holland safenet livehack hid usb pineapple_cain_oph_with_video
DESCRIPTION
Life Hacking presentation Roy Gray, SafenetTRANSCRIPT
Insert Your Name
Insert Your Title
Insert Date
New World – New Security
BYOD…. & some cool h@ck1ng gadgets / tools….
Roy Gray
CISSP-CCIE-CCNA-CEH-CHFI
© SafeNet Confidential and Proprietary
© SafeNet Confidential and Proprietary 2
Who We Are
Trusted to protect the world’s most sensitive data for the world’s most trusted brands.
We protect the most money that moves in the world, $1 trillion daily.
We protect the most digital identities in the world.
We protect the most classified information in the world.
FOUNDED
1983
REVENUE
~500m
EMPLOYEES
+1,500In 25 countries
OWENERSHIP
Private
GLOBAL FOOTPRINT
+25,000Customers in100 countries
ACCREDITED
Products certifiedto the highest security standard
3© SafeNet Confidential and Proprietary12
-Disclaimer-Local Laws-USB HID Device-Cool Wi-Fi story-Wi-Fi MITM Experiment….Want to take part? -Example “cracking” sites-Cain & Able ARP MITMA-Cain & Able Brute Force-Cain & Able R$A Calculator-OPH Rainbow tables
4© SafeNet Confidential and Proprietary12
Legal Disclaimer
Hacking without permission may result in a prison sentence – do not try any of
these techniques at home
*See Hacking Law’s from CEH*
Do send me a postcard though and tell me which one
you used!
5© SafeNet Confidential and Proprietary
6© SafeNet Confidential and Proprietary
+
© SafeNet Confidential and Proprietary
USB HID- Scripting 101
7
As Storage
As Keyboard
© SafeNet Confidential and Proprietary 8
Script Encode Payload
usb-hid-rickroll.mp4
USB HID- Keyboard Scripting For Fun
© SafeNet Confidential and Proprietary 9
USB HID- Keyboard Scripting Not For Fun
Script Encode Payload
© SafeNet Confidential and Proprietary 10
usb-hid-rev-shell.mp4
USB HID- Keyboard Scripting Not For Fun
11© SafeNet Confidential and Proprietary
Imagine you are Chuck, a Wi-Fi penetration tester at ACME Corp., sitting at the cafeteria. Busy office workers that BYOD, are eating, socializing and using the Internet from their laptops, smartphones and tablets.
Alice is sitting across from you pulling a tablet from her purse.She intends to connect to the wireless, and surf during lunch. The tablet, waking up, transmits Wi-Fi probe requests looking for preferred networks.
12© SafeNet Confidential and Proprietary
Since Alice has connected to ACME Corp. wireless from her tabletin the past it remembers the network name (SSID) and looksfor it periodically in this fashion. If the network iswithin range it will receive a probe response to its probe request.
The probe responses provides Alice’s tablet withthe necessary information it needs to associate with ACME Corp.network. Since this process happens automatically for every network Alice frequently connects to, both on her tablet and laptop she isn’t inconvenienced by choice when getting online at the office, home, cafes or even airplanes!
Probe responses
Probe requests
13© SafeNet Confidential and Proprietary
Chuck (that’s you!) has a Wi-Fi Pen testing device in his bag. The device is constantly listening for probes requests. When it hears the probe request for the ACME Corp. network from Alice’s tablet it responds with an appropriately craftedprobe response. This informs Alice’s tablet that the device is in fact the ACME Corp. wireless network. Of course this is a lie that Alice’s tablet will believe. This simple yet effective lie is responsible for the device’s code name “Jasager” –German for “The Yes Sayer” or “The Yes Man”.
14© SafeNet Confidential and Proprietary
Once Alice’s tablet receives the probe response from Chuck’s device they begin the process of associating, and within moments her tablet has obtained an IP address this the Pen test device’s DHCP server. The Pen test device’s DHCP server provides Alice’s tablet with not only an IP address, but DNS and routing information necessary to get her online. Chuck has the Pen test device “dialled-up” to the internet via a pre -configured USB Modem, the default gateway used by Alice’s tablet will be the IP of the Pen test device.
Probe responses
Probe requests
15© SafeNet Confidential and Proprietary
Now that Chuck’s internet enabled device has made friends with Alice’s tablet she is free to browse the web and Chuck is free to eavesdrop and even change the web she sees.
Using man in the middle tools, Chuck is able to watch what web sites Alice visits (url snarf).
Since Chuck is particularly mischievous he prefers to change what servers Alice connects to when looking up a website (dns spoof)—thus replacing would be kitten videos with ones of puppies. Oh the horrors!...
16© SafeNet Confidential and Proprietary
Chuck is even capable of saving Alice’s browsing sessions to disk for later analysis (tcpdump), intercept secure communications (sslstrip), or inject malicious code on to websites (ettercap-ng). Alternatively if Chuck chooses not to provide internet access at all the device will still be an effective wireless auditing tool.
By enabling DNS spoof Chuck is able to redirect Alice’s browsing session from legitimate websites to the device’s built in web server, which may host a number of phishing sites, password harvesting or malware.
17© SafeNet Confidential and Proprietary
Since Chuck can’t stay at the ACME Corp. cafeteria all day, he considers leaving his device on site. The device is concealed in a case with a battery pack, hidden in plain sight.
18© SafeNet Confidential and Proprietary
In this case Chuck is able to remotely manage the device a few ways. If no internet access is being provided Chuck must be within range of the device wireless network in order to connect to the management SSID. If internet access is provided, Chuck can configure a persistent SSH tunnel. With an SSH or VPN tunnel enabled, internet traffic from the device connected client routes through the tunnel endpoint – typically a virtual private server. From this VPS Chuck may also extend the man in the middle attack.
19© SafeNet Confidential and Proprietary
www
Probe requests
Probe requests
Probe
reques
ts
Pro
be
req
ues
ts
20
Wi-Fi MITM Experiment : mk4 karma, urlsnarf, dns spoof , facebook/twitter phishing
urlsnarf-karma-dns-spoof-fb-phish.mp4
phishing site
21
Cell phone tracking device….send pic…see gps,txt,calls,email….
cpr-pineapple urlsnarf.mp4
22© SafeNet Confidential and Proprietary
Hacking Gadgets…..who needs them….when..
23© SafeNet Confidential and Proprietary
Hacking Gadgets…..who needs them….when..
24© SafeNet Confidential and Proprietary
Hacking Gadgets…..who needs them….when..
25© SafeNet Confidential and Proprietary
The Weapons – Hands On
Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by:
-Sniffing the network-Cracking encrypted passwords using Dictionary-Brute-Force and Cryptanalysis attacks-Recording VoIP conversations-Decoding scrambled passwords-Recovering wireless network keys-Revealing password boxes-Uncovering cached passwords-Analyzing routing protocols….and more.
26© SafeNet Confidential and Proprietary
Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration tester and everyone else that plans to use it for ethical reasons.
The latest version is faster and contains a lot of new features likeAPR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms.
The new version also includes routing protocols authentication monitors & routes extractors, dictionary & brute-force crackers for all common hashing algorithms & for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders & some not so common utilities related to network and system security.
The Weapons – Hands On
27© SafeNet Confidential and Proprietary
- Added support for Windows 2008 Terminal Server in APR-RDP sniffer filter.- Added Abel64.exe and Abel64.dll to support hashes extraction on x64 OS.- Added x64 operating systems support in NTLM hashes Dumper,
MS-CACHE hashes Dumper, LSA Secrets Dumper, Wireless Password Decoder, Credential Manager Password Decoder, DialUp Password Decoder.- Added Windows Live Mail (Windows 7) Password Decoder for POP3, IMAP, NNTP, SMTP and LDAP accounts.- Fixed a bug of RSA SecurID Calculator within XML import function.- Fixed a bug in all APR-SSL based sniffer filters to avoid 100% CPU utilization while forwarding data.- Executables rebuilt with Visual Studio 2008.
**Be very aware of versions with screenscrape / backdoors, not downloaded from the correct source.
The Weapons – Hands On
28© SafeNet Confidential and Proprietary
ARP Poison Select interface - Scan for hosts - Poison ARP Table - Look for PW’s
Brute Force
R$A Calculator…and more
Lets take it for a “Test Drive”
IndustryExample:
This Can Be Beat!cain-apr-owa.mp4
cain brute force.mov
RSA.mov
The Weapons – Hands On
29© SafeNet Confidential and Proprietary
Ophcrack is an open source (GPL licensed) program that cracks Windows passwords by using LM hashes through rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows. It is claimed that these tables can crack 99.9% of alphanumeric passwords of up to 14 characters in usually a few minutes.
A rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function, often a cryptographic hash function. A common application is to make attacks against hashed passwords feasible.
The Weapons – Hands On
30© SafeNet Confidential and Proprietary
XP Rainbow Tables Example:The Weapons – Hands On
31© SafeNet Confidential and Proprietary
Vista / Win 7 Rainbow Tables Example:The Weapons – Hands On
32© SafeNet Confidential and Proprietary
Example using a XP VMLength = 14 Predefined Charset :Base64 = Decimal + Lowercase + Uppercase + Special Characters
< 4min
CRACKED!
The Weapons – Hands On
33© SafeNet Confidential and Proprietary
Lets take it for a “Test Drive”
In Under 4min
ophcrack.mov
The Weapons – Hands On
34© SafeNet Confidential and Proprietary
CAIN vs OPHCRACK
The Weapons – Hands On
35© SafeNet Confidential and Proprietary
CAIN vs OPHCRACK
The Weapons – Hands On
36© SafeNet Confidential and Proprietary