Holland safenet livehack hid usb pineapple_cain_oph_with_video

Insert Your Name
Insert Your Title
Insert Date
New World – New Security
BYOD…. & some cool h@ck1ng gadgets / tools….
Roy Gray
CISSP-CCIE-CCNA-CEH-CHFI
roy.gray@safenet-inc.com
© SafeNet Confidential and Proprietary

2© SafeNet Confidential and Proprietary
Who We Are
Trusted to protect the world’s most sensitive data for
the world’s most trusted brands.
We protect the most
money that moves in
the world, $1 trillion
daily.
We protect the most digital
identities in the world.
We protect the most
classified information
in the world.
FOUNDED
1983
REVENUE
~500m
EMPLOYEES
+1,500
In 25 countries
OWENERSHIP
Private
GLOBAL FOOTPRINT
+25,000
Customers in
100 countries
ACCREDITED
Products certified
to the highest
security standard

-Disclaimer
-Local Laws
-USB HID Device
-Cool Wi-Fi story
-Wi-Fi MITM Experiment….Want to take part?
-Example ―cracking‖ sites
-Cain & Able ARP MITMA
-Cain & Able Brute Force
-Cain & Able R$A Calculator
-OPH Rainbow tables

Legal Disclaimer
Hacking without permission may result
in a prison sentence – do not try any of
these techniques at home
*See Hacking Law’s from CEH*
Do send me a postcard
though and tell me which one
you used!

+

USB HID- Scripting 101
As Storage
As Keyboard

Script Encode Payload
USB HID- Keyboard Scripting For Fun

USB HID- Keyboard Scripting Not For Fun
Script Encode Payload

USB HID- Keyboard Scripting Not For Fun

Imagine you are Chuck, a Wi-Fi penetration tester at
ACME Corp., sitting at the cafeteria. Busy office workers that
BYOD, are eating, socializing and using the Internet from their
laptops, smartphones and tablets.
Alice is sitting across from you pulling a tablet from her purse.
She intends to connect to the wireless, and surf
during lunch. The tablet, waking up, transmits Wi-Fi probe
requests looking for preferred networks.

Since Alice has connected to ACME Corp. wireless from her tablet
in the past it remembers the network name (SSID) and looks
for it periodically in this fashion. If the network is
within range it will receive a probe response to its probe
request.
The probe responses provides Alice’s tablet with
the necessary information it needs to associate with ACME Corp.
network. Since this process happens automatically for every
network Alice frequently connects to, both on her tablet and
laptop she isn’t inconvenienced by choice when getting online
at the office, home, cafes or even airplanes!
Probe responses
Probe requests

Chuck (that’s you!) has a Wi-Fi Pen testing device in his bag.
The device is constantly listening for probes requests.
When it hears the probe request for the ACME Corp. network
from Alice’s tablet it responds with an appropriately crafted
probe response. This informs Alice’s tablet that the device
is in fact the ACME Corp. wireless network.
Of course this is a lie that Alice’s tablet will believe.
This simple yet effective lie is responsible for the
device’s code name ―Jasager‖ –German for
―The Yes Sayer‖ or ―The Yes Man‖.

Once Alice’s tablet receives the probe response from Chuck’s
device they begin the process of associating, and within
moments her tablet has obtained an IP address this the
Pen test device’s DHCP server. The Pen test device’s DHCP
server provides Alice’s tablet with not only an IP address, but
DNS and routing information necessary to get her online.
Chuck has the Pen test device ―dialled-up‖ to the internet via a
pre -configured USB Modem, the default gateway used by
Alice’s tablet will be the IP of the Pen test device.
Probe responses
Probe requests

Now that Chuck’s internet enabled device has made
friends with Alice’s tablet she is free to browse the
web and Chuck is free to eavesdrop and even
change the web she sees.
Using man in the middle tools, Chuck is able to
watch what web sites Alice visits (url snarf).
Since Chuck is particularly mischievous he prefers
to change what servers Alice connects to when
looking up a website (dns spoof)—thus replacing
would be kitten videos with ones of puppies. Oh the
horrors!...

Chuck is even capable of saving Alice’s browsing
sessions to disk for later analysis
(tcpdump), intercept secure communications
(sslstrip), or inject malicious code on to websites
(ettercap-ng).
Alternatively if Chuck chooses not to provide
internet access at all the device will still be an
effective wireless auditing tool.
By enabling DNS spoof Chuck is able to redirect
Alice’s browsing session from legitimate websites to
the device’s built in web server, which may host a
number of phishing sites, password harvesting or
malware.

Since Chuck can’t stay at the ACME Corp. cafeteria
all day, he considers leaving his device on site. The
device is concealed in a case with a battery
pack, hidden in plain sight.

In this case Chuck is able to remotely manage the
device a few ways. If no internet access is being
provided Chuck must be within range of the device
wireless network in order to connect to the
management SSID.
If internet access is provided, Chuck can configure
a persistent SSH tunnel. With an SSH or VPN
tunnel enabled, internet traffic from the device
connected client routes through the tunnel endpoint
– typically a virtual private server. From this VPS
Chuck may also extend the man in the middle
attack.

www
Probe requests
Proberequests

20
Wi-Fi MITM Experiment : mk4 karma, urlsnarf, dns spoof , facebook/twitter phishing
phishing site

21
Cell phone tracking device….send pic…see gps,txt,calls,email….

Hacking Gadgets…..who needs them….when..

The Weapons – Hands On
Cain & Abel is a password recovery tool for Microsoft Operating
Systems.
It allows easy recovery of various kind of passwords by:
-Sniffing the network
-Cracking encrypted passwords using Dictionary
-Brute-Force and Cryptanalysis attacks
-Recording VoIP conversations
-Decoding scrambled passwords
-Recovering wireless network keys
-Revealing password boxes
-Uncovering cached passwords
-Analyzing routing protocols….and more.

Cain & Abel has been developed in the hope that it will be useful for
network administrators, teachers, security consultants/professionals,
forensic staff, security software vendors, professional penetration tester
and everyone else that plans to use it for ethical reasons.
The latest version is faster and contains a lot of new features like
APR (Arp Poison Routing) which enables sniffing on switched LANs
and Man-in-the-Middle attacks.
The sniffer in this version can also analyze encrypted protocols such
as SSH-1 and HTTPS, and contains filters to capture credentials from a
wide range of authentication mechanisms.
The new version also includes routing protocols authentication monitors &
routes extractors, dictionary & brute-force crackers for all common
hashing algorithms & for several specific authentications,
password/hash calculators, cryptanalysis attacks, password decoders
& some not so common utilities related to network and system security.

-Added support for Windows 2008 Terminal Server in APR-RDP sniffer filter.
- Added Abel64.exe and Abel64.dll to support hashes extraction on x64 OS.
- Added x64 operating systems support in NTLM hashes Dumper,
MS-CACHE hashes Dumper, LSA Secrets Dumper, Wireless Password Decoder,
Credential Manager Password Decoder, DialUp Password Decoder.
- Added Windows Live Mail (Windows 7) Password Decoder for POP3, IMAP, NNTP,
SMTP and LDAP accounts.
- Fixed a bug of RSA SecurID Calculator within XML import function.
- Fixed a bug in all APR-SSL based sniffer filters to avoid 100% CPU
utilization while forwarding data.
- Executables rebuilt with Visual Studio 2008.
**Be very aware of versions with screenscrape / backdoors, not downloaded from the correct source.

ARP Poison
Select interface - Scan for hosts - Poison ARP Table - Look for PW’s
Brute Force
R$A Calculator…and more
Lets take it for a ―Test Drive‖
Industry
Example:

Ophcrack is an open source (GPL licensed) program that cracks Windows passwords
by using LM hashes through rainbow tables. The program includes the ability to import
the hashes from a variety of formats, including dumping directly from the SAM files of
Windows. It is claimed that these tables can crack 99.9% of alphanumeric passwords
of up to 14 characters in usually a few minutes.
A rainbow table is a lookup table offering a time-memory tradeoff used in recovering
the plaintext password from a password hash generated by a hash function, often a
cryptographic hash function. A common application is to make attacks against hashed
passwords feasible.

XP Rainbow Tables Example:

Vista / Win 7 Rainbow Tables Example:

Example using a XP VM
Length = 14
Predefined Charset :
Base64 = Decimal + Lowercase + Uppercase + Special Characters
< 4min
CRACKED!

Lets take it for a ―Test Drive‖
In Under 4min

CAIN vs OPHCRACK

Holland safenet livehack hid usb pineapple_cain_oph_with_video

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to Holland safenet livehack hid usb pineapple_cain_oph_with_video

Similar to Holland safenet livehack hid usb pineapple_cain_oph_with_video (20)

Recently uploaded

Recently uploaded (20)

Holland safenet livehack hid usb pineapple_cain_oph_with_video