Free Republic

To: anton

Allow me to give you a real world example that is counter to your point.

During an active pen test of a bank, I walked the outside of the building and noticed that one of the doors did not shut all the way. I walked up to the door and pushed it open. That let me into a hallway that had a printer. The printer was connected to both power and a wall plate that had an active Ethernet port. I took my wifi extender and plugged it into the second port and sure enough got a connection. The wifi extender was configured to allow me to access that port via the wifi link. So I went back outside, pulled my car into the parking lot (Wendy’s I think) that was opposite the door. I jumped on the laptop, connected to my wifi device and I was on their branch office network.

This particular branch also had a guest wifi for their customers and an internal wifi for their conference rooms. Now I know how lazy IT people can be so I figured I would crack the wifi password and try to use the same password to get to the switch. So I set the wifi up to require someone to log in. It is basically a reset packet that dumps the wifi connection. Most users don't notice it because the default configuration is to attempt to reestablish connection by logging back in. I didn't care who it was because I just wanted to get a copy of the hash. Sure enough, I was able to grab a trace of their connect request and the hash is contained in that request.

Using my Verizon 4G hot spot, I sent that hash back to my cracking rig and had the wifi password in less than 10 min. I don't know exactly how long it took because I went into a coffee shop for a coffee after I sent over the hash. Once I had that password, I went back to the connection that I had put in and sure enough, the infrastructure ... all of the switches, used the same password. Now I could see the branch’s traffic. Every single connection. A simple reconfiguration of the switch and now my wifi connection would receive a copy of any person’s traffic that I wanted to see. From there, using a similar trick as the wifi reset, I executed a TCP reset on someone’s traffic, captured the hash that was sent across the network, and sent that hash to my cracking rig.

So before lunch, I had user credentials and their password and a connection to the backbone along with the infrastructure password. The infrastructure password was “Yankees11!”

No one challenged me.
No one stopped me.
Heck, I didn't even see anyone in the hallway.
After lunch I contacted my security contact and asked if any alarms were going off. Nope, not one.

Owned in less than 4 hours.

Granted, that is the exception rather than the rule and I have purposely left out some details. But I did not target any user. I just cracked the passwords of those that were easy to obtain.


25 posted on 04/25/2018 2:22:01 PM PDT by taxcontrol (Stupid should hurt)
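Two of the gaps in this account are straightforward to detect from ordinary switch and wireless-controller logs: an unknown device being learned on a wired port that should only ever carry the hallway printer, and a burst of clients being deauthenticated at the same moment. The Python below is an added example, not code from the post or from any vendor; it runs both checks over constructed, hypothetical syslog-style lines, and the log format, hostnames, port name and allow-list are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post). Line 2 is an unknown
# device learned on the hallway printer's port; lines 3-6 are four clients
# deauthenticated within two seconds, the pattern a forced re-login produces.
SAMPLE_LOGS = """\
2018-04-25T10:02:11 sw-branch1 MAC_LEARN port=Gi1/0/7 mac=00:11:22:33:44:55
2018-04-25T10:03:40 sw-branch1 MAC_LEARN port=Gi1/0/7 mac=de:ad:be:ef:00:01
2018-04-25T10:15:01 wlc-branch1 DEAUTH client=aa:bb:cc:00:00:01 reason=7
2018-04-25T10:15:01 wlc-branch1 DEAUTH client=aa:bb:cc:00:00:02 reason=7
2018-04-25T10:15:02 wlc-branch1 DEAUTH client=aa:bb:cc:00:00:03 reason=7
2018-04-25T10:15:02 wlc-branch1 DEAUTH client=aa:bb:cc:00:00:04 reason=7
2018-04-25T10:15:04 wlc-branch1 REASSOC client=aa:bb:cc:00:00:01
2018-04-25T11:40:00 wlc-branch1 DEAUTH client=aa:bb:cc:00:00:09 reason=3
"""

# Hypothetical allow-list: the printer port should only ever see the printer's MAC.
PORT_ALLOWLIST = {"Gi1/0/7": {"00:11:22:33:44:55"}}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")
EPOCH = datetime(1970, 1, 1)

def parse(line):
    """Parse one 'timestamp host EVENT k=v ...' line into a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "event": event}
    rec.update(kv.split("=", 1) for kv in rest.split())
    return rec

def unexpected_macs(lines, allowlist=PORT_ALLOWLIST):
    """(port, mac) pairs learned on a guarded port but absent from its allow-list."""
    recs = [r for r in map(parse, lines) if r and r["event"] == "MAC_LEARN"]
    return [(r["port"], r["mac"]) for r in recs
            if r["port"] in allowlist and r["mac"] not in allowlist[r["port"]]]

def deauth_bursts(lines, window_s=10, min_clients=3):
    """Time buckets of window_s seconds with >= min_clients distinct deauthed clients."""
    buckets = defaultdict(set)
    for r in map(parse, lines):
        if r and r["event"] == "DEAUTH":
            bucket = int((r["ts"] - EPOCH).total_seconds() // window_s)
            buckets[bucket].add(r["client"])
    return [(EPOCH + timedelta(seconds=b * window_s), sorted(c))
            for b, c in sorted(buckets.items()) if len(c) >= min_clients]
```

On the constructed input, `unexpected_macs` flags the second MAC on the printer port and `deauth_bursts` reports a single window containing four clients; the lone reason-3 deauth an hour later stays below the threshold.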


To: taxcontrol

Nice :-D


26 posted on 04/26/2018 1:49:08 AM PDT by cartan

To: taxcontrol

Thanks once more. Internet/Net security is not a static issue, and not being an expert by any stretch of the imagination, it is interesting to see the issue from the eyes of one engaged in the process.


28 posted on 04/26/2018 2:15:12 AM PDT by wita (Always and forever, under oath in defense of Life, Liberty and the pursuit of Happiness.)



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson