Remote Wireless Pentesting with Eric Escobar & Matt Orme | Hackers of CypherCon

Today we’re gonna be talking to you about remote wireless pentesting, just in a nutshell, and a little bit about what we do. I’m Eric. – I’m Matt. – And yeah, we hate PowerPoint. We don’t make slides, so pretty much it’s just gonna be a bunch of pictures. – Time stamp on this is about four minutes ago. It’s real. – Not really. – We tried. – Right.

– So a quick tidbit about us: I work for Secureworks, so does Matt. We like to do wireless pentesting and all other sorts of pentesting. We got our start at Barracuda way long ago. We started competing in the DEF CON wireless capture the flag and won three years in a row. And then they told us that we can’t play their reindeer games anymore, so we’re banned from playing the wireless capture the flag at DEF CON. So we decided that we’re gonna start our own here and stuff. You guys come over to 201A, we’re gonna be running the wireless capture the flag all night, and yeah, it’ll be really fun. I don’t know, what else? – That’s it. That’s it, that’s everything. – What about you, Matt? What about you? – Uh, I’m 6’2″, 170 pounds. I’m happily married. I have kids. I like my house. The French horn is my favorite instrument. Yeah, next.

– OK, you go first. – So, we work with the SecureWorks Adversary Group. We’re net pen, which is kind of vague. Basically, we attack people’s computers; we’re pen testers, and we break into things. We have a bunch of people too, smarter than Eric and I, on our team. Which we… Hello? I can talk really loud until this microphone starts working again. We break into people’s stuff. When we started, we were doing wireless engagements. We weren’t doing them in a way where we were breaking into people’s stuff. They were more assessments than pentests. That’s boring, right, for pen testers? And it’s boring for people who are paying for pentests. So we wanted to change that up. I think that is a good segue into our next slide. – Yes. – Key, keyword, hashtag slide. – So how we got
started on this, like I said, we did the DEF CON wireless capture the flag and we realized, you know what? When you’re chasing down a fox, or you’re trying to break an access point, or be in any way, shape or form covert, it doesn’t really work if you have a laptop with a bunch of different antennas hanging off of it. People are looking by you and taking pictures of you at DEF CON, and you stand out a lot. So if somebody’s trying to have a little bit of OPSEC and stay away from you, you just stick out like a sore thumb. Because of that, we built our initial piece of this platform off of a Raspberry Pi. Hella cheap, because it was our personal funding, right, so it wasn’t a lot of money: maybe $60 of stuff off of Amazon. That’s like a LiPo battery, $10 on Amazon, wireless adapters, $14, and the Raspberry Pi was like, what, maybe $30; they’re even cheaper now. So that’s how we started, and basically this was used because we could stick that in our pocket and then run everything off of a terminal client on our phone, so that we are really covert. Everything was nice and quiet, it was super cheap, well within my budget. And so then instead of having a laptop in front of us…

– So, sorry. No, so the difference matters there. If you’re walking around with a laptop doing a wireless assessment, you’re ridiculously obvious. People don’t walk around typing on a laptop, right? If you have a Pi in your backpack with a bunch of antennas relatively concealed, and all you need is an SSH client on your phone, you look like every other sheep walking around on their phone. You blend, right? It matters if you’re a pen tester. Anything you can do to blend in with the people around you helps you. So the Pi is not the best platform, it’s a good platform, but the phone versus a laptop is a game changer for your ability to blend into the people. On to the next slide. – So I’d… whoa, that, yeah. So the
problem with a tablet is that the hardware there typically has weird drivers, the operating system, and the kind of processors it has. Everything in the world has been made on a Raspberry Pi, so it’s an easy platform: just plug things in, there’s USB ports, you can expand those ports out if you add additional power and you don’t want your low voltage drops. So yeah, tablets are another option, but how expensive is a tablet when everybody else has a phone, right? They do sell, you know, purpose-built pentesting tablets, but this is honestly just cheaper and it’s more customizable, from my perspective anyways. And you can kind of see this, like what I see on my phone. So that’s a typical iPhone keyboard, we’ll show an Android one later, and that’s airodump running, catching a handshake, just off of my phone, just sitting there, right? So that’s kind of the power here: you have the power of a full computer, completely customizable. You can script up whatever you want on that Pi when you’re at home and then go to your phone, run your scripts and do all this stuff. I mean, we’ve been testing some very large areas where there are lots of people, and we walk around and nobody knows that we aren’t tourists, you know, visiting that spot. We’re just nice and covert. In fact, this is Matt’s backpack; tell them about it.

– Yeah, so literally a backpack. There’s not that much to say, but you can see down one side there’s just an Alfa 2.4, the green Alfa cards. Any of you guys who have done wireless, you know those cards. There’s these fat card cases and they’re stupid, so we popped them out and just 3D printed cases that fit that board. It’s a half size board relative to the case that it’s in, so we popped them out of the cases, printed boards. It looks like it’s something you would notice there. I can tell you I walk around with a 9 dB Alfa antenna, which is about 14 inches long, on my backpack all the time, through TSA and through an airport, and literally no one has ever, ever, ever, ever asked me about it. So as sort of obvious as that seems, it isn’t, especially when you consider the alternative of walking around with a laptop, typing, like looking up at the ceiling for APs, right? And the other part too is that it’s really easy to see that one, because there’s two little brass connectors right there, but you probably also didn’t see the black one right behind it, or one of the Pandas sitting right there. So it’s one of those things: those are all hanging off of it, and unless you’re really looking, there’s two on there, yeah, and you can’t even see it. And that’s on the outside; that’s not even on the inside. If you really wanted to be extremely covert, you just put it all in the backpack and nobody knows. I’m just gonna go from there. This is what it looks like on the inside of it. So you can see that that’s basically just two Raspberry Pis. If you need to capture more channels, more bandwidth, you just plug in more. They run off of 10k milliamp hour batteries, off the shelf. – Yeah, all off-the-shelf stuff, you buy it off Amazon and, you know, it’s like 20 bucks, and those 10k milliamp hour batteries can run it for probably about 20 hours, that’s doing, you know, captures on multiple cards the entire time. – So the backpack is more expensive than the hardware. – That’s 100% true. Oh, proud, they’re so proud of those bags with the loops. – Oh, how do you feel about this? – All right, so we’re gonna talk a
little bit about the benefits of wireless attacks, and this is one of the things that I like to just kind of talk to clients about: hey, you know, you could buy a fancy-schmancy red team and it will cost a lot of money, and we will definitely break into your company, but a wireless pentest has the benefit of, I can be sitting on that park bench right there and I don’t need any physical access to your facility at all. I can, you know, put up a nice directional antenna and have the same level of access as if I were sitting in your lobby. And so that’s one of those things that a lot of people just think: oh, well, you know what, my wireless signal only propagates, you know, just in the parking lot, because that’s how far my iPhone goes. What they don’t realize is that with different antennas and different hardware you can extend that range hundreds and hundreds and hundreds of yards, especially in open air. And so you can do a pen test without ever, you know, creating a fingerprint, ever getting on camera, or even being in the same area. And what we’re gonna talk about is some of the hardware that we can do that with, that we can be thousands of miles away and still perform the same wireless pen test, and arguably give a much better product, I think, to the client. – Agreed. – Yeah, next. – Next slide.

So again, one of the things that we do often is rogue access points. Contrary to popular belief, WPA2 PSK, which probably all of your home, you know, access points are running right now, that’s actually really secure if you have a good passphrase. Oftentimes we’ll catch a handshake for a client, and if it’s of any reasonable size we’re probably not going to crack it, and we have multiple dedicated purpose-built devices that basically have eight, you know, 1080 Tis, Titans, that can crack hashes at billions and billions of hashes a second. – How do you say that better? We don’t crack very much WPA2 PSK. – What he said. It’s not a fast hash to crack. If you have a hard, you know, 12 to 15 character pseudo-random passphrase, even if they’re dictionary words and you substitute appropriately, those are way harder. You’re more secure with that than you are with WPA Enterprise, unless you check every single box getting WPA Enterprise right and your users aren’t local admins and can’t install certs. PSK is harder, period.

– And that’s where rogue access points come in, because what I do is I stand up a rogue access point that’s the same name as your Wi-Fi router. It’s an open network. I nuke your Wi-Fi so that you can’t connect to it; I just deauth all of your devices from it. You say, whoa, there’s a problem with my Wi-Fi, I don’t know what’s going on. You look on your iPhone and you say, oh, I’m not connected to Wi-Fi, I’m going to connect to the one that has the strongest signal. Guess who has the strongest signal? We do. So you connect to us, and this is a screen of a bunch of people connecting to us, and we serve them up a captive portal which looks surprisingly like what their prompt is to put in their wireless password. – So some of this is like pentester stuff that
we probably take for granted. When you’re working, like, on a machine that’s wired into your network, there’s this concept of a broadcast domain, right? Those are the other machines sharing your locality, right, in a map sense. You’re limited in your exposure there, right? Your servers are going to be in a different broadcast domain than your desktops. Wireless is not like that. Everything is your broadcast; the air is your broadcast domain in wireless. So just some context to back this up: these attacks can be perpetrated against anybody using the wireless access points that you connect to. There is no isolation in a broadcast domain. Everybody is just yelling as loud as they can, and we have tools so we can yell (pun intended, because I’m yelling). We can yell really loud, right? I have two wireless amplifiers that would put my wireless signal on the top of everyone in this room’s, probably everyone on this block’s, list of access points. So broadcast, it matters. That’s tangential to what Eric is talking about, but it matters. Those gaps, it matters, because basically what it means is you’re gonna connect to us.

– You’re gonna submit your password to us, since we’re running the web server and this is all our stuff. When it comes to us it’s in clear text. You typed in your password, you just gave it to us in clear text. I don’t need to crack anything, I don’t need any fancy, you know, rig that has all these graphics cards in it. You just gave it to me in clear. – He typed it. – Yeah, you just typed it to me and gave it to me without knowing it. And so then what the script basically does is it shuts down, says I got a working password, so I’m gonna stop doing everything, and you think, sweet, well, I just reconnected to Wi-Fi, now everything works, that is awesome. But really, everything works and now I’m on your network. And that’s the differentiator there, and that’s really how you break PSK, or, you know, your typical home Wi-Fi: it’s when you accidentally give it up to somebody. Cryptographically speaking, it’s secure. And so this is an example: if you were to try to do the same thing on, like, a Windows 10 computer, you try to connect to the internet and you’re like, man, I can’t connect, what’s going on? You can’t connect, really? This isn’t a “no internet connection” page that’s served up by Windows; this is my website that we run on the Raspberry Pi, and that’s you trying to connect. You enter your password, and when you hit next you’re actually just submitting that to my web server. And now, so we’re gonna talk about… so that’s wireless pentesting, right. We’re going to talk about how we do it remotely and why we did it remotely, and that’s why we really did it, for this one right here. This is my daughter, she just turned a year old. Wireless pentesting
traditionally required that I needed to go on site. I don’t like going on site. I have a baby at home, I have a wife at home, I want to stay and hang out with them. When Matt said he likes his house, I like my house a lot too, and I want to stay there. That’s why we developed this box, which is basically an ammo can with a bunch of… not basically, it is an ammo can, with electronics inside, with Raspberry Pis inside. It’s that little portable thing that we had, but basically just jammed into there. Not basically, it is jammed into there. And we did it just so that we can hang out and be at home. This is our version one, and I made it. It worked, but it’s ugly, as you’re about to see on the inside. Yeah, so basically what you don’t see is that on that top right image I just packed that full of packing foam. That’s all it was. There was no, like, good heat sinks in there, there was no airflow, that was just packed tight, full of foam, and probably a fire hazard, but nothing happened, so we’re good. And then Matt was nice enough to add on the bottom left one, the nice little Adversary Group sticker, to our Ethernet jack, which gives us a little bit more capability.

– So Eric brought over… Eric and I work together on a lot of stuff. Eric is an optimist, which is really good, because I am cynical. His optimism allows him to take on projects that I know are a stupid waste of time, and then he shows up at my house and it’s like, look, it works, sometimes. And I’m like, oh god, you’re the worst. Like, OK, so he brings this box over to me and it’s literally some crap and some foam and some crap and some foam, and he’s like, it works, it works, and he demonstrates that it works, and I throw it off my patio on the second floor and it breaks open and everything dumps out on my driveway. And he was like, what are you doing? And I was like, we have to ship it somewhere, right, because we’re not pen testing my house. So we took his thing that worked, that he proved was worth some time, and did a whole bunch of 3D nonsense printing, like, whoohoo, like, cool maker stuff, and got it into a format that we could ship out to clients and it would arrive mostly working. We put two of everything in, because I come from a world of running backups, right, where two is one and one is none. So we put two of everything in the box and we shipped it, and we have yet to have an instance where the box would arrive in such a dilapidated state that we could not test. Frequently it’s a little hodgepodge; some things made it. So we kept sort of iterating on the box, and we have a nicer version now. We would like to have brought one, but they’re so booked through our wireless practice that we don’t have any to spare. I built two the day before we flew here, to ship. We literally couldn’t take one out of circulation; that’s how in demand they are. You want to pop forward? – Yes. So a little bit about what’s in it. This is like definitely
not the limited size deck, but these are the main tools that we go to. We use aircrack; if you’re not familiar with that, that’s like the main suite of tools that allows you to… oh, are these live now? Whoa, they’re live. So aircrack is the main tool that we pretty much use to catch handshakes, to see what’s going on in the airspace. It takes some, you know, decently… it takes some stuff off Amazon that you can use, like wireless cards, to be able to scan the airspace and see what’s there. We use EAPHammer; that’s what we use pretty much all the time to break into WPA2 Enterprise. We have Wifiphisher; that’s what I was showing you before. If we don’t know your Wi-Fi password, we’re gonna try and phish it from you. It’s phishing, but with Wi-Fi. We also have GTC downgrade; I haven’t seen that in a long time, but that’s also on there, you just never know. And mdk3, that’s basically deauthing. That can nuke all wireless; you know, I could kick everybody in this room off of all Wi-Fi networks with just that one tool and a Raspberry Pi. So again, on top of all these we also have all of our typical net pen tools. When I say net pen, if we’re gonna run a general network penetration test, you know, we have stuff to do LLMNR and NetBIOS poisoning, we have CrackMapExec, we have all of our AD stuff to test your Active Directory, because the angle is not just to break into your Wi-Fi network. The end goal of this is to become domain admin, or get to whatever, you know, the client deems are their crown jewels. That’s where this ends. It’s not just a, oh, we knew where this assessment… it really just comes down to: it is a part of your external perimeter. People do external penetration tests all the time of what they have publicly exposed to the internet, but they almost never do a wireless pen test of what somebody could do if they’re, you know, local, even close, and what we’ll show you is thousands of miles away.

– Anyway, so I’m going to talk a
little bit about the version one and some of the design considerations. I had some ammo cans laying around, so I used the ammo can; it’d be pretty rugged at the time, so, hey, it worked out. There’s dual serial on board, so Raspberry Pis, if you don’t know, they can connect to each other, like you can plug one into the other and they can talk to each other back and forth, no network, it’s just direct, like almost keyboard-to-keyboard talking with one another. The nice part about that is if one Raspberry Pi doesn’t come up, you can troubleshoot it from the other one, so there’s redundancy built in there. You should go to the next slide, yeah, because it explains… all right. Oh yeah, that is a lot better slide, yeah. Anyway, this is what it looks like. So there’s the ammo can; you can see everything. That little green square, that’s what’s in the box. So both of those Raspberry Pis, they can talk to each other independent of any network connection. Then you have two cellular modems in there, both running different cell signal, different services basically. So if we’re in an area where, hey, Verizon is crap, we can’t use it, it will use T-Mobile. If T-Mobile’s crap, inverse. And we can troubleshoot it, so if something’s happening we can go back through any one of those ways. The other thing that’s nice about it too is this all phones home directly to our OpenVPN pen web that we use to do all of our pen tests from. So when somebody plugs in that wire, or, you know, somebody plugs in the ammo can and powers it, it automatically comes up, connects to the cell towers, and then it’ll even send us a text message saying, hey, I’m up, here’s where I am, here’s the networks that I see, and here’s all the statistics of it. So I know before the client even emails me that that device has been plugged in. So arguably the ammo cans are the most secure devices on the client’s network, and that’s thanks to another member of our team who’s sitting up here in the green. Yeah, John Miller, way to go, yeah, that guy. The guy who came along, he does all the magic. Anyway, so that was version one. That’s basically how it’s designed, and the base bits of it are a little bit the same.

– But then that made everything really nice for me. Oh, isn’t that big? Doesn’t that make your OCD just feel amazing? I just have a moment of silence when we consider the ammo can foam debacle that arrived at my house, like, oh, kinda works, and then we look at that. You can shake it and it doesn’t make a sound. You can shake it hard. I throw them off my patio to test them before we ship them. – That’s OK, we’re just gonna show him another picture. – They’re really good. Yeah, yeah. Oh, right, right.
So we got rid of the ammo cans. I just went looking for an appropriately volumed case to ship these in, and I bought a pistol case. It was not my intention. Eric’s kind of a gun nut; I’m not really a gun nut, but you couldn’t tell from my pick. Like, we went from ammo cans to gun cases. I don’t know if it’s an upgrade or a side grade. We went with black, because orange is a little too alarming and it sticks out a lot, and when you put all six antennas on them they look nefarious. – Yeah, I think we can picture the whole set. Since I was coming up, we only ship them; don’t take them on an airplane, it’ll go bad, there would be searches in places.

– So this slide is out of order, yeah, but it’s appropriate. That’s my phone running EAPHammer, which is a WPA2 Enterprise certificate attack where we basically spoof the certificate for the wireless network we’re attacking and just scream really, really loud at every AP and client: how about my cert? Eventually someone accepts it. When they do, they hand that off and we have clear text, or NetNTLM, right, crackable hashes. It always wins. Like, that tool right there, if you do wireless you should know that too. And that’s why WPA2 Enterprise is less secure than WPA2 PSK, just, period. Yeah, and I mean, to just go off… – Promo film, yeah, yeah, exactly. That’s the best kicker there, right? All of this is happening from a phone in his backpack, and that’s just when he’s on site. You know, this is all happening from our home through the OpenVPN connection back to it. This is all happening to us, you know, when we’re sitting at home. We’re in our nice comfortable spot, we really like it, we have all of our monitors. We’re not crammed into some random cubicle from the person that left the week before at a client’s site. So we have really spread out and run with it. – This slide, I think, is out of order. Do I need a root for… they’re awesome, yeah, USB-to-serial, it’s great. Thank you, mm-hmm. All right, so let’s talk a little
bit about the value of this. So a lot of times people really want to send somebody on site. They want to see a pentester doing pen testing things with, you know, antennas and all their doodads and gizmos, and they really like that image and what they’re getting, but really that’s not the full story. What they really want at the end of the day is a solid pen test done that assesses all of their security and makes sure that we can’t get in in any way, shape or form. Now, if you hire a single person to come on site, you’re paying for meals, you’re paying for hotel, you’re paying for travel, all that jazz, but you’re also only getting one person. The cost of a pen test if you were to, say, have seven, ten, however many people you need on it would be astronomical, to have that many people at one time at one site. So really what this allows us to do, this is basically a gateway into the wireless space of that client. So even though I’ll be the primary on a wireless engagement, the second that I break into, say, their main wireless network and I see a web app, I’m gonna be calling Jared and say, hey Jared, can you look at this web application? I don’t know anything about web security, but we’re on their network. You can hop on the VPN and he can now pen test through the same device. So really what you’re doing is opening the floodgates for all of our pen testers, all of which have really specialized, you know, skill sets. They can all use it at the same time. So you may not be getting one pen tester for 40 hours; you’re getting ten pen testers that do what they’re great at for four hours at a time. If you’re in here and you’re a Secureworks pen tester, raise your hand, please. That’s the horde that we bring when we drop a box in your network. Yeah, all of those guys, including us, are there. And yeah, there’s the flexibility. There are times where, for whatever reason, I can’t go on-site, I can’t, you know, fly across the country to go do a pen test, but this gives the flexibility to say, hey client, we’re just gonna mail you this box, you plug it into power, great, scheduling done, we don’t have to worry about that. You know, it allows for all of our people who even want to learn. So all of our pen testers that are like, hey, we want to get into wireless, you know, into the wireless game, how do they do that? Hey, you can just shadow along with somebody. They don’t need to come out on site to learn, to basically learn the ropes.

– Right, right, and the upside of that is ridiculous, right? We have 70 or 80 of the biggest nightmares that you’ve ever met on our team, and we’re basically affording all of them the opportunity to extend their ICS, SCADA, web app, whatever horrible things they know a lot about, into wireless. And then you wind up with a bunch of people who are real multi-thread folks, and they don’t even have to be at your place to perform your wireless assessment. Their knowledge is just parallel to whoever the wireless pen tester is that’s working your project. It’s a ridiculous model. If you want a pen test and you want to see really what can happen with your wireless, it’s the only way. With one guy on your site, it doesn’t matter how much one person can know, right, it’s still just one person. They’re not some interdisciplinary… you can’t have the same person who has ten years of developer experience, SCADA, ICS. That one person doesn’t bring all of that to you, right? And that was always the trap of wireless pen testing before somebody figured out a way to leverage the group, the hive mind sort of approach to pen testing. It’s like, oh cool, we got into wireless, what’s next? And now, regardless of what the answer to that question is, we bring the whole suite of tools, like the full force to bear, like whatever over-the-top movie promo voice guy you can imagine. If it was a time… and, like, we have all of those people and we put them on your network through your wireless. And we’ve seen it, just in the past year, of, hey, before, a wireless pen test: oh, we caught a hash, couldn’t crack it, bummer, like, yep, stamp of approval, they’re good to go. In this past year, past that, and having all the people that we have, there is regularly, in fact I can only think of one, two times where we haven’t basically compromised the entire domain from the wireless, and that’s really just out of, we have a lot of really good people and this platform allows us to use all of them. That’s how, probably 50 assessments, so two out of 50 we didn’t get in, and these aren’t small companies. – Yeah, they’re not. This is not your dentist. – And I think this is like the appropriate portion of this where we go into kind of some story time, about this is the real talk. The slides were just so that CypherCon lets us come back next year. So just sort of partly into story
time. In the past, a wireless pen test has been a guy who shows up at your place, and he probably knows about wireless. He’s probably got three to five days to walk around your site. Everybody knows he’s coming, and he’s in a bubble, right? He has some communications, but it’s not the communications he would have if he was at his house with his regular tool set on his regular machines. Everything is mobile, everything is sort of awkward and uncomfortable at best. And we’re a shop that has a lot of people who are familiar with wireless. We’ve taken teams to CTFs; wireless suggests that we have a lot of sharp people. You put one person out on their own on-site, sort of out of their element, and you compound the pentest problem, which is representing what a resourced threat has over a year into what a pen tester with limited access has in a week, right? If you’re a pen tester, you’re familiar with that problem of trying to represent what a nation-state might be able to do over the course of several years, where they can find a foothold and sit and watch, versus what a person can do in a week. And there’s no way to overcome that, right? There just isn’t. I can’t sit there and watch all your traffic for a year to figure out your network. Even if I can call you and you can tell me things that you think will help, it’s not the same. And really, the box that we built that allows us to do things remotely, the remote part is cool, and that’s where, like, you get to drop acronyms, LTE and WPA and all this stuff that sounds neat, but the real game-changing part of that is that we can leverage that to bring a real pentest. Like, when we saw all those security folks in here throw their hands up, you get 20 guys; whoever the best person is for whatever we’re attacking, that’s the person we pull in to attack you. So you really do… that’s the best way to close the gap between what you can do in a week and what a nation-state could do. It’s all about scale, right? And that’s really, like, we can save people money, we get flexibility, we get to stay home. The real value is you get the full force of what 80 hackers who do this as a job can deliver through your wireless network. And past that, I mean, you saw everything that was in there, it’s all stuff we bought off Amazon. Like, this is one of those things that you guys just sitting there right now could order all of this stuff and have your own platform up. All the tools we use are all open-source; git clone all of them and install them and they’re there, and then you can learn it too. I mean, that’s the other part of this, is that this is something we built because we were hackers that, you know, saw a better way, but this is also to say that you guys can do basically the same thing. That’s the real story time.

– Story time. OK, so you want to go first? You have your first… – What, I get to? I got two really good ones. – All right, you go, get your first one. – OK, so we had a client who had, gosh, a
thousand sites in the u.s. probably more than that we we picked six to test over
two weeks I’m gonna drop all of the pretenses of
remote versus on site for this because it doesn’t it doesn’t really matter
we’re talking more about Wireless and why Wireless is a is a reasonable thing
to test and quit talking about like some some redheaded stepchild of your network
it’s joined to your network it’s part of your network I showed up at the clients
first site on Monday morning I got there at about seven thirty forty thirty
meeting through a my regular little set up from my phone in a rental car in
their parking lot caught a hash sent it to one of the guys
on our team who has access to our cracking rig remotely crack the hash
send it to me I walk into the first meeting with the client on-site on a
Monday morning with local admin access on their network they were not ready
they were not ready for that and this client they’re one of my
favorite clients they they’re their lead security officer came from from ta oh
right so so nsa-level Ops blue team guy he knew what he was doing he knew his
exposure and he was not ready for that like he really didn’t I went in
shake hands hey POC 1 POC – nice to meet you guys I’m almost doing admin on your
wireless network pen test from your parking lot in 20 minutes like it’s a
it’s a mic drop like I can’t there’s a stand and I appreciate the sound guy so
I’m not gonna do it but it’s a mic drop moment right they they they respond to
that exactly how we would to think and they start to think about their wireless
network like a real network like it’s easy it’s easy to throw this bubble
around oh but it’s wireless it’s like mmm
do they login with LDAP cuz that’s your network I that that model of Wireless is
thing that we think about after we’ve tested the the RealNetworks
is dumb like it’s been done for a long time we can prove that it’s dumb now
so real Wireless is it’s it’s a thing your users use it your LDAP uses it and
that and that’s a legit company with really really really smart people
running they have a sock they have a blue team they have spunk
they have carbon black they have all of the things that you would deploy to
defend your network and we did it from a rental car in a parking lot in 15
minutes it’s a good story what’s artwork is hardware from Amazon
that’s the nono specialized stuff on there hundred fifty bucks yeah we look
- All right, so my story. This was a really fun one. Show up, and, you know, their enterprise network was rock-solid. There was nothing there that I was gonna really touch. So what I did is, hey, I hopped on their guest Wi-Fi, because they provide it to everybody, and then I proceeded to kick everybody off of their enterprise network. So what happens? People need internet, they need to work, they all hop on guest just to get out to the normal internet. I’m sitting there and I’m just catching all of their network traffic as it goes through, capture some hashes, again we crack the hashes, I compromise their device, their laptop, and then I stop. You know, after I compromise their device I stop nuking their corporate Wi-Fi, so everything goes back to normal. They reconnect to their corporate Wi-Fi, which was rock-solid, mind you, but now that laptop is mine and it’s on their corporate network. And in probably less than a couple hours it was a complete compromise of their internal domain. Again, it was all from just the fact that, you know, everybody has firewalls for their external stuff that’s on the internet. Everybody has firewalls, everybody has, you know, all their metrics and logs and all that stuff. Nobody has any of that for Wi-Fi. You know, if they would have been alerted that there’s crazy nefarious things going on with Wi-Fi, that would have been the first tip-off. If they had been alerted that a rogue access point had been stood up, that would have been another tip-off. But nobody implements these, and because of it, it’s really just, you know, it’s a huge glaring chink in the armor. That is a huge blind spot, really.
- And I mean, have you ever gotten an IDS warning on wireless?
- I’ve never, ever had one. Other than one at my house, I’ve never had one from a client. It’s never happened. And that’s not to say, oh, Matt has like the most robust gear in the world. It’s like, stock.
- Yeah, it’s just the thing that people don’t turn on because it creates a lot of alerts, and you have to get to know your wireless airspace, and a lot of people think like, nah, that’s, like, whatever, I’m not gonna do that, it doesn’t really matter, no one’s actually gonna come on-site and actually do this. It’s a soft outer belly for corporate networks.
- The outer belly is dangerous. You know, you don’t see a lot of outer bellies. The inner belly, what we don’t talk about, the soft underside, right, that’s what an internal pentest is. Your wireless network is your soft outer belly. I’m coining that. Hashtag outer belly 2019, CypherCon 2019. Sorry. You want to go into another one, or no more?
- So I got one more.
- Yeah, so just to demonstrate: Eric’s really smart. Eric is a civil engineer by trade who happened into pen testing. He’s had his master’s degree in civil engineering since he was 25, which people don’t... I don’t know about civil engineering, because nobody will talk to me about it, because I’m not smart enough to be talked about or talked to about. There’s clauses and semicolons in there. Um, I’m not, I’m an old... I’m 40 years old. I came into pen testing late in my life. Anybody can learn this stuff. This is not hard if you have eight to ten months. And I’m not saying that as, like, you should all be pen testers, because I like my job and it’s really good, I don’t want to compete against you. I’m saying it because that’s your threat model. Like, you got a bus stop by you where some high school kids ride to work. That’s not a high bar. You don’t have to be very smart to know this. Eric wins because he’s clever. I win by attrition. I can’t... I have the OCD. You saw the box, you heard the sounds I made when I look at the box. It’s a problem. We wheel that box onto your network, and then we can literally put... so if you’re sitting next to one of the SecureWorks guys who raised their hand, look at them when I say the next name. We can put people like Viet on their network. If Viet is China, and that’s not in, like, an Asian-centric way, like, that guy will destroy you. He is the smartest person I’ve ever talked to, and he’s really nice, and when he shows up on your site he’ll take all of your things away from you. And now we can put him on your site from his house in Grand Rapids. And on the Viet note, Viet just went on a wireless gig, and he just asked, "Hey Matt, can you make me another one of these wireless RTAs so that he can be in two places at once?" ... on-site, so that he could be attacking on-site and bring the other 30 guys in this room on-site with him, right? It’s like cheap airfare. It’s bad news, and Viet needs no help. He’s actually smarter than Eric. A lot of people aren’t.
- So, do we want to go into questions?
- Yeah, just open it up.
- Yeah, questions.
- Okay, um, since you’re using off-the-shelf components, it would seem that your system would be vulnerable... and what do you do with all the open-source stuff?
- Awesome. You should talk to John, right there in the green shirt. He makes all those problems go away for us.
- Well, and the other part of that, too, is that that device is completely under our control. We do security practices on it, so we put everything in place: cert-based... thank you. Yeah, you know, you’d have to get our private SSH keys and access it from our VPN, and it’s going over LTE, so there’s multiple layers of encryption just in it getting to us. And there’s a new one for every client that we have, so if somebody were to just steal it and go home with it, then technically there shouldn’t be anything on it at all. Like, there’s nothing there, and it’s unique to even that client. So if the network admin wanted to, like, pull the SD cards out and mount them, great, that’s all their own network data anyways. And that’s one of those arguments that kind of works both ways, right? Like, the open-source thing is always complicated. You’re like, oh, it’s open source, so people can see the source code; oh, it’s open source, so it’s always pen tested. It’s one of those... it’s all gray, right? It’s hard to say.
- Yeah. You... yes, yes. So initially we were printing these in PLA. We use a 3D printer for all of the fabrication. PLA has a melting point at about 160 Celsius, which is hotter than the maximum operating temperature of a Pi, but close enough that we were getting warp. So we wound up changing the materials that we were using, first to ABS, which is like Lego plastic, that same material they use to print, like... still a little soft, and we had some warping issues. So we went to PET, PET+, which is, mmm, like a water bottle plastic.
- Yeah, thank you. Right there, you know what the acronyms mean. That’s huge.
- I have no idea, I just press buttons. But it has a melting temperature, a printing temperature, of about 220 degrees Celsius. And Eric, rightly, was initially concerned about fire. We proved that we could not burn a box down, because the Pis would completely stop functioning way below the point where the materials would catch on fire. That’s a real test that we did. I bought some cool stuff to do that test. Thank you, SecureWorks.
- Yeah, yeah. Uh, we have the two-watt one. They even sell four-watt injectors on Amazon. [unintelligible]
- Yeah, that’s a fire. If you turn that on it’s gonna get hot, it’s gonna draw a lot of power, and people might knock on your door. The two watts will nuke everything.
- Yes. Yeah, absolutely, 100%. No comment. We can talk after the talk.
- In the back. Mmm, that is a great question. Uh, gosh.
- Yeah, we’re just, like, doing the mental math: 500 dollars and 30 years. You know the plumber joke? Just say the plumber joke. The plumber shows up at your house. It’s like, oh, I got a leak. Cool, let’s see. He looks at it, he does some stuff, you don’t understand what he’s doing, it seems like magic, he has it fixed in 20 minutes, and he walks out and he gives you a bill for $300. You’re like, $300 for 20 minutes? And he says, 20 minutes and 46 years. So I totally get your question, and I would be happy to talk to you outside of the amplified talk we’re having here. It’s affordable, but it’s work.
- So, yeah. No, no, they have to ship them back, and then we wrote a bunch of scripts to shred everything, so that when they ship them back the boxes won’t boot again. It is destroyed.
- Yeah, before they ship back. That was the thing that we added later.
- Oh, the elder gentleman in the center. That’s the best question. I’m gonna let Eric take this one, and I’m gonna move over here.
- Don’t take cheap LiPo... don’t take LiPo batteries that don’t have a case on them to an airport. Why? Because if you so much as look at them the wrong way... Just start at the beginning.
- [unintelligible] All right, all right. So, no, thank you. Michael was my boss at the time of this incident. I had a LiPo battery in my backpack. We’d just come back from an engagement, in Orlando International Airport, and something happened to that battery. It malfunctioned, I don’t know. It wasn’t plugged in. It wasn’t super cheap, it was [unintelligible] dollars, anyways. So it started smoking when I was in line for TSA, and so, like, that’s bad enough. And so I knew what happened. It’s like, oh, the battery’s venting. So I grab some TSA agent, "Hey, battery’s venting," and we both go outside. Left my backpack there, which had lots of residual steam coming out of it, so people in line...
- No, that wasn’t steam, that was smoke. Factory smoke.
- And so everybody scattered, knocked over some of the, like, the line-dividing pylons, which apparently sounded like gunshots. So... and airplanes that were flying in the air, and the TSA agent thought he heard gunfire and said "shots fired" over the radio. Yeah, so everybody scattered.
- Yeah, yeah, everybody ran. People ran through security the opposite way into all the gates. And so what they had to do is, they couldn’t be sure that those planes that were in the air didn’t have people that had jumped through security, and so they had to turn those planes around, you know, because maybe I was creating a diversion. You know, that’s what they were thinking, which is reasonable, right? And so they turn those planes around, cancel all the other flights, and then they had to flush everybody that had already gone through security back out and around through security. So if you think you’ve seen TSA at its worst, that was... its worst was everybody going back.
- I’m working on three. These guys are doing the wireless [unintelligible], we’re also helping do part of the capture the flag. We have some challenges going, so if you win...
- CTF, yes. So everybody come play in our capture the flag. If you don’t have gear, don’t worry, we have gear that you can borrow and we will teach you things. If you can turn on a laptop, you can play our wireless capture the flag. In fact, I think there are actually a couple of wireless foxes in this room too. So, what... hey, we just finished. Thank you.
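The monitoring gap both speakers describe (nobody gets an alert when clients are kicked off with deauthentication frames, or when a rogue access point advertises a known SSID) is exactly what a wireless IDS check covers. The following is an added Python example, not code from the talk or from SecureWorks, showing those two checks run over a constructed stream of parsed 802.11 management events. The event tuple format, the authorized-AP inventory, the MAC addresses, SSIDs and the alert thresholds are all assumptions made for the example; in practice the events would come from a WIDS sensor or a monitor-mode capture.

```python
"""Two wireless IDS checks: deauthentication floods and rogue access points.

Added example (not from the talk or from SecureWorks). It assumes a stream of
already-parsed 802.11 management events as (timestamp_s, frame_type, bssid,
ssid) tuples; in practice these come from a WIDS sensor or a monitor-mode
capture. All addresses, SSIDs and thresholds below are constructed.
"""
from collections import defaultdict, deque

# Constructed inventory: the SSIDs a defender operates and the BSSIDs
# (AP radio MACs) allowed to advertise each of them.
AUTHORIZED_APS = {
    "corp-wifi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "corp-guest": {"aa:bb:cc:00:00:03"},
}

# Constructed sample events: normal beacons, one evil twin (known SSID from
# an unknown BSSID), one unknown SSID, a 25-frame deauth burst that claims
# the corporate AP's own BSSID, and one lone deauth (normal client roaming).
SAMPLE_EVENTS = (
    [
        (0.0, "beacon", "aa:bb:cc:00:00:01", "corp-wifi"),
        (0.5, "beacon", "aa:bb:cc:00:00:03", "corp-guest"),
        (1.0, "beacon", "de:ad:be:ef:00:01", "corp-wifi"),
        (1.5, "beacon", "de:ad:be:ef:00:02", "Free_Airport"),
    ]
    + [(2.0 + i * 0.05, "deauth", "aa:bb:cc:00:00:01", "") for i in range(25)]
    + [(10.0, "deauth", "aa:bb:cc:00:00:02", "")]
)


def classify_beacons(events, authorized=AUTHORIZED_APS):
    """Flag BSSIDs seen in beacon frames that are not in the inventory.

    Returns {bssid: (kind, ssid)} where kind is "evil_twin" (an authorized
    SSID advertised by an unknown BSSID; high severity) or "unknown_ssid"
    (an SSID we do not operate; often a neighbour, lower severity).
    Authorized SSID/BSSID pairs produce no entry.
    """
    findings = {}
    for _ts, ftype, bssid, ssid in events:
        if ftype != "beacon" or bssid in findings:
            continue
        if ssid in authorized:
            if bssid not in authorized[ssid]:
                findings[bssid] = ("evil_twin", ssid)
        else:
            findings[bssid] = ("unknown_ssid", ssid)
    return findings


def detect_deauth_floods(events, window_s=5.0, threshold=10):
    """Sliding-window count of deauth frames per claimed sender BSSID.

    The sender address on a deauth frame is spoofable, so the check keys on
    the rate seen per claimed BSSID rather than on trusting who sent it.
    Returns {bssid: peak_frames_in_window} for senders at or above threshold.
    """
    recent = defaultdict(deque)
    peaks = {}
    for ts, ftype, bssid, _ssid in sorted(events, key=lambda e: e[0]):
        if ftype != "deauth":
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[bssid] = max(peaks.get(bssid, 0), len(q))
    return peaks


def run_checks(events, authorized=AUTHORIZED_APS, window_s=5.0, threshold=10):
    """Combine both checks into a list of alert strings for a SIEM or pager."""
    alerts = []
    for bssid, peak in detect_deauth_floods(events, window_s, threshold).items():
        alerts.append(f"DEAUTH_FLOOD bssid={bssid} peak={peak}/{window_s:g}s")
    for bssid, (kind, ssid) in classify_beacons(events, authorized).items():
        alerts.append(f"{kind.upper()} bssid={bssid} ssid={ssid!r}")
    return alerts


if __name__ == "__main__":
    for line in run_checks(SAMPLE_EVENTS):
        print(line)
```

Two design choices follow from the talk. The deauth check keys on frame rate per claimed BSSID, because the scenario described (kicking every client off the corporate SSID) is done by forging frames in the access point's own name, so the sender identity proves nothing. And the threshold is there to answer the "it creates a lot of alerts" objection: a single deauth from a roaming client never fires, only a burst does, and the inventory split between evil twins and merely unknown SSIDs lets a team page on the former while just logging the latter.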
