Hey everyone, my name is Eric Escobar, and today my talk is going to be on detecting the unseen adversary, which is really just wireless blue teaming with a snappy-sounding name on it. So this talk is gonna be a one-cut take. There's gonna be a lot of ums, a lot of uhs, a lot of me fumbling with my mouse trying to transition a slide. So this is gonna be just as if I were up on stage, and the demo gods are gonna be just as much of a problem. So without further ado, let's talk about me. I like to pose the point that I'm the forever noob. The best thing about computers and computer security is that no one is ever gonna know everything, and the person that says that they do is just completely lying. I started off my professional career as a civil engineer. I got my degrees in civil engineering to build bridges, dams and all these big things that you see out on the highway. I got the opportunity to basically be an analyst at a company; I got a great opportunity there. And we started coming to DEF CON from, I believe, DEF CON 22, and from there I was competing in the wireless capture-the-flags. We won a couple of times, and now I'm one of the village members, and I get to help make the challenges. My full-time job now is as a pentester for Secureworks, where I basically just pentest wireless all day. And this talk is really one of those talks of stuff that isn't crazy super hackery, stuff that isn't completely unobtainable. It's a lot of simple tactics that I used to get into a lot of really large companies. And really this talk stems from the fact that these are conversations that I have with my clients day in and day out, and it'd be really nice to point people in the direction of my overall summary of this stuff. Okay, so: detecting the unseen adversary.
It's like a super marketing title that I'm not in love with, obviously, but whatever, I needed a tagline. So one of the things that I've discovered just doing wireless pentests is that a lot of my clients have robust logging and alerts for all of their internal network security and all their external network security. When I say external, I'm talking about the public internet. So they have firewalls that detect when scans get run; they can detect somebody doing some nefarious stuff on their internal environment. But they almost all fall down when it comes to detecting anything on their enterprise wireless. So any WIDS or WIPS, which is wireless intrusion prevention or intrusion detection, it's basically back in the 90s. There are not a lot of companies that do it, and if they do anything regarding it, it's not really that robust and can get knocked over pretty easily. So, some of the benefits of wireless attacks: I don't have to have any internal access to any network, to any environment. I don't have to sneak in anywhere.
I don't have to clone keys, badges or do any of this. I can typically just post up in a park with a long-range antenna, or sit in some kind of lobby or common area, and I don't need any special access like I would if I were going to try and plug in a device. It's way easier for me to stay anonymous, and I can stay out of sight. And then, especially if I'm attacking somebody's external infrastructure, there's really not any IP addresses that are going to be logged, or anything along those lines that are going to get me caught, or at least create a footprint. So that's a lot of the reasons why I like doing wireless from that kind of standpoint. This is kind of an old image, but it goes back to my old kit, what was founded out of competing in the wireless CTF. Basically, it's just comprised of a little LiPo battery (is that LiPo? No, it's whatever, just a little Anker battery) connected to a Raspberry Pi, and the Raspberry Pi has a USB wireless adapter that I can put in monitor mode. That's an old TP-Link network adapter; it's old compared to today's standards. Now I use something like a Panda that can do 2.4 and 5 GHz frequencies. But at the end of the day, that can easily just fit in my pocket, fit in a backpack, and I can then use my phone to connect into that Raspberry Pi and simply have an airmon screen or any of my normal tools that run off of whatever flavor of operating system you want on that Raspberry Pi. And I can sit there with this device in my pocket pentesting your network, just sitting like any other college student, leaned up against a wall. That wouldn't attract a ton of attention.
I'm not going to be like some of the wild CTF members or competitors that walk around with a laptop in their face, with all these antennas and porcupine stuff all over. I'm not going to be the Wi-Fi Cactus or anything like that when I come to try and pentest your site. And this is just a screenshot of my iPhone, and just some of the things that I can see at a glance. And again, if you just see somebody walking with their cell phone, you're not going to think anything of it, right? And then this is something that we've taken on engagements where we've gone on to a large site that we have to walk around, and really this is just a black backpack. You'd have to look a little bit harder to see that there are actually a bunch of omni and directional antennas, along with a bunch of different network adapters, all put into this backpack. And it's one of those things that if you're not looking for it, these antennas could easily be placed inside of the backpack. But at the end of the day, we've been able to do engagements that cover thousands of acres' worth of a client's site, and there were full-on public people there, there were staff there, there were security people there, and no one saw us. We didn't stick out at all, just because we're normal people with normal backpacks. And again, it's one of those things that it's easy to remain unseen and still do nefarious things. Here's another clip of the backpack.
Basically, it's just some larger Anker batteries hooked into multiple Raspberry Pis, and again, you can see on the right-hand side a bunch of omnidirectional antennas that are just placed, not necessarily covert, but in a way that you'd have to really look at to know what's going on. So I think one of the biggest things, the biggest fly on the wall here, is rogue access points. Everybody, at least I shouldn't say everybody, a large amount of my clients are all very concerned with rogue access points, but they really don't have any idea what they say or what they mean when they talk about rogue access points. And really, by definition, a rogue access point is just any wireless access point that's not within your control that's in your airspace, your physical airspace that you do control, where your access points might be. So really, at the end of the day, technically any phone or any hotspot could be considered a rogue access point, but that's not really what clients most care about. They most care about access points that are designed to mimic their own access points, that their users will then connect to and get tricked into potentially providing credentials or some other type of data that they shouldn't, right? So I'll just give you a couple of examples of what a rogue access point can do. There's this tool that I use from time to time called Wifiphisher, and essentially all that it does is it just stands up a hotspot with whatever name I want to give it, and it will kick off users by de-authenticating them from their current network, with the goal of having them connect to my rogue access point. And when they connect to my rogue access point, I send them to a captive portal, and the captive portal looks like just a simple page; it takes their user agent.
So if they're coming from an iPhone, this would be like the iPhone Wi-Fi screen. This example is coming from a Windows 10 laptop. So when they open up their browser, it looks like, oh man, I need to type in my wireless network key. What most users don't realize (and most users aren't security people or tech wizards that are really gonna analyze this) is that if you have a full-screen browser window open, you'll notice that what's asking for your key is all just rendered in the browser. Now, if a user types in their key and hits Next, that will then submit it to me in clear text, because I run that web server; that's my rogue access point. And then it's configured in such a way that the second they give me a valid credential, it will shut down my rogue access point, so that means an attacker can just automatically say, hey, okay, I'm going to be quiet now; I'm not going to try and draw any more attention to myself. It's one of those things: is this a crazy super sophisticated hacker technique? Absolutely not. Are people in the wireless village going to make fun of me for even probably talking about this? Sure. But at the end of the day, this has gotten me so many credentials that it's kind of sad, and this has been the downfall of so many corporate networks that it's definitely worth mentioning, because people use it, it works as an attack vector, and people are tricked by it. Because at the end of the day, if you're watching this, you're probably a security-minded person, and you would probably say, oh man, there's no way that I would fall for it. But take a step back and think of everybody in your organization that deals with Wi-Fi, that deals with any device that's connected to the internet. Would they fall for it? Well, at the end of the day, I just need a single person to fall for it.
And that's it; I just need one person to fall for it. And then I have your... in this case, it's a pre-shared key, so a WPA2-PSK network. But there are other attacks, such as EAPHammer, that can mimic a corporate network that's WPA2-Enterprise, where a user would type in their credentials, and then I could get hashed credentials, or clear-text credentials if there's a GTC downgrade. But really, at the end of the day, this all surrounds rogue access points and somebody standing up an access point that mimics your own, and being able to detect that it's happening. Because at the end of the day, I'd say that fewer than 10 percent of our clients even know when we stand up a rogue access point, that they're even looking for it, and even if they're looking for it, they may not even get the alerts. I've had plenty of clients that have said, oh yeah, we have rogue access point detection, and after the pentest we went back and looked at our logs and we got all these alerts, but they were never configured to go anywhere. They were never configured to get acted upon, really, is the best case for that. And again, it seems super silly that this is all that my attack vector is: standing up a rogue access point and hoping to phish some credentials. But at the end of the day it works, and just the fact that it works is scary enough, because it's a really old-style kind of attack, really. Rogue access points, like I was talking about, can lead to stolen credentials, if you're using, say, EAPHammer to get WPA2-Enterprise credentials, or in the case of Wifiphisher, you can use that for PSK, so just shared networking like you probably have at home. And that can lead then to a full internal network compromise, so it can lead to compromised workstations. It can also basically lead to data being exfiltrated, right?
So if an end user connects to my access point, I can exfiltrate data off that system without it going through any of the normal controls or processes that it normally would. And then it can also allow users to circumvent corporate policies. So a lot of the time, say your corporation blocks Netflix or Facebook or something, end users might connect their laptop or their mobile device that's work-provided to another rogue access point, in hopes that they can circumvent that, that they can watch Netflix, that they can do any other types of activities that would probably be blocked on any other network. So it's one of those things that end users may not always get tricked; they might willingly connect to other access points to get to whatever stuff they want that's being blocked by corporate policies. And so this is one of these matrices that I like to reference and use. It might seem a little bit dense, but really, at the end of the day, rogue access points are summed up in this way. So the easiest rogue access point for a corporation to detect is an exact match of whatever the SSID is, and the SSID is just their wireless name.
So say that's like "home network 123". You would then see a second "home network 123" with a MAC address of 00:11, all the way through 55. That would be the easiest to detect, because that is completely different from your normal MAC address, and that's just a hardware address that is associated with that wireless radio. The next hardest would be that exact same SSID with just some random characters, a randomly generated MAC address, hardware address. Then as you go down that difficulty scale, or up the difficulty scale, you're going to see an exact match of that SSID with a MAC address that's similar to the MAC addresses of the access points that you run. That might be harder for some intrusion prevention or detection software to detect, since it's something that's similar to what would be expected. And then if you're talking about a larger client, say it's a bank, right? A bank will have multiple branches. Say I went to one bank and copied a MAC address from that site and took it to another branch in the same town, or the same vicinity, where wirelessly they won't touch, but that MAC address is at least valid on the network, right?
And I stand that up as an access point. Well, now the intrusion prevention or detection system is not going to detect me, because it is technically somewhere in the system. The controller will just not have any idea of the geography behind that, and so that makes it harder to detect. And then you keep going, and now you can make, say, your SSID just similar but not an exact match to what that Wi-Fi would be, with again random MAC addresses, and then similar ones, and then going down that same spectrum. At the end of the day, this is just something that an attacker can use to see, okay, well, what level of sophistication does your monitoring, the hardware, the detection system, what does that look like? Because, for example, say you were looking for an SSID that matched exactly and it was cloned from a MAC address of the same site. Well, what happens if there's some weird reflection or attenuation there that makes your wireless signals bounce from place to place? Well, if you're doing detection on a MAC address seen by a different access point, now all of a sudden that gets a lot harder and a lot more complicated of a thing to program, and it's probably gonna generate a lot of false positives. So it's one of these things that, at the end of the day, it's easy to say, oh man,
we need rogue access point detection. But rogue access point detection really is an entire suite of what is an attacker doing, and so it's really important just to break down that nuance and see that some clients might see an exact match of 00:11:22:33:44:55, or maybe even random. But similar to known access points, or cloned from a different site or the same site, that's typically not going to get picked up, and it allows an attacker like myself, who's already attacking wirelessly and is not going to be seen, to basically not trigger any logs or trigger any detection. Which, again, is there some software that can detect that? Absolutely. How many clients actually run it? Not a lot. Again, I've probably been detected less than 5 to 10 percent of the time, which is kind of surprising. And this brings me to: simple is not the same thing as easy, right? All of these things that I've talked about, they're simple to understand, but they may not be that easy to configure, right? And that's an important distinction, because just looking for excessive password spraying, watching for devices that continually try credentials over and over and over and over again... There's been a number of sites where I basically just sprayed an access point with user credentials that I got off LinkedIn, with the attempt of trying to authenticate to their access point, and eventually it worked. Sure, it took a long time; I spent all night trying to associate with credentials until a pair of them worked. But at the end of the day, that's all that it took. And if somebody was watching their logs, they would have seen, wow, 10,000 attempts, that seems a bit strange. But again, a lot of people don't look at their logs. And is that a simple thing for me to say? Yeah, absolutely. Is it easy?
Definitely not. And then same thing: get alerts from rogue access points. A bunch of my clients will have software or some type of controller available to them that will actually look for rogue access points. I mean, at home I run Ubiquiti, and if I check that box, it will determine, hey, there's a rogue access point detected, I'm going to send you a push notification to your phone. There's a lot of end users, a lot of clients, a lot of corporations out there that don't even have that box checked. And even though their controller, even though whatever software they have, is capable of seeing it, they don't even check the box, so they'll never even get that notification, even though their software, their controller, whatever it may be, has that out of the box as an option. And then, have a plan for what to do when you do detect a rogue access point. That's one of those things that's like, cool, you detected a rogue access point; now what? Depending on the size of your site, that might be just taking a walk around the office, or it might be trying to take a walk around a multi-acre area, or an entire campus, or an entire outdoor place, or an entire sporting arena. And so it's one of those things that you have to plan to the scale of your corporation, your company or organization, whatever it may be: how are you going to locate these? Is your controller software capable of saying, this was seen from this access point or from this location? Or is that something you're going to have to deploy? Is there going to have to be somebody trained in that? A lot of times, it's not enough just to detect them.
You have to locate them to see, is this somebody that was doing this nefariously, or is it some error in the system? Being able to distinguish that, and being able to have a game plan for when that happens, will make it less of a panic situation, right? And a lot of that is having a wireless pentest, right? Like knowing where your weaknesses lie before you actually have to rely on your logs and rely on your locating, relying on pretty much everything, right? Really, log your data. It's one of those things: it's simple, it's not easy, to log your data and look at your logs. Because a lot of the time when I'm doing something, when I'm pentesting, all that data is probably logged somewhere, or at least can be enabled, or there's some logging software or something available to you. But people don't look at their logs. Sysadmins have a busy job and typically don't look at their logs or really investigate that stuff, or there may not even be a person dedicated to just wireless. It might just be the network security team, and they don't even bother to ingest their wireless logs that are being generated. So again, all of these things, they're really simple. I feel a little bit sheepish giving a talk about how simple these things are. But each and every one of these things hasn't been done when I've been on a pentest at times, and it's allowed me to compromise a full entire organization, because any number of these, or combination of these, weren't done. And again, they're simple, but they're not easy to enact. And it's just one of those things, again: these are simple ways that somebody could get in.
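An added example, not from the talk: the "they would have seen 10,000 attempts" check from a few paragraphs up, written as a sliding-window detector over RADIUS Access-Reject lines that also records the Access-Accept that follows a spray. The log format, usernames, client MACs and thresholds are all constructed for this example; real controller or RADIUS output needs its own regex.

```python
"""Flag credential spraying against an enterprise SSID from RADIUS reject logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example; adapt LINE_RE to your controller or RADIUS server.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) radius: (?P<result>Access-(?:Accept|Reject)) user=(?P<user>\S+) "
    r"client=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) ssid=(?P<ssid>\S+)$")

def parse(line):
    """Dict for a well-formed line, None otherwise (noise is skipped rather than fatal)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["mac"] = ev["mac"].upper()
    return ev

def detect_spray(lines, window=timedelta(minutes=10), max_rejects=15, max_users=5):
    """One alert per client MAC whose Access-Rejects in a sliding window pass a threshold.

    Many distinct usernames from one radio is a spray (the names-off-LinkedIn case);
    many rejects for a single username is a brute force. An Access-Accept from an
    already-alerted MAC is recorded too, since that is the moment the attacker got in.
    """
    rejects, accepts = defaultdict(list), defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        bucket = rejects if ev["result"] == "Access-Reject" else accepts
        bucket[ev["mac"]].append((ev["ts"], ev["user"]))
    alerts = {}
    for mac, events in rejects.items():
        win = deque()
        for ts, user in sorted(events):
            win.append((ts, user))
            while ts - win[0][0] > window:   # drop rejects older than the window
                win.popleft()
            users = {u for _, u in win}
            if len(win) > max_rejects or len(users) > max_users:
                kind = "password spray" if len(users) > max_users else "brute force"
                alerts.setdefault(mac, {"kind": kind, "first_seen": ts})
                alerts[mac].update(rejects_in_window=len(win), distinct_users=len(users))
    for mac, alert in alerts.items():
        later = [u for ts, u in sorted(accepts.get(mac, [])) if ts >= alert["first_seen"]]
        alert["succeeded_as"] = later[0] if later else None
    return alerts

def sample_log():
    """Constructed sample: a spray from one client that finally works, plus a user mistyping."""
    t0, fmt = datetime(2024, 5, 1, 2, 0, 0), "%Y-%m-%dT%H:%M:%SZ"
    names = ["jsmith", "mjones", "alee", "rpatel", "kbrown", "dnguyen", "cgarcia", "twilson"]
    lines = [f"{(t0 + timedelta(seconds=30 * i)).strftime(fmt)} radius: Access-Reject "
             f"user={names[i % len(names)]} client=02:de:ad:be:ef:01 ssid=CorpWiFi"
             for i in range(40)]                   # one guess every 30 s, cycling the list
    lines.append(f"{(t0 + timedelta(minutes=20)).strftime(fmt)} radius: Access-Accept "
                 "user=rpatel client=02:de:ad:be:ef:01 ssid=CorpWiFi")
    lines += [f"{(t0 + timedelta(minutes=5, seconds=20 * i)).strftime(fmt)} radius: Access-Reject "
              "user=ekim client=C0:FF:EE:12:34:56 ssid=CorpWiFi" for i in range(3)]
    lines.append("controller: some unrelated line the parser ignores")
    return lines

if __name__ == "__main__":
    for mac, alert in detect_spray(sample_log()).items():
        print(mac, alert)
```

The employee who mistypes a password three times never trips either threshold, which is the distinction that keeps this from paging on every typo.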
Those typically aren't covered. Now, okay, so kind of switching gears. There's a bunch of other information that wireless devices emit, and there's far more than this, but I just want to give out the basics of it. But really, devices can allow users to be tracked; you can identify the type of the device; you can see what devices are connected to what networks, just using a tool like airodump, which again is a super old tool but still works great. You can take a look at the screen, and if you're not familiar with the screen, then I'll explain it right now. So if you look at the top-left corner, there's BSSID, and that is basically the access point hardware address. And then down below you see the access point and then devices connected to that access point. And if you just take a quick look, you can see power levels will associate roughly with distance away from that access point; the power level is what you'd be looking at. And then if you can see devices that are connected to that access point, well, MAC addresses are basically handed out, or at least ranges of them are handed out, to hardware manufacturers, and they can be identified by just a couple of octets. So if you were to plug in... hold on, I'll switch back. If you look at this, you'll see that 18:B4:30, if you were to plug that into Google, what that gets you is that it says, oh, that's Nest. And so from that I can say, okay, well, maybe they have a Nest camera on this network; should I look for Nest cameras? Maybe there is a Nest thermostat. And so basically, as an attacker, I don't need to know what your username or your password is.
I don't need to know really anything else about your company, organization or wireless networks, because I can see all of that in the clear. I can see at least what types of devices are connected. And so really, it's one of these things, I know I'm going to keep saying it over and over and over and over, but it's simple to detect somebody like me on your network, but it's typically not easy. And really, I just want this to be one of those wake-up calls that if you are a sysadmin, if you do control wireless networks, to take a look at the security policies, the monitoring capability that you have, because at the end of the day, you don't want to be scrambling if you do detect something, or if you do detect a breach or some weirdness. And again, I think just going back to this last slide and showing: check for password spraying; check for any rogue access points that are in your area; have a plan on how to locate them; understand what data somebody like me can see; know how far your access points broadcast; log the data that you do collect, that you have the capability of collecting, and then look at it from time to time and notice if there's anything strange or weird; and then maybe build some policies out to alert you if anything funky does look like it's happening. Again, I think this is all simple. It's not always easy to configure. So hopefully that was helpful. I will be around in the wireless village if anybody wants to send me questions, and maybe I'll add some contact information to this on the page after it gets posted. But again, I hope it's helpful.
I know this may seem like a super 101, easy-mode talk, but each and every one of these aspects is something that one of my clients has potentially not done that has led me to compromise their organization. And if everybody looked at this and had this in the back of their mind, if you're a sysadmin that controls networks, or maybe you're not even a sysadmin that controls your wireless networks but you could bring this to them, it would go pretty darn far, because at the end of the day, everybody has logging in place for their external network infrastructure and for their internal network infrastructure. But wireless, for some reason... it is the extension of your internal network beyond your walls, potentially, and it can let somebody like me, or somebody worse than me, somebody who actually is trying to do some harm to your network, in, and you won't even see them. You won't even know that they're there. They will be, to your eyes, unseen. Again, hopefully it's helpful. I know this may seem like kind of a 101-ish talk, but it might be something that you need to hear. So take it forward; it's worth it. And if you have any questions, feel free to contact me, and I'll be in Discord. All right, talk to you guys later.
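As an added example (not from the talk, and not any vendor's rogue detection logic), the rogue access point matrix from the middle of the talk, exact or look-alike SSID crossed with an unrelated, random, vendor-similar or cloned-from-another-branch MAC, written as a classifier over a constructed AP inventory; the vendor-similar check is the same first-three-octets OUI lookup as the 18:B4:30 -> Nest example, and the cloned-from-another-site case carries the reflection/RF-bleed false-positive caveat. The SSIDs, branch names, the OUI C0:FF:EE and every BSSID are constructed sample values.

```python
"""Classify observed beacons against an AP inventory using the SSID/MAC rogue matrix."""
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str  # "AA:BB:CC:DD:EE:FF"
    site: str   # inventory: where installed; observation: which sensor heard it

def oui(bssid):
    """First three octets, the vendor block (the 18:B4:30 -> Nest lookup works on this)."""
    return bssid.upper()[:8]

def is_locally_administered(bssid):
    """Bit 1 of the first octet set means a software-assigned MAC, not a burned-in one.
    Only a hint: an attacker can choose any MAC, so 'random' here means 'not vendor-looking'."""
    return int(bssid[:2], 16) & 0x02 != 0

def _norm(ssid):
    return ssid.lower().replace(" ", "")

def ssid_relation(seen, corp_ssids):
    """'exact', 'similar' (a look-alike such as Corp-WiFi vs CorpWiFi) or 'unrelated'."""
    if seen in corp_ssids:
        return "exact"
    if any(SequenceMatcher(None, _norm(seen), _norm(c)).ratio() >= 0.8 for c in corp_ssids):
        return "similar"
    return "unrelated"

def mac_relation(seen, inventory):
    """Where the observed BSSID sits relative to the inventory; later cases are harder to flag."""
    known = {ap.bssid.upper(): ap for ap in inventory}.get(seen.bssid.upper())
    if known is not None:
        return "inventory-same-site" if known.site == seen.site else "cloned-other-site"
    if oui(seen.bssid) in {oui(ap.bssid) for ap in inventory}:
        return "similar-oui"  # same vendor block as our own APs
    if is_locally_administered(seen.bssid):
        return "random"
    return "unrelated"  # the 00:11:22:33:44:55 case: trivially different from ours

# Rough ranking of how hard each case is for a controller to flag; a look-alike SSID adds 4.
MAC_DIFFICULTY = {"unrelated": 0, "random": 1, "similar-oui": 2, "cloned-other-site": 3}

def classify(observed, inventory):
    """Findings for beacons impersonating a corporate SSID, hardest to detect first."""
    corp_ssids = {ap.ssid for ap in inventory}
    findings = []
    for ap in observed:
        ssid_match = ssid_relation(ap.ssid, corp_ssids)
        if ssid_match == "unrelated":
            continue  # neighbour's network or a phone hotspot, not mimicking us
        mac = mac_relation(ap, inventory)
        if mac == "inventory-same-site":
            continue  # one of our own APs, heard where it should be
        note = "verify on site: cloned BSSID or RF bleed from a nearby branch" if mac == "cloned-other-site" else ""
        findings.append({"ssid": ap.ssid, "bssid": ap.bssid.upper(), "site": ap.site,
                         "ssid_match": ssid_match, "mac_relation": mac, "note": note,
                         "difficulty": MAC_DIFFICULTY[mac] + (4 if ssid_match == "similar" else 0)})
    return sorted(findings, key=lambda f: f["difficulty"], reverse=True)

# Constructed sample data: a two-branch inventory plus what a sensor at branch-A heard.
INVENTORY = [AccessPoint("CorpWiFi", "C0:FF:EE:AA:00:01", "branch-A"),
             AccessPoint("CorpWiFi", "C0:FF:EE:AA:00:02", "branch-A"),
             AccessPoint("CorpWiFi", "C0:FF:EE:BB:00:01", "branch-B")]
OBSERVED = [AccessPoint("CorpWiFi", "C0:FF:EE:AA:00:01", "branch-A"),     # our own AP
            AccessPoint("CorpWiFi", "00:11:22:33:44:55", "branch-A"),     # exact SSID, unrelated MAC
            AccessPoint("CorpWiFi", "02:DE:AD:BE:EF:01", "branch-A"),     # exact SSID, random MAC
            AccessPoint("CorpWiFi", "C0:FF:EE:AA:00:99", "branch-A"),     # exact SSID, our vendor's OUI
            AccessPoint("CorpWiFi", "C0:FF:EE:BB:00:01", "branch-A"),     # branch-B's BSSID heard at A
            AccessPoint("Corp-WiFi", "00:AA:BB:CC:DD:EE", "branch-A"),    # look-alike SSID
            AccessPoint("NeighborNet", "00:99:88:77:66:55", "branch-A")]  # unrelated SSID, ignored

if __name__ == "__main__":
    for f in classify(OBSERVED, INVENTORY):
        print(f["difficulty"], f["ssid"], f["bssid"], f["ssid_match"], f["mac_relation"], f["note"])
```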