TOP SECRET//COMINT//NOFORN
December 15-16, 2010

Classification
The overall classification of this presentation is TOP SECRET//COMINT//NOFORN. All slides and materials contained in this presentation should be considered classified (unless otherwise noted).

Section Overview
- BADDECISION Overview
- BADDECISION Components
- BADDECISION Prerequisites
- BADDECISION Operational Flow
- BADDECISION Step Through
- Instructor-led Demos and Labs
- BADDECISION Pros/Cons

You should be able to:
- Understand BADDECISION Components
- Understand the BADDECISION Prereqs
- Conduct a BADDECISION Operation
- List the Pros/Cons of BADDECISION

BADDECISION Overview
- BADDECISION is an "802.11 CNE tool that uses a true man-in-the-middle attack and a frame injection technique to redirect a target client to a FOXACID server."
- Takes advantage of the shared open medium and the HTTP protocol.
- Works for WPA/WPA2!

BADDECISION Prerequisites
- Working BLINDDATE Survey!
- Client on the Target network
- Security Level: WPA/WPA2
- Ability to maintain a reliable connection to a target network.
- Don't forget the FOXACID Tag!
BADDECISION Components
- HAPPYHOUR
- SECONDDATE
- Open Source Tools: macchanger, wireshark, nmap, ettercap

BADDECISION Preparation
[Diagram slides: CNN Web Server, Target Client, FOXACID Server, Internet, Operator; the Operator runs SECONDDATE between the Target Client and the network]

Access Point: IP 192.168.1.1, MAC AA
Target Client: IP 192.168.1.2, MAC BB
Operator: IP 192.168.1.3, MAC CC

Operator to Access Point: "Hey Access Point! Send everything destined for IP 192.168.1.2 to MAC CC."
Operator to Target Client: "Hey Target Client! Send everything destined for IP 192.168.1.1 to MAC CC."

[Diagram: after both messages, traffic between Access Point (192.168.1.1) and Target Client (192.168.1.2) flows through the Operator (MAC CC)]

Overview of FOXACID Operational Server Scenario
- Operator with BLINDDATE
- FOXACID Tag issued for Target.
- Target Client browsing the Internet via web browser

Webpage Request
- Target issues HTTP GET Request to webpage of interest (cnn.com)

Injection
- Operator uses SECONDDATE to inject a redirection payload at Target Client
- Target Client's original HTTP GET Request continues on its normal path.

Refresh and Covert Request
- Injected payload forces Target Client to refresh and send another HTTP GET Request to desired webpage.
- Covert Request is issued by Target Client to FOXACID Server.

FOXACID Request Received
- FOXACID receives request from entity.
- Entity is validated as Target Client by FOXACID Tag.
- Response to original HTTP GET Request is dropped (but don't worry, that's good)

Browser Survey
- FOXACID Server instantiates browser survey on Target Client to detect vulnerabilities.

Survey, Payload, Exploitation
- Covert communications continue between FOXACID and Target until found not vulnerable or exploited.
- Target Client continues normal webpage browsing, completely unaware

WHACKED
- That's the ultimate goal.
- Whacked!!
BADDECISION Step Through
- Let's go through this because there are many more pieces!

BADDECISION Demos and Labs
- Grab a partner! One Target Client, one Operator. Have fun getting whacked!

BADDECISION Pros/Cons
Pros
- Works for WPA/WPA2 networks.
- Can reliably see all communications between target and FOXACID.
Cons
- Larger signature than NIGHTSTAND.
- Requires higher SNR to maintain reliable communications between target and FOXACID.

Questions?
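A defensive check for the ARP poisoning step shown on the Preparation slides, added here as an example and not part of the original deck: it replays constructed ARP replies using the slide's addresses (AA/BB/CC stand in for full MACs) and flags an IP whose MAC rebinds, plus a single MAC that ends up claiming both the gateway and the client. The event tuple shape and the function names are assumptions.

```python
# Added example: minimal ARP cache monitor for the man-in-the-middle position
# described on the slides (one station tells the AP and the client to send
# each other's traffic to its own MAC). Not code from the original deck.
from collections import defaultdict

# Constructed sample of ARP replies as a monitor might log them:
# (sender IP, sender MAC, target IP). Addresses are the slide's.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "AA", "192.168.1.2"),  # legitimate: AP answers the client
    ("192.168.1.2", "BB", "192.168.1.1"),  # legitimate: client answers the AP
    ("192.168.1.2", "CC", "192.168.1.1"),  # "send 192.168.1.2's traffic to MAC CC"
    ("192.168.1.1", "CC", "192.168.1.2"),  # "send 192.168.1.1's traffic to MAC CC"
]


def detect_arp_spoofing(replies, gateway_ip):
    """Return alert strings for suspicious IP-to-MAC claims.

    Signals checked:
      1. an IP whose MAC differs from the first binding learned (rebinding);
         the first binding is kept as the trusted one, so every later
         conflicting claim is reported;
      2. a single MAC claiming more than one IP, which is exactly the
         position between the access point and the client on the slide.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for sender_ip, sender_mac, target_ip in replies:
        known = ip_to_mac.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            kind = "GATEWAY-REBIND" if sender_ip == gateway_ip else "REBIND"
            alerts.append(f"{kind} {sender_ip}: {known} -> {sender_mac} "
                          f"(reply sent to {target_ip})")
        mac_to_ips[sender_mac].add(sender_ip)
        if len(mac_to_ips[sender_mac]) > 1:
            ips = ", ".join(sorted(mac_to_ips[sender_mac]))
            alerts.append(f"MULTI-IP {sender_mac} claims {ips}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(alert)
```

The two legitimate replies alone produce no alerts; the poisoning pair produces a rebind for the client IP, a gateway rebind, and a multi-IP alert for MAC CC.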