protocols….and more.
  26. 26. 26© SafeNet Confidential and Proprietary Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration tester and everyone else that plans to use it for ethical reasons. The latest version is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also includes routing protocols authentication monitors & routes extractors, dictionary & brute-force crackers for all common hashing algorithms & for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders & some not so common utilities related to network and system security. The Weapons – Hands On
  27. 27. 27© SafeNet Confidential and Proprietary -Added support for Windows 2008 Terminal Server in APR-RDP sniffer filter. - Added Abel64.exe and Abel64.dll to support hashes extraction on x64 OS. - Added x64 operating systems support in NTLM hashes Dumper, MS-CACHE hashes Dumper, LSA Secrets Dumper, Wireless Password Decoder, Credential Manager Password Decoder, DialUp Password Decoder. - Added Windows Live Mail (Windows 7) Password Decoder for POP3, IMAP, NNTP, SMTP and LDAP accounts. - Fixed a bug of RSA SecurID Calculator within XML import function. - Fixed a bug in all APR-SSL based sniffer filters to avoid 100% CPU utilization while forwarding data. - Executables rebuilt with Visual Studio 2008. **Be very aware of versions with screenscrape / backdoors, not downloaded from the correct source. The Weapons – Hands On
  28. 28. 28© SafeNet Confidential and Proprietary ARP Poison Select interface - Scan for hosts - Poison ARP Table - Look for PW’s Brute Force R$A Calculator…and more Lets take it for a ―Test Drive‖ Industry Example: The Weapons – Hands On
  29. 29. 29© SafeNet Confidential and Proprietary Ophcrack is an open source (GPL licensed) program that cracks Windows passwords by using LM hashes through rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows. It is claimed that these tables can crack 99.9% of alphanumeric passwords of up to 14 characters in usually a few minutes. A rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function, often a cryptographic hash function. A common application is to make attacks against hashed passwords feasible. The Weapons – Hands On
  30. 30. 30© SafeNet Confidential and Proprietary XP Rainbow Tables Example: The Weapons – Hands On
  31. 31. 31© SafeNet Confidential and Proprietary Vista / Win 7 Rainbow Tables Example: The Weapons – Hands On
  32. 32. 32© SafeNet Confidential and Proprietary Example using a XP VM Length = 14 Predefined Charset : Base64 = Decimal + Lowercase + Uppercase + Special Characters < 4min CRACKED! The Weapons – Hands On
  33. 33. 33© SafeNet Confidential and Proprietary Lets take it for a ―Test Drive‖ In Under 4min The Weapons – Hands On
  34. 34. 34© SafeNet Confidential and Proprietary CAIN vs OPHCRACK The Weapons – Hands On
  35. 35. 35© SafeNet Confidential and Proprietary CAIN vs OPHCRACK The Weapons – Hands On
  36. 36. 36© SafeNet Confidential and Proprietary

×