Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Eric Brown (00:05):
You're listening to the Audit, presented by IT Audit Labs.
Mandi Rae (00:16):
Hello and welcome to the Audit, presented by IT Audit Labs. I'm Mandi, and joining me from the IT Audit Labs team are Eric and Kyle. We have a special guest today, Dennis Pelton.
Hi everybody.
Hey, Mandi.
Eric Brown (00:36):
So, Dennis, thanks for joining us today. You and I met a couple of months ago at Wild West Hackin' Fest in Deadwood, and you were presenting this presentation, and you were presenting it to a packed house, if I recall. Yeah, and was that your first time in Deadwood and going to Wild West?
Dennis Pelton (01:04):
Yeah, yeah, it was my first time going. I'd been wanting to go for quite a while, but never really had an excuse to go, and so when I saw they had opened the CFP, I kind of put together some of the stuff I'd been working on recently and, yeah, sure enough, got accepted.
Eric Brown (01:20):
Yeah, nice. Yeah, I had never been either, and one of the things I thought was pretty neat about Deadwood was there's, I think there are more slot machines than people in that town.
Dennis Pelton (01:35):
Yeah, pretty much.
Eric Brown (01:37):
It's a fun time though; it was good. Yeah, lots of bars too. Well, let's jump in and, if you don't mind, we probably have some questions or some things that we can interject with along the way.
Sure.
Dennis Pelton (01:51):
Sounds good. So, yeah, I'm Dennis Pelton, CISSP, a couple of the specialty certs from AWS and GCP, Security Plus, and I'm actually working on my OSWP right now for the wireless stuff. I'm currently working at Foghorn Consulting doing the cloud security stuff there, and I'm also a kind of hardware hacker and RGB enthusiast. I just love messing with hardware, building new things, stuff like that and, yeah, wireless noob. I'm just getting started into wireless and learning everything I can, having a blast.
Eric Brown (02:27):
You do some... You're on Mastodon, right? Are we calling them toots on Mastodon?
Dennis Pelton (02:35):
Apparently so. Yeah, I don't know. I've been seeing a lot of that. Yeah, it's coldbrew at infosec.exchange. And so, yeah, this presentation really kind of goes over a number of different things, but kind of starts with the current landscape of wireless: what kind of wireless stuff you'll see in the workplace and home. Then what is a kill chain, and then we'll kind of go through a little bit about how wireless works, just to kind of get the basics down on that, and then go over Wi-Fi reconnaissance and then segue straight into the actual Wi-Fi attacking, and then finally how to protect your network from this kind of stuff.
And is that a picture of your cat?
Eric Brown (03:17):
I wish it was. Just something that cracked me up online. But I think you almost have to have a cat to be in InfoSec. I don't know, yeah, it's probably true. I've got a couple. But see, Mandi, you're going to need a cat. There you go, step one.
Mandi Rae (03:36):
Can't take a cat to the dog park.
Dennis Pelton (03:40):
It's true, you really can't. So, yeah, wireless is pretty much everywhere at this point in time in our lives. In this office building here that we've got, you can see they've got like a wireless AC controller, wireless access points, wireless printer. You know, they probably got a prox system for the doors, things like that, light sensors, all of that. And all of it, whether it's 802.11 Wi-Fi or IoT or prox cards or any of those different technologies that are wireless, they're all vulnerable in some way. And so, yeah, really, people complain about security, but they opt for convenience, and this was something that I saw on the PagerDuty website, actually, and it really just summed up Wi-Fi for me. People want what's going to be the most convenient, and that doesn't always line up with what's the most secure. Securing wireless is all about trying to make it as convenient as possible while still being secure.
Eric Brown (04:40):
When you're doing pen tests, because you do some pen tests for your day job, right? Yeah. Do you do wireless attacks at all? Do you find you have to do that to get into places?
Dennis Pelton (04:55):
No. So unfortunately we don't get to do any of the wireless stuff at my work, so any of the wireless stuff that I've done has all just been here at home for fun. I would love for that to be one of our offerings in the future, but currently we just do like application pen testing and things like that.
Sure.
So yeah, this presentation is called the Wireless Attack Kill Chain. So what is a kill chain? So it's actually a military term, which I know a lot of people kind of poo-poo against those. But really it just lines up so perfectly to me with kind of how the wireless attacks work. So you've got the identification of the target, you've got your dispatching of forces to the target, initiation of the attack, and then destruction of the target, and so we'll kind of come back to these throughout the presentation. But to me that really does line up with how you do like a pen test of either wireless or otherwise. You really have to go through all these steps. So that was kind of why I chose this name.
Sure.
All right, so in order to attack something, you got to know how it works. So this is kind of my little explanation of how Wi-Fi works in a nutshell. Obviously there's a lot more to it than just these parts. But you've got the wireless APs, and those are all broadcasting their SSIDs using what's called beacon frames, and those are basically just blasting their name out there for everyone to see. And then you've got your wireless clients, which are broadcasting what's called the PNL, or their preferred network list, and so that is your phone just blasting out things that it's connected to in the past, saying like, hey, are you Starbucks? Hey, are you Starbucks? Looking for anything that it knows it can connect to. Every once in a while there's going to be a match. The client will send a probe request. At that point in time the AP replies with the probe response, and now you've got that handshake started, and that's kind of the first part that you can start to exploit when you're kind of breaking into a Wi-Fi network.
Eric Brown (06:49):
And this is how, if you're using security tools like a Pineapple, where that Pineapple would capture and rebroadcast out those SSIDs that a person's wireless client was attempting to connect to.
Oh yeah.
Dennis Pelton (07:10):
Yeah, there's a lot of different attacks that are kind of based on that back and forth of those different broadcasts that are sent out. So yeah, one quick note there is that DoS attacks can work against these. It's something where, when I first wrote this slide, it was something where I just kind of said, you know, yeah, it is possible, no one's going to do it, it's not... It doesn't really make sense in any way. But I was actually showing this presentation to a buddy of mine, and this slide actually sparked this whole conversation. And one, you know, proof of concept, but at least it was something viable that he had mentioned when he saw this, was that if you were to essentially spam the APs of a business with these broadcast requests, it's going to reply to every single one of those. So if you slam it with enough of them to take down the Wi-Fi network, you're probably taking down their camera system as well, which means now someone from the outside has the ability to get in without being caught on camera. And, you know, I don't know if it would actually work or not, but it's enough of a threat that it really made this slide a lot more impactful to me when you mentioned that.
Eric Brown (08:24):
Yeah, absolutely. Good to point that out. For sure, I've seen some security cameras that have the SD cards embedded in the camera, you know, removable, so they're recording to that SD card and then presumably also shipping it off to a central server somewhere.
Dennis Pelton (08:51):
But you know, fair point. If that SD card wasn't there and they're just relying on that wireless network, it would be susceptible. Yeah, or if they chose to use really small SD cards where it can only store, say, an hour's worth of downtime. So yeah, a little bit more about Wi-Fi. It's got different security options to utilize. Everybody's seen these before. But you've got WEP and then your WPA suite. WPA comes in WPA 1, 2, and 3, and then those all come in standard or enterprise, which standard is your home one. Enterprise is where you're using an actual RADIUS server, so you kind of authenticate those. Really, in this presentation, since this was made for noobs, I don't really go into the enterprise one. To be honest, I wish I had, because when I presented this in Deadwood I finished way too early and I would have had plenty of time to talk about enterprise. But oh well. Then WPS is the last thing I wanted to mention on here. It really shouldn't be used in any businesses. But that's the whole system where you can push the button on the router and it's going to initiate that sending of the credentials to the device, and then the device can connect. Obviously that is not a good idea and is broken in many ways, but the real thing to pay attention to on this slide, though, is that little photo there, which was from WiGLE in the same month that I presented this. I'm sure those numbers have not changed too much between now and then, but you'll notice that WPA2 is 72%, or over 72%, of the wireless networks out there. To me, that number was absolutely shocking, because WPA2 is broken. You can definitely break into that in multiple different ways that we're about to go over. Same with WPA. WEP's been broken for a long time, and then no encryption obviously is not a good idea, but places are still going to do it for things like coffee shops and things like that.
So, yeah, so the next thing we're going to talk about is Wi-Fi reconnaissance, which to me lines up with the identification of the target in our kill chain. So, really, the main kind of Wi-Fi reconnaissance thing is war driving, or war walking, as some people like to call it. The name actually comes from war dialing, which was back in the day, you know, like WarGames and things like that, where people would just dial random numbers until they hit a modem, and that gave them a target, because now they know, okay, well, there's a computer on the other side of this. That's something that I can get into. So kind of in a similar way, war driving is just driving around physically looking for targets, kind of in the same way they used to do that with war dialing. How it's done is you just put your kind of wireless access or your wireless clients into promiscuous mode, which allows it to pick up anything, not just the things that are sent directly to it. This is used for sniffing traffic on either wired networks or wireless, but in this case we're doing it for the wireless and driving around with the GPS. When you pair that GPS data of your current location with the Wi-Fi data of "this SSID is on this channel with this security," now you've got an aggregated list of targets. If you switch the slide, I believe the next one was WiGLE.net. Again, these are actually examples of war driving devices. You can see on the left there that device. It's clearly very purpose-built, and I can't even remember how many antennas are there, but that's able to sniff every single band, or not every band, but every channel all at once, and so some people will build devices like that to be able to drive around and just pick up the most data possible. But the alternate to that is kind of those methods there on the right, where one of those is just a Raspberry Pi with an Alfa card strapped onto it and a GPS. The next one is just a guy's laptop sitting in his lap while he's driving around. It just goes to show that you can spend as much or as little as you want on something like this, but it can all still work the same way. I've actually got an example here. I built this one a while back, just kind of as a proof of concept, but you can see it's just a little ESP unit attached to a nine-volt battery, and that's enough.
Eric Brown (13:25):
You can still do these attacks with that, and that was five dollars' worth of parts.
And, Dennis, if somebody wanted to see if their business or their home wireless network was captured in war driving or recorded somewhere, is there a website that you can go to to see that?
Dennis Pelton (13:45):
Yes, that's actually the next slide, I believe. Ah, here we go. Yeah, so WiGLE.net is where you can then upload all this data, and on WiGLE you can kind of go to any location, you can zoom in, you can browse around, things like that, and it's going to show you everything that anyone has collected and uploaded here, and they have various contests and things like that. From time to time there's different teams that kind of accrue points on here, but really it's just about collecting all that data and everyone aggregating it together. But that means that, yeah, you can check if you're on here, which I checked, my house is definitely on here, but it means that also, if you're looking for a target, all you need to do is know where they're located and you can zoom in and find what their exact AP is called. You know the SSID of that, you can find the channel it's running on and get all that data ahead of time, before you even go out there to your target. So, yeah, the next step is dispatching your forces to the target. To me this was kind of like rogue wireless attacks, or really just kind of any wireless attacks in general. And so, yeah, the first thing we'll talk about is a Karma attack, and this is kind of what we were talking about before with the... where everyone's broadcasting their PNL and they're broadcasting their SSIDs. Well, what a Karma attack is, it's where the AP is specially configured to just, like you said, reply with whatever it is they get. So if they have a phone that comes up and says, hey, are you Starbucks? It replies back and says, yeah, I'm Starbucks. So now the phone thinks it's connecting to Starbucks, even though it's connecting to either, yeah, like a Wi-Fi Pineapple, or even one of these little guys. You know, whatever it may be, it's going to reply that it's that. And actually, at Wild West Hackin' Fest I made a handful of these, which were little badges that were running wireless access points on the back, and they were doing that same thing. So if you connected to a wireless network there, it very well could have been my badge or one of the other ones that I handed out there, but it just goes to show you these can be anything. They can be disguised to look like anything, they can be super simple or super complex.
Eric Brown (15:55):
Yeah, Kyle, what's the Pwnagotchi thing that you have? You were doing something very similar, weren't you?
Kyle Rosendahl (16:03):
Yeah, that does something similar, and we'll probably get into it, but it does more of like a deauthentication attack, where it actually kind of intercepts the four-way handshake as it's going to and from, or it watches for those four-way handshakes taking place and then grabs a copy of those and brings it down so that you can, I think, basically break into the keys that are passed between the access point and the client. And then, to force them to authenticate, it'll send a deauth packet, knock them off the Wi-Fi and then watch them reconnect to try and grab all the information. Yeah, so with the Karma attack, then, when doing this type of attack, right, you've got your device, you've got someone to connect to it. Is the purpose then to have that person connect and then pass the internet back to them and intercept what's in the middle, or kind of what's the benefit of running an attack like this?
Dennis Pelton (16:54):
So there's honestly a couple, and I think I went into a few of them in here. But yeah, the first one would be if you're presenting as something like Starbucks, for example, you may just want to hijack their traffic. It's something where if you set up a little DNS server in there, then you are essentially controlling where their traffic goes. Actually, I think that is this slide here. If they accept your probe request, they connect under those false pretenses. Now you can control their traffic. So when they go to google.com, you're sending them to a fake google.com that maybe asks for their password or something like that. You get to pick what it does at that point. But that's really only gonna work if you know what the authentication is. The other point of it is, yeah, as you had mentioned before, where you can kind of start to get into that four-way handshake, and if you can kick them off the network with a deauth packet, now you can kind of intercept that handshake and get both sides of it, and we'll kind of get into that further down in the slides. But that's how you crack the WPA keys.
Kyle Rosendahl (18:04):
Cool. So essentially, you want to... with a Karma attack, I mean the main purpose, or the easy, I don't want to say easiest, but most fruitful maybe, would be to control that DNS, send them somewhere that looks like Facebook but it's your Facebook, and then get their Facebook password as they type it into your fake Facebook. That's probably the most common thing that people end up doing with it.
Sure, most common.
Dennis Pelton (18:29):
That's a good way to put it. You know, people get creative sometimes, but, yeah, totally cool. So I think, yeah, the next one here is talking about kind of DNS, and this goes back to the, yeah, manipulating DNS to control the traffic is the most common thing that people would do with this. So how that ends up working, DNS kind of in an extreme nutshell here, of like just doing the highest-level overview, you know, when they type in something like wildwesthackinfest.com into their browser, their browser is going to query a DNS server. That DNS server is going to return the IP address, and then the browser goes to the IP that was returned. But if you're the one controlling that DNS server, you know you can send it back whatever you want, and their browser is just going to go there and, you know, accept that that was the truth. So once you control that traffic, you control where they're going. And yeah, this was kind of what we talked about just a minute ago of, you know, in a real-life scenario, this is kind of how that would play out.
Eric Brown (19:31):
Oh, this is, while we were talking about this, with the Pwnagotchi scenario too.
Dennis Pelton (19:39):
Exactly, yep. So what if they're already connected? Just like you said, deauth. The way that deauth works is just APs can send out those deauth packets. That's really if the clients have degraded service or if the client is sending out issues or things like that, the AP is kind of able to sever that connection and force a reconnect. It's really for AP handoff, is kind of the main thing that it's for. But yeah, you can send those from anywhere, assuming it's WPA or WPA2. In WPA3, they started to kind of get a little smarter about how those are handled, and so there's some kind of validation there between the device and the AP saying, hey, is this legitimate? And the AP has to respond with, yes, this is legitimate. So yeah, the deauth, it will only work with WPA2 and WPA. The reason for this is that the 802.11 frame headers in those two are not encrypted. They're necessary for the standard operations of the actual spec itself, but they didn't feel like it was necessary to encrypt those. Now, the 802.11w spec did actually kind of deal with that problem. But the problem with that is that it needs to be supported and enabled on both the client and the AP. It's really not in most cases, and because most clients don't support it, most APs that even do support it don't have it turned on, because that would cause issues. So really that one didn't help too much. WPA3 did pull all that work from the 802.11w spec into it. So once that gets some higher adoption, that's going to solve the problem. But as you saw from that WiGLE slide a good ways back, the kind of adoption on WPA3 is basically non-existent at this point. So really the problem kind of sticks around. And so, yeah, let's get into actually breaking of those networks and the initiation of the attack on the target.
So the first one we're going to talk about is called the half handshake attack, and this is really, when we were talking about the four-way handshake earlier, this is what exploits that. And so when you do that Wi-Fi connection you've got kind of four main things that happen, and we're going to go into each one of these in depth. But the first thing that happens is the AP sends out an authenticator number to the client, then the client is going to send back a transient key. The AP is going to return with a temporal key, and then the client is going to confirm receipt of that and actually start that encryption, that encrypted connection. So for that first step, the AP sends what they call the ANonce, I believe is how they pronounce it. But it's that authenticator number, and it's only used one time. So it's just a random number that that AP actually generates. So it generates this random number and it sends it over to the client, and it sends it along with its own MAC address. So there's no encryption on that and there's no integrity validation, because on its own it has kind of no value, essentially. But if we're sniffing this traffic, that means now we have that random number that's generated, we have its MAC address, we already know its SSID, and we know the channel. We know kind of a fair amount of information at this point just from that one packet and the bit that we've seen so far. So then, once the client receives that, it's going to create what's called the pairwise transient key, or the PTK, and what that includes is: that's going to be the authenticator number that was sent from the AP. It's going to generate its own random number, which is called the supplicant number. That includes the MAC address of the AP that was sent to it and the MAC address of itself. Then it's going to include a hashed version of the SSID and the password. So it sends this with a message integrity code, and that's just basically another hash of all that information. So it does not send the PTK, it only sends that message integrity code, which is the hashed version of all that information that it created with its PTK. This is important because that means that it's not actually sending that password. The AP is then going to create a PTK of its own. It's going to have all that same information, because now it has some of that that it got back from the client, and it has the rest of it that it generated on its own. Then it's going to create that message integrity code and compare the two. If those two match, then it knows that the SSID and password that the client was sending is the same as the one that it generated. So it knows there's a match, it knows everything's good, and that's when it sends the group temporal key. It sends that also with a message integrity code. But now they're ready to communicate, because now they both have that main key.
So now we can jump into how can we actually kind of exploit this. So the PTK is the most important part of this, but it doesn't get sent. We only have the message integrity code that was sent of that. So we've already captured the authenticator number from those AP packets. We've captured the MAC address, we've captured the supplicant number, and we've captured the MAC address of the client. So we have every single part of this except the password. But we have that message integrity code, which is the hash of all of those things put together. So we can build our own PTKs and compare them to that message integrity code to see, do we have the right password here? Obviously this would take forever, but Aircrack-ng has automated this process for us. So we can send it a password list and it's just gonna roll through that list of, you know, 10,000 passwords or whatever, comparing each one of those message integrity codes to the one that it sniffed until it finds the password. You can actually set these up ahead of time too. If you did something like going onto WiGLE.net and grabbing the SSID, it may even have the MAC addresses too. I can't remember, but essentially you can prepare a lot of that ahead of time and make it go even faster. So the next thing we'll talk about with the four-way handshake is what's called the KRACK attack, and I've never actually been able to pull this one off successfully. So at least for me it's more of a just kind of fun thing to kind of think about and keep in my mind. But it has been done before, so it is a proven thing that does have a proof of concept. With this one, basically, if the client does not complete step four, that kind of confirmation that it received that group temporal key, the AP will resend it. And each time the AP resends it, or each time the client receives it, I should say, it gets reinstalled. And that means that, since it's using the packet number as the IV for the encryption, that means you can essentially reset the IV of that client's encryption by resending it, that GTK. So at that point it's reusing the key stream for its encryption, which means you can now decrypt that traffic. So even if you don't know what the password is, if you can force it to re-accept that GTK, you can decrypt their traffic as they're sending it, even though it's encrypted.
Mandi Rae (27:13):
Is this the four-way handshake details you've been looking for, Kyle?
Kyle Rosendahl (27:19):
Oh, that and more, Mandi, yeah. We love a four-way handshake. For those that don't know, I mean, what is the IV, kind of in layman's terms?
Dennis Pelton (27:34):
So it's the value that it's using for the encryption, but the IV is going to change each time a new packet is sent. It's not like you're using, I guess, trying to think of a good way to put this, but something like a ROT13, which obviously is not encryption, but something like ROT13. Every single message you send that was ROT13 encoded is going to be decoded in the exact same way, but with an IV it's going to change each time it's used. So you can't just use the same method to decrypt one packet as the next one unless you know what that IV is, because the IV is going to continue changing in the same pattern.
Kyle Rosendahl (28:14):
I guess I'm trying to think if there's a better way to explain this, but by forcing them to reinstall, then you can essentially figure out what the IV is and decrypt the traffic. Yes, exactly. To force a reinstallation of that GTK at the client end, I mean theoretically and proof-of-concept-wise, would that be, I mean, injecting some sort of deauthentication midstream during the handshake? Or, I mean, what are kind of the proof of concepts that theoretically could work, even though they haven't maybe been used in the field necessarily?
Dennis Pelton (28:49):
So really it's not deauthentication, but it's similar to a deauthentication in the sense where, when you send a deauth packet, you're sending something that should have been coming from the AP and you're forcing the client to accept it. With the GTK it's very similar, where you are just resending that GTK that you captured, and the client is just going to accept it and accept that it came from the AP.
Kyle Rosendahl (29:13):
Got it. So it would really be capturing the GTK in transit and then continually pushing it to the client to get that IV and then decrypt the traffic.
Dennis Pelton (29:24):
Yeah, and again, like I said, I've never actually done this one. It's more just one I've read about and kind of done a lot of research into, and it really just fascinated me that, you know, I'm sure it's not easy, but at least as far as how it works it's fairly simplistic.
Kyle Rosendahl (29:42):
Sure, and the packet number. Is that the sequence of GTKs that were received, or is that just something that you add as part of the header of the packet that you're sending over?
Dennis Pelton (29:53):
So the packet number is basically part of that stream of traffic, and since it's using the packet number as the IV, yeah, so that's where that comes in. And that's going to be a little bit of...
Kyle Rosendahl (30:10):
Yeah, so there'd be a little bit of logic in... Where in the stream are we? Which GTK is this? But not a lot of guesswork. If you're at that point where you could then say, well, I'm somewhere in this range, I'm going to try all of them and figure out which one decrypts it, and then you're locked in and keep going.
Dennis Pelton (30:28):
Yep, yeah, just like that. Yeah, for known content, decryption becomes a lot easier. So if you know that they are going to, you know, google.com or something like that, then you know what it should look like, and you're just comparing it to what it does look like at that point, and, you know, at that point you can reset the IV as well, which makes it even simpler for you.
Got it. Cool.
Kyle Rosendahl (30:48):
That makes sense. That's awesome.
Dennis Pelton (30:51):
And so, yeah, the last part is the kind of destruction of the target. Really, for us this is kind of total pwnage, in the sense of, you know, at that point in time that you're able to read their encrypted traffic and you're able to get onto their network because you know the password and things like that, and, you know, I think the next slide shows it, but, yeah, it's pretty much, you know, wreak havoc in any way that you see fit at that point, because you're on their network, you can control their traffic, you can harvest their credentials, you can sniff their internal traffic, you can do anything at that point. So, yeah, that's kind of the end of the how-to-get-onto-it section. So then, how do you protect against this kind of thing? Really, with Wi-Fi, the best advice to give is use common sense. Now that you know how these work, you can think of different ways to break this kill chain. Like the slide about kill chains said, it's something where, once you understand the kill chain, you can break it, and if you can break it you can stop that end goal of the attacker. There's a couple more things I've got listed here than just common sense. But, yeah, disabling the ability for your devices to just connect to networks you've been to before. There's a lot of different ways to do this. There's a screenshot there from a Mac, on the iPhone I think it's, yeah, ask to join networks. You can set that to ask instead of auto-join. You know, really just connect only when you need to. Don't let your phone just kind of connect to every little thing that it comes across; force it to actually ask you, like, hey, do you want to connect to Starbucks? And you're like, wait a minute, I'm on an airplane. I don't think I do. You know, just kind of using common sense in that way of, like, you know, look at the things you're connecting to, make sure you're connecting to something that makes sense and something that you want to connect to. This is kind of one of those things where it's easy to say and it's not as easy to convince others to do it, and this really goes back to that quote that I had near the beginning, of people are going to opt for convenience, and this is where, if you make it slightly less convenient for yourself, you know, put some kind of barrier there where you have to look at it and you have to accept that network, it makes it a lot more secure.
Eric Brown (33:07):
I know Mandy and I in the past have done some security education seminars and we'll set up a Pineapple ahead of time in the room and just start collecting the SSIDs from people's devices as they come in, and then towards the end of the presentation we flip over to that Pineapple screen and we
(33:33):
show all of the networks and people's mouths just hang open when they see their home internet on that list.
It's pretty funny to see and it really does get people to start to think differently about wireless.
Dennis Pelton (33:51):
Yes, yeah, and honestly, that's kind of the thing that I love doing the most with things like this. It's kind of, when you can show someone these things in that kind of a way, where you show them with this massive impact, and it's just, yeah, people don't even know that kind of stuff is possible.
So when you show them something like that where it says, you know, this is your home network, it's just, you know.
Mandi Rae (34:14):
Yep, I also want to add, I'll get a cat if y'all find me a cat that wears a hoodie, like in your presentation.
Eric Brown (34:24):
That was the cutest thing I've seen all week.
I do love that picture.
Kyle Rosendahl (34:33):
I don't even know where you'd get a hoodie that tiny, but you got to custom make one.
Put the IT Audit
Mandi Rae (34:37):
Labs' logo on it.
Man, there you go, you can be our mascot, yeah.
Dennis Pelton (34:43):
Yeah.
The next one is use a guest Wi-Fi for employee devices.
This is another one that's very easy to say and it's a lot harder to actually kind of implement out of place.
But, you know, things like the half handshake attack, it requires proximity to a device that knows the password.
So if you're talking about your corporate network, you know, if
(35:04):
employees' devices are connecting to it and then they're going out to the club or they're going to,
you know, wherever they go on vacation.
You know, now the attackers can actually imitate that and get that password.
But if they've only ever connected to the guest Wi-Fi, the most they're going to get is the guest network, in which case it doesn't really matter if they have that information.
(35:25):
You know, it's not going to remove the risk entirely.
It's only going to lower the risk because the laptops will still have that risk.
So if you go to Starbucks and start working on your laptop, your laptop's probably connected to the corporate Wi-Fi.
There's not really much of a way around that one, but if at least your phones are not, that does reduce the risk.
Mandi Rae (35:45):
I think I mentioned this to you outside of the podcast recording, but the imagery within this presentation is amazing.
So if you're listening to us audibly and you have a good sense of humor, I encourage you to check out the YouTube.
Definitely worth seeing, and I appreciate everything you put into this.
Dennis Pelton (36:04):
Yeah, it was definitely a lot of fun to make.
I wanted to make sure it was, you know, even if people thought the content was kind of dry, I figured as long as the memes are there, it should be pretty good.
Mandi Rae (36:14):
You nailed it.
Well, thank you.
Dennis Pelton (36:18):
Yeah, the last one is secure your APs and use, like, rogue AP detection if you can.
I've gone to a lot of places where the APs were literally just sitting on employees' desks.
They said, "Well, Tim, part of your desk is taken up now because we need the Wi-Fi to be here," and that's just a bad idea.
It's super easy to just swipe that when nobody's looking or
(36:39):
swap it out for something else.
There's all kinds of terrible things that people could do if they have that physical access to the device.
So put them up in the ceiling, hide them, secure them.
Whatever it is you can do to keep the physical devices away is going to be a good thing.
And then rogue AP detection.
Not everything supports it, but I know with the UniFi devices
(36:59):
they support it, and I do a lot of Wi-Fi testing here at home and that rogue AP detection works.
If you start trying to mimic one of my networks, it's going to throw me an email and I'm, of course, just going to ignore it because I'm doing it so much myself, but in a normal business you want those kind of alerts.
(37:20):
And then, yeah, use strong passwords and keep your devices updated.
The half handshake attack and the crack attack, those both rely on a password that can be cracked with something like aircrack-ng.
If you make your password stupid long and really hard, you're just making it a lot harder on someone trying to get in.
Karma relies on WPA or WPA2.
If you run WPA3, you're going to be in a lot safer place.
(37:43):
At least last time I checked it still had not been broken yet.
Obviously it's going to be at some point in time.
Someone's going to find a flaw, but, you know, it's a lot more secure to be on something like WPA3 than to be on something that we know for a fact is broken and has been automated.
And yeah, that's the end.
Eric Brown (38:04):
A couple questions for you, Dennis.
Yeah, go for it.
How about VPN?
Using a VPN to encrypt that tunnel that might go through a rogue AP?
Would that be something that users could do to protect themselves, like at a coffee shop, or something like that?
Dennis Pelton (38:23):
That's actually a great question.
I hadn't really thought about that, but, yeah, I mean, it makes sense to me, assuming that your VPN is actually encrypting all of your traffic and not just some of it, because they have those, you know, the ones where it only encrypts the traffic.
Yeah, there's the tunnels where it only encrypts the traffic that it needs to, in which case, if you sent out a DNS request
(38:44):
for google.com, it's still going to send you to the malicious one, but if you had the kind of more egregious one that's going to encrypt all of your traffic, yeah, I mean, I suspect that everything is going to be piped through, so you're not really going to.
At least, you know, in my head I'm trying to think of ways that this attack could still affect someone like that.
Kyle Rosendahl (39:08):
But yeah, I think that would actually work.
And what about something, I mean, just going off what you said with DNS, right, I mean, there's those VPNs where you can use secure DNS and it forces it through those secure servers.
What if, like on your workstation or phone, you have a hard-coded DNS inside?
Is that going to make a Karma attack more difficult?
So you're using a service like Quad9 or OpenDNS or something
(39:33):
and you push all your traffic out your devices through that?
Are you still hijackable, or is it only if you're automatically configuring your DNS?
Dennis Pelton (39:41):
So that's actually also a great question.
I suspect that it would become a lot harder to hijack that traffic if you were hard coding your, you know, like Quad9s, like you said, or something like that.
Yeah, again, honestly, I'm kind of curious to play with that now.
Yeah, because I suspect there's probably still a way to do it.
(40:03):
In fact, now that I'm thinking about it, I'm betting you could just do some kind of a rule that would redirect any traffic bound for, you know, quad eights, quad nines, quad ones, any of those, and force it to your DNS server.
But yeah, it's definitely something that, like, at least personally, I have never attempted to do that.
(40:24):
I wouldn't have thought of it before today.
Kyle Rosendahl (40:30):
So, you know, yeah, just making it a little faster outrunning the bear, right? Like, probably still vulnerable.
Dennis Pelton (40:39):
You're just making them take another step to get you. Possibly.
But yeah, that does make me want to start playing with that now and see how difficult it would be to still hijack that traffic.
Eric Brown (40:46):
One other question for you, Dennis, maybe not necessarily related to hacking the Wi-Fi, but a user question that comes up from time to time, and it's around the portals.
So when you go to a hotel or you go to a coffee shop,
(41:07):
sometimes they present that portal that you need to go through in order to get on the wireless.
Sometimes that portal doesn't present.
You know, you try to go to a website, the portal doesn't present.
Do you have any tips or tricks on how to get on those networks?
(41:28):
I've tried things like going to 1.1.1 or 0.0.0 or just, you know, different things like that, but I don't have a foolproof way to be able to get those portals to pop up sometimes.
Dennis Pelton (41:49):
Sometimes, yeah, so I know, when they set those up it's usually something where they're basically just redirecting any website to their portal, essentially, and so, just kind of out of laziness, they're going to set it up for, you know, *.net, *.com, *.org, and just say send those here.
But that does mean that, yeah, if you attempted to go to, like, infosec.exchange, that's not included, it's going to be
(42:11):
blocked because it's not going to the portal, but it's also not going to trigger the portal to come up.
Honestly, for me, what I usually do, because I've run into that same thing where I try to go somewhere, the portal doesn't come up, and now I'm kind of in this weird locked
state where I'm connected,portal doesn't come up, and now
I'm kind of in this weird lockedstate where I'm connected but
I'm not able to get on, and I just try going to google.com because I figure that's your standard user.
(42:32):
That's probably going to be their first place they go.
That one's got to be in the list of things that's going to get hijacked and redirected to their portal.
Eric Brown (42:40):
But sure, I've played around with it before and then looked at the IP address that they gave me and then tried to go to .1 on that network to see if that was their gateway.
And, you know, it's all sorts of things that the general user would do, and these things are stuff that happens to the everyday user.
So it's, you know, I like your idea there of just suggesting
(43:02):
try to go to Google or a common website that would be captured.
Dennis Pelton (43:08):
Yeah, although, interesting point about those captive portals.
That's another thing that I wish I would have put into my presentation, but I didn't, is that most of those, they're on an unsecured network.
They just do the security through the portal rather than through the network, which does mean you could spin up something like a Wi-Fi Pineapple, put on a fake captive portal that, you
(43:30):
know, mimics whatever that hotel is, or whatever coffee shop you're in, or whatever, and then asks, you know, "Please log in with your Gmail account."
Well, now you're harvesting Gmail credentials because anytime somebody connects to your network, it's going to force them to your portal, and now you've captured whatever it is you're trying to capture from them.
Eric Brown (43:50):
Awesome.
Well, Dennis, thank you so much.
Mandi Rae (43:53):
Well, thank you for joining us on this episode of the Audit.
We appreciate our guest Dennis Pelton sharing with us the Wild West Hacking presentation.
If you want to get a hold of Dennis or get more information about him, hit him up on Mastodon at coldbrew on infosec.exchange.
For more information on IT Audit Labs, you can visit us on
(44:16):
our website, itauditlabs.com.
Eric Brown (44:20):
If you have pictures or a way for a cat to get a hoodie, I think Mandy would be appreciative of that.
Mandi Rae (44:29):
I need some cat hoodies or pictures of cute cats in hoodies.
Well, thanks again, Dennis.
Bye, guys.
Eric Brown (44:41):
In the current technology landscape, managing risk, among other operations, can be incredibly challenging.
Let IT Audit Labs experts provide a detailed, thorough examination in preparation for your upcoming audit.
Contact us to learn more.