
Your Corporate Networks Are Showing

BSides Greenville · 2020 · 57:30 · 259 views · Published 2020-06
About this talk
Eric Escobar (@ericescobar) and Matt Orme from the @SecureWorks Adversary Group talk WiFi security on the main BSidesGVL track, discussing common security issues seen across their clients today, WiFi hacking war stories and great tips & tricks in the AMA section at the end. Special thanks to @Tiger_Infosec! www.bsidesgreenville.org @BSidesGVL
Transcript (en)

All right, we'll start to get rolling. Eric, are you out there? Can you guys hear me okay? We can. Are you doing really well? Yeah, good. Matt, are you out there as well? I am. Thanks for coming; glad you guys both made it. Matt, one more time, how do you say your last name? Orme. Oh, sure, I didn't want to butcher it. Well, thank you both for coming.

Just real quick for everybody that's on the line: Eric came last year. Both Matt and Eric work with Michael Bryant over at SecureWorks. SecureWorks has been one of our sponsors from day one. We really appreciate all the work that they do, especially you, Michael, in support of not only BSides Greenville but BSides everywhere. He's always the first person to be there for everyone, and that brings a lot of amazing opportunities to a lot of people. Eric came last year when we were at the Clemson International Center for Automotive Research, or ICAR, and ran our Wi-Fi security workshop, which everyone had a blast with and learned a lot from. Eric is definitely by far one of the top Wi-Fi guys in the world, and I really appreciate him taking the time to come share with the group. I think Eric has some number of black badges from DEF CON. How many do you have in your collection? Oh, I have one. Our team has won several, but I only have one personally. I thought it would feel bad to have multiple of those, so one and done.

So again, I really appreciate both of you for coming to share with the group, and with that I will turn it over. Which one of you needs to share your screen? That will be me. Let's see, let me figure out how to do this.

Let's see, it is going to be you. All right, view in full-screen mode. My mission is somewhere... oh, there we go, perfect. I guess it had to be the, what's it called, the presenter. Yeah, I guess I missed it. It was going to be you; questions are going to be you. And yeah, we can see your screen perfectly, so we'll get out of the way. Thank you again, both. Absolutely. Let's see, let's make this screen.

All right, can you guys see that okay in full screen? Perfect, awesome, cool. All right, so like Michael said, my name is Eric Escobar, and man, those are way too kind words; I do not think that highly of myself, but I appreciate that. Matt Orme is also here on the line. He's a good friend of mine. We both work at SecureWorks, we came from Barracuda, and we live not that far away from each other, so we do a lot more than just computer things. Matt, I don't know if you want to introduce yourself.

I'm a principal consultant with the Adversary Group here at SecureWorks. I've been doing this security thing for almost 10 years now. Wireless is fun and it's everywhere.

Absolutely. I'd like to point out that our talk is going to be in the direction of wireless. Wi-Fi always seems to be the redheaded stepchild of a pen test, when in reality wireless is almost everywhere: almost every corporation and government out there has some kind of wireless network, and really that's just an extension of your internal network, but it's out there for everybody to see. So our talk is going to delve into what that looks like, what that means for your company, and some of the things an adversary can look at and see without you even realizing.

So without further ado, let's see if I can click through this. This started out a while ago with my idea of: hey, I have a two-year-old at home and I don't want to travel and do wireless pen testing, so I'm going to try and figure out a better way to have a platform that we can test remotely from, and to have basically a smaller device that's fairly inexpensive that we can keep on a person, so we don't ever have to worry about whether your Wi-Fi is up to date or whether you're

trying to pass your wireless cards through to a VM or anything like that. So this is my very first iteration from a bunch of years ago: basically just a Raspberry Pi with a battery pack and a single 2.4 GHz TP-Link adapter. The whole goal of this was to keep it in my pocket, and then I was able to control it via hotspot and an SSH client, as you can see. Any of you out there who are familiar with airodump, this should be a very familiar screen. This is just what I can see on my phone: I'm screened into an airodump session so I can monitor all the wireless traffic around me just from my phone.

The obvious advantage of that is that if you've ever been on a wireless pen test and you come walking down the hallway and your laptop looks like a porcupine because of all the antennas coming out of it, any adversary, any person trying to do something dastardly, is going to see you coming from a mile away, and they're going to know to turn off whatever they're broadcasting or close out of any screen. You're going to be super obvious. So this device is basically meant to dissuade that, and it's kind of born out of the wireless capture-the-flag, when you're chasing foxes, which are basically just people that have an access point in their pocket, right? So if you're trying to chase them down and they can see you coming, they're going to run away from you. So it's kind of twofold: one for the wireless capture-the-flag, but then also for clients in general it proved to be really useful. Matt, I don't know if you want to add anything to that.

Oh yeah, just generally, if you're walking around, you've got a backpack on, your hands are free, you get your mobile device out, you just kind of blend right in. Like Eric was saying, the

other feature too: when you're not walking with one hand as a laptop tray and the other hand as keyboard navigator, I find my situational awareness is a little better, a little more aware of the environment that I'm in. Doing wireless, when you're trying to man-in-the-middle clients, that awareness is sometimes really your most important tool. Whatever man-in-the-middle framework tools you like using, you don't really need to keep eyes on that 24/7, so the fact that you can just switch back to phone mode and look around, keeping a terminal open on your phone without having to have your laptop out, is just a win all the way around.

Yeah, and the other thing that's really nice about it, that maybe we'll talk about going forward, is that since the Raspberry Pi phones home to our C2, to our pen lab infrastructure, any one of our other consultants at SecureWorks can look at my session. They can hop into that same screen session from their keyboard and mouse with three screens, and they can say go back, look at this, look at that. So that is definitely another powerful piece: you can have basically a remotely operated person that's going to walk around and get your coverage, and somebody else watches. So that's a cool piece of it as well. Keep clicking. So this is Matt's pack; I'll let him tell you about that.

Yeah, so you can see there's a bunch of nefarious-looking stuff on the outside. There's a 9 dBi omni in that right-hand picture, then a panel, an Alfa. The little adapter there is just a regular Alfa 2.4 GHz; they come in those bulbous cases and they're highlighter yellow or whatever, some stupid color. So you'll see in a couple of pictures further into the slides we built this appliance where we stuffed a whole bunch of hardware

into a gun case. One of the things we needed to do was really put a premium on space for that, so you can see that's just a little custom 3D-printed adapter. Oh, slides went forward; never fails. Yeah, just toggle back and forth. So you can see on the left there's gray, on the right there's blue; I have a couple of different USB adapters just stuck to the outside of the backpack. And then can you hop one forward? There you go. And then inside the backpack you can see it's just a couple of Pis, and again 3D-printed, just some cases that hold the 10k battery, which will power both a Pi and two USB NICs for the better part of eight hours.

So I'm literally walking around, right? It's the tactical backpack, which was kind of a stupid move on my part, but I think we were actually doing some big external environment that day. But you can see, instead of having a whole bunch of kit hanging off and antennas and my hands tied up with laptops and radios or whatever, I'm literally just a backpack and a dude dressed relatively corporate, blending into the noise. So it's kind of the same thing: a lot of little incremental improvements to wireless testing basically led us to this place where we can do a bunch of wireless stuff that people just aren't really doing.

And one thing to add to that, so Matt's headset's on for a second: this engagement was us walking through a very heavily crowded theme park for about a week, and no one was any the wiser. They didn't realize that we were catching credentials from a giant Fortune company. They had no idea; we just looked like any other park guest or park attendant with a backpack, maybe slightly better dressed. I may still have had falafel on, but

what it gives you is the ability to just blend in. When people think of a wireless pen test, they think of Pineapples, they think of antennas and all these things, like that guy that's grabbed every year with the craziest thing I've ever seen, I forget what his name is, but yeah. Anyway, the other powerful piece of this is that when we do a wireless pen test, a lot of the time you will just think of internal/external pen tests. Your internal pen test is typically simulating an adversary on your internal network, whether that's from one of your end users clicking on some malicious email or phishing link, whether you have a rogue employee that wants to do some harm, or someone breaches your physical security and implants a device. Those are the things an internal pen test simulates. An external pen test, everybody gets what fits into that: it's somebody on the public internet trying to hop on your VPN, trying to pop your Outlook Web Access or Citrix or any other stuff that's on your public-facing internet presence.

But the thing that many people don't really even think about or really care about is their wireless security and what Wi-Fi networks they're putting out there. Because when you look at it, think of any other building. This is just some stock image of a building, but it's not dissimilar for many of our clients. I could very easily just sit on a park bench and point a directional antenna, or sometimes just have my omni antenna, and pick up the wireless signal, and if I'm able to compromise that or compromise credentials, I'm able to then hop on that network, and I am on your internal network without any real logs or any real, I guess, suspicion that something has happened, right? And going with that, what ends up happening in that scenario is that more often than not on a wireless pen test we are thrown onto an internal network once we've compromised it, and it's very few steps to a normal internal pen test, which typically ends in domain admin pretty quickly. Matt, I don't know if you want to add anything to that.

Oh no, I mean, I think it's worth a reference to the point you made earlier about when we show up to do a wireless pen test: since we have this sort of remote device capability to do

remote wireless, instead of having one consultant in a bubble on site doing this work for you, you really do open the door to the whole stable of our team. So somebody gets on, right: Eric is able to compromise an account, winds up with Active Directory credentials, is accessing some segmented part of the wireless network, finds a web app, pulls in somebody from our team who specializes in web apps, all the time, 24/7, that's what they're doing. So Eric is able to set up a proxy, and you get one of our web app ninjas working on a web app over wireless, and you start to see how this full-spectrum kind of test unfolds. We came in on wireless, wireless was the point in, but you really wind up with a full security exercise of your internal network out of it.

Yeah, exactly. And we'll cover some of the other ways that external pen tests help our internal and wireless and how that works too. Let's see what else we got here. So this is one of the tools that we use; it's called wifiphisher. At the end of the day, a lot of wireless testing is really like most things in computer security: in general, computers are secure; it's the people that are your greatest weakness. So this screen, basically what it does is it's a tool that stands up a rogue access point. If you're not familiar with what a rogue access point is, it's basically just a wireless hotspot, a wireless network that shouldn't be there. The only difference between a rogue access point and a normal access point is that one shouldn't be there and one should; one's trying to do nefarious things, the other one is just giving you access to corporate resources or just internet resources. So when you look at the screen, you see: oh well, I'm just standing up

an access point, and it will try and deauthenticate somebody from the network that they're connected to, the one that you're targeting. In this case, it will just pick them off with the hope that maybe they'll rejoin your wireless. So you can see what happens here is that when we kick them off of their wireless, they then join our wireless network, and when they join our wireless network we serve them up a page that looks like this. If anybody's seen something similar, it says it is the captive portal page, but really we crafted this entire page. When I say we, the application crafted this entire page. So there's no internet connection, and where it's prompting for that network security key, this is actually just an HTML form that somebody's filling out. But it uses the user agent from their device, so if you were to connect to this using an iPhone, it would pop up a Safari captive portal page; if you were to connect from an Android phone, it would pop up whatever that user agent specified. So it's customized automatically on the fly to be able to make the determination of: hey, what are we going to serve them up?

The idea being that an astute computer user may look at this and be like, oh no, this looks kind of scammy, but 95% of other computer users are going to say, oh, I must not have the wireless password typed in correctly, or I must be doing something kind of wonky or weird. So when they hit Next, they're basically just submitting a form with a cleartext password. So you could have a 30-character fully randomized password, passphrase, whatever that may be, and that end user is just being tricked into submitting it to you in cleartext. That's why it's called wifiphisher, because it is a normal phishing exercise, only done in the

wireless realm. And yeah, this is a very similar way to how we get stolen credentials, how we compromise workstations. If you really wanted to, and you were looking for a way to exfil data, to steal large amounts of corporate data, you could exfiltrate it this way. And the other part of this too, which I think is really funny, is that a lot of times end users will use their own hotspots, their own access points, to circumvent the corporate policies. Maybe corporate policy doesn't allow you to watch Netflix on your laptop, but if an end user pulls up their hotspot, then they can use that. That works in our favor a lot of times, because corporate policies might keep us out, but if somebody's doing something actively against them, that's something that we can always exploit as an adversary. Matt, I don't know if you want to add anything to that. Nah. Oh, sweet.

So the next part of that is there's always a ton of information I don't think people realize is out there when wireless is just broadcasting. Typically people are just familiar with wireless access points: they look at their phone and they see what's around, and they try to connect to a guest network. Most people are most used to seeing wireless in the form of just what their phone says, but really there's a lot more information that is being beaconed out, being emitted wirelessly, that gives off a lot more data than you would think. So we'll take a quick look at that. If you look, this is that screen that we were looking at before. The tool called airodump, airodump-ng, basically just shows in a nice way, and this may not look nice to you if you're

not used to looking at it, but compared to looking at raw packets in Wireshark, this is a really great representation of all the wireless networks that are out there. If you look in the left-hand column, there's a column called BSSID; that's a MAC address, which you can think of as a serial number for a wireless hardware device, and that typically doesn't change. If you look on the far right-hand side, there's something called ESSID; that's your network name, that's what you normally see on your phone. Why that matters is that you can see all this information is just publicly available. It's not encrypted. Any end user, any person that's just sniffing Wi-Fi can see all this information, password or not.

What you can see here is that this hardware device is connected to this access point, and why that matters is because every manufacturer of hardware registers what their subset of the serial number looks like. You can take a look at that; remember, I'm really just using a dumbed-down version of what a MAC address is, but you can see that this device is actually a Nest device. So without knowing anything about this network, I know that, hey, maybe this is an IoT network because it has a Nest device on it, or maybe a Nest device is allowed on their corporate network, whatever that may be. This gives you insight as an attacker that you didn't need to exploit anything to get; you didn't need to transmit a single packet to see this. It gives you basically a wealth of information: hey, is this a predominantly Apple shop, do they have a bunch of iPhones on this network, or do they have a bunch of Intel chips, maybe their corporate laptops, on this network? So without sending anything, you can divine some information, which is pretty

darn cool. And then the other part of that too is that you can also use this to track users, because with wireless and with Wi-Fi you can look at signal strength. If you have a couple of points, you can know; everybody's used to looking at their phone and seeing signal bars for Wi-Fi or LTE. So you can tell, hey, how close am I to this user, to this device? And why that matters is that you can track a device or a user or an access point even if it's moving around. You can even do this through tools like blue sonar, which basically does the same exact thing but for Bluetooth. When you think of the ability to track a Bluetooth device, it becomes a little scary when I can say, hey, I'm going to look for Eric's left AirPod and I'm just going to follow it. If you have a high-gain antenna, or just anything, you can track a single user and correlate their devices and where they're going. Again, all this information is publicly available; it's just one of those things you have to look under the hood to see.

And yes, so the best part about wireless is that, for at least some of our clients, an eight-character password is the only thing you need to breach their security. And this is the first iteration of our wireless testing appliance, that Matt so graciously made a much better version of, which I think I have here. So that's kind of how that works. Matt, if you want to talk about your design here.

Sure. So Eric, go back to those first slides, is a little more enthusiastic than I am. Yeah, yeah. So you could see the ammo can down there, right? So Eric frequently has really great ideas, but he has so many ideas; easily half of them are crap right out of the gate, half of them are

terrible ideas, the other half, maybe half of those are amazing, and the other half would be amazing but they're too much work. So when he and I are working together on stuff, the roles we play: he comes as sort of the divinely inspired one and I'm like, dude, that's a terrible idea, get off my lawn. He showed up at my house one day with that green ammo can and it is stuffed with packing peanuts and Raspberry Pis. It smells a little bit like electrical fire, there's holes cut in it in places and magnets. He's like, hey dude, I figured out how to do wireless remotely, we could just use an LTE modem and put it in this ammo can and ship it. So he came over to my house, I have a two-story house, we went up on my balcony on the top story and threw it off to simulate what happens with FedEx when we ship one, and not surprisingly it broke open and emptied its contents all over my driveway, which was hilarious because it made Eric make the saddest face you've ever seen. But he had come over here, demonstrated that it was viable, it worked when he got here, until I went full jerk mode and tossed it off the patio. Everything in it was fine, and then it didn't work anymore.

So we took basically Eric's Radio Shack build and put it into a nice little gun case. We removed all of the off-the-shelf components that Eric had used to glue things together and 3D-printed an internal chassis, internal casing, and components for everything, so that we could actually expect the device to continue to work when we had to ship it to Canada or wherever it was going. So we had substantial gains in stability with the devices by going this route. At this point we're on, I think, the third iteration, where we've replaced the Pis with NUCs, which allows us to do

some cool SDR stuff. So we can throw a USRP radio in there; basically if you want to do low frequency, if you want to do 900 MHz, we have a platform to cobble together that will work with just about any wireless technology that you're employing.

And for those of you that are interested in how it structurally works: in this one I just threw the NUC in there, so the NUC basically communicates out via LTE back to our C2, to our pen lab, and I also keep a Pi in it, mostly because I just love Pis and it's one of those things where I feel a little nostalgic and feel like I need to put one in just about everything. But what is nice about having a Pi that you communicate with only over serial is that after you've compromised the network you can just join it directly to that network, and so there's no other network that it's touching that's going to mess anything up. You don't have to worry about any routing or anything like that. So having that extra Pi in there definitely helps out. And like Matt said, if you want to, we have one of these devices, actually multiple of these boxes now, that have B210s in there, which are a super powerful software-defined radio platform. We can throw in an Ubertooth, no problem, if we're going to do some Bluetooth testing, or if we're going to do some Apple BLE-style attack; or an RTL stick if we just want to do some simple SDR stuff. And then the other one that I have is another software-defined radio that can basically MouseJack, so if you have an older-style wireless mouse and keyboard, you can remotely send keystrokes to it because the encryption is broken on that. So it is one of those things

that is more of a platform, and more importantly, it can be used as a device that we mail to a client so we do a pen test remotely, or it's a device that we can take with us and add to our pen testing repertoire when we're doing some kind of red team on site.

Yeah, so these are Matt's fancy pictures. Again, I really should have included it: everything that was in the backpack from those earlier slides fits in one tiny pistol case. And the other funny part, maybe if we ever give this talk again, I'll throw up some pictures of what my original iteration was, because I went to Jo-Ann's fabric and got the foam that you use to reupholster a chair, and it was layers of that and Raspberry Pis in there. I think I looked over and was like, do you think this will catch on fire, is it flammable? And he's just like, if you have to ask that question, we need to change this. So there's a very certain lack of packing peanuts and foam in here. And Matt, if you want to talk about EAPHammer and what that is.

Yeah, so this talk is sort of weird; it's sort of a general wireless talk, but it's really two parts. It's half the part we've done, which is like, hey, wireless, here's some stuff about it that you might not have thought of, and the other half of this is trying to drive some change in the way that offensive security consulting services work. Forever, wireless has been that under-your-breath, oh yeah, whatever, it's just a wireless network, right? And before we started plumbing wireless up to SCADA, that was a reasonable assumption to operate on. It's not anymore.

We routinely take a quote-unquote wireless assessment to control of SCADA, or to compromise of all forest-trusted domains. It's interesting because clients generally are not used to that kind of focused attack on their wireless network. They're used to somebody coming in with the cart and doing heat maps and auditing for WEP, stuff that was cutting edge a decade ago maybe. I haven't seen WEP in a long time. But the idea is that your wireless really is just an extension of your internal networks without any physical access control. Almost every place I go, you can get any of their wireless networks from the parking lot. We work with relatively large organizations, so I know if it's affecting them, it's affecting smaller places too. But basically what you have is an internal network; it's like if you put an Ethernet jack in the alley behind your building. And we see this so much: out of a sample of ten wireless assessments that we'll do, and our team of four or five guys does the majority of our wireless, probably somewhere between seven and nine of them will end in a complete compromise of the entire organization from wireless. And it's low-hanging fruit now, because this is sort of a new model. We're not there to do an assessment, we're there to show you what could happen.

And the tools that support wireless have gotten to the point where they're just amazing. EAPHammer is a great example. EAPHammer is basically a wireless framework that will do all of your man-in-the-middle, deauthentication of in-range clients, karma basically: you can supply an SSID name and it will stand up a rogue AP for you, you can provide a MAC address, and when your target client is disconnected from their current session, your access point goes up matching not only the wireless network name but also the BSSID, the MAC address of the access point. So you have a perfect spoof. All that needs to happen is for that client to initiate

authentication with you, and if that wireless network is not doing both client- and server-side certificate validation, I will almost certainly get hashed creds, and I'll most likely get plaintext creds if that's somebody with a BYOD phone or something that supports a GTC downgrade, so I don't even have to crack a hash at that point. And this tool, if you are comfortable with some basic fundamentals of wireless and navigating the Linux command line, might take you an hour to become proficient enough at using to execute relatively sophisticated attacks. I think you have this perfect storm where the tools have gotten really good and nobody is paying attention to wireless. That's the other interesting part. Last year I probably did thirty-five wireless assessments, probably thirty, let's say. In my time at SecureWorks I've probably done 50 or 60. I have never seen a log from a point of contact at a client with any detection of anything I've ever done on their wireless network. I have gone to look at logs after a test and found that there were a ton of wireless notifications for rogue APs that I was standing up, but the wireless network's not important, so those just go straight to nowhere, right? They're not logged or aggregated. So the rest of this talk really is about shifting that paradigm from wireless being this thing that we don't really need to worry about to wireless being this thing that we really should pay attention to. I'll kick it back to you.

You hear me okay? I got bounced off for a second. Yeah, I hear you. All right, cool. And so you've got the next bit, the SDR, the WRTA.

Yeah. So you can see, I'm going to cover for Eric here for a minute. This is the latest iteration of what we call the wireless remote testing appliance, the WRTA, pretty creative acronym. These ones are a little bigger; they actually have, I think, 40 millimeter fans top and bottom for push-pull. There's a couple of iterations of that. That's actually the one that we use to send out the USRPs, the SDR radios from Ettus, for non-traditional, non-2.4/5 GHz wireless testing. We also have a box that looks a lot like that, and if you've been to any of the other BSides on the East Coast, you might have seen Michael Bryant lugging one of those around with a whole bunch of Pis in it, doing the wireless traveling CTF that we have set up. Yeah, so what looks like the USRP radios on the right-hand side, they've got a panel on the back, and it's interesting because Eric is driving.

Yeah, there we go, thank you. Okay, yeah, it's momentarily dropping out, but Matt covered it perfectly. This device basically just extends way past Wi-Fi and gets you into the range of pretty much anything that's wireless, right? Like I can open your garage door with this, I can disable your SimpliSafe alarm at home with this. It does a ton of stuff. So this is basically just to show that wireless is anywhere that there's not wires, and to think that Wi-Fi is just a niche test, or a wireless pen test is just a niche test that only super big organizations need or require, is kind of the opposite. Everything that doesn't have a wire, which is now everything, is susceptible and vulnerable. You look at all the Bluetooth sharing options that are out there, you look at how you can cast from one device to

another you look how you know you open pretty much anything now if I'm able to hop on that connection whether we know no matter what Wireless means are there you know it's a fun place to be for an adversary and especially two because one of the things that I found is that Wireless is one of those technologies or Wireless in general is just the technology susceptible to being super old because everything have to be backwards compatible everything has to work in general right and so that's where that's where manufacturers get into a bit of a bind of you know like hey if even if there is WPA three out there you know what's going to support

that how long is wpa2 still going to be around I mean look look how long WEP you know still whether I'm like I don't see it very often anymore but you know it's still in some places like I mean I've seen it in the past couple of you know in the past couple of months I've seen you know web on client sites it's not common but and everybody knows that it's broken and yet it's still out there and I can only imagine that WPSU is gonna be the same way so was one of those things that I think the the point that we're trying to drive home is that Wireless is is not a niche test it's not a niche pen

test in fact it should be you know included yeah as a part of like a trifecta of internal/external and wireless because because if I were to ask a client right now hey can you go pull up your wireless logs a lot of times you're just going to blank stare of like what like they may not even be taking logs let alone doing any detection let's see if I can flip the next slide yeah so just I'll do a quick story and then Matt can just obviously just fill in my audio cuts out I just I was on a pen test this last last month he was for it was for some large company right and

what happened is they purchased an internal pen test, an external pen test and a wireless pen test, so kind of the perfect sweet spot that I kind of feel like of covering all their bases. Everything from the wireless looks pretty darn good there. It's a little bit of an interesting time right now because obviously, COVID, there's not a lot of users in the office, and like I was talking about before, you need end-user interaction typically to gain some sort of credentials. But paired with one of our external penetration tests, they did some password spraying against Office 365, and even though the Office 365 instance required multi-factor authentication, we basically said, well, what are the odds that, even though Office 365 requires MFA, I can just reuse those credentials to hop on their wireless network? Sure enough, those users' credentials, even though they had two-factor authentication on Office 365, worked just fine to get me into the wireless network. I'm on their corporate network, and I think it was four hours later that we had compromised their domain, and another four hours later to where we were escalated to administrator on this, you know, on this ideas platform. And it was an interesting place to be as an attacker, and I don't say this as like the "oh my gosh, look at Eric's big bad hacker, look what he can do," but it really gave our clients the ammunition to say, hey, this is what was included in the report. And it turned our clients from saying to their board, hey, we know that this is an issue, somebody could do something, somebody could attack us in this way, somebody could gain access in this way, to saying, hey, somebody did gain access to us in under a week, leveraging all of our technology, and we didn't even see them coming.

And so that's really what I think I'm trying to get at as kind of like the final piece of this, is that wireless is a part of a broader range of pentesting activities, but it is just as dangerous, it is just as lethal, it's not a niche thing. And really, at the end of the day, it's not so that we can say, oh, look at us, look how cool we are; it's so that our clients have an awareness of what a nation-state, what a persistent adversary actually would do. It's not a message where they're going to get a report that just has, you have SSLv3 somewhere; it's, hey, this is how we were able to access the data that keeps you up at night. So anyways, yeah, that's kind of my story. I don't know if Matt wants to throw in a story and elaborate on that one, but I think that illustrates nicely the point of combining different types of pen testing to leverage full domain compromise.

Yeah, you also have another interesting sort of point in there, Eric, and you hinted at it, but I think it's worth saying flat out: if you are partnering with an entity who's doing penetration testing for you, whether it's wireless or internal or external,

if that company is worth working with, their goal is to give you as their client the leverage that you need to effect positive security change on your network, right? If you're not getting that back, you should go find another provider who is actually looking to partner with you to help you make your things more secure. I still run into people doing this kind of work where they're wanting to flex with their technical skills. There was a place and time for that, like before we started seeing some semblance of maturity in the security consulting space; that was a reasonable thing because you had to kind of shock and awe people into, wait a second, these computer things, we've got to watch out for stuff. But at this point, the people that you want breaking into your place are the people whose goal is to provide you the leverage to effect the change that you already know is requisite, right, for your network. Wireless fits into that really well, but that should be the general approach that you're getting from any security vendor, service-based security vendor, that you're working with. You want somebody who is bringing you leverage so that you can get the budget you need to go do the projects that you want to do. It's not really story time, but it is a thing that I hear from our clients frequently. Our team is the SecureWorks adversarial testing group, right, and we get different responses to that. A lot of sort of the ELT, C-suite folk are like, why would we call it adversarial testing? I mean, because of the mindset, right? We think about how somebody would actually attack you. It's not adversarial in that I'm going to be a jerk when we're talking on the phone. So it's not a cool story time, but it is sort of a general approach: if you're not getting actionable information and intel and demonstration of issues on your network from your providers, go find a provider who will give you what you need to tackle the big rocks on your network. There are so many vendors out there; go try a vendor. If your experience at this point has not been what you think it should be, go try something else, whether that's SecureWorks or anybody else out there. It's better than continuing on with somebody who's demonstrated that they're not really interested in providing you with the service that you want, right, which is some help getting leverage to fix stuff.

I feel like this is very much like, hey, you go to the doctor: you should go exercise 30 minutes a day and eat your fruits and vegetables. It's stuff that you know you should be doing, it's stuff that's good for the health of your organization, but it helps to hear it. I feel like it's just one of those things; it helps to hear it again and reinforce it again and again and again. So again, yeah, maybe it's not a super sexy wireless zero-day dropping or anything like that, but at the end of the day, I've never broken into a client with a zero-day. It's always been finding some security control that's not [inaudible] or a person that's not talked to.

Yeah, and they're usually known; they're usually things that client points of contact know are problems, right? We're frequently not finding things that they didn't know. We find unknown unknowns, that happens, that's great, but so frequently we're abusing stuff that they knew we were going to abuse. Like, yeah, just [inaudible]. With that, does anybody have any questions for us?

I don't know if I can change the presenter's view. Yeah, I'm looking in the chat and in Discord as well. I think the one question that comes up is, this is great, especially, I appreciate you guys coming in, and I have a couple of my students from my Greenville Tech class: what's the best way, or any suggestions on how somebody gets started in Wi-Fi security?

I think the first step is to mess around with your home network. If you don't already have it, get a wireless card or wireless adapter that supports something called monitor mode. Basically, if you just live on Amazon, there's an adapter they have for pretty much everything; it's just called a Panda, it's like a PAU09 or PAU06, I think it's a PAU06. But it's basically dual-band, which means it does 5.8 gigahertz and 2.4 gigahertz. It can go into monitor mode on both, which basically just means that you can unlock a little bit more features, and, not talking super technical, it unlocks some features in it that Linux tools can take advantage of. And then the other part of that too is that you get out of it, you can plug it into a laptop. I recommend getting a Raspberry Pi because, shocking, I'd recommend a Raspberry Pi, but it's a cheap, easy little platform; you don't have to mess with your main operating system or do anything to get stuff to work. And really you can take that and look at your own home network. Obviously don't mess with any network that's not yours, and just see, hey, can you recover your own password, by watching a couple YouTube videos, watching a couple talks on how wireless technology works. And I think that's the best place to go, just to see what you can do on your own network. And then, I mean, the beautiful part is everybody has a wireless network typically that is their own, and if you don't, it's cheap and easy to just get like a little access point that you can do your attacks against. So my recommendation is check out that Panda wireless adapter, watch a couple talks, watch a couple videos, and then if you have the opportunity to go to any conferences, I think the ones I can think of are like ShmooCon if you're on the East Coast, BSides Delaware, if you go to [inaudible], basically just look for conferences and see if they have a wireless village, because then you'll be able to talk to people that know stuff and they'll probably have some challenges for you.

Love it. Excellent. Lots of food for thought. A couple other questions. So, what are the common issues you come across in household Wi-Fi, other than us creating a spoof? So other things that we see, like other attacks that we perform, or other just misconfigurations? Yeah, maybe, yeah, I read that word for word, but maybe just common other issues that you see in Wi-Fi in general. Then I'll let you, do you want them?

Yeah, so many things start with a

spoof, right, because ultimately the goal is to get credentialed access. And maybe you're not even spoofing corporate networks; maybe you're watching what those client devices are beaconing for and you see, you know, Matt's Comcast home router, so I make a Comcast home router and get an auto-connect. It's hard to even... so Eric made a comment earlier about everything that is not wired is wireless, and that's a really big statement that kind of broke me at first, because it's so ubiquitous, right, it's everywhere. So to try to think of what other common things... right, as a corporate network pen tester I'm breaking into corporate wireless, I'm spoofing stuff, but, gosh, the thing I always think of is when I travel with my little Roku stick, and I have my little LTE access point that I set up to spoof my home network name so that my Roku stick will auto-connect, right? It's that same exact idea, right? I'm just taking things that I know must exist for this technology to work. There must be a way for it to communicate in some back channel, right, and sort of shining light on that, and almost always some hack falls out. Gosh, that's it. I can't even think of anything that I've done recently that didn't involve spoofing an AP in some way to establish initial access.

I think the other thing too that is a much bigger problem that maybe people don't realize is just the sheer fact of your normal Wi-Fi that you have at home, your pre-shared key. A lot of organizations will have, instead of running an enterprise network where everybody is required to use a username and password to log into Wi-Fi, they just all have a shared password. And that's so damaging, because it only takes one employee to give it to their girlfriend or wife or kid; it only takes one employee to get fired, to where then you're left with, oh, shoot, do we change the wireless password every time that we get a new employee or we fire an employee? There's no way to stop a person from just giving that out to somebody else. There's no certificates, there's nothing, right? And so I think that's another thing that maybe isn't something that we directly leverage in a pen test. We're not typically... I mean, I've talked a couple people into giving me a wireless password, but typically that's not what we do. But with those kind of pre-shared key networks where one key gets you onto that network, anybody can share it, it can be posted in a conference room. And so it's not the super sexy, oh man, look at this way that we broke in, but it's just one of those things that if you run a wireless network, just keep in mind that anybody can hand out that key and you're only as strong as that one key. There's no second-factor authentication or anything like that. Frankly, it's a bit scary when we see networks with just that one key and maybe a very simple key. [inaudible] Certificates are good, right?

Yeah, well, and especially too because you have so many IoT devices out there, right? So many random devices that don't have screens that you need to somehow connect to a wireless network. And so more and more now you're seeing, like, companies will have a guest network and they'll have a corporate network and they'll have an IoT network, and a lot of times their IoT network is the same level of access as their internal corporate network. And so the only thing that changes there is, like, oh, now all of your security cameras and your [inaudible]

bridges and all that stuff don't work, and all it takes is me spoofing that to now have the same level of access. So it's just one of those things.

You like network access controls, right, like on the internal network, but all you have to do is start looking at wireless or things on IoT, because they got stuck on PSK probably because they don't support certificate auth. So you spoof the MAC of one of those, connect to IoT, and you just bypassed network access control because you don't need to be physically connected.

Yeah, that's a good point, I didn't even think about that, where you don't have that capability on the IoT devices, right. And where that is really, really, really scary is, we've done a bunch of tests for hospitals, right, when all of a sudden you're [inaudible], when all of a sudden you're on some controller for some life-saving device, or you see the medical devices come up and you're just like, no, no, no, no, stop. [inaudible] I don't want to start messing with a device if there's an active surgery, right? Like those are the things... it's a bummer if somebody takes your Nest thermostat off and your house gets a little warmer, yeah, that's a bummer, but, you know, [inaudible], yeah. When all of a sudden somebody [inaudible] your blood sugar via Wi-Fi, that's a problem. And so it is one of those things that, again, it's not something immediately thought of or super sexy, but somebody with a shared password for all of the medical devices that all meet this one criteria in a hospital, if they all have their own network, if somebody hops on that network, a lot of times, especially with critical, I would consider that to be critical infrastructure, they're given a wide berth as far as security goes. They're given more access than they probably need, because nobody wants to be the guy that stopped some life-saving device from working because they put a guy in a coma by updating the firmware. They don't want to restrict that. And so because of that, if you can hop on that network, you can basically take advantage of that wide hallway. You used to go through there, and now all of a sudden, oh, that was the way that a user got in, and it doesn't even really have to do with whatever the device is, it's just that is a method that an attacker would use that's typically not seen, right? So maybe that's not at the heart of the question, but it is one thing I think is just interesting to keep in mind.

Oh, definitely. No, I appreciate the additional insights. Yeah, lots to think about there. [inaudible] Let's see, it's about 12:11, so we're going to be on lunch break until 12:45. Eric, Matt, thank you again very, very much for coming in and sharing with everybody; we really appreciate it. For those listening in, Eric is going to be on the pen test panel, the [inaudible] firing squad, at 2:45 in this track as well, so you get a return of Eric later this afternoon. So, yeah, we'll be on a break until 12:45. Eric and Matt, thanks again, and there actually are a couple more questions in the Discord channel if you guys have a chance to jump in there; I'm sure the folks would love the opportunity to chat with you guys, and we'll see you guys after lunch. Thanks again. Sounds good.