Saturday, September 20, 2014

"Above the Clouds" - Cisco Meraki AP as a Wireless WMD (and a heavy dose of industry criticism) - Part 1

Gang Starr – Above The Clouds

What has always appealed to me about my profession is that it rewards hard work, analysis and critical thinking... far more than any other.

The ability to digest a massive amount of information in a short amount of time is crucial. If you plan ahead, you know what your opponent is going to before even THEY know what they're going to do. If you do it right, you can push them where you want them to go. You don't only control the game, you control the rules as well.
All of that being said, what you're about to see is pretty scary from an engineering and security perspective. I stated all of that because they're important concepts to understand if you have any hope of surviving in sea of threats and attacks against information assets and infrastructure.

Bring disaster...
I'm no fan of the cloud.

The borders grow fuzzier but expectations and responsibilities don't.  Allowing things outside of your perimeter of control but not transferring or remediating the risk is a recipe for career implosion. Technology folks are asked to trust the fact that someone else is taking care of it. In my experience, they aren't. In fact, they're hoping you don't ask. Many providers that I've worked with (or against) are far more concerned with producing profit, efficiency and market penetration numbers than providing a product that provides their customers with peace of mind or secure solutions.

The sales guys rehearse the pitch, explaining to you why it's the greatest nerve tonic you've ever had and that it will fix all of your problems. He doesn't care when your hair falls out or your skin turns green. He's on to the next town.

Experience, the best teacher
The problem with "The Cloud" is simple.

The sales pitch is, "You can access your data, at any time, anywhere in the world."

See the problem?

If you can access your data, at any time, anywhere in the world...

....anyone can.

You trust that a retailer or processor is practicing due care in regards to your information or services. Every major data breach over the last few years will show you that it is increasingly likely that they're not.

Availability is a keystone to the CIA triad of security. Providing it in an intelligent manner is tricky.

Stand like Colossus, regardless to whom or what
Cisco is a giant in the industry and the Meraki solution is pretty awesome. I can think of a few usage cases where this thing would be perfect. They're relatively low-cost,  well-designed and the interface is intuitive, powerful and sleek.

Meraki was started by a group of MIT students and was eventually acquired by Cisco. They provide a cloud-based wireless solution with management from a web interface. They packed a lot of punch into this little device.

Meraki will be more than happy to provide you with a device and 3 year subscription to their service for the low, low cost of sitting through a one hour webinar and a quick registration.

They're looking for market penetration and adoption through saturating the market and tech saavy folks with equipment. Anyone who has ever worked a tech show or conference will tell you that if you play to the cheapness of IT folks and their love of free stuff, no matter how ridiculous the item is, they'll gladly accept it. (I attended a Microsoft launch event several years ago where they were handing out clear plastic Microsoft clip-ons that had an embedded blue LED. It blinked several different patterns. Almost every person there had one clipped to themselves because it "looked cool" and it was free. I nearly had a seizure from drowning in a sea of several thousand blinking lights.)

Don't worry, I'm getting to the point here...

Our hands are on the ammo, 'cause the battle's still on

Turning the system on itself is getting easier. The more complex things are, the easier it is to create a failure.

Meraki provides a cloud management service and a powerful set of tools that take very little time to get up and running. The beauty of it is, you can access your AP, at any time, anywhere in the world.

Many IT staff, administrators and engineers who manage their network and perimeter are underskilled, overworked, disgruntled, unaware of current threats  or too permissive in providing services to their users. It's a harsh truth. I can say that because like all of you, I've been all of those things at some point. Several times, I've been a combination of those things.

Meraki has attempted to address those issues. What should strike fear into your heart is that they've provided a platform to exploit all of them.

Sound the horn, we come rumblin' through the function

You can get far more advanced, sexy or precise with what I'm going to cover. What should alarm you (and what I'm going to demonstrate) is that all of this is done with open-source, free or simple to use tools in a minimal amount of time with devastating impact.

</end rant>

Let's set the table

The average IT person is not working in a large, well-funded or staffed environment. They're doing the best they can in a super-competitive job market and with companies that look at technology as an expense and not an asset. Many times they're getting pressured by their co-workers and managers to provide a permissive environment, concierge-like service for problems and are treated like glorified janitors.

The perimeter and attack surface of a network is poorly designed or not patrolled in a lot of cases because of the issues stated above. Instituting controls such as static/sticky MAC, wireless IDS, and proper desktop security are time consuming. Most IT folks are playing catch-up or getting push back on the budget to implement those things.

You'd be amazed how easily you can walk into a secure area. I'll cover that in future posts. The art of social engineering is something I can (and do) talk for hours about. An attack that I have had great success with, particularly when I can't crack the perimeter of a network, is to socially engineer staff, talk my way inside the building and plant a device which will give me remote access and information gathering to an organization.

Meraki has provided a fantastic platform for doing so.

The Storm Cloud

The APs or network you create a controlled through a cloud-based dashboard. One of the trickier parts of planting a device inside the perimeter is that you need to know a bit about the network before you break in. If you're planning on seizing control of wireless infrastructure, you need to setup a few items or applications ahead of time, do some surveying, plant devices, hope they "call home" and you've likely made some noise through having the device(s) connecting to a uncommon address or DNS name.

Meraki gave you all of these tools in a pretty package.

The calm before the storm

This is the Monitor tab. Most of the "interesting stuff" is here.

Drill into your Access Points and you're going to get a great jump off point. If you've successfully planted this device, depending on your attack profile, you may be on the local wired subnet or not. You're looking to get internet access, period. It can be done via direct connection, piggybacking the target or a third-party, all of that depends on how well you've done your homework.

When you examine your AP, you'll see some very useful information by just plugging in.

You've got the local LAN configuration. If the administrator hasn't instituted some sort of Network Access Control (and frequently, they don't), you're already on the internal network. You have a good amount of information to work from, direct network access and hard to detect point of egress/ingress for infiltration and exfiltration.

You can stop there if you like, but what's the point? What if that's not your goal? What if you're more interested in a specific target, the infrastructure is patched frequently or a foothold is harder to establish? What if you're unsure or unable to gather enough information beforehand? What if you were unable to get access to the wired network and you're piggybacking?

You have the egress IP of the network you're on. If you're inside, you now have an important piece to work with. In smaller environments, the admin typically makes this the IP hosted services are operating on. A simple ARIN query can yield a good amount of information about the organization. If you're unsure what you've accessed, you can start collecting and aggregating data. (This is another subject I will dive deeply into at a later date.)

You also have the DNS server which can be attacked via multiple methods. You can set the DNS yourself, if you don't want to arouse suspicion of IT staff. If they're asleep at the wheel, they're not blocking external DNS queries or MAC address tables. If they're watching DNS queries on the DNS server, you're avoiding them completely.

You have a fairly good set of network mapping tools as well. You can look at the ARP table, ping internal hosts and run traceroute. You can build a good map of the network from there, without having to hookup a machine via wifi. That's the beauty of this.

Wi-Fi is limited by proximity. You have to be within a fairly close range to execute attack methods. Additionally, this type of attack package took some installation, knowledge, skill and a little luck. It took time and money. Meraki made it easy AND free. Yes, you can drive by later and exploit. You can do this from anywhere in the world.

The clients tab is next. You'll be able to watch the network and clients from here.

This will give you a nice little graph of the network utilization and the clients you've captured. This is an incredibly useful place to come back to.

The description column will give you the name of the clients you've got associated. The Meraki will also track these over time. This table will track data usage, the OS and IP of clients, the SSID they attached to (if you're spoofing or hijacking) the MAC address and chipset. THIS IS ALL DEVASTATING INFORMATION TO HAND TO A REMOTE PARTY. The best part? I haven't tripped off any (or very few) technical controls that are implemented in a typical SMB network. This is all egress traffic. Your inbound firewall rules are useless.

Even better? The Meraki AP has a built in firewall and an NMAP scan turns up little information about the device. It is also not picked up by other vulnerability assessment or network audit tools. It occupies a network IP but is difficult to fingerprint and doesn't present banners for grabbing. About all you can get from a simple scan is that it will return a ping and has no ports open.

If you're not a little concerned right now, the next few things I'm going to show are going to have you running for the hills.

Yes, they included a packet capture service with the device. You can visually inspect or save these for later use.

Even scarier?

You can capture wireless packet traffic or get it at the wire. Both have their advantages, too deep to look at.

Besides, the HORRIFYING drop-down isn't that one, it's this one:

Yes, you can view it in real-time. You can also save it as a PCAP file and break it down in wireshark.

The last one is brutal.

You can upload it to a public CloudShark server. You can post it on a third-party site where you can retrieve it later, post it for your friends/accomplice's examination or share the capture with anyone who has the URL or can guess it.


It doesn't stop there....

Air Marshal is where you can rain down death and destruction.

Air Marshal is an IPS/IDS that Meraki has provided to its customers. From here, you can start performing some truly devastating and evil attacks.

You can have this device running scans on site, for you. Instead of walking around with NetStumbler, Kismet or any other tool, it's all here for you to use. Once again, anywhere in the world.

The keyword in this page is contain. Meraki enables you to use this device as an IPS that will act as an attack tool against any AP or SSID broadcasting in the area. You can select by keyword, name or LAN. If it detects another AP on the LAN, you can have it de-authorizing requests to it. You can pick another SSID in the area and have it send de-auth requests to its clients. the click of a mouse in a drop-down box.

Read that again.

If you're not following, they've made DoS'ing someone else's wireless network THAT EASY. If you want to enrage your neighbors, just install this and contain every other AP in your neighborhood.

Sure, that's a low-tech attack and more a nuisance than anything.

We need to go deeper.
The Meraki device allows you to broadcast a number of other SSID's. My device has 15 available for use.

One could effectively DoS every other SSID and start propping your own up.

I said something earlier that should be ringing in your head:

"If you do it right, you can push them where you want them to go. You don't only control the game, you control the rules as well."

See where this is going?

Wireless, Social Engineering and the predictability of stupidity
Wireless works on a few simple concepts.

1. "The strongest signal wins."

If I can survey the area remotely, I can prop my own SSID up that matches someone else's settings. If it's encrypted or locked down, I can attack those in another manner to get the key. There are several direct and side-band attacks. If I'm on the same LAN, I can attack the device itself and attempt to compromise it for the key. I can compromise a machine on the network and extract it from there. The point is: I have an unlimited supply of vectors. I have an unlimited amount of time.

All that matters is that I can get stations to associate with me and control the flow of traffic or examine it.

If they're close (or I'm running the IPS with another paired device, de-authorizing stations), I'm going to capture them and  control the rules.

2. "De-authorizing forces machines off-line or interrupts their connection."

I can deny service to other SSID's or stations. A typical user won't know how that happens, much less what it looks like when it does. They'll attempt access via other means.

3. "Stations probe for existence of SSID's and automatically connect if configured to do so."

Your laptop or device doesn't go out and LOOK for wireless, exactly. It sends out a list of what it is looking for as well. It sends out requests. If you have an ear out there, you can "hear" what they're looking for and start advertising it. You can gather devices up just by listening.

If this is in public, propping up an SSID called "Free Public Wi-Fi" or "Starbucks" will net a slew of clients automatically. I have a list of commonly used SSID's in public areas. I can just go back to my list of 15 and start adding them. People check that little "Connect Automatically" box pretty easily.

Either way, stations will automatically associate. This attack works, a lot.

One more reason to be concerned about this is one that is likely outside your perimeter of control.

Home wireless.
If your users are allowed to connect to their home wireless and they didn't setup their network correctly, you're exposed.

If their kid setup OPEN wireless on their home SSID, you can simply rename the attacking SSID to that and you've captured the station.

There are a bunch of other ways to attack this. The possibilities are almost endless.

The next useful tool is a portable locator and surveyor, RF Overview

 You can start examining the area for other APs and identify them. Querying WIGLE (a free site) for geographic location of other AP's will tell you a lot about the geographic area, right down to street addresses. If you want to be clever, you can query WIGLE before hand and configure this device ahead of time.

Useful stuff here, excellent for staging attacks and gathering information.

The last tool I'll show for this post is a fantastic client-side exploitation tool that can be leveraged numerous ways, the Summary Reports.

If you're passively sniffing and profiling, you can start building some really interesting attack vectors at this point. You're getting a rich view of the traffic habits of machines and users, the sites they visit, the top OS's you're going after and how busy the area is. This is a wide net to throw out, fishing for prey.

You're even getting a breakdown of the habits and applications on workstations, without having to do anything other than listen.

You can build, from these simple tools, a very dangerous and nearly unstoppable platform for malicious activity.

If you're not scared now, wait until you see what else they provided. It gets much more malicious from here, including your own webpage host and walled garden.

Stay tuned.

No comments:

Post a Comment