
[Applause] So, hi everyone. I'm Felix, I'm a freelance pen tester. I've been doing this for a while now, and breaking into stuff, you know, longer. But yeah, today I'm here to talk to you about some work that I did for my Master's dissertation. Essentially I was told to always find a project, go do some sort of mild research, and at the same time I had a client that, basically, you'll have to take my word for it, they told me that they had lots of people who lived in cafes and airports and hotels and stuff, using free Wi-Fi and open Wi-Fi, and they did nothing about it. They essentially had all of the traffic just going across the internet, and it worried me. And so the guy turned around to me when I was telling him this and said, "Well, can you prove it? Can you show me this? Because otherwise I'm gonna do nothing about it."

I had a look around and I genuinely couldn't find a tool that really did anything that the business cared about, so I started out by doing it myself. The work I'm about to show you relies quite heavily on man-in-the-middle, so just as a recap for everyone who may or may not know: man-in-the-middle conditions are essentially where you have a bit of infrastructure where an attacker controls it and can do stuff with the communication that's going back and forth between a legitimate user and a service. So things you can do: listen to the communication, change the communication, or block the communication. And so I decided I was gonna basically make my own Wi-Fi access point, yeah, and it steals some users' creds by being a man in the middle, and then turn around to my client and say, "Well, you know, this is why you need to do something about it."

At this point in time I thought this is gonna be easy, you know, why would it be hard? It's open Wi-Fi, right? Anyway, it turns out encryption is a thing. Obviously I already knew this, but it can be done at lots of different places, and these days there's not that much in terms of plaintext creds going around the world; it's usually encoded in something, encrypted somewhere. And so that sort of proved very quickly to me that I needed to do something a bit different. So the idea was to go from this normal transaction to a little bit more like this, and I already had a bit of a plan based on some other work that I've seen and I know is quite prevalent out there in the world. And essentially I do stuff down at the bottom with this; this pink bit here is where me as the attacker, I can do stuff as the man in the middle.

So what I actually did: I took a Wi-Fi Pineapple and I set up a wireless network, and I thought I was pretty obvious with the name that I used, you know, "don't touch it", but people did anyway, why not? And so this is what it actually looked like: I had a 4G modem, my Wi-Fi Pineapple, a battery. I wanted to prove to my client that it was portable, you could do it anywhere and it was nice and easy. Anyway, so I decided on writing my tool. So I had an idea of what I wanted to do with it all, and so I took somebody else's code, frankly, because it was easy, it worked, and then I added stuff to it. And I went through this process over quite a long time of, you know, building a bit, and it worked a bit, and then I would come up with a bug later and I'd tear my hair out, and leave it, coming back to it later, you know, a good software development lifecycle, obviously.

But this is what it fundamentally does. It is a transparent proxy sat on top of the SMB capture stack from Responder, and what it does, the bit that's important, is it injects an image tag in there in HTML, because then, you know, I couldn't get plaintext creds, so what I was going to do instead is the next best thing and get NetNTLM hashes so that I can do cracking against those. I call the attack "Evil Twin Authentication Capture", because, you know. So Windows auth: one of the things that you can do with Windows auth is basically use things like Internet Explorer to do authentication attempts against resources that you've got in your control. I was convinced that it was really important for me to make sure that this was done against as stock Windows as possible, because I've seen lots of presentations of a similar nature where you kind of tweak things and move stuff around and make it really weak and then it works, but I wanted this to be something more real than that. So I didn't even install anything, so no Firefox or anything along those lines. The only change I made to my victim machines, which you'll see in a bit, is I added them to an Active Directory domain.

And so, to clarify, what I'm trying to do is get Internet Explorer to authenticate against something, and the way that by stock it can do that is, if on the left hand side there you can see it says "automatic logon only in Intranet zone". So if it thinks that it's part of the intranet it will do it, and the intranet is defined by this one on the right hand side, which is essentially all sites that are explicitly listed as your intranet in your intranet zone, all sites that bypass the proxy server, and anything that is a UNC path, better known as the dot rule, which essentially means you can only do this against host names. You can't do it against IP addresses or fully qualified domain names, because, well, they have a dot in them, they're obviously not part of your intranet, and so on. So I realised very quickly I needed a DNS server that was under my control as well.

Oh sorry, go back one. This is what my attack structure ended up being. So first of all, on the left you've got the victim joins the evil twin wireless network, asks for a DHCP lease and it gets one from the attacker's server, and then this bit here, we've got two transactions really, one... both of them go through the web proxy, but one's the request and one's the response. Now, on the way out I do my best to, not exactly downgrade auth, but kind of weaken the request a little bit, so deal with certain headers that are in the HTTP transaction and a few other bits and pieces. Not so much like SSL stripping, I wasn't interested in that; I was trying to just make it easy, frankly, for me. On the return path I then do lots of things, but one of them is inject that image tag that I showed you earlier. And then obviously the next bit is the victim machine needs to know where to send the next request, so it has to do a DNS lookup, so it gets that, and then herein is where the SMB stack stuff from Responder kicks in. So it asks for a resource, it's told "no, you need to authenticate first", and then it authenticates, and that's where the resource... and maybe get something back.

So that sounds like it should be brilliant, right? It kind of works. I'll explain why. First of all, HTTP is a pain, frankly. There's quite a lot of variants in there. So the Wi-Fi Pineapple doesn't have a lot of power to it, so one of the things I had to do was not go into just using other people's libraries and click, click, click, done. I had to write most of this myself. And then there were status codes that kept coming up with problems I had no idea about, I'd never seen before, like 416, which is Range Not Satisfiable, or... what does that mean? And then working through the different types of headers that I spotted which were causing me problems, and then normal error handling, because, you know, sometimes people don't finish a connection, it just dies for whatever reason, they escape it. And then obviously there's differences between transparent proxies and declared proxies. Sometimes, one of the things that I hadn't realised before, is that transparent proxies don't get explicitly told what port to actually go and make the request on, because it's part of the original transaction, so if you're doing iptables manipulations you lose some of that information. It's easy to kind of guess it, but you have to code it all in.

And then my favourite bit was the chunking. So HTTP 1.0 and 1.1 work in a little bit of a different way, and although they are a bit interchangeable, one of the most difficult parts of this was dealing with chunked transfer encoding, CTE, because essentially, if you think about it, you get a chunk of information and then the next chunk and the next chunk and the next chunk, and that's fine, but you have to work out what the schema is. And there seem to be two main types: there's one which is marked, right, which is on the left hand side at the bottom here, and it says how big the next chunk is, and then there's ones that don't have any markers at all. But either way, if you think about it, I'm trying to inject an HTML tag; you have to be quite careful where that goes, otherwise you end up with half of it in one chunk and half in the next chunk, or you save it all up in your transparent proxy, manipulate the whole thing and then spit it out. That then gives you a massive delay, which, you know, might make users suspicious.

Anyway, so the success I had was the fact that a standalone Windows 7 machine gave me NetNTLM creds, no problem whatsoever, every single time, it was happy. The moment I joined it to an Active Directory domain, things started going a bit pear-shaped. What happens is you have the SMB connection up here, and almost straight away it tries to work out where the Kerberos KDC is at the FQDN of its domain that it knows about, and when it doesn't get a response back, "no such name", it just literally sends an RST, end of connection, game over. There's lots of ways that I think I could maybe develop this further. Bluntly putting it, I ran out of time for my Master's thesis, so I had to submit, and it was fine, but I think you might well be able to develop this further so that you could impersonate the KDC perhaps; depends on exactly what it's looking for to prove that it is within the network that it thinks it's in.

So, in summary: my tool is on GitHub. I definitely think I could develop it further, and I really would like to, but, you know, time needs to happen. If you guys want to do it, please do. Essentially, AD-joined network machines: not going to happen at this point in time. But anything else, anything loose, you're onto a winner. So, do I have any questions?
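As an added illustration, not part of the talk or of the speaker's tool, here is a small defender-side check in Python that applies the "dot rule" the talk describes: it parses an HTTP response body and flags <img> tags whose source host is a bare, dotless name (UNC, file:// or http://), i.e. the kind of tag that stock Internet Explorer would place in the Intranet zone and authenticate to automatically. The function names and the SAMPLE_HTML body are constructed for this example; a proxy or IDS reviewing response bodies could run the same check.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample response body (not from the talk): a normal CDN image,
# a UNC-path image and a bare-hostname image.
SAMPLE_HTML = ('<html><body><img src="https://cdn.example.com/logo.png">'
               '<img src="\\\\fileshare\\pics\\logo.png">'
               '<img src="http://intra/pixel.gif"></body></html>')

def is_dotless_host(host):
    """Dot rule: a bare name (no dot, not an IP literal) counts as Intranet
    zone, where stock IE auto-sends Windows credentials."""
    host = host.strip("[]").lower()
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literal: never Intranet under the dot rule
    except ValueError:
        return "." not in host

def image_source_host(src):
    """Host an <img src> points at, for UNC (\\\\host\\share), file:// and
    http(s):// forms; None for data: URIs and relative paths."""
    src = src.strip()
    if src.startswith(("\\\\", "//")):
        head = re.split(r"[\\/]+", src.lstrip("\\/"), maxsplit=1)
        return head[0] or None
    parts = urlsplit(src)
    return parts.hostname if parts.scheme in ("http", "https", "file") else None

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

def suspicious_img_sources(html):
    """img src values whose host is dotless: the tags that would make a stock
    IE authenticate automatically (e.g. the injected tag in the talk)."""
    collector = _ImgCollector()
    collector.feed(html)
    return [s for s in collector.srcs
            if (h := image_source_host(s)) is not None and is_dotless_host(h)]
```

IP-literal hosts are deliberately not flagged, matching the talk's point that the browser only auto-authenticates to plain host names.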