
Thread: The right tools for the job...

  1. #1
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    7

    The right tools for the job...

    I guess this is the best place to post this.

    1st of all, I would like to start off by saying Thank you. Not only for the collecting of tools and the proper environments to use them, but for the seeming wealth of knowledge I've already come across on this forum.

    I am a Linux "newbie" and even more so a BT newbie. I've messed around with Linux a handful of times over the past few years, but always ended up going back to Windows because it is what I know and am comfortable with. But as I always say to others, comfort breeds laziness.

    I happened upon BackTrack because I was looking for a way not only to detect a hidden rogue AP in one of my branches at work, but also a way to crack it, to demonstrate not only to the user (who will eventually be fired for putting unauthorized network equipment on our network) but to his boss and the higher-ups as well the reason we currently do not allow WAPs at our branch locations. I went looking for information on how to do this on YouTube and came across several demonstrations as well as somewhat newbie-proof tutorials. My experience with Linux has been mostly with a very basic setup of RHEL 3.5 for file servers at work and a few months of Ubuntu starting with 7.10.

    I recently found Mint7 which I actually do like a lot and since it is built off of Ubuntu it's somewhat familiar.

    Now to the meat of this topic. The equipment I am working with...

    Dell Latitude D630, 2.2ghz C2D CPU, 4gb of ram, with an nVidia M135 (256mb) video card. The internal wlan card is a Broadcom 1395. But I do have an ALFA AWUS036H to work with this system as well as a spare Broadcom 1390 (which I know works in BT3 and BT4)

    Also a Dell Vostro A90 (business class version of the Mini9), Atom N270 1.6ghz cpu, 2gb Kingston HyperX ram, Intel GMA950 video and internal Broadcom 1390 wlan.

    I have BT4-PF on a persistent 8gb usb flash and have just set up BT3 on a persistent 8gb usb flash as well.

    1st job: penetrate and crack the rogue AP in the branch, as well as research best practices so that someday, hopefully soon, we could actually deploy WAPs at branches with some type of security to help defend against the wrong crowd. I've just started looking into OpenVPN for this thanks to a suggestion from someone.

    I am still trying to find the best way to defeat this rogue AP, which I suspect is an Airport Extreme. I know that it is not broadcasting its SSID. I know this because the last time I was at the branch, my Windows laptop was not detecting it, yet two people in that branch were connected to it. My 1st question is, which version of BT would be best suited for starting out? I would like to assume it would be BT4 since it too is Ubuntu based and the tools in the setup are fairly up to date. However, with BT3 being out as long as it has, I kind of figured it might be the way to go, with possibly some tool updates. I've been trying to get myself familiar with the aircrack suite as well as cowpatty. I've been practicing on an Airport Extreme (although probably an older model than what is in the branch) but can never seem to get enough of the handshake for cowpatty, using one of the rainbow tables from O-S.com's site to get cowpatty to start cracking it.


    2nd: learn the method of attack and remote logging of Bluetooth and RF keyboards (not as severe as the first job, but something I want to show the higher-ups as well).

    Is the equipment I have listed adequate enough for the jobs listed? Would a different wlan adapter work to a higher benefit for this task?

    I know this is somewhat long winded and I apologize for that. I'm just trying to give enough information as to the circumstances of my situation so that I might be able to get a more informed opinion or method of attack.

    Thank you guys again for what I have been able to find on this forum so far. I look forward to the education ahead of me.

  2. #2
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462


    Hi Mr Faust,

    First off, there are a ton of more experienced people on this forum. I consider myself a noob as well. Their advice is probably much better than mine, but I have dealt with this issue so I am going to go ahead and post.

    What is your role in the company? Are you part of the IT dept. or just an employee who shares an interest in security?

    A lot of people here are going to shoot you down, and rightfully so. BackTrack should not be used on a live network, even your own company's, without explicit written permission from whoever manages that part of the company. You could be setting yourself up for a legal issue if you try to do something you don't have permission to. You also might want to consider who you want to "hack" into. If this rogue AP belongs to a branch manager you might be barking up the wrong tree by "demonstrating" how insecure this is. Another point is that it sounds like you don't know what you are doing (respectfully speaking, regarding using BackTrack); you could end up making things worse for the network.

    If you are in a position of being able to do what you were saying, you might want to see if your company will invest in taking some of the training from Online Security Training from the Creators of BackTrack. The pentesting101 course with BackTrack is an amazing course, as well as the Wireless class. I have taken both and highly recommend them.

    As for the original issue, this can be done many ways. If you do work in the IT dept. for your company you ought to have some switch-level/router-level access. You can start by sniffing the traffic with wireshark or airodump-ng, then block the port (either by MAC address or by turning off the port) on the switch, or create an ACL on the router. This is assuming someone just purchased a wireless AP, for example, and plugged it into a port, picking up an IP on your network. A lot more information is needed about how your network is managed to proceed.

    It sounds like you really want to learn BackTrack; you ought to consider the classes offered by the remote-exploit team I posted above. Hope this helps.

  3. #3
    killadaninja (Very good friend of the forum)
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526


    Please forgive me if I misunderstood, but there seem to be inconsistencies in what you are saying.

    "but can never seem to get enough of the handshake for cowpatty"

    What "handshake" are you talking about exactly? You mention rainbow tables, so I am going to presume you mean a WPA handshake. Well, the point I make is that you also say

    "I know this because the last time I was at the branch, my Windows laptop was not detecting it, yet two people in that branch were connected to it"

    Well, if this WAP is WPA or WEP-SKA protected, the users of the connected machines would have had to acquire the key, so why don't you just ask them about it?

    If what you mean is that when you were scanning you noticed that 2 clients were connected to the AP, and that you don't actually know which machines were the clients, then a cheap directional antenna for your AWUS036H will home you in to within a few feet of the client using the power readings on your software.

    Now, if what you are saying is that someone has set up a complete rogue AP within your facility with a login page stealing credit details etc., then an unbroadcast SSID doesn't make much sense. In fact it makes 0 sense.

    Do you understand why I'm confused? I am not accusing you of anything, just giving you the points you need to clear up so we can help you.
    Sometimes I try to fit a 16-character string into an 8-byte space, on purpose.

  4. #4
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    7


    Thanks for the comments and obviously the concerns. Yes, I am a part of the IT department. I run our company's helpdesk, so therefore I am the one who interacts with the users more than the other guys.

    A little more detail on the situation. The user in question had logged a ticket needing some software installed on his machine. We have restricted software installation by users for more than obvious reasons. I remoted into the user's system to do the install and noticed his wireless NIC was actively connected to a WAP. Knowing that we do not have any WAPs deployed in the field, I checked real quick to see the BSSID of the one he was connected to. I am personally familiar with that office and know that the two other businesses around that office's location do have WAPs, but they are WPA secured. Plus, the user actually put his last name as part of the BSSID. The next day I ended up "needing" to do some routine maintenance at that branch after advising my boss of the situation.

    While doing some "malware and virus scanner updates" on the laptop users' systems, since they leave our network regularly, I scouted around each of the systems to check for preferred wireless networks. This is when I learned that one of the other employees had been accessing this WAP as well, although he was smart enough to turn off his wireless NIC sometime before I got to his office, since I normally check in with the branch managers upon arrival to advise them of what I am doing there that day. During this time I had brought my own work-issued laptop and fired it up to see if I could detect any WAPs in use. This was before I started experimenting with BT and the aircrack suite. At this point the AP "Bobs_Airport" was broadcasting. The user whose system I was working on came back to his office to ask a few semi-technical questions about our BlackBerries, at which time he saw me turn off his NIC. He shortly thereafter sent what I can only assume was a text message to the other user, because two minutes later I refreshed my laptop to check for APs and the rogue was now gone.

    Two days later I drove back to that branch and parked outside next to the building. I had during this time discovered BT4 and aircrack. After watching a few demos on YouTube I decided to sit outside and scan for the AP. At this point the AP is not showing up in the Windows wireless network manager, nor is it showing up in airodump. However, the MAC addresses for the two laptops associated with the rogue are showing up. I ended up needing to put a fresh image on one of the laptops that had been connecting to the AP. So I took it back to my office to do the imaging since I didn't bring Ghost or my portable image drive with me that day. I returned the laptop the next day with a fresh image and checked for the AP real quick via the Windows network manager. It did not show up. I later remoted into the user in question's system after hours and saw that he was still connected to the AP, so this would lead me to believe that they, the two users, know that I am aware of the AP and are trying to hide it now by turning off the broadcasting of the SSID. I don't believe these guys are using the AP for nefarious reasons, but more so out of plain laziness, to be able to access the internet on their iPhones and/or iTouches while at work, which is pretty funny to me personally since their line is a fractional T1 that is always slow, but still. My concern is the fact that once connected to the AP, which I did later on one of the users' systems, I was able to connect to the available network shares as well as our proprietary software which can only be accessed inside our network.

    I do have express permission not only from my direct boss, but from one of the owners of the company as well. We are not a large company, so dealing with the owners on a daily basis is a common occurrence. The owner that we deal with directly is aware of the situation that is going on. And while he has some technical background and basic understanding of things, he doesn't get involved in the details. But he wants to know if this type of situation is a danger, how so, how someone could exploit it if they were so inclined, and what steps we could take to prevent any exploitation if we decided to later deploy secure WAPs at the branches, since he can see a possible use for them in the future.

    I actually got my practice Airport Extreme from the owner my department deals with directly. His home network is all Mac related and he has recently updated one of his routers at home. The "handshake" that I am referring to is, while running an airodump session, sending a deauth to kick a client off the AP to get the WPA handshake so that I can run the cap against one of the WPA rainbow tables I downloaded from offensive-security's website. However, when doing this, cowpatty returns an error saying there is not enough information there and that I should try to get more of the 4-part handshake.

    I had discussed this issue with someone else recently who does pentesting. His suggestion was, instead of trying to "crack" the WPA2 AP, rather to "clone" it if possible by creating a fake AP and somehow overloading the real AP so that the users would therefore connect to the fake AP, giving up the credentials we need to access the real AP. I'm not sure what all would be involved in setting up this situation, but from what I've briefly read so far, mdk3 can possibly be used to get there.

    As for the courses, this exercise that I am doing is also partially to get the owner to pay for some of these classes. And even if the classes are 101, I would think there is still an assumption of basic knowledge before starting them. So I'm learning what I can now to be acquainted with at least some of the tools and the environment they are used in.

    Obviously there is going to be some reserve on the part of the other users here in answering some of these questions because I am "new" to this forum. Plus the tactics here could always have a blackhat purpose. But I would argue that anything discussed on this forum can be used in that manner. But being cautious is never a bad thing. Thanks again for the input.

  5. #5
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462


    Something to consider is if the employees are "on to you" and are smart enough to remove the SSID and use WPA2 they could be smart enough to use a complex password that might take forever to crack. This of course is not always the case but something to consider.

    I don't believe these guys are using the AP for nefarious reasons, but more so out of plain laziness, to be able to access the internet on their iPhones and/or iTouches while at work, which is pretty funny to me personally since their line is a fractional T1 that is always slow, but still. My concern is the fact that once connected to the AP, which I did later on one of the users' systems, I was able to connect to the available network shares as well as our proprietary software which can only be accessed inside our network.
    Do you guys have a security policy in place? Does it specify no wireless? The easiest thing to do would be to send it out globally to remind everyone not to use wireless and that it is against company policy to set up an AP. More than likely, out of fear, they will disable it. If not, just go talk to them. It seems you have an idea of who these users are. I am sure they don't want to lose their jobs, and that will probably be the easiest and best thing to do.

    I know that's probably not the cool haxor way, but it's the most practical and easiest to implement.

  6. #6
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    7


    Upon finishing up my last post I received an email update. The CEO inquired about the status of this project and was advised that we still had not "cracked" the AP but had blocked it at the switch. He then sent an email to that branch manager letting them know what was going on in the branch and to have both the user removed from his post and all equipment in his office disabled and collected for our pickup tomorrow, since the user had actually been told about violations of company policies regarding not only unauthorized equipment but unauthorized software as well. We assume he has had adequate time to remove his AP by now.

    However, now my direct boss still wants me to continue the course of action with our test router as well as come up with a way to set up a monitoring station at each branch for this type of occurrence until we get a plan together to deploy secure APs at each branch. So the push is no longer as dire as it was, but the motivation is still there. I've been discussing with him the courses offensive-security offers to help with the training in this area. Hopefully I will get a positive answer by the end of the week.

    While I am still very new to this, I feel I've already learned a decent amount in the last two weeks to get a decent handle on this for future endeavors.

  7. #7
    Archangel-Amael (Super Moderator)
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012


    Your CEO did the right thing.
    As was stated above a security policy in place will help to curtail these sort of activities.
    A policy that was read/signed by the employees is generally never going to be a bad thing.

    Although there will still be people who may try, seems that a lot of times a friendly reminder is all that is needed to make the problem "go away".
    I might suggest that in addition to your other "learnings" you look into HIDS/WIDS; Snort comes to mind, to help mitigate what gets connected to the network. Anything "new" that is not authorized by IT would set off an alarm.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.
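A worked example of what the branch-level "monitoring station" discussed above could do with airodump-ng's CSV output, in the spirit of the WIDS suggestion: it compares every BSSID airodump-ng observed against the list of APs IT actually deployed, and ranks highest any unauthorized AP that corporate laptops are associated with, including an AP that never beacons and only shows up through its clients' MACs, which is the situation described earlier in the thread. This is an added example, not code from the thread or from the aircrack-ng project. The capture, the authorized BSSID list and the laptop inventory are constructed; the only assumption about the real tool is the column layout of the CSV that airodump-ng writes with its -w option.

```python
"""Flag unauthorized and hidden access points from an airodump-ng CSV dump.

Added example (not from the thread or the aircrack-ng project). It models the
branch "monitoring station" idea: compare what airodump-ng observed with the
list of BSSIDs IT actually deployed, and treat an AP that corporate laptops are
associated with as the most urgent finding. All sample data is constructed.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed capture in the layout airodump-ng writes with -w: an AP section,
# a blank line, then a station section. The third AP beacons with a zero-length
# ESSID (hidden SSID); a fourth AP never beaconed at all and appears only as the
# BSSID one of our laptops is associated with.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-01-10 10:00:01, 2010-01-10 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  300,  0,   0.  0.  0.  0,  9, CORP-WLAN, 
00:AA:BB:CC:DD:EE, 2010-01-10 10:00:03, 2010-01-10 10:05:00, 11,  54, WPA , TKIP, PSK, -70,  120,  0,   0.  0.  0.  0, 10, NeighborCo, 
00:1F:F3:AA:BB:CC, 2010-01-10 10:00:05, 2010-01-10 10:05:00,  1,  54, WPA2, CCMP, PSK, -55,  250,  0,   0.  0.  0.  0,  0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:21:6A:11:22:33, 2010-01-10 10:00:10, 2010-01-10 10:04:58, -50,   80, 00:1F:F3:AA:BB:CC, 
00:21:6A:44:55:66, 2010-01-10 10:01:10, 2010-01-10 10:04:59, -60,   40, 00:1F:F3:AA:BB:CC, Bobs_Airport
00:21:6A:77:88:99, 2010-01-10 10:02:10, 2010-01-10 10:04:50, -45,   12, 00:1F:F3:DD:EE:FF, 
00:21:6A:AA:BB:CC, 2010-01-10 10:02:40, 2010-01-10 10:04:55, -48,    5, (not associated), CORP-WLAN
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: str
    privacy: str
    essid: str
    hidden: bool
    clients: list = field(default_factory=list)


def parse_airodump_csv(text):
    """Return ({bssid: AccessPoint}, [(station, bssid, probed_essids)])."""
    ap_part, _, station_part = text.partition("\n\n")
    aps = {}
    for row in csv.reader(io.StringIO(ap_part), skipinitialspace=True):
        if not row or row[0] == "BSSID":
            continue
        row = [c.strip() for c in row]
        bssid, channel, privacy, id_len, essid = row[0].upper(), row[3], row[5], row[12], row[13]
        hidden = id_len == "0" or essid == "" or essid.startswith("<length:")
        aps[bssid] = AccessPoint(bssid, channel, privacy, essid, hidden)
    stations = []
    for row in csv.reader(io.StringIO(station_part), skipinitialspace=True):
        if not row or row[0] == "Station MAC":
            continue
        row = [c.strip() for c in row]
        stations.append((row[0].upper(), row[5].upper(), row[6]))
    return aps, stations


def find_rogues(aps, stations, authorized_bssids, corporate_clients):
    """Return (severity, bssid, essid, clients) for every AP not on the
    authorized list, most urgent first."""
    allowed = {b.upper() for b in authorized_bssids}
    corporate = {m.upper() for m in corporate_clients}
    for station, bssid, _probes in stations:
        if bssid == "(NOT ASSOCIATED)":
            continue
        if bssid not in aps:
            # Traffic to a BSSID whose beacons were never captured: the case in
            # the thread, where only the clients' MACs showed up in airodump.
            aps[bssid] = AccessPoint(bssid, "?", "?", "", hidden=True)
        aps[bssid].clients.append(station)
    rank = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    findings = []
    for ap in aps.values():
        if ap.bssid in allowed:
            continue
        if set(ap.clients) & corporate:
            severity = "HIGH"    # our laptops are bridged to a network IT does not control
        elif ap.clients or ap.hidden:
            severity = "MEDIUM"  # unknown clients, or an AP that deliberately hides its name
        else:
            severity = "INFO"    # most likely a neighbouring business's AP
        findings.append((severity, ap.bssid, ap.essid or "<hidden>", sorted(ap.clients)))
    findings.sort(key=lambda f: rank[f[0]])
    return findings


AUTHORIZED_BSSIDS = {"00:11:22:33:44:55"}                        # constructed: IT's own AP
CORPORATE_CLIENTS = {"00:21:6A:11:22:33", "00:21:6A:44:55:66",   # constructed laptop inventory
                     "00:21:6A:77:88:99", "00:21:6A:AA:BB:CC"}


def report(text=SAMPLE_CSV):
    aps, stations = parse_airodump_csv(text)
    return find_rogues(aps, stations, AUTHORIZED_BSSIDS, CORPORATE_CLIENTS)


if __name__ == "__main__":
    for severity, bssid, essid, clients in report():
        print(f"{severity:6} {bssid}  {essid:12} clients={', '.join(clients) or '-'}")
```

Run against a real dump by passing the contents of the airodump-ng CSV file to report(); the allow-lists are the part a branch deployment has to maintain, and the "HIGH" findings are the ones worth an alarm, since an unauthorized AP with no corporate client on it is usually just the business next door.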

  8. #8
    Barry (My life is this forum)
    Join Date
    Jan 2010
    Posts
    3,817


    Quote Originally Posted by MrFaust View Post
    Upon finishing up my last post I received an email update. The CEO inquired about the status of this project and was advised that we still had not "cracked" the AP but had blocked it at the switch. He then sent an email to that branch manager letting them know what was going on in the branch and to have both the user removed from his post and all equipment in his office disabled and collected for our pickup tomorrow, since the user had actually been told about violations of company policies regarding not only unauthorized equipment but unauthorized software as well. We assume he has had adequate time to remove his AP by now.

    However, now my direct boss still wants me to continue the course of action with our test router as well as come up with a way to set up a monitoring station at each branch for this type of occurrence until we get a plan together to deploy secure APs at each branch. So the push is no longer as dire as it was, but the motivation is still there. I've been discussing with him the courses offensive-security offers to help with the training in this area. Hopefully I will get a positive answer by the end of the week.

    While I am still very new to this, I feel I've already learned a decent amount in the last two weeks to get a decent handle on this for future endeavors.
    Easiest way is to enable port security (I think that's the name) on your switches. Only allow the computer at the desk to connect to the port. Any other devices make the port turn off.

    I've also found the best tool for this is a hammer.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  9. #9
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462


    Well, looks like they got what they deserved.

    An easy way to implement security is at the switch level. What type of switch are you using? For example, Cisco uses port-security. I am sure almost all business switches have something similar, if not the same.

    Lock down Cisco switch port security

    It's a little tedious but free, and this will eliminate anyone plugging an AP, notebook, or anything into a live port without the corresponding MAC associated to that port. If someone tries to plug something else in, the port will error-disable and you will know when and where someone tried to do this.

    Also turn off ports not being used. How did the user get an AP going? Did they have to disconnect something to plug it in? It's good practice to only have what needs to be connected activated.

    edit: Doh, was typing when Barry posted same thing.
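To make concrete what the two posts above describe, here is an added model of access-switch port security: each port admits at most one source MAC (statically configured, or learned from the first device seen), a further MAC is a violation that either err-disables the port or drops the frame and logs it, and a port IT has shut down carries nothing. This is not code from the thread and not any vendor's configuration language; the port names, MAC addresses and frame sequence in demo() are constructed, and the commands that achieve the same thing differ between Cisco IOS and the Dell PowerConnects mentioned in the thread.

```python
"""Model of access-switch port security, added to illustrate the advice above.

Not code from the thread and not any vendor's configuration language. It shows
the mechanism: each access port admits at most `maximum` source MACs (statically
configured or learned from the first frames seen); a further MAC is a violation
that either err-disables the port ('shutdown') or drops the frame and logs it
('restrict'); ports IT has shut down carry nothing. Port names, MACs and the
frame sequence in demo() are constructed.
"""
import re
from dataclasses import dataclass, field

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Port:
    name: str
    enabled: bool = True            # False models an unused port IT has shut down
    port_security: bool = False
    maximum: int = 1                # secure MACs allowed on the port
    violation: str = "shutdown"     # 'shutdown' = err-disable the port, 'restrict' = drop + log
    allowed: set = field(default_factory=set)   # statically configured secure MACs
    learned: set = field(default_factory=set)   # MACs learned from traffic (sticky)
    err_disabled: bool = False
    violations: int = 0


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.log = []               # what the admin sees: when, where and which MAC

    def receive(self, port_name, src_mac, when):
        """Apply port security to one frame's source MAC. Returns 'forward' or 'drop'."""
        port = self.ports[port_name]
        mac = normalize_mac(src_mac)
        if not port.enabled or port.err_disabled:
            return "drop"
        if not port.port_security:
            return "forward"
        secure = port.allowed | port.learned
        if mac in secure:
            return "forward"
        if len(secure) < port.maximum:
            port.learned.add(mac)
            self.log.append(f"{when} {port.name}: learned secure MAC {mac}")
            return "forward"
        # An unexpected device on the port: a violation in either mode.
        port.violations += 1
        if port.violation == "shutdown":
            port.err_disabled = True
            self.log.append(f"{when} {port.name}: violation by {mac}, port err-disabled")
        else:
            self.log.append(f"{when} {port.name}: violation by {mac}, frame dropped")
        return "drop"

    def err_disabled_ports(self):
        return sorted(p.name for p in self.ports.values() if p.err_disabled)


def demo():
    """Constructed scenario: a desk PC pinned to Gi0/1 (shutdown mode), Gi0/2 in
    restrict mode that learns its first device, and an unused Gi0/3 IT shut down."""
    sw = Switch([
        Port("Gi0/1", port_security=True, allowed={normalize_mac("00:21:6A:11:22:33")}),
        Port("Gi0/2", port_security=True, violation="restrict"),
        Port("Gi0/3", enabled=False),
    ])
    frames = [
        ("Gi0/1", "00:21:6a:11:22:33", "10:00:01"),  # the assigned desk PC: forwarded
        ("Gi0/1", "00:1f:f3:aa:bb:cc", "10:00:02"),  # an AP plugged into the same port: violation
        ("Gi0/1", "00:21:6a:11:22:33", "10:00:03"),  # port is now err-disabled, PC is cut off too
        ("Gi0/2", "00:21:6a:44:55:66", "10:00:04"),  # first device on Gi0/2 is learned
        ("Gi0/2", "00:1f:f3:aa:bb:cc", "10:00:05"),  # second device: dropped, port stays up
        ("Gi0/3", "00:1f:f3:aa:bb:cc", "10:00:06"),  # shut port: nothing gets through
    ]
    results = [sw.receive(*f) for f in frames]
    return sw, results


if __name__ == "__main__":
    switch, outcomes = demo()
    for line in switch.log:
        print(line)
    print("err-disabled:", switch.err_disabled_ports(), "outcomes:", outcomes)
```

The scenario makes the trade-off visible: in shutdown mode the legitimate desk PC is also cut off until an admin re-enables the port, which is what turns a plugged-in AP into a helpdesk ticket with a timestamp and port number attached; restrict mode keeps the port up and only logs, so it needs someone watching the log. Shutting unused ports, as the post above recommends, is the third line in demo() doing its job.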

  10. #10
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    7


    Quote Originally Posted by archangel.amael View Post
    As was stated above a security policy in place will help to curtail these sort of activities.
    A policy that was read/signed by the employees is generally never going to be a bad thing.

    Although there will still be people who may try, seems that a lot of times a friendly reminder is all that is needed to make the problem "go away".
    I might suggest that in addition to your other "learnings" you look into HIDS/WIDS; Snort comes to mind, to help mitigate what gets connected to the network. Anything "new" that is not authorized by IT would set off an alarm.
    I would very much agree with a written/signed use and abuse policy. Believe it or not that is something we've been trying to implement for a while now, but seems to be getting roadblocked for reasons I am unaware of.

    I will converse with our network admin about HIDS/WIDS, since I am not the network admin and don't wish to step on toes. I'm trying to be more proactive in the field since I'm the main helpdesk person that interacts at the end-user level, so therefore I see things on the computers more often than the others might. Plus it never hurts to have more education in things beneficial to your employer, especially when it comes time for reviews and possible raises, not to mention future employment opportunities as they arise.

    I believe all of our branch level switches are Dell PowerConnects of some breed. So I will have to figure out their form of port security in the meantime.

    Thanks again for the input folks. My yellowpad of items to research is already getting fuller by the minute.
