We love ZACon and to present in our home town is always special. This year, we have two plakkers presenting on cool new research.
Dominic White (our CTO) on 'Zombie Mana; How to make your wifi attacks go viral'
At Defcon 22 we presented mana, a rogue access point toolkit for attacking the clients of wireless networks. The tool implements a new variant of the ageing KARMA attacks, and extends them to work against secure (EAP) networks and Apple's hidden-network behaviour.
At WiSec 2015, a team of researchers presented an attack against implementations of the 802.11n wireless standard's use of frame aggregation, a technique used to improve throughput. However, their attack only demonstrated an access point radiating malicious frames. We have modified the attack to show that a client can be made to appear to be sending the malicious frames through traffic reflection.
We believe the mana and packet-in-packet attacks can be combined to cause a successfully compromised mana victim to rebroadcast advertisements for the malicious access point. Initial tests with hostapd show this to be possible, but more work is needed to provide a fully dynamic implementation, which we will develop and release at ZaCon VI.
If that didn't make sense, just imagine mana with a zombie virus. Now, when a victim is bitten, they'll try to bite others too.
Dane Goodwin on 'Upping the ante: Automating the process of mapping and compromising internal networks'
Given the prevalence of Microsoft Active Directory domains as the primary means of managing large corporate networks, both globally and in South Africa specifically, one of the first goals of any internal penetration test is to get Domain Administrator (DA) level access. As a demonstration of how common a goal and practice this is, a plethora of tools and techniques exists to assist with the process, from the initial "in" through to elevation of privilege and eventually extracting and cracking all domain credentials.
However, the process followed is still manual and time consuming. This both detracts from potentially more dangerous attacks that may be specific to the organisation under assessment, and limits those who know of their vulnerabilities to those willing to pay for an assessment.
Observing this, we decided to construct a framework for automating such activities. This framework orchestrates the industry's currently favoured tools to get DA on internal networks.
The goal of the project is to get Domain Admin rights as quickly as possible, so that analysts can start an internal assessment as a privileged user rather than finishing as one. This allows analysts to spend engagement time emulating real-life hacking scenarios, such as going after business-critical applications, while still comprehensively assessing the internal network. Combining the software vulnerabilities with a realistic idea of how people with malicious or criminal intent might reach them gives organisations the information they need to actually improve their defensive posture.
This talk will start with an introduction to owning Microsoft Windows domains, then cover a method for automating this task, and finally present our tool that does so.