Wireless Hacking Made Easy - Ernest Staats Network Security


MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+

[email protected] http://es-es.net


In attending this session you agree that any software demonstrated comes absolutely with NO WARRANTY. Use entirely at your own risk. Ernest or Eric, and the other 3rd-party vendors whose software is demonstrated as part of this session, are not responsible for any subsequent loss or damage whatsoever!

Legal advice: I am not a lawyer. For legal advice please seek a trained lawyer in the field in which you have a question.

ETHERNET ISSUES

- Network and System Access
  - Unauthorized Join
  - Unauthorized Expansion of the Network
  - VLAN Join
  - VLAN Tagging
  - Spoofing and Address Capture
- Traffic Confidentiality
  - Passive Eavesdropping
  - Active Eavesdropping
- Traffic Integrity
  - ARP Poisoning and Rogue DHCP Server
  - Man in the Middle
  - Replay
- Availability of Service
  - Denial of Service
  - Session Hijacking
  - Switch Control

RELATED ISSUES

- Using the Network as a Medium
  - Network Scanning
  - Redundancy and Aggregation Protocols
  - Topology Discovery Protocols
- Other Security Related Issues
  - Configuration and Installation Issues
  - Break-Ins
  - Implementation Issues
  - Issues with Legacy Technology
  - Architectural Issues
  - Freely available Software for Attacks and Exploits

- A switch learns the MAC address/port pairings and stores them in limited memory
  - Easy to generate bogus frames and get the memory to overflow
  - If a MAC address is unknown the switch broadcasts the frame out of all its ports, which makes eavesdropping possible
- Spanning Tree Protocol is used to define the logical topology for an Ethernet segment
  - Any host can claim to be the STP root and direct large parts of the traffic to go through itself: Man in the Middle attack (MitM)
  - STP can also be used for Denial of Service (DoS)
- DHCP poisoning
  - A new host on the LAN broadcasts a request for IP and router information
  - Any host can pretend to be the DHCP server and tell the new host that it is the router, which enables a Man in the Middle attack
- ARP poisoning
  - Any host on the LAN can broadcast a gratuitous ARP message claiming to have any IP address (including the router's) at its MAC address
  - ARP poisoning can be used to hijack an ongoing session
- Frames can hop from one Virtual LAN to another with "double tagging"
  - VLANs supposedly bring security, but VLAN management protocols enable all kinds of attacks
- Frame padding and MAC table timeouts leak information
  - With persistence the attacker can passively wait for HTTP cookies
- All attacks can be (and are being) made into software
  - Ettercap for MitM: http://ettercap.sourceforge.net/
  - Sniffers for eavesdropping: Wireshark, ngrep, tcpdump, snoop
  - Packet crafting tools: packETH, Bit-Twist, Mausezahn, Hping, Nemesis, Scapy, Yersinia, THC Parasite, macof
  - Packetsquare for capture, edit and replay
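The ARP and DHCP poisoning bullets above describe what a host can claim on the wire; what a defender wants is a way to notice it. The following is an added example, not code from the slides or their author: an arpwatch-style monitor that keeps a learned IP-to-MAC table, seeds it with operator-supplied static bindings for critical addresses (the gateway), and raises an alert when a binding flips or when a DHCP OFFER arrives from a server that is not on the allow-list. The event record shape, the addresses and the sample feed are all constructed for the demo.

```python
"""Added example, not from the slides or their author: an arpwatch-style monitor
that flags ARP poisoning and rogue DHCP servers from a feed of LAN events.
Event shape, addresses and the sample feed are constructed for the demo."""
from collections import namedtuple

# One summarised LAN event (constructed format; a real agent would fill it from a capture).
# kind:  "arp"        -> sender IP/MAC pair seen in an ARP reply or gratuitous announcement
#        "dhcp_offer" -> server IP/MAC of a DHCP OFFER, with the router option in `extra`
Event = namedtuple("Event", "kind ip mac extra")

# Operator-seeded facts about the segment (assumed values for the demo).
STATIC_BINDINGS = {"192.168.2.254": "00:11:22:33:44:01"}   # gateway IP -> its real MAC
KNOWN_DHCP_SERVERS = {"00:11:22:33:44:02"}                 # MAC of the legitimate DHCP server


def monitor(events, static=STATIC_BINDINGS, known_dhcp=KNOWN_DHCP_SERVERS):
    """Walk the events; return (learned_table, alerts).

    learned_table maps IP -> MAC as the monitor currently believes it.
    Static bindings are never overwritten, the same rule a switch applies to
    trusted entries under Dynamic ARP Inspection."""
    table = dict(static)
    alerts = []
    for ev in events:
        if ev.kind == "arp":
            seen = table.get(ev.ip)
            if seen is None:
                table[ev.ip] = ev.mac            # first sighting: learn it
            elif seen != ev.mac:
                if ev.ip in static:
                    # Someone claims a protected address with a foreign MAC: MitM setup
                    alerts.append(("HIGH", f"{ev.ip} (static, bound to {seen}) claimed by {ev.mac} via {ev.extra} ARP"))
                else:
                    # Ordinary host flip-flop; could be a DHCP reassignment or poisoning
                    alerts.append(("MEDIUM", f"{ev.ip} changed MAC {seen} -> {ev.mac} via {ev.extra} ARP"))
                    table[ev.ip] = ev.mac
        elif ev.kind == "dhcp_offer" and ev.mac not in known_dhcp:
            # An OFFER from an unlisted server: rogue DHCP pushing its own router option
            alerts.append(("HIGH", f"rogue DHCP offer from {ev.mac} ({ev.ip}) advertising router {ev.extra}"))
    return table, alerts


# Constructed sample feed: two normal hosts, then one station that tries both tricks.
SAMPLE_EVENTS = [
    Event("arp", "192.168.2.10", "00:11:22:33:44:10", "reply"),
    Event("arp", "192.168.2.254", "00:11:22:33:44:01", "reply"),               # gateway, matches static
    Event("dhcp_offer", "192.168.2.2", "00:11:22:33:44:02", "192.168.2.254"),  # legitimate server
    Event("arp", "192.168.2.254", "00:de:ad:be:ef:01", "gratuitous"),          # gateway impersonation
    Event("arp", "192.168.2.10", "00:de:ad:be:ef:01", "gratuitous"),           # victim host poisoned
    Event("dhcp_offer", "192.168.2.66", "00:de:ad:be:ef:01", "192.168.2.66"),  # rogue DHCP
]

if __name__ == "__main__":
    table, alerts = monitor(SAMPLE_EVENTS)
    for severity, message in alerts:
        print(severity, message)
```

The severity split is deliberate: a MAC change for an ordinary host is a normal event on a DHCP network, so it is only worth a medium alert until it correlates with something else, whereas a foreign MAC claiming the gateway address has no benign explanation on a stable segment.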


Access Control and Node Authentication
- Physical Protection of the Network
- Segmentation and VLANs
- Access Control Lists
- Network Access Control

Network Integrity Protection
- Securing ARP
- Port Security
- Authentication based Access Control: IEEE 802.1X

- Control and Management Plane Overload Protection (CoPP)
- Control and Management Plane Logical Protection
- STP BPDU and root guard
- Deep Packet Inspection
- Proper Configuration

Traffic (Payload) Integrity and Confidentiality Protection
- Traffic Encryption and Integrity Verification: IEEE 802.1AE MACsec
- Replay Protection

Intrusion Detection and Prevention Systems

Hiding or Obfuscating Network Topology

Future solutions
- Automated Key Management Policies
- Cryptographically generated addresses
- Removing ARP broadcasts
- OpenFlow or DHT/TRILL


- IEEE has no architectural solutions, except VLANs
- 802.1X adds authentication, but does not protect from misuse
  - Authenticated entities may misbehave
- 802.1AE MACsec adds confidentiality (encryption)
  - Based on 802.1X authentication
  - Not end to end, but host to switch
- 802.1X and MACsec require administration activities per node
  - Software installation, identity management
  - High cost, little flexibility
- Vendor solutions can make Ethernet fairly secure, but require configuration
  - Configuring each switch with knowledge of the topology: Port Security, Root Guard, BPDU Guard...
  - Effectively these are ACLs with fancy names to separate the user and control (and management) planes
  - Good administration practices
  - Knowledge of vendor-specific quirks of the switches


Ethernet architecture is flawed from a security point of view
- It is a nice and simple LAN architecture
- But it is "fail open" by design
  - If you don't know how to handle a frame, send it to everybody
  - Trusting everybody is implicit

Vendor solutions require active management
- Mainly to tell the switches the topology (trunk ports and leaf node ports)

Potential new solutions
- Deduce topology information automatically (low management overhead), then use Intrusion Prevention Systems and ACLs to protect the network
- Get rid of ARP and broadcasts (with e.g. DHT-TRILL)


1. SHARED, UNCONTROLLED MEDIA
- Invisible and airborne threats are hard to control compared with a wired network

2. SELF-DEPLOYING AND TRANSIENT NETWORKS
- The simplicity of self-discovery creates security challenges
- The mobile nature of wireless LAN devices and users requires in-depth forensics capability to address security breaches

3. USER INDIFFERENCE
- Invisible connectivity and the truly distributed nature give a faulty sense of security

4. EASIER TO ATTACK
- Lax WLAN security is the lowest hanging fruit for hackers
- Dozens of tools are readily available to exploit these holes

From a system management terminal, someone could:
- Add non-dedicated machines for administration
- Install new programs and new vulnerabilities
- Forget to update the management application when updating other LMR machines
- Remote into the management application from outside the LMR network
- Connect LMR to existing management functions

Protect, Detect, Respond
- Physically secure the management terminals
- Ensure system managers are authenticated
- Ensure appropriate privileges for users
- Update patches and manage administrator terminals


With the radios, someone could:
- Use a radio purchased from eBay
- Steal an existing radio from storage
- Infect the radios with viruses
- Send invalid data packets from the radio and terminals
- What else could be done?

Protect, Detect, Respond
- Ensure subscribers are authorized and authenticated
- Ensure that alerts are generated when unauthorized radios attempt to access the system
- Implement firewalls and router Access Control Lists to ensure only valid packets are passed
- Close unnecessary ports and protocols


- Network edge blurred: another access path into your mission critical network
- Rogues, hackers, mis-configured devices
- Organized crime: hacking for profit
- Interfacing with other systems
- Access control
- Combination of public and private network connectivity
- Multiple agency access


OPEN AP'S
- Let's all play nice

COOKIE SESSION IDS
- SSL login, and then?

EDIT COOKIES
- Sniff and edit

FERRET AND HAMSTER
- http://erratasec.blogspot.com/sidejacking.zip

DHCP Attack
- The exploit attacks a client and creates an admin user on the device
- DHCP Broadcast Attack (MS06-036): http://www.milw0rm.com/sploits/07212006 MS06_036_DHCP_Client.tar.gz

DNS ATTACK/MANIPULATION
- Can offer anything to you, and you believe it
- Sites: banking, hotel, airlines, work (Exchange, Oracle, SQL)

TORNADO
- Web-based attack tool which exploits up to 14 browser vulnerabilities and installs malware on the user's system


YOUR NOTEBOOK IS:
1. Not location-aware
   - Office
   - Home
   - Hotspot
2. Wants to always connect to something


Virtual Local Area Networks
- A logical grouping of devices or users
- Users can be grouped by function, department or application, regardless of physical segment location
- VLAN configuration is done at the switch (Layer 2)

VLANs are not security! They are obscurity; they are great for segmentation and traffic management.

- Static VLAN Assignment (port-based membership): membership is determined by the port on the switch and not by the host.
- Dynamic VLAN Assignment: membership is determined by the host's MAC address. The administrator has to create a database with MAC addresses and VLAN mappings.

- VLANs cannot communicate with each other even when they exist on the same switch
- For VLANs to communicate they must pass through a router
- Each VLAN is required to have at least one gateway to route packets in and out of the network


- Trunking allows us to cascade multiple switches, using the trunk ports to interconnect them
- Trunk ports act as a dedicated path for each VLAN between switches
- The trunk port is a member of all configured VLANs

VLAN hopping attacks are designed to allow the attacker to bypass the Layer 3 device. The attack takes advantage of incorrectly configured trunk ports on network switches.

Basic VLAN Hopping Attack
1. The attacker fools the switch into thinking that he is a switch that needs trunking
2. The attack needs a trunking-favorable setting such as Auto to succeed
3. The attacker is now a member of all trunked VLANs on the switch and can send and receive data on those VLANs

Double Encapsulated VLAN Hopping Attack
1. Switches perform only one level of IEEE 802.1q decapsulation
2. This allows the attacker to specify a .1q tag inside the frame, allowing the frame to go to a VLAN other than the one the outer tag specifies
3. This attack works even if trunk ports are set to OFF

- Use a dedicated VLAN for all trunk ports.
- Avoid using VLAN 1.
- Deploy port security.
- Set user ports to non-trunking.
- Use ARP security options.
- Use BPDU guard, Root guard.
- Use PVLANs.
- Disable CDP.
- Disable unused ports and put them in an unused VLAN.
- Ensure DHCP attack prevention.
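The checklist above is only useful if someone verifies that every switch actually follows it. The following is an added example, not code from the slides or their author: a small audit script that parses a Cisco-IOS-style running configuration and reports, per interface and globally, which items of the checklist are missing (trunk negotiation left on, native VLAN 1, no BPDU guard or port security on user ports, unused ports parked in VLAN 1, CDP and DHCP snooping at the global level). The sample configuration is constructed for the demo; the IOS commands it looks for are real syntax, but the parser is deliberately minimal and assumes the usual one-space indentation under `interface` blocks.

```python
"""Added example, not from the slides or their author: audit a Cisco-IOS-style
switch config against the VLAN hardening checklist (trunk negotiation, native
VLAN 1, BPDU guard, port security, unused ports, CDP, DHCP snooping).
The sample config is constructed; the commands checked are real IOS syntax."""


def parse_config(text):
    """Split an IOS-style config into (global_lines, {interface_name: [lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                      # '!' separates sections
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())   # indented: belongs to the block
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return a list of (scope, finding) tuples; an empty list means the checklist holds."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if "no cdp run" not in global_lines:
        findings.append(("global", "CDP enabled: add 'no cdp run' (or 'no cdp enable' on user ports)"))
    if not any(g.startswith("ip dhcp snooping") for g in global_lines):
        findings.append(("global", "DHCP snooping off: add 'ip dhcp snooping' and 'ip dhcp snooping vlan <list>'"))
    for name, lines in interfaces.items():
        mode = next((l for l in lines if l.startswith("switchport mode")), None)
        if "shutdown" in lines:
            # Disabled port: the checklist still wants it parked in a dedicated unused VLAN
            vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan")), "1")
            if vlan == "1":
                findings.append((name, "unused port left in VLAN 1: park it in a dedicated unused VLAN"))
            continue
        if mode == "switchport mode trunk":
            native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan")), "1")
            if native == "1":
                findings.append((name, "trunk native VLAN is 1: use a dedicated, otherwise unused native VLAN"))
            if "switchport nonegotiate" not in lines:
                findings.append((name, "DTP still negotiating on trunk: add 'switchport nonegotiate'"))
            continue
        # Anything else is a user-facing port and must be pinned to access mode
        if mode != "switchport mode access":
            findings.append((name, f"user port not forced to access mode ({mode or 'default dynamic'}): DTP VLAN hopping possible"))
        if "spanning-tree bpduguard enable" not in lines:
            findings.append((name, "no BPDU guard: a host sending BPDUs could become STP root"))
        if not any(l.startswith("switchport port-security") for l in lines):
            findings.append((name, "no port security: MAC flooding / unauthorized join not limited"))
    return findings


# Constructed sample config: one hardened trunk, one hardened user port,
# one user port at factory defaults, one unused port that was only shut down.
SAMPLE_CONFIG = """\
hostname lab-switch
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface GigabitEthernet0/1
 description uplink to core, hardened trunk
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 description user port, left at factory defaults
 switchport mode dynamic auto
 switchport access vlan 20
!
interface GigabitEthernet0/4
 shutdown
!
"""

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Run against the sample, the audit is silent for Gi0/1 and Gi0/2, reports three problems on Gi0/3 (dynamic trunking, no BPDU guard, no port security), one on Gi0/4 (parked in VLAN 1) and one global finding (CDP still running). Private VLANs and ARP inspection from the checklist are left out of the script because their configuration is split across several global and per-VLAN commands; they are the natural next checks to add.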


MiniPwner (listed in the lab manual starting on page 11). Here is a list of some of the software that comes installed:
- nmap: network scanner
- tcpdump: sniffer
- netcat: hacker's Swiss army knife
- aircrack: wireless network analysis
- kismet: wireless network analysis
- perl: Perl scripting language
- openvpn: VPN client and server
- dsniff: suite of sniffing and spoofing tools, including arpspoof
- nbtscan: NetBIOS network scanner
- snort: sniffer, packet logger, intrusion detection system
- samba2-client: Windows file sharing client
- elinks: text based web browser
- yafc: FTP client
- openssh-sftp-client: secure file transfer client

Fully loaded: wireless, 3G/GSM, and NAC/802.1x bypass!
- Includes 3G, wireless, and USB-Ethernet adapters
- Fully-automated NAC/802.1x/RADIUS bypass!
- Out-of-band SSH access over 3G/GSM cell networks!
- One-click Evil AP, stealth mode, and passive recon
- Maintains persistent, covert, encrypted SSH access to your target network
- Tunnels through application-aware firewalls and IPS
- Supports HTTP proxies, SSH-VPN, and OpenVPN

Analyze risk

risk = (cost of an exploit)*(likelihood it will occur)

Mobile devices make this inexpensive and very possible (BeetleJuice) inside of “Flame”

Demos:

Bypass DLP

(Safepod)

ANTI FaceNif WIFI Kill


- Inherent trust: "It's MY PHONE."
- Portability is a benefit and a risk
- Controls if lost: lock/erase? Implications of erasing personal data
- PIN security: secure, or easy to do one-handed?
- What is resident in memory?
- Malware: a whole new breed of malware and products; malicious apps are increasing
- How do you write secure apps?
- Social engineering of providers: value of OOB communication
- Where did my app come from? What is a trusted source?

Login: username root, password toor, then run startx

Tools organized by category in the typical order of a penetration test.

Main collection of tools by category

- Sweet and simple: ICMP
  - ping, fping: quickly check an IP range
  - Not very reliable; many servers and firewalls turn off ICMP replies
- TCP and UDP: more than ICMP replies
  - nping: TCP, UDP, IP ranges
  - Many others for internal and external: Applications > Backtrack > Information Gathering > Network Analysis > Identify Live Hosts

nping --tcp -p 8080 66.110.218.68

- Seeing the hops and routers in between: traceroute (Linux), tracert (Windows)
- Zenmap: the all-in-one GUI for nmap
  - Hop and routing maps
  - Save findings for later
  - Extremely easy

- Ports are the "doors" on the system where info is sent out from and received
- When a server app is running on a port, it listens for packets
- When there is nothing listening on a port, the port is closed
- TCP/IP stack: 65,536 TCP ports

Port states as nmap reports them:
- Open: the port has an application listening on it, and is accepting packets.
- Closed: the port is accessible by nmap, but no application is listening on it.
- Filtered: nmap can't figure out if the port is open or closed because the packets are being filtered (firewall).
- Unfiltered: the port is accessible, but nmap can't figure out if it is open or closed.

Any port can be configured to run any service, but major services stick to the defaults. Popular TCP ports/services:
- 80: HTTP (web server)
- 23: Telnet
- 443: HTTPS (SSL-encrypted web server)
- 21: FTP
- 22: SSH (shell access; secure shell, replacement for Telnet)
- 25: SMTP (send email)
- 110: POP3 (email retrieval)
- 445: Microsoft-DS (SMB communication with MS Windows services)
- 139: NetBIOS-SSN (communication with MS Windows services)
- 143: IMAP (email retrieval)
- 53: Domain (DNS)
- 3306: MySQL (database)

Nmap ("Network Mapper") is a great tool that we have in both the portable apps and in BT. Extremely powerful.
- Simple use: nmap -v -A ('v' for verbosity and 'A' for OS/version detection)
- Scan one target or a range
- Built-in profiles, or make your own for personal ease
- Visual map (hop distance, router information), using a quick traceroute
- Group hosts by service

Here are some IPs open to be scanned. Be careful!
- 66.110.218.68
- 66.110.220.87
- Hackerinstitute.net
- 66.110.218.106
- moodle.gcasda.org
- Just in case: 192.168.2.254, 192.168.2.240

- Host name to IP lookup: nslookup www.es-es.net
- Reverse lookup: nslookup 74.208.95.36
- dig [domain] any, e.g. dig es-es.net any. The 'any' switch is used to show all DNS entries.
- Just a few record types cribbed from: http://en.wikipedia.org/wiki/List_of_DNS_record_types

Code   Number   Defining RFC   Description
A      1        RFC 1035       address record
AAAA   28       RFC 3596       IPv6 address record
MX     15       RFC 1035       mail exchange record
CNAME  5        RFC 1035       canonical name record
PTR    12       RFC 1035       pointer record
AXFR   252      RFC 1035       full zone transfer

- http://serversniff.net/subdomains.php
- http://serversniff.net/nsreport.php (e.g. gcasda.org)
- http://serversniff.net/content.php?do=httprobots
- http://whois.domaintools.com/
- Tools on the thumb drive: DNS Lookup, a good DIG tool (GUI): http://nscan.org/dig.html
- Nirsoft's http://www.nirsoft.net/utils/whois_this_domain.html and http://www.nirsoft.net/utils/ipnetinfo.html

Using Wireshark and taking advantage of unencrypted traffic.

Telnet Session

Website logins

SNMP capture

- wlan0 needs to be in monitor mode
- List the available capture interfaces and choose an interface...
- Display filters: ip.src==[ip_address_of_target]
- Filter by protocol: telnet, ssh, http, etc.
- "and" is used to link multiple filters together

- Everything is unencrypted over telnet; every character typed is sent as an individual packet.
- Wireshark can follow and piece together the packet stream for us. This will allow us to see the password in clear text.
- Here is the unencrypted login page. Set Wireshark to filter and display HTTP only; we are now looking for an interesting URL. POST requests can be full of information.
- Web login for the ProCurve 2524: captured the login packets and found an encoded password hash. The hash looked like base64, and Cain was used to decode it: the same password as in the telnet session.

- Sniff SNMPv1 or SNMPv2c clear text
- You'd be a fool not to sniff traffic and look for UDP 161, just in case some SNMP traffic leaks to clients or servers you control
- Also, try community string guessing/dictionary attacking against SNMPv1, v2c, or v3

Onesixtyone by Solar Eclipse
- Speedy: sends lots of requests in parallel, not waiting for responses
- Doesn't stop on success: enumerates all valid community strings for a device
- dict.txt includes 49 common strings
- Free at www.phreedom.org/solar/onesixtyone/

Free Metasploit module: auxiliary/scanner/snmp/community
- Good for large-scale iteration through network address space
- Nice, flexible RHOSTS options (range, list, file, IPv6, etc.)
- Stops once it gets a success on a given target (maybe just Read)
- Includes snmp.txt file with 119 common strings

If you achieve SNMP Read/Write access, you own the device
- We can download the running or startup configuration for detailed analysis
- Crack the passwords in it and use them on other network devices
- Cisco enable passwords are typically stored using salted MD5, easily cracked using John or oclHashcat
- We could dump CDP, the ARP cache, and the routing table for target enumeration
- We could reconfigure the device to allow all sorts of access, such as telnet, ssh, http, or https
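Both the Wireshark walkthrough (telnet and web logins in clear text) and the SNMP section (clear-text community strings on UDP 161, and dictionary tools that fire many community strings in quick succession) have the same defensive counterpart: knowing where clear-text credentials cross your network, and noticing when someone is guessing community strings. The following is an added example, not code from the slides or their author. It runs two checks over a constructed list of packet summaries: an inventory of which clients sent clear-text credentials to which servers (skipping SNMPv3, which can be authenticated and encrypted), and a detector for one source trying many distinct community strings against one target inside a short window. The record shape, the `has_credentials` flag and the addresses are assumptions made for the demo.

```python
"""Added example, not from the slides or their author: detection logic for the
clear-text protocol problems discussed above (Telnet, HTTP form logins,
SNMPv1/v2c) over a constructed list of packet summaries. Record shape and
addresses are assumptions made for this demo."""
from collections import defaultdict


def pkt(ts, src, dst, dport, **fields):
    """One packet summary (constructed shape): timestamp in seconds, addresses,
    destination port, plus optional protocol details such as an SNMP community."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, **fields}


# Destination ports whose payload normally crosses the wire unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 161: "snmp"}


def cleartext_inventory(packets):
    """Map (server, protocol) -> sorted list of clients that sent it clear-text
    credentials. SNMPv3 packets are skipped (they may be authenticated and
    encrypted); HTTP counts only when the summary marks a login form."""
    seen = defaultdict(set)
    for p in packets:
        proto = CLEARTEXT_PORTS.get(p["dport"])
        if proto is None:
            continue
        if proto == "snmp" and p.get("version") == 3:
            continue
        if proto == "http" and not p.get("has_credentials", False):
            continue
        seen[(p["dst"], proto)].add(p["src"])
    return {key: sorted(clients) for key, clients in seen.items()}


def snmp_guessing(packets, window=10.0, threshold=5):
    """Return (src, dst, count) for each source that tried >= threshold distinct
    community strings against one target inside `window` seconds: the footprint
    a dictionary scanner leaves on a device's UDP/161, as opposed to a
    monitoring station polling with the same string over and over."""
    tries = defaultdict(list)
    for p in packets:
        if p["dport"] == 161 and "community" in p:
            tries[(p["src"], p["dst"])].append((p["ts"], p["community"]))
    alerts = []
    for (src, dst), events in tries.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            distinct = {c for t, c in events[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                alerts.append((src, dst, len(distinct)))
                break
    return alerts


# Constructed sample traffic on the slides' lab network (192.168.2.0/24).
SAMPLE_PACKETS = [
    pkt(0.0, "192.168.2.10", "192.168.2.240", 23),                          # telnet to the switch
    pkt(1.5, "192.168.2.10", "192.168.2.240", 80, has_credentials=True),    # web login POST
    pkt(2.0, "192.168.2.10", "192.168.2.240", 443),                         # HTTPS: not clear text
    pkt(3.0, "192.168.2.5", "192.168.2.240", 161, version=2, community="public"),   # NMS poll
    pkt(3.1, "192.168.2.5", "192.168.2.241", 161, version=3),               # SNMPv3: skipped
    pkt(60.0, "192.168.2.5", "192.168.2.240", 161, version=2, community="public"),  # poll again
] + [
    # one station walking a wordlist against the switch, 0.2 s between tries
    pkt(100.0 + 0.2 * i, "192.168.2.77", "192.168.2.240", 161, version=1, community=c)
    for i, c in enumerate(["public", "private", "admin", "cisco", "manager", "secret"])
]

if __name__ == "__main__":
    for (server, proto), clients in cleartext_inventory(SAMPLE_PACKETS).items():
        print(f"clear-text {proto} to {server} from {clients}")
    for src, dst, n in snmp_guessing(SAMPLE_PACKETS):
        print(f"ALERT {src} tried {n} community strings against {dst} within the window")
```

On the sample, the inventory reports telnet, HTTP and SNMP clear-text credentials all flowing to 192.168.2.240, and the guessing detector fires once for 192.168.2.77 (six strings within a second) while the monitoring station, which repeats the same string, stays quiet. The threshold and window are the knobs to tune against real polling intervals.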

/pentest/enumeration/snmp
- onesixtyone can dictionary attack SNMP community names; with the names we can enumerate.

onesixtyone -c dict.txt 192.168.2.240

- Both snmpcheck and snmpenum are good, but they have their pros and cons. We will use snmpcheck today.

./snmpcheck-1.8.pl -t 192.168.2.240 -c admin -v 2

- We have the admin community from the attack with onesixtyone.
- Or with the -w option we can check for write access and see if we can reconfigure the switch.

- Cell communication has been hacked; it is not secure (Defcon demos)
- Email: POP and SMTP are sent in clear text. If you lose the device, the mail is not stored in a secure environment.
- Running Wireshark to sniff an account at a coffee shop
- Several mobile apps have poor security, including some bank apps that store the username and password on the device in clear text (i.e. Citibank); PayPal had the app state that if the SSL cert was bad, allow it anyway
- Local device storage issues: SSD tends to move the app around on the device
- Good uses an encrypted container to store email in a "secure" environment

Can they get into your VM or fake the caller ID?
- http://www.telespoof.com/freecall/agi
- http://www.spoofcard.com/
- http://www.slydial.com/apps.php

- From the cell tower back to you is unencrypted
- Rogue apps: live malware found
- How will you update: over the air or tethered?
- What about Bring Your Own Device?
- Jailbreakme.com: it is so easy to jailbreak / root a device
- Publish standards of what you will or will not support
- Poorly coded apps that limit password length and complexity, and allow paste
- Running Wireshark from a mobile device

Mobile management tools are available from several 3rd-party vendors (more info on es-es.net): AirWatch, Good Technology, MobileIron, Sybase, and Zenprise.
- Most offer remote wipe of corporate apps and email. Some have antimalware and filtering options.
- Before you install an app, read the list of permissions that the app requests. Does that list make sense? For instance, does a game really need to be able to send premium text messages or access your contact list?

- Metagoofil: http://www.edge-security.com/metagoofil.php
- Exploit DB Google Dorks: http://www.exploit-db.com/google-dorks/
- Online Google Hacking Tool: http://www.secapps.com/a/ghdb
- SiteDigger: http://www.mcafee.com/us/downloads/free tools/sitedigger.aspx
- Goolag: http://goolag.org

RobTex

While the interface is a bit weird in my opinion, this is a great site for doing reverse DNS look-ups on IPs, grabbing Whois contacts, and finding other general information about an IP or domain name.

http://www.robtex.com

ServerSniff

This one is sort of an odd ball. Lots of sites offer Whois info, this one goes for more exotic tools. You really have to just play with it to find all of its features. It’s sometimes hard to remember which option is where. Just some of the tools are: ICMP & TCP traceroutes, SSL Info, DNS reports and Hostnames on a shared IP. It’s nice to have them do some of the recon for you if you don’t want to use a proxy and don’t wish for your IP to show up in the target’s logs. http://serversniff.net

- Check if your email address has been owned: http://beta.serversniff.de/compromised.php

Portable apps
- Angry IP Scanner
- Wireless KeyView
- Zenmap (will do more after lunch)
- Attack_Surface_Analyzer_BETA_x64
- WSCC
- SearchDiggity.Client: Google and Bing "hacking" (Google Hacking Diggity Project)
- Creepy
- FreeScreenRecord
- HoffmanUtilitySpotlight2009_04: Rich Copy, great for copying

From the portable apps we will run an Angry IP scan on our local network to see what ports are open and if we can get into them.


TCPView

Suffering from a slow connection? You get the feeling that something's bogging down your WiFi or Ethernet adapter? TCPView (also a part of Sysinternals and available via WSCC) is your chance to figure out which process is costing you how much bandwidth and deal with this connection hog. Simply launch TCPView and sort all processes by clicking the "Sent Packages/Bytes" or "Rcvd Packages/Bytes" header to get the top bandwidth hogs.

Sign up for BrowserCheck Business Edition


Ensure all browsers and plug-ins used within your organization are up-to-date with the latest security patches

BrowserCheck Business Edition:
- Provides you with a unique URL to give to users inside your company
- Allows your users to scan their browsers and plug-ins for security issues
- Helps you track the state of browser security in your organization over time
http://www.qualys.com/forms/browsercheck-business edition/

Vulnerabilities:

- OWASP (http://www.owasp.org)
- SANS Top 20 (www.sans.org/top20)
- National Vulnerability Database (http://nvd.nist.gov)
- cgisecurity (http://www.cgisecurity.com)

Guidance:

- National Institute of Standards and Technology (NIST) Computer Security Resource Center (http://csrc.nist.gov/publications/nistpubs/)
- Center for Internet Security (CIS) (http://www.cisecurity.org/)
- Educause (http://connect.educause.edu/term_view/Cybersecurity)