TOP SECRET//COMINT//NOFORN

December 15-16, 2010

Classification
The overall classification of this presentation is
All slides and materials contained in this presentation should be considered classified (unless otherwise noted)

Section Overview
- Passive to Active Operations
- WLAN CNE Criteria Assessment
- Active CNE Operations
- Introduction to FOXACID

You should be able to:
- Identify Criteria for CNE Assessment.
- List the Active CNE Operational Process
- Describe the purpose of FOXACID.

Passive to Active Operations
- Primary Goal: To enable on-net access to target networks via off-net capabilities.
- Prerequisite: We need to find the network of interest in order to target it.
- Procedure: Conduct passive survey to locate network, then perform active op.
- Solution: Utilize BLINDDATE and the appropriate plug-in solution(s).

Passive to Active Operations
- Successful operation of BLINDDATE is essential to correct usage of plug-ins.
- Two types of plug-ins exist:
  - Analysis Tool Aids
  - Active CNE Tools
- We will focus on Active CNE Tools:
  - NIGHTSTAND
  - HAPPYHOUR

Active CNE Assessment
- BLINDDATE used as both a survey and vulnerability analysis tool for 802.11 networks.
- Operator needs to know what vulnerabilities, or criteria, to look for in order to utilize the correct Active CNE Tool (if any)
- We will focus primarily on criteria necessary to carry out NIGHTSTAND (NS) and BADDECISION (BDN) operations.

Major Assessment Criteria
- Clients
  - A client is a prerequisite: If no clients are on the target network, there's nothing to do yet.
- Security
  - Encryption setting (Open, WEP, WPA, WPA2) dictates which capability can be used (if any).
- Signal Strength
  - SNR dictates whether we can perform a successful active CNE operation.

Active CNE Operations
- What is our end goal? Provide on-net access via off-net means.
- How do we do that? Redirect the target to the TAO infrastructure.
- How do we do that? Inject payload destined for the target client.

Active CNE Operations
- What does that do exactly?
  - Forces the target to covertly contact a FOXACID server.
- What is FOXACID supposed to do?
  - Perform vulnerability analysis and exploitation of the target (if possible).

Introduction to FOXACID
- FOXACID is the cover term for a project to deliver content based exploits (CBE) to web browsers.
- The greatest vulnerability to your computer: your web browser.

Introduction to FOXACID
- FOXACID Servers sit on Internet.
- Publicly addressable, DNS resolved.
- Utilizes whitelist for security, filtering.
- Requires specially crafted URL tag to contact FA Servers (FOXACID Tag).

Example Tag
http:// /PluginName/PluginName2/ .html
http:// /nested/attribs/ /form39952_ .html

FOXACID Tags
- Designed to look ambiguous.
- Unique for a particular target operation.
- All fields in the tag denote something

Redirection to FOXACID
- A FOXACID Tag is a special URL pointing to a particular FOXACID Server.
- Contacting the FA Server will (hopefully) result in the contactor being exploited.
- We want the target to be exploited.
- How do we redirect the target to the FOXACID Server without being noticed?
  - Use NIGHTSTAND or BADDECISION

Questions?