A novel way for hackers to find a victim is to have the victim find them. This can easily be done by having the victim simply visit a web page for less than two seconds. Literally, if a victim visits a malicious web page for two seconds, the victim’s corporate laptop could be completely hacked if it is not protected while it is mobile.
Here are the steps to performing this attack: 1. Create a malicious web site.
2. Have a user view that web page. 3. Exploit the victim’s machine.
134 Chapter 5 ■ Understanding the Need for Mobile NAC
1. User with company laptop connects to the
internet.
2. Surfs the Web, visiting various web
pages.
3. Visits a malicious web site
that takes advantage of a known vulnerability. Laptop becomes infected with a keylogger, etc. 4. Infected device connects via VPN into the corporate network,
receives Internet Explorer patch to protect against web surfing
vulnerability. Machine is already infected and infects other machines on
the LAN. Internet
Figure 5-2 Exploitation as a result of visiting a web site
The steps sound simple — and they are. The reason the corporate system is vulnerable is because it is mobile and its security posture is deficient. Figure 5-2 shows the flow of how this exploit will work.
Let’s start by creating the malicious web site. There are a number of ways to do this, but let’s again use Metasploit to perform this exploit. As shown in Chapter 2, Metasploit is a framework that allows for many different exploits to be incorporated into the tool. To create this malicious web page, let’s use an exploit that takes advantage of the Internet Explorer VML Rectfill vulnerability.
It is important to note that this is but one example of an Internet browser- based vulnerability. If you look at the patches released by Microsoft on a routine basis, you will find many critical patches and vulnerabilities relating to Internet Explorer. This exploit will take advantage of the vulnerability described as MS06-055. The following information regarding this vulnerability is available via Microsoft’s web site atwww.microsoft.com/technet/security/Bulletin/ MS06-055.mspx:
VML Buffer Overrun Vulnerability — CVE-2006-4868:
A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted web page or HTML e-mail that could potentially allow remote code execution if a user visited the web page or viewed the message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mobile NAC and Direct Attacks 135
Affected Software:
Microsoft Windows 2000 Service Pack 4 Microsoft Windows XP Service Pack 1 Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Recommendation: Customers should apply the update immediately
There are a few key points to note about this vulnerability. First, it affects a lot of different systems. Second, it allows a hacker to take complete control of a system. The recommended fix for this problem is to apply Microsoft’s patch for the vulnerability as soon as possible. In many companies, that patch gets applied once a laptop physically comes onto the corporate LAN or when a user decides to VPN into the corporate network. In many cases, that is simply too late.
N O T E One reason companies do not patch devices while they are mobile is because they want to control the distribution of patches from a central location, as well as protect the integrity of the corporate image. A good Mobile NAC solution would provide this. The other reason is because their systems simply are physically incapable of patching outside the LAN. A good Mobile NAC solution will address this, as well.
Once in Metasploit, the exploit to use must be chosen, and then the payload must be selected. The payload is what will happen to the exploited system once it is exploited. Metasploit has many different payloads that are available. In this case, let’s use thewin32_reversepayload, which will open a shell between the exploited machine and the hacker. Once the exploit and payload are selected, the various options can be set and the exploit can be run. Figure 5-3 shows the use,set, andshowcommands in action.
All that’s left to do now is set the various options and run the exploit. The exploit is run by typing theexploitcommand, and then Metasploit simply waits for connections, as shown in Figure 5-4.
At this point, Step 1 is complete. The malicious code has been created, and you can pretty much do whatever you want with this code. Figure 5-5 shows the HTML code for this exploit.
136 Chapter 5 ■ Understanding the Need for Mobile NAC
Figure 5-3 Selecting the payload
Figure 5-4 Typing ‘‘exploit’’ and waiting for connections
Now, you must get a victim to view the web page. This could be done by a user simply coming across the web page, or you could try to entice the user to view the web page. An e-mail is a great way to get a victim to visit the web page, especially if it is hidden as something else. Figure 5-6 shows an e-mail message where the URL provided actually goes to something other than what is being shown in the e-mail. This is a common phishing tactic.
Mobile NAC and Direct Attacks 137
Figure 5-5 Exploit HTML code
Figure 5-6 E-mail using a phishing tactic
N O T E The malicious code can also be part of a legitimate web site. Recently,
Monster.comvisitors were exploited by malicious code placed on that web site.
All the victim needs to do is click on the link. Internet Explorer will be launched, the web page will be loaded, and in less than two seconds, the victim’s system will be completely compromised. The site being accessed contains the malicious HTML code, and once it is loaded into the browser, the machine is hacked.
You’ll recall that this exploit was configured to create a reverse shell to the hacker. This shell gets created by using the well-known tool Netcat. The hacker runs Netcat in listening mode, where it listens for incoming communications over port 4321, as configured in Metasploit. When the victim is exploited by viewing the malicious web site, the exploit communicates back to the hacker
138 Chapter 5 ■ Understanding the Need for Mobile NAC
Figure 5-7 Netcat command being run on the hacker’s machine
over port 4321, and a reverse shell is created. Figure 5-7 shows the Netcat command being run on the hacker’s machine, and the reverse shell being created back on the victim’s machine.
Thec:\Documents and Settings\Demo\Desktop>prompt is actually on the victim’s system. As easily as viewing a web page for two seconds, the victim has been exploited. Now that all the steps have been completed, the hacker can poke around the victim’s machine and pretty much do whatever he or she wants. As a quick example, this hacker finds aTopSecret.txt document in theSecretDatafolder and views it, as shown in Figure 5-8.
Mobile NAC and Direct Attacks 139 This is but one example of what a hacker could do with this exploit. Some other malicious acts could include the following:
Stealing VPN configuration information, so the hackers themselves could connect to the VPN.
Disabling antivirus and other security applications. Installing a rootkit.
Installing a keylogger that will automatically capture every key typed by the user and e-mail this information back to the hacker on a routine basis. This data would include not only sensitive file data but also all typed usernames and passwords.
Turning the victim into a bot to be used in a bot network, where large numbers of other exploited systems are used to perform malicious acts. Practically anything the hacker wants.
So, just how likely is it that such an attack will take place? Does it seem like kind of a long shot that this could actually happen? In actuality, as many as 1 in 10 URLs will attempt to do something bad to a user who simply visits the web page. That’s 10 percent!
The ‘‘Ghost in the Browser, Analysis of Web-based Malware,’’ is a great report that came out earlier this year. This report was created by Google, and it shows just how likely this type of attack can happen. Following are the key concepts of the report:
After an in-depth analysis of 4.5 million URLs, it was found that 450,000 URLs were engaging in drive-by downloads; 700,000 seemed to be mali- cious.
An exploit made possible by the missing patch MS07-009 is specifically mentioned in the report as an exploit that is used by malicious web sites to infect users.
The report specifically states that, while many antivirus engines rely on creating signatures from malware samples, adversaries can prevent detection by changing binaries more frequently than antivirus engines are updated with new signatures.
I reference this report in many of my presentations. This is great objective information that shows just how important Mobile NAC is to protecting devices as they are mobile.
The preceding example shows how a malicious web page could be created and, by using phishing techniques, a victim can be enticed to view the malicious web page. Let’s take this a step further and see how many machines can be exploited in a short period of time with a variation of this exploit.
140 Chapter 5 ■ Understanding the Need for Mobile NAC
Protecting against AP Phishing and Evil Twin
Public Wi-Fi hotspots are everywhere, and they pose a tremendous threat for a lot of different reasons. One of the biggest threats is that mobile computers are connecting to wireless networks, and the users of these systems have no way to judge if these networks are real, or if they are malicious networks set up by people with ill intent. These types of attacks are known as AP Phishing and Evil Twin. These have received a great deal of press over the past few years, and there’s good reason why.
Wireless hotspots are everywhere, and for most users, the process to connect to them is pretty much the same:
1. Go the hotspot and start up the laptop.
2. Launch Windows Zero Config (WZC) and see what wireless signals are present.
3. Select the desired signal and connect.
4. Open Internet Explorer (or another browser). If it’s a free and open web site, then the user can start surfing the Internet. If it’s a pay hotspot or if there are terms and conditions that must be agreed to, the user must enter information or click on a button displayed in the walled garden, then the user will be connected to the Internet.
A big threat surrounds Steps 2 and 3. The end user has no means to know if a wireless signal that is being broadcast is real or fake. The user can only go by the name that is being presented in the wireless program. This is a problem since hackers can create their own fake wireless networks with the names of commonly used public Wi-Fi hotspots. The users think they are real, connect, and can then be exploited.
There’s a really cool program out there called Airsnarf, which is essentially a bunch of scripts that enable a laptop computer to ‘‘become’’ a public Wi-Fi hotspot. With this functionality, a hacker can take a laptop into a public place, turn it into a hotspot, and watch as people mistakenly connect to the fake Wi-Fi network. This trick would be incredibly successful if it were run in an airport, coffee shop, or other public area where users typically use their computers to connect wirelessly.
Airsnarf performs the following functionality:
Transmits any Service Set Identifier (SSID) that is configured in the pro- gram. For example, it can be configured to transmit astmobile,
concourse,Panera, and so on.
Accepts connections and establishes Layer 3 connectivity between the computer running Airsnarf and the computer connected via Wi-Fi.
Mobile NAC and Direct Attacks 141 Displays a web page that is served to the victim when the victim estab-
lishes the connection and launches a browser.
To configure the SSID to be broadcast, theairsnarf.cfgfile simply needs to be modified. The following code shows the contents of an airsnarf.cfg file that will broadcast the signal astmobile. To make the system look as if a different SSID is being broadcast,tmobilecan simply be replaced withPanera, Concourse,Free WiFi, and so on. You should also note that there are variables to configure the IP network, gateway, and so on.
ROGUE_SSID="tmobile" ROGUE_NET="192.168.1.0" ROGUE_GW="192.168.1.1" ROGUE_INTERFACE="wlan0"
#export ROGUE_SSID ROGUE_NET ROGUE_GW ROGUE_INTERFACE
Once properly configured, the airsnarf command can be executed. Figure 5-9 shows theairsnarf command being executed and the program waiting for connections to be established.
At this point, any computer within wireless range would see thetmobile signal being broadcast by this laptop. They would have no reason to think that it wasn’t a real T-Mobile hotspot. Figure 5-10 shows how the signal would appear in WZC.
Figure 5-9 The airsnarf command being executed and the program waiting for connections
142 Chapter 5 ■ Understanding the Need for Mobile NAC
Figure 5-10 How the signal would appear in WZC
A critical item to note is that the T-Mobile SSID being broadcast actually looks like it is coming from an access point. It is likely that you have heard about users being tricked into connecting to ad hoc networks, where the Wi-Fi signal is actually a peer-to-peer, or computer-to-computer, connection. These types of connections are quite easy for even basic users to differentiate. An example of an ad hoc network is shown in Figure 5-11. This ad hoc network is namedelvis, although it could easily have been namedtmobileor even free wifi.
With the fake T-Mobile SSID being broadcast, it is only a matter of time before users connect. Again, this would be really easy to do in a public place. So what’s the big twist on the previous hack? Well, that takes us to the Step 4, opening up a browser and seeing what page the hotspot displays. Instead of serving up just any page, what if a malicious web page were displayed? That way, every single user who connected to the fake hotspot and opened a browser could become infected by simply viewing the web page that the hotspot is displaying. With this method, many, many laptops could become infected in a very short period of time.
Instead of creating a reverse shell, a hacker could choose a different payload. Perhaps the hacker would choose a payload that installs malware (such as a keylogger) onto the machine. All that the user wanted to do was connect to a well-known Wi-Fi hotspot, and in no time, the user’s machine can be completely compromised. This is certainly crazy stuff!
Mobile NAC and Direct Attacks 143
Figure 5-11 Example of an ad hoc network