[00:00:00] You guys see it on the screen up there? Yeah.

JAMES: Everyone is asking why it is TBA on the program, and we kind of talked. What it really stands for is two boring assholes. [laughter] That's why it's not full in here. Anyway, our talk is on what we call BYO disaster and why corporate security still really sucks. A little bit about us. Are you pushing buttons? Anyways, my name is James. I also go by pumpkin poop online. Just an all-around nerd, boring guy. With me, I have Josh Hoover here, the guy that pooped today.

JOSH: Can you guys hear? No.

[00:00:30] JOSH: I'll switch over here. Yeah. I'm Josh. I've been coming to DEF CON well since I had hair, and some of my friends over here were just starting to grow hair. So privileged to be here. Thank you for coming to our TBA talk. This picture that Jim selected of me is supposed to be kind of a joke. Did you guys read our profiles at all online? You probably can't see it online. But this is Jim's way of getting back at me. I told him to find a rare picture.
That's the evil one he picked of me. Anyways, at the end of the day, we're nerds with random ideas and consistent things. That's the story of our lives.

[00:01:19] What we're going to talk about is credentials without cracking a single hash. There's been a lot of research work in the past that's involved gathering and cracking them offline. We're pretty lazy. We don't have the time or want to spend a lot of time cracking hashes. So our whole thought was to come together and find an easier way to find clear-text credentials. Secondly, we're going to release a tool that automates the whole process and does things for you. If anybody has done this in the past, it can be time-consuming.

[00:02:07] How we're going to do this is we're going to explore a new functionality issue, and I will get into that a little more later. We found how iOS got into MSCHAPv2. We have the inner authentication mechanism in place of MSCHAPv2. So I will go ahead and give it to Josh here, and he will take you through some of the technicals.

[00:02:41] JOSH: How many people have ever set up a WPA2 Enterprise network or know the ins and outs of that? You shouldn't, but yeah.
[INAUDIBLE] What that guy said, right. There looks like there's a fair amount of you that haven't. So I will go over technical details on exactly what research we were looking at. I am sure most of you have set up a personal one at home where you set up a key and you gave it an SSID and you signed on to it. Enterprise adds one extra component, usually a back-end authentication server of some kind. In this particular instance, it is the RADIUS box you see on the right of your screen. That just adds another layer, so you can authenticate every single client in your network instead of just one key.

[00:03:32] You have a client and AP in the middle and the [INAUDIBLE] component for WPA2 Enterprise, which is the authentication server. Since it will be a RADIUS server, there's other options there for different kinds of servers, but this is what we're centering on for GTC stuff. It's a lot of what you'll see in enterprise-level networks, and crazy people like us like to run this at home. You pick your SSID and you connect right up to it. You pick your network down there, and that's pretty easy.
[00:04:11] So I will blow your mind with technical details. Association stuff. I will not go into that portion of it, but it is worth mentioning: this is the first layer of attack for a lot of people that want to set up an evil twin network. You are mirroring the exact same SSID that your target is using, and hopefully the clients will connect to you instead of the actual AP. That's the first layer of attack, the evil twin.

[APPLAUSE] [Cheering]

[00:04:40] These guys are going to be very angry at me because I actually don't drink. Your current speaker has to drink. I can't drink. You guys can throw things at me if it makes you feel better. No way. Here's for you. Here's for your co-speaker. You know how many times in my career I've had to take one for the team for this guy? And also, as you may be familiar, raise your hand if this is your first DEF CON? Why is it everybody is new? Wait. Why were you pointing at him? All right. You. Get up here.
[APPLAUSE] And the lady down here with the striped dress on. I gotta suffer. You suffer up here too. Where's mine? Bear with us. They know. Picked it up from the bar. I know. It's a double. I tried. We got more? Geez, everybody, come on. All right. To all of you newbies, welcome. [APPLAUSE] I'm sorry. Your time is up now. [Laughter] Thanks for having us. It's already coming out the other end. [Laughter] I have no idea what I was doing. Where am I? Um, hi. Drink one? No.

[00:06:59] So, association stuff. Right? We've got shots covered. So association stuff. We're connecting the evil twin, blah, blah, blah. We're excited about that. Let's move on. So the next portion that happens in WPA2 Enterprise is EAP, Extensible Authentication Protocol.
[00:07:25] This particular service is going to be Wi-Fi. It allows you to be using the password or certificate or something like that to some kind of service. So the first thing that will happen here in this whole portion is that the AP will request an identity from the client. The client gets a pop-up; on most clients it says nothing more than user name and password. That's all it says. That will be kind of important later, because at this point we haven't established what kind of authentication we're even using yet. So anyway, the client, as I said, does send over the identity. In this case, it is the user name or some log-in name. This is something you can stop at here if you wanted and just gather user names all day long. That's boring. We want passwords. So that only gets us one step.

[00:08:15] It sends it over to the RADIUS server. It says that's good. It sends over a PEAP start. So what's PEAP? PEAP is Protected Extensible Authentication Protocol. Unfortunately, EAP by itself is not secure. If you are sending over hashes or whatever, there's no encryption at all at this point. So you can pick up anything.
So this is a way to protect that data. What PEAP does is make an outer authentication and an inner authentication. Outer is just an encrypted tunnel. And inner is the actual user/client authentication. It's great if you are sitting on the outside, but if you're the evil twin, it's sending it to you. You make sure it happens; otherwise the client will freak out. It will not send you the credentials and goodies.

[00:09:18] So what happens next? The outer authentication. So you guys can look up TLS if you're not familiar. But there's a server cert that's on the RADIUS server that gets sent over and establishes a TLS tunnel in order to start sending over all the goodies, all the good authentication portions of whatever you happen to do. You go to the inner EAP. In this particular instance, we will talk about MSCHAPv2. It differs from v1, but MSCHAP is generally used for NT or domain or whatever, Windows log-in. So user name and password. It's a way to allow people to use that and log into a wireless network. So this is kind of important for a lot of enterprises out there, because they want to make it easy.
People don't want a separate password; people want to bring in their BYOD devices, and this allows them to use their normal log-in, or use it on the corporate network or whatever network they're using.

[00:10:19] So the next thing is what's called... sorry. It just sends the identity again. So it fully sends it over to the RADIUS server. The requester sends it. So the first thing that happens from the RADIUS server: it sends over a challenge, the v2 challenge. But the client takes this challenge and takes its password and makes a hash from it. Then it sends it back to the RADIUS server. The important part of v2 over v1 is there's a dual authentication happening here. Both the client and the RADIUS server want to make sure they know the password. So the RADIUS creates a challenge and says use this challenge portion to create a password for me and a hash. And the client says no problem. I will take that challenge, my password, create a hash, send the hash over to you. There's a hash, and people can tell you how to crack those, but we're lazy and still consider that too difficult for small minds. It will send that back over with the actual challenge itself. And say okay.
Here's my hash, but I want you to tell me you know my password. Take this challenge, hash it with whatever you think is my password, and send it back to me. So they say if I do have your password, I'm going to do that, and I'm going to take your challenge and send the response back to the client. At this point, the client looks at it and says does this match? If it does not match, it is supposed to drop the connection at this point, which may or may not happen, as we see here going on. But this is an important part of v1 versus v2. Microsoft and Cisco created this to circumvent what is going on here. You will see here in a second, by making sure the client says, well, I will give you my hash, but I'm not going to connect until I am sure you know the password. Then the RADIUS server will take that and make its actual response and say okay. Your password was successful. Here's the response to your challenge. The client says, do you know my password? No problem. Send over success to the RADIUS server. The RADIUS server says great. We're good. Let's start our connection and send over an EAP TLV success. And we're golden. The user authentication has happened correctly.
[00:12:44] This is where MSCHAPv2... This is basically the EAP success portion here. We're installing special keys on to the AP to start up the actual encrypted network connection, so they can get the rest of their IP address in order to get access to the network. We will blow your mind with fancy technical details, and that finishes the connection stuff. We're really concentrating here, and our attack is the inner authentication portion, because we want the password; we need to convince them we know the password; we want them to send the password to us anyway. So this is where our research is really focused.

[00:13:27] How many people do security research other than showing up to DEF CON? So, a few of you. You are probably familiar with how difficult this can be. Especially stuff like this, when you are hit in the face and you say no. You can't have that connection, and again it hits you in the face. We found this funny video that reminds us exactly what this feels like. It is not a whole lot of fun, but she's okay. So you'll be okay too. You take a few hits. You get back up, and she gets back up, and she had to finish this.
But anyway, so that's a little overview, quick overview of the way our research... exactly what our research is looking at. Pass it over to Jim here, and he will talk about our first attack. Thanks for sitting through all the technical details.

[00:14:24] JAMES: I have to say I only purposely took three drinks. The crap they just gave me pushed me over the edge. So I will do my best to get through the slides. Anyways, the first attack, we call it IPONER. So we've... the RADIUS server is a patched version that we wrote that kind of puts the exploit into there, and kind of what Josh wrote in the past for capturing hashes and cracking those offline. We did this in a different way. But anyways, the first thing that happens is the server challenges the client, like what Josh was talking about earlier. The client will send its MSCHAP response back along with the peer challenge. That peer challenge is basically the client's way of authenticating the server, to make sure both people have knowledge of the clear-text credentials. So once the server gets that in the response, the attacker, and we don't know what the user's password is at this point, has two choices.
Your password is good or your password is wrong. So the first thing we tried is we accept everything. If anybody uses patches, they've been designed to say success for everything. Any password will send a success in response. We do that. The peer challenge doesn't match. They say what you sent back is wrong. It won't establish a connection to the network, which is what we're after. So we started over.

[00:16:28] We're trying things and consolidating things, but anyway, we reject the password; we tell them what you sent me is incorrect. So the server then sends a TLV success at the end. The user sends this password, and we send it back: whatever you sent me is incorrect. Expecting the client to drop the connection. For some reason, iOS and OS X devices don't drop the connection. It is basically telling the client everything is good, and we'll finish this connection and your DHCP connection and address and start sending you services. The devices go, I don't know what that means, but okay. Cool. We're good. [Laughter] [APPLAUSE] Right.
[00:17:12] So the client sends us a TLV success at that point, meaning they're ready for a DHCP address and everything else going on. So the client checks for a captive portal. Most devices, when you're connected to a secure wireless network, assume there is not a captive portal. There's no reason to say there's no captive portal. The iOS and [INAUDIBLE] devices don't do that. They send a probe no matter what. We capture the probe and say there's something you don't need. (music) [INAUDIBLE] That's how the attack basically works. We're very happy. [APPLAUSE]

[00:18:01] JIM: So we're not... so from a user's perspective, what does this look like from the mobile phone? You get some manager that brings his personal phone to work. Even though he knows he's not allowed, but he doesn't care, he's a manager. He pulls up his manager... like Manny here in the front, like Tony and Manny here in the front. So anyways, you have your MS test network. So you select it. It prompts you for your username and password. It will pop up a cert.
How many users always accept a cert? It can say you're a douchebag on the cert, and people accept it. Now you can make this log-in whatever you want, but we just took a standard one. The next thing pops up. It says what the hell. I already typed it in. Maybe I got my password wrong. This last screenshot is what it looks like from an OS X device. It actually tells you you have authenticated with MSCHAPv2, and we just showed you that's not accurate. So at the end of the day, you're getting your clear-text passwords. You have a full man-in-the-middle, and the sky is basically the limit. You can do anything you want with them at this point.

[00:19:35] A recap. The OS X devices don't appear to be handling MSCHAPv2 properly. They're not paying attention to it for whatever reason. We don't really know. But basically at that point, so much for mutual authentication. They're there for mutual authentication, and at this point, it's not working. So we're bypassing that mechanism. And we're just letting it go through and establishing that connection.
[00:20:10] It is by default sent by the mobile devices, and we're just forwarding them on to our malicious captive portal, like if you are mimicking a hotspot at Starbucks. Not that we've done that. And then the users enter their credentials again. We're there to capture them. Oh, I love Apple.

[00:20:38] So anyways, I'm gonna... or actually the next slide here. We're talking about responsible disclosure. [INAUDIBLE] First off, responsible disclosure, because Josh gives me crap all the time, and I will tell him how I really feel about it. It's a good thing, and we encourage people to do things. It's like in elementary school when you tell a kid you will tell on him before you do it. So we found a new issue. We will report it up the chain. Typically: I discovered this thing that exposes your back door, and I urge you to patch it before someone dumps a nasty payload in there. You guys don't have a sick sense of humor like me. So anyways, that's what happens. Then the sociopath and your responses. Outsourced managers put ten cards on it, and they never get back to you. That's typically how it goes, right?
[APPLAUSE] Actually, in this case, they did respond with their generic message. A month later: can I get a status on that ticket number 99-whatever? Then I get a response: hey, me Josh 4379, I like gummy bears. Ticket closed. Basically saying whatever you told us is crap, and have a nice day. Okay. Cool. So, this is their actual response they sent back. Basically they're telling us that it's nothing. And then they tell us at the end here, why don't you try this GTC thing, because it will send this shit to you in cleartext. So thanks, Apple. We will go ahead and start our next attack. Well, Apple, thanks. I don't know what to say. It's early Christmas? I am not sure what is going on.

[00:22:45] With all that said, it works with GTC, but we thought it was hilarious they were giving us our next attack. What's GTC? It replaces the portion of the authentication that is in MSCHAP. It was developed for PEAP version 1. It was created for token cards and one-time passwords. You guys have probably seen the secure cards.
If you ever worked for a major corporation, I am sure you saw something like this, or played video games. It's similar with MSCHAPv2. So a lot of it, I will not go over the whole interaction, but it's all the same: instead of the dual challenge and all of that stuff, it sends over the one-time password. It is similar in that regard. So you guys remember what I said about the clients not actually telling, or the server not telling the clients, what kind of password and user name it was asking for? Well, this is one of those areas where it might become helpful. Why wouldn't it be? It doesn't say one-time password. It doesn't say give me your token card. This is weird thinking with clients, but think about how we use that to our advantage. It is probably pretty obvious, but let's take a look at it.

[00:24:13] This is the next attack. It's called the Peeping Tom. You don't see, but you have your clients in the [INAUDIBLE] and it can be an Android or iOS device. The last one was iOS only. Before I get into this attack, this doesn't invalidate... and I think that's what Apple was saying.
452 00:24:38,709 --> 00:24:41,999 People decide no one supports GTC anymore.
453 00:24:41,999 --> 00:24:46,292 Apple doesn't fix their problem and that's still a valid attack vector.
454 00:24:52,125 --> 00:24:54,709 So what happens with our first attack here
455 00:24:54,709 --> 00:24:59,834 is we replaced the RADIUS server just like the other one, exactly the same.
456 00:24:59,959 --> 00:25:03,250 The server requests, well, you need the identity thing.
457 00:25:03,334 --> 00:25:05,667 It sends over the identity just like MS-CHAP.
458 00:25:05,999 --> 00:25:09,626 The server is, send me that password.
459 00:25:11,542 --> 00:25:15,125 The client is like oh, okay.
460 00:25:15,125 --> 00:25:16,584 I already got the password.
461 00:25:16,959 --> 00:25:17,959 Why not.
462 00:25:17,999 --> 00:25:20,375 So the client responds with sure.
463 00:25:20,375 --> 00:25:21,667 This is a GTC password.
464 00:25:21,667 --> 00:25:22,667 Why not.
465 00:25:22,667 --> 00:25:25,459 I just asked the client for username and password can.
466 00:25:26,792 --> 00:25:28,751 Since we don't actually know the password,
467 00:25:28,751 --> 00:25:31,626 GTC fails and says no password for user.
468 00:25:33,083 --> 00:25:37,876 We're a RADIUS server patch and it will have success anyway.
469 00:25:38,999 --> 00:25:43,334 Sends the server LTC, some and says okay.
470 00:25:43,334 --> 00:25:44,792 Your password looks good.
471 00:25:44,999 --> 00:25:47,209 And the client is like sure.
472 00:25:47,209 --> 00:25:48,209 I trust you.
473 00:25:48,209 --> 00:25:49,209 Why not.
474 00:25:49,209 --> 00:25:50,459 Send over the password.
475 00:25:50,459 --> 00:25:51,876 It's a one-time password.
476 00:25:51,876 --> 00:25:54,626 Why wouldn't I do that anyway for the one-time password.
477 00:25:56,250 --> 00:25:58,125 And then we have the full connection there and
478 00:25:58,125 --> 00:26:00,876 the full connection is established and at this point, we can do
479 00:26:00,876 --> 00:26:02,667 all kinds of things.
480 00:26:02,667 --> 00:26:05,292 We have the password which I will show you in a second.
481 00:26:05,292 --> 00:26:06,999 But we can use the normal man-in-the-middle attacks you might
482 00:26:06,999 --> 00:26:11,501 want to do with the client to get them to connect to you.
483 00:26:11,626 --> 00:26:11,999 So once again
484 00:26:11,999 --> 00:26:12,834 [INAUDIBLE]
485 00:26:12,834 --> 00:26:14,083 okay.
486 00:26:14,334 --> 00:26:15,334 Great.
487 00:26:21,626 --> 00:26:23,626 Several excited about that.
488 00:26:24,751 --> 00:26:26,417 Yeah, yeah, yeah.
489 00:26:26,417 --> 00:26:27,959 Jim liked his video better.
490 00:26:30,959 --> 00:26:34,334 So what does the client look like in this instance?
491 00:26:34,334 --> 00:26:36,999 This works in iOS, but I will use an Android device.
492 00:26:38,626 --> 00:26:43,167 If you guys can catch what it is, what is missing from this, what was
493 00:26:43,167 --> 00:26:46,999 in the MS-CHAP attack with the clients.
494 00:26:47,209 --> 00:26:48,999 DEF CON secure.
495 00:26:48,999 --> 00:26:51,626 You guys all use the DEF CON secure network, right?
496 00:26:54,375 --> 00:26:59,417 Anyway, so we connected to DEF CON secure.
497 00:26:59,417 --> 00:27:00,417 It's PEAP.
498 00:27:00,999 --> 00:27:03,459 Let's type in username and password.
499 00:27:03,459 --> 00:27:05,501 It just says identity on Android.
500 00:27:05,999 --> 00:27:07,125 Bam.
501 00:27:08,083 --> 00:27:09,626 We're connected.
502 00:27:09,709 --> 00:27:11,876 So what's missing here?
504 00:27:16,999 --> 00:27:17,709 [INAUDIBLE]
505 00:27:17,709 --> 00:27:19,709 that's right.
506 00:27:19,709 --> 00:27:20,709 Our cert is bogus.
507 00:27:24,999 --> 00:27:28,501 Android doesn't actually ask you to accept a cert, which
508 00:27:28,501 --> 00:27:31,751 is interesting because that means later there's no
509 00:27:31,751 --> 00:27:33,876 user interaction.
510 00:27:33,876 --> 00:27:36,999 So no client interaction would change.
511 00:27:36,999 --> 00:27:38,459 If they have connected to the corporate network
512 00:27:38,459 --> 00:27:41,417 or DEF CON secure network and connect to your evil twin,
513 00:27:41,417 --> 00:27:43,375 it doesn't matter.
514 00:27:46,999 --> 00:27:48,876 Awesome, right?
515 00:27:48,999 --> 00:27:51,999 Anyway, did anyone see this weekend?
516 00:27:58,999 --> 00:28:02,999 Nobody had any idea we were in here and what we were doing.
517 00:28:03,083 --> 00:28:06,167 We basically took with one of my buddies
518 00:28:06,167 --> 00:28:12,999 down here that helped me, we basically took a Raspberry Pi and used our same
519 00:28:12,999 --> 00:28:18,083 attack tools and just set up a captive portal.
520 00:28:18,083 --> 00:28:21,209 When someone connected to us, they got this captive portal page
521 00:28:21,209 --> 00:28:24,876 and it says hey, Jim doesn't know this idea.
522 00:28:24,876 --> 00:28:25,918 This is a surprise.
523 00:28:26,751 --> 00:28:29,250 It took a lot of his work to do this.
524 00:28:29,250 --> 00:28:30,999 I was going to fill him in later.
525 00:28:30,999 --> 00:28:36,792 He came in a little later.
527 00:28:36,792 --> 00:28:36,999 [INAUDIBLE]
528 00:28:36,999 --> 00:28:38,999 So anyway, that's what we were doing.
529 00:28:38,999 --> 00:28:41,999 There's cleartext anyway, where do we get the password?
530 00:28:43,751 --> 00:28:46,250 Well, gee, RADIUS was totally awesome for you
531 00:28:46,250 --> 00:28:49,999 to put your cleartext password in debug for us.
532 00:28:50,209 --> 00:28:51,209 Cool.
533 00:28:51,417 --> 00:28:53,417 That's kind of weird, right?
534 00:28:53,417 --> 00:28:55,918 If you think about it, it's a one-time password.
535 00:28:57,834 --> 00:29:00,999 Well, unless it's an actual one where somebody
536 00:29:00,999 --> 00:29:05,584 mistakes it for a one-time password, and again, the clients developed
537 00:29:05,584 --> 00:29:08,167 and this is a big thing.
538 00:29:08,167 --> 00:29:09,999 The way the clients are developed, they just ask you
539 00:29:09,999 --> 00:29:12,083 for the user password.
540 00:29:12,083 --> 00:29:15,083 You don't have any authentication for what they're using.
541 00:29:16,709 --> 00:29:18,709 This is the screenshot from this weekend,
542 00:29:18,709 --> 00:29:20,999 the DEF CON secure network.
543 00:29:21,083 --> 00:29:22,501 Blanked out the passwords.
544 00:29:27,167 --> 00:29:30,459 I don't think anybody notices their password.
545 00:29:30,459 --> 00:29:30,999 We have MEA and W
546 00:29:30,999 --> 00:29:31,999 [INAUDIBLE]
547 00:29:31,999 --> 00:29:33,334 user.
548 00:29:34,334 --> 00:29:38,584 So anyway, that was from this week to show you just another example.
549 00:29:38,584 --> 00:29:42,083 I want to say I had nothing to do with this attack that he did today or
550 00:29:42,083 --> 00:29:44,167 over the weekend.
552 00:29:44,167 --> 00:29:44,999 [Laughter]
553 00:29:44,999 --> 00:29:46,250 Sure.
554 00:29:46,250 --> 00:29:47,250 You say that now.
555 00:29:47,999 --> 00:29:49,834 Let's talk about it.
556 00:29:49,834 --> 00:29:52,334 Let's do a recap and figure out what happened here.
557 00:29:53,125 --> 00:29:57,584 Version 1 works on anything that GTC, that key version
558 00:29:57,584 --> 00:30:00,000 one, works natively.
559 00:30:01,959 --> 00:30:05,083 So your actual Mac computer, your personal device, works
560 00:30:05,083 --> 00:30:08,417 on Android again without a cert, which is a huge deal
561 00:30:08,417 --> 00:30:12,083 in the attack environments because it sends you that password
562 00:30:12,083 --> 00:30:13,999 right on over.
563 00:30:14,918 --> 00:30:16,626 Here's my goodies.
564 00:30:17,667 --> 00:30:20,250 The users will have a lot of interaction.
565 00:30:20,250 --> 00:30:22,042 They will see what is going on a little bit
566 00:30:22,042 --> 00:30:22,709 more with
567 00:30:22,709 --> 00:30:24,375 [INAUDIBLE].
568 00:30:27,834 --> 00:30:31,417 But they're going to and the attack would work.
569 00:30:31,542 --> 00:30:34,334 But typically, I will say it outright, Linux users have
570 00:30:34,334 --> 00:30:36,999 more of what is going on.
571 00:30:36,999 --> 00:30:38,501 Why does it say butthole.com?
572 00:30:47,959 --> 00:30:50,959 There's no actual native support.
573 00:30:50,959 --> 00:30:53,125 Someone would have to install some other software
574 00:30:53,125 --> 00:30:57,501 in Windows to work, but again, that wasn't our focus.
575 00:30:57,501 --> 00:30:59,999 Our focus is execs or people that want to bring in their phones
576 00:30:59,999 --> 00:31:02,876 or whatever mobile device or bringing their own device
577 00:31:02,876 --> 00:31:04,834 and disaster kind of crap and connect
578 00:31:04,834 --> 00:31:07,083 up to the network because that's who they are
579 00:31:07,083 --> 00:31:08,959 and they can.
580 00:31:09,999 --> 00:31:12,417 It doesn't really work on Windows.
581 00:31:12,959 --> 00:31:14,626 For once ever, right?
582 00:31:14,626 --> 00:31:16,542 That's a rare thing, but whatever.
583 00:31:17,709 --> 00:31:18,792 Portal required the
584 00:31:18,792 --> 00:31:19,334 [INAUDIBLE]
585 00:31:19,334 --> 00:31:22,334 because it includes passwords and we don't have to do
586 00:31:22,334 --> 00:31:23,292 a captive fort A.
587 00:31:23,292 --> 00:31:25,626 I use it to advertise.
588 00:31:25,626 --> 00:31:30,417 You can put them off the internet and connected to DEF CON secure.
589 00:31:36,999 --> 00:31:40,417 iOS devices after the user accepts the first evil twin.
590 00:31:42,918 --> 00:31:45,959 It won't just happen in your pocket.
591 00:31:45,959 --> 00:31:48,459 We were doing this with friends of ours that kept seeing
592 00:31:48,459 --> 00:31:50,083 the password over and over T.
593 00:31:50,083 --> 00:31:54,999 pop up and say I don't recognize this cert and people are like yeah.
594 00:31:54,999 --> 00:31:55,999 It's a lot like porn.
595 00:31:55,999 --> 00:31:56,999 Give me access.
596 00:32:01,501 --> 00:32:04,959 I will hand it over to Jim because he will give you the intro
597 00:32:04,959 --> 00:32:06,709 and then that.
598 00:32:10,999 --> 00:32:16,083 Jim: You will need a Linux type system.
599 00:32:16,083 --> 00:32:21,876 We have used both the server and the desktop versions.
600 00:32:22,792 --> 00:32:25,083 If you want to download those, you can.
601 00:32:25,083 --> 00:32:29,792 A Wi-Fi adapter is needed; we're using hostapd.
602 00:32:37,834 --> 00:32:39,834 It should work just fine.
603 00:32:41,083 --> 00:32:46,417 Our custom patch that we made just basically goes in and changes some
604 00:32:46,417 --> 00:32:51,250 of the modules built into RADIUS, the PAP module and MSG module
605 00:32:51,250 --> 00:32:55,709 to get them to establish the full connections.
606 00:32:55,709 --> 00:32:57,083 So you want to download that.
607 00:32:57,834 --> 00:33:01,626 And then the Wi-Fi tool is just a bitty tool we just developed.
608 00:33:01,999 --> 00:33:04,083 We wrote it in Ruby.
609 00:33:04,834 --> 00:33:09,167 People ask why the hell did you guys use Ruby?
610 00:33:09,292 --> 00:33:11,083 So Ruby is basically to me like the canvas
611 00:33:11,083 --> 00:33:14,918 for people that can't draw because I suck at coding.
612 00:33:14,959 --> 00:33:17,417 You can take a giant shit on the canvas and smear it
613 00:33:17,417 --> 00:33:19,751 and that always works.
614 00:33:20,918 --> 00:33:23,751 Once you download the tool, you say now I know why
615 00:33:23,751 --> 00:33:27,209 he said that because he does suck at coding.
616 00:33:29,667 --> 00:33:33,334 I don't do it right by any means.
617 00:33:33,334 --> 00:33:35,999 You want to take this one?
618 00:33:35,999 --> 00:33:36,999 Jim: Yeah.
619 00:33:36,999 --> 00:33:38,125 Is that mic working?
620 00:33:38,125 --> 00:33:39,125 Hello.
621 00:33:39,125 --> 00:33:40,125 Yes.
622 00:33:40,125 --> 00:33:41,125 Sweet.
623 00:33:41,584 --> 00:33:44,083 Jim: Josh is going to pull up our live demo here.
624 00:33:44,083 --> 00:33:46,999 We encourage you to try this, for those of you not smart enough
625 00:33:46,999 --> 00:33:50,626 to turn your phones off before you came in.
626 00:33:53,876 --> 00:33:57,209 JOSH: You can just download and look at the code and do it however
627 00:33:57,209 --> 00:34:00,083 you want, like we did on the Raspberry Pi.
628 00:34:03,083 --> 00:34:06,959 Jim: We have two of the attacks we have built in there.
629 00:34:08,792 --> 00:34:13,999 The first one is, I can't even see it from over here.
630 00:34:14,209 --> 00:34:15,999 So the peeping Tom attack.
631 00:34:19,209 --> 00:34:20,459 Yeah.
632 00:34:20,459 --> 00:34:22,999 Jim: So you select option 2.
633 00:34:23,250 --> 00:34:27,375 It will tell you a brief description of what the attack will do.
634 00:34:27,375 --> 00:34:29,751 So you kind of have an idea of what is going on.
635 00:34:29,751 --> 00:34:31,584 Can any of you see it at all?
636 00:34:31,876 --> 00:34:32,876 Okay.
637 00:34:32,876 --> 00:34:34,417 Let's make the font bigger here.
638 00:34:36,999 --> 00:34:38,209 How about this?
639 00:34:42,083 --> 00:34:43,626 Any better?
640 00:34:44,209 --> 00:34:45,751 Even bigger?
641 00:34:45,751 --> 00:34:48,751 Let's see.
642 00:34:49,417 --> 00:34:50,999 It's huge!
643 00:34:50,999 --> 00:34:53,876 Jim: Size matters, right, says the lady in the front here
644 00:34:53,876 --> 00:34:56,167 with the striped skirt.
645 00:34:57,918 --> 00:35:01,999 Jim: Anybody noticed her limp when she walked in the room today?
646 00:35:02,334 --> 00:35:05,999 Just saying.
647 00:35:06,250 --> 00:35:08,209 Use your imagination.
648 00:35:09,751 --> 00:35:11,999 It was this crap they made me drink.
649 00:35:11,999 --> 00:35:12,999 I know.
650 00:35:12,999 --> 00:35:13,999 I know.
651 00:35:13,999 --> 00:35:15,751 You took one for the team for me too.
652 00:35:17,999 --> 00:35:21,501 Jim: Cool pictures and we like that.
653 00:35:21,501 --> 00:35:23,709 How many people like colorize with Ruby?
654 00:35:24,542 --> 00:35:26,501 Thank you!
655 00:35:27,584 --> 00:35:29,542 It looks really cool though, right?
656 00:35:29,542 --> 00:35:30,876 Old school, kind of neat.
657 00:35:30,999 --> 00:35:33,375 Jim: So anyways, start.
658 00:35:34,918 --> 00:35:38,667 You type in your wireless interface and we're using wlan1.
659 00:35:38,999 --> 00:35:40,375 We tell it the name.
660 00:35:40,375 --> 00:35:44,083 You want to type that in there, whatever company you are working for.
661 00:35:48,083 --> 00:35:50,459 We're using my computer.
662 00:35:50,459 --> 00:35:51,999 My company rules.
663 00:35:52,083 --> 00:35:55,542 Jim: When you guys see the cert, connect to it.
664 00:35:55,542 --> 00:35:57,292 Seriously.
665 00:35:57,292 --> 00:35:59,083 We're not going to steal your stuff.
666 00:36:03,542 --> 00:36:06,334 If you just hit enter, it will take whatever your security card's
667 00:36:06,334 --> 00:36:08,375 default MAC address is.
668 00:36:08,999 --> 00:36:11,334 You can select the channel that you like.
669 00:36:11,375 --> 00:36:14,083 If you hit enter, it will default to 9.
670 00:36:14,083 --> 00:36:15,501 I don't know why I picked 9.
671 00:36:17,584 --> 00:36:20,167 It will start a bunch of stuff.
672 00:36:20,167 --> 00:36:22,999 Basically what it's starting is starting a RADIUS or FreeRADIUS,
673 00:36:22,999 --> 00:36:27,834 if you guys use that, on the top left there, that's your FreeRADIUS.
674 00:36:28,083 --> 00:36:30,959 On the bottom left corner, it's your web server.
675 00:36:30,959 --> 00:36:33,876 It will show you the captive portal and that's all in Ruby.
676 00:36:33,876 --> 00:36:35,918 I think it's called WEBrick.
677 00:36:35,999 --> 00:36:38,417 You will see people trying to hit your portal.
678 00:36:38,626 --> 00:36:42,417 Over on the right hand side, you will see hostapd.
679 00:36:42,417 --> 00:36:45,667 That's basically if you want to see from an access point, you
680 00:36:45,667 --> 00:36:49,834 will see people associated with the access point and that kind
681 00:36:49,834 --> 00:36:51,834 of information.
682 00:36:51,918 --> 00:36:54,292 Out on the big screen in the middle is your captive portal, which
683 00:36:54,292 --> 00:36:56,999 is what you are waiting to pop up.
684 00:36:57,250 --> 00:37:00,584 People have made the connection and accepted your cert and they're going
685 00:37:00,584 --> 00:37:03,417 to type in their credentials again.
686 00:37:04,584 --> 00:37:08,999 So hopefully somebody is doing it.
687 00:37:10,834 --> 00:37:13,918 I will say you can type in whatever you want.
688 00:37:13,918 --> 00:37:16,751 So if you want everybody in here to see it, go and do it now.
689 00:37:21,792 --> 00:37:25,375 If you're trying this with your own device, it won't work.
690 00:37:25,999 --> 00:37:28,292 Vulnerability is only hacked.
691 00:37:28,292 --> 00:37:29,501 Jim: I'm a loser?
692 00:37:31,834 --> 00:37:33,334 You are good.
693 00:37:33,334 --> 00:37:36,209 Nobody has done anything offensive.
694 00:37:46,250 --> 00:37:48,709 Jim: If you're doing a penetration test
695 00:37:48,709 --> 00:37:51,459 in a corporate environment, which is most of them,
696 00:37:51,459 --> 00:37:54,083 you spin this tool up and wait 10 minutes
697 00:37:54,083 --> 00:37:55,999 or 15 minutes.
698 00:37:55,999 --> 00:37:57,709 Somebody flipped them on.
699 00:37:57,918 --> 00:38:02,459 I fucked your mom.
700 00:38:03,501 --> 00:38:04,959 I know.
701 00:38:04,959 --> 00:38:07,250 I tried to talk to her a few times.
702 00:38:07,459 --> 00:38:09,334 She does her own thing.
703 00:38:09,334 --> 00:38:10,334 I encourage her.
704 00:38:12,083 --> 00:38:14,292 Remember, do the pull and pray.
705 00:38:14,792 --> 00:38:18,999 All right.
706 00:38:19,751 --> 00:38:22,918 So the main attack is the peeping Tom one.
707 00:38:22,918 --> 00:38:25,709 So the first only works on iOS and that's only people that are
708 00:38:25,709 --> 00:38:29,209 screwing up MS-CHAP at this point in time.
709 00:38:29,667 --> 00:38:31,999 So the second attack is peeping Tom.
710 00:38:31,999 --> 00:38:33,959 Network is basically on everything
711 00:38:34,999 --> 00:38:37,083 that supports GTC.
712 00:38:38,999 --> 00:38:40,792 You type in your wireless you have plugged
713 00:38:40,792 --> 00:38:42,375 in your machine.
714 00:38:42,834 --> 00:38:44,999 My company rules.
715 00:38:44,999 --> 00:38:45,999 Yeah.
716 00:38:46,334 --> 00:38:47,751 You're right.
717 00:38:47,999 --> 00:38:50,584 You want to spoof a MAC address.
718 00:38:55,751 --> 00:39:00,083 You have your RADIUS server starting up so you can see what is going on.
719 00:39:01,751 --> 00:39:04,959 You have your AP server and then you have your
720 00:39:04,959 --> 00:39:06,918 GTC passwords.
721 00:39:06,959 --> 00:39:09,209 The cool thing about this, so if you ever connected
722 00:39:09,209 --> 00:39:12,459 to my company rules before and you've accepted the cert
723 00:39:12,459 --> 00:39:16,250 or whatever, it is automatically going to send your stuff over now
724 00:39:16,250 --> 00:39:18,584 to this one because your Android device
725 00:39:18,584 --> 00:39:21,375 will ask you to accept the cert.
726 00:39:22,584 --> 00:39:27,083 People that have connected with iOS, it sends your password
727 00:39:27,083 --> 00:39:31,999 over because you have already accepted this cert.
728 00:39:31,999 --> 00:39:34,584 But this is just a demonstration.
729 00:39:36,334 --> 00:39:39,125 Jim: I like that!
730 00:39:39,125 --> 00:39:40,125 Monkey balls.
731 00:39:40,125 --> 00:39:41,125 Raise your hand.
732 00:39:42,167 --> 00:39:43,751 We love you.
733 00:39:44,209 --> 00:39:45,834 Yeah.
734 00:39:45,834 --> 00:39:49,626 It is just a great way to see how the attack works right in a row.
735 00:39:49,999 --> 00:39:52,125 First attack is you log in to your company and
736 00:39:52,125 --> 00:39:55,083 the second one is it is asking for your credentials
737 00:39:55,083 --> 00:39:57,501 and you are logging in.
738 00:39:58,542 --> 00:40:05,751 Jim: How many people are familiar with the aircrack suite?
739 00:40:06,250 --> 00:40:09,125 You know, the thing with the guy that automatically responds
740 00:40:09,125 --> 00:40:11,375 to any probe request.
741 00:40:11,667 --> 00:40:12,999 So imagine if you were just responding
742 00:40:12,999 --> 00:40:15,834 to anybody's probe request in this scenario that's connected
743 00:40:15,834 --> 00:40:18,125 to a corporate network before.
744 00:40:18,542 --> 00:40:20,959 You're spinning up a fake corporate network.
745 00:40:21,667 --> 00:40:25,334 It will start sending you logins, which is kind of a big deal.
746 00:40:26,459 --> 00:40:27,999 Just saying.
747 00:40:34,667 --> 00:40:34,751 [APPLAUSE]
748 00:40:34,751 --> 00:40:35,834 Yeah.
749 00:40:35,834 --> 00:40:38,209 Jim: Anyways, I will pass back over here to Joshy pooh,
750 00:40:38,209 --> 00:40:41,584 the guy that doesn't drink his alcohol.
751 00:40:41,584 --> 00:40:45,709 Josh: Don't hate me.
752 00:40:45,999 --> 00:40:50,083 Jim: You have five minutes tops.
753 00:40:50,083 --> 00:40:55,125 Josh: You can just do it.
754 00:40:55,125 --> 00:40:56,542 Take my word for it.
755 00:40:56,667 --> 00:40:58,000 Where are.
756 00:40:58,501 --> 00:41:01,083 We just we're beeping.
757 00:41:01,584 --> 00:41:02,584 All right.
758 00:41:02,584 --> 00:41:03,584 Look at that.
759 00:41:03,584 --> 00:41:06,334 Let's talk about how we came about with this.
760 00:41:06,334 --> 00:41:09,083 What was our goal and how do we achieve it?
761 00:41:09,501 --> 00:41:11,209 So, historical perspective.
762 00:41:11,209 --> 00:41:15,417 The first thing we decided was without Josh Wright and who's
763 00:41:15,417 --> 00:41:20,250 the guy that did the divide and conquer stuff?
764 00:41:31,375 --> 00:41:33,334 Crack the actual hash and
765 00:41:33,334 --> 00:41:34,167 [INAUDIBLE]
766 00:41:34,167 --> 00:41:38,626 access to a client web and virtual infrastructure online
767 00:41:38,626 --> 00:41:41,375 or 10,000 GPUs or PS2s.
768 00:41:43,667 --> 00:41:46,999 We were just like you know, we're lazy.
769 00:41:46,999 --> 00:41:48,667 Cracking hashes is too hard.
770 00:41:48,667 --> 00:41:50,834 There's got to be another way of doing this.
771 00:41:50,834 --> 00:41:55,083 We can trick the client to give it to us, to establish full authentication and
772 00:41:55,083 --> 00:41:57,751 hand it over to us.
773 00:41:58,083 --> 00:42:00,167 Obviously that's what you guys just saw.
774 00:42:00,542 --> 00:42:03,999 So then we start going down the path of how WPA2 works.
775 00:42:05,792 --> 00:42:11,999 What if we accepted everything that RADIUS got sent and sent it back.
776 00:42:11,999 --> 00:42:14,584 You saw that even with that, there were some problems with that
777 00:42:14,584 --> 00:42:19,083 or in this V2 they work correctly and they dump the connection.
778 00:42:20,459 --> 00:42:22,999 What if RADIUS said everything is okay.
779 00:42:23,292 --> 00:42:25,417 We trick the client into making a full connection
780 00:42:25,417 --> 00:42:29,375 and do something with them later to get the password.
781 00:42:29,792 --> 00:42:33,083 So basically we started with some past work.
782 00:42:33,083 --> 00:42:36,999 Josh Wright did some pretty good work on patching RADIUS
783 00:42:36,999 --> 00:42:41,501 to output hashes into the debug file.
784 00:42:41,501 --> 00:42:43,125 So then you can take those hashes and try to crack them offline,
785 00:42:43,125 --> 00:42:45,125 but we started with that.
786 00:42:49,542 --> 00:42:53,626 And then we moved on from there and said what else do we do
787 00:42:53,626 --> 00:42:58,250 with RADIUS and I basically put Jim in a little box and let him come
788 00:42:58,250 --> 00:43:00,999 out for air in a month.
789 00:43:02,083 --> 00:43:05,292 We start going through every single module, what
790 00:43:05,292 --> 00:43:08,999 about that one and what about that, known people seem
791 00:43:08,999 --> 00:43:12,542 interested in how we figured that out.
792 00:43:13,999 --> 00:43:16,250 We started with someone else's work.
793 00:43:17,876 --> 00:43:20,999 We did this 90 will Ruby that's scripting.
794 00:43:22,501 --> 00:43:25,083 So how can we do this to make it easier, starting
795 00:43:25,083 --> 00:43:27,999 with the great work from others.
796 00:43:28,083 --> 00:43:30,542 Yielded unexpected discoveries.
797 00:43:30,542 --> 00:43:36,083 We found a vulnerability as far as we know for iOS that's never been reported.
798 00:43:36,501 --> 00:43:40,125 We told Apple about it and they told us to get stuffed
799 00:43:40,125 --> 00:43:42,334 in so many words.
800 00:43:42,626 --> 00:43:49,999 But it was just random and I encourage you guys to say words that work.
801 00:43:54,751 --> 00:43:56,999 Whatever it is to take you guys wherever you want
802 00:43:56,999 --> 00:44:00,292 to go, but test things you think it should work.
803 00:44:00,501 --> 00:44:02,626 Test it and make sure.
804 00:44:02,751 --> 00:44:07,584 There are times and I say V2 doesn't work, but here it is.
805 00:44:08,292 --> 00:44:10,999 So, you know, we didn't invent time
806 00:44:10,999 --> 00:44:16,667 with a flux capacitor, but we did come up with this patch.
807 00:44:16,834 --> 00:44:22,083 We put it in the box and RADIUS that allowed us to test this interest allowed
808 00:44:22,083 --> 00:44:28,459 us to see what would happen when we accept everything in certain ways.
809 00:44:28,751 --> 00:44:31,999 That is the meat and potatoes of what we're giving to you guys.
810 00:44:32,959 --> 00:44:35,083 Anybody sending wireless attacks.
811 00:44:37,375 --> 00:44:38,751 Perfect.
812 00:44:38,792 --> 00:44:40,999 It can take some time to set that up.
813 00:44:41,125 --> 00:44:44,125 We're giving you guys the patch so you can test this
814 00:44:44,125 --> 00:44:46,375 against your patches.
815 00:44:51,083 --> 00:44:54,626 I will pass to Jim over here for the last slide.
816 00:44:55,918 --> 00:45:01,709 Jim: So basically it will forward you on to our GitHub site.
817 00:45:01,709 --> 00:45:04,209 You can download the tool and the patch.
818 00:45:04,792 --> 00:45:08,209 It has an installer script that you can run that's called sis prep.
819 00:45:08,999 --> 00:45:11,626 It will download libraries.
820 00:45:12,584 --> 00:45:14,959 But again, read the code and make sure you
821 00:45:14,959 --> 00:45:17,292 understand what is going on before you run it
822 00:45:17,292 --> 00:45:21,834 in your guys' own corporate environments and all that jazz.
823 00:45:21,834 --> 00:45:25,083 I promise it won't send your passwords over to you.
824 00:45:25,999 --> 00:45:28,959 Josh: You should check though.
825 00:45:28,959 --> 00:45:29,959 Jim.
826 00:45:29,959 --> 00:45:32,999 And it is just a jab at what is going on in the media today.
827 00:45:32,999 --> 00:45:33,999 Stop spying on me.
828 00:45:37,292 --> 00:45:38,999 That's our talk.
829 00:45:38,999 --> 00:45:41,751 We appreciate you guys taking time to listen to this.
830 00:45:41,751 --> 00:45:41,751 Josh: If you guys have questions, I think we're going to be
831 00:45:41,751 --> 00:45:42,999 over in the chillout area.
832 00:45:42,999 --> 00:45:44,709 Or just catch us walking around.
833 00:45:44,709 --> 00:45:46,834 We'll be here for the rest of the weekend.
834 00:45:46,834 --> 00:45:47,834 Is this thing on?
835 00:45:47,834 --> 00:45:49,083 Everybody, first time talk.