Near-source penetration is a hot topic that has been frequently discussed by security professionals in the past two years. Different from other vague security concepts, the wireless security, physical security, and social engineering involved in near-source penetration are very easy to implement. Many internal offensive and defensive confrontation exercises have also appeared “excessive” near-source penetration. The attacking technique taught the defensive team a vivid lesson. This article will talk to you about my understanding of near-source penetration.
01 What is red and blue confrontation
The red-blue confrontation was originally a military concept, which refers to the establishment of a force (the blue army) that acts as an imaginary enemy to conduct confrontational exercises with our frontal forces (the red army) during a simulated confrontation. The red-blue confrontation in the field of information security is similar in thinking. One party plays the role of a hacker and the other party plays the role of a defender to conduct cyber security offensive and defensive exercises. During the exercise, the Blue Army simulated real attacks to evaluate the security capabilities of the company’s existing defense system, and the Red Army made corresponding optimization and rectifications for the problems found. Through periodic red and blue confrontation offensive and defensive exercises, continuously improve the company’s capabilities in attack protection, threat detection, and emergency response.
It is now popular to use Red Team to represent the attacker and Blue Team to represent the defender.
02 What is near-source penetration
I define near-source penetration as “referring to the general term for the method by which the tester is close to or located inside the test target building, using various wireless communication technologies, physical interfaces, and smart devices to conduct penetration testing.”
In layman’s terms, it means to physically invade the corporate office area through disguise, social engineering, etc., through various potential attack points (such as Wi-Fi network, RFID access control, exposed wired network ports, USB interfaces, etc.) ) Obtained “success”, and finally brought out and reported the evaluation results in a secret manner, thus proving the existence of loopholes in corporate security protection.
You can intuitively feel that the main difference between near-source penetration and traditional penetration testing lies in the understanding of “boundary”. On the way to invade the enterprise through the entrance of the external network, it will face numerous defense measures such as firewall and intrusion detection, and the threshold of attack will gradually become higher. In the near-source penetration scenario, because testers are located near the target company or even inside the building, there are often a large number of security blind spots that are ignored by the company. We can flexibly change the penetration testing method according to the target’s network status, site environment, physical location and other factors, which is closer to the essence of penetration testing.
03 Test targets for near-source penetration
If a complete attack point analysis is done, there will be many test objects involved in near-source penetration, including WiFi, Bluetooth, RFID, ZigBee, cellular, Ethernet and other IoT communication technologies and even the embedded security of smart devices. In this article, I will select one of the more common and easy to implement in the red-blue confrontation near-source penetration technology for discussion.
3.1 Wireless penetration
For a long time in the past, because there was no obvious competitor, people generally used wireless security as a synonym for Wi-Fi security and equated wireless networks with Wi-Fi. I will continue to use this habit below.
In March 2015, due to an open wireless network within a company, a node of the supercomputer “XX One” was attacked, and a large amount of sensitive information was suspected to be leaked.
In May 2015, insufficient security facilities and code loopholes in the server of a terminal Wi-Fi provider caused the disclosure of user privacy data in the server.
In 2016, a mobile after-sales center was invaded by attackers due to Wi-Fi security flaws.
In April 2016, former Foxconn employees secretly bridged the wireless network to invade Apple’s network, providing others with “repair and unlock” services.
In 2018, a security researcher attended a security conference in Singapore. During his stay in a hotel, he hacked into the internal system through the hotel’s wireless network and published a blog about the intrusion process.
Nowadays, wireless networks have in fact become an important infrastructure for enterprise mobile office. However, due to the general lack of effective management, the lack of security awareness and professional knowledge of deployment and users, AP distribution is chaotic, equipment security is fragile, and wireless The network has increasingly become a breakthrough point for hackers to invade the corporate intranet. Because of this, I spent a lot of time in “Near-Source Penetration Testing” describing security attacks and defenses based on wireless networks. Wireless networks are currently the main testing method for near-source penetration.
In my previous work, I have done a large number of wireless penetration testing services for customers in various industries such as military, energy, finance, government and enterprises, and telecommunications, and found that the construction of wireless security by enterprises is relatively vague and weak. In the stage, there are three main reactions:
1. Don’t know how many wireless hotspots are inside
From the perspective of “whether issued by AP” and “purpose of use”, the hot spots existing in the enterprise can be divided into the following categories:
Official hot spot
Formal hot spots: long-term hot spots planned to be built
Event hotspots: short-term hotspots supporting business projects
Historical hotspots: hotspots that are no longer in use but not offline
Neighborhood hotspots: all hotspots not connected to the internal network
Business hotspots: hotspots established by the business department after filing for approval
Employee private hotspots: hotspots shared by wireless network cards on office machines.
Malicious hot spots: Phishing hot spots used to attack clients
2. Don’t know the specific attack methods of hackers
From the perspective of the targets of wireless attacks, it can be divided into three categories:
Bypass wireless authentication and gain wireless network access
Attack wireless terminals and steal sensitive information
Destroy wireless infrastructure
These targets may appear at the same time, such as attacking the wireless terminal first to obtain credentials, and then using the credentials to connect to the network. For the corresponding target, hackers will adopt corresponding specific attack methods.
3. Don’t know how to do wireless protection
Without knowing the first two points, it is impossible to do good protection.
Knowing which wireless hotspots exist inside is actually sorting out the exposed attack points. If you don’t have a clear understanding of this, wireless security protection on this basis is just like the “Machino Line of Defense”, which is useless.
I was once invited to do a wireless security test on a large financial company. Due to the sensitivity of the industry and their senior leaders have a clear understanding of the insecurity of wireless networks, they adopted a strategy of not deploying any wireless networks. At first glance, even if the wireless network is not deployed, it will naturally not face wireless threats. The fact is that I found a privately built hotspot shared by the mac office machine in the area where the mobile terminal development team of the company is located. After cracking the password and connecting to the network, I have the same access rights of the office machine and directly connected to the intranet. . Such a simple privately built hotspot broke the imagined “impeccable” wireless protection strategy.
From the perspective of the target of a wireless attack, you will find that obtaining wireless network access is only one of its purposes. I know that the current enterprise-level APs basically have their own phishing hotspot protection function, so how do employees use it in public places to prevent phishing hotspots? Mobile office is an irreversible trend. We have to assume that employees will work in an environment where there are phishing hotspots. Based on this assumption, the protection strategy proposed can withstand real attacks.
For another purpose of “destroying wireless infrastructure”, you can imagine a scenario: due to the popularity of mobile office, everyone is accustomed to using laptop devices to work, assuming that during a critical period the attacker secretly places a wireless device at the workstation of the target team. Wi-Fi Deauth attacks are carried out on different fully blocked boxes, which greatly reduces the operation capability of the victim in a short time. So can we combine AP logs to establish a mechanism for timely detection of Wi-Fi Deauth attacks, physical location, and on-site investigation of suspicious personnel/devices? In extreme cases, can these notebooks quickly connect to the network through a network cable?
The construction of enterprise wireless security system is a huge topic that includes technology and management. In order not to deviate from the topic, I will only give an example and will not explain it further. Although this part of the content is written from the perspective of the defender, after understanding the difficulties of the defender, you can point the way for the attack test.
3.2 HID attack
HID (human interface device) refers to human-computer interaction devices such as keyboards, mice, and game benchmarks that provide data input for computers. An attacker can simulate a special USB device as a keyboard, and perform a predetermined malicious operation once connected to the computer. This is an HID attack.
In the past ten years, there have been various types of HID attack devices such as Teensy, USB Rubber Ducker, BadUSB, BashBunny, WHID, etc., which have been publicized through security conferences and news media such as DEFCON and BlackHat. People outside the industry have a certain understanding and awareness of this attack technique. I will introduce two more concealed HID attack methods to get close to the attack scenarios in the real environment.
1. Use Android devices to execute HID attacks
The advantages of this method are obvious. You can easily switch and modify the attack commands on the mobile phone. The built-in power supply eliminates the not-short initialization time from plugging in to before launching an attack, which greatly increases the concealment of the attack. Of course, this has certain requirements for Android devices. You need root and the kernel must be plugged into the USB HID patch (https://github.com/pelya/android-keyboard-gadget).
I like to use Kali Linux Nethunter to deploy this attack tool. NetHunter is an Android-based open source penetration testing platform, jointly created by the Kali Linux community and Offensive Security. The system contains a large number of penetration testing tools in Kali Linux, and also supports 802.11 frame injection, HID attacks, MANA malicious hotspot attacks, etc. Using the DuckHunter HID tool, after writing a script in the USB Rubber Ducky format, connect the Android device to the target computer, and then it will simulate a keyboard for input.
It takes only a few seconds from inserting the computer to the completion of the malicious operation.
The following content is visible to members
[wc_pay_can_read id=’2026,2029,2030′ tishi=’You do not have permission to read this content, click here to become a member and refresh this page to read it’]
Previously, the Android phone was transformed into a HID attack device, and USBNinja was even more excessive, pretending to be a data line.
It has the same appearance as a normal data cable, and can charge and transmit data like a normal data cable. Once it receives the command from the remote control or mobile phone APP, it will execute the preset attack command, simulating keyboard input or mouse click to attack.
It has been further enhanced in the recently updated USBNinja Pro version. All configuration processes can be carried out on the mobile phone APP. At the same time, it has faster USB2.0 typing speed, self-destruct mode clear firmware, automatic detection of caps lock, support BLE5.0 New features such as keyboard and mouse have also been added.
The Pro version of the USBNinja data cable costs about US$50-100. Although the price is more expensive, it is recommended that you buy at least one set. We may suspect U disks and mobile phones, but it is really difficult to doubt a data cable that can charge.
LockPicking refers to the art of unlocking. At the DEFCON conference, there has always been a LockPicking Village exhibition area to teach participants how to unlock locks. Although lock picking is often associated with crimes, unlocking skills can also be learned as a useful life skill, or as a hobby . In most cities around the world, as long as it is not used for criminal purposes, learning unlocking techniques is feasible and legal.
The reason why the safety of locks is mentioned here is that I have seen too many sensitive areas in various companies that only use A-level or B-level lock cylinders. These two security levels are very easy to be affected. Pry open. For example, I once found in an enterprise that the weak current well doors on all floors use Class A locks, which can be easily opened with a portable tool in the form of a single hook, and there are multiple switches and server equipment behind the door. Think about it.
3.4 Physical infiltration
Infiltration here refers to entering the target area without authorization, which is also an interesting topic that has nothing to do with Cyber Security. Considering the sensitivity of the topic, readers of the following content please consider it to be fictitious.
In the movie “Sherlock on the Plain”, the protagonist needs to enter a high-end community to track the target. The community has stricter access control management. Only one person can enter each time the access card is swiped and cannot follow. So the protagonist found a way to get a set of clothes for delivery, and asked the security guard to open the door and enter the community in the name of delivery.
XX City Science and Technology Museum, because it is the summer peak to enter the venue, you need to make an appointment in advance, is it impossible to enter today? I found that on the side of the stadium was an office building connected to it, and I was not blocked when I walked into the office building. Step into the elevator at the corner to the 3rd floor and walk to the corridor connecting the office building and the stadium. There was a security guard standing at the junction. I sorted out my expressions and walked over generously. Sure enough, the security staff did not stop me. Their task was to prevent the audience from entering the office area, and in the opposite direction, they let me go by default. In this way, I entered the stadium.
XX scenic spots in XX city, as the city’s well-known free scenic spots, need a long line to enter every holiday. At this time, someone came over and whispered, “It’s normal to line up for 1 hour, and you can get in in 5 minutes if you take the VIP channel for 100 yuan. Because with friends, I paid to avoid meaningless queuing. He led me down the path and entered in less than 5 minutes, but then I realized that this so-called VIP channel is not a fire channel.
XX country XX security meeting, the ticket is very expensive, the first floor is the ticket gate, the staff can take the escalator to the second floor meeting area after review. As a speaker, although I have a ticket, my companions cannot enter. At this time, we found a freight elevator in the corner. We took to the second floor and opened the fire safety door to directly enter the venue area. Although there are no audience badges, no one in the venue has checked.
These cases all reflect one thing in common. The front entrance is a strictly audited area, but for “hidden entrances” such as artificial passages, fire passages, freight elevators, and underground garages, they are often in weak security areas. For near-source infiltrators, the closer they can enter the target, the greater the possibility of finding problems.
04 Future development of near-source penetration
Proximity penetration is not a new concept. There have been terms such as “proximity attack” and “physical penetration” in the past, but compared to 10 years ago, the test subjects of proximity penetration have added more wireless communication technologies. This is because with the vigorous development of the Internet of Things (IoT), various forms of smart devices have appeared within enterprises, such as Bluetooth keyboards and mice, wireless printers, smart lighting, smart cameras, smart TVs, smart speakers, etc. The list continues increase. Even in elevators, vending machines, central air conditioners, or other infrastructure, the Internet of Things technology is also used, and they communicate via Wi-Fi, Bluetooth, ZigBee, NFC, or other wireless technologies.
For enterprises, the characteristics of IoT devices pose serious security challenges to enterprises. Various device appearances, equipped with various sensor components, adopt different wireless communication technologies, and run on different operating systems and CPU architectures. Most of them do not have a fixed security configuration, no user interaction interface, and cannot install security software or agents for easy management and control. Traditional security practices such as firewalls, anti-malware or other security solutions are not enough when facing security threats from the Internet of Things. IT managers can only find 40% of the devices in the enterprise, like smart devices brought by employees They are all in the blind zone of corporate management, let alone how to protect them, and they may have been connected to the corporate intranet in some form.
For potential attackers, using these IoT devices as penetration points is very imaginative:
In 2016, Bastille’s research team released a vulnerability disclosure regarding wireless mouse and wireless keyboard. Attackers can sniff and hijack the operation instructions from the wireless keyboard and mouse;
In 2017, Tencent Blade Team used drones to penetrate smart buildings and remotely control smart devices such as lighting, air conditioning, sockets and electric curtains in office buildings;
In 2019, researchers such as Takeshi Sugawara, associate professor at Tokyo Electric and Communication University, published an attack method that uses lasers to hijack smart speakers. When the researchers change the laser intensity at a specific frequency, the smart device will think that it has received a specific frequency of sound, and then receive instructions. ；
In 2020, Haite Lab announced an attack against Bluetooth at the BlackHat conference. Attackers can use Bluetooth vulnerabilities in Android devices to steal sensitive information such as user address books, call history records, and SMS verification codes.
It is foreseeable that more and more companies and teams will hope that offensive and defensive exercises such as red-blue confrontation can cover the enterprise’s Internet of Things environment and explore potential security threats in the near-source environment. These new requirements still need to be met by regular security service teams. In fact, this requires our penetration testing practitioners to master more near-source penetration technologies to respond to related offensive and defensive needs.
For a wider range of information security researchers, near-source penetration will also be the best scenario for implementing offensive and defensive theories in security fields such as wireless communication security, Internet of Things security, physical security, and social engineering.
From my personal point of view, due to the mobility and flexibility of various wireless networks, any user in the wireless coverage area may access or monitor data, and wireless-level identity authentication may eventually be bypassed. . The prevalence of wireless communication technology in enterprises will inevitably disrupt the traditional credit strategy based on network boundaries. Taking the various attack paths that may be involved in the near-source penetration scenario as an example, it can be found that: To better respond to all-round security threats, Need to do “confirm user identity information”, “control user’s network access authority”, “confirm whether the device is properly configured for security”, “confirm whether the running application software is safe”, “encrypt the communication link”, etc. A series of measures.
It sounds familiar, but this is actually the concept of a zero-trust security system. I have the opportunity to talk with you in the following article, how to use the idea of zero trust security to solve the security problems such as “phishing hotspots” and “private hotspots” in enterprise wireless security.