
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Wireless Attack Kill Chain for n00bs with Dennis Pelton
Did you know that your Wi-Fi is vulnerable to attacks, too? Tune in to hear our guest, Dennis, talk about the kill chain, DoS attacks, Wi-Fi reconnaissance, and more. For more information about relevant attacks and ways to protect your network, listen to The Audit today! #wifi #cybersecurity #itauditlabs #theaudit
Follow our guest Dennis Pelton on Twitter @c0ldbru
You're listening to the Audit presented by IT Audit Labs.
Mandi Rae: Hello and welcome to the Audit presented by IT Audit Labs. I'm Mandi, and joining me from the IT Audit Labs team are Eric and Kyle. We have a special guest today, Dennis Pelton. Hi, everybody. Hey, Mandi.
Eric Brown: So, Dennis, thanks for joining us today. You and I met a couple of months ago at Wild West Hackin' Fest in Deadwood, and you were presenting this presentation to a packed house, if I recall. Yeah, and was that your first time in Deadwood and going to Wild West?
Dennis Pelton: Yeah, yeah, it was my first time going. I'd been wanting to go for quite a while but never really had an excuse to go, and so when I saw they had opened the CFP, I kind of put together some of the stuff I'd been working on recently and, yeah, sure enough, got accepted.
Eric Brown: Yeah, nice. Yeah, I had never been either, and one of the things I thought was pretty neat about Deadwood was, I think there are more slot machines than people in that town.
Dennis Pelton: Yeah, pretty much.
Eric Brown: It's a fun time, though. It was good. Yeah, lots of bars too. Well, let's jump in and, if you don't mind, we probably have some questions or some things that we can interject with along the way. Sure.
Dennis Pelton: Sounds good. So, yeah, I'm Dennis Pelton, CISSP, a couple of the specialty certs from AWS and GCP, Security+, and I'm actually working on my OSWP right now for the wireless stuff. I'm currently working at Foghorn Consulting doing the cloud security stuff there, and I'm also a kind of hardware hacker and RGB enthusiast. I just love messing with hardware, building new things, stuff like that, and, yeah, wireless noob. I'm just getting started into wireless and learning everything I can, having a blast and people.
Eric Brown: You do some... You're on Mastodon, right? Are we calling them toots on Mastodon?
Dennis Pelton: Apparently so. Yeah, I don't know. I've been seeing a lot of that. Yeah, it's c0ldbru at infosec.exchange. And so, yeah, this presentation really kind of goes over a number of different things, but it kind of starts with the current landscape of wireless, what kind of wireless stuff you'll see in the workplace and home, then what is a kill chain, and then we'll kind of go through a little bit about how wireless works, just to kind of get the basics down on that, and then go over Wi-Fi reconnaissance and then segue straight into the actual Wi-Fi attacking, and then finally how to protect your network from this kind of stuff. And is that a picture of your cat?
Eric Brown: I wish it was. Just something that cracked me up online, but I think you almost have to have a cat to be in InfoSec. I don't know. Yeah, it's probably true. I've got a couple, but... See, Mandi, you're going to need a cat. There you go. Step one.
Mandi Rae: Can't take a cat to the dog park.
Dennis Pelton: It's true, you really can't. So, yeah, wireless is pretty much everywhere at this point in time in our lives. In this office building here that we've got, you can see they've got like a wireless AC controller, wireless access points, wireless printer. You know, they probably got a Prox system for the doors, things like that, light sensors, all of that. And all of it, whether it's 802.11 Wi-Fi or IoT or Prox cards or any of those different technologies that are wireless, they're all vulnerable in some way. And so, yeah, really, people complain about security, but they opt for convenience, and this was something that I saw on the PagerDuty website, actually, and it really just summed up Wi-Fi for me. People want what's going to be the most convenient, and that doesn't always line up with what's the most secure. Securing wireless is all about trying to make it as convenient as possible while still being secure.
Eric Brown: When you're doing pen tests, because you do some pen tests for your day job, right? Yeah. Do you do wireless attacks at all? Do you find you have to do that to get into places?
Dennis Pelton: No. So unfortunately we don't get to do any of the wireless stuff at my work, so any of the wireless stuff that I've done has all just been here at home for fun. I would love for that to be one of our offerings in the future, but currently we just do, like, application pen testing and things like that. Sure. So, yeah, this presentation is called the Wireless Attack Kill Chain. So what is a kill chain? So it's actually a military term, which I know a lot of people kind of poo-poo, but really it just lines up so perfectly to me with kind of how the wireless attacks work. So you've got the identification of the target, you've got your dispatching of forces to the target, initiation of the attack, and then destruction of the target, and so we'll kind of come back to these throughout the presentation. But to me that really does line up with how you do, like, a pen test of either wireless or otherwise. You really have to go through all these steps. So that was kind of why I chose this name.
Dennis Pelton: Sure, all right, so in order to attack something, you got to know how it works. So this is kind of my little explanation of how Wi-Fi works in a nutshell. Obviously there's a lot more to it than just these parts. But you've got the wireless APs, and those are all broadcasting their SSIDs using what's called beacon frames, and those are basically just blasting out their name out there for everyone to see. And then you've got your wireless clients, which are broadcasting what's called the PNL, or their preferred network list, and so that is your phone just blasting out things that it's connected to in the past, saying, like, hey, are you Starbucks? Hey, are you Starbucks? Looking for anything that it knows it can connect to. Every once in a while there's going to be a match. The client will send a probe request. At that point in time the AP replies with the probe response, and now you've got that handshake started, and that's kind of the first part that you can start to exploit when you're kind of breaking into a Wi-Fi network.
Eric Brown: And this is how, if you're using security tools like a Pineapple, where that Pineapple would capture and rebroadcast out those SSIDs that a person's wireless client was attempting to connect to... Oh yeah.
Dennis Pelton: Yeah, there's a lot of different attacks that are kind of based on that back and forth of those different broadcasts that are sent out. So, yeah, one quick note there is that DoS attacks can work against these. It's something where, when I first wrote this slide, it was something where I just kind of said, you know, yeah, it is possible, no one's going to do it, it doesn't really make sense in any way. But I was actually showing this presentation to a buddy of mine, and this slide actually sparked this whole conversation. And one, you know, proof of concept, but at least it was something viable that he had mentioned when he saw this, was that if you were to essentially spam the APs of a business with these broadcast requests, it's going to reply to every single one of those. So if you slam it with enough of them to take down the Wi-Fi network, you're probably taking down their camera system as well, which means now someone from the outside has the ability to get in without being caught on camera.
Dennis Pelton: And, you know, I don't know if it would actually work or not, but it's enough of a threat that it really made this slide a lot more impactful to me when you mentioned that.
Eric Brown: Yeah, absolutely. Good to point that out, for sure. I've seen some security cameras that have the SSD cards embedded in the camera, you know, removable, so they're recording to that SSD card and then presumably also shipping it off to a central server somewhere.
Dennis Pelton: But, you know, fair point. If that SSD card wasn't there and they're just relying on that wireless network, it would be susceptible, yeah, or if they chose to use really small SD cards where it can only store, say, an hour's worth of downtime. So, yeah, a little bit more about Wi-Fi. It's got different security options to utilize. Everybody's seen these before. But you've got WEP and then your WPA suite. WPA comes in WPA 1, 2, and 3, and then those all come in standard or enterprise, which, standard is your home one; enterprise is where you're using an actual RADIUS server so you kind of authenticate those. Really, in this presentation, since this was made for noobs, I don't really go into the enterprise one.
Dennis Pelton: To be honest, I wish I had, because when I presented this in Deadwood I finished way too early and I would have had plenty of time to talk about enterprise. But oh well. Then WPS is the last thing I wanted to mention on here. It really shouldn't be used in any businesses. But that's the whole system where you can push the button on the router and it's going to initiate that sending of the credentials to the device, and then the device can connect. Obviously that is not a good idea and is broken in many ways, but the real thing to pay attention to on this slide, though, is that little photo there, which was from WiGLE in the same month that I presented this. I'm sure those numbers have not changed too much between now and then, but you'll notice that WPA2 is 72%, or over 72%, of the wireless networks out there. To me, that number was absolutely shocking, because WPA2 is broken. You can definitely break into that in multiple different ways that we're about to go over. Same with WPA. WEP's been broken for a long time, and then no encryption obviously is not a good idea, but places are still going to do it for things like coffee shops and things like that. So, yeah, so the next thing we're going to talk about is Wi-Fi reconnaissance, which to me lines up with the identification of the target in our kill chain.
Dennis Pelton: So, really, the main kind of Wi-Fi reconnaissance thing is war driving, or war walking, as some people like to call it. The name actually comes from war dialing, which was back in the day, you know, like WarGames and things like that, where people would just dial random numbers until they hit a modem, and that gave them a target, because now they know, okay, well, there's a computer on the other side of this. That's something that I can get into. So, kind of in a similar way, war driving is just driving around physically looking for targets, kind of in the same way they used to do that with war dialing. How it's done is you just put your kind of wireless access, or your wireless clients, into promiscuous mode, which allows it to pick up anything, not just the things that are sent directly to it. This is used for sniffing traffic on either wired networks or wireless, but in this case we're doing it for the wireless and driving around with the GPS. When you pair that GPS data of your current location with the Wi-Fi data of "this SSID is on this channel with this security," now you've got an aggregated list of targets. If you switch the slide...
Dennis Pelton: I believe the next one was WiGLE.net.
Dennis Pelton: Again, these are actually examples of war driving devices. You can see on the left there that device. It's clearly very purpose-built, and I can't even remember how many antennas are there, but that's able to sniff every single band, or not every band, but every channel all at once, and so some people will build devices like that to be able to drive around and just pick up the most data possible. But the alternative to that is kind of those methods there on the right, which, one of those is just a Raspberry Pi with an Alfa card strapped onto it and a GPS. The next one is just a guy's laptop sitting in his lap while he's driving around. It just goes to show that you can spend as much or as little as you want on something like this, but it can all still work the same way. I've actually got an example here. I built this one a while back, just kind of as a proof of concept, but you can see it's just a little ESP unit attached to a nine-volt battery, and that's enough.
Eric Brown: You can still do these attacks with that, and that was five dollars' worth of parts. And, Dennis, if somebody wanted to see if their business or their home wireless network was captured in war driving or recorded somewhere, is there a website that you can go to to see that?
Dennis Pelton: Yes, that's actually the next slide, I believe. Ah, here we go.
Dennis Pelton: Yeah, so WiGLE.net is where you can then upload all this data, and on WiGLE you can kind of go to any location, you can zoom in, you can browse around, things like that, and it's going to show you everything that anyone has collected and uploaded here, and they have various contests and things like that from time to time. There's different teams that kind of accrue points on here, but really it's just about collecting all that data and everyone aggregating it together. But that means that, yeah, you can check if you're on here, which I checked, my house is definitely on here, but it means that also, if you're looking for a target, all you need to do is know where they're located, and you can zoom in and find what their exact AP is called. You know the SSID of that, you can find the channel it's running on and get all that data ahead of time, before you even go out there to your target. So, yeah, the next step is dispatching your forces to the target.
Dennis Pelton: To me this was kind of like rogue wireless attacks, or really just kind of any wireless attacks in general.
Dennis Pelton: And so, yeah, the first thing we'll talk about is a karma attack, and this is kind of what we were talking about before, where everyone's broadcasting their PNL and they're broadcasting their SSIDs.
Dennis Pelton: Well, what a karma attack is, it's where the AP is specially configured to just, like you said, reply with whatever it is they get. So if they have a phone that comes up and says, hey, are you Starbucks? It replies back and says, yeah, I'm Starbucks. So now the phone thinks it's connecting to Starbucks, even though it's connecting to either, yeah, like, a Wi-Fi Pineapple, or even one of these little guys. You know, whatever it may be, it's going to reply that it's that. And actually, at Wild West Hackin' Fest I made a handful of these, which were little badges that were running wireless access points on the back, and they were doing that same thing. So if you connected to a wireless network there, it very well could have been my badge or one of the other ones that I handed out there, but it just goes to show you these can be anything. They can be disguised to look like anything, they can be super simple or super complex.
Eric Brown: Yeah, Kyle, what's the Pwnagotchi thing that you have? You were doing something very similar, weren't you?
Kyle Rosendahl: Yeah, that does something similar, and we'll probably get into it, but it does more of, like, a deauthentication attack, where it actually kind of intercepts the four-way handshake as it's going to and from, or it watches for those four-way handshakes taking place and then grabs a copy of those and brings it down so that you can, I think, basically break into the keys that are passed between the access point and the client. And then, to force them to authenticate,
Kyle Rosendahl: it'll send a deauth packet, knock them off the Wi-Fi and then watch them reconnect to try and grab all the information. Yeah, so with the karma attack, then, when doing this type of attack, right, you've got your device, you've got someone to connect to it. Is the purpose then to have that person connect and then pass the internet back to them and intercept what's in the middle, or kind of what's the benefit of running an attack like this?
Dennis Pelton: So there's honestly a couple, and I think I went into a few of them in here. But, yeah, the first one would be, if you're presenting as something like Starbucks, for example, you may just want to hijack their traffic. It's something where, if you set up a little DNS server in there, then you are essentially controlling where their traffic goes. Actually, I think that is this slide here. If they accept your probe request, they connect under those false pretenses.
Dennis Pelton: Now you can control their traffic. So when they go to google.com, you're sending them to a fake google.com that maybe asks for their password or something like that. You get to pick what it does at that point. But that's really only going to work if you know what the authentication is. The other point of it is, yeah, as you had mentioned before, where you can kind of start to get into that four-way handshake, and if you can kick them off the network with a deauth packet, now you can kind of intercept that handshake and get both sides of it, and we'll kind of get into that further down in the slides. But that's how you crack the WPA keys.
Kyle Rosendahl: Cool. So essentially, with a karma attack, I mean the main purpose, or the easy, I don't want to say easiest, but most fruitful maybe, would be to control that DNS, send them somewhere that looks like Facebook but it's your Facebook, and then get their Facebook password as they type it into your fake Facebook. That's probably the most common thing that people end up doing with it. Sure, most common.
Dennis Pelton: That's a good way to put it. You know, people get creative sometimes, but, yeah, totally. Cool. So I think, yeah, the next one here is talking about kind of DNS, and this goes back to the, yeah, manipulating DNS to control the traffic is the most common thing that people would do with this. So how that ends up working, DNS kind of in an extreme nutshell here, of, like, just doing the highest-level overview: you know, when they type in something like wildwesthackinfest.com into their browser, their browser is going to query a DNS server. That DNS server is going to return the IP address, and then the browser goes to the IP that was returned. But if you're the one controlling that DNS server, you know, you can send it back whatever you want, and their browser is just going to go there and, you know, accept that that was the truth. So once you control that traffic, you control where they're going. And, yeah, this was kind of what we talked about just a minute ago of, you know, in a real-life scenario, this is kind of how that would play out.
Eric Brown: Oh, this is what we were talking about, with the Pwnagotchi scenario too.
Dennis Pelton: Exactly. Yep.
Dennis Pelton: So what if they're already connected? Just like you said, deauth. The way that deauth works is just, APs can send out those deauth packets. That's really if the clients have degraded service or if the client is sending out issues or things like that; the AP is kind of able to sever that connection and force a reconnect. It's really for AP handoff, is kind of the main thing that it's for. But, yeah, you can send those from anywhere, assuming it's WPA or WPA2.
Dennis Pelton: In WPA3, they started to kind of get a little smarter about how those are handled, and so there's some kind of validation there between the device and the AP saying, hey, is this legitimate? And the AP has to respond with, yes, this is legitimate. So, yeah, the deauth will only work with WPA2 and WPA. The reason for this is that the 802.11 frame headers in those two are not encrypted. They're necessary for the standard operations of the actual spec itself, but they didn't feel like it was necessary to encrypt those. Now, the 802.11w spec did actually kind of deal with that problem. But the problem with that is that it needs to be supported and enabled on both the client and the AP. It's really not in most cases, and because most clients don't support it, most APs that even do support it don't have it turned on, because that would cause issues. So really that one didn't help too much. WPA3 did pull all that work from the 802.11w spec into it. So once that gets some higher adoption, that's going to solve the problem. But as you saw from that WiGLE slide a good ways back, the kind of adoption on WPA3 is basically non-existent at this point. So really the problem kind of sticks around.
Dennis Pelton: And so, yeah, let's get into actually breaking those networks and the initiation of the attack on the target. So the first one we're going to talk about is called the half handshake attack, and this is really, when we were talking about the four-way handshake earlier, this is what exploits that. And so when you do that Wi-Fi connection you've got kind of four main things that happen, and we're going to go into each one of these in depth. But the first thing that happens is the AP sends out an authenticator number to the client, then the client is going to send back a transient key, the AP is going to return with a temporal key, and then the client is going to confirm receipt of that and actually start that encryption, that encrypted connection. So for that first step, the AP sends what they call the ANonce, I believe is how they pronounce it. But it's that authenticator number, and it's only used one time. So it's just a random number that that AP actually generates. So it generates this random number and it sends it over to the client, and it sends it along with its own MAC address. So there's no encryption on that and there's no integrity validation, because on its own it has kind of no value, essentially. But if we're sniffing this traffic, that means now we have that random number that's generated, we have its MAC address, we already know its SSID and we know the channel. We know kind of a fair amount of information at this point just from that one packet and the bit that we've seen so far.
Dennis Pelton: So then, once the client receives that, it's going to create what's called the pairwise transient key, or the PTK, and what that includes is, that's going to be the authenticator number that was sent from the AP. It's going to generate its own random number, which is called the supplicant number. That includes the MAC address of the AP that was sent to it and the MAC address of itself. Then it's going to include a hashed version of the SSID and the password. So it sends this with a message integrity code, and that's just basically another hash of all that information. So it does not send the PTK, it only sends that message integrity code, which is the hashed version of all that information that it created with its PTK. This is important because that means that it's not actually sending that password. The AP is then going to create a PTK of its own. It's going to have all that same information, because now it has some of that that it got back from the client and it has the rest of it that it generated on its own. Then it's going to create that message integrity code and compare the two. If those two match, then it knows that the SSID and password that the client was sending is the same as the one that it generated. So it knows there's a match, it knows everything's good, and that's when it sends the group temporal key. It sends that also with a message integrity code. But now they're ready to communicate, because now they both have that main key.
Dennis Pelton: So now we can jump into how we can actually kind of exploit this. So the PTK is the most important part of this, but it doesn't get sent. We only have the message integrity code that was sent of that. So we've already captured the authenticator number from those AP packets. We've captured the MAC address, we've captured the supplicant number, and we've captured the MAC address of the client. So we have every single part of this except the password. But we have that message integrity code, which is the hash of all of those things put together. So we can build our own PTKs and compare them to that message integrity code to see, do we have the right password here? Obviously this would take forever, but aircrack-ng has automated this process for us. So we can send it a password list and it's just going to roll through that list of, you know, 10,000 passwords or whatever, comparing each one of those message integrity codes to the one that it sniffed until it finds the password. You can actually set these up ahead of time too. If you did something like going onto WiGLE.net and grabbing the SSID, it may even have the MAC addresses too, I can't remember, but essentially you can prepare a lot of that ahead of time and make it go even faster.
Dennis Pelton: So the next thing we'll talk about with the four-way handshake is what's called the KRACK attack, and I've never actually been able to pull this one off successfully.
Dennis Pelton: So at least for me it's more of a just kind of fun thing to kind of think about and keep in my mind. But it has been done before, so it is a proven thing that does have a proof of concept. With this one, basically, if the client does not complete step four, that kind of confirmation that it received that group temporal key, the AP will resend it. And each time the AP resends it, or each time the client receives it, I should say, it gets reinstalled. And that means that, since it's using the packet number as the IV for the encryption, that means you can essentially reset the IV of that client's encryption by resending it that GTK. So at that point it's reusing the key stream for its encryption, which means you can now decrypt that traffic. So even if you don't know what the password is, if you can force it to re-accept that GTK, you can decrypt their traffic as they're sending it, even though it's encrypted.
Mandi Rae: Is this the four-way handshake details you've been looking for, Kyle?
Kyle Rosendahl: Oh, that and more, Mandi, yeah. We love a four-way handshake. For those that don't know, I mean, what is the IV, kind of in layman's terms?
Dennis Pelton: So it's the value that it's using for the encryption, but the IV is going to change each time a new packet is sent. It's not like you're using, I guess, trying to think of a good way to put this, but something like a ROT13, which obviously is not encryption, but something like ROT13, every single message you send that was ROT13-encoded is going to be decoded in the exact same way, but with an IV it's going to change each time it's used. So you can't just use the same method to decrypt one packet as the next one unless you know what that IV is, because the IV is going to continue changing in the same pattern.
Kyle Rosendahl: I guess I'm trying to think if there's a better way to explain this, but by forcing them to reinstall, then you can essentially figure out what the IV is and decrypt the traffic. Yes, exactly. To force a reinstallation of that GTK at the client end, I mean, theoretically and proof-of-concept-wise, would that be, I mean, injecting some sort of deauthentication midstream during the handshake? Or, I mean, what are kind of the proof of concepts that theoretically could work, even though they haven't maybe been used in the field necessarily?
Dennis Pelton: So really it's not deauthentication, but it's similar to a deauthentication in the sense where, when you send a deauth packet, you're sending something that should have been coming from the AP and you're forcing the client to accept it. With the GTK it's very similar, where you are just resending that GTK that you captured and the client is just going to accept it and accept that it came from the AP.
Kyle Rosendahl: Got it. So it would really be capturing the GTK in transit and then continually pushing it to the client to get that IV and then decrypt the traffic.
Dennis Pelton: Yeah, and again, like I said, I've never actually done this one. It's more just one I've read about and kind of done a lot of research into, and it really just fascinated me that, you know, I'm sure it's not easy, but at least as far as how it works, it's fairly simplistic.
Kyle Rosendahl: Sure. And the packet number, is that the sequence of GTKs that were received, or is that just something that you add as part of the header of the packet that you're sending over?
Dennis Pelton: So the packet number is basically part of that stream of traffic, and since it's using the packet number as the IV, yeah, so that's where that comes in. And that's going to be a little bit of...
Kyle Rosendahl: Yeah, so there'd be a little bit of logic in, where in the stream are we? Which GTK is this? But not a lot of guesswork, if you're at that point where you could then say, well, I'm somewhere in this range, I'm going to try all of them and figure out which one decrypts it, and then you're locked in and keep going.
Dennis Pelton: Yep, yeah, just like that. Yeah, for known content, decryption becomes a lot easier. So if you know that they are going to, you know, google.com or something like that, then you know what it should look like, and you're just comparing it to what it does look like at that point, and, you know, at that point you can reset the IV as well, which makes it even simpler for you. Got it. Cool.
Kyle Rosendahl: That makes sense. That's awesome.
Dennis Pelton: And so, yeah, the last part is the kind of destruction of the target. Really, for us this is kind of total pwnage, in the sense of, you know, at that point in time you're able to read their encrypted traffic and you're able to get onto their network because you know the password and things like that, and, you know, I think the next slide shows it, but, yeah, it's pretty much, you know, wreak havoc in any way that you see fit at that point, because you're on their network, you can control their traffic, you can harvest their credentials, you can sniff their internal traffic, you can do anything at that point. So, yeah, that's kind of the end of the how-to-get-onto-it section. So then, how do you protect against this kind of thing? Really, with Wi-Fi, the best advice to give is use common sense. Now that you know how these work, you can think of different ways to break this kill chain. Like the slide about the kill chain said, it's something where, once you understand the kill chain, you can break it, and if you can break it you can stop that end goal of the attacker.
Dennis Pelton: There's a couple more things I've got listed here than just common sense. But, yeah, disabling the ability for your devices to just connect to networks you've been to before. There's a lot of different ways to do this. There's a screenshot there from a Mac, on the iPhone I think it's, yeah, Ask to Join Networks.
Dennis Pelton: You can set that to ask instead of auto-join. You know, really just connect only when you need to. Don't let your phone just kind of connect to every little thing that it comes across; force it to actually ask you, like, hey, do you want to connect to Starbucks? And you're like, wait a minute, I'm on an airplane. I don't think I do. You know, just kind of using common sense in that way of, like, you know, look at the things you're connecting to, make sure you're connecting to something that makes sense and something that you want to connect to. This is kind of one of those things where it's easy to say and it's not as easy to convince others to do it, and this really goes back to that quote that I had near the beginning, of people are going to opt for convenience, and this is where, if you make it slightly less convenient for yourself, you know, put some kind of barrier there where you have to look at it and you have to accept that network, it makes it a lot more secure.
Eric Brown: I know Mandi and I in the past have done some security education seminars, and we'll set up a Pineapple ahead of time in the room and just start collecting the SSIDs from people's devices as they come in, and then towards the end of the presentation we flip over to that Pineapple screen and we show all of the networks, and people's mouths just hang open when they see their home internet on that list. It's pretty funny to see, and it really does get people to start to think differently about wireless.
Dennis Pelton: Yes, yeah, and honestly, that's kind of the thing that I love doing the most with things like this. It's kind of, when you can show someone these things in that kind of a way where you show them with this massive impact, and it's just, yeah, people don't even know that kind of stuff is possible. So when you show them something like that where it says, you know, this is your home network, it's just, you know.
Mandi Rae: Yep. I also want to add, I'll get a cat if y'all find me a cat that wears a hoodie, like in your presentation.
Eric Brown:That was the cutest thing I've seen all week. I do love that picture.
Kyle Rosendahl:I don't even know where you'd get a hoodie that tiny, but you got to custom make one. Put the IT Audit Labs logo on it.
Mandi Rae:Man, there you go, you can be our mascot, yeah.
Dennis Pelton:Yeah. The next one is use a guest Wi-Fi for employee devices. This is another one that's very easy to say and it's a lot harder to actually kind of implement out of place. But the, you know, things like the half handshake attack, it requires proximity to a device that knows the password. So if you're talking about your corporate network, you know, if employees' devices are connecting to it and then they're going out to the club or they're going to, you know, wherever they go on vacation.
Dennis Pelton:You know, now the attackers can actually imitate that and get that password. But if they've only ever connected to the guest Wi-Fi, the most they're going to get is the guest network, in which case it doesn't really matter if they have that information. You know, it's not going to remove the risk entirely. It's only going to lower the risk, because the laptops will still have that risk. So if you go to Starbucks and start working on your laptop, your laptop's probably connected to the corporate Wi-Fi. There's not really much of a way around that one, but if at least your phones are not, that does reduce the risk.
Mandi Rae:I think I mentioned this to you outside of the podcast recording, but the imagery within this presentation is amazing. So if you're listening to us audibly and you have a good sense of humor, I encourage you to check out the YouTube. Definitely worth seeing and I appreciate everything you put into this.
Dennis Pelton:Yeah, it was definitely a lot of fun to make. I wanted to make sure it was, you know, even if people thought the content was kind of dry, I figured as long as the memes are there, it should be pretty good.
Mandi Rae:You nailed it. Well thank you.
Dennis Pelton:Yeah, the last one is secure your APs and use, like, rogue AP detection if you can. I've gone to a lot of places where the APs were literally just sitting on employees' desks. They said, well, Tim, part of your desk is taken up now because we need the Wi-Fi to be here, and that's just a bad idea. It's super easy to just swipe that when nobody's looking or swap it out for something else. There's all kinds of terrible things that people could do if they have that physical access to the device. So put them up in the ceiling, hide them, secure them. Whatever it is you can do to keep the physical devices away is going to be a good thing. And then rogue AP detection. Not everything supports it, but I know with the UniFi devices they support it, and I do a lot of Wi-Fi testing here at home and that rogue AP detection works. If you start trying to mimic one of my networks, it's going to throw me an email, and I'm, of course, just going to ignore it because I'm doing it so much myself, but in a normal business you want those kind of alerts.
Dennis Pelton:And then, yeah, use strong passwords and keep your devices updated. The half handshake attack and the crack attack, those both rely on a password that can be cracked with something like aircrack-ng. If you make your password stupid long and really hard, you're just making it a lot harder on someone trying to get in. Karma relies on WPA or WPA2. If you run WPA3, you're going to be in a lot safer place. At least last time I checked it still had not been broken yet. Obviously it's going to be at some point in time. Someone's going to find a flaw, but, you know, it's a lot more secure to be on something like WPA3 than to be on something that we know for a fact is broken and has been automated. And yeah, that's the end.
Eric Brown:A couple questions for you, Dennis.
Dennis Pelton:Yeah, go for it.
Eric Brown:How about VPN? Using a VPN to encrypt that tunnel that might go through a rogue AP? Would that be something that users could do to protect themselves, like at a coffee shop, or something like that?
Dennis Pelton:That's actually a great question. I hadn't really thought about that, but yeah, I mean, it makes sense to me, assuming that your VPN is actually encrypting all of your traffic and not just some of it, because they have those, you know, the ones where it only encrypts the traffic. Yeah, there's the tunnels where it only encrypts the traffic that it needs to, in which case, if you sent out a DNS request for google.com, it's still going to send you to the malicious one. But if you had the kind of more egregious one that's going to encrypt all of your traffic, yeah, I mean, I suspect that everything is going to be piped through, so you're not really going to. At least, you know, in my head I'm trying to think of ways that this attack could still affect someone like that. But yeah, I think that would actually work.
Kyle Rosendahl:And what about something, I mean, just going off what you said with DNS, right? I mean, there's those VPNs where you can use secure DNS and it forces it through those secure servers. What if, like on your workstation or phone, you have a hard-coded DNS inside? Is that going to make a Karma attack more difficult? So you're using a service like Quad9 or OpenDNS or something and you push all your traffic out your devices through that. Are you still hijackable, or is it only if you're automatically configuring your DNS?
Dennis Pelton:So that's actually also a great question. I suspect that it would become a lot harder to hijack that traffic if you were hard coding your, you know, like Quad9s, like you said, or something like that. Yeah, again, honestly, I'm kind of curious to play with that now. Yeah, because I suspect there's probably still a way to do it. In fact, now that I'm thinking about it, I'm betting you could just do some kind of a rule that would redirect any traffic bound for, you know, quad eights, quad nines, quad ones, any of those, and force it to your DNS server. But yeah, it's definitely something that, like, at least personally, I have never attempted to do that. I wouldn't have thought of it before today.
Kyle Rosendahl:So, you know, yeah, just making it a little faster, outrunning the bear, right? Like, probably still vulnerable. You're just making them take another step to get you.
Dennis Pelton:Possibly. But yeah, that does make me want to start playing with that now and see how difficult it would be to still hijack that traffic.
Eric Brown:One other question for you, Dennis, maybe not necessarily related to hacking the Wi-Fi, but a user question that comes up from time to time, and it's around the portals. So when you go to a hotel or you go to a coffee shop, sometimes they present that portal that you need to go through in order to get on the wireless. Sometimes that portal doesn't present. You know, you try to go to a website, the portal doesn't present. Do you have any tips or tricks on how to get on those networks? I've tried things like going to 1.1.1 or 0.0.0 or just, you know, different things like that, but I don't have a foolproof way to be able to get those portals to pop up sometimes.
Dennis Pelton:Sometimes, yeah. So I know, when they set those up, it's usually something where they're basically just redirecting any website to their portal essentially, and so, just kind of out of laziness, they're going to set it up for, you know, *.net, *.com, *.org, and just say send those here. But that does mean that, yeah, if you attempted to go to like infosec.exchange, that's not included, it's going to be blocked because it's not going to the portal, but it's also not going to trigger the portal to come up. Honestly, for me, what I usually do, because I've run into that same thing where I try to go somewhere, the portal doesn't come up, and now I'm kind of in this weird locked state where I'm connected but I'm not able to get on, and I just try going to google.com, because I figure that's your standard user. That's probably going to be their first place they go. That one's got to be in the list of things that's going to get hijacked and redirected to their portal.
Eric Brown:But sure, I've played around with it before and then looked at the IP address that they gave me and then tried to go to .1 on that network to see if that was their gateway. And you know, it's all sorts of things that the general user would do and these things are stuff that happens to the everyday user. So it's, you know, I like your idea there of just suggesting try to go to Google or a common website. That would be captured.
Dennis Pelton:Yeah, although, interesting point about those captive portals. That's another thing that I wish I would have put into my presentation, but I didn't, is that most of those, they're on an unsecured network. They just do the security through the portal rather than through the network, which does mean you could spin up something like a Wi-Fi Pineapple, put on a fake captive portal that, you know, mimics whatever that hotel is, or whatever coffee shop you're in, or whatever, and then asks, you know, please log in with your Gmail account. Well, now you're harvesting Gmail credentials, because anytime somebody connects to your network, it's going to force them to your portal, and now you've captured whatever it is you're trying to capture from them.
Eric Brown:Awesome. Well, Dennis, thank you so much.
Mandi Rae:Well, thank you for joining us on this episode of the Audit. We appreciate our guest Dennis Pelton sharing with us the Wild West Hackin' Fest presentation. If you want to get a hold of Dennis or get more information about him, hit him up on Mastodon at @c0ldbru@infosec.exchange. For more information on IT Audit Labs, you can visit us on our website, itauditlabs.com.
Eric Brown:If you have pictures or a way for a cat to get a hoodie, I think Mandy would be appreciative of that.
Mandi Rae:I need some cat hoodies or pictures of cute cats in hoodies. Well, thanks again, Dennis. Bye guys.
Eric Brown:In the current technology landscape, managing risk, among other operations, can be incredibly challenging. Let IT Audit Labs experts provide a detailed, thorough examination in preparation for your upcoming audit. Contact us to learn more.