On September 18, 2018, Chai Kunzhe, head of wireless security at 360 Group, gave a talk titled “The Art and The Future of Wireless Penetration Utilization” at the “3rd SSC Security Summit 2018 – White Hat Night”. IT Dakashuo (IT 大咖说), as the exclusive video partner, publishes this write-up with the review and authorization of the organizers and the speaker.

Word count: 2,828 | Reading time: 8 minutes

For the speaker's video and slides, see: t.cn/EAdw9Pe

Abstract

Wireless is now nearly ubiquitous; you can find Wi-Fi almost anywhere, so enterprises face a wide range of security problems. Today we are going to talk about wireless security.

Wireless security risks

I believe both companies and individuals have some understanding that wireless is insecure. But companies often leave wireless security out when they draw up defense standards or build defense systems: they know wireless is insecure, but they do not know exactly where the insecurity lies.

Wireless is now almost everywhere, and you can pick up Wi-Fi nearly anywhere. Enterprises therefore face a variety of security problems. First, the wireless signal spreads beyond the perimeter; unlike traditional wired security, it is not enough to lock down the physical network jacks. Second, corporate executives' wireless accounts and phones carry a lot of high-privilege material, such as broader access rights and more data on the phone, which makes the company more vulnerable to attack. So we need to protect not only the company's overall defense system but also the wireless security of personal devices.

The figure above shows the distribution of Wi-Fi encryption types in China, in which WEAK denotes weak encryption, that is, a purely numeric password. It should be mentioned that whether it is Tencent free Wi-Fi, 360 free Wi-Fi or other such tools, they all follow one rule: they do not upload the credentials of EAP-based networks, which means they cannot target enterprise users.

Of those, only 0.4 percent were considered high-risk. High-risk here means hotspots on which the various vendors' tools detect ARP or DNS tampering or attacks against the internal network. Once we connect to such risky Wi-Fi networks in daily life, our assets and data are at risk of being stolen.

The previous material focused on the consumer (C) side; now let's look at the vulnerability tree of the device vendors that provide Wi-Fi access. The title is IoT Device, so it does not refer only to wireless solutions. The solution we most often encounter in penetration tests is H3C, probably because it is cheap.

The report above documents Wi-Fi security incidents involving mobile devices. Here are the numbers extracted from the report.

  • 81% of CIOs said their organizations had a Wi-Fi-related security incident in the past year.

  • 57% of CIOs suspect their mobile employees have been hacked in the past year or have had a related mobile security issue.

  • 62% of Wi-Fi-related security incidents occurred in cafes.

  • 94% of CIOs believe that the rise of BYOD has exacerbated mobile security risks.

  • 46% of the companies surveyed said their employees use a mobile VPN whenever they connect to public Wi-Fi.

Cases

This is the topology diagram of a penetration test we perform. The attacker may first go after the wireless client; if the client is compromised, it means he has obtained the login credentials and can use them to reach the intranet. The other path is the wireless deployment in corporate buildings, which is relatively simple, because hackers typically only break into clients when they cannot get into the building.

Because of various needs, employees often set up their own wireless hotspots, either by connecting a private router or by using a portable Wi-Fi product, and most of these do not use a secure encryption mode. This is a very big opening for an intruder: the Wi-Fi signal that leaks outward gives full access to the machine behind it.
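One way a defender turns the private-hotspot problem above into a routine check is to compare a wireless site survey against an allow-list of sanctioned access points. The following script is an added example, not code from the talk or from 360; the allow-list, SSIDs, BSSIDs and scan records are constructed sample data, and the signal threshold used to separate in-building hotspots from neighbours is an assumption.

```python
# Added example, not from the talk: audit a Wi-Fi site survey for private or
# weakly protected hotspots near the office. Allow-list and scan records are
# constructed sample data; the SSID/BSSID values are hypothetical.
from dataclasses import dataclass

# Hypothetical allow-list of corporate access points (BSSID -> SSID).
AUTHORISED_APS = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
}
CORPORATE_SSIDS = {"CorpNet"}
WEAK_SECURITY = {"OPEN", "WEP"}          # no encryption, or broken encryption


@dataclass
class ScanRecord:
    bssid: str
    ssid: str
    security: str     # e.g. "OPEN", "WEP", "WPA2-PSK", "WPA2-EAP", "WPA3-SAE"
    signal_dbm: int   # received signal strength at the survey point


# Constructed survey results, as a wireless scanner would report them.
SAMPLE_SCAN = [
    ScanRecord("00:11:22:33:44:01", "CorpNet", "WPA2-EAP", -45),
    ScanRecord("00:11:22:33:44:02", "CorpNet", "WPA2-EAP", -60),
    ScanRecord("aa:bb:cc:dd:ee:01", "CorpNet", "OPEN", -50),         # look-alike of corporate SSID
    ScanRecord("aa:bb:cc:dd:ee:02", "Zhang-MiFi", "WPA2-PSK", -40),  # employee's portable Wi-Fi
    ScanRecord("aa:bb:cc:dd:ee:03", "TP-LINK_1234", "WEP", -55),     # privately connected router
    ScanRecord("aa:bb:cc:dd:ee:04", "CoffeeShop", "OPEN", -85),      # distant neighbour, out of scope
]


def normalise_ssid(ssid: str) -> str:
    """Collapse case and separators so 'Corp Net' and 'corp-net' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def classify(record: ScanRecord, min_signal_dbm: int = -75):
    """Return a finding label for one scan record, or None if it needs no action."""
    if record.bssid.lower() in AUTHORISED_APS:
        # A sanctioned AP that has been misconfigured is still a finding.
        return "authorised-ap-weak-security" if record.security in WEAK_SECURITY else None
    if record.signal_dbm < min_signal_dbm:
        return None  # too faint to be inside the premises; probably a neighbour
    corp_names = {normalise_ssid(s) for s in CORPORATE_SSIDS}
    if any(name in normalise_ssid(record.ssid) for name in corp_names):
        return "ssid-impersonation"  # unknown BSSID advertising a corporate-looking name
    if record.security in WEAK_SECURITY:
        return "rogue-ap-weak-security"  # the private-hotspot case described in the talk
    return "unauthorised-ap"


def audit(scan):
    """Map each suspicious BSSID to its finding label."""
    findings = {}
    for record in scan:
        label = classify(record)
        if label is not None:
            findings[record.bssid] = label
    return findings


if __name__ == "__main__":
    for bssid, label in audit(SAMPLE_SCAN).items():
        print(f"{bssid}  {label}")
```

The allow-list is keyed by BSSID rather than SSID on purpose: an unknown radio broadcasting the corporate name is exactly the case the name-only check would miss, so it gets its own label. Weak-signal entries are dropped so the report is not flooded with neighbouring networks, which is a tuning decision for each site.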

Weak passwords can be called a historical legacy; here is a case. We were penetrating a domestic infrastructure operator with a large internal network. The node's Wi-Fi was completely unencrypted, the whole network topology was chaotic, and all devices were in one WLAN. After connecting to the Wi-Fi, we scanned more than 190 devices, including video mirroring servers, file servers, staff computers, printers and so on. Being rough players, we started with weak passwords and gained control of the node.

We then wanted to gain access to all the related infrastructure across the country by breaking into the core network. However, network access control is generally enforced between network segments, and in this network it was likewise impossible to reach the core network directly from the segment we were on.

After logging in to the devices in the node, we found that one of the video mirroring servers had two network cards, and the second card was on the core network. Eventually we used that machine as a springboard into the core network.

Another case is the penetration test of the information department of a domestic airline. Whether it is wireless or physical penetration, there must be a place where you can pick up the company's Wi-Fi. Generally, after connecting, a web page pops up asking you to enter a user name and password; this is called a portal network.

The portal authentication machine must have access to the core machines on the intranet; that is, it can roam the intranet. One of the parameters of the portal authentication machine on the network we penetrated happened to be vulnerable to an intrusion attack, letting us easily take over its access.

Many people like to call a portal network "encrypted", but what really matters is encryption of the data packets, and data packets on a portal network are all plaintext, so I regard a portal as an access-control method, not encryption. All HTTP and TCP requests are redirected to the portal authentication machine.

The main problems with portals are as follows: data is not encrypted; it cannot defend against man-in-the-middle attacks; the portal machine itself can directly lead to ACL bypass; and, most importantly, MAC address spoofing.
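Because a portal session is bound to nothing stronger than a MAC address, the practical defence is to watch for the same MAC behaving like two different devices. The script below is an added example, not part of the talk or any portal product: it parses a constructed DHCP server log (the line format and the "fp" fingerprint field are assumptions for this example) and raises an alert when a MAC's hostname or DHCP fingerprint changes within one lease window.

```python
# Added example, not from the talk: look for MAC-cloning indicators in DHCP
# logs from a portal (captive-portal) network. Log format and entries are
# constructed for this example; they do not come from any real product.
import re
from collections import defaultdict
from datetime import datetime

# Constructed DHCP server log. The "fp" field stands in for the DHCP option-55
# parameter request list, which differs between operating systems and so acts
# as a rough client fingerprint.
SAMPLE_LOG = """\
2018-09-18T09:58:10 DHCPACK mac=3c:52:82:aa:bb:01 ip=10.1.5.20 host=LAPTOP-ZHANG fp=1,3,6,15,31,33,43
2018-09-18T10:02:44 DHCPACK mac=3c:52:82:aa:bb:02 ip=10.1.5.21 host=android-7f2 fp=1,3,6,15,26,28,51,58,59
2018-09-18T10:05:01 DHCPACK mac=3c:52:82:aa:bb:01 ip=10.1.5.77 host=debian fp=1,28,2,3,15,6,119,12,44,47,26,121,42
2018-09-18T10:05:30 DHCPACK mac=3c:52:82:aa:bb:02 ip=10.1.5.21 host=android-7f2 fp=1,3,6,15,26,28,51,58,59
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK mac=(?P<mac>[0-9a-f:]{17}) ip=(?P<ip>[\d.]+) "
    r"host=(?P<host>\S+) fp=(?P<fp>[\d,]+)$"
)


def parse_log(text: str):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_mac_reuse(events, window_seconds: int = 3600):
    """Flag a MAC whose hostname or DHCP fingerprint changes within one lease window.

    The portal authorises by MAC only, so a second device presenting the same
    MAC inherits the session; at the DHCP layer it usually still looks like a
    different machine, which is what this check keys on.
    """
    by_mac = defaultdict(list)
    for event in events:
        by_mac[event["mac"]].append(event)

    alerts = []
    for mac, evs in by_mac.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if gap > window_seconds:
                continue  # far enough apart to be a legitimate re-lease
            if prev["host"] != cur["host"] or prev["fp"] != cur["fp"]:
                alerts.append({
                    "mac": mac,
                    "first_host": prev["host"],
                    "second_host": cur["host"],
                    "ip": cur["ip"],
                    "gap_seconds": gap,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_mac_reuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

Hostname and fingerprint are weak signals on their own (a user can reinstall, or a fingerprint database can be incomplete), so this check is best treated as a trigger for a closer look, and the durable fix is to stop binding sessions to the MAC alone, for example by moving to 802.1X (EAP) authentication as the talk's enterprise comparison implies.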

Post-wireless, and unpredictability

Not everyone on our team does wireless security research; some colleagues work on Windows and Linux penetration, which gives us plenty of room for a collision of ideas, looking at security issues from multiple perspectives and looking for the intersection between traditional security and wireless security.

Just a quick example. SMB attacks have probably been a Windows problem for decades. We all know that when we connect to a portal, the login page pops up. What if we tamper with that page?

For example, if you insert an IMG tag into the page whose requested address is the address of an intranet file share, a Windows computer will automatically send out a copy of its credential hash, which you can then relay to the Exchange server and exploit an Exchange vulnerability to execute malicious files, for instance popping a calculator while the user opens the web page.
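From the defender's side, the tampered-page case above can be caught by checking the portal's login page for references that a Windows browser would resolve over SMB rather than HTTP. The following scanner is an added example, not code from the talk or from 360: it uses Python's standard HTML parser, flags attribute values that are UNC paths (`\\host\share`) or `file://` URLs after URL-decoding, and runs over a constructed portal page in which the intranet address 10.0.0.5 is hypothetical.

```python
# Added example, not from the talk: check a portal login page for references
# that make a Windows client reach out over SMB (UNC paths and file:// URLs),
# which is the tampering the talk describes. The page is a constructed sample.
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Matches "\\host\share..." (UNC) or "file://..." after URL-decoding.
SMB_TRIGGER_RE = re.compile(r"^(\\\\[^\\]+\\|file://)", re.IGNORECASE)

# Attributes whose value the browser fetches automatically or on click.
REF_ATTRS = {"src", "href", "data", "action", "background", "poster"}

# Constructed captive-portal page: one benign CDN image, plus two injected
# references pointing at a hypothetical intranet share (10.0.0.5).
SAMPLE_PORTAL_PAGE = r"""
<html><body>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<img src="/static/logo.png">
<img src="//cdn.example.com/banner.png">
<img src="\\10.0.0.5\share\pixel.png" width="1" height="1">
<link rel="stylesheet" href="file://10.0.0.5/share/style.css">
</body></html>
"""


def is_smb_trigger(url: str) -> bool:
    """True if fetching this reference would be routed to SMB rather than HTTP(S)."""
    return bool(SMB_TRIGGER_RE.match(unquote(url).strip()))


class SmbReferenceScanner(HTMLParser):
    """Collect (tag, attribute, value) for every reference that is an SMB trigger."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in REF_ATTRS and value and is_smb_trigger(value):
                self.findings.append((tag, name, value))


def scan_portal_page(html: str):
    """Parse the page and return the list of SMB-triggering references found."""
    scanner = SmbReferenceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for tag, attr, value in scan_portal_page(SAMPLE_PORTAL_PAGE):
        print(f"<{tag} {attr}=...> -> {value}")
```

Scheme-relative references such as `//cdn.example.com/...` are deliberately not flagged, since browsers fetch them over the page's own scheme. Running this against the page the portal actually serves to clients (rather than the template on disk) is the point, because the tampering happens on the wire; blocking outbound TCP 445 from client segments closes the same hole at the network layer.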

In fact, my personal view of wireless security is that the key word is "combined": combine mobile security, radio security, traditional security and wireless security.

In June 2018, the Wi-Fi Alliance officially launched the WPA3 standard. It addresses technical flaws in WPA2 from the ground up, mitigates wireless attacks such as KRACK and deauthentication, and strengthens security and functionality in configuration, authentication and encryption. The standard includes two modes, Personal and Enterprise, and can also be applied to the Internet of Things.

It will probably take another year or two for the standard to become widespread, and during that time we will carry out some security research on WPA3.

That’s all for today’s sharing. Thank you!