Scenario based hacking - enterprise wireless security (Vivek Ramachandran)
©SecurityTube.net
Scenario Based Hacking – Enterprise Wireless Security
Vivek Ramachandran
Founder, SecurityTube.net
Vivek Ramachandran
WEP Cloaking Defcon 15
Caffe Latte Attack Toorcon 9
Microsoft Security Shootout
Wi-Fi Malware, 2011
802.1x, Cat65k Cisco Systems
B.Tech, ECE IIT Guwahati
Media Coverage CBS5, BBC
Trainer, 2011
In-Person Trainings
SecurityTube Online Certifications
25+ Countries
Free DVD (12+ Hours of HD Videos)
http://www.securitytube.net/downloads
Scenario Based Hacking
• Multiple courses are available from different certification bodies
• Concentrate more on tools than application
• Script kiddie mentality
• Real world scenarios are not used
• Student finds it tough to excel in the real world
The Real World
• Complicated scenario
• Heterogeneous architecture
• Multiple security controls present at the same time
– Firewalls, IDS/IPS, etc.
• Requires one to be a Master of all, rather than a Jack of all
• Basically “Scenario Based Hacking”
Understanding Scenario Based Hacking
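| Component | Scenario 1 | Scenario 2 | Scenario 3 | Scenario 4 |
|---|---|---|---|---|
| Patches | X | Present | Present | Present |
| Personal Firewall | X | X | Present | Present |
| AV | X | X | X | Present |
| NAT | X | X | X | X |
| Firewall | X | X | X | X |
| IDS | X | X | X | X |
| IPS | X | X | X | X |
| WAF | X | X | X | X |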
…
…
Simple Scenarios
Internet
• No patches
• No AV
• No Firewall
• No Network IDS/IPS
• Direct Access (No NAT)
• …..
Complicated
Interesting Ones!
Airport
Coffee Shop
Scenario Based Hacking for Wireless
• Enterprise Wireless Attacks
– PEAP
– EAP-TTLS
• Enterprise Rogue APs, Worms and Botnets
Enterprise Wireless Attacks PEAP and EAP-TTLS
WPA-Enterprise
[Sequence diagram between Supplicant, Authenticator and Authentication Server. Labels, in order of appearance: Association; EAPoL Start; EAP Request Identity; EAP Response Identity; EAP Request Identity; EAP Packets; EAP Packets; EAP Success; EAP Success; PMK to AP; 4 Way Handshake; Data Transfers]
WPA-Enterprise
• Use a RADIUS server for authentication
• Different supported EAP types – PEAP, EAP-TTLS, EAP-TLS etc.
• De facto server
– FreeRadius www.freeradius.org
• Depending on EAP type used Client and Server will need to be configured
FreeRadius Wireless Pwnage Edition
http://www.willhackforsushi.com/FreeRADIUS-WPE.html
WPA/WPA2 Enterprise
| EAP Type | Real World Usage |
|---|---|
| PEAP | Highest |
| EAP-TTLS | High |
| EAP-TLS | Medium |
| LEAP | Low |
| EAP-FAST | Low |
| …. | …. |
PEAP
• Protected Extensible Authentication Protocol
• Typical usage:
– PEAPv0 with EAP-MSCHAPv2 (most popular)
   • Native support on Windows
– PEAPv1 with EAP-GTC
• Other uncommon ones
– PEAPv0/v1 with EAP-SIM (Cisco)
• Uses Server Side Certificates for validation
• PEAP-EAP-TLS
– Additionally uses Client side Certificates or Smartcards
– Supported only by Microsoft
Source: Layer3.wordpress.com
Understanding the Insecurity
• Server side certificates
– Fake ones can be created
– Clients may not prompt or user may accept invalid certificates
• Setup a Honeypot with FreeRadius-WPE
– Client connects
– Accepts fake certificate
– Sends authentication details over MSCHAPv2 in the TLS tunnel
– Attacker’s radius server logs these details
– Apply dictionary / reduced possibility bruteforce attack using Asleap by Joshua Wright
Windows PEAP Hacking Summed Up in 1 Slide
Demo of Enterprise Wireless Attacks PEAP
EAP-TTLS
• EAP-Tunneled Transport Layer Security
• Server authenticates with Certificate
• Client can optionally use Certificate as well
• No native support on Windows
– 3rd party utilities to be used
• Versions
– EAP-TTLSv0
– EAP-TTLSv1
Demo of Enterprise Wireless Attacks EAP-TTLS
Can I be Secure? EAP-TLS
• Strongest security of all the EAPs out there
• Mandates use of both Server and Client side certificates
• Required to be supported to get a WPA/WPA2 logo on product
• Unfortunately, this is not very popular due to deployment challenges
Enterprise Rogue APs, Backdoors, Worms and Botnets
Objective
• How Malware could leverage Wi-Fi to create
– Backdoors
– Worms
– Botnets
Background – Understanding Wi-Fi Client Software
• Allows Client to connect to an Access Point
• First time user approves it, Auto-Connect for future instances
• Details are stored in Configuration Files
Command Line Interaction?
• Scanning the air for stored profiles
• Profiling the clients based on searches
• Different clients behave differently
• Demo
See All Wi-Fi Interfaces
Netsh wlan show interfaces
Drivers and Capabilities
Netsh wlan show drivers
Scan for Available Networks
Netsh wlan show networks
View Existing Profiles
Netsh wlan show profiles
Starting a Profile
Netsh wlan connect name="vivek"
Export a Profile
Netsh wlan export profile name="vivek"
Creating an Access Point on a Client Device
• Requirement for special drivers and supported cards
• Custom software used – HostAPd, Airbase-NG
• More feasible on Linux based systems
Generation 2.0 of Client Software – Hosted Network
• Available Windows 7 and Server 2008 R2 onwards
• Virtual adapters on the same physical adapter
• SoftAP can be created using virtual adapters
– DHCP server included
“With this feature, a Windows computer can use a single physical wireless adapter to connect as a client to a hardware access point (AP), while at the same time acting as a software AP allowing other wireless-capable devices to connect to it.”
http://msdn.microsoft.com/en-us/library/dd815243%28v=vs.85%29.aspx
Feature Objective
• To allow creation of a wireless Personal Area Network (PAN)
– Share data with devices
• Network connection sharing (ICS) with other devices on the network
Demo of Hosted Network
Demonstration
Creating a Hosted Network
Driver Support
Client still remains connected to hard AP!
Wi-Fi Backdoor
• Easy for malware to create a backdoor
• The key could be:
– Fixed
– Derived based on MAC address of host, time of day etc.
• As host remains connected to authorized network, user does not notice a break in connection
• No Message or Prompt displayed
Understanding Rogue Access Points
Rogue AP
Makes a Rogue AP on every Client!
Rogue AP Rogue AP
Rogue AP
Best Part – No Extra Hardware!
Advantages?
Internet
Advantages?
Internet
Wicked Network
Why is this cool?
• Victim will never notice anything unusual unless he visits his network settings
– has to be decently technical to understand
• Attacker connects to victim over a private network
– no wired side network logs: firewalls, IDS, IPS
– Difficult, if not impossible to trace back
– Difficult to detect even while attack is ongoing
• Abusing legitimate feature, not picked up by AVs, Anti-Malware
• More Stealth? Monitor air for other networks, when a specific network comes up, then start the Backdoor
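Because wired-side controls never see this traffic, the practical place to detect a hosted-network backdoor is on the endpoint itself. The following is an added example, not part of the original slides: it parses the output of `netsh wlan show hostednetwork` and `netsh wlan show profiles` and flags a running soft AP, including one that reuses the SSID of a saved client profile. The sample outputs are constructed and assume the English locale, since netsh labels are localized.

```python
# Constructed samples of `netsh wlan show hostednetwork` and
# `netsh wlan show profiles` output (English locale assumed).
HOSTED_SAMPLE = """
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "OfficeAP"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:00:00:00:00:01
    Radio type             : 802.11n
    Channel                : 6
    Number of clients      : 1
"""

PROFILES_SAMPLE = """
Profiles on interface Wi-Fi:

User profiles
-------------
    All User Profile     : OfficeAP
    All User Profile     : vivek
"""


def parse_fields(text):
    """Return (label, value) pairs for every 'label : value' line of netsh output."""
    pairs = []
    for line in text.splitlines():
        # Split on the first colon only, so BSSID values keep their colons.
        label, sep, value = line.partition(":")
        if sep and label.strip():
            pairs.append((label.strip().lower(), value.strip().strip('"')))
    return pairs


def assess_host(hosted_text, profiles_text):
    """Flag a running or merely permitted hosted network on one endpoint."""
    hosted = dict(parse_fields(hosted_text))
    saved = {value for label, value in parse_fields(profiles_text)
             if label.endswith("user profile")}
    findings = []
    ssid = hosted.get("ssid name", "")
    if hosted.get("status", "").lower() == "started":
        clients = hosted.get("number of clients", "?")
        findings.append(f"soft AP {ssid!r} is running, clients={clients}")
        if ssid in saved:
            # Same name as a network this machine joins as a client.
            findings.append(f"soft AP reuses saved client SSID {ssid!r} (evil-twin pattern)")
    elif hosted.get("mode", "").lower() == "allowed":
        findings.append("hosted network is allowed but idle; "
                        "set mode=disallow where the feature is unused")
    return findings


if __name__ == "__main__":
    for finding in assess_host(HOSTED_SAMPLE, PROFILES_SAMPLE):
        print(finding)
```

On machines that never need the feature, `netsh wlan set hostednetwork mode=disallow` turns it off; the check above then returns nothing unless the setting is changed back.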
Chaining Hosted Networks like a proxy?
• Each node has client and AP capability
• We can chain them to “hop” machines
• Final machine can provide Internet access
• Like Wi-Fi Repeaters
Chaining Infected Laptops
AP AP AP Client Client Client
Authorized AP
Package Meterpreter for full access?
• Once attacker connects to his victim, he would want to have access to everything
• Why not package a Meterpreter with this?
• How about a Backdoor post-exploitation script for Metasploit?
Demo
Coupling Hosted Network with Metasploit
Increasing Stealth
• Passive Monitoring for SSIDs available
• Trigger SSID causes Wicked Hosted Network to start and create application level backdoor
• Attacker connects and does his job
• Shuts off Trigger SSID and Malware goes to Passive Monitoring again
Karmetasploit
• Victim connects by mistake or misassociation
• Victim opens browser, Metasploit Browser_Autopwn exploits the system
• Hacker gets access!
• Biggest Challenge – Victim notices he is connected to the wrong network and disconnects himself
Enhancing Karmetasploit
• Upon Exploitation, create the hosted network backdoor
• User disconnects, but this hosted network still remains active
• Attacker connects via this network
What about older clients and other OSs?
• Windows < 7, Mac OS do not have the Hosted Network or a similar feature
– Use Ad-Hoc networks
– Use Connect Back mechanism
• When a particular SSID is seen, connect to it automatically
• Blurb reporting “Connected to ABC”
– Could we kill it?
Hosted Network Meterpreter Scripts
http://zitstif.no-ip.org/meterpreter/rogueap.txt
http://www.digininja.org/projects.php
Dissecting Worm Functionality
Exploit
Worm
Propagation Technique
Hosted Network Encryption
• Uses WPA2-PSK for encryption
• Key is encrypted in configuration file
• Can be decrypted
• What if there is an office network configured on the same machine with WPA2-PSK?
1. Infect Authorized Computer and Decrypt Passphrase
Decryption Routine
Alternate – Dump and Copy
2. Create a Soft Access Point with the same Credentials
OfficeAP OfficeAP
Worm Infected Laptop
3. Signal Strength Game
OfficeAP
OfficeAP
Worm Infected Laptop
4. Hop and Exploit
OfficeAP
Exploit
5. Replicate and Spread
OfficeAP
OfficeAP
Worms Wi-Fi Network Signal Strength > AP
OfficeAP OfficeAP
OfficeAP
OfficeAP OfficeAP
Wi-Fi Worm
• Retrieve the network key for the network
• Create a hosted network with the same name
• When the victim is in the vicinity of his office, worm can be activated
• At some point the signal strength may be higher than real AP
• Other colleagues' laptops may hop and connect
– Conference rooms, Coffee and Break areas
Why is this interesting?
• Worm uses its own private Wi-Fi network to propagate
• Does not use the Wired LAN at all
• Difficult for network defenses to detect and mitigate
• Targeted APT against an Enterprise
Demo
On the Run
APIs for the Hosted Network Feature