Whitepaper: The Black Art Of Wireless Post-Exploitation – Bypassing Port-Based Access Controls Using Indirect Wireless Pivots

HomeAon’s Cyber Labs → Whitepaper: The Black Art Of Wireless Post-Exploitation – Bypassing Port-Based Access Controls Using Indirect Wireless Pivots
Thursday, August 31, 2017 At 2:36PM

At DEF CON 25 we introduced a novel attack that can be used to bypass port-based access controls in WPA2-EAP networks. We call this technique an Indirect Wireless Pivot. The attack, which affects networks implemented using EAP-PEAP or EAP-TTLS, takes advantage of the fact that port-based access control mechanisms rely on the assumption that the physical layer can be trusted. Just as a NAC cannot effectively protect network endpoints if the attacker has physical access to a switch, a NAC can also be bypassed if the attacker can freely control the physical layer using rogue access point attacks. The fact that this technique is possible invalidates some common assumptions about wireless security. Specifically, it demonstrates that port-based NAC mechanisms do not effectively mitigate the risk presented by weak WPA2-EAP implementations.

While creating the Indirect Wireless Pivot, we also developed a second technique that we call the Hostile Portal Attack. This second technique can be used to perform SMB Relay attacks and harvest Active Directory credentials without direct network access. Both techniques are briefly described below, and in greater detail in the attached PowerPoint slides and whitepaper.

Hostile portal attacks

This is a weaponization of the captive portals typically used to restrict access to open networks in environments such as hotels and coffee shops. Instead of redirecting HTTP traffic to a login page, the hostile portal redirects traffic to a SMB share located on the attacker’s machine. The result is that after the victim is forced to associate with the attacker using a rogue access point attack, any HTTP traffic generated by the victim will cause the victim’s machine to attempt NTLM authentication with the attacker. The attacker also performs an LLMNR/NBT-NS poisoning attack against the victim.
The Hostile Portal attack gets you results that are similar to what you’d expect from LLMNR/NBT-NS poisoning, with some distinct advantages:
  • Stealthy: No direct network access is required
  • Large Area of Effect: Works across multiple subnets – you get everything that is connected to the wireless network
  • Efficient: This is an active attack that forces clients to authenticate with you. The attacker does not have to wait for a network event to occur, as with LLMNR/NBT-NS poisoning.

Indirect wireless pivots

The Indirect Wireless Pivot is a technique for bypassing port-based access control mechanisms using rogue access point attacks. The attacker first uses a rogue AP attack to coerce one or more victims into connecting. A Hostile Portal Attack is then combined with an SMB Relay attack to place a timed payload on the client. The rogue access point is then terminated, allowing the client to reassociate with the target network. After a delay, the payload will execute, causing the client to send a reverse shell back to the attacker’s first interface. Alternatively, this attack can be used to place an implant on the client device.

Powerpoint slides and whitepaper

For an in-depth look at both of these attacks, check out the Power Point slides and whitepaper on the subject.
PowerPoint Slides:
Whitepaper:

 

Author: Gabriel Ryan



Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates. Aon UK Limited is authorised and regulated by the Financial Conduct Authority in respect of insurance distribution services. FP.AGRC.238.JJ The following products or services are not regulated by the Financial Conduct Authority:
• Cyber risk services provided by Aon UK Limited and its affiliates
• Cyber security services provided by Stroz Friedberg Limited and its affiliates.


Copyright 2019 Aon plc. All Rights Reserved.


Copyright 2019 Aon plc. All Rights Reserved.
Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates. Aon UK Limited is authorised and regulated by the Financial Conduct Authority in respect of insurance distribution services. FP.AGRC.238.JJ The following products or services are not regulated by the Financial Conduct Authority:
• Cyber risk services provided by Aon UK Limited and its affiliates
• Cyber security services provided by Stroz Friedberg Limited and its affiliates.