
BG - The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots

BSides Las Vegas · 54:45 · 204 views · Published 2017-08
About this talk
BG - The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots - Gabriel Ryan Breaking Ground BSidesLV 2017 - Tuscany Hotel - July 25, 2017
Transcript [en]

This is the talk on the black art of wireless post-exploitation. Post-exploitation, yeah. What I'd like to do is take a few moments to ask you a favor: this talk is being live-streamed, and as such I'd like you to take all your phones, pull them out of your pockets and turn them down. We really don't want people on YouTube listening to your conversation; that wouldn't be nice. Also, if you have a question, I have the audience mic; just raise your hand and I will come over to you and bring you the mic so everyone can hear it, and even the people on YouTube can hear it. I'd like to thank all of our sponsors, our

wonderful sponsors, who are First Bright Creativity, Tenable, Amazon and The Source of Knowledge, and this is the first time I've made it through that without screwing up the names. So I would like to introduce you to Solstice; he's going to be presenting. Hi guys. All right, so this is the talk title thing. So my name is Gabriel Ryan, I'm a security engineer at Gotham Digital Science. We're primarily a security consulting firm; we do some research as well. We tend to specialize in network infrastructure testing, do some red teaming, stuff like that. So, cool new things in this presentation: we're going to be talking about two new ways to use rogue access point attacks. We're going to talk about hostile portal

attacks, which are a method of stealing Active Directory credentials without network access, and we're also going to look at indirect wireless pivots, which is a way of bypassing port-based access controls using rogue access point attacks. So before we go any further we kind of have to do a little background info. First we're going to talk about WPA2-EAP. How many people are familiar with the Extensible Authentication Protocol? Show of hands. Awesome, okay, this is what I like to see, so I'm going to fly through this stuff. So as you may know, in order to talk about EAP we really have to talk about rogue AP attacks, because that's the primary attack vector that we use to own it.

So rogue access point attacks, I mean they're pretty much the bread and butter of modern wireless pen tests. You've used them to perform man-in-the-middle attacks, steal RADIUS creds, do little phishing portals, stuff like that. And the way that they work at a fundamental level: let's say that we have this SSID, let's say we have "Starbucks Wi-Fi" as the name of our Wi-Fi network and it's operating on channel 6. If an attacker creates a hotspot using the same SSID and channel, you might ask yourself how the wireless clients that are associated with that

access point can tell the difference between the legitimate access point and the attacker's access point, and the truth is that they actually can't. The access point with the stronger signal strength is the one that will win, so to speak, and what will happen is that the wireless clients will actually reassociate with the attacker, which gives the attacker a man-in-the-middle. It gives them the capability, if you run RADIUS, which we'll talk about in a second, to force authentication. So these attacks have been around for a pretty long time, I mean we're talking about at least 15 years at this point. The first documented mention that I

could find for evil twin attacks, for example, was this Wireless LAN Security FAQ by C. W. Klaus, and it was also mentioned in the talk that came out in 2004 by Dino Dai Zovi and Shane Macaulay about KARMA attacks. So I mean they go back pretty far. Later on you have the FreeRADIUS stuff by Brad Antoniewicz and Joshua Wright, and then more recently, in 2014 at DEF CON 22, a couple of guys from SensePost, Dominic White and Ian de Villiers, came out with the MANA toolkit. Has anyone ever played with that? Yeah, it's pretty awesome. Basically

they took the KARMA attacks, which had started to work less and less well over the past decade, and made them really, really relevant and really effective again, and also went into some EAP stuff which we'll talk about later. And then finally, very recently, the past couple of months actually, we have Lure10 attacks, which exploit some problems with Windows 10's Wi-Fi Sense capabilities. It's a totally new type of attack, and the guy who came up with the wifiphisher tool actually did this fairly recently. So historically, though, we've had two primary uses for rogue AP attacks: stealing credentials and also breaching WPA-EAP

networks. And in this talk we're actually going to look at something a little different: we're going to look at rogue AP attacks as a means of lateral movement. So before we continue we should also talk about evil twin attacks against WPA2-EAP, and specifically let's talk about EAP and how it works. All right, so logically, and for those of you who know how EAP works you're going to call me out on this because there's something missing, and that's deliberate; for those of us who don't know how it works I'm simplifying this a bit, I'll go over the more complex definition later. But logically, from a very high level, authentication occurs

between two parties: you have the client and the authentication server. And the first thing that happens, if this laser pointer thing works, it doesn't, okay. You have the client and the authentication server, and the client first makes an authentication request, and the authentication server then responds with an X.509 certificate. The purpose of that X.509 certificate is that the server is proving that it is who it says it is, and if the client accepts this, and this is a big if, then we proceed from what we were just doing, which was the outer authentication, and now we're looking at the inner authentication layer of EAP. So if this is EAP-TLS or

EAP-PEAP, which is kind of what we're going to be focusing on, a secure tunnel will be established at that point and the inner authentication will take place through that. The reason why we use this secure tunnel is that everything that's happening here is actually happening over open wireless; technically, the WPA doesn't actually kick in until this entire process is complete. So older versions of EAP were actually susceptible to attacks where you could just sniff that entire transaction and even do replay attacks and stuff like that; EAP-MD5 comes to mind. And there are actually tools out there, for example eapmd5pass by Josh Wright does that stuff, and that's a

really old attack, by the way, like a decade old. So I mentioned there were two parties here; there are actually three. There's the authentication server and there's the client, which I mentioned; the technical term for the client is a supplicant. But in the middle there's this authenticator, and the authenticator is the access point. So all this communication between the authentication server and the supplicant is being mediated by this access point, and the communication between the access point and the RADIUS server is happening over layer seven, a much higher protocol, it's RADIUS, and everything going on between the client and the access point is happening at a much lower level,

that's going over layer two. So really what you need to do as a client in order to do this securely is be able to trust the access point, and as we talked about earlier, if you have an open access point and all this is technically happening over open wireless, you can't, because you're vulnerable to these rogue AP attacks where you could just spoof the access point and get someone to connect. And that's essentially how we've historically taken advantage of this protocol, because you can actually just create a rogue access point and run your own RADIUS server in the background, and that will

just force clients to authenticate with you, and then you'll have a challenge/response that you can crack and get RADIUS creds. So, a quick demo of how that works. By the way, this is a video demo; for the new stuff we're going to do live demos, but we have a short amount of time to talk about all this stuff, so to avoid tempting the demo gods... we'll see, it's already going that way. So I'm going to skip through this. Essentially what we're doing here is we're just creating a bogus certificate, because remember we have to send that cert to the client, and then we're going to create our access point. And I'm

skipping through this at warp speed, and you'll notice here, this is the attacker's perspective, you see where we have someone associated, and later on they're going to try to authenticate with the attacker, and then you end up with something that looks like this: there's a username, challenge and response, and you can just crack it offline, and that's how you get your plaintext credentials. So that's the classic attack against WPA-EAP if you're actually trying to gain access to that kind of network. The solution to this, which ironically enough was introduced in 2008, which is when these kinds of attacks really gained prevalence, implemented by RFC 5216, is EAP-TLS,

where instead you actually have mutual authentication not only on the inner authentication layer but on the outer authentication layer as well. So both the server and the client need to have X.509 certificates that they send to one another, and the strength lies in this mutual authentication. But unfortunately, how many people here are network administrators? No net admins, okay. So how many people think that this is easy to implement, like if you had to go implement EAP-TLS on a massive enterprise network? Yeah, he's shaking his head like crazy, he's like, nope. And that is the problem with EAP-TLS: it's very secure, it's wildly unpopular, and the reason for that is

it's kind of arduous to implement. You have to put a client cert on every single device on your network in order for this to work, and that can be a pain. And actually it's not always as simple as that, because you may have network endpoints, particularly if you're in a very specialized industry, like let's say you're in the mining industry and you have mining equipment, or let's say that you're working in a hospital and you have an MRI machine; this stuff might not even support client-side certs. So it really is difficult to implement, so you end up with this classic security versus convenience scenario in which you're kind of forced to choose between authentication

mechanisms that have known weaknesses or a highly secure but very impractical, or seemingly impractical, authentication mechanism. And of course, as you can guess, there's a huge market gap that this creates; people start coming out of the woodwork trying to sell you magic pills that can offer the convenience and security of both. So along that line, the solution, or at least the current trend, seems to be to focus on breach containment rather than breach prevention. So instead of focusing on trying to keep attackers from entering the network, you basically make sure they can't really do anything dangerous once they

get there. And the primary way of doing that is what we're pretty much going to be talking about, whether or not this actually works, particularly within a wired/wireless context. So network access control mechanisms are actually the primary way that this containment problem has been approached, so we're going to talk about some classic wireless access control mechanisms. And before we continue I'm going to present you with this lovely cartoon, which pretty much sums up my thoughts on that. So let's talk about using NAC for wireless breach containment. NAC mechanisms, they're definitely one of the most popular methods of

approaching this containment problem, and the idea here is that you can use a NAC to distinguish between an authorized and an unauthorized endpoint. So if an unauthorized endpoint, a.k.a. an attacker, enters your network, you immediately put them in a quarantine jail where presumably they can't interact with anything else, and this problem is completely solved. So the way that this works, I kind of just said this, I'm going to skip this slide. So there are two varieties of NAC that we've historically concerned ourselves with. The first is agent-based NAC. So an agent is essentially a software component that you install on every single network endpoint, and the idea here is that the software component

communicates with the brain of the NAC, and this is very secure, because if it has the agent on there it will communicate with the NAC brain and it will be authorized; if it doesn't have it, it'll fail and it will be quarantined. This is very effective, but once again we have something that we have to put on every single network endpoint in order to get this to work, so it's nearly as impractical as EAP-TLS. And then on the other side of the spectrum we have agentless NAC. So an agentless NAC is purely external; you don't actually have something on the NAC'd system itself, it's relying on

external fingerprinting, passive scanning and stuff like that. And essentially the problem with this is that because there's no internal component, you can't use an agentless NAC to, and I'm leaving out next-generation NACs, we're going to talk about those in a second, but traditionally you've not been able to perform internal interrogations using an agentless NAC, and so you can easily bypass them by masquerading as an authorized device. But it is convenient. So we return to a recurring dilemma: we've decided to focus on breach containment as opposed to breach prevention, but we're still faced with this, how do we best approach this, and there's still this

kind of paradox we're dealing with, security versus practicality, and once again there's another market gap that is created by this, although we're kind of narrowing our focus a bit. There's a high demand for a solution that offers both the deep interrogation capabilities offered by an agent-based NAC but has the convenience of an agentless NAC. So the kind of things that have surfaced to meet this need are these next-generation NAC appliances, and I was going to talk about one that I end up seeing on pen tests a lot, so I actually opened a help desk ticket to see if I could borrow one, and it's a

$10,000 network appliance, and the answer was, you can guess how that went. But not only that, so far it wasn't that surprising, but the part that actually caught me off guard was that the legal department got involved. And so for the sake of being vendor-neutral we're just going to, if you really, really want to know what particular NAC I'm talking about you could probably figure it out using Google and the attributes I'm talking about, but I'm going to be polite and call this Vendor A for the rest of this talk, and also Hardware Appliance A. But one great example of a next-generation NAC appliance is, there's Vendor A, and they

use WMI to interrogate devices, and that's pretty cool because you can perform these deep internal checks without using an agent. And the way that you do that is you just authenticate over SMB using a single administrative service account, and the service account is given, I'm hearing some chuckles, so the service account is given remote login access to everything on the network that is authorized, and this allows the device to do its checks. And it's lovely seeing these on pen tests because it really represents a single point of failure, where you as an attacker attempt to access the network and you just have God Mode hashes sent

to you. So thanks, NAC. Another threat to this would be SMB relay attacks. How many people are familiar with SMB relay attacks? Good stuff. There was about a 50/50 show of hands, so I'm going to touch on this briefly. So NTLM, much like EAP's challenge-response, NTLM is a challenge-response mechanism, and the way it works is that the client will initiate the authentication process and the server will respond with a plaintext string, right, and the client then has to encrypt the plaintext string and send it back to the server. The server then decrypts it, and if the decrypted string matches the

original string that it sent, the authentication process succeeds. So the way an SMB relay attack works is you literally just stick yourself in the middle of this process, so you use a man-in-the-middle attack or what have you, and the victim will try to authenticate with what it thinks is the server; it's actually authenticating with you, the attacker, and you just forward all this information on to the destination, the target, and the target sends you the response, and you then forward the response back to the victim, and this process just goes back and forth until eventually what happens is that

you're authenticated with the target and not the victim. And by the way, you can specify the target as anything on the network that the victim has access to; it doesn't have to be the intended destination. So of course, if you're talking about a NAC appliance where you just pop on the network and it sends you hashes, well, if they don't have SMB signing turned off, well then you can just use SMB relays to authenticate with just about everything on there. And it's kind of cool because there's no man-in-the-middle necessary; because it sends you the hashes, it's even faster. So of course you

can mitigate this by enabling SMB signing, and honestly, the thing is that by default most Windows operating systems ship with SMB signing turned off, and the reason why SMB signing ships like that, the only thing where it actually is turned on by default is a domain controller, and the reason for that is that Group Policy is actually downloaded over SMB. So I think that's where Microsoft draws the line and they're like, this is the one thing where it's going to be enabled by default. And by the way, there is a workaround to this: if you don't want to deal with these issues, Vendor A does kindly

provide you with a piece of software that you can install on, oh wait, that's just an agent again. So we're back to square one. So what I'm trying to say is that there's no magic bullet. You can have security, you can have convenience, but usually if you want both there's going to be some kind of compromise made, and I think that's a pretty normal problem, I mean it's just something that we have to accept and be honest with ourselves about when we're designing security systems. So what about client isolation? This is another wireless security mechanism that gets used a lot, particularly on open

networks, actually, because if you have been on the network here you might notice that you can't ping each other. That's because there's something called client isolation, and, oh my, I just realized I'm going to tell you how to bypass that while we're at the... well anyway, don't sue me please. So wireless client isolation, the idea here is that you prevent wireless clients from communicating with one another. This often gets used as a security control and it works to a certain extent, because there's a lot of trouble to go through to bypass this. So the way 802.11 is supposed to work, the AP is supposed to mediate all communication

between the various network endpoints, and this works because everything has to pass through the AP, supposedly, and because of that the AP can dictate who you can and cannot talk to. The problem is that client isolation, at least in a wireless network, not an external wired network, is a logical control, not a physical control. The problem is, how do you keep multiple radio transceivers from communicating with one another? And a really awesome researcher, he's no longer with us, but he was great, in 2005 his answer was: you can't. And he wrote this really

cool tool called wifitap, where essentially what it does is it injects responses to packets: it'll use a monitor mode interface to sniff for packets coming from wireless clients on the target network and then inject responses as if they came from the AP. And the result of this is that you can actually bypass client isolation, and it actually gives you a pretty cool TUN/TAP device that you can use to interact with the network fully without even being associated with it. There are also later tools that let you do this, by the way; the aircrack-ng suite has some awesome ones, they have airtun-ng and also tkiptun-ng, which let

you do it with WEP and WPA1. There's also this thing called Hole 196 which apparently you can use to do this for WPA2; I've never seen it work and it's debatable whether it actually does, but whatever, I figure for being thorough I should probably mention it. Once again, another speedy video demo here. In the top right-hand corner here, can everyone see my mouse when I move it around frantically? Okay, cool, top right corner, we're going to create an access point. So you just create an access point, we're going to connect to it from our host OS, and the host OS, so I've got three, two VMs going on here, has a terminal open in the bottom right, and you

can kind of see, should I get the, yeah, that's me associated with it. So in the bottom right I'm going to send ICMP packets to the access point, and you notice there are five ICMP packets sent and five responses. So in this terminal over to the left we're going to run something called wifiping; it's just a modified version of wifitap, it's kind of a proof of concept, but what it's going to do is any time it sees an ICMP packet it's going to respond, and this just kind of proves that this is possible. So notice here, we're running wifiping on the left, and

we're now going to run, we just made the, use these five ICMP packets, and notice here that we have all these messages that say duplicate, and we have ten responses, and that's because we're actually sending ICMP packets to the AP without even actually being on the network. Or not to the AP, I'm sorry, to the client, without actually being on the network. So back to NACs, and actually access control and breach containment, food for thought. We talked a little bit about whether or not NACs are effective at being NACs, and I think that that's a valid discussion to have, but what if we're

missing the point here? NAC isn't the only problem. The role of NAC in containing a wireless breach is to prevent attackers from accessing sensitive resources after the breach occurs, and when an unauthorized endpoint is detected the idea is that the endpoint would be placed in some kind of quarantine and that the port will be blocked. And when you violate these access control policies, this will cause the NAC to impose some kind of restriction. In a wired network this is a physical restriction; in a wireless network, though, as we saw earlier, these kinds of restrictions can only be logical restrictions. Well, we'll talk

more about that later. So I think to kind of understand where we're going with this, it's best understood through a scenario. We're attacking a wireless network, let's say, to access sensitive resources, and we've already breached the perimeter using that attack earlier, and we end up in a situation like this where there's a NAC involved and they place us on a quarantine VLAN, as opposed to the restricted VLAN, which is what we're trying to get into. And of course on that VLAN you have your sensitive resources, which are the goodies we're trying to get, but we can't because we're stuck over here. So the question is, how do we get out of this? Well, before we go

any further, who knows how NetBIOS name resolution works and LLMNR and NBT-NS poisoning? Does anyone? Okay, fewer hands, cool, so we'll talk about this more. So the way NetBIOS name resolution works, or basically Windows name resolution, the first thing that happens is, when the computer is trying to look up a NetBIOS name it will try to check the local cache and the LMHOSTS file locally; if that fails it will try DNS, the remote DNS servers or local ones, and then if those three steps fail it will do what's called an LLMNR or NBT-NS broadcast. These are actually two separate protocols, but they're logically very similar and the implications are the same, so I kind

of lump them together. But it will use LLMNR or NBT-NS to make a broadcast request to the entire subnet, and the idea is that at that point the correct host that it's trying to look for will respond with its IP address. If you've ever heard of ARP this sounds very similar, and we'll see in a second. So the best way to understand the problem with this is, once again, through example. We have two Windows computers named Alice and Leroy; Alice is trying to send something to Leroy, or authenticate with Leroy, but Alice doesn't know Leroy's IP

address. So what will happen is that Alice will first go through those first three options, both checking locally and also trying local DNS servers; if that fails, Alice will fall back to LLMNR and NBT-NS. So Alice will send out a broadcast request to every single endpoint on the same subnet, and the idea here is that every computer on the same subnet is going to receive this request. The idea is that there's kind of an honor system involved; only Leroy is supposed to respond to this, but as we know, no honor among thieves. What can happen is, as an

attacker, you can just wait for LLMNR and NBT-NS queries and respond to all of them, and the thing is that if a computer makes these requests, the first response it receives is considered the valid one. So an example of this working, I'm going to skip forward a bit, we're going to run Responder; Laurent Gaffié, by the way, wrote this, it's really, really good. This is like a standard thing, like, on a pen test you get on the local network and you start running this, it's so effective. So here we're running this poisoner, as you can see, we're poisoning LLMNR

and NBT-NS, and we're also listening; we have an HTTP server running, a rogue SMB server running, we're just waiting for something to authenticate with us. And what's going to happen is we're going to start up, on the right here we have a Windows host, and we're just going to make an attempt to connect to an SMB share on a non-existent server, and because the server doesn't exist, of course, we're going to go through all those different NetBIOS lookup options and we're going to exhaust our possibilities, we're going to fall back to LLMNR and NBT-NS, and of course, because once again the server doesn't exist, the only thing that's going to respond

to it is our rogue server over here. So you can see here we're typing in "doesnotexist", and we've poisoned, poisoned answer, and boom, we have hashes. By the way, that's an LLMNR or NBT-NS poisoning attack, I should say. So our escape attempt, let's say we're about 5% there; I mean we've got the underpinnings of what we're going to do to get out of our little situation there. Well, there's one more thing we have to go over. Has anybody heard of Redirect to SMB? Okay, cool, let's get more into the weeds here. So with Redirect to SMB it's actually a pretty

simple attack. The idea is to force the victim to visit an HTTP endpoint, like a phishing link or something like that, that just redirects to an SMB share on the attacker's machine. So you click the link and you'll go to the server, and the server will immediately send you a 302 redirect to an SMB share, and that will trigger NTLM authentication and you'll get their hash; it's kind of like what we just saw. And there's a variation of this where you actually just make them redirect to a non-existent share, and then we have the same situation we saw earlier, because it triggers LLMNR and NBT-NS. So it's a

very fast way to get hashes, but it requires social engineering. So this is where it's going to get cool; we're going to talk about new stuff, we're going to talk about hostile portal attacks, which is kind of taking a lot of what we just talked about and putting it together, and it's a cool way of stealing Active Directory credentials without network access, which is why I think it's cool. So how many of you, so you guys know what a captive portal is, right? I mean you've probably seen something like this in the past few days. Yeah, so a captive portal, right, it's, you connect to a wireless network and they

use, there are a number of tricks that they use to make sure that you end up back on the same page, and you typically don't get released from that until you fork over some money or your room number or spoof a MAC, no, sorry. So the way that works is that all DNS queries are just resolved to the location of the captive portal, and if they really want to get sneaky they'll also redirect DNS traffic and redirect HTTP traffic, so you're kind of stuck there. So a hostile portal attack is very similar to your typical hotel Wi-Fi captive portal, but in this case you're redirecting to an SMB share

on the attacker's machine. So they connect to the Wi-Fi network and any time they try to access something they just end up sending you hashes. And also you can run Responder in the background and that will poison all the LLMNR and NBT-NS lookups that they make. So what this would look like is, first the victim would be forced to connect to the attacker using a rogue AP attack, and then instantly anything they do would essentially be redirected to this SMB share and you can get hashes that way. And this is the first live demo, maybe the demo, well, this is going off to

a great start. Looks like I'm doing decently on time though, so I'm going to log in; it's J. Cena there, cheers and chuckles, for copyright reasons I can't use Jason's full first name, but whatever, you get the point. All right, so the first thing I'm going to do is I'm going to create, oh, what command, okay, yeah, so I've got an open network here, I'm going to make, are you kidding me? Oh, I need to be in the directory. See, the thing is, when I'm operating on the projector everything looks very, very small on my screen, so I'm having to squint here to actually do any of this. It's a vice, not a fault. Is it small for you too? Can you

actually read that brilliant okay so I'm gonna make this bigger so that this works for both of us then we can both read this okay so try this again apparently I need to actually need a network interface to do this big surprise there right go to looks until I pick the machine no I don't I'll take me there okay let's try this again all right cool so I've connected to open Wi-Fi and I'm now going to to Jenkins I've got Leroy Jenkins that's my - let's fight see those computers all right so I'm gonna connect to this open a Wi-Fi network and this is this is just like me setting up the initial Wi-Fi here I'm

gonna get ready to make this like rogue ap attack happen all right so it's associated that's a good sign what about over here excellent so it's that's that's working so now I'm going to launch this rogue ap attack and hopefully you guys can see this a little better I'm gonna trying to make this figure is this decent decent size I'm gonna take that's a yes all right now that's working into a reap okay so I gotta connect more stuff it's funny everything actually got reset when I came up here no I don't do that come on all right I'm just gonna make sure that Network manager doesn't mess is my thing here all right so hopefully

that will work there we go no that's not it try this one
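Editor's added example, not code from the talk or from the eaphammer tool: the rogue AP attack being set up in the demo above shows up in the air as two things a monitor-mode sensor can see, a burst of deauthentication frames carrying the legitimate BSSID, and the victim's SSID being advertised from a second BSSID. The script below parses raw 802.11 management frames (radiotap header already stripped) and raises an alert for each. Every frame, address and SSID in it is constructed for the example; the frame layout (frame control, addr1-3, fixed beacon fields, SSID element ID 0, little-endian reason code) is the standard one.

```python
"""Detect deauth floods and duplicate-SSID beacons in a list of raw 802.11 frames.
All frames, MAC addresses and SSIDs below are constructed for this example."""
import struct
from collections import defaultdict

MGMT_BEACON = (0, 8)    # type 0 (management), subtype 8 (beacon)
MGMT_DEAUTH = (0, 12)   # type 0 (management), subtype 12 (deauthentication)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(ftype, subtype, da, sa, bssid, body=b"") -> bytes:
    """Minimal 802.11 frame: frame control, duration, addr1-3, sequence control, body."""
    fc = (subtype << 4) | (ftype << 2)   # protocol version 0, flags byte 0
    header = (struct.pack("<BBH", fc, 0, 0) + mac_bytes(da) + mac_bytes(sa)
              + mac_bytes(bssid) + struct.pack("<H", 0))
    return header + body


def parse_frame(frame: bytes) -> dict:
    """Parse the 24-byte MAC header plus the deauth reason code or beacon SSID."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc = frame[0]
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "da": frame[4:10].hex(":"), "sa": frame[10:16].hex(":"),
            "bssid": frame[16:22].hex(":")}   # addr3 is the BSSID in management frames
    body = frame[24:]
    kind = (info["type"], info["subtype"])
    if kind == MGMT_DEAUTH and len(body) >= 2:
        info["reason"] = struct.unpack("<H", body[:2])[0]
    elif kind == MGMT_BEACON:
        tags = body[12:]   # skip timestamp (8) + beacon interval (2) + capability (2)
        while len(tags) >= 2:
            tag_id, tag_len = tags[0], tags[1]
            if tag_id == 0:   # element ID 0 is the SSID
                info["ssid"] = tags[2:2 + tag_len].decode("utf-8", "replace")
                break
            tags = tags[2 + tag_len:]
    return info


def analyze(frames, deauth_threshold=10, window_s=1.0) -> list:
    """frames: iterable of (timestamp_seconds, raw_frame). Returns a list of alert tuples."""
    deauth_times = defaultdict(list)
    ssid_bssids = defaultdict(set)
    for ts, raw in frames:
        f = parse_frame(raw)
        kind = (f["type"], f["subtype"])
        if kind == MGMT_DEAUTH:
            deauth_times[f["bssid"]].append(ts)
        elif kind == MGMT_BEACON and "ssid" in f:
            ssid_bssids[f["ssid"]].add(f["bssid"])
    alerts = []
    for bssid, times in deauth_times.items():
        times.sort()
        peak, j = 0, 0
        for i, t in enumerate(times):           # sliding window over sorted timestamps
            while times[j] < t - window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= deauth_threshold:            # a real AP rarely deauths this often
            alerts.append(("deauth_flood", bssid, peak))
    for ssid, bssids in ssid_bssids.items():
        if len(bssids) > 1:                      # one SSID, two BSSIDs: evil-twin candidate
            alerts.append(("duplicate_ssid", ssid, sorted(bssids)))
    return alerts


LEGIT_AP = "00:11:22:33:44:55"    # constructed
ROGUE_AP = "66:77:88:99:aa:bb"    # constructed
OTHER_AP = "aa:bb:cc:dd:ee:ff"    # constructed, sends a single benign deauth
BROADCAST = "ff:ff:ff:ff:ff:ff"


def beacon(bssid: str, ssid: str) -> bytes:
    fixed = struct.pack("<QHH", 0, 100, 0x0431)   # timestamp, interval, capability
    return build_frame(*MGMT_BEACON, BROADCAST, bssid, bssid, fixed + bytes([0, len(ssid)]) + ssid.encode())


def deauth(bssid: str, reason: int = 7) -> bytes:
    return build_frame(*MGMT_DEAUTH, BROADCAST, bssid, bssid, struct.pack("<H", reason))


def sample_capture() -> list:
    """Constructed capture: two legit beacons, one evil-twin beacon, one benign deauth,
    then twelve spoofed deauths carrying the legitimate BSSID inside one second."""
    frames = [(0.0, beacon(LEGIT_AP, "CorpWiFi")), (0.1, beacon(LEGIT_AP, "CorpWiFi")),
              (0.2, beacon(ROGUE_AP, "CorpWiFi")), (0.3, deauth(OTHER_AP, reason=3))]
    frames += [(1.0 + 0.05 * i, deauth(LEGIT_AP)) for i in range(12)]
    return frames


if __name__ == "__main__":
    for alert in analyze(sample_capture()):
        print(alert)
```

The threshold and window are starting points, not tuned values: a busy enterprise AP legitimately deauthenticates idle clients, so in production you would baseline per BSSID and also correlate the duplicate-SSID alert with the rogue BSSID's vendor OUI and signal strength before paging anyone.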

Okay, so I'm going to give this one more shot, and then for the sake of time I'm going to switch over to video. Yeah, whatever. All right, so the demo gods are obviously pissed at me right now, but fortunately I came prepared with the backup. Yay, round of applause for the demo gods. Yeah, that's right. So okay, the same thing we were going to do earlier, but this time we're going to create a Wi-Fi network using the terminal in the top right. We're then going to connect to it using this poor victim in the bottom left. I'm going to fast forward through the connection process, you guys type that... All right, it still works. Yeah, so bottom right is connected to... bottom or... to top right, that's kind of what we're looking at here. Then bottom left here is going to do the rogue access point attack, and we're going to get them to roam to our AP, and you'll notice they're now associated with us. And we're going to open up IE, and sometimes this will actually open IE automatically for some reason when you connect to a network, and bam, we have hashes. Actually, one interesting thing that you'll notice here is that, let's say they're using Internet Explorer, whatever you type into the address bar, it'll do a Bing search for it, which will further do this attack over and over and over again, and it'll just keep sending you their AD hashes. So anyways, that's that.

So we did that with an open network, and the reason why we did that with an open network is there's a little more to it when you do this with WPA2-EAP. In most cases, as we were talking about earlier, we were talking about EAP-TTLS and EAP-PEAP, and both of these use MS-CHAPv2 for their inner authentication method. So MS-CHAPv2 actually just... it uses mutual authentication for the final stage of the authentication process; it doesn't use it for the first stage, and that's why we can perform the rogue AP attack. But the thing is that, with MS-CHAPv2, at the very end of the authentication process, in the final steps, the RADIUS server actually has to prove knowledge of the user's password to the user, and if that doesn't happen the whole thing fails, despite the fact that you've still got their creds. So what this means is that although an attacker can force the victim to authenticate with an evil twin and still get hashes, the attacker's RADIUS server will still fail at the final stage of the authentication process, because they can't prove knowledge of the user's password until they've cracked those credentials.

So there are a couple of solutions to this, and the first one is really cool, and actually this once again came out in a SensePost talk in 2002 or 2014 at DEF CON 22. It's called auto crack 'n add, and we'll talk about that in a bit. That's Dominic White and Ian de Villiers. And then the more basic thing you can do, and you'll have to do this for stronger RADIUS credentials, is you just crack offline and finish the attack later. We'll talk more about that as well. So the very end of the MS-CHAPv2 authentication process looks like this: the challenge response, which is the thing that we crack to obtain the plaintext credentials, is sent to the attacker. In this case the attacker is running hostapd, which is what you use to do all this RADIUS stuff, and hostapd has this special file that's really, really janky: it's a text file that it uses as a database, but it loads the password from this EAP user file and then uses that to create the authentication response that it sends with the auth success message back to the victim. So of course, if the user's password is not in the EAP user file, it's not going to work; even if you forge an auth success message, you're still not going to be able to prove knowledge, so the full authentication will not succeed.

So the way auto crack 'n add works is that Dominic White and Ian de Villiers came up with this technique where, instead of just looking it up directly in the EAP user file, you instead just send the challenge response directly to a cracking rig. And actually, I was pretty amazed how quickly the weak password that we had earlier at the beginning of the talk was cracked. So for weak credentials you can do this very quickly, and even for relatively strong credentials, if you have a powerful enough cracking rig, you can actually often send this off and then modify the EAP user file while this process is occurring, or even just modify it after the process occurs, and then you get them to connect again and finish the attack. So the second option, of course... auto crack 'n add will work if you have a fairly weak RADIUS credential, which in an organization of a couple hundred people you're going to find at least one, but for stronger passwords you're going to need to do an offline crack. The only caveat here is that instead of this attack taking anywhere between a few minutes and an hour, now it's going to take a few hours to potentially a week. But that's still pretty effective, because from an attacker's perspective that's not a bad time frame, and of course if you're dealing with APTs, our buddies up there on the right, they aren't time-boxed at all.

So, try demo number two here, although this can be a variation on the same thing, so we'll try this again. So once again we're going to create an EAP access point over here and we're going to connect to it, or at least we're going to... all right, here we go. Damn, it's still connecting. Can you smell the anticipation? "Checking network requirements." I'm going to give this 15 seconds to connect, and if it doesn't... you know what,

okay, so my interface has gone completely dead. Thanks for... um, great product. Okay, so we're just going to do this like this again, but this time we're going to use it with PEAP, and we're going to do the auto crack 'n add. And this is, see, we're just connecting to it for the first time; this is actually a legitimate access point, so this is what would happen. And now we're going to actually mount the attack, and as you can see here we're going to start our AP. Can everyone see okay? I know that's probably really small text. I'll put these videos online later if you want to look at them that way, so you don't have to deal with using a telescope to try to see what's going on up there. But yeah, so we've deauthed the thing. So this will happen with EAP, especially with Microsoft: it's not as much of a problem from an attacker's perspective when you're doing it against Android or OS X, but when you try to do this attack against Windows, sometimes it'll just drop off completely and then the user will have to reconnect, and then fortunately they'll be reconnected to you, right, but it still adds a little extra. So they've authenticated with us and we've captured the username and challenge and response, but of course they weren't able to associate, as you can see down here, and the reason for that is we don't have knowledge of the password yet. However, we've just cracked it by sending it to the cracking rig, and we've updated our user file. In fact, we've also just reconnected them to the legitimate access point so we can try this again. So if you look, this is the bottom of our EAP user file; we now have the credentials, they've been added to that, and we're going to proceed forward and actually perform this attack. So they've associated with us, or they're in the process of doing so. Connects, and by the way, this is the message, I'm going to pause this quickly: when you actually are on the other end of this attack and you receive, well, an invalid cert, this is the message you receive. In Windows it'll say "Do you expect to find example Wi-Fi in this location?" And you were just connected to this thing five minutes ago or five seconds ago, so of course you're expecting to find it there. It doesn't say anything about a cert warning, so I find that interesting. But yeah, so the client's going to go ahead and connect, and then instantly, do you see how Internet Explorer just randomly opens itself to say "congrats, you're on Wi-Fi", and then instantly you have hashes. So that's the attack against EAP.

So what does this get you? It gets you lots and lots of NTLM hashes. It's very similar to LLMNR/NBT-NS poisoning; in fact it actually uses that in the background, in case you don't get those HTTP requests you can redirect, you can still poison LLMNR and NBT-NS. But the cool thing is you no longer need direct network access, and it's also not limited to a local subnet: you get everything that's connected to the wireless. And it's also not a passive attack. Before, you were waiting for them to send stuff to you, for them to make these requests, and now you're actually forcing them to make these sorts of requests, so it's a little more active.

Back to our scenario: we're going to talk about indirect wireless pivots, so that's how we can use this to bypass NACs on wireless, right? What we're going to be doing is we're going to be incorporating the stuff we just talked about and using it to bypass port-based access control mechanisms. And remember here we had... we're the attacker on the left, and we're trying to get over here where all the goodies are, the sensitive resources. So we're here on this quarantine VLAN, and we want to get over to the restricted VLAN, but there's this pesky NAC in the way, and it's kind of put us on this quarantine VLAN, and we're kind of stuck. Well, using what we just learned, we could use a rogue AP attack to force the victim to associate with us, right? That would be step one. Step two, you could use a redirect to SMB, a hostile portal attack, to obtain NTLM hashes from the victim, crack them offline, and then you can use that to authenticate with the victim. And at this point you might have to come back and pick up where you left off, depending on how long cracking those hashes took. But at this point you push the payload to the victim, and you could use a scheduled task or something like that, some kind of timed payload, something that will not execute right away. And then you kill your rogue AP and allow them to reconnect to that wireless network. The victim ends up being put back onto the restricted VLAN, because they're still an authorized endpoint; that's why [inaudible], and you just wait for the reverse shell, and boom. Now the NAC could be the most effective network access control mechanism out there, this could be the Death Star of NACs, and it wouldn't matter, because when you attacked this victim over here you weren't on this protected network. So I think that's kind of where I think we're missing the point using NACs for breach containment, is that if you can't trust... well, we'll talk about that more; you see where I'm going with it.

But a better approach to this, by the way, would be using an SMB relay attack. Remember here, let's say that we have a couple of victims, and you need more than one victim to do this. You unfortunately cannot just do an SMB relay attack from the victim to the victim, and the reason for that is that's actually called an SMB reflection attack, and that wasn't exactly... well, it was so effective that in 2008 Microsoft released a service patch called MS08-068, so that just kind of tells you how... yeah. So you can't do that anymore, but you can still do an SMB relay attack, and what that would look like is: use a rogue AP attack to force the victims to your own AP. They're now on your network, you can do what you want with them. We're going to use the hostile portal technique again, but this time instead of simply capturing hashes we're going to perform an SMB relay attack from one victim to the other and use that to place a timed payload on one of the victims, allow them to reassociate with the target network, they get placed back on the restricted VLAN as before, and you simply just wait there for the nice juicy reverse shell and you get access to all this stuff. So that's an indirect pivot.

The way this is going... almost time, I have like four... fifteen minutes? Ten. All right, so at this rate I don't trust any of this to work, so we're just going to say screw it and go with this, and whatever, if you want me to give you a demo later, just come find me, we'll do it inside a Faraday cage or something. So as before... oh goodness me. So as before, we have our two victims, right, left and right, but we're also going to have our attacker. We're going to be using Empire for this. If you haven't used Empire before, oh cool, you should go check this out as well, because it's pretty awesome. It's a PowerShell post-exploitation framework; think of it as Metasploit but for attacking Active Directory. And we have our legitimate access point running in the bottom left, and we're going to create two Empire listeners. We have "switch", which we're going to be using for our pivot, and we're going to be using "initial", and that's the initial one that we're going to use to perform the attack. And what we're doing here is we're creating a stager. So a stager is basically the code that's going to run on the target to send us the initial reverse shell. We're using smbrelayx, which is part of the Impacket suite, to perform our SMB relay attack. Realistically you could use anything; you could just use MultiRelay, which is built into Responder, you could use all kinds of stuff. Now we're using eaphammer to mount our rogue access point attack, and as before we're going to get it to roam from the legitimate AP to us just by spamming deauth packets, and we're going to do that about every second, and you can see... all right, so we got one to connect there, and we've got the second one to connect. So we now have two of these guys associated with us, which is what we want.

So the second thing that's going to happen is we're going to take that code that's going to be executed on the target machine, and we're going to feed it to smbrelayx, which is going to perform our SMB relay attack. Right now we're grabbing a legitimate IP address from one of the two victims, and then you go back here and we just paste it. You can kind of see in the bottom right we've just pasted it into smbrelayx, and we're going to execute this attack, and it's going to perform the SMB relay attack. So now we're going to do something to kind of help this along: we're going to have to do something on the target machine that makes it send us NTLM hashes. I should figure out where that was... okay, so obviously it was somewhere in there, but we just wait for the hashes, and you see here it says "initial agent" and a string of characters, and it says 10.0.0.0, which is one of our victims. So we received a connect-back from one of our victims, and they're still associated with our access point at this point. And right now, just to kind of show where we are, I'm going to type "usemodule persistence/elevated/schtasks", and that's how we're going to go about this. And we're going to essentially just set this... actually, before we continue with that, we're going to do shell... NT AUTHORITY\SYSTEM, that tells you what privileges we have, and we do "shell hostname", that'll tell us which of these hosts we're on. So are we attacking Leroy or Jenkins... looks like we're attacking Jenkins, okay, based on our output there. So the next thing we're going to do is we're going to set the scheduled task to execute a couple of minutes into the future. This little thing on the bottom keeps popping up. So, set DailyTime [inaudible]. And by the way, a note about using scheduled tasks for this: it's really great from a proof-of-concept perspective, but in a real pen testing scenario you probably actually want to use something that's a little stealthier, because scheduled tasks touch disk, so you want something that lives completely in memory. But there's other stuff you can do, like you can hook into something like a network change event or something, when they switch back. Anyways, so we're setting our listener here; we just set our listener to our second listener, and I'm going to just fast-forward through this, sorry, running out of time.

And something interesting happened when I recorded this, right? So you're close to the thing... I've killed, or I will be killing, the rogue access point, so it should just be connected back to the target network. Yeah, there you go. But the problem is that when I recorded this I actually didn't have the proper network adapter plugged in, and I decided to keep this for real because something really interesting happened when this occurred. I actually started... I actually replugged... I figured out where it was, yeah. So here I'm plugging the network adapter back in and I'm getting ready to simply start recording this again, but what we end up seeing here is that as soon as I plug the network adapter back in, the agent still connects back to me. So that proves an interesting point about good implants or good malware: it will keep trying to persist, doggedly connect back to the attacker, regardless of whether or not it has network access. In this case I had a hundred and sixty-three tries set on this thing, and that's why it did that. So there you are; we've now received the agent, we're going to run "shell hostname" again, that will give us the hostname, just to kind of show where we're connected to, and wait for it...

Yeah, there we are: Jenkins was our initial host that we were connected to before. So I've got to wrap this up, but indirect wireless pivots, I mean, the equivalent technique in a wired network would be literally unplugging a device from the switch and plugging it into your own network where you can attack it, and that would allow you to bypass 802.1X or whatnot. So it's kind of the equivalent of having physical access to the network where you could do something like that. The assumption is that port-based access controls rely on the assumption that the physical layer can be trusted, but in a wireless network WPA2-EAP is pretty much all you've got to ensure the integrity of the physical layer. So when weak forms of WPA2-EAP are used, the attacker can freely control the physical layer using rogue AP attacks, and that kind of renders port-based NAC mechanisms kind of useless. So what this demonstrates is that port-based NAC mechanisms don't effectively mitigate the risk presented by weak WPA2-EAP implementations, and furthermore it demonstrates that adding port-based NAC mechanisms doesn't really make the use of EAP-TTLS or PEAP any less inappropriate if the network in question is used to grant access to sensitive information. By sensitive information we usually mean PCI or HIPAA data. Remember: compliant does not necessarily mean secure.

I'm going to make one last-ditch case for EAP-TLS: it's not quite as bad as it used to be. You can use Group Policy to simply configure 802.1X clients. Your best options: use a private CA, leverage Active Directory to deploy EAP-TLS and to distribute the server certs to clients. For bring-your-own-device clients, either use a really solid BYOD solution or you use an MDM. And you can actually use Let's Encrypt to deploy EAP-TLS, although honestly even the folks at Let's Encrypt say that this is probably not the best way to use our product.

So, closing thoughts: just because wireless and wired networks operate similarly at the logical level, it does not necessarily mean that they work the same operationally at the physical level. And as a community we should really question whether it's truly a sound business decision to neglect EAP-TLS in favor of reactive approaches that focus on containment rather than prevention. And the needs for security and convenience often are at odds with one another, right? So it's really good to maintain a healthy skepticism toward proposed solutions that promise both. And that's it, basically. If you want to check out the tool that we were using for the rogue AP attacks, you can check out github.com/s0lst1c3/eaphammer. There's also going to be a blog post about this on the GDS blog later in the week. I don't actually know the URL for that, but it's just at [inaudible].com; it's going to be on there. Thank you. [Applause]

Does anyone have any questions? You, sir, what's up?

Yeah, so I've got a question. If the clients in this case had been configured to use the EAP based on computer instead of users, what kind of hashes would you collect? Would it be NTLMv1 or v2, and how would you use it?

So what you're saying is, if it's a computer, it's automatically associated with the network using EAP-TLS... that depends on how the client is configured, because if it's configured correctly to reject the certificates you're good, but sometimes you'll get clients that won't do that. So it really depends on how well the supplicant is configured, so it could go either way. Assuming that it's configured correctly and it rejects invalid certs, then it's probably all right.

Okay, and I think I put the wording wrong due to lack of English words. Okay, the client, as in a pen testing scenario, your client, somebody that's paying you to break their system... Yes. If they implemented the EAP, but instead of allowing Windows user authentication they only base it on computers, and they're a part of the domain... Well, that's the plus here. Talking about if they're using RADIUS instead of using Active Directory, are they safe if they don't use Active Directory for RADIUS authentication?

And the answer to that is no, actually, because we wouldn't have to do this attack if people didn't do that. I guess what I mean is that the original attack against EAP networks was to force this thing to authenticate with you and then you steal the RADIUS credentials. If there's overlap between the RADIUS credentials and the Active Directory credentials, you'll end up with Active Directory credentials, but the reason why we have to go for this further step and actually do something further is because not everyone uses Active Directory credentials for RADIUS authentication. In fact it's technically better not to, although I understand the reasons why people do it, if that makes any sense. Does that kind of answer your question? Okay, cool stuff. Are there any more questions? Solstice, thank you very much. Thank you. [Applause]
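Editor's added example, not code from the talk, from eaphammer or from any project the speaker mentions: the closing recommendations and the last audience question both come down to how the supplicant is configured, since a PEAP or TTLS client that does not validate the RADIUS server's certificate will run the MS-CHAPv2 exchange described earlier against an evil twin. The audit below parses wpa_supplicant network blocks and flags that gap. The four blocks, paths, names and the password are constructed samples; ca_cert, domain_suffix_match, domain_match, subject_match, altsubject_match, client_cert and private_key are real wpa_supplicant.conf keys.

```python
"""Audit wpa_supplicant network blocks for server-certificate validation.
The configuration text below is a constructed sample, not a real deployment."""

SAMPLE_CONFIG = """
# weak: PEAP with no certificate validation at all
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jsmith"
    password="correct-horse"
    phase2="auth=MSCHAPV2"
}
# hardened PEAP: pinned private CA plus the expected RADIUS server name
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jsmith"
    password="correct-horse"
    ca_cert="/etc/ssl/certs/corp-private-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
# EAP-TLS: certificates on both sides, no password for a rogue server to collect
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jsmith@corp.example"
    ca_cert="/etc/ssl/certs/corp-private-ca.pem"
    client_cert="/etc/ssl/certs/jsmith.pem"
    private_key="/etc/ssl/private/jsmith.key"
    domain_suffix_match="radius.corp.example"
}
# PSK network: not 802.1X, the audit skips it
network={
    ssid="HomeNet"
    key_mgmt=WPA-PSK
    psk="not-a-real-psk"
}
"""

TUNNELED = {"PEAP", "TTLS"}   # outer TLS tunnel protects an inner password method
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(text: str) -> list:
    """Split wpa_supplicant.conf text into one dict per network={ ... } block.
    Sufficient for the audit: '#' starts a comment, lines are key=value,
    surrounding double quotes are stripped from values."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return nets


def audit(net: dict) -> list:
    """Findings for one network block; an empty list means nothing was flagged."""
    findings = []
    ssid = net.get("ssid", "<no ssid>")
    methods = set(net.get("eap", "").split())
    # wpa_supplicant's default key_mgmt is "WPA-PSK WPA-EAP"; only blocks with an EAP method matter
    if not methods or "WPA-EAP" not in net.get("key_mgmt", "WPA-PSK WPA-EAP").split():
        return findings
    if not net.get("ca_cert"):
        findings.append(f"{ssid}: no ca_cert, the RADIUS server certificate is never validated")
    elif methods & TUNNELED and not any(net.get(k) for k in SERVER_NAME_KEYS):
        findings.append(f"{ssid}: ca_cert set but no domain_suffix_match/subject_match, "
                        "any certificate chaining to that CA is accepted")
    if "TLS" in methods:
        for key in ("client_cert", "private_key"):
            if not net.get(key):
                findings.append(f"{ssid}: EAP-TLS without {key}")
    return findings


def audit_config(text: str) -> list:
    """Audit every block; returns [(ssid, eap, findings), ...] in file order."""
    return [(n.get("ssid", "<no ssid>"), n.get("eap", ""), audit(n)) for n in parse_networks(text)]


if __name__ == "__main__":
    for ssid, eap, findings in audit_config(SAMPLE_CONFIG):
        print(f"{ssid} ({eap or 'no EAP'}): {'; '.join(findings) or 'OK'}")
```

The second check matters as much as the first: a ca_cert pointing at a public CA bundle with no server-name match still accepts any certificate that bundle can verify, which is exactly the case the speaker is referring to when he says some supplicants will not reject the rogue server's certificate.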