Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cyber security programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now here's your hosts: Mike Rotondo, Zach Fuller and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez, and today we are talking about wireless penetration testing. Why? Because it's awesome. But before we do that, Mr. Rotondo, you're up.

Hello and welcome to Cyber
Rants headlines. As vaccine mandates spread, so do vaccine scams. There's an article about how, since COVID vaccines have been readily available, there have been scammers looking to profit from it. This is off the dark web: according to Check Point, you can get vaccine passports on sale for $250, fake COVID tests for $25, vaccine doses for $500 to $1,000, and then there's been an increase in vaccine advertisements on the dark web of over 300%. But lately cyber criminals have tried another way to defraud: they're sending an official-looking email just to, uh, be a service to receive a new vaccine passport, and friends, if you don't respond immediately it could be 12 months before you receive another invitation. It's a phishing email. It's asking for a ton of information, so be careful with that. Just watch out; cyber criminals are going to profit anywhere they can.

Since it's close to Halloween I thought this was important: ransomware attack disrupts production at Ferrara, candy maker of Brach's candy corn. Yep, cyber criminals are trying to destroy Halloween. The Chicago-based candy company, which makes Brach's candy corn, was hit by a ransomware attack. The disruption stopped production earlier this month, but the hack shouldn't affect supplies, so we got lucky on that one.

Accenture, the consulting company and security company: ransomware attack breached proprietary data. Accenture confirmed irregular activity in its IT network last quarter, which was discovered in August and resulted in a breach of sensitive information. Apparently they declined to pay its attackers, leaving all of the stolen data to eventually get dumped online.

So can I point something out? I love that term: they've confirmed that irregular activity has occurred. That's great, that's a very nice way of sugarcoating a cyber attack.

Yeah, this is not bad at all though. No, there was just some irregular activity, we'll be back to our normal programming. You know, Mr. Johnson, you're having an irregular heartbeat... and I'm sorry, Mrs. Johnson, he's passed away.

Yeah. Microsoft fixes Windows 10 auth issue impacting Remote Desktop. Microsoft has fixed a known Windows 10 issue causing smart card authentication to fail when trying to connect using Remote Desktop after installing the cumulative updates released during last month's Patch Tuesday.

There's a malicious npm package caught running a crypto miner on Windows, Linux and macOS devices. This is a story for all those people out there who say, "I have nothing to steal that they want." This is what they're doing. The JavaScript libraries uploaded to the official npm package repository have been unmasked as crypto mining malware, once again demonstrating how open source software package repositories are becoming a lucrative target for executing an array of attacks on Windows, Mac and Linux systems.

And lastly, there's a new Linux kernel memory corruption bug that causes full system compromise. It was originally identified in 2017 by McAfee; there was a UDP fragmentation offload bug that allowed people to gain local privilege. Google's Project Zero team then shared details of a similar yet much simpler bug that can cause complete system compromise. Researchers dubbed it a straightforward Linux kernel locking bug that they exploited against Debian Buster's 4.19.0.13 amd64 kernel, so if you're running Linux, check that out.

There's some other headlines we're going to post. There's two I just want to mention real quick: REvil ransomware Tor sites hijacked, which I just find... I love the irony of that, and $5.2 billion worth of bitcoin transactions are possibly tied to ransomware, so
that's another interesting story. So with that... wow. Lauro, what else do you have?

And you know, it's a dovetail on your conversation about the ransomware: check your uploaders, because if you're not doing sanitization, or sanitizing files that are going into your uploaders, it's easy to get an executable binary or some type of PHP file in there that you can call later, so that's another way that they can abuse and get the ransomware on your machines.

Let's talk about exploits this week. One thing that I thought interesting, and remember, when we talk about these exploits, these are payloads that I can download, anybody can download, in Metasploit Pro or even just Metasploit Framework today, and use the attack against a target that's vulnerable. So we have the weaponization code ready to go today.

I want to talk about Mitsubishi Electric. I think a lot of individuals here in the States that maybe do not travel abroad don't realize that Mitsubishi makes a lot of other items and products besides the vehicles that we know and love. And so one of the things that they do, you know, with the SCADA equipment and that sort of thing, is they've been building these remote terminal units, and they're basically intelligent remote terminals that supply data. What's interesting is that they're going to use these types to move water and power and gas, and so these are hardware-based mechanisms, right, intelligent mechanisms, so they're opening valves and closing them and those sorts of things. Well, we've got two exploit payloads for this specific Mitsubishi RTU here. One of them is a source code disclosure, which I think is kind of interesting, because now if you can get some of the source code out of the device you can start building a better attack plan. So there's been two that have been posted; the CVEs are from 2018, but two of these have been posted: one for that source code disclosure, which is going to lead to further attacks, and then the next one is for a reflected cross-site scripting, so probably on the login for the device you can get some reflection there and start capturing passwords and those sorts of things. So if you're in big industry of any kind and you're using any of these Mitsubishi Electric devices, make sure you check the versions on that. These are not exempt from flaws.

The other thing I want to bring to the table this week is SonicWall has a password reset, so if you're running SonicWall SMA 10.2, make sure you're updating that, because the password reset is flawed and allows you to basically delete the persist database. So you can basically curl a command, let's see, to the cgi-bin essentially, and delete that persist.db and force a password reset on reboot. So check that if you're running SonicWall.

And of course it wouldn't be an exploit conversation without WordPress, right? We all love it. I know you guys are being quiet; I can't believe this. Yeah, WordPress is in the news again. Nothing to say? Nothing snarky? Nothing snarky? Of course it's there. Okay, so if you're letting me... which one is it, which one is it? Just three. You know what, it's like the balloon wall at the fair: just throw a dart, pop, and you win a prize. I guarantee you they probably all have something, but if you're using the Duplicator WordPress plugin, which kind of helps you do backups and migrations and things like that, there's an authenticated arbitrary file read associated with that plugin. And if you're using the theme, which is another attack surface, so yeah, you've got plugins and you've got themes, right? So this is a theme that's got cross-site scripting, reflected cross-site scripting, so if you're using the Enfold 4.8.3 theme, make sure that you get that updated before someone embeds something on your site. Okay, or you could just use... not WordPress, other stuff.

Zach, what are we talking about today? Not WordPress plugins?
I love this topic: not WordPress plugins. Nope. Microsoft? We're going to talk about the latest Rambo movie, Rambo 6. You guys have both seen it, right? Sixth Blood? Yes. I don't know. All right, no, actually we are talking about wireless penetration testing, but before we do we're going to take a quick commercial break.

Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book, Cyber Rants, on Amazon today. This podcast is brought to you by Silent Sector, a firm dedicated to building world-class cyber security programs for mid-market and emerging companies across the US. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit silentsector.com and contact us today.
All right, and we're back. Wireless penetration testing is something that a lot of organizations should be doing, but often, in the realm of penetration testing, it's kind of put on the back burner for lots and lots of years, sometimes until it's too late. But organizations are getting a little more conscious of this and the importance, and just the realm of capabilities that a wireless network can bring an attacker. So let's talk about that. What do you see in terms of the importance of wireless pen testing? In other words, why does it matter, and who should consider getting a wireless penetration test?

Good questions. Anybody who's running wireless networks for business, and who has employees that are using their devices, you know, kind of unbeknownst, connecting to wireless networks as they go through their day, and maybe visit cafes and visit different places. I certainly think it's a good exercise, but most certainly if you have a corporate infrastructure that's leveraging wireless in any capacity, guest, or even if you have a corporate wireless, it certainly needs to be checked. So yeah, for the naysayer out there that says, oh well, everybody just works from home now and nobody's using their corporate wireless networks anymore, I say that's rubbish. I say nay.

Where do we see this happening quite a bit? Healthcare. Let's give a couple of examples. Healthcare facilities: huge wireless networks, lots of reach, oftentimes hundreds of yards out in the parking lot, or not hundreds, but 100 yards out in the parking lot. Certainly seen that; that can be not good. Another place: schools, right? Especially kids these days, you know, doing some malicious activity. They've got wireless access; you don't even necessarily know what they're up to. It's all about knowing; that's half the battle. So I think those are just a couple of examples, but I think any organization that's heavily reliant on wireless should be considering this.

Let's talk a little bit about the process of penetration testing. So for those people who haven't been through it, maybe you could share, from a pen tester perspective, what you go through, what you're thinking about, and what types of areas you're trying to exploit to see what cyber criminals can see.

I love
this topic. How should I begin this topic? I really, really enjoy wireless penetration testing. I think it's probably one of the most fun exercises that I get to participate in, so thank you guys for letting me do my wireless stuff. Let me preface the question with just a statement that there's a false sense of security around wireless. I think a lot of individuals think that because you're on a home network, or that you hide your SSID, or that you use hardware certificates to validate, from a network access control perspective, the hosts that get onto the wireless networks... okay, all of that is false. To quote one of my favorite movies, Mr. Universe says the signal goes everywhere; you can't stop the signal. For those of you who are Firefly fans, you know what I'm talking about. And that's true, right, because these radios that are emitting this wireless at, you know, 2.4 GHz and 5 GHz, they're emitting the signal in a huge, huge area that you might not realize. That coverage area is bound by signal strength, right; we reference it by decibels, right, because it is a signal-based data capture, so we're going to measure in decibels.

But I think the common things that I see, again, are that kind of false sense of security where they believe that they've locked things down with certificates and they've hidden the SSID and they have strong authentication, and unfortunately that's only half of the security for wireless. And so the common things that I think really matter from a process perspective... I mean really, you just need to be in proximity to users of a wireless infrastructure, or within radio range of the wireless infrastructure's emission outside of the building, right? We call that tuning, right, where exactly... we're talking about it's 100 yards out into the parking lot. That just means what happens is that the IT infrastructure will, you know, because you'll do this kind of mesh, right, and you kind of know how many access points you need for the square footage of your building, how many people you have in different areas. What will happen is that that number needs to probably be, maybe it's like 50 or 60 access points for your building size and finances, so you'll try to introduce that same footprint with like 15 radio APs, and so you'll boost the signal to get better coverage for the gaps, and those ones that are close to the edge are getting pushed out of the building and out into the parking lot, where they have a really, really good signal rating, where we can still pick up the wireless. And we know that patrons are going to be sitting, probably, in their cars for lunch, surfing on the guest network, things like that.

But process: we start with an internal test, and that really just kind of involves getting positioned on the inside of your building someplace. Sometimes, if it's a large building, we'll move to two or three different locations, from the outside edge of the building, in a cubicle, to maybe a conference room. And then the second part is really an external test. They used to be referred to as war driving; I don't really like that term. It's more like fishing for them; I don't really drive, I just sit. So I sit and fish, right, and it's really just a waiting game. And so in both cases, right, I think for the internal wireless fishing and the external wireless fishing, from the penetration test perspective, those are just waiting games. It's a guarantee you're going to catch something; it's just a matter of time. Sometimes that happens in minutes, seconds; sometimes that happens in 30 or 40 minutes before something comes along, but you will pretty much always be guaranteed to catch a fish. But that's really kind of the process. Did that help, Zach? Was that too much? Is that too little?
That's great. I mean, I think it's right on. I mean, just to kind of add some detail, it really is a process of going through, sitting in different locations in the building. Generally, for this, you're not sneaking in or anything; people know that you're there. You're going in and you're sitting, trying to get signals from other people's devices, get them connected, and then, like you said, sitting in the parking lot, right, driving around different spots, seeing how far out you can get the signal. And what we do is create maps of the signal and show people, from basically aerial imagery of their building, where we're getting signal from several different locations outside of that. And that's pretty amazing when you see how far these signals can reach, a lot of times into other buildings.

The other cool thing that I'll mention that I've seen is the massive amounts of wireless networks that are out there that can be picked up, that often the companies don't even know are there, that they're in the same space as their own environment, and then people's own individual wireless networks that they're broadcasting within the company. There's a lot of really cool information that you can gather, and it's kind of funny, you know, there's always like a Batman SSID out there somewhere.

Some pretty funny names; people get creative with it. Yeah, they really do. Maybe it'll
help a little bit to talk about how we use this technology against everybody who's using it for daily business purposes. So I'll just, you know, again, we're technology agnostic, but I'm certainly going to call out the technologies we use here. So we have a WiFi Pineapple; we've got a couple of Nanos and a Tetra and two Mark V Pineapples.

Yeah, we do. You want mine there? Yeah, nuts, you can't. I have allocated that for other purposes. I have justified... we've taken that. No, I need to give some Pineapples back. Yeah, no, no, no. Those pen testers out there, don't loan your WiFi Pineapples to people; they just never come back.

I've got your book too. They're all taken care of, I promise; they're being used greatly. The book I only read once. It's kind of like loaning somebody a pistol for a murder, right? I mean, so Lauro's got your WiFi Pineapple, who knows where. Yeah, serial number stamped right on it. Exactly right, traces right back to the purchase order for Mike. Yeah, I'm not going to leave my own Pineapple in this environment, all these mics. Exactly. Now you guys know what's going on.

Okay, so if you're not familiar with the Hak5 WiFi Pineapple, it is just a very, very well put together device for assessing wireless networks and building an attack surface on a wireless network. And so what I think a lot of, you know, some of the signal guys know this, but wireless technologies emit a beacon, okay, for 802.11, and for any of your 2.4 and 5 GHz radios you're going to have a beacon request that's going to go out, okay? And so typically that beacon request is going to carry, like, a public thing with an SSID, right, so that people can find that your wireless network is there. But you can hide that; you can say, however, I'm going to hide it, just like you can change your web port: I'm going to change my port, put it up at 40,000, they're never going to find it. Anyway, so it's, you know, security through obscurity is really what it is, right? You're going to hide your SSID, but the APs and the devices have to make a beacon request out, okay? These radios intercept that beacon, and so they know that there's a hidden network here and it's got clients on it, and then after several beacon requests I can find out what the SSID is for that. But it doesn't matter; like, I don't need to know the SSID, and I think there's a misunderstanding around how the wireless testing works, which is that a lot of times I'm not going to use your wireless network to break into your network and get access to your database and make an administrator account. That's really not how this process works. In a perfect world, sure, but there's a lot of segmentation that engineers have gone through a lot of trouble to put in place to build, you know, kind of a defense-in-depth strategy around implementing wireless, because they've heard of this sort of stuff, right? So there's a different attack methodology we use: we essentially don't need to break onto your network; we lure all of your wireless users off of your network onto our network, which is now mimicking yours.

And so there's a deauth request that is frequently used in this infrastructure to basically offload wireless hosts, so you can weaponize that, just like you could back in the day with a ping of death, or you can weaponize a deauth attack against wireless clients. And what that does is it tells the wireless device... now let me say that none of you know any of this is really happening. You might be streaming Netflix on your phone in a break room, on the public WiFi at the library or wherever else, and you might get a pause in your stream for just a second, but what's happened is the Pineapple has told your device, say, hey, you don't need this network that you're on, that's the old network; this is the new network and it's exactly the same as your old network. And so what will happen is it'll flip your device to the new network,
and there's some crafty little things that we can do with that. Now, the nature of our work, again, is not to break glass and clean up glass, right? We're simply pointing out there's a window there and we have a rock, the antenna, and all of that is in the details of the code and the details of the testing that demonstrate that if you threw the rock at the window it's 99% probably going to shatter and we're going to be replacing the window. So we don't like to go that far and pull data and break things, but we get right on the edge of that line, right? So, exactly, we're not going to be dressed in black with backpacks and face paint in the middle of the night sitting in a... it's just not how this works, right? We're professionals. We get permission; we're usually escorted by the IT individuals or IT security individuals at the client site, and then we're noticed by physical security as we're doing our drive. We're telling them our license plate, we're giving them the identification of our vehicle, how many of us, you know; we have the visitor badge, the whole bit, right? This is all done during daylight hours. It doesn't matter; you could be doing it at any time, but we choose to do that with the clients during business hours. So, you know, but the same data holds true.

And so essentially, by building in other types of, essentially, snare traps, like a certificate authority, or maybe a captive portal, which is what we've done lately, right, you can apply a lot of tools to the Pineapple, so PHP, it does captive portals. So now you can do a really simple captive portal where, if it's an Android device or even if it's an iOS device, it'll switch over and it'll pop the captive portal on the device and say, whoops, we're sorry, you just lost connection to your company's WiFi network for whatever reason; could you please re-enter your guest WiFi password? And so we offer an opportunity of learning there. And in malicious scenarios, that certificate and the other types of captive portals can be used to capture all in-stream data. So when your mobile device is in your pocket or in your purse or in your desk and you've left apps open, like your bank app, or maybe you're on Blink, or maybe you've got Reddit open, or maybe you've got Twitter open, all those apps are open and they're doing a refresh every so often, right? They're going to replay that token back out to the app server and re-authenticate your connection so that when you go back and click on the app you don't have to log in again. Some of them have some session-based things; they're going to log you out, but a lot of them are going to try to keep that session alive. So if you get swung to my Pineapple, the certificate's in place, now we can break the traffic, we can see all of the data coming through the web. So the TLS session that you have set up with Twitter and everything else, no matter, we're capturing that data; we can replay that back to Twitter, back to Reddit, back to your bank. So there's a lot of bad things that can happen.

And so really, it demonstrates to the organizations that while they have implemented decent security on one side of the fence, they haven't quite done it on the other, which I like to attribute to... if you've ever seen chain link with directional barbed wire, it's either designated... it's at a 45 degree angle at the top; it's designated to keep a person out if it's on the point facing the outside of the fence; if it's facing the inside of the yard it's meant to keep something in. That is essentially how this works. You've applied security in your internal network, but the barbed wire is at a 45 degree angle, so if you come from the other side you can climb over without any worry of getting pricked, right? So there's two sides to the security of wireless, and I think that most all the organizations that we serve, and that we've served in the past, their technicians, and not to any fault, right, I mean the whole reason we do this is we learn to be better together, but they've only really considered the condition of protecting that one side of the fence, right? And so they've only got hardened controls on the inside, so you can't really abuse the internal technologies, but they don't have protections in place to prevent this type of activity from occurring with this device, and also awareness and training for the users, and the user devices, that are going to be lured off of their corporate networks onto a faked clone network.
That's probably a lot. Exactly. Probably quiet. No, that was outstanding. We could just transcribe that and you have a book on wireless pen testing. That was pretty funny. Appreciate it. Um, yes, I hope that paints a good picture though, right? So what I'm trying to describe, essentially, is it's not about trying to use your wireless technologies to break into your own network. I can get one of your patrons on my wireless network and get their password, and then I can log in as them and then have pivot access from there, right? So even with hardware certificates and those types of things, there's still a lot of vulnerability surface with wireless. You can certainly secure it, and you can certainly tune your radios down, and you can certainly enable modules that will prevent and contain devices like the WiFi Pineapple.

Now, you know, these things in the past, and Mike, I think you probably know about this, when Cisco came out with some of their first wireless stuff, you could suppress rogue devices to the point where it almost burned the chip out. But no boss would ever let us turn that on. Never. We never got to turn that on; we only got to basically go get the log file that something was there, and a heat map, and then go try to find it. But that's the protocol, right? That's what's supposed to happen: we're supposed to get an alert that there's some rogue device that's operating in the area, and you're supposed to send a human to go track it down in the profile of the footprint of the mesh.

There's some hideous wireless attacks out there too, and some of them we heard about recently. I mean, someone was mailing wireless devices, eavesdropping devices, in packages to companies, that were stuffed in, like, teddy bears and stuff like that, that were going to critical people. They were sending gifts, and I can't remember the name of the attack, but it was basically it would sit there and run for... the battery would be good for a week, and it would get there in a couple of days, and that would eavesdrop as much as it could and then would die out on its own.

Yeah, absolutely, I know exactly what you're talking about, and I'm working on a small kit for the WiFi Nano to go with a lithium battery, like an 18-volt battery out of a Milwaukee drill, right? I'm trying to do the down-stepping for it so that you've just got this incredibly long duration, like, I'm hoping I can get three or four weeks out of it. Probably not realistic, but all that will fit in, you know, you can put all this in a small box, like the size of a Mac mini, and just like you said, you can put these in various places; no one would know. You can take them to tool shops, in an old toolbox, and put it behind the building in some junk, and no one will ever look for it there, and the whole time you can just sit 100 yards away from it, connect to it, get all the data you need out of it that it's gotten so far, and then just drive away. So, you know, wireless is certainly a double-edged sword.

As far as, yeah, of course, for the people who've gone to DEF CON, right, you see people walking around with the directional wireless antennas to get reach for much, much longer distances. I mean, it's a real issue, and I think as we see more and more, like what you're describing, essentially corporate espionage, it's a real thing and it's happening all the time. There are a lot of people that want to see us fail as a country, and one of the ways they do that is by undermining the economy and doing these types of activities. So, very real thing out there, definitely something to pay attention to, and if you think this applies to you, it's definitely worth getting it tested, see what comes up. But any final comments, thoughts, ideas, words of wisdom that you want to share?

I would just say if you're at DEF CON and you're staying in the hotel where DEF CON is, turn your damn wireless off, because you're going to lose everything you have. Yeah, quite possibly. Super, super good words of wisdom. You need to wrap yourself in aluminum foil. Yes, turn off your phones and laptops, just
leave them at home. And better not even have that; turn off your Bluetooth, turn off everything, because you are a target and nothing but a science experiment. Just... people, I've been there many times; I've seen it. So yeah, be careful.

Well, I guess just to add on to that, you be careful at home too, because all these attacks can work just right out from the curb of your home too. If you're running wireless networks, we can lure devices, the IoT devices, refrigerators, washers, dryers, your home network, your home computers. My modus operandi is that when my devices are not being used by me, in my hand, the wireless and all the Ethernets get turned off. So I'm not that computer nerd that's got 46 computers in this lab running and they're all turned on. No, every one of my devices is off. It may be powered on, but the network is disabled, and that stuff doesn't stay on, because I do this for a living. Call me paranoid, I don't know, but it's more of a practice, right? I practice what we try to instill in the other organizations. Just a quick tip: if you live in an apartment complex, be really careful. Make sure your smart TV is maybe not so smart, and those kinds of things.

Yeah, you can get messed with pretty hardcore if you get somebody with one of these devices on a smart TV, and if you look on Reddit you'll find a lot of places where some of these TVs have been hijacked. There was one in the news lately where there was some adult stuff happening on one while they were trying to get the weather. There was some... which I thought was really great, but somebody went into an Amish restaurant in Pennsylvania someplace and took over their wireless TV and played Weird Al Yankovic's "Amish Paradise" over the loudspeaker. And there's been some other ones, right; there's been some billboards and things like that. So keep this in mind: your smart TVs are certainly there, but also the refrigerators with the TVs on them, right, those are also susceptible. Anything with an LCD screen can be programmed to scroll something, probably.

Yeah, we should do an episode on... it makes me start thinking about other IoT devices, things like your Alexa, right, and those devices that people use for convenience. That's a whole other animal, another conversation, we know. But before you go, I will say that in a recent murder case they were able to tell when the... or, I'm sorry, it wasn't a murder case, it was the recent spy case, right, the American spy scandal. They were able to determine when that individual's phone went on to airplane mode and the exact location that it did. Keep that in mind; there's a lot to unpack there, and I think the government's had some pretty crazy capabilities for a long time. But that said, it's all classified, so we won't talk about it. We don't talk about that.

But thank you for listening. Go to cyberrantspodcast.com if you have any suggestions, ideas, questions about any of this stuff; there's a web form there. Reach out to us and we're happy to answer that. Be sure to subscribe if you're not already, and check out the book on Amazon. Thanks a lot and have a great day.