The Black Art of Wireless Post-Exploitation

Presented at BSidesDC 2017, Oct. 8, 2017, 1:30 p.m. (50 minutes).

Wireless is an inherently insecure protocol. Most companies recognize this, and focus their resources on minimizing the impact of wireless breaches rather than preventing them outright. During red team engagements, the wireless perimeter is cracked within the opening days of the assessment, or it isn't cracked at all. From an attacker's perspective, the real challenge lies in moving laterally out of the isolated sandbox in which network administrators typically place their wireless networks. Enterprise network teams are typically aware of this fact, and many will attempt to justify weak wireless perimeter security by pointing out how difficult it is to pivot from the WLAN into production.

However, preventing an attacker from doing so is only easy when the network in question is used exclusively for basic functions such as providing Internet connectivity to employees. When wireless networks are used to provide access to sensitive internal infrastructure, the issue of access control gets significantly messier. A door must be provided through which authorized entities can freely traverse. As with cryptographic backdoors, a door that requires a key is a door no less.

In this presentation, we will focus on methods through which red team operators can extend their reach further into the network after gaining their initial wireless foothold. We'll begin with a quick recap on how to use rogue access point attacks to breach all but the most secure implementations of WPA2-EAP. We'll then demonstrate methods of evading the most commonly used methods of WLAN access control, and explore whether segmentation of a wireless network is truly possible. Finally, we will demonstrate how contemporary network attacks can be combined with wireless man-in-the-middle techniques to create brutal killchains that would be impossible to achieve over a wired medium.


Presenters:

  • Gabriel Ryan / solstice - Security Engineer at Gotham Digital Science   as Gabriel Ryan
    Gabriel Ryan is a security consultant and researcher with a passion for wireless and infrastructure testing. He currently works for Gotham Digital Science at their New York office, where he provides full scope red team penetration testing capabilities for a diverse range of clients. He also contributes heavily to his company's research division, GDS labs. Previously, Gabriel has worked as a penetration tester and researcher for the Virginia-based defense contractor OGSystems, and as a systems programmer for Rutgers University. He also is a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.

Links:

Similar Presentations: