This is a cross-post from the GDS Labs blog. The original post can be found here: https://blog.gdssecurity.com/labs/2017/8/31/whitepaper-the-black-art-of-wireless-post-exploitation-bypas.html
At DEF CON 25 and Hackfest 0x9 I introduced a novel attack that can be used to bypass port-based access controls in WPA2-EAP networks. I call this technique an Indirect Wireless Pivot. The attack, which affects networks implemented using EAP-PEAP or EAP-TTLS, takes advantage of the fact that port-based access control mechanisms rely on the assumption that the physical layer can be trusted. Just as a NAC cannot effectively protect network endpoints if the attacker has physical access to a switch, a NAC can also be bypassed if the attacker can freely control the physical layer using rogue access point attacks. The fact that this technique is possible invalidates some common assumptions about wireless security. Specifically, it demonstrates that port-based NAC mechanisms do not effectively mitigate the risk presented by weak WPA2-EAP implementations.
While creating the Indirect Wireless Pivot, I also developed a second technique that I’ve named the Hostile Portal Attack. This second technique can be used to perform SMB Relay attacks and harvest Active Directory credentials without direct network access. Both techniques are briefly described below, and in greater detail in the attached PowerPoint slides and whitepaper.
HOSTILE PORTAL ATTACKS
This is a weaponization of the captive portals typically used to restrict access to open networks in environments such as hotels and coffee shops. Instead of redirecting HTTP traffic to a login page, the hostile portal redirects traffic to an SMB share located on the attacker’s machine. The result is that after the victim is forced to associate with the attacker using a rogue access point attack, any HTTP traffic generated by the victim will cause the victim’s machine to attempt NTLM authentication with the attacker. The attacker also performs an LLMNR/NBT-NS poisoning attack against the victim. The Hostile Portal attack gets you results that are similar to what you’d expect from LLMNR/NBT-NS poisoning, with some distinct advantages:
- Stealthy: No direct network access is required
- Large Area of Effect: Works across multiple subnets – you get everything that is connected to the wireless network
- Efficient: This is an active attack that forces clients to authenticate with you. The attacker does not have to wait for a network event to occur, as with LLMNR/NBT-NS poisoning.
INDIRECT WIRELESS PIVOTS
The Indirect Wireless Pivot is a technique for bypassing port-based access control mechanisms using rogue access point attacks. The attacker first uses a rogue AP attack to coerce one or more victims into connecting. A Hostile Portal Attack is then combined with an SMB Relay attack to place a timed payload on the client. The rogue access point is then terminated, allowing the client to reassociate with the target network. After a delay, the payload will execute, causing the client to send a reverse shell back to the attacker’s first interface. Alternatively, this attack can be used to place an implant on the client device.
POWERPOINT SLIDES AND WHITEPAPER:
For an in-depth look at both of these attacks, check out the PowerPoint slides and whitepaper on the subject.