CUSTOMER
The Customer is an international bank with $500 million in total assets. The bank offers a whole spectrum of banking services for private and corporate customers.
In a nutshell
Our team was tasked to conduct a wireless network penetration test for an international financial institution that needed validation on its network design and implementation.
We simulated a cyber-attack from a black box perspective, i.e. with zero prior knowledge of the Customer's IT systems. We managed to connect to their internal network via the corporate WiFi, which in turn granted us unrestricted access to the Customer's office domain and to internal systems vulnerable to other exploits.
This case is illustrative of how keeping an eye out for the little things could save your business.
PROCESS – EVIL TWIN ATTACK
The Customer had carefully designed the network to provide separate access for employees and guests; the guest network was physically separate from the corporate WAN. However, the employee wireless clients were configured with flaws that allowed our attack on the employee network to succeed fully.
To initiate the WiFi penetration test, we set up a wireless Evil Twin proof of concept at the Customer's premises: a fake access point with a captive-portal web login page, broadcasting an identifier (SSID) matching that of the legitimate access point. To speed up reconnaissance, we then forced the legitimate access point offline with a deauthentication (jamming) attack, so that devices already connected to the target network had to reconnect. Because the fake access point looked like the legitimate one, the clients reconnected to it automatically. On reconnecting, the clients performed the network's authentication handshake with our access point instead of the real one. We captured these handshakes and recovered the credentials offline with a brute-force or dictionary attack; note that on a WPA Enterprise (802.1X) network a rogue access point only receives crackable authentication material if the clients do not properly verify the authentication server they are talking to. Recovering valid credentials in this final step let us into the network.
WiFi hacking scenario in short: set up a bogus access point with a fake captive portal, knock the legitimate access point offline with a DoS (deauthentication) attack, and use the fake one to harvest login credentials for the WPA Enterprise network.
RESULTS
By executing the Evil Twin attack we swiftly broke into the network via the corporate WiFi. As the wireless network used RADIUS authentication against Active Directory credentials, a single captured and cracked authentication handshake was enough to gain initial access to the network and a valid account in the office domain. Since the Customer did not employ any wireless scanning tools, the Evil Twin access point would have remained undetected for a long period of time.
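The Evil Twin went unnoticed because nobody was watching the air. The following is an added example, not the Customer's tooling and not code from this case study, of the check a wireless monitoring sensor would run: it compares observed beacons against an inventory of authorised access points and flags any device advertising a corporate SSID from an unknown BSSID or with downgraded security (an open captive-portal network posing as the WPA2-Enterprise SSID), and it also flags the deauthentication burst used to force clients to reconnect. The inventory, the record field names and the capture records are all constructed for this example.

```python
"""Rogue-AP (evil twin) and deauthentication-burst detector over 802.11 scan records.

Added example: not part of the original case study or the Customer's tooling.
The frame records are constructed here to stand in for what a monitoring
sensor export (airodump/Kismet style) would produce; field names are an
assumption of this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Authorised access points: SSID -> BSSIDs the corporate controller manages,
# plus the security the SSID must advertise. (Constructed inventory.)
AUTHORISED = {
    "CorpWiFi":  {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "WPA2-EAP"},
    "CorpGuest": {"bssids": {"00:11:22:33:44:11"}, "security": "OPEN"},
}


@dataclass(frozen=True)
class Frame:
    ts: float            # capture time in seconds
    kind: str            # "beacon" or "deauth"
    bssid: str           # transmitter / claimed AP address
    ssid: str = ""       # beacons only
    security: str = ""   # beacons only: "WPA2-EAP", "WPA2-PSK", "OPEN"
    channel: int = 0


def detect_rogue_aps(frames):
    """Alert on beacons that claim an authorised SSID from a BSSID we do not
    manage, or that advertise weaker security than the SSID is supposed to use."""
    alerts = []
    seen = set()
    for f in frames:
        if f.kind != "beacon" or f.ssid not in AUTHORISED:
            continue
        expected = AUTHORISED[f.ssid]
        key = (f.ssid, f.bssid)
        if key in seen:          # report each (SSID, BSSID) pair once
            continue
        seen.add(key)
        if f.bssid not in expected["bssids"]:
            alerts.append({"type": "unknown_bssid", "ssid": f.ssid,
                           "bssid": f.bssid, "channel": f.channel})
        if f.security != expected["security"]:
            alerts.append({"type": "security_downgrade", "ssid": f.ssid,
                           "bssid": f.bssid, "advertised": f.security,
                           "expected": expected["security"]})
    return alerts


def detect_deauth_bursts(frames, window=5.0, threshold=20):
    """Flag any BSSID that sends more than `threshold` deauth frames within
    any sliding window of `window` seconds (the forced-reconnect pattern)."""
    per_bssid = defaultdict(list)
    for f in frames:
        if f.kind == "deauth":
            per_bssid[f.bssid].append(f.ts)
    alerts = []
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.append({"type": "deauth_burst", "bssid": bssid,
                               "count": end - start + 1, "t": times[end]})
                break            # one alert per offending BSSID
    return alerts


def sample_frames():
    """Constructed capture: three legitimate beacons, one evil twin (same SSID,
    unknown BSSID, open network on another channel) and a 40-frame deauth
    burst whose source address is forged as the legitimate AP's BSSID."""
    frames = [
        Frame(0.0, "beacon", "00:11:22:33:44:01", "CorpWiFi", "WPA2-EAP", 36),
        Frame(0.1, "beacon", "00:11:22:33:44:02", "CorpWiFi", "WPA2-EAP", 44),
        Frame(0.2, "beacon", "00:11:22:33:44:11", "CorpGuest", "OPEN", 1),
        Frame(0.3, "beacon", "de:ad:be:ef:00:01", "CorpWiFi", "OPEN", 6),  # evil twin
    ]
    frames += [Frame(1.0 + i * 0.05, "deauth", "00:11:22:33:44:01") for i in range(40)]
    return frames


if __name__ == "__main__":
    fr = sample_frames()
    for alert in detect_rogue_aps(fr) + detect_deauth_bursts(fr):
        print(alert)
```

Run against the constructed capture, the detector raises two alerts for the evil twin (unknown BSSID, security downgrade from WPA2-EAP to open) and one deauth-burst alert attributed to the legitimate AP's address, which is itself the tell: a controller-managed AP has no reason to deauthenticate every client at once. In a real deployment the inventory would come from the wireless controller and the frames from a dedicated monitoring radio, since the serving radios cannot see channels other than their own.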
Having demonstrated the weaknesses and the resulting confidentiality risks, we advised the Customer to reconfigure the wireless clients so that they reject any network that does not present the expected SSID and authentication settings (so that an impersonated access point is no longer accepted), and we helped implement the remediation measures.
TECHNOLOGIES AND TOOLS
Methodology: SniffAir
Tools: Kali Linux distribution (Aircrack, Wireshark filters, Wifijammer, internal-twin, Wifiphisher), Hashcat, captive portals, MAC spoofing, Airgeddon, DNS spoofing and BeEF using WiFi Pumpkin, rogue-wifi and EvilAP Defender.