
Thanks. So he's going to be doing the talk on WiDy, [inaudible] over Wi-Fi. Take it away. Thank you. Right, thank you for that introduction. My name is Vivek and I run a site called SecurityTube.net and Pentester Academy. So today I'm going to be talking about WiDy, which is wireless backdoors. Right, before I begin, you probably already noticed I have an accent, so in case there is anything you'd like me to repeat, feel free to tell me. Right, just a quick introduction about myself: started as a programmer, used to work with Cisco's layer 2 security team, 802.1X, port security; found a couple of wireless attacks, Caffe Latte; broke WEP cloaking,
which is now owned by Motorola; and I have my own training company now, SecurityTube, Pentester Academy. We keep doing a lot of stuff, both online as well as in the real world. The author of a couple of books, and we're going to release a new book at DEF CON as well, so this is the first self-published book, called Make Your Own Hacker Gadget, which is how do you make your own Pineapple from scratch, right, by using commodity routers and OpenWrt and all that. So I'm going to be, you know, asking some very simple questions; whoever answers first can get a couple of these books. I have 10 of them, so hopefully it should be fun. Okay, so WiDy,
what, why and where. Right, WiDy is actually a wireless backdoor for Windows. Now the exact same principle can probably be ported to every operating system, right; Windows is more fun, everybody likes to hack and break Windows, so that was my first choice. Why create this? Well, I had first spoken about hosted networks and the security implications of hosted networks probably three years back. Unfortunately the exact same status is, you know, prevailing today as well, so I decided to create an automated tool through which pen testers can demonstrate why hosted networks should be blocked. The tool is completely open source; you can actually go grab the source code from the GitHub URL. Okay, how many of you
have ever used airbase-ng? A couple of you guys, okay. Wi-Fi Pineapple and all that, anybody? And how many of you have created fake access points, honeypots and all of that? Some more, okay. Now whenever you've probably done a fake AP, you may have used BackTrack or Kali with an Alfa card, or a compatible card, and airbase; some people may even have used hostapd to do that, right, a kernel-mode AP, which is probably more stable if you want to do better things. Now interestingly, most people feel that access points, or software APs on client cards, are a Linux thing, right, Windows can't support that. But looks like Windows can support it, right? Anyone here heard about the hosted
network? A couple of folks, okay, great. Who wants to tell me what a hosted network is, for the first book? Okay, there you go.
Okay, great, you got the first book. On Windows, interestingly, from Windows 7 onwards they have a very interesting feature called hosted network. Now what is that? If you've never heard of it, you're going to be shocked today, right. Quoting from MSDN directly: with this feature a Windows computer can use a single physical wireless adapter to connect as a client to a hardware AP, just typically like we connect to our enterprise access point. Now here's the interesting part, after that, right: while at the same time acting as a software AP. So this is not mutually exclusive; while you are connected to a regular network you can actually create a software AP on the same wireless card. Now if you're
wondering how a card can possibly be on two channels at the same time, well, the hosted network is on the same channel as the access point you are connected to, okay, and if you aren't connected to any AP, the hosted network will automatically select the channel for you. Now why is this feature available? To support personal area networks, right: you are at one of those hotels who wants you to pay per device; you can just connect your laptop, enable the hosted network and share that same connection with all your other devices. Now if you want to test if your Windows machine supports the hosted network, it's actually a very simple command; just type in netsh wlan show drivers, and
there is this little thing in here which says Hosted network supported, right; it will say yes. Do all built-in cards support the hosted network? Yes. External cards? Yes. Anything which says it is Windows 7 plus compatible has to mandatorily support the hosted network for Windows, right; the driver has to, there is no choice here, unlike the Linux case where you had to search for cards. This includes all cards, right; if you have a Windows machine you can try it right now; if it says yes, you probably have something to worry about. So let me show you how to create a hosted network, right. We will first use the command line and then we will talk about WiDy and maybe
why that is interesting. So you can create a hosted network through the command line, something which you can backdoor your friend's computer with the next time he forgets to lock it. The syntax is unbelievably simple: netsh wlan, unbelievably simple but I forgot, set hostednetwork mode=allow, followed by the SSID of the network, so let's call it wicked network, and key. Here is the interesting difference between using airbase or hostapd versus the hosted network, right: in the former you could create an open AP, WEP, WPA, WPA2; in the case of the hosted network you are only allowed to create a WPA2-PSK network, right, that is the only option, you cannot do an open AP. So probably put
in a key, ABCD12345. We can go ahead from the command; the hosted network hasn't started yet; you can start it using netsh wlan start hostednetwork. Now before we do that, let's actually go to my Kali VM and start scanning the air. So what I've done, just so that we can do the demo, I already have the MAC address of my Wi-Fi card put in, right, so that we can save some time rather than having to scan. At this point of course you're going to see nothing in there. Now let's go here, start the hosted network, let's go back, takes a couple of seconds, and there you go, right. Did you see any
pop-up, anything like that, come up? Now here is the even more worrisome part: when a client connects you still don't get to see who connected to you. Now it actually gets even more worrisome: if I actually go here, I could have been connected to a network, but do you notice the wicked network listed anywhere here? So you cannot see the hosted network you've created, so this is going to be an invisible phantom network once created, which will trail you for life till you use the same computer; everyone else will see it, you won't, for a good reason, right. Now if you're wondering, this is something which should be easy to detect and figure out: it isn't. If I were to
even click on view network or view connection settings, do you notice you still don't see it anywhere, right? The only place where it actually tells you that a hosted network was connected, or created rather, unbelievably, is when you actually go and look at the list of adapters. Now do you see a new adapter here which says Local Area Connection 6, wicked network? Can you even see that? This is the only indication right now, right. You can try connecting to it if you like; you already know the key, the passphrase. What you would find is there is no pop-up; I can probably try and you will actually see there will be no pop-ups. So you should be able
to see a wicked network. Is everyone seeing it on their mobile phone? Okay, perfect, right. Try joining it. Here I've joined my wicked network, right; do you see any pop-up on my Windows computer which tells me someone connected to you? Okay. Create a fake AP on Kali with airbase or hostapd: does everyone hate it when you have to go through the pain of setting up your own DHCP server? You get one free with the hosted network, right, it's already set up, of course logical enough because it's a personal area network, right, you would want to hand out IP addresses, but interestingly you already have that. Now previously you could basically just hop on pretty much any of
the other adapters, right, and that's where WiDy comes in, where you can go ahead, connect to the system, do a lot of fun stuff. Is anyone surprised and shocked here that we can do that, you know, do all of this? How many of you want to do it on your co-worker's machine as soon as you go back, right? And this was really my litmus test; unbelievably, I hoped for a couple of months, but it ended up being a couple of years that I could just do this and nobody even knew, right. So what is the good and bad news? And by the way, I could actually have been connected to a regular wireless network, right, so I
could actually be connected to the speaker network and the hosted network will still run; it might just change channel, because now the channel is the one which the speaker network uses. So it has changed to 1, and there you go, right; as soon as I connect to a network the hosted network switches to that channel, but do you notice I am perfectly connected to the speaker network right now. You know, this is what we were talking about in the definition of the feature, right, which is it can do both simultaneously: while you are connected it can accommodate further connections to your computer, and of course that is the whole intent, or else how would your personal area network
function, right? If, unfortunately, you've forgotten to turn off ICS, which is turned on by default, internet connection sharing, anyone connecting can actually hop onto the internet or whichever other connected network, which makes this a perfect backdoor, right; all your traffic is tunneled through the machine you're hopping through. Now what is the good and bad news? Well, actually it's all bad news if you are the one affected and all good if you're the one hacking, right. So, no alerts. Now, I did it through the command line; I'll just do it programmatically with WiDy in just a bit, right. No alerts at all. The host remains connected to the Wi-Fi, which means if a piece of malware,
this is post-exploitation, a piece of malware creates the hosted network in the background, you would never ever know something's going on, because you never lose connectivity, right. You can connect to any regular Wi-Fi network and the hosted network will just keep running in the background. There are no alerts when a client connects. Now this is something I hoped Microsoft would have done, right: pop, right, a little pop-up which says new client connected. Yeah, yes, yes, yes, so basically programmatically you can do it, but natively Windows doesn't, right. Yeah, this is post-exploitation. Yeah, yeah, Windows 10 can actually even do it for the current user, as long as it's checked. So, yep, so this is post-exploitation; the
assumption is you're there. What we are looking at is a different dimension for a backdoor, right. Typically we are used to backdoors which connect back: whenever you're on the wired network, your malware connects to the command and control; this is over wireless, that is the difference. It is post-exploitation; the exploitation vector itself could have been something, right. The GUI network manager doesn't show it; we clicked on it, we couldn't find the hosted network anywhere; the only place is the adapter settings. Now why is this worrisome? Assuming you've been infected by, you know, a malware, or you know someone managed to go ahead and have command execution, they can actually create a complete software rogue AP.
Enterprises, from a wireless security perspective, are always worried about rogue devices, right: can I find these devices connected to my network, which should probably be open Wi-Fi, or you know through which someone can connect back? Now with hosted networks, every machine is actually a rogue AP, and keep in mind that a hardware rogue AP would have to be connected to the switch port, which means you could always go ahead and figure out which one of the ports are active, look at the MAC addresses and a bunch of things and maybe even figure it out; here you're tunneling through one of the laptops or workstations with Wi-Fi access, right. The best part: you save money on hardware,
that's always good. Now interestingly, I kind of talked about the hosted network and all of this the first time around two or three years back; we even did contact Microsoft at that point, saying, well, could you at least have a pop-up? So Microsoft's final answer to me was: you're abusing a legitimate feature, right, so end of discussion. And they finally only wrote that when I said I was speaking at a conference, right, and this was years back. Every new version of Windows I'm hoping there would be something. Yes, third-party software could be used, but natively Windows doesn't show you anything. Okay, so I do a lot of wireless teaching, and you know we show
this to our students, and the first question they ask is, hey, we'd like to demo this to our clients, right. Clients are okay if you say, well, you got infected and something happened; a client isn't okay when you say I'm going to type something in, right, because that doesn't simulate the real world. So I created WiDy, which is what we are releasing today, but WiDy has a little twist. So I wanted the backdoor to be covert, and what I decided to do was, when the piece of malware runs it automatically scans the air at regular intervals, right, and it waits for what I call a signal SSID, for lack of a better word,
right. So this signal SSID is what an attacker will bring up, right; you could even use the hotspot facility in your phone to do that, I mean this is just any access point. Now the moment WiDy actually sees that this signal SSID is available in the vicinity, it simply starts the hosted network, right, and the hosted network would be started and keep running till the time the signal SSID is around. Once the attacker connects, probably goes ahead, tunnels his traffic, does something else, right, and then decides to bring down his signal SSID, WiDy automatically shuts down the wireless backdoor. So let me actually show you a demo of WiDy. I'm
going to stop the hosted network which I have already created.
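The defender's counterpart to the walk-through above, added here as an example and not code from the talk or from WiDy: a PowerShell audit that parses `netsh wlan show hostednetwork`, lists the virtual adapter that the talk identifies as the only visible trace, and can stop and disallow the feature. It assumes the netsh output layout reproduced in the constructed sample and that `Get-NetAdapter` is available (Windows 8 and later; the function degrades gracefully without it).

```powershell
# Added example (not part of the talk or of WiDy): audit a Windows host for the
# hosted network described above and optionally disallow it. Run elevated for
# the remediation step. Pass -NetshText to audit captured output offline.

# Constructed sample of what netsh prints while a "wicked network" is running.
$SampleNetshOutput = @'
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "wicked network"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:00:00:00:00:01
    Radio type             : 802.11n
    Channel                : 6
    Number of clients      : 1
'@ -split "`r?`n"

function ConvertFrom-NetshKeyValue {
    # Turns "Key : Value" lines into a hashtable; headings and ruler lines have
    # no colon and are skipped. The lazy key match keeps "BSSID : 02:00:..." intact.
    param([Parameter(Mandatory)][string[]]$Lines)
    $table = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<k>[^:]+?)\s*:\s*(?<v>.*?)\s*$') {
            $table[$Matches['k']] = $Matches['v']
        }
    }
    return $table
}

function Get-HostedNetworkAdapter {
    # The talk's observation: the network list never shows the hosted network,
    # the adapter list does. Get-NetAdapter exists on Windows 8+ only; older
    # hosts get an empty result rather than an error.
    if (-not (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue)) { return @() }
    @(Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object InterfaceDescription -like 'Microsoft Hosted Network Virtual Adapter*' |
        Select-Object Name, InterfaceDescription, Status)
}

function Test-HostedNetworkBackdoor {
    # Returns a finding object. Suspicious is set when the feature is allowed
    # (it can be started silently at any time) or a software AP is running now.
    param([string[]]$NetshText)
    if (-not $NetshText) {
        if (-not (Get-Command netsh.exe -ErrorAction SilentlyContinue)) {
            throw 'netsh.exe not found; pass -NetshText with captured output'
        }
        $NetshText = netsh.exe wlan show hostednetwork
    }
    $info   = ConvertFrom-NetshKeyValue -Lines $NetshText
    $mode   = $info['Mode']
    $status = $info['Status']
    [pscustomobject]@{
        Mode       = $mode
        Status     = $status
        Ssid       = ($info['SSID name'] -replace '"', '')
        Channel    = $info['Channel']
        Clients    = [int]$info['Number of clients']
        Adapters   = Get-HostedNetworkAdapter
        Suspicious = ($status -eq 'Started') -or ($mode -eq 'Allowed')
    }
}

function Disable-HostedNetwork {
    # Remediation (elevated prompt): stop any running hosted network and set the
    # mode to disallow so that "netsh wlan start hostednetwork" is refused.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('hosted network', 'stop and disallow')) {
        netsh.exe wlan stop hostednetwork | Out-Null
        netsh.exe wlan set hostednetwork mode=disallow | Out-Null
    }
}

# Offline demo on the constructed sample, then a live audit where netsh exists.
Test-HostedNetworkBackdoor -NetshText $SampleNetshOutput | Format-List
if (Get-Command netsh.exe -ErrorAction SilentlyContinue) {
    $live = Test-HostedNetworkBackdoor
    if ($live.Suspicious) { Disable-HostedNetwork -WhatIf }   # drop -WhatIf to enforce
}
```

On the sample the finding reports Mode Allowed, Status Started, SSID wicked network and one client, so Suspicious is true; a clean host shows Mode Not configured and no hosted network adapter.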
WiDy is written in C++; the simple reason is the Wi-Fi API only has the C version available right now, there isn't a C# version; you might have to probably write a wrapper around it. So in this POC the signal SSID is OpenSesame, and it will continuously monitor the air; as soon as it sees this SSID it's going to create a backdoor with this key, right. How does it work? We'll get into the working in just a bit. So I've pre-configured my TP-Link access point with the SSID OpenSesame, right, so I'm going to start WiDy. WiDy can run completely in the background; all you have to do basically on Windows is just call FreeConsole,
so that actually frees the console. Just so that we can look at it interactively right now, I've commented out FreeConsole, okay; otherwise it can just run in the background. So let's start WiDy. It's scanned, it could not find OpenSesame, scanning every five seconds, right. So now I'm going to power up the router; hope this demo works, it worked a hundred times, but you never know, right. By default Windows will automatically scan once every one minute, so it isn't going to be instantaneous; it'll probably take a couple of seconds for this to come up, and then the moment you actually see OpenSesame show up on the right, maybe in the next iteration you should see the
backdoor start.
Windows is slow, as you probably already expected, so
as you can see we still haven't, Windows still hasn't found it; I just booted it up.
Someone is already using a Pineapple.
That should probably be seen in just a couple of seconds; it does take a couple of seconds for Windows to refresh everything.
There you go, see that, don't I deserve a clap? Finally worked, okay, thank you. So it actually found OpenSesame, and the moment it found it, it started the wireless backdoor. We can verify that by going back, and there you go, now you have your backdoor network which is running. Now as you're probably noticing, we never lost connectivity, which is of course the feature itself, right, so for the end user he can never figure out that something's going wrong. Now what WiDy does is, once it starts the wireless backdoor, it goes back to scanning and keeps checking if, you know, OpenSesame is down or not. Now this is boilerplate code which
can actually go ahead and be reused to start something like a Meterpreter backdoor or a bind shell, right. I'll just explain the code; the code is actually quite straightforward. All I do is basically check if the network is available over here using IsNetAvailable, which is actually a wrapper; internally IsNetAvailable is going ahead and looking at every wireless interface which I have. There's a simple API called WlanEnumInterfaces with which I get all the interfaces on the system, and for every interface I actually check the list of networks that interface sees, and once I go through that list it's just a simple string compare to my signal SSID, right, to
what SSIDs are available. Once I get my signal SSID, I start my hosted network; again simple API calls, nothing much to it. There are two API calls: one is called WlanHostedNetworkSetProperty and the other is WlanHostedNetworkSetSecondaryKey; the second one sets the key, the first one creates the config. Once the hosted network is created, all I do is just wait and check if that SSID goes down; if it goes down I shut the hosted network. Now at this point, as soon as you've found that you have OpenSesame, or whatever is your signal SSID, right here you can insert and start any program, run anything you like on the
system, right; could be a Meterpreter bind shell, could be a reverse TCP; I mean a bind shell would be good, a reverse TCP as well, but probably you want a reverse TCP which can iterate through a list of IP addresses, because you might not know what you as an attacker would get as an IP address; generally it's the first one in the range, but just so that if there are any issues. Now WiDy, sorry, so now let me go ahead and disconnect the hardware AP; I mean it has to be stealthy, there's no point starting it once and not being able to stop it. So we still see OpenSesame; Windows actually caches the
results for quite some time. There you go, shutdown signal received, right; it saw that OpenSesame isn't available, and if we go back, basically over here, it's no longer in the list of networks. You'd see that now if I reconnect it back you'd actually see it come up once again in just a couple of seconds, but Windows caches results for quite some time; it's unbelievable, but when you actually get into Wi-Fi programming it's quite painful, because a lot of times Windows even caches results across reboots. Do you notice a lot of times when you shut your Windows laptop and then you bring it back up again, it shows you, like, a hotel network which you connected to a
couple of hours back, it still has it in the list? So it does a lot of automatic caching, which you have to be very careful about when you do all your parsing. Now what are the other things which can be done? You could make the signal SSID a regular expression; it does not need to be hard-coded; you could probably even make it a function of the MAC address, right, so you can be clever, just like most malware now when deciding which domain names to use to connect back to their command-and-control; all the same principles apply, I mean this is no different. Same goes for the key as well. What are the advantages? Well, in a
regular attack you'd probably have to use some common network in between to connect to your victim; in this case you're using your own little private network, right, to connect to the victim. Why is this interesting? As I mentioned, the victim never notices anything unusual unless he actually checks his network settings. How many of you check your network settings every day, week, month, ever? Okay. The other interesting aspect of course is, keep in mind that all your wired-side defenses can never pick the backdoor up. In a typical backdoor they try to be as stealthy as possible because you're worried the IDS or IPS may actually notice an outgoing connection, right, to an IP address or to
a domain name which is unusual; in this case you're connecting directly to your victim, you aren't using the wired side anyway, or really your enterprise network; anything you would like to tunnel through the machine goes through the victim. So now the question arises: how do you detect this? Anyone? Okay, so one is that you can go ahead and of course monitor the air and detect this, but if you wanted to build a security tool on Windows, is it even possible to do detection? Okay, what's that? Okay, does that? Okay, so here is a hint: does anyone know the name of the subsystem whose events we'd like to monitor? Anyone? The Wi-Fi subsystem. Oh come on, all of you lost the
book, right; the Wi-Fi subsystem, that's all there was to it. So Windows goes ahead and creates tons of events, unfortunately most of which aren't exposed to you; so if we monitor the different subsystem events then you can figure out a lot of what is happening under the hood. Is there any tool which allows you to do that right now? No. So, just as with WiDy, what I decided was to create a tool which can do that as well. I'm also doing a main-stage DEF CON talk on the tool, which actually has a lot more capabilities than just picking up the hosted network, and the tool is called Chellam. So this is the defense side; just
you know, demo the tool.
There, you notice it once again started the hosted network, okay; I'll probably just kill it right now. We will start WiDy and basically we will see how detection works. All the source code is available so you can play with it. Chellam, at least in my humble view, is the world's first wireless firewall. So when I run it, it's going to start with a bang; I had to do the ninja; the ninja changes color, I have four different colors around it, right, so every time you start it it's going to change color. So what does Chellam really do? It kind of goes ahead and addresses a lot of shortcomings which I, as a wireless researcher, always felt were there on
Windows-based systems. So the first thing Chellam does is it actually digs deep into the APIs, and rather than giving you just the SSIDs it will actually give you the SSIDs and the MAC addresses of every AP around; interestingly the APIs provide that; some tools have it, but not from a security standpoint. So I'll just show, is everyone even able to see this? Do you want me to magnify it a bit, or okay? So just to give you an example, Chellam is now scanning the air and trying to look at different things which are happening. So let me show you an interesting demo: so one of the things Chellam can do is it actually picks up a lot of subsystem
events.
Chellam took us around four months to build, okay. I'll just explain what these events are in just a bit. Now one other thing Chellam does is it can actually do honeypot detection out of the box. A common question which I always get is, hey, someone created the Wi-Fi, started the Wi-Fi Pineapple or airbase-ng, right, and no client can pick it up, and the client doesn't know that this AP actually was created by an attack tool. So what if I made Windows smarter? Okay, so now let me go ahead and create a fake access point with airbase-ng.
Oh, they've changed all the names, yes. Quite, yeah, a pain to remember, but okay, hold on, let's quickly check wlan1. Up, thanks.
Okay, so now the attack tool has started; Chellam can actually monitor everything in the background. There you go, you notice that it actually said it's found a fake AP, right, and just so you know I'm not faking it, you can decide to give me a random name. I'll explain of course how it works; I mean it isn't meant to be a black box, yeah, I'll actually show you how to write signatures. Right now we have signatures for airbase, but at the DEF CON talk I will actually talk about how you can write your own signatures. I don't own a Pineapple, so I couldn't write the signature, but you can write your own. So let's say we just put in
something completely random, right, just so you know I'm not faking it.
So right now the way it works is, before I start the other demo, Chellam will scan the air, and I'll get into how it works; just so that you know, something interesting, it'll actually even point out the fake AP, right, just so you know that this is the fake AP, the red one, from TP-Link. Now how does Chellam do this? Now this is beta software; if it crashes don't blame me. So if I click on any of these APs, right, am I sniffing the air? I'm not, right. Will the next version of Chellam have a low-level device driver? Yes, I'm already working on it, okay. But right now here is what Chellam does: Chellam queries a lot of the
wireless APIs and reconstructs the beacon frame of the SSIDs it sees. So I basically reconstruct all of that data so that I can look at a given beacon frame: what are the different information elements that beacon frame would actually have, as you can see here, right. So is that visible? Okay, so as an example, the AP which I clicked has SSID, supported rates and a couple of other things, right. Now what Chellam does is, if I look at the fake AP: wireless hackers have, you know, had fun for too long, in the sense that Wi-Fi attack tools never improvised; Wi-Fi attack tools create beacon frames, including the Pineapple and others, which use the minimalistic
number of information elements required to be acceptable as a real access point to clients, right. They don't work hard, they don't try to clone a real access point; I mean people don't even change MAC addresses. How many of you actually change MAC addresses to the same range as the vendor of whatever your setup is? Just one or two, right, so that alone is a dead giveaway, okay. airbase-ng, who started it here? Alexis Park Wi-Fi, anyone here? Someone is actually using that around; Chellam will pick all of them up. airbase is fingerprinted at this point, and actually fingerprinting the rest is trivial as well, you'll just see why. So this is the airbase beacon,
this is the airbase beacon, yeah. Most of these fields and their values nobody ever changes, so by different versions you can actually create a blacklist. The only way an attack tool would probably escape a blacklist is by ensuring that it has a clone option, right: so if I want to create a fake AP for the speaker Wi-Fi, it should take an input for that SSID, take a beacon frame, clone that exactly, right; that's the only way you could probably beat most blacklists. Or the second one, someone has a script. So interestingly, here is the other thing which we've done: you can actually use this, till the time it is
fully done, that is, you can also use this as a wireless scanner. Now Windows, when I was researching on this over the last couple of months, Windows does something which I find quite stupid, which is it scans the air, gets the list of SSIDs, right; after a minute it scans the air and it might just go ahead and say, hey, okay, all I care about is what I received now. There are so many APs around which get left over from the previous scan which are still around, so one of the things we did was, we basically said, okay, why not have a scan window starting at five minutes and up to 10 minutes, so you could actually walk
around and pretty much fingerprint, or rather enumerate, all the access points in the vicinity through this interface, right, including the kind of beacon frames it has and everything. You'd be quite shocked if you run this at an airport; you wouldn't find as many fake APs, at least airbase-based, as you thought you would. Like, the moment we created this, and I sat down and I put in the signature detection, I was like, okay, now let's go to the airport; I won't have to use Wireshark anymore, right, to go ahead and find the signatures; let's see what is out there. There weren't too many, but you can try it on your own. The tool, this
is freeware as well. What we did was we wanted both a blacklist and a whitelist based approach, right. Blacklists are great when you want to detect attack tools, but what if I could just whitelist stuff? So what if I could just go ahead, right-click on my home access point and auto-create a signature for it based on all the beacon frame IE elements, neighboring APs and all of that, and store it, so the next time you create your fake AP with the same SSID I actually know it isn't the same, right? So that's what I added and made this basically a whitelist-based firewall. So you'd love this if you are a pure
wireless guy. I could basically go ahead and right-click on any one of these APs, let's say not that one, so let's say OpenSesame; I could right-click and say create rule, and what this does is it brings me to an interface where I can create a whitelist or a blacklist. Now it basically already puts in the BSSID, the BSS type, the physical type, the beacon period, the center frequency in case you decide to run your home AP at a specific frequency, and it actually allows you to decide whether this can change or not. So if you have a cheap AP set at auto channel scan, you can actually go here and say, okay, when I create my wireless firewall
rule set, it's okay if the channel changes, that's fine, right; or if you are wanting to rigidly fingerprint it, you can say, okay, the channel can never change as well, right. And then you can go down to the rates. The best part, or probably the most difficult to beat, is going to be some of the neighboring APs. So what I've done is, generally APs don't change locations very often, so if you have a home AP you'd probably find a couple of your neighbors around; so I'm enumerating your neighbors as well, and the ruleset says at any point at least a couple of them have to be around the next time I see OpenSesame, right. So
an attacker at a coffee shop or at a hotspot cannot just spin up something, even if somehow he talks to you and manages to figure out which AP you're using, so that he can clone the beacon frame exactly, which he can't; he can never, right, unless he has a copy of that. And then there are a bunch of other things as well: you could actually go ahead and create this as, when the rule should be tested: only when you connect to a network, or when you're scanning networks as well, right. So if you use airbase-ng with an option where it responds to every probe request, and you enable scanning, this can automatically tell you
there is an issue. Question? Yes, yes, so for example you can actually select an SSID which has multiple BSSIDs, like a hotel network, and then you can create the rule set, so you could have a full drop-down list here. Is there anything here which has multiple? There isn't anything here which has multiple right now, but it would basically do that. The only problem, though, is if you mix and match different vendor equipment for the same SSID, right; so keep in mind that then you will not be able to get, like, a very rigid definition of a beacon frame. So what I kind of preferred was a combination of SSID and BSSID
rather than the SSID alone defining what to search for. Right, now Chellam can do a lot of this stuff; I have a DEF CON talk, you can come see the demo there. Now what I will demo is, it can detect events as well. So Chellam can go ahead and detect every single Wi-Fi event happening on your Windows machine, right; this includes roaming events where you disconnect and quickly roam to the next AP; this includes connecting to a LAN, or connecting to a network, disconnecting, authenticating. Let me show you how this works in just a bit. I personally love Chellam, because after this it's very clear who I am connecting to and who I'm not; there is no confusion ever, and a
lot of times when you actually run fake access points and someone does it do then you reconnect windows might not even show you a temporary disconnection yeah exactly exactly so what I'm looking at is basically where the community can submit rules and eventually you can write your own rules in Python actually Jai thorne but yeah so that anyone can go ahead and push stuff I'll just quickly demo I just have 10 minutes i will take the questions at the end I'll just finish the demo and I'll take all your questions just want to make sure this one's first so as an example let me actually shift the alerts to the left
so now when I, let's say, disconnect from a network, right, you see all of those little alerts show up, which actually tell you that you just disconnected from this network, right? I don't know if you can see that, and this tells you the MAC addresses. So let's say someone deauths you and you end up reconnecting to his fake AP, this will actually catch that event and this will tell you that you just switched an access point, okay? It won't interfere with the connection, but it will just tell you that. In just a bit now I'll just do the last demo, I think I hardly have any time, the hosted network one. So it can even go down and
pick up all the different hosted network events. So I've just enabled the alerts for the hosted network, and Chellam can completely run in the background, and I could, I don't know, start why do
so as soon as the hosted network is created Chellam will jump up. One of the other ways to simulate it is of course just to create a network right here. There you go, right? Of course one can argue that if you have a malware running on the same system, then it can kill Chellam and all that; the exact same arguments of what a rootkit could do to an anti-rootkit solution are valid here as well, right? So I am not going to debate that. But could you pick it up? Yes you could, if you're already running at the kernel level, maybe, you know, you have a kernel module, which is what we are building into Chellam now. At this point Chellam
depends on the APIs to pick up all the information, so I'm actually building an intermediate driver so that we can look at every single packet which goes up and down. That way we have our own data source rather than looking at Windows's APIs to figure all of that out, right? Once that happens Chellam can even actively prevent. So at this point I could prevent, but all I can do is disconnect you, right; the subsystem sends me all of the events after they've happened. I mean it is an infinitesimally small time, but the event has happened. With the kernel mode driver, when I see a beacon frame probably from an attack tool which shouldn't be there, I actually
won't pass it up, the exact same principle as any other network-based firewall would use, right? They don't pass up the frames to the stack, they actually drop it right there and log it. That would be the next version; I wish I could release that for DEF CON, but kernel mode drivers, to make them stable, it does take a little bit more time, or else nobody will install them. Getting the right certificate and the co-sign from Microsoft itself is a long process; Windows 10 onwards you have to have everything signed by Microsoft, especially kernel mode drivers, right? Is there anything else? Okay, do I have any time? Okay, questions? Yes, questions, yes. So I'm going to be doing actually
four wireless talks at DEF CON. I am doing two talks on the main stage: one is Chellam, the other is how to create your own network IDS for forensics. So what it does is it takes pcap files, pushes them into a SQLite database, and then allows you to just run plain SQLite on Wi-Fi packets to do forensics and attack detection. That talk is on Saturday, Chellam is on Friday. In the wireless village I'm going to talk about WPA Enterprise and how to automate attacking WPA Enterprise live by controlling wpa_supplicant using the WPA control API and the D-Bus API, which is available; a lot of people don't use that,
but you can actually automate wpa_supplicant so that it can try and maybe connect to an enterprise network and dictionary-attack passphrase combinations, for what it's worth, right? So that's in the village. Right, any other questions? Yeah, all of this would be released, you know, yeah. Yes, so you can actually go ahead and have a policy which does that. What I found during most audits is ninety-five percent of people don't even know it exists. Of course keep in mind that because this is post-exploitation, a piece of malware, once it privilege-escalates, yeah, and runs in kernel mode, after that none of the policies matter. So yeah, question? Okay, yeah, that is, there is a group policy you
can apply. Okay, okay, thank you, thank you very much. [Applause]
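Editor's added example, placed after the transcript and not part of the talk or of Chellam's source: a small rule engine that models the detection logic the speaker describes, namely a trusted list keyed on SSID plus BSSID rather than SSID alone, a "you just switched an access point" alert when a disconnect is followed by a reconnect to the same SSID on a different BSSID (the deauth-then-fake-AP case), and an unconditional alert on hosted network events. The event dictionaries, their `type` names and the sample event stream are constructed for this example as a stand-in for the Windows WLAN notifications Chellam consumes; the real API delivers these as native callbacks, not Python dicts.

```python
"""Rule-based monitor for Wi-Fi connection events (added example, not Chellam).

Events are plain dicts shaped like the notifications a WLAN event source would
deliver; the field and type names below are assumptions for this example:
  {"type": "connected",    "ssid": ..., "bssid": ...}
  {"type": "disconnected"}
  {"type": "hosted_network_started" | "hosted_network_stopped", "ssid": ...}
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Alert:
    kind: str    # "disconnected", "ap-switch", "untrusted-bssid", "hosted-network"
    detail: str


def _norm(mac: str) -> str:
    """Normalise a BSSID so rule matching is case-insensitive."""
    return mac.strip().lower()


# Constructed trust list: SSID -> set of BSSIDs allowed to serve it.
# Keying on the (SSID, BSSID) pair is the point the talk makes: an attacker
# can clone an SSID trivially, but the beacon source is what the rule pins.
TRUSTED: Dict[str, Set[str]] = {
    "HotelWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}


class WifiMonitor:
    def __init__(self, trusted: Dict[str, Iterable[str]]) -> None:
        self.trusted: Dict[str, Set[str]] = {
            ssid: {_norm(b) for b in bssids} for ssid, bssids in trusted.items()
        }
        self.current: Optional[Tuple[str, str]] = None   # live association
        self.previous: Optional[Tuple[str, str]] = None  # association before last disconnect

    def handle(self, ev: dict) -> List[Alert]:
        alerts: List[Alert] = []
        kind = ev["type"]
        if kind == "connected":
            ssid, bssid = ev["ssid"], _norm(ev["bssid"])
            # Compare against the live association (a roam) or the one we
            # were just knocked off (deauth followed by reconnect).
            ref = self.current or self.previous
            if ref and ref[0] == ssid and ref[1] != bssid:
                alerts.append(Alert("ap-switch", f"{ssid}: {ref[1]} -> {bssid}"))
            if ssid in self.trusted and bssid not in self.trusted[ssid]:
                alerts.append(Alert("untrusted-bssid", f"{ssid} served from unknown BSSID {bssid}"))
            self.current = (ssid, bssid)
            self.previous = None
        elif kind == "disconnected":
            if self.current is not None:
                alerts.append(Alert("disconnected", f"{self.current[0]} ({self.current[1]})"))
                self.previous, self.current = self.current, None
        elif kind in ("hosted_network_started", "hosted_network_stopped"):
            # Hosted network activity is always reported: on an audited
            # endpoint it should not be happening at all.
            alerts.append(Alert("hosted-network", f"{kind}: {ev.get('ssid', '?')}"))
        return alerts


def run(events: Iterable[dict], trusted: Dict[str, Iterable[str]] = TRUSTED) -> List[Alert]:
    """Feed an event stream through a fresh monitor and collect the alerts."""
    mon = WifiMonitor(trusted)
    out: List[Alert] = []
    for ev in events:
        out.extend(mon.handle(ev))
    return out


# Constructed sample stream: legitimate hotel AP, a deauth, a reconnect to a
# rogue AP beaconing the same SSID, then a hosted network being started.
SAMPLE_EVENTS = [
    {"type": "connected", "ssid": "HotelWiFi", "bssid": "AA:BB:CC:00:00:01"},
    {"type": "disconnected"},
    {"type": "connected", "ssid": "HotelWiFi", "bssid": "de:ad:be:ef:00:01"},
    {"type": "hosted_network_started", "ssid": "Win-Hotspot"},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a.kind}] {a.detail}")
```

The monitor only reports; like the current Chellam it sees the event after the association has already happened, so prevention would need the frame-level hook the speaker describes rather than this API-level view. Note that a roam between two trusted BSSIDs of the same SSID still produces an `ap-switch` alert, which is deliberate: the operator, not the tool, decides whether that roam was expected.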