Scenario Based Hacking – Enterprise Wireless Security

Vivek Ramachandran
Founder, SecurityTube.net
vivek@securitytube.net

©SecurityTube.net
Vivek Ramachandran

• B.Tech, ECE, IIT Guwahati
• 802.1x, Cat65k at Cisco Systems
• WEP Cloaking (Defcon 15)
• Caffe Latte Attack (Toorcon 9)
• Media coverage: CBS5, BBC
• Microsoft Security Shootout
• Trainer, 2011
• Wi-Fi Malware, 2011

In-Person Trainings

SecurityTube Online Certifications
• 25+ Countries

Free DVD (12+ Hours of HD Videos)
http://www.securitytube.net/downloads
Scenario Based Hacking

• Multiple courses are available from different certification bodies
• They concentrate on tools rather than on how to apply them
  – Script kiddie mentality
• Real world scenarios are not used
• Students find it tough to excel in the real world

The Real World

• Complicated scenarios
• Heterogeneous architecture
• Multiple security controls present at the same time
  – Firewalls, IDS/IPS, etc.
• Requires one to be a master of all, rather than a jack of all trades
• Basically "Scenario Based Hacking"
Understanding Scenario Based Hacking

 Component           Scenario 1   Scenario 2   Scenario 3   Scenario 4
 Patches             X            Present      Present      Present
 Personal Firewall   X            X            Present      Present
 AV                  X            X            X            Present
 NAT                 X            X            X            X
 Firewall            X            X            X            X
 IDS                 X            X            X            X
 IPS                 X            X            X            X
 WAF                 X            X            X            X
 …                   …            …            …            …

(X = control absent; each scenario to the right adds one more control the attacker has to deal with)
Simple Scenarios
(diagram: attacker on the Internet, target host directly reachable)

• No patches
• No AV
• No Firewall
• No Network IDS/IPS
• Direct Access (No NAT)
• …..

Complicated

Interesting Ones!
• Coffee Shop
• Airport
Scenario Based Hacking for Wireless

• Enterprise Wireless Attacks
  – PEAP
  – EAP-TTLS
• Enterprise Rogue APs, Worms and Botnets

Enterprise Wireless Attacks: PEAP and EAP-TTLS
WPA-Enterprise (802.1X/EAP exchange)

Supplicant                     Authenticator (AP)                 Authentication Server
  -- Association ------------>
  -- EAPoL Start ------------>
  <- EAP Request Identity ----
  -- EAP Response Identity -->   -- EAP Response Identity (RADIUS) -->
  <- EAP Packets ------------>   <- EAP Packets (RADIUS) ----------->
  <- EAP Success ------------    <- EAP Success, PMK to AP ----------
  <- 4 Way Handshake -------->
  <- Data Transfers --------->

The AP only relays EAP between the supplicant and the RADIUS server; when the server returns EAP Success it also hands the AP the PMK, which the 4 Way Handshake turns into the session keys.
WPA-Enterprise

• Uses a RADIUS server for authentication
• Different supported EAP types – PEAP, EAP-TTLS, EAP-TLS etc.
• De facto server
  – FreeRADIUS, www.freeradius.org
• The EAP type in use decides what has to be configured on the client and on the server (certificates, credentials, inner method)

FreeRADIUS Wireless Pwnage Edition (FreeRADIUS-WPE)

A patched FreeRADIUS that accepts any credentials and logs the inner authentication (MSCHAPv2 challenge/response, PAP passwords) it receives.
http://www.willhackforsushi.com/FreeRADIUS-WPE.html
WPA/WPA2 Enterprise: EAP types by real world usage

 EAP Type    Real World Usage
 PEAP        Highest
 EAP-TTLS    High
 EAP-TLS     Medium
 LEAP        Low
 EAP-FAST    Low
 ….          ….
PEAP

• Protected Extensible Authentication Protocol
• Typical usage:
  – PEAPv0 with EAP-MSCHAPv2 (most popular)
    • Native support on Windows
  – PEAPv1 with EAP-GTC
• Other uncommon ones
  – PEAPv0/v1 with EAP-SIM (Cisco)
• Uses a server side certificate: the client is supposed to validate it before sending credentials inside the TLS tunnel
• PEAP-EAP-TLS
  – Additionally uses client side certificates or smartcards
  – Supported only by Microsoft

(Figure: PEAP exchange. Source: Layer3.wordpress.com)
Understanding the Insecurity

• Server side certificates
  – Fake ones can be created by anyone
  – Clients may not validate them, may not prompt, or the user may accept the invalid certificate
• Set up a honeypot with FreeRADIUS-WPE
  – Client connects
  – Accepts the fake certificate
  – Sends authentication details over MSCHAPv2 inside the TLS tunnel
  – Attacker's RADIUS server logs the MSCHAPv2 challenge and response
  – Apply a dictionary / reduced-possibility brute force attack using asleap by Joshua Wright
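What the honeypot step above leaves the attacker with, and why asleap can work on it, as an added example that is not part of the original deck: a small Python triage script that parses the MSCHAPv2 entries FreeRADIUS-WPE logs, turns each into an asleap invocation, and lays out the RFC 2759 structure of the response that makes the attack cheap. The log layout, the account names and every hex value below are constructed for the example (check them against a real freeradius-server-wpe.log); the SHA-1 check uses the RFC 2759 test vector.

```python
"""Triage a FreeRADIUS-WPE mschap log: pull out every MS-CHAPv2 challenge/response
the honeypot harvested, hand each one to asleap, and show why the response is
cheap to crack (RFC 2759 ChallengeResponse structure)."""
import hashlib
import re

# Constructed sample in the layout FreeRADIUS-WPE uses for its mschap log
# (assumed here; compare with a real freeradius-server-wpe.log). All values are made up.
SAMPLE_WPE_LOG = """\
mschap: Sat Nov 19 20:31:47 2011
    username: CORP\\vivek
    challenge: 9f:b0:ab:a1:a4:75:b3:45
    response: 0d:7e:7b:c2:3a:e3:83:60:c0:6a:f9:25:6c:f0:ca:b0:4c:b4:5c:57:b1:57:b7:ab
mschap: Sat Nov 19 20:32:10 2011
    username: guest
    challenge: 11:22:33:44:55:66:77
    response: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77
"""

WPE_ENTRY = re.compile(
    r"mschap:\s*(?P<when>[^\n]+)\n"
    r"\s*username:\s*(?P<user>[^\n]+)\n"
    r"\s*challenge:\s*(?P<chal>[0-9a-fA-F:]+)\n"
    r"\s*response:\s*(?P<resp>[0-9a-fA-F:]+)"
)


def _from_colon_hex(s):
    return bytes(int(b, 16) for b in s.split(":"))


def _to_colon_hex(b):
    return ":".join("%02x" % x for x in b)


def parse_wpe_log(text):
    """One dict per harvested login. MS-CHAPv2 uses an 8-byte challenge hash and a
    24-byte NT-Response; anything else is a truncated or corrupt entry."""
    entries = []
    for m in WPE_ENTRY.finditer(text):
        chal, resp = _from_colon_hex(m.group("chal")), _from_colon_hex(m.group("resp"))
        entries.append({
            "when": m.group("when").strip(),
            "username": m.group("user").strip(),
            "challenge": chal,
            "response": resp,
            "valid": len(chal) == 8 and len(resp) == 24,
        })
    return entries


def bare_username(name):
    """Strip a DOMAIN\\ prefix; the challenge hash is computed over the bare account name."""
    return name.rsplit("\\", 1)[-1]


def asleap_command(entry, wordlist="/usr/share/wordlists/rockyou.txt"):
    """asleap takes the challenge (-C) and response (-R) as colon-delimited bytes."""
    if not entry["valid"]:
        raise ValueError("malformed MS-CHAPv2 entry for %s" % entry["username"])
    return "asleap -C %s -R %s -W %s" % (
        _to_colon_hex(entry["challenge"]), _to_colon_hex(entry["response"]), wordlist)


def challenge_hash(peer_challenge, authenticator_challenge, username):
    """RFC 2759 ChallengeHash(): the 8-byte value WPE logs as 'challenge'."""
    h = hashlib.sha1(peer_challenge + authenticator_challenge + username.encode())
    return h.digest()[:8]


def mschapv2_des_keys(nt_hash):
    """RFC 2759 ChallengeResponse(): the 16-byte NT hash (MD4 of the UTF-16LE password)
    is zero-padded to 21 bytes and split into three 7-byte DES keys; each encrypts the
    8-byte challenge and the three outputs are concatenated into the 24-byte response.
    Only 2 bytes of the third key come from the hash."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * 5
    return [padded[0:7], padded[7:14], padded[14:21]]


def third_key_search_space():
    """Key 3 has 5 known zero bytes, so it is exhausted with 2**16 DES operations.
    That recovers NT hash bytes 14 and 15, and asleap then only has to hash the
    dictionary words whose NT hash ends in those two bytes."""
    padding = 21 - 16
    return 256 ** (7 - padding)


if __name__ == "__main__":
    for e in parse_wpe_log(SAMPLE_WPE_LOG):
        print(bare_username(e["username"]), "->",
              asleap_command(e) if e["valid"] else "skipped (malformed entry)")
```

The same structure is why the response is attackable regardless of PEAP: the TLS tunnel only protects the exchange from a passive listener, and the honeypot is the tunnel's endpoint.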
Windows PEAP Hacking Summed Up in 1 Slide

Demo of Enterprise Wireless Attacks: PEAP
EAP-TTLS

• EAP-Tunneled Transport Layer Security
• Server authenticates with a certificate
• Client can optionally use a certificate as well
• No native support on Windows (at the time of this talk; Windows 8 later added a native EAP-TTLS supplicant)
  – 3rd party utilities have to be used
• Versions
  – EAP-TTLSv0
  – EAP-TTLSv1
• Same honeypot weakness as PEAP: if the server certificate is not validated, the inner authentication (PAP, CHAP or MSCHAPv2) is handed to the attacker's RADIUS server

Demo of Enterprise Wireless Attacks: EAP-TTLS
Can I be Secure? EAP-TLS

• Strongest security of all the EAPs out there
• Mandates use of both server and client side certificates
• Required to be supported to get a WPA/WPA2 logo on a product
• Unfortunately, not very popular due to deployment challenges (a PKI and a certificate on every client)
• Short of EAP-TLS: PEAP and EAP-TTLS hold up only when the supplicant is locked down to validate the server certificate against a specific trusted CA and server name, with the "accept this certificate?" prompt disabled
Enterprise Rogue APs, Backdoors, Worms and Botnets

Objective

• How malware could leverage Wi-Fi to create
  – Backdoors
  – Worms
  – Botnets

Background – Understanding Wi-Fi Client Software

• Allows the client to connect to an Access Point
• The first time, the user approves the network; it auto-connects in future
• Details are stored in configuration files (profiles)
Command Line Interaction?

• Scanning the air for probe requests reveals the clients' stored profiles
• Profiling the clients based on the networks they search for
• Different clients behave differently
• Demo

See All Wi-Fi Interfaces
netsh wlan show interfaces

Drivers and Capabilities
netsh wlan show drivers

Scan for Available Networks
netsh wlan show networks

View Existing Profiles
netsh wlan show profiles

Starting a Profile
netsh wlan connect name="vivek"

Export a Profile
netsh wlan export profile name="vivek"
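The exported profile is also where the PEAP weakness from the earlier section is decided, so here is an added example (not part of the original deck) that audits it: a Python check over the XML that netsh wlan export profile writes, flagging a client that does not validate the server certificate, prompts the user, or pins neither a server name nor a trusted root CA. The profile XML below is constructed for the example and modelled on the netsh format (element names and namespaces are assumed; compare with your own export, and note the checker matches on local element names so a namespace difference will not break it). The CA thumbprint is a dummy value.

```python
"""Audit an exported Windows WLAN profile (netsh wlan export profile) for the PEAP
settings that decide whether a FreeRADIUS-WPE honeypot gets the user's MS-CHAPv2
response: server certificate validation, CA and server name pinning, user prompts."""
import xml.etree.ElementTree as ET

# Constructed profile, modelled on the XML netsh writes for a WPA2-Enterprise /
# PEAP-MSCHAPv2 network (assumed layout; compare with a real export).
PROFILE_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication><encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>{no_prompt}</DisableUserPromptForServerValidation>
                <ServerNames>{server_names}</ServerNames>
                {trusted_ca}
              </ServerValidation>
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>26</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                  <UseWinLogonCredentials>{winlogon}</UseWinLogonCredentials>
                </EapType>
              </Eap>
              <PeapExtensions>
                <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
              </PeapExtensions>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
"""


def build_profile(ssid="CorpWiFi", validate="true", no_prompt="false",
                  server_names="", trusted_ca_sha1=None, winlogon="false"):
    """Fill the constructed template; defaults mirror a profile a user creates by hand."""
    ca = "<TrustedRootCA>%s</TrustedRootCA>" % trusted_ca_sha1 if trusted_ca_sha1 else ""
    return PROFILE_TEMPLATE.format(ssid=ssid, validate=validate, no_prompt=no_prompt,
                                   server_names=server_names, trusted_ca=ca, winlogon=winlogon)


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # strip the {namespace} prefix


def audit_peap_profile(xml_text):
    """Return a list of findings; an empty list means the profile is locked down."""
    root = ET.fromstring(xml_text)
    index = {}
    for el in root.iter():
        index.setdefault(_local(el.tag), []).append(el)

    def first_text(tag):
        els = index.get(tag)
        return (els[0].text or "").strip() if els else None

    if first_text("useOneX") != "true":
        return ["not an 802.1X profile; PEAP checks do not apply"]
    types = {(t.text or "").strip() for t in index.get("Type", [])}
    if "25" not in types:
        return ["outer EAP method is not PEAP (type 25); checks do not apply"]

    findings = []
    if first_text("PerformServerValidation") != "true":
        findings.append("server certificate validation is off: any RADIUS server is accepted")
    if first_text("DisableUserPromptForServerValidation") != "true":
        findings.append("user is prompted on an unknown server certificate and can click through a fake one")
    if not first_text("ServerNames"):
        findings.append("no RADIUS server name pinned: any certificate from a trusted CA passes")
    if first_text("TrustedRootCA") is None:
        findings.append("no trusted root CA pinned: every CA in the machine store is accepted")
    if "26" in types and first_text("UseWinLogonCredentials") == "true":
        findings.append("inner EAP-MSCHAPv2 sends the Windows logon credentials: a harvested response belongs to the domain password")
    return findings


if __name__ == "__main__":
    hardened = build_profile(no_prompt="true", server_names="radius.corp.example",
                             trusted_ca_sha1="0011223344556677889900aabbccddeeff001122")  # dummy thumbprint
    for label, xml in (("default", build_profile()), ("hardened", hardened)):
        print(label, audit_peap_profile(xml) or ["ok"])
```

Run it against each profile exported from a fleet machine; a profile pushed by Group Policy should come back empty, while one the user created by clicking "Connect" on the SSID typically trips the prompt and pinning checks.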
Creating an Access Point on a Client Device

• Requires special drivers and supported cards
• Custom software used – hostapd, airbase-ng
• More feasible on Linux based systems

Generation 2.0 of Client Software – Hosted Network

• Available from Windows 7 and Server 2008 R2 onwards
• Virtual adapters on the same physical adapter
• A SoftAP can be created using the virtual adapter
  – DHCP server included

"With this feature, a Windows computer can use a single physical wireless adapter to connect as a client to a hardware access point (AP), while at the same time acting as a software AP allowing other wireless-capable devices to connect to it."
http://msdn.microsoft.com/en-us/library/dd815243%28v=vs.85%29.aspx

Feature Objective

• To allow creation of a wireless Personal Area Network (PAN)
  – Share data with devices
• Network connection sharing (ICS) with other devices on the network

Demonstration: Demo of Hosted Network

Creating a Hosted Network

Driver Support

Client still remains connected to the hard AP!
Wi-Fi Backdoor

• Easy for malware to create a backdoor
• The key could be:
  – Fixed
  – Derived from the MAC address of the host, time of day etc.
• As the host remains connected to the authorized network, the user does not notice a break in connection
• No message or prompt is displayed

Understanding Rogue Access Points
(diagram: a rogue AP attached to the enterprise network)

Makes a Rogue AP on every Client!
(diagram: every infected client becomes a rogue AP)

Best Part – No Extra Hardware!
Advantages?
(diagram: the attacker reaches the victim over the "Wicked Network" instead of via the Internet)

Why is this cool?
• The victim will never notice anything unusual unless he visits his network settings
  – and has to be fairly technical to understand what he sees there
• The attacker connects to the victim over a private network
  – no wired side network logs: firewalls, IDS, IPS never see the traffic
  – Difficult, if not impossible, to trace back
  – Difficult to detect even while the attack is ongoing
• Abuses a legitimate feature, so it is not picked up by AVs or anti-malware
• More stealth? Monitor the air for other networks; when a specific network comes up, then start the backdoor
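The backdoor is invisible on the wire, but it is fully visible on the host: the SoftAP the deck builds (netsh wlan set hostednetwork mode=allow ssid=hpsetup key=<passphrase>, then netsh wlan start hostednetwork) shows up in netsh wlan show hostednetwork, and the bridge the slides describe is the physical adapter still reporting "connected" to the corporate SSID. The following is an added example (not from the deck) of the host-side check an endpoint agent or an incident responder would run over that output. The two command outputs are constructed for the example and laid out the way netsh prints them (an assumption; compare with a real machine); all names and MAC addresses are made up.

```python
"""Spot a hosted-network backdoor from the host itself: parse the output of
'netsh wlan show hostednetwork' and 'netsh wlan show interfaces' and report a
started SoftAP, its clients, and whether the physical adapter is still on the
authorized network (the bridge described in the slides)."""
import re

# Constructed sample outputs, laid out the way netsh on Windows 7 prints them
# (assumed; compare with a real machine). MAC addresses and names are made up.
SAMPLE_HOSTEDNETWORK = """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "hpsetup"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:1a:2b:3c:4d:5e
    Radio type             : 802.11n
    Channel                : 6
    Number of clients      : 1
        aa:bb:cc:dd:ee:ff        Authenticated
"""

SAMPLE_INTERFACES = """\
There are 2 interfaces on the system:

    Name                   : Wireless Network Connection
    Description            : Intel(R) Centrino(R) Advanced-N 6205
    Physical address       : 00:1a:2b:3c:4d:5e
    State                  : connected
    SSID                   : CorpWiFi
    BSSID                  : 00:11:22:33:44:55
    Network type           : Infrastructure
    Radio type             : 802.11n
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    Connection mode        : Auto Connect
    Channel                : 11
    Signal                 : 88%

    Name                   : Wireless Network Connection 2
    Description            : Microsoft Virtual WiFi Miniport Adapter
    Physical address       : 02:1a:2b:3c:4d:5e
"""

# "Key   : value" lines; the whitespace before the colon keeps MAC addresses out.
KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()]*?)\s+:\s*(.*?)\s*$")
CLIENT = re.compile(r"^\s*((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+(\w+)\s*$")


def parse_hosted_network(text):
    """Settings and status fields as a dict, attached clients under 'clients'."""
    info = {"clients": []}
    for line in text.splitlines():
        c = CLIENT.match(line)
        if c:
            info["clients"].append({"mac": c.group(1).lower(), "state": c.group(2)})
            continue
        m = KV.match(line)
        if m:
            info[m.group(1)] = m.group(2).strip('"')
    return info


def parse_interfaces(text):
    """One dict per adapter; a new adapter starts at each 'Name' line."""
    adapters = []
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Name":
            adapters.append({})
        if adapters:
            adapters[-1][key] = value
    return adapters


def hosted_network_findings(hosted_text, interfaces_text):
    hn = parse_hosted_network(hosted_text)
    findings = []
    if hn.get("Status") == "Started":
        findings.append("hosted network '%s' is up on BSSID %s, channel %s"
                        % (hn.get("SSID name"), hn.get("BSSID"), hn.get("Channel")))
    elif hn.get("Mode") == "Allowed":
        findings.append("hosted network is configured (mode Allowed) but not started")
    for c in hn["clients"]:
        findings.append("client %s attached (%s)" % (c["mac"], c["state"]))
    for a in parse_interfaces(interfaces_text):
        if a.get("State") == "connected" and hn.get("Status") == "Started":
            findings.append("physical adapter '%s' is still on %s (%s): SoftAP clients get a bridge into it"
                            % (a.get("Name"), a.get("SSID"), a.get("Authentication")))
        if "Virtual WiFi" in a.get("Description", ""):
            findings.append("virtual adapter present: %s" % a["Description"])
    return findings


if __name__ == "__main__":
    for f in hosted_network_findings(SAMPLE_HOSTEDNETWORK, SAMPLE_INTERFACES):
        print("-", f)
```

A fleet policy that sets the hosted network mode to disallow, and an agent that alerts on the combination "Status: Started" plus a physical adapter connected to the corporate SSID, turns the "no wired side logs" advantage from the slide into a host-side signal.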
Chaining Hosted Networks like a proxy?
• Each node has client and AP capability
• We can chain them to "hop" machines
• The final machine can provide Internet access
• Like Wi-Fi repeaters

Chaining Infected Laptops
(diagram: AP – Client | AP – Client | AP – Client … Authorized AP; each infected laptop is a client of the previous one and an AP for the next)

Package Meterpreter for full access?
• Once the attacker connects to his victim, he would want to have access to everything
• Why not package a Meterpreter with this?
• How about a backdoor post-exploitation script for Metasploit?

Demo: Coupling Hosted Network with Metasploit

Increasing Stealth
• Passive monitoring of the SSIDs available
• A trigger SSID causes the wicked hosted network to start and create an application level backdoor
• Attacker connects and does his job
• Shuts off the trigger SSID and the malware goes back to passive monitoring
Karmetasploit

• Victim connects by mistake or misassociation
• Victim opens a browser; Metasploit browser_autopwn exploits the system
• Hacker gets access!
• Biggest challenge – the victim notices he is connected to the wrong network and disconnects himself

Enhancing Karmetasploit

• Upon exploitation, create the hosted network backdoor
• The user disconnects, but this hosted network still remains active
• Attacker connects via this network

What about older clients and other OSs?

• Windows < 7 and Mac OS do not have the Hosted Network or a similar feature
  – Use Ad-Hoc networks
  – Use a connect-back mechanism
    • When a particular SSID is seen, connect to it automatically
    • Blurb reporting "Connected to ABC"
      – Could we kill it?

Hosted Network Meterpreter Scripts
http://zitstif.no-ip.org/meterpreter/rogueap.txt
http://www.digininja.org/projects.php
Dissecting Worm Functionality
(diagram: Worm = Propagation Technique + Exploit)

Hosted Network Encryption

• Uses WPA2-PSK for encryption
• The key is stored encrypted in the profile configuration file
• It can be decrypted: any code running as administrator on the host can read it back, and netsh itself will show the key in clear text to an administrator
• What if there is an office network configured on the same machine with WPA2-PSK?

1. Infect Authorized Computer and Decrypt Passphrase

Decryption Routine

Alternate – Dump and Copy
2. Create a Soft Access Point with the same Credentials
(diagram: the worm-infected laptop brings up a hosted network named OfficeAP next to the real OfficeAP)

3. Signal Strength Game
(diagram: the infected laptop's OfficeAP is closer to the other clients than the real AP)

4. Hop and Exploit
(diagram: a client roams onto the fake OfficeAP and is exploited)

5. Replicate and Spread
(diagram: the newly infected client becomes another OfficeAP)

Worm's Wi-Fi Network Signal Strength > AP
(diagram: several infected laptops each advertising OfficeAP, out-signalling the real AP)
Wi-Fi Worm

• Retrieve the network key for the network
• Create a hosted network with the same name (and the same key)
• When the victim is in the vicinity of his office, the worm can be activated
• At some point its signal strength may be higher than the real AP's
• Other colleagues' laptops may hop across and connect
  – Conference rooms, coffee and break areas

Why is this interesting?

• The worm uses its own private Wi-Fi network to propagate
• Does not use the wired LAN at all
• Difficult for network defenses to detect and mitigate
• Targeted APT against an enterprise
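The propagation step depends on a second BSSID advertising OfficeAP with a stronger signal than the real one, which is exactly what a scan shows. The following is an added example (not from the deck) of the evil-twin check a wireless IDS, or a scheduled script on any Windows client, can run over netsh wlan show networks mode=bssid output: every BSSID for the office SSID is compared with the controller's AP inventory, and an unknown one is reported together with whether it out-signals the real APs. The scan output, the SSIDs and all MAC addresses are constructed for the example (the netsh layout is an assumption; compare with a real run), and the "locally administered address" hint is a heuristic, not proof.

```python
"""Evil-twin check for the worm scenario: parse 'netsh wlan show networks mode=bssid'
and flag any BSSID advertising the office SSID that is not in the AP inventory,
noting when it out-signals the real APs (the 'signal strength game')."""
import re

# Constructed scan output, laid out the way netsh prints it (assumed; compare with
# a real run). The 02:... BSSID plays the hosted network on an infected laptop.
SAMPLE_SCAN = """\
Interface name : Wireless Network Connection
There are 2 networks currently visible.

SSID 1 : OfficeAP
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 61%
         Radio type         : 802.11n
         Channel            : 6
    BSSID 2                 : 02:1a:2b:3c:4d:5e
         Signal             : 92%
         Radio type         : 802.11n
         Channel            : 6

SSID 2 : Guest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:11:22:33:44:56
         Signal             : 58%
         Radio type         : 802.11n
         Channel            : 6
"""

SSID_LINE = re.compile(r"^SSID \d+\s*:\s*(.*?)\s*$")
BSSID_LINE = re.compile(r"^\s+BSSID \d+\s*:\s*((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")
FIELD = re.compile(r"^\s+(Authentication|Signal|Channel)\s*:\s*(\S+)")


def parse_scan(text):
    """Return {ssid: {"auth": str, "bssids": [{"bssid", "signal", "channel"}, ...]}}."""
    nets, cur_ssid, cur_bssid = {}, None, None
    for line in text.splitlines():
        m = SSID_LINE.match(line)
        if m:
            cur_ssid, cur_bssid = m.group(1), None
            nets[cur_ssid] = {"auth": None, "bssids": []}
            continue
        m = BSSID_LINE.match(line)
        if m and cur_ssid is not None:
            cur_bssid = {"bssid": m.group(1).lower(), "signal": None, "channel": None}
            nets[cur_ssid]["bssids"].append(cur_bssid)
            continue
        m = FIELD.match(line)
        if not m or cur_ssid is None:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Authentication":
            nets[cur_ssid]["auth"] = value
        elif key == "Signal" and cur_bssid is not None:
            cur_bssid["signal"] = int(value.rstrip("%"))
        elif key == "Channel" and cur_bssid is not None:
            cur_bssid["channel"] = int(value)
    return nets


def locally_administered(bssid):
    """Bit 1 of the first octet set: not a vendor burned-in address. Virtual and
    SoftAP interfaces often use such addresses (a hint only, not proof)."""
    return bool(int(bssid[:2], 16) & 0x02)


def find_evil_twins(scan_text, ssid, authorized_bssids):
    """Unknown BSSIDs for ssid, strongest first, with the comparison against the real APs."""
    nets = parse_scan(scan_text)
    if ssid not in nets:
        return []
    authorized = {b.lower() for b in authorized_bssids}
    real = [b for b in nets[ssid]["bssids"] if b["bssid"] in authorized]
    best_real = max((b["signal"] or 0) for b in real) if real else 0
    twins = []
    for b in nets[ssid]["bssids"]:
        if b["bssid"] in authorized:
            continue
        twins.append({
            "bssid": b["bssid"], "channel": b["channel"], "signal": b["signal"],
            "outranks_real_ap": (b["signal"] or 0) > best_real,
            "locally_administered": locally_administered(b["bssid"]),
        })
    return sorted(twins, key=lambda t: -(t["signal"] or 0))


if __name__ == "__main__":
    # The authorized list would come from the WLAN controller's AP inventory.
    for t in find_evil_twins(SAMPLE_SCAN, "OfficeAP", ["00:11:22:33:44:55"]):
        print(t)
```

Because the worm copies the real PSK, the clients that roam onto the twin see nothing wrong; the BSSID inventory is the one thing the worm cannot copy, which is why the check keys on it rather than on the SSID or the security settings.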
Demo

On the Run

APIs for the Hosted Network Feature
Questions?

vivek@securitytube.net
Mais conteúdo relacionado

Mais procurados

How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
Positive Hack Days
 
CCNA Security - Chapter 3
CCNA Security - Chapter 3CCNA Security - Chapter 3
CCNA Security - Chapter 3
Irsandi Hasan
 
wifi-y3dips-stmik_mdp_slides
wifi-y3dips-stmik_mdp_slideswifi-y3dips-stmik_mdp_slides
wifi-y3dips-stmik_mdp_slides
guest1c1a9a
 
Ccna security
Ccna securityCcna security
Ccna security
dkaya
 
Ipfire open source firewall
Ipfire  open source firewallIpfire  open source firewall
Ipfire open source firewall
saing sab
 

Mais procurados (20)

CCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asaCCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asa
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and Solutions
 
CCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ipsCCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ips
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+
 
CCNA Security - Chapter 3
CCNA Security - Chapter 3CCNA Security - Chapter 3
CCNA Security - Chapter 3
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
 
Information Security Lesson 5 - Network Infrastructure - Eric Vanderburg
Information Security Lesson 5 - Network Infrastructure - Eric VanderburgInformation Security Lesson 5 - Network Infrastructure - Eric Vanderburg
Information Security Lesson 5 - Network Infrastructure - Eric Vanderburg
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
 
WiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & DefenceWiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & Defence
 
WLAN Attacks and Protection
WLAN Attacks and ProtectionWLAN Attacks and Protection
WLAN Attacks and Protection
 
wifi-y3dips-stmik_mdp_slides
wifi-y3dips-stmik_mdp_slideswifi-y3dips-stmik_mdp_slides
wifi-y3dips-stmik_mdp_slides
 
Wireless security camera
Wireless security cameraWireless security camera
Wireless security camera
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
 
Ccna security
Ccna securityCcna security
Ccna security
 
Network Security Through FIREWALL
Network Security Through FIREWALLNetwork Security Through FIREWALL
Network Security Through FIREWALL
 
Ipfire open source firewall
Ipfire  open source firewallIpfire  open source firewall
Ipfire open source firewall
 
Firewall girija ppt
Firewall girija pptFirewall girija ppt
Firewall girija ppt
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
 

Semelhante a Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)

Material best practices in network security using ethical hacking
Material best practices in network security using ethical hackingMaterial best practices in network security using ethical hacking
Material best practices in network security using ethical hacking
Desmond Devendran
 

Semelhante a Scenatio based hacking - enterprise wireless security (Vivek Ramachandran) (20)

Trust No-One Architecture For Services And Data
Trust No-One Architecture For Services And DataTrust No-One Architecture For Services And Data
Trust No-One Architecture For Services And Data
 
Chapter08
Chapter08Chapter08
Chapter08
 
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
 
You think your WiFi is safe?
You think your WiFi is safe?You think your WiFi is safe?
You think your WiFi is safe?
 
Video-over-IP for AV
Video-over-IP for AVVideo-over-IP for AV
Video-over-IP for AV
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 
idsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 networkidsecconf2010-hacking priv8 network
idsecconf2010-hacking priv8 network
 
Advanced Wi-Fi pentesting
Advanced Wi-Fi pentestingAdvanced Wi-Fi pentesting
Advanced Wi-Fi pentesting
 
Phifer 3 30_04
Phifer 3 30_04Phifer 3 30_04
Phifer 3 30_04
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
 
QualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application FirewallQualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application Firewall
 
VPN
VPNVPN
VPN
 
Vp ns
Vp nsVp ns
Vp ns
 
Airheads vail 2011 pci 2.0 compliance
Airheads vail 2011   pci 2.0 complianceAirheads vail 2011   pci 2.0 compliance
Airheads vail 2011 pci 2.0 compliance
 
Getting Started With AWS Security
Getting Started With AWS SecurityGetting Started With AWS Security
Getting Started With AWS Security
 
Making NFV-Based Business Services Secure
Making NFV-Based Business Services SecureMaking NFV-Based Business Services Secure
Making NFV-Based Business Services Secure
 
Material best practices in network security using ethical hacking
Material best practices in network security using ethical hackingMaterial best practices in network security using ethical hacking
Material best practices in network security using ethical hacking
 
Unv banking &amp; finance video surveillance solution v1.00
Unv banking &amp; finance video surveillance solution v1.00Unv banking &amp; finance video surveillance solution v1.00
Unv banking &amp; finance video surveillance solution v1.00
 
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...
 
2012 ah vegas wlan security fundamentals
2012 ah vegas   wlan security fundamentals2012 ah vegas   wlan security fundamentals
2012 ah vegas wlan security fundamentals
 

Mais de ClubHack

Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
ClubHack
 

Mais de ClubHack (20)

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber Insurance
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threat
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep Kamble
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun Rathod
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara Agrawal
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh Belgi
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan Joshi
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue  February 2012Clubhack Magazine Issue  February 2012
Clubhack Magazine Issue February 2012
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011
 

Último

Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
fonyou31
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
SoniaTolstoy
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 

Último (20)

Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact

Scenario based hacking - enterprise wireless security (Vivek Ramachandran)

  • 1. Scenario Based Hacking – Enterprise Wireless Security
    Vivek Ramachandran, Founder, SecurityTube.net
    vivek@securitytube.net
    ©SecurityTube.net
  • 2. Vivek Ramachandran
    – B.Tech, ECE, IIT Guwahati
    – 802.1x, Cat65k, Cisco Systems
    – WEP Cloaking, Defcon 15
    – Caffe Latte Attack, Toorcon 9
    – Media Coverage: CBS5, BBC
    – Microsoft Security Shootout
    – Trainer, 2011
    – Wi-Fi Malware, 2011
  • 3. In-Person Trainings
  • 4. SecurityTube Online Certifications (25+ Countries)
  • 5. Free DVD (12+ Hours of HD Videos): http://www.securitytube.net/downloads
  • 6. Scenario Based Hacking
    • Multiple courses are available from different certification bodies
    • They concentrate more on tools than on their application (script-kiddie mentality)
    • Real-world scenarios are not used
    • Students find it tough to excel in the real world
  • 7. The Real World
    • Complicated scenarios
    • Heterogeneous architecture
    • Multiple security controls present at the same time
      – Firewalls, IDS/IPS, etc.
    • Requires one to be a master of all, rather than a jack of all trades
    • Basically "Scenario Based Hacking"
  • 8. Understanding Scenario Based Hacking (X = control absent)
    Component          Scenario 1  Scenario 2  Scenario 3  Scenario 4
    Patches            X           Present     Present     Present
    Personal Firewall  X           X           Present     Present
    AV                 X           X           X           Present
    NAT                X           X           X           X
    Firewall           X           X           X           X
    IDS                X           X           X           X
    IPS                X           X           X           X
    WAF                X           X           X           X
    …                  …           …           …           …
  • 9. Simple Scenarios
    (diagram: target host connected directly to the Internet)
    • No patches
    • No AV
    • No firewall
    • No network IDS/IPS
    • Direct access (no NAT)
    • …
  • 10. Complicated (diagram)
  • 11. Interesting Ones! (diagram: coffee shop, airport)
  • 12. Scenario Based Hacking for Wireless
    • Enterprise Wireless Attacks
      – PEAP
      – EAP-TTLS
    • Enterprise Rogue APs, Worms and Botnets
  • 13. Enterprise Wireless Attacks: PEAP and EAP-TTLS
  • 14. WPA-Enterprise
    (diagram: message flow between Supplicant, Authenticator (AP) and Authentication Server)
    1. Association (Supplicant and Authenticator)
    2. EAPoL-Start (Supplicant to Authenticator)
    3. EAP Request/Identity (Authenticator to Supplicant)
    4. EAP Response/Identity (Supplicant to Authenticator, relayed to the Authentication Server)
    5. EAP packets of the chosen method, relayed between Supplicant and Authentication Server through the Authenticator
    6. EAP Success (Authentication Server to Authenticator to Supplicant); PMK delivered to the AP
    7. 4-Way Handshake (Supplicant and Authenticator)
    8. Data transfer
  • 15. WPA-Enterprise
    • Uses a RADIUS server for authentication
    • Different supported EAP types
      – PEAP, EAP-TTLS, EAP-TLS etc.
    • De facto server: FreeRADIUS, www.freeradius.org
    • Depending on the EAP type used, client and server have to be configured accordingly
  • 16. FreeRADIUS Wireless Pwnage Edition
    http://www.willhackforsushi.com/FreeRADIUS-WPE.html
  • 17. WPA/WPA2 Enterprise
    EAP Type   Real-World Usage
    PEAP       Highest
    EAP-TTLS   High
    EAP-TLS    Medium
    LEAP       Low
    EAP-FAST   Low
    …          …
  • 18. PEAP
    • Protected Extensible Authentication Protocol
    • Typical usage:
      – PEAPv0 with EAP-MSCHAPv2 (most popular); native support on Windows
      – PEAPv1 with EAP-GTC
    • Other uncommon ones
      – PEAPv0/v1 with EAP-SIM (Cisco)
    • Uses server-side certificates for validation
    • PEAP-EAP-TLS
      – Additionally uses client-side certificates or smartcards
      – Supported only by Microsoft
  • 19. (diagram; source: Layer3.wordpress.com)
  • 20. Understanding the Insecurity
    • Server-side certificates
      – Fake ones can be created
      – Clients may not prompt, or the user may accept an invalid certificate
    • Set up a honeypot with FreeRADIUS-WPE
      – Client connects
      – Accepts the fake certificate
      – Sends its authentication details over MSCHAPv2 inside the TLS tunnel
      – The attacker's RADIUS server logs the MSCHAPv2 challenge/response
      – Apply a dictionary / reduced-keyspace brute-force attack to it using asleap by Joshua Wright
  • 21. Windows PEAP Hacking Summed Up in 1 Slide (screenshot)
  • 22. Demo of Enterprise Wireless Attacks: PEAP
  • 23. EAP-TTLS
    • EAP-Tunneled Transport Layer Security
    • Server authenticates with a certificate
    • Client can optionally use a certificate as well
    • No native support on Windows
      – 3rd-party utilities have to be used
    • Versions
      – EAP-TTLSv0
      – EAP-TTLSv1
  • 24. Demo of Enterprise Wireless Attacks: EAP-TTLS
  • 25. Can I be Secure? EAP-TLS
    • Strongest security of all the EAPs out there
    • Mandates use of both server- and client-side certificates
    • Required to be supported to get a WPA/WPA2 logo on a product
    • Unfortunately, this is not very popular due to deployment challenges
  • 26. Enterprise Rogue APs, Backdoors, Worms and Botnets
  • 27. Objective
    • How malware could leverage Wi-Fi to create
      – Backdoors
      – Worms
      – Botnets
  • 28. Background – Understanding Wi-Fi Client Software
    • Allows the client to connect to an access point
    • The first time, the user approves it; auto-connect for future instances
    • Details are stored in configuration files (profiles)
  • 29. Command Line Interaction?
    • Scanning the air for stored profiles
    • Profiling the clients based on the networks they search for
    • Different clients behave differently
    • Demo
  • 30. See All Wi-Fi Interfaces: netsh wlan show interfaces
  • 31. Drivers and Capabilities: netsh wlan show drivers
  • 32. Scan for Available Networks: netsh wlan show networks
  • 33. View Existing Profiles: netsh wlan show profiles
  • 34. Starting a Profile: netsh wlan connect name="vivek"
  • 35. Export a Profile: netsh wlan export profile name="vivek"
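The PEAP attack of slide 20 only works when the client lets the user accept the honeypot's certificate, or never pins a CA or server name at all. The profile XML written by `netsh wlan export profile` (slide 35) records exactly those settings, so a defender can audit it. The checker below is an added example, not code from the talk or from Microsoft: the element names follow Microsoft's WLAN profile and MsPeapConnectionProperties schema, the two sample profiles are constructed, and the CA thumbprint in the hardened one is a placeholder.

```python
"""Audit a Windows WLAN profile (output of `netsh wlan export profile`) for
PEAP server-validation settings that let a FreeRADIUS-WPE honeypot succeed.
Element names follow Microsoft's profile schema; samples are constructed."""
import xml.etree.ElementTree as ET

PEAP_TYPE = "25"  # EAP method type number for PEAP (26 = MSCHAPv2 inner method)

# Constructed sample: PEAP/EAP-MSCHAPv2 profile with weak validation
# settings: no pinned CA, no server name, user prompt enabled.
WEAK_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
              <ServerNames></ServerNames>
            </ServerValidation>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
            <PeapExtensions>
              <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
            </PeapExtensions>
          </EapType>
        </Eap></Config>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""

# Hardened variant: pin the RADIUS CA, require the server name, and never let
# the user click through a validation failure. (Thumbprint is a placeholder.)
HARDENED_PROFILE = (
    WEAK_PROFILE
    .replace("<DisableUserPromptForServerValidation>false",
             "<DisableUserPromptForServerValidation>true")
    .replace("<ServerNames></ServerNames>",
             "<ServerNames>radius.corp.example</ServerNames>"
             "<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>")
)


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _find(node, name):
    """First element (document order) whose local name is `name`, or None."""
    for el in node.iter():
        if _local(el.tag) == name:
            return el
    return None


def _text(el):
    return (el.text or "").strip() if el is not None else ""


def audit_profile(xml_text):
    """Return (profile name, findings). An empty list means a rogue RADIUS
    server cannot be accepted silently or by a user click."""
    root = ET.fromstring(xml_text)
    name = _text(_find(root, "name"))
    findings = []
    if _text(_find(root, "useOneX")) != "true":
        return name, findings                    # PSK/open profile, out of scope
    if _text(_find(root, "Type")) != PEAP_TYPE:  # first Type = EapMethod/Type
        return name, ["outer EAP method is not PEAP; checks below do not apply"]
    if _text(_find(root, "PerformServerValidation")) == "false":
        findings.append("server certificate validation is disabled entirely")
    sv = _find(root, "ServerValidation")
    if sv is None:
        return name, findings + ["no ServerValidation block found"]
    if not _text(_find(sv, "TrustedRootCA")):
        findings.append("no TrustedRootCA pinned: any CA in the machine store is accepted")
    if not _text(_find(sv, "ServerNames")):
        findings.append("ServerNames empty: the certificate subject is not checked")
    if _text(_find(sv, "DisableUserPromptForServerValidation")) != "true":
        findings.append("user is prompted on a validation failure and can accept a fake server")
    return name, findings


if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        name, issues = audit_profile(prof)
        print(f"{label} profile {name!r}: {issues or 'OK'}")
```

Run it against every profile listed by `netsh wlan show profiles`; a PEAP profile that returns any finding is one that a FreeRADIUS-WPE honeypot broadcasting the same SSID can harvest credentials from.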
  • 36. Creating an Access Point on a Client Device
    • Requires special drivers and supported cards
    • Custom software used – hostapd, airbase-ng
    • More feasible on Linux-based systems
  • 37. Generation 2.0 of Client Software – Hosted Network
    • Available on Windows 7 and Server 2008 R2 onwards
    • Virtual adapters on the same physical adapter
    • A SoftAP can be created on the virtual adapter
      – DHCP server included
    "With this feature, a Windows computer can use a single physical wireless adapter to connect as a client to a hardware access point (AP), while at the same time acting as a software AP allowing other wireless-capable devices to connect to it."
    http://msdn.microsoft.com/en-us/library/dd815243%28v=vs.85%29.aspx
  • 38. Feature Objective
    • To allow creation of a wireless Personal Area Network (PAN)
      – Share data with devices
    • Network connection sharing (ICS) with other devices on the network
  • 39. Demonstration: Demo of Hosted Network
  • 40. Creating a Hosted Network (screenshot)
  • 41. Driver Support (screenshot)
  • 42. Client still remains connected to the hard AP! (screenshot)
  • 43. Wi-Fi Backdoor
    • Easy for malware to create a backdoor
    • The key could be:
      – Fixed
      – Derived from the MAC address of the host, time of day, etc.
    • As the host remains connected to the authorized network, the user does not notice a break in connectivity
    • No message or prompt is displayed
  • 44. Understanding Rogue Access Points (diagram: rogue AP)
  • 45. Makes a Rogue AP on every Client! (diagram: a rogue AP on each client)
  • 46. Best Part – No Extra Hardware!
  • 47. Advantages? (diagram: Internet)
  • 48. Advantages? (diagram: "Wicked Network" beside the Internet link)
  • 49. Why is this cool?
    • The victim will never notice anything unusual unless he visits his network settings, and has to be reasonably technical to understand what he sees there
    • The attacker connects to the victim over a private network
      – No wired-side network logs: firewalls, IDS, IPS
      – Difficult, if not impossible, to trace back
      – Difficult to detect even while the attack is ongoing
    • Abuses a legitimate feature, so it is not picked up by AV / anti-malware
    • More stealth? Monitor the air for other networks; when a specific network comes up, then start the backdoor
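The slides above point out that the backdoor leaves no wired-side logs; what it does leave is state on the host itself, which `netsh wlan show hostednetwork` reports. The parser below is an added example, not code from the talk: it reads that command's output (the sample is constructed to match the netsh layout of section headings, "Field : value" rows and one row per attached station) and reduces it to findings an endpoint agent could raise. The remediation commands named in the note after it, `netsh wlan stop hostednetwork` and `netsh wlan set hostednetwork mode=disallow`, are standard Windows commands.

```python
"""Spot a Windows Hosted Network (soft AP) running on a client by parsing the
output of `netsh wlan show hostednetwork`. The sample output is constructed
to match the netsh layout; the defender would feed in live output instead."""
import re

# Constructed sample: a laptop that is still a client of the corporate AP
# while also running a WPA2-PSK soft AP with one station attached.
SAMPLE_OUTPUT = """
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "vivek"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:26:c7:5d:3f:2a
    Radio type             : 802.11n
    Channel                : 11
    Number of clients      : 1
        00:1e:64:22:ab:cd        Authenticated
"""

MAC_ROW = re.compile(r"^\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)", re.I)
FIELD_ROW = re.compile(r"^\s+(\S.*?)\s*:\s*(.*)$")


def parse_hostednetwork(text):
    """Return ({section: {field: value}}, [(station MAC, state), ...])."""
    sections, clients, current = {}, [], None
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) == {"-"}:
            continue                                # blank or underline row
        if not line.startswith(" "):
            current = line.strip()                  # section heading
            sections[current] = {}
            continue
        m = MAC_ROW.match(line)                     # must run before FIELD_ROW,
        if m:                                       # a MAC contains ':' too
            clients.append((m.group(1).lower(), m.group(2)))
            continue
        m = FIELD_ROW.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip().strip('"')
    return sections, clients


def assess(sections, clients):
    """Turn the parsed output into findings; an empty list means no soft AP."""
    settings = sections.get("Hosted network settings", {})
    status = sections.get("Hosted network status", {})
    findings = []
    if settings.get("Mode", "").lower() == "allowed":
        findings.append("hosted network is allowed on this host")
    if status.get("Status", "").lower() == "started":
        findings.append("soft AP is running: SSID %s, BSSID %s, channel %s"
                        % (settings.get("SSID name"), status.get("BSSID"),
                           status.get("Channel")))
    for mac, state in clients:
        findings.append("station %s is %s on the soft AP" % (mac, state))
    return findings


if __name__ == "__main__":
    for finding in assess(*parse_hostednetwork(SAMPLE_OUTPUT)):
        print("!", finding)
```

A host that has no business sharing its uplink should report Mode "Not allowed"; if it reports "Started" with stations attached, stop it (`netsh wlan stop hostednetwork`), disallow it (`netsh wlan set hostednetwork mode=disallow`) and treat the attached station MACs as the attacker's devices.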
  • 50. Chaining Hosted Networks like a proxy?
    • Each node has client and AP capability
    • We can chain them to "hop" between machines
    • The final machine can provide Internet access
    • Like Wi-Fi repeaters
  • 51. Chaining Infected Laptops (diagram: Authorized AP, then a chain of infected laptops, each acting as client of the previous hop and AP for the next)
  • 52. Package Meterpreter for full access?
    • Once the attacker connects to his victim, he would want to have access to everything
    • Why not package a Meterpreter with this?
    • How about a backdoor post-exploitation script for Metasploit?
  • 53. Demo: Coupling Hosted Network with Metasploit
  • 54. Increasing Stealth
    • Passive monitoring for SSIDs that are available
    • A trigger SSID causes the "wicked" hosted network to start and create an application-level backdoor
    • Attacker connects and does his job
    • The trigger SSID is shut off and the malware goes back to passive monitoring
  • 55. Karmetasploit
    • Victim connects by mistake or by mis-association
    • Victim opens a browser; Metasploit browser_autopwn exploits the system
    • Hacker gets access!
    • Biggest challenge – the victim notices he is connected to the wrong network and disconnects himself
  • 56. Enhancing Karmetasploit
    • Upon exploitation, create the hosted network backdoor
    • The user disconnects, but this hosted network still remains active
    • The attacker connects via this network
  • 57. What about older clients and other OSs?
    • Windows before 7 and Mac OS do not have the Hosted Network or a similar feature
      – Use ad-hoc networks
      – Use a connect-back mechanism
    • When a particular SSID is seen, connect to it automatically
    • Blurb reporting "Connected to ABC" – could we kill it?
  • 58. Hosted Network Meterpreter Scripts
    http://zitstif.no-ip.org/meterpreter/rogueap.txt
    http://www.digininja.org/projects.php
  • 59. Dissecting Worm Functionality (diagram: Worm = Propagation Technique + Exploit)
  • 60. Hosted Network Encryption
    • Uses WPA2-PSK for encryption
    • The key is stored encrypted in the configuration file
    • It can be decrypted
    • What if there is an office network configured on the same machine with WPA2-PSK?
  • 61. 1. Infect an Authorized Computer and Decrypt the Passphrase
  • 62. Decryption Routine (screenshot)
  • 63. Alternate – Dump and Copy (screenshot)
  • 64. 2. Create a Soft Access Point with the Same Credentials (diagram: real OfficeAP and a worm-infected laptop both advertising OfficeAP)
  • 65. 3. Signal Strength Game (diagram: OfficeAP versus the worm-infected laptop advertising OfficeAP)
  • 66. 4. Hop and Exploit (diagram: a client hops to the fake OfficeAP and is exploited)
  • 67. 5. Replicate and Spread (diagram: two laptops now advertising OfficeAP)
  • 68. Worms (diagram: Wi-Fi network where the soft AP's signal strength is greater than the real AP's, several laptops advertising OfficeAP)
  • 69. Wi-Fi Worm
    • Retrieve the network key for the network
    • Create a hosted network with the same name
    • When the victim is in the vicinity of his office, the worm can be activated
    • At some point its signal strength may be higher than that of the real AP
    • Other colleagues' laptops may hop over and connect
      – Conference rooms, coffee and break areas
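Slides 44 to 48 and 64 to 69 describe the same thing from the attacker's side: a soft AP advertising the office SSID with the real credentials, winning clients on signal strength. From the air, that AP is a BSSID nobody on the WLAN team issued. The detector below is an added example, not code from the talk: the scan is constructed, the authorized BSSID list is assumed to be exported from the WLAN controller, and the locally-administered-MAC test is a heuristic (Windows virtual Wi-Fi adapters use such an address, but so do some enterprise APs' per-SSID BSSIDs, so it is a hint, not proof).

```python
"""Flag a soft AP impersonating the office SSID in a Wi-Fi scan, the
"signal strength game" seen from the defender's side. The scan, the
allowlist and the MAC heuristic are assumptions for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    rssi: int      # dBm; closer to 0 is stronger


# Authorized BSSIDs per SSID (assumed to be exported from the WLAN controller).
AUTHORIZED = {"OfficeAP": {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"}}

# Constructed scan: two real OfficeAP radios plus a worm-infected laptop in
# the meeting room next door advertising OfficeAP with the stolen PSK.
SCAN = [
    Beacon("OfficeAP", "00:1a:2b:3c:4d:01", 6, -61),
    Beacon("OfficeAP", "00:1a:2b:3c:4d:02", 11, -72),
    Beacon("OfficeAP", "02:26:c7:5d:3f:2a", 11, -48),
    Beacon("GuestWiFi", "00:1a:2b:3c:4d:03", 1, -70),
    Beacon("Linksys", "c0:ff:ee:00:00:01", 1, -85),
]


def locally_administered(bssid):
    """True when the U/L bit (0x02) of the first octet is set, as on a
    virtual adapter's MAC; a heuristic, not proof of a soft AP."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def find_evil_twins(scan, authorized):
    """One dict per BSSID that advertises a protected SSID without being on
    the allowlist, noting whether clients roaming on RSSI will prefer it."""
    findings = []
    for ssid, good in authorized.items():
        good = {b.lower() for b in good}
        seen = [b for b in scan if b.ssid == ssid]
        best_real = max((b.rssi for b in seen if b.bssid.lower() in good), default=None)
        for b in seen:
            if b.bssid.lower() in good:
                continue
            findings.append({
                "ssid": ssid, "bssid": b.bssid.lower(), "channel": b.channel,
                "rssi": b.rssi,
                "soft_ap_like": locally_administered(b.bssid),
                # Clients choose among same-SSID BSSIDs by signal strength, so
                # a twin louder than every real radio will win them over.
                "outshines_real_ap": best_real is not None and b.rssi > best_real,
            })
    return findings


if __name__ == "__main__":
    for hit in find_evil_twins(SCAN, AUTHORIZED):
        print(hit)
```

The check only needs beacons, so it runs on a wireless IDS sensor or on any monitoring laptop; it never touches the wired LAN, which is exactly where the slides say this worm leaves no trace. A hit whose "outshines_real_ap" is true is the one clients in that room are about to hop to.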
  • 70. Why is this interesting?
    • The worm uses its own private Wi-Fi network to propagate
    • Does not use the wired LAN at all
    • Difficult for network defenses to detect and mitigate
    • Targeted APT against an enterprise
  • 72. On the Run
  • 73. APIs for the Hosted Network Feature (screenshot)
  • 74. Questions? vivek@securitytube.net
  • 75. SecurityTube Online Certifications (25+ Countries)
  • 76. Free DVD (12+ Hours of HD Videos): http://www.securitytube.net/downloads