holland safenet livehack hid usb pineapple_cain_oph_with_video


Upload: robbuddingh

Post on 09-Jun-2015


DESCRIPTION

Life Hacking presentation Roy Gray, Safenet

TRANSCRIPT

Page 1: Holland safenet livehack hid usb pineapple_cain_oph_with_video


New World – New Security

BYOD…. & some cool h@ck1ng gadgets / tools….

Roy Gray

CISSP-CCIE-CCNA-CEH-CHFI

[email protected]

© SafeNet Confidential and Proprietary

Page 2: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Who We Are

Trusted to protect the world’s most sensitive data for the world’s most trusted brands.

We protect the most money that moves in the world, $1 trillion daily.

We protect the most digital identities in the world.

We protect the most classified information in the world.

FOUNDED: 1983

REVENUE: ~500m

EMPLOYEES: +1,500 in 25 countries

OWNERSHIP: Private

GLOBAL FOOTPRINT: +25,000 customers in 100 countries

ACCREDITED: Products certified to the highest security standard

Page 3: Holland safenet livehack hid usb pineapple_cain_oph_with_video

- Disclaimer
- Local Laws
- USB HID Device
- Cool Wi-Fi story
- Wi-Fi MITM Experiment…. Want to take part?
- Example “cracking” sites
- Cain & Abel ARP MITMA
- Cain & Abel Brute Force
- Cain & Abel R$A Calculator
- OPH Rainbow tables

Page 4: Holland safenet livehack hid usb pineapple_cain_oph_with_video

Legal Disclaimer

Hacking without permission may result in a prison sentence – do not try any of these techniques at home

*See Hacking Laws from CEH*

Do send me a postcard though and tell me which one you used!


Page 7: Holland safenet livehack hid usb pineapple_cain_oph_with_video


USB HID- Scripting 101


As Storage

As Keyboard

Page 8: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Script Encode Payload

usb-hid-rickroll.mp4

USB HID- Keyboard Scripting For Fun

Page 9: Holland safenet livehack hid usb pineapple_cain_oph_with_video


USB HID- Keyboard Scripting Not For Fun

Script Encode Payload

Page 10: Holland safenet livehack hid usb pineapple_cain_oph_with_video


usb-hid-rev-shell.mp4

USB HID- Keyboard Scripting Not For Fun

Page 11: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Imagine you are Chuck, a Wi-Fi penetration tester at ACME Corp., sitting at the cafeteria. Busy office workers who BYOD are eating, socializing and using the Internet from their laptops, smartphones and tablets.

Alice is sitting across from you pulling a tablet from her purse. She intends to connect to the wireless, and surf during lunch. The tablet, waking up, transmits Wi-Fi probe requests looking for preferred networks.

Page 12: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Since Alice has connected to ACME Corp. wireless from her tablet in the past, it remembers the network name (SSID) and looks for it periodically in this fashion. If the network is within range, it will receive a probe response to its probe request.

The probe response provides Alice’s tablet with the necessary information it needs to associate with the ACME Corp. network. Since this process happens automatically for every network Alice frequently connects to, both on her tablet and laptop, she isn’t inconvenienced by choice when getting online at the office, home, cafes or even airplanes!

Probe responses

Probe requests

Page 13: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Chuck (that’s you!) has a Wi-Fi pen testing device in his bag. The device is constantly listening for probe requests. When it hears the probe request for the ACME Corp. network from Alice’s tablet, it responds with an appropriately crafted probe response. This informs Alice’s tablet that the device is in fact the ACME Corp. wireless network. Of course this is a lie that Alice’s tablet will believe. This simple yet effective lie is responsible for the device’s code name “Jasager” – German for “The Yes Sayer” or “The Yes Man”.
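A defender can spot the "yes man" behaviour described above because one radio answers for every network name it hears. The following is an added example, not part of the original slides: it assumes a wireless sensor has already parsed management frames into tuples, and the sample frames, AP inventory and canary SSID are all constructed.

```python
from collections import defaultdict

# Constructed sample of parsed 802.11 management frames as
# (frame_type, transmitter MAC, SSID); not data from a real capture.
SAMPLE_FRAMES = [
    ("probe_req",  "aa:aa:aa:00:00:01", "ACME Corp"),
    ("probe_resp", "02:00:00:00:00:99", "ACME Corp"),
    ("probe_req",  "aa:aa:aa:00:00:01", "HomeNet"),
    ("probe_resp", "02:00:00:00:00:99", "HomeNet"),
    ("probe_req",  "aa:aa:aa:00:00:0f", "canary-7f3a91"),  # sensor's own probe
    ("probe_resp", "02:00:00:00:00:99", "canary-7f3a91"),
    ("probe_resp", "00:11:22:33:44:55", "ACME Corp"),      # legitimate AP
]
KNOWN_APS = {"ACME Corp": {"00:11:22:33:44:55"}}  # assumed AP inventory
CANARIES = {"canary-7f3a91"}  # SSIDs that exist nowhere; only the sensor asks


def find_yes_sayers(frames, known_aps, canaries, max_ssids=2):
    """Return {bssid: [reasons]} for radios that behave like a "yes man"."""
    answered = defaultdict(set)
    for frame_type, mac, ssid in frames:
        if frame_type == "probe_resp" and ssid:
            answered[mac.lower()].add(ssid)

    findings = {}
    for bssid, ssids in answered.items():
        reasons = []
        # A real AP serves a small fixed set of SSIDs; a yes-sayer echoes
        # whatever name each client happens to ask for.
        if len(ssids) > max_ssids:
            reasons.append(f"answered for {len(ssids)} different SSIDs")
        # Nobody legitimately serves a random name the sensor just made up.
        if ssids & canaries:
            reasons.append("answered a canary SSID")
        # The corporate SSID must only come from inventoried BSSIDs.
        for ssid in sorted(ssids & known_aps.keys()):
            if bssid not in known_aps[ssid]:
                reasons.append(f"unlisted BSSID for managed SSID {ssid!r}")
        if reasons:
            findings[bssid] = reasons
    return findings


if __name__ == "__main__":
    for bssid, why in find_yes_sayers(SAMPLE_FRAMES, KNOWN_APS, CANARIES).items():
        print(bssid, "->", "; ".join(why))
```

On the client side, the matching mitigation is to remove remembered open networks and disable auto-join, so the tablet stops asking for them by name.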

Page 14: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Once Alice’s tablet receives the probe response from Chuck’s device they begin the process of associating, and within moments her tablet has obtained an IP address from the Pen test device’s DHCP server. The Pen test device’s DHCP server provides Alice’s tablet with not only an IP address, but also the DNS and routing information necessary to get her online. Chuck has the Pen test device “dialled-up” to the internet via a pre-configured USB Modem. The default gateway used by Alice’s tablet will be the IP of the Pen test device.

Probe responses

Probe requests

Page 15: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Now that Chuck’s internet-enabled device has made friends with Alice’s tablet, she is free to browse the web and Chuck is free to eavesdrop and even change the web she sees.

Using man in the middle tools, Chuck is able to watch what web sites Alice visits (url snarf).

Since Chuck is particularly mischievous, he prefers to change what servers Alice connects to when looking up a website (dns spoof) – thus replacing would-be kitten videos with ones of puppies. Oh the horrors!...

Page 16: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Chuck is even capable of saving Alice’s browsing sessions to disk for later analysis (tcpdump), intercepting secure communications (sslstrip), or injecting malicious code onto websites (ettercap-ng). Alternatively, if Chuck chooses not to provide internet access at all, the device will still be an effective wireless auditing tool.

By enabling DNS spoof, Chuck is able to redirect Alice’s browsing session from legitimate websites to the device’s built-in web server, which may host a number of phishing sites, password harvesting or malware.

Page 17: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Since Chuck can’t stay at the ACME Corp. cafeteria all day, he considers leaving his device on site. The device is concealed in a case with a battery pack, hidden in plain sight.

Page 18: Holland safenet livehack hid usb pineapple_cain_oph_with_video


In this case Chuck is able to remotely manage the device in a few ways. If no internet access is being provided, Chuck must be within range of the device’s wireless network in order to connect to the management SSID. If internet access is provided, Chuck can configure a persistent SSH tunnel. With an SSH or VPN tunnel enabled, internet traffic from clients connected to the device routes through the tunnel endpoint – typically a virtual private server. From this VPS Chuck may also extend the man in the middle attack.

Page 19: Holland safenet livehack hid usb pineapple_cain_oph_with_video

[Diagram labels: www; Probe requests]

Page 20: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Wi-Fi MITM Experiment : mk4 karma, urlsnarf, dns spoof , facebook/twitter phishing

urlsnarf-karma-dns-spoof-fb-phish.mp4

phishing site

Page 21: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Cell phone tracking device….send pic…see gps,txt,calls,email….

cpr-pineapple urlsnarf.mp4

Page 22: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Hacking Gadgets…..who needs them….when..

Page 23: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Hacking Gadgets…..who needs them….when..

Page 24: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Hacking Gadgets…..who needs them….when..

Page 25: Holland safenet livehack hid usb pineapple_cain_oph_with_video


The Weapons – Hands On

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by:

- Sniffing the network
- Cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks
- Recording VoIP conversations
- Decoding scrambled passwords
- Recovering wireless network keys
- Revealing password boxes
- Uncovering cached passwords
- Analyzing routing protocols

….and more.

Page 26: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration testers and everyone else that plans to use it for ethical reasons.

The latest version is faster and contains a lot of new features like APR (Arp Poison Routing), which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms.

The new version also includes routing protocols authentication monitors & routes extractors, dictionary & brute-force crackers for all common hashing algorithms & for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders & some not so common utilities related to network and system security.

The Weapons – Hands On

Page 27: Holland safenet livehack hid usb pineapple_cain_oph_with_video


- Added support for Windows 2008 Terminal Server in APR-RDP sniffer filter.
- Added Abel64.exe and Abel64.dll to support hashes extraction on x64 OS.
- Added x64 operating systems support in NTLM hashes Dumper, MS-CACHE hashes Dumper, LSA Secrets Dumper, Wireless Password Decoder, Credential Manager Password Decoder, DialUp Password Decoder.
- Added Windows Live Mail (Windows 7) Password Decoder for POP3, IMAP, NNTP, SMTP and LDAP accounts.
- Fixed a bug of RSA SecurID Calculator within XML import function.
- Fixed a bug in all APR-SSL based sniffer filters to avoid 100% CPU utilization while forwarding data.
- Executables rebuilt with Visual Studio 2008.

**Be very aware of versions with screenscrape / backdoors, not downloaded from the correct source.

The Weapons – Hands On

Page 28: Holland safenet livehack hid usb pineapple_cain_oph_with_video


ARP Poison Select interface - Scan for hosts - Poison ARP Table - Look for PW’s

Brute Force

R$A Calculator…and more

Let’s take it for a “Test Drive”

Industry Example:

This Can Be Beat!

cain-apr-owa.mp4

cain brute force.mov

RSA.mov

The Weapons – Hands On

Page 29: Holland safenet livehack hid usb pineapple_cain_oph_with_video


Ophcrack is an open source (GPL licensed) program that cracks Windows passwords by using LM hashes through rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows. It is claimed that these tables can crack 99.9% of alphanumeric passwords of up to 14 characters, usually in a few minutes.

A rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function, often a cryptographic hash function. A common application is to make attacks against hashed passwords feasible.
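Because the attack above depends on LM hashes being stored at all, a useful audit is to list the accounts that still carry one. This is an added example, not part of the original slides: it assumes an authorised export in the common pwdump layout, and every non-empty hash value in the sample is a constructed hex string.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_HALF = EMPTY_LM[:16]                     # LM value of an empty 7-char half
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample in pwdump layout (user:rid:LM:NT:::). The non-empty
# values are made-up hex strings, not hashes of real passwords.
SAMPLE_DUMP = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:1111111111111111aad3b435b51404ee:fedcba9876543210fedcba9876543210:::
carol:1003:22222222222222223333333333333333:00112233445566778899aabbccddeeff:::
dave:1004:NO PASSWORD*********************:ffeeddccbbaa99887766554433221100:::
this line is not a pwdump record
"""


def audit_lm(dump_text):
    """Return (findings, skipped): accounts still carrying an LM hash."""
    findings, skipped = [], 0
    for line in dump_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not HEX32.match(fields[3]):
            skipped += 1          # malformed record: count it, never guess
            continue
        user, lm = fields[0], fields[2].lower()
        # Text placeholders and the empty-password constant both mean that
        # no usable LM hash is stored for the account.
        if not HEX32.match(lm) or lm == EMPTY_LM:
            continue
        if lm[16:] == EMPTY_HALF:
            # LM hashes each 7-character half separately, so an empty second
            # half reveals a password of at most 7 characters.
            findings.append((user, "LM stored; password is 7 characters or fewer"))
        else:
            findings.append((user, "LM stored"))
    return findings, skipped


if __name__ == "__main__":
    found, skipped = audit_lm(SAMPLE_DUMP)
    for user, status in found:
        print(f"{user}: {status}")
    print(f"{skipped} malformed line(s) skipped")
```

Accounts it reports keep their LM hash until the password is changed after the "Do not store LAN Manager hash value on next password change" policy is enabled.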

The Weapons – Hands On

Page 30: Holland safenet livehack hid usb pineapple_cain_oph_with_video

XP Rainbow Tables Example:

The Weapons – Hands On

Page 31: Holland safenet livehack hid usb pineapple_cain_oph_with_video

Vista / Win 7 Rainbow Tables Example:

The Weapons – Hands On

Page 32: Holland safenet livehack hid usb pineapple_cain_oph_with_video

Example using an XP VM

Length = 14

Predefined Charset: Base64 = Decimal + Lowercase + Uppercase + Special Characters

< 4min

CRACKED!

The Weapons – Hands On

Page 33: Holland safenet livehack hid usb pineapple_cain_oph_with_video

Let’s take it for a “Test Drive”

In Under 4min

ophcrack.mov

The Weapons – Hands On

Page 34: Holland safenet livehack hid usb pineapple_cain_oph_with_video


CAIN vs OPHCRACK

The Weapons – Hands On

Page 35: Holland safenet livehack hid usb pineapple_cain_oph_with_video


CAIN vs OPHCRACK

The Weapons – Hands On
