Discussion 5.1 and 5.2
Advanced Persistent Threat Hacking Chapter 7
By
Professor Henry A. McKelvey
Remote Presence Reconnaissance
Finding remote users
Wi-Fi (with and Without VPN)
VPN Connected (DSL, Cable Modem)
Information
Home Addresses
Travel Habits
Places Frequented
Associations (Business and Personal)
Information on People
Where to look
Spokeo
Intelius
People Finder
Many public and private databased
Place People Go (Easier Said Than Done)
Happy Hour
Team Functions
After Hours get away
Social Spear Phishing
Uses secondary targets as entry vectors
Family members
Friends
Associates
Target goal
Compromise computers of
Friends (Why)
Family (Why)
Wireless Attack Phases
Wireless Reconnaissance
Frequency Determination
Frequency Use
Attack wireless access points
Jamming
Reassignment (AKA Re-Association)
Attack wireless clients
Rouge use
Gather information
APT Wireless Tools
Wireless Cards
Wireless Standards Supported
802.11b, g, n (2.4GHz)
802.11a, ac (5-5.950 GHz)
Antenna Supported
Dipole
Yagi (log periodic)
Monopole
Connection Type
(BNC, TNC, SMA, SMB, N-Type, F)
Power
Wattage requirements (sensitivity input) (Power Output)
Chipset Type
PRISM
Broadcom
Atheros
See pages 217-240 for additional information on attack tools
vulnerabilities hackers use to attack wireless networks
Old encryption standards
WEP (Flaw found by retransmitted initialization Vectors)
WPA (flaw found by generation of default passwords)
SSID (Service Set Identifier)
Can be reversed engineered to determine possible default passwords (see page 242)
vulnerabilities hackers use to attack wireless networks (Cont.)
Post –Exploitation Exploration
Goal to find other connections
Make sure you are undetected
Gather information about the network
Client Hacking
After all else has failed, go in through the front door
Hack the Client instead of the network
Possible targets
Smart Phones
Tablets
E-readers
Point of Sale Systems
Specialized handheld systems
Client Hacking (Cont)
Steps
Setup Rouge Access Point
Identify device
Keep record of MAC Addresses
Attack insecure protocols
Use Social Engineering to gather additional data
Deploy Rouge Access Point to main network
Force client to connect to rouge network
Some will connect automatically some have to be coerced
Attack clients once they are on the rouge network
See pages 248 – 258 for attack method
HTTP Attack
Proxy the user’s connection to the legitimate site
Record all GET and POST Requests
Inject hidden iframes to steal cookies
Inject hidden iframe to gather Windows credentials
Inject hidden iframe with signed JAVA applet
Inject hidden iframe with browser_auotpwn
Host malicious executable and prompt user to install to use hotspot