
Hamilton Justino, who will talk about Wi-Fi Recon: corporate espionage with Evil Twin. Welcome to the stage, and a round of applause for Hamilton.

Hey guys, how are you? I felt like I was on a TV show with this presenter. Nice, congratulations. Well, complementing Ricardo's talk that you saw before, very nice: I come from Florianópolis, where there's a consulting company that used to be an infra shop, and today I'm a pentester, besides being one of the owners of the company, one of the partners. And one thing he brought up in his talk, which I confirm and sign below every word of, is that even having done a lot of advanced courses and studied a lot of shellcode, today I still get in through the basics. Normally an open door and a CVE. For a pentester it makes life easier, and we end up... But sometimes we get frustrated, because I never needed to write an exploit. Maybe there wouldn't even be time, because people have been asking for pentests faster and faster. But anyway, I'm from the pre-Google era, when I studied from books. I've studied a lot of things, but where I learned the most was following the right people. And at events like this you can select the people you should follow, so be careful about who you follow. On LinkedIn last week people asked me if I was going to bring any zero-day, right? I said no, it's all pentest using basic stuff; it's just that the pentest story was a little different or interesting. But then I found out that I have a zero-day at home. It can knock down a Fortinet in a very easy way, and it also causes denial of service on MikroTiks. This guy here, he dropped the Fortinet in seconds, and in the end he doesn't let me touch the equipment. So that's what happened; let me start from the beginning.

Well, some context on the pentest: it was an electronic time-clock SaaS product. The customer needed to prove security and maturity to the data controller; this was based on the LGPD, his client was the data controller, and he needed to prove security and maturity. The test was only on the administrative panel of the system, not even on the time-clock devices or the mobile app. It had a 15-day deadline, and social engineering and denial of service were not allowed.
I was on the tenth day already and I couldn't find anything. Really, the production side was quite hardened. So it was complicated; I was already getting distressed, because a pentester has... Who here is a pentester? When you... The rest of you, when you decide to be a pentester, learn to deal with frustration, because a pentester gets upset when he doesn't get in. He should be happy, because then the environment is protected. And when he gets in he gets super happy, when he should be upset, because it's a sign that the environment is fragile. So learn to deal with frustration. And we test a lot of things to get just one right. It's a bunch of missed shots to land one. Sometimes it kills, right? Headshot. So I was on the tenth day and I hadn't done anything yet. And the deadline was running out, and I didn't want to deliver a report saying, "Oh, it's all fine there, right?" The ego is fucked. Then I remembered a little tool by Nelson Murilo's team, right? It's called FaveNets. Is Nelson there? Oh, he's there. Wow, what a response. I'll talk to him afterwards. Well, Nelson, for those who don't know, is the creator of chkrootkit, this little tool, and a lot of other cool tools; I suggest you look through his GitHub. So he has this little tool called FaveNets, and it keeps showing us all the networks that your phones are looking for, because they're saved on your phone, and for it to connect automatically it has to check every now and then whether it's in the right environment.

In desperation... the company is in the same city, in Floripa. Florianópolis has many technology companies, and they have nice environments, because everyone there likes the "great place to work" thing. So there's always a bar, a café, a gym, everything in the same building. So I thought, in desperation, "I can't solve this shit, I'll have to go look at the place." At the time it was this antenna here. Now I'm more powerful. Anyway, my hope was to find an address that would take me to the staging (homologação) version of the environment. I wanted to find the less protected place. So I used this little guy and went there to have a coffee, because my idea was that if I saw dev people walking around looking for networks, and could set up a network identical to the one their phone would connect to, then their phone would connect to my network and I could see unencrypted traffic. For example, in my case what I wanted was DNS, because the time-clock software was obviously used by the company. Well, let's say there's someone from QA there with the software, with the staging version; it would access the staging part too. And besides that, it reveals several other things for the Recon and OSINT people who like digging things up. So basically I'm creating an access point with the same name as the company's AP, or the network that was being searched for here, that was found by FaveNets. And if I were lucky enough to get it to connect, maybe I could find out via DNS.

So let me show you whether it worked. Can you see it well? I was already connected to it and already collecting, but basically this is FaveNets running; it keeps changing channel, and here it will show your phones searching for networks. So these are all phones right now, at this exact moment, searching for networks. It's good to turn off your Wi-Fi, okay? Here, maybe some companies already... Okay? And it continues, right? So you can see that the phone gives away many things. It's good to turn off your favorite networks there. Then, thinking about it... now it's small, right? Better, right? Yeah, I dropped it because I went to do the test and it was already running. But I created the Wi-Fi here with
the name of the place I wanted and I kept waiting... Wow, not even I can see that up close. And I kept waiting for someone to connect. I brought up DHCP and asked dnsmasq to show me the log on screen. So that's what was going to happen. I don't know if you saw it here, but there's a lot of... The network here, of the building itself, the hotel, is this one, the Nacional, in Jaraguá. So what do you think would happen if I ran, for example, this AP? Would anyone connect? Hello? No, but I found out there's a police officer (delegado) here in the room, so I'm not going to do it. My goal is to get to the end of this with my clean record intact. Has everyone turned off their Wi-Fi already?

So this was at the client's place, and it had this network of the gym and the canteen here, of the open restaurant, and the gym one was exactly the one I used. So I stayed close to the gym, I had about four or five coffees, I stayed there all afternoon, and then I was lucky that someone from QA went there. Then the system, the mobile one, accessed the environment, it collected it, the IP was saved here, and then I managed to get the staging environment, which I think I left... Ah, it's there. Ah, yeah. It had "HM" in front. Ah, but it could have been done via DNS recon and stuff. Yeah, it could, but I didn't find it, because the name was different, right? There were some very specific names there. But that's how I got it. And then I managed to do the... There was no protection, there was no WAF, nothing; everything was fine, it was easy to test there and then validate in the production environment. And that was not in the pentest exclusions. I can't tell you the rest of the pentest; the client didn't want to, he didn't authorize me, not even anonymized. But basically it was: capture of favorite networks, configuration of the Evil Twin to make sure of it, hope the Goddess of Luck would connect someone, capture the DNS, and do the recon there in the DNS of where the guy... of where the target I wanted was. So I managed to take down 5 out of 10 of the OWASP Top 10. It was a good result, and thanks, Nelson. If it weren't for the tool, it wouldn't have worked.

So, conclusions: please configure DoH on your phones, DNS over HTTP, because as you saw, DNS shows us a lot, including behavior and the tools the person uses to protect themselves, so... Where's the other one? Ah, it's right here. For example, there it uses Kaspersky and uses G Suite, so for those who do Recon this can be very important information: Recon, Red Team. On Android there is an option to turn on Wi-Fi automatically, which is off by default and only active when you are in your most common geographical location. I believe this will evolve so that I can say where I want it to turn on; I'll choose, for example, only my house and only my work, and when I'm outside, it turns off. I know there is an app, but I don't have a phone to test it. But I've seen that there is an option to keep the Wi-Fi off when you're outside the premises. Avoid connecting to public networks, like the hotel's, for example. Or don't save them, for example, so... we don't know. There's an app, like Kaspersky, that gives you a notification of a suspicious network, and a VPN with full-tunnel navigation, so that a lot of access doesn't leak out.
So that's it, guys. What I wanted to share with you was just this case of a partial pentest. And if anyone has any questions, feel free to ask. Is there an extra microphone? Or radio? No. So take mine. It was bad. Sorry. Hello, hello, okay.

My name is Rafael, I came from FATEC Ourinhos, and it's a question we had, even from a mini-course we had related to pentesting in practice there. I saw that you work with pentesting, both you invading something doing pentesting, and on the defense side of what you had to deal with at the company. I wanted to know... In practice, we see so many things related to pentesting, even reverse shells, that you say, "Damn, I don't know how to deal with it." And sometimes I feel a little unmotivated. But a professor told me that he has been working in the pentesting area for more than 10 years, and he said something that caught my attention. He said that in college we see something so complex, like a reverse shell, but in practice it's very hard to say that he ever caught a reverse shell, something like that. Or even, as you commented, when it's up to you to do the pentest, sometimes you say, wow, there will be a lot of difficulty, and sometimes they're very basic things that happen. I wanted to know about your experience. How was that for you? Do you agree? Although we learn many complex things, in practice it is sometimes simpler.

So, this is what I commented on there, that Ricardo was also commenting on, that attacks continue to happen because of the easy things. I've done a lot of courses: I've done a course on shellcode, I've done a course at H2HC, I've done a course with Manuel T, who is a very cool guy, on Java deserialization. But in pentests like this one, we end up finding the simple things to do, and then you get to the critical part and you have to send the report to the client. So today I say, as much as I've been at these talks since 2013 and we've had information security in the company since 2015, more or less, that we serve, I never needed to write an exploit, for example. There's always a CVE with the exploit ready, or the application simply leaks the data to me, so I don't need to go there and figure out how to get it out of the screen. So that's it. You'll end up studying a lot of things, especially if you work in a consultancy, because then every day you get something different. So you'll always study a lot of things, but you'll end up using less; you won't end up using everything you study. I have a lot of things that I'll consult in the material because I've studied it, but I never needed to use it. Sometimes something comes up. I don't know if I answered that. The basics work, as Ricardo said. The basics will work for a long time. And so, at the beginning, before 2010, we were from the infra area, so I was part of the defense. But, man, whoever is on the defense side is screwed. Thanks, guys!
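The talk's closing recommendation (DoH on phones) rests on how much a plaintext DNS log reveals to whoever runs the access point. The script below is an added example, not code from the talk or from the FaveNets or dnsmasq projects: it parses the `query[...]` lines that dnsmasq writes when `log-queries` is enabled, groups the queried names by client address, and flags names whose labels suggest a pre-production environment, the kind of hint the speaker was looking for. The log lines, hostnames, addresses and PID are constructed, the `.example` domains stand in for the vendor names mentioned in the talk, and the list of non-production labels is an assumption of this example.

```python
"""Summarise what a plaintext DNS query log exposes per client (added example)."""
import re
from collections import defaultdict

# Constructed sample of a dnsmasq log with log-queries enabled.
# Hosts, addresses and the PID are invented; nothing here is a real capture.
SAMPLE_LOG = """\
Mar 10 14:22:01 dnsmasq[1234]: query[A] hml.pontoapp.example from 10.20.0.12
Mar 10 14:22:01 dnsmasq[1234]: forwarded hml.pontoapp.example to 192.0.2.53
Mar 10 14:22:01 dnsmasq[1234]: reply hml.pontoapp.example is 203.0.113.10
Mar 10 14:22:03 dnsmasq[1234]: query[A] ksn.antivirus-vendor.example from 10.20.0.12
Mar 10 14:22:05 dnsmasq[1234]: query[AAAA] mail.workspace-suite.example from 10.20.0.12
Mar 10 14:22:07 dnsmasq[1234]: query[A] connectivitycheck.phone-vendor.example from 10.20.0.17
Mar 10 14:22:09 dnsmasq[1234]: query[A] api-staging.pontoapp.example from 10.20.0.17
Mar 10 14:22:09 dnsmasq[1234]: query[A] api-staging.pontoapp.example from 10.20.0.17
"""

# dnsmasq query line: "... query[<type>] <name> from <client address>"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")

# Assumed set of labels that commonly mark pre-production environments.
NON_PRODUCTION_LABELS = {"hml", "homolog", "homologacao", "staging", "stage",
                         "dev", "qa", "test", "uat"}


def looks_non_production(name: str) -> bool:
    """True if any dot- or dash-separated label of the name is in the assumed list."""
    labels = re.split(r"[.-]", name.lower())
    return any(label in NON_PRODUCTION_LABELS for label in labels)


def summarize_queries(log_text: str) -> dict:
    """Group queried names by client; forwarded/reply/cached lines are ignored."""
    per_client = defaultdict(lambda: {"names": set(), "query_count": 0})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        entry = per_client[m["client"]]
        entry["names"].add(m["name"].lower())
        entry["query_count"] += 1

    summary = {}
    for client, entry in per_client.items():
        names = sorted(entry["names"])
        summary[client] = {
            "names": names,
            "query_count": entry["query_count"],
            "non_production": [n for n in names if looks_non_production(n)],
        }
    return summary


def format_report(summary: dict) -> str:
    """Human-readable view: one block per client, suspicious names tagged."""
    lines = []
    for client in sorted(summary):
        entry = summary[client]
        lines.append(f"{client}: {entry['query_count']} queries, "
                     f"{len(entry['names'])} distinct names")
        for name in entry["names"]:
            tag = "  [non-production?]" if name in entry["non_production"] else ""
            lines.append(f"    {name}{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_queries(SAMPLE_LOG)))
```

Run against a real dnsmasq log the report shows, per device, the SaaS hostnames, security-tool update domains and mail-provider lookups that a phone emits on every join; once the phone resolves names over DoH instead, the access point sees only encrypted traffic to the resolver and these lines never appear.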