At ClubHack 2011 Hacking and Security Conference Vivek Ramachandran presented on - Scenatio based hacking - enterprise wireless security Speaker - Vivek Ramachandran

1. Scenario Based Hacking – Enterprise
Wireless Security
Vivek Ramachandran
Founder, SecurityTube.net
vivek@securitytube.net
©SecurityTube.net

2. Vivek Ramachandran
B.Tech, ECE 802.1x, Cat65k WEP Cloaking Caffe Latte Attack
IIT Guwahati Cisco Systems Defcon 15 Toorcon 9
Media Coverage
Microsoft Trainer, 2011 Wi-Fi Malware, 2011
CBS5, BBC
Security Shootout
©SecurityTube.net

3. In-Person Trainings
©SecurityTube.net

4. SecurityTube Online Certifications
25+ Countries
©SecurityTube.net

5. Free DVD (12+ Hours of HD Videos)
http://www.securitytube.net/downloads
©SecurityTube.net

6. Scenario Based Hacking
• Multiple courses are available from different
certification bodies
• Concentrate more on tools than application
• Script kiddie mentality
• Real world scenarios are not used
• Student finds it tough to excel in the real
world
©SecurityTube.net

7. The Real World
• Complicated scenario
• Heterogeneous architecture
• Multiple security controls present at the same
time
– Firewalls, IDS/IPS, etc.
• Requires one to be a Master of all, rather than
a Jack of all
• Basically “Scenario Based Hacking”
©SecurityTube.net

8. Understanding Scenario Based Hacking
Component Scenario 1 Scenario 2 Scenario 3 Scenario 4
Patches X Present Present Present
Personal Firewall X X Present Present
AV X X X Present
NAT X X X X
Firewall X X X X
IDS X X X X
IPS X X X X
WAF X X X X
…
…
©SecurityTube.net

9. Simple Scenarios
Internet
• No patches
• No AV
• No Firewall
• No Network IDS/IPS
• Direct Access (No NAT)
• …..
©SecurityTube.net

10. Complicated
©SecurityTube.net

11. Interesting Ones!
Coffee Shop
Airport
©SecurityTube.net

12. Scenario Based Hacking for Wireless
• Enterprise Wireless Attacks
– PEAP
– EAP-TTLS
• Enterprise Rogue APs, Worms and Botnets
©SecurityTube.net

13. Enterprise Wireless Attacks
PEAP and EAP-TTLS
©SecurityTube.net

14. WPA-Enterprise
Authenticator Authentication
Supplicant Server
Association
EAPoL Start
EAP Request Identity
EAP Response Identity EAP Request Identity
EAP Packets EAP Packets
EAP Success EAP Success
PMK to AP
4 Way Handshake
Data Transfers
©SecurityTube.net

15. WPA-Enterprise
• Use a RADIUS server for authentication
• Different supported EAP types – PEAP, EAP-TTLS, EAP-TLS etc.
• De facto server
– FreeRadius www.freeradius.org
• Depending on EAP type used Client and Server will need to be
configured
©SecurityTube.net

16. FreeRadius Wireless Pwnage Edition
http://www.willhackforsushi.com/FreeRADIUS-WPE.html
©SecurityTube.net

17. WPA/WPA2 Enterprise
EAP Type Real World Usage
PEAP Highest
EAP-TTLS High
EAP-TLS Medium
LEAP Low
EAP-FAST Low
…. ….
©SecurityTube.net

18. PEAP
• Protected Extensible Authentication Protocol
• Typical usage:
– PEAPv0 with EAP-MSCHAPv2 (most popular)
• Native support on Windows
– PEAPv1 with EAP-GTC
• Other uncommon ones
– PEAPv0/v1 with EAP-SIM (Cisco)
• Uses Server Side Certificates for validation
• PEAP-EAP-TLS
– Additionally uses Client side Certificates or Smartcards
– Supported only by Microsoft
©SecurityTube.net

19. Source: Layer3.wordpress.com ©SecurityTube.net

20. Understanding the Insecurity
• Server side certificates
– Fake ones can be created
– Clients may not prompt or user may accept invalid certificates
• Setup a Honeypot with FreeRadius-WPE
– Client connects
– Accepts fake certificate
– Sends authentication details over MSCHAPv2 in the TLS tunnel
– Attacker’s radius server logs these details
– Apply dictionary / reduced possibility bruteforce attack using
Asleap by Joshua Wright
©SecurityTube.net

21. Windows PEAP Hacking Summed Up in 1
Slide 
©SecurityTube.net

22. Demo of Enterprise Wireless Attacks
PEAP
©SecurityTube.net

23. EAP-TTLS
• EAP-Tunneled Transport Layer Security
• Server authenticates with Certificate
• Client can optionally use Certificate as well
• No native support on Windows
– 3rd party utilities to be used
• Versions
– EAP-TTLSv0
– EAP-TTLSv1
©SecurityTube.net

24. Demo of Enterprise Wireless Attacks
EAP-TTLS
©SecurityTube.net

25. Can I be Secure? EAP-TLS
• Strongest security of all the EAPs out there
• Mandates use of both Server and Client side
certificates
• Required to be supported to get a WPA/WPA2
logo on product
• Unfortunately, this is not very popular due to
deployment challenges
©SecurityTube.net

26. Enterprise Rogue APs, Backdoors,
Worms and Botnets
©SecurityTube.net

27. Objective
• How Malware could leverage Wi-Fi to create
– Backdoors
– Worms
– Botnets
©SecurityTube.net

28. Background – Understanding Wi-Fi Client Software
• Allows Client to connect
to an Access Point
• First time user approves
it, Auto-Connect for
future instances
• Details are stored in
Configuration Files
©SecurityTube.net

29. Command Line Interaction?
• Scanning the air for stored profiles
• Profiling the clients based on searches
• Different clients behave differently
• Demo
©SecurityTube.net

30. See All Wi-Fi Interfaces
Netsh wlan show interfaces
©SecurityTube.net

31. Drivers and Capabilities
Netsh wlan show drivers
©SecurityTube.net

32. Scan for Available Networks
Netsh wlan show networks
©SecurityTube.net

33. View Existing Profiles
Netsh wlan show profiles
©SecurityTube.net

34. Starting a Profile
Netsh wlan connect name=“vivek”
©SecurityTube.net

35. Export a Profile
Netsh wlan export profile name=“vivek”
©SecurityTube.net

36. Creating an Access Point on a Client Device
• Requirement for special
drivers and supported
cards
• Custom software used –
HostAPd, Airbase-NG
• More feasible on Linux
based systems
©SecurityTube.net

37. Generation 2.0 of Client Software – Hosted
Network
• Available Windows 7 and Server 2008 R2 onwards
• Virtual adapters on the same physical adapter
• SoftAP can be created using virtual adapters
– DHCP server included
“With this feature, a Windows computer can use a single
physical wireless adapter to connect as a client to a hardware
access point (AP), while at the same time acting as a software
AP allowing other wireless-capable devices to connect to it.”
http://msdn.microsoft.com/en-us/library/dd815243%28v=vs.85%29.aspx
©SecurityTube.net

38. Feature Objective
• To allow creation of a wireless Personal Area
Network (PAN)
– Share data with devices
• Network connection sharing (ICS) with other
devices on the network
©SecurityTube.net

39. Demonstration
Demo of Hosted Network
©SecurityTube.net

40. Creating a Hosted Network
©SecurityTube.net

41. Driver Support
©SecurityTube.net

42. Client still remains connected to hard AP!
©SecurityTube.net

43. Wi-Fi Backdoor
• Easy for malware to create a backdoor
• They key could be:
– Fixed
– Derived based on MAC address of host, time of
day etc.
• As host remains connected to authorized
network, user does not notice a break in
connection
• No Message or Prompt displayed
©SecurityTube.net

44. Understanding Rogue Access Points
Rogue AP
©SecurityTube.net

45. Makes a Rogue AP on every Client!
Rogue AP
Rogue AP Rogue AP
©SecurityTube.net

46. Best Part – No Extra Hardware!
©SecurityTube.net

47. Advantages?
Internet
©SecurityTube.net

48. Advantages?
Wicked Network
Internet
©SecurityTube.net

49. Why is this cool?
• Victim will never notice anything unusual unless he visits his
network settings
– has to be decently technical to understand
• Attacker connects to victim over a private network
– no wired side network logs: firewalls, IDS, IPS
– Difficult, if not impossible to trace back
– Difficult to detect even while attack is ongoing 
• Abusing legitimate feature, not picked up by AVs, Anti-Malware
• More Stealth? Monitor air for other networks, when a specific
network comes up, then start the Backdoor
©SecurityTube.net

50. Chaining Hosted Networks like a proxy?
• Each node has client and AP capability
• We can chain them to “hop” machines
• Final machine can provide Internet access
• Like Wi-Fi Repeaters
©SecurityTube.net

51. Chaining Infected Laptops
AP Client AP Client AP Client
Authorized
AP
©SecurityTube.net

52. Package Meterpreter for full access?
• Once attacker connects to his victim, he would
want to have access to everything
• Why not package a Meterpreter with this? 
• How about a Backdoor post-exploitation script
for Metasploit? 
©SecurityTube.net

53. Demo
Coupling Hosted Network with Metasploit
©SecurityTube.net

54. Increasing Stealth
• Passive Monitoring for SSIDs available
• Trigger SSID causes Wicked Hosted Network to
start and create application level backdoor
• Attacker connects and does his job
• Shuts off Trigger SSID and Malware goes to
Passive Monitoring again
©SecurityTube.net

55. Karmetasploit
• Victim connects by mistake or misassociation
• Victim opens browser, Metasploit
Browser_Autopwn exploits the system
• Hacker gets access!
• Biggest Challenge – Victim notices he is
connected to the wrong network and
disconnects himself
©SecurityTube.net

56. Enhancing Karmetasploit
• Upon Exploitation, create the hosted network
backdoor
• User disconnects, but this hosted network still
remains active
• Attacker connects via this network
©SecurityTube.net

57. What about older clients and other OSs?
• Windows < 7, Mac OS do not have the Hosted
Network or alike feature
– Use Ad-Hoc networks
– Use Connect Back mechanism 
• When a particular SSID is seen, connect to it
automatically
• Blurb reporting “Connected to ABC”
– Could we kill it? 
©SecurityTube.net

58. Hosted Network Meterpreter Scripts
http://zitstif.no-ip.org/meterpreter/rogueap.txt
http://www.digininja.org/projects.php
©SecurityTube.net

59. Dissecting Worm Functionality
Propagation
Technique
Worm
Exploit
©SecurityTube.net

60. Hosted Network Encryption
• Uses WPA2-PSK for encryption
• Key is encrypted in configuration file
• Can be decrypted 
• What if there is an office network configured
on the same machine with WPA2-PSK?
©SecurityTube.net

61. 1. Infect Authorized Computer and Decrypt
Passphrase
©SecurityTube.net

62. Decryption Routine
©SecurityTube.net

63. Alternate – Dump and Copy
©SecurityTube.net

64. 2. Create a Soft Access Point with the same
Credentials
OfficeAP OfficeAP
Worm Infected Laptop
©SecurityTube.net

65. 3. Signal Strength Game
OfficeAP
OfficeAP
Worm Infected Laptop
©SecurityTube.net

66. 4. Hop and Exploit
OfficeAP
Exploit
©SecurityTube.net

67. 5. Replicate and Spread
OfficeAP
OfficeAP
©SecurityTube.net

68. Worms Wi-Fi Network Signal Strength > AP
OfficeAP OfficeAP
OfficeAP
OfficeAP OfficeAP
©SecurityTube.net

69. Wi-Fi Worm
• Retrieve the network key for the network
• Create a hosted network with the same name
• When the victim is in the vicinity of his office,
worm can be activated
• At some point the signal strength may be
higher than real AP
• Other colleagues laptops may hop and
connect
– Conference rooms, Coffee and Break areas
©SecurityTube.net

70. Why is this interesting?
• Worm uses its own private Wi-Fi network to
propagate
• Does not use the Wired LAN at all
• Difficult for network defenses to detect and
mitigate 
• Targeted APT against an Enterprise
©SecurityTube.net

71. Demo
©SecurityTube.net

72. On the Run 
©SecurityTube.net

73. APIs for the Hosted Network Feature
©SecurityTube.net

74. Questions
Questions?
vivek@securitytube.net
©SecurityTube.net

75. SecurityTube Online Certifications
25+ Countries
©SecurityTube.net

76. Free DVD (12+ Hours of HD Videos)
http://www.securitytube.net/downloads
©SecurityTube.net