This picture shows someone’s intentions in broad daylight, but it’s also easy to get information related to an office’s WiFi access points from a stealthier position, let’s say from inside a car in the parking lot, or from somewhere off the premises. While this may sound like a usual approach for conducting an attack against WiFi to gain access to the network (free internet anyone?), getting network BSSIDs and MACs to generate a map of electronic assets is part of a process called Attack Surface Analysis, and that’s what we’ll address today.
We’ll divide this into different sections, and look at each one from an offensive perspective—as a red team or an attacker could once an asset discovery is perpetrated.
Entrée - Determining how to get access
What is attack surface analysis?
Attack surface analysis is the examination of a logical or physical infrastructure for security holes that could allow attackers to take advantage and compromise services.
While this is a common practice among attackers, it’s also used by security personnel to discover possible attack vectors that could be used against their protected environment’s best interests.
This is a very important process for security teams, and will help you understand how vulnerable an infrastructure really is—by observing it from an offensive point of view.
Testing the reconnaissance process
As we explained earlier, defining the attack surface is paramount. To analyze it from the outside we’re using our Attack Surface Intelligence tool, which will determine what we can use to gain access to the network.
Unfortunately, our findings differ from the image above. This particular network we’re analyzing restricts almost all external access. While there are some open ports, they’re somewhat secured, so a perimetral breach seems difficult enough that we’re encouraged to look elsewhere.
So what if we approach this from a “social engineering” perspective? By taking advantage of some of the best phishing tools available, we could lure employees into our trap, then gain access to their work stations, and move horizontally from there.
It could work, but we’d need superior access levels to the infrastructure. And while phishing and social engineering are effective ways of gaining access to users’ infrastructure, we’d still need access to the administrators’ workstations, and sending them deceptive signals of this type could actually expose our intentions.
It’s time to get bold and creative. From out in the parking lot, and using a WiFi gun in a van, we succeeded in identifying and mapping our desired attack surface.
By using this DIY solution in conjunction with a scanning tool, you can do a variety of things like:
Capture BSSID’s MAC addresses (which may uncover WiFi access point vendors)
Capture SSID names for interesting labels such as mycompany
Get WiFi encryption and possible handshakes without the need to force user de-authentication.
Generate a heat map showing WiFi access points, transmitting power, number of connected users, frequencies, channels, etc.
Now we’ve managed to gain enough information to know that the sysadmin team has its own WiFi hotspot, which is somewhat protected but not thoroughly. And even from our position far from the building, we’ve managed to accomplish a useful handshake.
After running our findings through aircrack-ng, the SSID’s password was revealed, and we connected to the DevOps’ network. We identified the WiFi model, brand, and IP information, then left the scene.
Let’s call it a day!
Main course - Invading the network and staying there
Measuring and assessing the attack surface should be our next step, just as attackers look for devices that could be compromised. Here’s what we need to accomplish:
Enter the network again, lay low, and stay under the radar
Deceive DevOps/sysadmin people, steal credentials, and gain privileged access
Get whatever information we’re there for
With the best case scenario of a WiFi router compromise, we can hijack this network thusly:
With the router’s ID, we download firmware from its official support page
We execute binwalk and extract the squashfs filesystem, determine what’s in there, then find a bug to upload unauthorized files or steal credentials from the files inside (which is something APT teams do with their own zero-days or by using existing exploits)
Once the firmware sections are extracted, we can determine how this piece of software was assembled. This guides us in building binaries and putting them in.
In this case, the firmware was built using the popular firmware builder buildroot version 2010.02.x and kernel version 2.6.30. With this information you can search for ways to gain privileges, by querying any of the top exploit databases available.
- We have to figure out how to gain control of that box, whether by using a reverse shell, or with some sort of magic!
Now to install our exploitation pack inside the brand new firmware. Know that you can even buy the same model from used hardware suppliers on eBay to get familiar with the device, which is extremely helpful for getting your malicious firmware to work perfectly.
So what do we end up using for stealthy, illegal information gathering? Nothing short of magic—find out how in the next section!
Dessert - Getting the goodies
Imagine we choose to deploy an IP to IP VPN client within the firmware, to reroute certain desired traffic outside the premises and fake the servers that administrators connect to. A diagram of that would look like this:
So by redirecting interesting traffic, let’s say the SSH, we deployed (in a server under our complete control) a deceiving software such as the Kippo Honeypot to capture the credentials.
Another approach would be to launch a man-in-the-middle attack against attractive services with insufficient protections, where access can be compromised in stealth mode, without administrators noticing.
Regarding traffic routing, it’s a fairly common legal practice among services to filter out inward or outward internet traffic, such as anti-DDoS protection services. Those services utilize GRE (Generic Routing Encapsulation) tunnels to create IP-over-GRE communications.
So if we’re serious about doing an APT against our target we could potentially ship all interesting office traffic through a stealth endpoint and collect sensitive information.
All this communication should take place using a specially crafted covert channel that will help extrude all desired information, or deceive people into believing they’re connecting to their actual servers.
“Café et mignardises” - Learn more about these topics
There are lots of little bits of information to gather during the analysis process, whether we’re discovering how to compromise, or how to be compromised.
Here’s a list of useful resources. Some are directly related to the topics covered in this article, and some are not. All, however, are valuable:
This discipline covers a lot more than the familiar ‘Internet of things’ devices, like sensors or home equipment. Practically every small device connected to any network is potentially exploitable. Here are a few good starting points:
IoT Hackers Handbook (Aditya Gupta) - This is a great introduction to the subject, one that addresses attack surface analysis from several standpoints, from hardware diagnostics port discovery and surface analysis mapping to firmware extraction, backdooring, re-packing and exploitation.
Damn Vulnerable Router Firmware - This is an awesome place to start your journey of firmware analysis and vulnerability discovery. From here you can delve into the world of attack surface mapping by using vulnerable code, showing you common ways to gain privileges.
Firmware analysis toolkit - This set of tools (such as binwalk) was put together to extract and analyze information relevant to your desired investigation.
Hackaday - This website is a hardware hacker’s paradise, with an incredible amount of information and numerous available learning resources covering a range of topics, from hacking into simple electronics to car hacking.
Attack surface mapping
There are several tools available for mapping different entry points to network infrastructure. Here are a few:
- Masscan - This super fast port scanner and banner retriever lets you keep an eye on your assets.
- SecurityTrails ASI - Our Attack Surface Intelligence platform is an excellent choice for checking your infrastructure—and identifying any security issues you may have.
- OWASP Cheat Sheet - This is an article with tip-top advice on how to conduct a fast-starting attack surface analysis, what to look for, and how to approach it.
While this isn’t an extensive list, it should guide you in the right direction. Start here, and you’ll get a handle on where to find additional information. Your curiosity can take you far.
Managing your infrastructure’s attack surface is of great importance. Always stay aware of network configuration changes such as:
New opened or closed TCP and UDP ports.
New network traffic flows such as ICMP, DNS, and others that could be used as covert channels for data exfiltration.
New devices connecting to the net (regardless of how secure you think you are).
Configuration changes on network devices or services offered by your IT assets.
There’s a lot more to be said in this area, but the general idea is to protect your company—even from your own team. Attackers will surely use anything to gain access if they’ve made up their mind to do it, whether that leads them to a logical or a physical address.
That’s why staying ahead of the offensive game is of the utmost importance. And according to the IT security community, the best way to do just that is to constantly analyze whatever happens with your digital fingerprint.
Another important but frequently overlooked subject is employee education. This is paramount for managing information in a healthy manner, and for staying alert toward possible anomalies. This rings especially true for people-facing roles like receptionist or call-center attendant, but even IT people such as help desks or DevOps teams should be on the loop of constant security best practices teaching.
In this game, awareness is our best wingman.