Whitepaper: The Black Art of Wireless Post-Exploitation – Bypassing Port-Based Access Controls Using Indirect Wireless Pivots

At DEF CON 25 we introduced a novel attack that can be used to bypass port-based access controls in WPA2-EAP networks. We call this technique an Indirect Wireless Pivot. The attack, which affects networks implemented using EAP-PEAP or EAP-TTLS, takes advantage of the fact that port-based access control mechanisms rely on the assumption that the physical layer can be trusted. Just as a NAC cannot effectively protect network endpoints if the attacker has physical access to a switch, a NAC can also be bypassed if the attacker can freely control the physical layer using rogue access point attacks.

The fact that this technique is possible invalidates some common assumptions about wireless security. Specifically, it demonstrates that port-based NAC mechanisms do not effectively mitigate the risk presented by weak WPA2-EAP implementations.

While creating the Indirect Wireless Pivot, we also developed a second technique that we call the Hostile Portal Attack. This second technique can be used to perform SMB Relay attacks and harvest Active Directory credentials without direct network access. Both techniques are briefly described below, and in greater detail in the attached PowerPoint slides and whitepaper.

Hostile Portal Attacks

This is a weaponization of the captive portals typically used to...

Whitepaper: Identifying Rogue Access Point Attacks Using Probe Response Patterns and Signal Strength

Last summer we released material at DEF CON 2016 documenting our research on rogue access point attack detection. As a follow-up, we are releasing our extended whitepaper on the subject.

The whitepaper begins by providing a thorough overview of the weaknesses that make 802.11 susceptible to rogue access point attacks. We also explain why these weaknesses are still relevant in today's wireless landscape, with a particular focus on enterprise environments. Previous attempts at remediating these issues are also explored, as is the evolution of rogue access point technology over the past decade. Finally, with this background information out of the way, we deliver two new techniques for detecting evil twin and Karma attacks. Potential areas for future research are also identified, providing a starting point for future exploratory endeavors.

Our whitepaper can be found at the following URL:
https://github.com/gdssecurity/Whitepapers/blob/master/GDS Labs - Identifying Rogue Access Point Attacks Using Probe Response Patterns and Signal Strength.pdf

To check out our previous work on the subject, including our DEF CON material and Sentrygun rogue AP killing software, please refer to the links below:
https://github.com/gdssecurity/sentrygun
https://github.com/gdssecurity/sentrygun-server
https://www.youtube.com/watch?v=dtNUFGnToQs
https://docs.google.com/presentation/d/1uwlF2nl6EtC70yryK8MleACMl72EGwkCZWng5eVONOQ/edit