Near-source penetration has been a hot topic among security professionals for the past two years. Unlike other vague security concepts, the wireless security, physical security and social engineering techniques that near-source penetration involves are very easy to put into practice. Near-source penetration has also shown up, sometimes to an “excessive” degree, in many internal offensive and defensive exercises, where the attacking side taught the defending side a vivid lesson. In this article I will share my understanding of near-source penetration.
01 What is red and blue confrontation
Red-blue confrontation was originally a military concept: a force (the blue army) is set up to play the imaginary enemy and conducts confrontational exercises against one’s own frontline forces (the red army). Red-blue confrontation in information security follows the same idea: one side plays the hacker and the other the defender, and the two conduct cyber security offensive and defensive exercises. During the exercise the blue army simulates real attacks to evaluate the security capabilities of the company’s existing defense system, and the red army optimizes and rectifies the problems found. Through periodic red-blue offensive and defensive exercises, the company continuously improves its capabilities in attack protection, threat detection and emergency response.
It is now popular to use Red Team to represent the attacker and Blue Team to represent the defender.
02 What is near-source penetration
I define near-source penetration as “the general term for the methods by which a tester who is close to, or located inside, the target building uses various wireless communication technologies, physical interfaces and smart devices to conduct penetration testing.”
In plain terms, the tester physically enters the corporate office area through disguise, social engineering and similar means, gains a foothold through whatever attack points are available (Wi-Fi networks, RFID access control, exposed wired network ports, USB interfaces and so on), and finally carries the evaluation results out and reports them without being noticed, thereby proving that loopholes exist in the company’s security protection.
Intuitively, the main difference between near-source penetration and traditional penetration testing lies in how the “boundary” is understood. An intrusion that comes in through the external network entrance faces numerous defensive measures such as firewalls and intrusion detection, and the bar for the attacker keeps rising. In the near-source scenario, because the tester is located near the target company or even inside its building, there are usually many security blind spots the company has overlooked. The tester can flexibly change the testing method according to the target’s network status, site environment, physical location and other factors, which is closer to the essence of penetration testing.
03 Test targets for near-source penetration
A complete attack-point analysis would involve many test objects in near-source penetration: Wi-Fi, Bluetooth, RFID, ZigBee, cellular, Ethernet and other IoT communication technologies, and even the embedded security of smart devices. In this article I will pick out the near-source penetration techniques that are more common and easier to carry out in red-blue confrontation for discussion.
3.1 Wireless penetration
For a long time, because there was no obvious competitor, people generally treated wireless security as a synonym for Wi-Fi security and equated wireless networks with Wi-Fi. I will keep to that habit below.
In March 2015, because of an open wireless network inside a company, a node of the supercomputer “XX One” was attacked, and a large amount of sensitive information was suspected to have been leaked.
In May 2015, insufficient security facilities and code loopholes on the server of a terminal Wi-Fi provider led to the disclosure of users’ private data held on the server.
In 2016, a mobile after-sales center was broken into by attackers because of Wi-Fi security flaws.
In April 2016, former Foxconn employees secretly bridged the wireless network to get into Apple’s network and offered “repair and unlock” services to others.
In 2018, a security researcher attending a security conference in Singapore hacked into the internal system of his hotel through its wireless network and published a blog post describing the intrusion.
Wireless networks have in fact become important infrastructure for enterprise mobile office work. However, because effective management is generally lacking, and both the deployment staff and the users lack security awareness and professional knowledge, AP distribution is chaotic, equipment security is fragile, and wireless networks have increasingly become a breakthrough point for hackers to invade corporate intranets. For this reason I spent a lot of space in “Near-Source Penetration Testing” describing attacks and defenses based on wireless networks. Wireless networks are currently the main testing avenue for near-source penetration.
In my previous work I performed a large number of wireless penetration tests for customers in industries such as military, energy, finance, government and enterprise, and telecommunications, and found that enterprise wireless security is still at a relatively vague and weak stage. This shows up in three main ways:
1. Don’t know how many wireless hotspots are inside
Looking at “whether the hotspot is issued by the enterprise’s APs” and “purpose of use”, the hotspots present in an enterprise can be divided into the following categories:
Official hotspots:
  Formal hotspots: long-term hotspots built according to plan
  Event hotspots: short-term hotspots supporting business projects
  Historical hotspots: hotspots that are no longer in use but have not been taken offline
Neighborhood hotspots: all hotspots not connected to the internal network
Business hotspots: hotspots set up by a business department after filing for approval
Employee private hotspots: hotspots shared from the wireless network card of an office machine
Malicious hotspots: phishing hotspots used to attack clients
2. Don’t know the specific attack methods of hackers
From the perspective of the targets of wireless attacks, it can be divided into three categories:
Bypass wireless authentication and gain wireless network access
Attack wireless terminals and steal sensitive information
Destroy wireless infrastructure
These targets may appear at the same time, such as attacking the wireless terminal first to obtain credentials, and then using the credentials to connect to the network. For the corresponding target, hackers will adopt corresponding specific attack methods.
3. Don’t know how to do wireless protection
Without knowing the first two points, it is impossible to do good protection.
Knowing which wireless hotspots exist inside is really a matter of sorting out the exposed attack points. Without a clear picture of this, any wireless security protection built on top of it is like the “Maginot Line”: useless.
I was once invited to do a wireless security test at a large financial company. Because of the sensitivity of the industry, and because their senior leaders had a clear understanding of the insecurity of wireless networks, they adopted a strategy of not deploying any wireless network at all. At first glance, if no wireless network is deployed, there is naturally no wireless threat to face. The fact is that I found a privately built hotspot, shared from a Mac office machine, in the area where the company’s mobile development team sat. After cracking the password and connecting, I had the same access rights as that office machine and was straight onto the intranet. Such a simple privately built hotspot broke the supposedly “impeccable” wireless protection strategy.
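The first step in "sorting out the exposed attack points" is an inventory check: every radio seen in a site survey is matched against the list of sanctioned APs, and anything unsanctioned (like the shared Mac hotspot above) is triaged into the categories listed in 3.1. The following is an added example, not code from the article; the inventory format, the SSIDs and BSSIDs, and the triage rules are my own constructed assumptions.

```python
"""Triage hotspots from a site survey against the sanctioned-AP inventory."""
from dataclasses import dataclass

# Constructed inventory of sanctioned APs: BSSID -> (SSID, official sub-type)
APPROVED = {
    "00:11:22:aa:bb:01": ("Corp-Staff", "formal"),
    "00:11:22:aa:bb:02": ("Corp-Event", "event"),
    "00:11:22:aa:bb:03": ("Corp-Old", "historical"),  # should be offline, still up
}
CORPORATE_SSIDS = {ssid for ssid, _ in APPROVED.values()}


@dataclass
class Hotspot:
    ssid: str
    bssid: str
    in_building: bool  # located inside the office by walk-through / signal strength
    reaches_lan: bool  # joining it gives a path to the intranet (verified by the tester)


def classify(h: Hotspot) -> str:
    """Map one scanned hotspot to a category of the taxonomy (assumed triage heuristic)."""
    bssid = h.bssid.lower()
    if bssid in APPROVED:
        return "official/" + APPROVED[bssid][1]
    if h.ssid in CORPORATE_SSIDS:
        # Corporate SSID from a radio not in inventory: treat as a phishing hotspot
        return "malicious"
    if h.reaches_lan:
        # Unsanctioned radio bridging into the intranet, e.g. shared from an office machine
        return "employee-private"
    if h.in_building:
        return "business"  # inside the office but not in inventory: check the filing records
    return "neighborhood"  # no path inside, but worth knowing it is there


def audit(scan):
    """Group a survey into {category: [bssid, ...]} so the unsanctioned radios stand out."""
    report = {}
    for h in scan:
        report.setdefault(classify(h), []).append(h.bssid.lower())
    return report


# Constructed survey: two sanctioned APs, an evil twin, a Mac sharing its NIC, a neighbour
SURVEY = [
    Hotspot("Corp-Staff", "00:11:22:aa:bb:01", True, True),
    Hotspot("Corp-Old", "00:11:22:aa:bb:03", True, True),
    Hotspot("Corp-Staff", "de:ad:be:ef:00:01", True, False),    # same SSID, unknown BSSID
    Hotspot("Jacks-MacBook", "a4:83:e7:00:00:10", True, True),  # shared from an office Mac
    Hotspot("CoffeeShop-Free", "c0:ff:ee:00:00:01", False, False),
]
```

The "malicious" and "employee-private" buckets are the ones to walk to first; "business" entries need a check against the approval records before they are either adopted into the inventory or taken down.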
Looking at the targets of wireless attacks, you will find that obtaining wireless network access is only one of an attacker’s purposes. I know that current enterprise-level APs basically all have a built-in phishing-hotspot protection function, but how does that help employees who use Wi-Fi in public places? Mobile office work is an irreversible trend, so we have to assume that employees will work in environments where phishing hotspots exist. Only a protection strategy proposed on that assumption can withstand real attacks.
For the other purpose, “destroying wireless infrastructure”, picture a scenario: because mobile office work is so widespread, everyone is used to working on laptops; suppose that during a critical period an attacker secretly places a wireless device at the target team’s workstations and carries out Wi-Fi deauthentication attacks against the team’s laptops, greatly reducing the victims’ ability to operate for a short time. So can we combine AP logs to build a mechanism for timely detection of Wi-Fi deauth attacks, physical localization, and on-site investigation of suspicious personnel or devices? And in extreme cases, can these laptops quickly get back onto the network through a network cable?
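The detection half of that mechanism can be as simple as a sliding window over the controller's deauthentication events: a roam or a single client dropping off produces a handful of deauths, while a jammer at a workstation floods many clients under one AP at once, and that AP's name is the physical location to walk to. The following is an added example, not code from the article; the syslog-style line format, the AP names and the MAC addresses are constructed, and LINE_RE must be adapted to the real controller's format.

```python
"""Flag Wi-Fi deauthentication floods in AP logs and name the AP to investigate."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format; real controllers each log deauth events in their own syntax
LINE_RE = re.compile(r"^(?P<ts>\S+) ap=(?P<ap>\S+) sta=(?P<sta>[0-9a-f:]{17}) event=(?P<ev>\w+)")


def parse(line):
    """Return (timestamp, ap, station, event) or None for lines in another format."""
    m = LINE_RE.match(line)
    return (datetime.fromisoformat(m["ts"]), m["ap"], m["sta"], m["ev"]) if m else None


def detect_deauth_bursts(lines, window_s=10, min_frames=20, min_stations=3):
    """One alert per AP whose last `window_s` seconds hold >= min_frames deauths
    spread over >= min_stations distinct clients. Thresholds are assumed starting
    points; tune them against the site's normal roaming noise."""
    recent = defaultdict(deque)  # ap -> (ts, sta) pairs inside the sliding window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != "deauth":
            continue
        ts, ap, sta, _ = rec
        q = recent[ap]
        q.append((ts, sta))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop events that fell out of the window
        stations = {s for _, s in q}
        if ap not in alerts and len(q) >= min_frames and len(stations) >= min_stations:
            # The AP name doubles as the physical location for the on-site check
            alerts[ap] = {"frames": len(q), "stations": len(stations), "at": ts.isoformat()}
    return alerts


# Constructed sample: one benign deauth on AP-2F-West, then 40 deauths hitting
# five laptops under AP-3F-East within ten seconds
SAMPLE = ["2021-03-15T10:00:01 ap=AP-2F-West sta=aa:bb:cc:00:00:01 event=deauth reason=3"]
SAMPLE += [f"2021-03-15T10:02:{i // 4:02d} ap=AP-3F-East sta=aa:bb:cc:00:00:{i % 5:02x} event=deauth reason=7"
           for i in range(40)]
```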
Building an enterprise wireless security system is a huge topic that covers both technology and management. In order not to stray from the subject, I have only given examples here and will not go further. Although this part is written from the defender’s perspective, understanding the defender’s difficulties can point the way for attack testing.
3.2 HID attack
HID (human interface device) refers to human-computer interaction devices such as keyboards, mice and game controllers that provide data input to a computer. An attacker can make a specially prepared USB device pose as a keyboard and perform predetermined malicious operations as soon as it is connected to the computer. This is an HID attack.
Over the past ten years, HID attack devices of many kinds, such as Teensy, USB Rubber Ducky, BadUSB, BashBunny and WHID, have been publicized through security conferences such as DEFCON and Black Hat and through the news media, so even people outside the industry have some understanding and awareness of this attack technique. I will introduce two more concealed HID attack methods that are closer to the attack scenarios found in real environments.
1. Use Android devices to execute HID attacks
The advantages of this method are obvious: you can easily switch and modify the attack commands on the phone, and the built-in power supply removes the not-so-short initialization time between plugging in and launching the attack, which greatly increases the concealment of the attack. Of course, this places certain requirements on the Android device: it needs root, and the kernel must have the USB HID gadget patch applied (https://github.com/pelya/android-keyboard-gadget).
I like to use Kali Linux NetHunter to deploy this attack tool. NetHunter is an Android-based open-source penetration testing platform created jointly by the Kali Linux community and Offensive Security. The system contains a large number of the penetration testing tools found in Kali Linux and also supports 802.11 frame injection, HID attacks, MANA malicious hotspot attacks and so on. With the DuckHunter HID tool, you write a script in USB Rubber Ducky format, connect the Android device to the target computer, and it then emulates a keyboard and types the input.
From plugging into the computer to completing the malicious operation takes only a few seconds.