Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall


welcome to the cyber rants podcast where we're all  about sharing the forbidden secrets and slightly  
embellished truths about corporate cyber security  programs we're ranting we're raving and we're  
telling you the stuff that nobody talks about  on their fancy website and trade show giveaways  
all to protect you from cyber criminals and now  here's your hosts mike rotondo zach fuller and  
lauro chavez hello and welcome to the cyber  ants podcast this is your co-host zach fuller  
joined by mike rotondo and lauro chavez and today  we are talking about wireless penetration testing  
why because it's awesome but before we do that  mr rotondo you're up hello and welcome to cyber  
iran's headlines as vaccine mandate spreads so  do vaccine scams uh there's an article about  
how since copenhagen vaccines have been readily  available there have been scammers looking to   profit from it this is off the dark web you can  get according to checkpoint vaccine passports on  
sale for 250 fake coba tests 25 vaccine doses  for 500 to a thousand and then there's been an  
increase in vaccine advertisement on dark web for  over 300 but lately cyber criminals have tried  
another way to defraud they're sending an official  email just to uh be a service to receive a new  
vaccine passport and friends if you don't respond  immediately it could be 12 months before you   receive another invitation it's a phishing email  it's asking for a ton of information so be careful  
with that just watch out cyber criminals are going  to profit anywhere they can since it's close to   halloween i thought this was important ransomware  attack disrupts production at ferrara candy makers  
of brock's candy corn yep cyber criminals are  trying to destroy halloween um chicago-based  
candy company which makes brock candy corners  hit by a ransomware attack the destruction   disrupted production earlier this month but the  hacks shouldn't affect supplies but it's how we  
treat so we got lucky on that one accenture  consulting company and security company ransomware  
attack breached proprietary data centers confirmed  a regular activity in its iit network last quarter  
which is discovered in august resulted in a breach  of sensitive information it appeared apparently   they declined to pay its attackers leaving all  of the stolen data eventually get dumped online  
so can i point something out i love that term  they've confirmed that our irregular activity  
has occurred that's that's great that's a  very nice way of sugarcoating a cyber attack  
yeah this is not bad at all though no  there was just some irregular activity   we'll be back to our normal programming you  know mr johnson you having a regular heartbeat  
and i'm sorry mrs johnson he's passed away yeah  microsoft fixes windows 10 off issue impacting  
remote desktop microsoft has fixed a known windows  10 issue causing smart card authentication to fail  
when trying to connect using remote desktop after  installing the cumulative updates released during   last month's patch tuesday there's a malicious  npm package caught running crypto miner on windows  
linux mac os devices this is a story for all  those people out there say i have nothing to steal   that they want this is what they're doing the  javascript library is uploaded to the official npm  
package repository have unmet have been unmasked  as crypto mining malware once again demonstrating  
how open source software package repositories  are becoming a lucrative target for executing an   array of tags on windows mac and linux systems  and lastly there's a new linux kernel memory  
corruption bug that causes full system compromise  it was originally identified 19 in 2017 by mcafee  
there was a udp fragmentation offload that allowed  people to gain local privilege google's project  
zero team and shared detail was a similar  yet much simpler bug that can cause complete   system compromise uh researchers dubbed in  a straightforward linux kernel locking bug  
that they exploited against debian's buster ford  4.9. amd 64 kernel so if you're running  
linux check that out there's some other headlines  we're going to post there's two i just want to   mention real quick our evils ransomware torside  for hijacked which i just find i love the irony  
of and 5.2 billion dollars worth of bitcoin  transactions are possibly tied to ransomware so  
that's another interesting story so with that wow  laurel what else do you use that for and you know  
it's a dovetail on your conversation about the  ransomware um check your uploaders because um if  
you if you're not doing sanitization or sanitizing  files that are going into your uploaders it's easy   to get an executable buy or some type of php file  that you can call later so that's another way that  
they can abuse and get the ransomware on your  machines uh let's talk about exploits this week  
one thing that i thought interesting and remember  when we talk about these exploits these are these   are payloads that i can download anybody can  download and the metasploit professional or even  
just metasploit framework today and use the attack  against the target that's vulnerable so we we have  
the weaponization code ready to go today i want  to talk about mitsubishi electric i think a lot of  
individuals here in the states that maybe not  travel abroad don't realize that mitsubishi   makes a lot of other items and products  besides the vehicles that we know and love  
and so one of the things that they do is they  you know with the scada equipment and that sort   of thing they're they're they've been building  these remote terminal units and they're basically  
intelligent remote terminals that supply data  what's interesting is that they're going to   use these types to to move water and power and gas  and so you know these are these are hardware based  
mechanisms right intelligent mechanisms so they're  opening valves and closing them and those sorts   of things well we've got two exploit payloads for  this specific mitsubishi rtu here yeah one of them  
is a source code disclosure which i think is kind  of interesting because now if you can get some of   the source code out of the out of the device  you can start building a better attack plan so  
um there's been two that have been posted um  the cves for 2018 but two of these have been  
posted one for that source code disclosure  which is going to lead to further attacks   and then the next one is for a reflected  cross site scripting so probably on the login  
for the device um you can get some reflection  there and get start capturing passwords and   those sorts of things so if you're in big  industry of any kind and you're using any of  
these mitsubishi electrics make sure you check the  versions on that these are not exempt from flaws  
the other thing i want to bring to the table this  week is sonic wall has a password reset so if  
you're running sonicwall sma 10.2 make sure you're  updating that because the password reset is flawed  
and allows you to basically delete the persist  database so you've got you can basically curl  
a command um let's see to the cgi bin  essentially and delete that persist.db  
and force a password reset on reboot so  check that if you're running sonic wall   and of course it wouldn't be exploit conversation  without wordpress right we all love it i know you  
guys are being quiet i can't believe this yeah  wordpress is on the news again nothing to say   nothing shocked nothing snarky nothing snarky of  course it's there okay so if you're letting me
which one is it which one is it just three you  know what it's like the balloon wall at the   fair just throw a dart pop when you win a prize i  guarantee you they probably all have something but  
if you're using the duplicator wordpress plugin  which is kind of like a it helps you do backups  
and migrations and things like that um there's  an authenticated arbitrary file read associated   with that plug-in and if you're using the theme  which is another attack surface so yeah you got  
plug-ins and you've got themes right so this is  a this is a theme that's got cross-site scripting   reflected cross-site scripting so if you're  using the um enfold 483 theme make sure that you  
get that updated um before someone embeds  something on your site okay or you could  
just use not wordpress other stuff zach what are  we talking about today not not wordpress plugins  
i love this topic not wordpress plugins nope  microsoft we're going to talk about the latest  
rambo movie rambo six you guys have both seen it  right sixth blood yes i don't know all right no  
actually we are talking about wireless penetration  testing but before we do we're gonna take a quick  
commercial break want even more cyber ants be  sure to subscribe to the cyber rants podcast  
get your copy of our best-selling book cyber  rants on amazon today this podcast is brought  
to you by silent sector a firm dedicated to  building world-class cyber security programs  
for mid-market and emerging companies across the  us silent sector also provides industry-leading  
penetration tests and cyber risk assessments  visit and contact us today  
all right and we're back wireless penetration  testing is something that a lot of organizations  
should be doing but often in the realm  of penetration testing it's kind of   put on the back burner for a lot lots and  lots of years sometimes until it's too late  
but organizations are getting a little more  conscious of this and the importance and just  
the realm of capabilities that wireless network  can bring an attacker so let's talk about that  
you know what what do you see in terms of the  importance of wireless pen testing in other words  
why why does it matter and who should consider  getting a wireless penetration test good questions  
um anybody who's running wireless networks  for business and who have employees that  
are using their devices um you know kind  of unbeknownst to connecting to wireless   networks as they go through their day and and  you know maybe you know visit cafes and visit  
different places i certainly think it's a it's  a good exercise but most certainly if you have   a corporate infrastructure that's leveraging  wireless and in any capacity guest or even if  
you have a corporate you know kind of corporate  wireless and it certainly needs to be checked so   yeah for the for the naysayer out there that says  oh well everybody just works from home now and  
nobody's using their corporate wireless networks  anymore i say that's rubbish i say i say nay  
says where are we where we see this happening  uh quite a bit uh healthcare let's give a couple  
couple examples healthcare facilities huge  wireless networks lots of reach um oftentimes  
hundreds of yards out in the parking lot or not  hundreds but 100 yards out in the parking lot   certainly seen that that can be not good another  place schools right especially kids kids these  
days you know getting this doing some malicious  activity they got wireless access you don't even  
necessarily know what they're up to it's all about  knowing that's that's half the battle so i think   those are those are just a couple  examples but i think any organization  
that's heavily reliant on wireless should be  considering this let's talk a little bit about  
the process of penetration testing so for those  people who haven't been through it maybe you   could share from a pen tester perspective what  you go through what you're thinking about and  
what types of areas you're trying to exploit  to see what cyber criminals can see i love  
this topic how should i begin this topic i really  really enjoy wireless penetration testing i think  
i think it's one of the probably one of the most  fun exercises that i get to participate in so um  
thank you guys for for letting me put my wireless  stuff um i think there's a let me let me preface  
the question with just a statement that there's  a false sense of security around wireless i think   a lot of individuals think that because you're on  a home network or that you hide your ssid or that  
you use hardware certificates to validate from a  network access control perspective your hosts that  
get onto the wireless networks okay all that is  is false to quote uh to quote one of my favorite  
um my favorite movies mr universe says the signal  goes everywhere okay you can't stop the signal and  
for those of you or firefly fans you know what  i'm talking about and that's true right because   these these radios that are that are emitting this  wireless at you know 2.4 g and 5 gigahertz they're  
emitting this the signal in a you know just a  huge huge area that you might not realize um that  
coverage area is is bound to buy a like a strength  right we reference it by decibel right because it  
is kind of a it is a signal based data capture  right so we're going to measure in decibels but   you know i think the common things that that i see  or again that that kind of false insecurity where  
they believe that they've locked things down with  certificates and they've they've hidden the ssid  
and they have strong authentication and that's  unfortunately that's that's only half of the  
security for wireless and so the common things  that you know i think really really matter from  
from a process perspective is just i mean really  you just need to be in proximity to users of a  
wireless infrastructure or within radio range  of the wireless infrastructures emission outside  
of the building right we call that tuning right  where exactly we're talking about it's 100 yards  
out into the parking lot that just means what what  happens is that you you know the it infrastructure  
will get you know because you'll do this this kind  of mesh right and you kind of know how many access   points you need for the square footage of your  building how many people you have in different  
areas what will happen is that that that number  needs to probably be maybe for maybe maybe it's   like 50 or 60 access points for your building size  and financial squashies so you'll do that same try  
to introduce that same footprint with like 15  radio aps and so you'll boost the you'll boost  
the signal to get better coverage for the for the  gaps and those ones that are close to the edge  
um are getting pushed out of the building and  out into the parking lot where they have a really   really good signal rating where we can we can  still pick up the the wireless and we know that  
patrons are going to be sitting probably in their  you know their cars for lunch surfing on the guest   network things like that um but process um we  start with an internal attest and that really  
just kind of involves you know getting positioned  in the inside of your building someplace uh   sometimes if it's a large building we'll  we'll move to two or three different locations  
from the outside edge of the building in  a cubicle to maybe like a coffin and then   the second part is is is really an external um  they used to be referred to as war driving um i  
don't really like that term it's it's more of like  fishing for them i don't really drive i just i sit  
so i sit and fish right and it's it's really  um it's really just a waiting game and so   uh both both cases right i think for the internal  the internal wireless phishing and the external  
wireless fishing right from the penetration test  perspective those are just waiting gains it's   a guarantee you're going to catch something  you just need to it's just a matter of time  
sometimes that happens in minutes um seconds  sometimes that happens and you know 30 40 minutes  
before something comes along but you will pretty  much always guarantee to catch a fish but that's   that's really kind of the process did that help  zach was that was that too much is that too little  
that's great i mean i think it's it's it's right  on i mean just to kind of add some detail i mean  
it really is a process of going through uh sitting  in different locations in in the building um  
generally for this it's not you know they you're  not sneaking in or anything people know that   you're there um you're going in and you're sitting  um trying to get signals from other people's  
devices get them get them connected and then and  then like you said sitting in the parking lot  
right driving around different spots seeing how  far out you can get them signal um and and what   we do is create maps of of the signal and show  people from you know basically an aerial aerial  
imagery of their building where we're getting  signal from different several different locations  
outside of that and that's pretty pretty amazing  when you see how far this these signals can reach  
a lot of times in other buildings the other  the other cool thing that i'll mention   that i've seen is the massive amounts of  of wireless networks that are out there  
that can be picked up that often the companies  don't even know that these these are there that  
they're in the same space as their own environment  and um and then people's own individual  
wireless networks that they're broadcasting  within the company there's a lot of cool   really cool information that you can  gather and it's kind of funny you know  
you always see there's always like  a batman uh ssid out there somewhere
some pretty funny names people get creative  with it yeah they really do it maybe it'll  
help a little bit to talk about how we use  this technology against everybody who's   using it for daily daily business purposes so  i'll just you know again we're we're technology  
agnostic but i'm certainly going to call  the technologies we use here so we have   we have a wi-fi pineapple we've got a couple  nanos and a tetra and two by five pineapples  
yeah we do want mine there yeah nuts you can't i  i have um allocated that for uh other purposes i  
have justified we've taken that no i need  to give some pineapple back yeah no no no   those pen testers out there don't loan your wi-fi  pineapples to people they just never come back
i've got your book too they're all taken  care of i promise they're being used  
greatly the book i only read once it's kind of  like loaning somebody a pistol for a murder right  
i mean then so so lauro's got your your wi-fi  pineapple who knows where yeah serial number  
stamped right on it exactly right to miles back  to the purchase order for mike yeah i'm not going  
to leave my own pineapple in this environment  all these mics exactly now you guys know what's  
going on okay so so if you're not familiar  with the hack 5 wi-fi pineapple it is just a  
very very well put together device for assessing  wireless networks and building an attack surface  
on a wireless network and so what i think a lot of  you know some of the signal guys know this but but  
you know wireless technologies emit a beacon okay  for 80q.1 and for any of your 2.45 gs you're gonna  
have a beacon request that's going to go out  okay and so typically that that beacon request   um is going to you know carry like a public thing  with an ssid right so that people can find that  
your wireless network is not but you can hide that  you can say however i'm going to hide just like   you can change your web port i'm going to change  my port put it up forty thousand i'm never gonna  
find it anyway so it's you know security through  obscurity is really what it is right you're going   to hide your ssid but but the beat but the aps  and the devices have to make a beacon request out  
okay these radios intercept that beacon and so  they know that there's a hidden network here   and it's got clients on it and then after several  beacon requests i can find out what the ssid  
is for that but it doesn't matter like i don't  need to know the ssid and i think that's what   the i think there's a misunderstanding around how  the wireless testing works is that a lot of times  
don't i'm not going to use your wireless network  to break into your network and get access to your   database and make an administrator account that's  really not how this process works in a perfect  
world sure but there's a lot of segmentation that  engineers have gone through a lot of trouble to  
put in place to build you know kind of a defense  and depth strategy around implementing wireless  
because they've they've heard of this sort of  stuff right so there's a different attack uh   methodology we use we we essentially don't  need to break onto your network we lure  
all of your wireless users off of your network  onto our network which is now mimicking yours  
and so there's a there's a d auth request that  is is frequently used in this infrastructure  
to basically offload wireless hosts so you can  weaponize that just like you could back in the  
day with a ping of death or you can weaponize  a diod attack against wireless clients and what   that does is it tells the wireless device now  let me say that none of you don't know any of  
this is really happening you might you might be  streaming netflix on your phone in a break room   on the public wi-fi at the library or wherever  else and you might get a pause in your stream for  
just a second but what's happened is the pineapple  has told your device say hey you don't need this  
network that you're on that's the old network  this is the new network and it's exactly the   same as your old network and so what will happen  is it'll flip your device to the new network  
and there's some crafty little things that we can  do with that now the nature of our work again is  
not is not to break glass and clean up glass right  we're simply pointing out there's a window there  
and we have a rock the antenna and all of that  is in the details of the code and and the details  
of the the testing that demonstrate that if you  through the rock at the window it's 99 probably  
gonna shatter we're gonna be replacing the window  so we don't like to go that far and pull data and  
break things but we we get right on the edge of  that line right so exactly we're not going to be   dressed in black with backpacks and face paint and  the middle of the night sitting in a it's just not  
how this works right we're professionals we we  get a permission we're usually escorted by the  
you know the it you know individuals or  i.t security individuals at the client site   and then we're we're noticed by physical security  as we're doing our driveway we're you know we're  
telling them our license plate we're giving them  the identification of our vehicle how many of you   know we have the visitor badge the whole bit right  this is all done during daylight hours it doesn't  
matter already you could be doing at any time but  you know we we choose to do that with the clients  
um during business hours so you know but the same  data holds true and so essentially by building in  
other types of uh you know essentially snare  traps like a certificate authority so maybe  
or capture portal which is what we've done lately  right you can you can apply a lot of tools to the  
pineapple so php it does captive portals so now  you can do a really simple captive portal where  
if if it's a if it's an android device or even if  it's an ios device it'll switch over and it'll pop  
the captive portal on the device and say whoops  we're sorry you just lost connecting to your   company's wi-fi network for whatever reason could  you please re-enter your guest wi-fi password  
and so we we offer an opportunity of of learning  there and in malicious scenarios that certificate  
and the other types of captive portals  can be used to capture all in-stream data   so when your mobile device is in your  pocket or in your purse or in your desk  
and you've left apps open like your bank app  or maybe you're on blink or maybe you've got   reddit open or maybe you've got twitter open all  those apps are open and they're doing a refresh  
every so often right they're going to they're  going to replay that token back out to the app   server and re-authenticate your connection so  that when you go back and click on the app you  
don't have to log in again some of them have some  session based things they're going to log you out   but a lot of them are going to try to keep that  session alive so if you get swung to my pineapple  
the certificate's in place now we can break the  traffic we can see all of the data coming through  
the web so the tls session that you have set up  with twitter and everything else no matter matters   we're capturing that data we can replay that  back to twitter back to reddit back to your bank  
so there's there's a lot of bad things can happen  and so really it's it's it demonstrates to the  
organizations that while they have implemented  decent security on one side of the fence  
they haven't quite quite done it to the other  which which i like to attribute to if you've   ever seen chain link with directional barbed  wire it's either designated it's it's in a 45  
degree angle at the top it's designated to keep  a person out if it's on the point facing the   outside of the fence if it's facing the inside  of the yard it's meant to keep something in  
that is essentially how this works you've applied  security in your internal network but the barbed   wire is 45 degree angle so if you come from the  other side you can climb over without any worry  
of getting pricked right so there's two sides  to the security of wireless and i think that   most all the organizations that we serve and  that we've served in the past are their their  
technicians and not not to any fault right i mean  the whole reason we do this is we learn to be   better together but they've only really considered  the condition of protecting that one side of the  
fence right and so they've only got hardened  controls on the inside so you can't really   abuse the internal technologies but they don't  have protections in place to to prevent this type  
of activities from occurring with this device  and also awareness and training for the users   and the user devices that to be lured off of their  corporate networks onto a uh a faked clone network  
that's probably a lot exactly probably quiet  no that was that was outstanding we could just  
transcribe that and you have a book on wireless  pen testing that was pretty funny about that   appreciate it um yes i hope that paints a good  picture though right so it's not you know what i'm  
trying to describe essentially it's not as trying  to to use your wireless technologies to break into   your own network i can get one of your patrons  on my wireless network and get their password  
and then i can log in as them and then have pivot  access from there right so um even with hardware  
certificates and those types of things there's  you know still a lot of vulnerability service with   with wireless um you can certainly secure it and  you can certainly tune your radios down and you  
can certainly enable modules that will prevent and  um contain devices like the wi-fi pineapple now  
you know these these things in the past and mike  i think you probably know about this is it when   when cisco came out with with some of their first  wireless stuff you could suppress rogue devices  
to the point where it almost burned the chip  out but no boss would ever let us turn us on   never we never got to turn that on we only got to  basically go go get the log file that something  
was there and a heat map and then go try to find  it but but that's that's the protocol right that's   what's supposed to happen we're supposed to get  an alert that there's some rogue device that's  
operating in the area and you're supposed to send  a human to go track it down in the profile of the   footprint of mesh there's some hideous wireless  attacks out there too and some of them we heard  
about recently i mean if someone were they were  mailing wireless devices eavesdropping devices  
in packages to companies that were stuffed  in like teddy bears and stuff like that that   were going to critical people they were sending  gifts and it was uh i i can't remember the name  
of the attack but it was basically it would sit  there and run for could be good the battery be   good for a week and it would get there in a couple  days and that would eavesdrop as much as it could  
and then would die out on its own yeah absolutely  i know exactly what you're talking about and you  
know the the i'm working on a small kit for the  wi-fi nano to go with a lithium battery out of  
like an 18-volt battery out of like a milwaukee  drill right i'm trying to do the down stepping for   it so that you just got this just like incredibly  long um duration like you know maybe like i'm  
hoping i can get like three or four weeks out of  it probably not realistic but you know all that   will fit in the you know you can put all this in a  small box you know like the size of a mac mini and  
just like you said you can you can put these in  various places no one would know you know you   can take them to tool shops and an old toolbox  and put it behind the building and some junk  
and no one will ever look for it there and the  whole time you can just sit 100 yards away from it  
connect to it get all the data you need out of it  that it's gotten so far and then just drive away   so you know wireless is certainly a it's certainly  a double-edged sword um as far as yeah you know of  
course for the people who've gone to defcon right  you see people walking around with the directional   wireless antennas to get you know reach for much  much longer distances i mean it's a it's a real  
issue and i think as we see more and more uh  like what you're describing you know essentially  
corporate espionage it's a real thing and  it's it's happening all the time there are   a lot of people that want to see us fail as a  country and and one of the ways they do that  
is by undermining the economy and and doing these  types of activities so very real thing out there  
definitely something to pay attention  to and if you think this applies to you   it's definitely worth getting it tested see  what comes up but any final comments thoughts  
ideas words of wisdom that you want to share  i would just say if you're at defcon where   and you're staying in the hotel where  defcon is turn your damn wireless off  
because you're going to lose everything you have  yeah quite quite possibly super super good words  
of wisdom you need to wrap yourself in aluminum  foil yes turn off your phones and laptops just  
leave them at home and better not even have  that turn off your bluetooth turn off everything   because you are a target and nothing but a science  experiment just people i've been there many times  
i've seen it so yeah yeah be careful well i guess  just to add on to that you know you you be careful  
at home too because all these attacks can work  just just right out from the curb of your home   too if you're running wireless networks we can you  know lure devices the iot devices refrigerators  
washer dryers your home network you're at your  home computers my modus operandi um is that when  
my devices are not being used by me in my hand the  wireless and all the all the ethernets get turned  
off so i don't i don't i'm not that computer  nerd that's got 46 computers in this lab running   and they're all turned on and no no every one of  my devices is off it may be powered on but the  
network is disabled and you know that that stuff  doesn't stay on because i do this for a living  
call me paranoid i don't know um but it's just  it's more of a practice right i practice what we   what we try to instill in the other  organizations you know just a duct tap  
that if you live in an apartment complex be  really careful you know make sure your smart tv is  
maybe not so smart and you you know those kind  of things yeah you can get messed with pretty  
hardcore if you get if you get somebody with one  of these devices on a smart tv and if you if you   look on reddit you'll find a lot of places  where some of these tvs have been hijacked  
there was one of the news lately where there was  some adult stuff happening on one of the while   they were trying to get the weather there was some  which i thought was really great but um somebody  
went into an amish restaurant in pennsylvania  someplace and took over their wireless tv  
and played weird out yankovic it's a  amish paradise over the loudspeaker  
so i and there's been some other ones right  there's been some billboards and things like   that so keep this in mind you know your smart tvs  are certainly there but you're you know also the  
refrigerators with the tvs on them right those  are also susceptible anything with an lcd screen  
can be programmed to scroll something probably  yeah we should we should do an episode on  
reminds makes me start thinking about other iot  devices things like your alexa right and and um  
those devices that people use for convenience  that's a whole nother whole other animal another  
conversation we know but if it but but before you  go i will say that in a recent murder case they  
were able to tell when the or this i'm sorry  it was a murder case was the recent spy case   right the american spy scandal they were able to  determine when that individual's phone went on to  
airplane mode and the exact location that it did  keep that in mind that there's a lot to unpack   there and i think the government's had some pretty  crazy capabilities for a long time but that said  
it's all classified so we won't talk about  it we don't talk about that but thank you  
for listening go to if you  have any suggestions ideas questions about any of  
this stuff and there's a web form there reach out  to us and we're happy to answer that be sure to  
subscribe if you're not already and check out the  book on amazon thanks a lot and have a great day