CompTIA Pentest+ PT0-002 – Section 9: Wireless Attacks Part 4

81. On-path and Relay Attacks (OBJ 3.2)

In this lesson, we’re goin’ discuss On-path and Relay Attacks. First, we have an on-path attack, which was formally referred to as a man in the middle attack. Now, an on-path attack occurs when a threat actor makes an independent connection between two victims, and is able to read and possibly modify the network traffic between them. Essentially, with an on-path attack, you find some way you get in between the data flowing, from that victim machine to a server. And by doing so, you can listen and capture the data that’s being sent between the two devices. With a standard on-path attack, you can only capture the data in a more passive method, but in a relay attack, you can capture that data, modify it, and send it onward to it’s destination. For example, if there’s a client device trying to log in to an online bank’s website to conduct a transaction, you can put yourself between the client device and that server using a relay attack. Then you could modify the transaction that’s being requested. Let’s pretend the client logs in to the website and initiates a transaction to transfer $50 to their account numbered 1 2 3 4 5. If you were able to get in between that communication, you could modify the data being sent in those packets, so it now says to transfer $5,000 to the account number 6 7 8 9 0. which is an account you own. Now when the bank receives the request, they believe it came from the authorized client. And now that money is going to be moved into your account. By conducting this relay attack, you were able to breach both the confidentiality and integrity of the transaction, because you could see the transaction being requested which violates confidentiality, and you changed or modified the requested amounts and accounts, which is a violation of integrity. To execute an on-path or relay attack, what are the easiest methods is to execute an evil twin attack, since the client will connect to your wireless access point to gain access to the internet, and then the associated remote servers. This gives you a prime spot to observe and possibly modify any traffic as it passes through the access point that you control.

To counter the threat of an on-path or relay attack, most organizations have implemented some kind of security controls, to authenticate clients when they join their corporate wireless networks, using technologies like 802.1x, and requiring the use of encryption between clients and servers by implementing TLS and digital certificates. Let’s do a quick review of how 802.1x works, and then we’ll talk about some ways you can bypass it as a penetration tester. Now 802.1x is a standard for conducting port based network access control. When a client connects to a corporate owned wireless network using enterprise mode, they’re going to be required to authenticate themself using the 802.1x protocol. The device that’s requesting to join the network is called the supplicant, and they first connect to a wireless access point, which we call the authenticator. The authenticator then reaches out to the authentication server, which is usually a radius server to check the credentials and authentication of the supplicant. If the credentials are validated, then the supplicant is considered authenticated, and becomes authorized to use the wireless network. Now, to protect this authentication process, the Extensible Authentication Protocol known as EAP, is usually going to be used to create an encrypted tunnel between the supplicate all the way through that authenticator, into the authentication server. And that way, they can pass the credential securely over to the authentication server for processing.

The most common forms of EAP are the Protected Extensible Authentication Protocol known as PEAP, the EAP with Tunnel TLS, known as EAP-TTLS, and EAP with Flexible Authentication via Secure Tunneling known as EAP-FAST. Using these different EAP methods, either the server, the client, or both, are going to be required to use digital certificates as part of the authentication process. Now, as a penetration tester, if you want to attack this secure process, you need to set up a wireless access point as an evil twin. When a client connects to the evil twin, the rogue access point is going to provide a forged digital certificate to that client. If the client accepts that certificate, the client will provide its authentication credentials or digital certificate to the rogue access point. The rogue access point can now forward that genuine certificate to the upstream server, and it acts as a relay or proxy between the client and its final destination server. From this on-path position, the rogue access point can now monitor or modify any traffic between the client and the server. So for the exam, remember this, on-path and relay attacks are very similar in their form and function. The big difference is that an on-path attack is used to monitor and capture the data being sent through the connection, while a relay attack is going to be used to monitor, capture and modify that data as it passes from the client, through a rogue access point and onto the server. So remember, a relay attack is really just a form of an on-path attack, that allows you to modify things too.

82. Bluetooth Attacks (OBJ 3.2)

Bluetooth has become a common method of connection between desktops, laptops, and mobile devices, with different types of peripherals, like mice, keyboards, and headphones being used. When these devices are connected to the system, a personal area network connection is created over the 2.4 GHz frequency band. And this allows wireless connectivity at a distance of up to about 30 feet. While this is convenient, Bluetooth does introduce many vulnerabilities to an organization’s network and connected devices, including Bluejacking, Bluesnarfing, BlueBorne, and Bluetooth Low Energy attacks. First, we have Bluejacking. Bluejacking occurs when unsolicited messages are sent to a Bluetooth enabled device. To prevent this, devices should not be put into discoverable mode, unless the user is actively connecting to a new peripheral. When the user finishes that configuration, they should then turn the discoverable mode back off. In general, Bluejacking isn’t that dangerous, and is mostly just an annoyance for users, but it is still a valid attack vector in the hands of a good social engineer. For example, a good social engineer might trick a user into downloading some kind of malicious content that’s sent using Bluejacking. But due to the limited range of Bluetooth being only about 30 feet, it is harder to implement than using a regular phishing or smashing campaign.

To conduct Bluejacking, there’s no special tools or software that’s required of you. Instead, you simply need to find a device that’s within your range, and is set to discoverable mode. Then, you can send them a message using a Bluetooth Protocol. Second, we have Bluesnarfing. Bluesnarfing is used when somebody makes an unauthorized access to a device through the Bluetooth connection. Now, in this case, an attacker tries to take data off of the device using that Bluetooth connection. If an organization is trying to set up a high security environment within their facilities, it is much better to disable Bluetooth altogether, and simply use cabled mice, keyboards, and headsets, to eliminate this vulnerability. Now, the goal with Bluesnarfing is to read sensitive data or information from a victim’s device. This can include things like their calendars, their contacts, their emails, their text messages, or their pictures. If the victim’s device is set to non discoverable mode though, then Bluesnarfing is also rendered ineffective most of the time. For the exam, you should remember that Bluejacking involves sending information, whereas Bluesnarfing is about stealing and receiving information. Also, remember that both Bluejacking and Bluesnarfing can be rendered ineffective, if the user’s device is set to non discoverable mode inside of their Bluetooth settings. Third, we have BlueBorne. BlueBorne is a more modern threat than Bluejacking or Bluesnarfing. BlueBorne is an attack that allows the attacker to gain complete control of a device, without even being connected to the target device. Blueborne is actually a set of eight different vulnerabilities, that can be used to exploit the Bluetooth protocol itself on Windows, Linux, Android, and Apple devices. Blueborne can be used to conduct information leaks, remote code execution vulnerabilities, and logical flaw vulnerabilities, in the victimized client devices. Fourth, we have Bluetooth Low Energy attacks known as BLE attacks.

Now Bluetooth Low Energy or BLE, is a variation on the normal Bluetooth technology that’s used to communicate wirelessly over shorter distances and uses less energy. Usually, Bluetooth Low Energy is going to be used to exchange data between personal devices like smartphones, tablets, printers, laptops, and other peripheral devices. Now due to its low energy usage, Bluetooth Low Energy is extremely popular in smart home devices, motion sensors, and other Internet of Things devices as well. Due to its limited distance and lower energy though, Bluetooth Low Energy usually transmits less data than a regular Bluetooth implementation, and this way it can conserve energy. Even still, you can capture some useful data from these BLE devices, such as their model, software and versioning details, different activities conducted in a smart home or smart office, email addresses and phone numbers, and you can even eavesdrop on voice assistant commands that have been issued.

As a penetration tester, the biggest challenge of conducting an attack against Bluetooth Low Energy devices, is actually getting close enough to those devices, because they typically have a very short range inside of their communications. To attack Bluetooth, you’re going to need to have some specialized software focused on exploiting the Bluetooth Protocol. The Bluetooth Protocol was designed to use frequency hopping to prevent attackers from easily capturing data being sent and received over the protocol. And this makes signal exploitation more challenging against the Bluetooth target. Also, the password or PIN that’s used to pair these devices is only sent once during the initial pairing. So wireless attacks like de-authentications in order to try to capture a new handshake, are not going to work for you. This is because once the pairing has been completed, those devices store the security keys internally to themself, and they’re then going to use that for future communication.

This means that for every subsequent connection after the initial pairing, no keys are actually being transmitted between those two devices. To conduct Bluetooth attacks, you’re going to need to learn how to use hciconfig, which is a tool to configure your Bluetooth interface, hcitool, which is a tool to scan and discover devices in range, B L E A H, which is a tool used to enumerate Bluetooth devices, and either Gatttool, Bettercap or Bluepy to interact and communicate with Bluetooth devices in the real world. For the exam though, the only tool listed by your exam objectives is Spooftooph, which is designed to automate the spoofing and cloning of a Bluetooth device’s name, class, and address. By cloning this information, you can then set your own Bluetooth devices to report this information, in order to spoof your device’s identity, and that way you can effectively allow your Bluetooth device to hide in plain sight during your engagements.

83. RFID and NFC Attacks (OBJ 3.2)

In this lesson, we’re going to explore attacks against devices using RFID and NFC. First, let’s look at RFID. Now, RFID, or radio frequency identification is a form of radio frequency transmission that has commonly been modified for use in authentication and tracking systems. In an RFID-based system, two components known as the tags and the readers are going to be used. This is heavily used in inventory tracking systems where an RFID tag can be placed on an object, like a shipping container or pallet. And then we have readers that can be used to identify the container or pallet as it’s placed into the warehouse, loaded onto a truck or moved along its designated logistical route. Another common place to find RFID technology is inside of enterprises, where they use it for their employee badges. An RFID tag can be embedded into an employee’s identification badge and used as a possession factor inside of that authentication. Because it uses radio frequency, there is a danger that that signal could be captured by an attacker or penetration tester, and then retransmitted. For this reason, when using RFID as an authentication system we usually should use a second authentication factor, like a pin or a password.

Now, if you want to clone an RFID tag as a penetration tester, you’re going to need to have a specialized hardware device that can read the existing tag and then write its data to a new tag. Since these badges are considered contactless, you only really need to be within the range of that badge in order to read its authentication information. For example, if an employee has their badge on a lanyard around their neck, you could then accidentally bump into them, and that reader inside your backpack could pick up the RFID’s tag. And that way you could gather that detail and store it for later. Most RFID readers can actually read the badge from up to a few feet away.

Now, this was actually a very common technique for older RFID badges that relied on the system called EM4100, which uses 125 kilohertz technologies, because those badges did not support encryption and they would transmit any time there was a reader nearby. Unfortunately for us as penetration testers though, the newer RFID badges that are in use today in modern authentication systems actually use higher frequencies that provide higher data rates and those do support encryption. Many of these systems also don’t send the entire authentication data from the badge during the transmission. And instead they only transmit some key identifying attributes to identify the user. All these security features combined do make it harder to effectively conduct badge cloning on newer RFID-based badges, but there’s still lots of old badges out there and in use in most organizations. To conduct RFID cloning, you need to either build your own reader/writer or you can purchase a prebuilt one that was especially made for this purpose. Remember, regular business people also need a way to read these tags and write new tags. So, there’s lots of tools that are widely available.

For example, if you go on to Amazon you’re going to find many of these RFID readers and writers for under a hundred dollars that come with two day delivery. And most of these even come with some RFID key fobs and cards that you can use as well. So, if you’re interested in playing around with RFID hacking and cloning, you can easily get the supplies you need and practice with those. Now, for NFC-based badges, these work much the same way as an RFID-based badge but they do use different frequencies and they have a much shorter range. Now, the nice thing about NFC is that most of our phones these days have NFC readers built into them because it comes standard with most Android and iPhones. This makes it easier for us to read and clone these NFC badges because we can use tools like the Android-based, MIFARE Classic Tool that can be used to read and write tags, as well as edit and add key files directly to your Android device, and then use that as your key. Another common NFC attack is known as an amplification attack.

Now, one of the big problems with NFC is that it has a very short distance. Remember, near-field communication is a set of standards for mobile devices that was designed to establish radio communication with each other, by being touched together or brought within a short distance. This standard regulates a radio technology that allows these two devices to communicate when they’re in that close proximity. And normally we define that as a few centimeters. And this allows the secure exchange of information. Now, to try and overcome this short range limitation though, we can then try to create a NFC amplified antenna to extend the range of those NFC devices, so we can read those signals from longer distances. Still though, the distances can be fairly limited, even with amplification. Due to the frequencies and antennas used in those NFC tags, you shouldn’t expect to pick up an NFC signal if you’re more than about eight to 10 inches away or about 20 to 30 centimeters away, even with a strong amplification antenna being used.

• Category: Uncategorized