Sunday, March 20, 2011

When your network takes a walk

These days, with mobile devices and notebooks everywhere, networks are more difficult to isolate, and a new problem is emerging. It is now common for companies to give their employees notebooks so they can work remotely or take them along when they travel. Many of these companies invest a lot of money and resources in securing their networks, but all that money and those resources go in the trash the moment your network takes a walk.
Why would an attacker target a protected network when even the simplest information gathering could set off all the alarms? Instead, he could target the company's notebooks or mobile devices; after all, these devices could hold sensitive information or credentials, or could provide access to the protected network. The ‘owners’ of these devices are not careful with the security of the device outside the company, and most of them connect to any network they find just to check their Facebook account.

In this case I will use as an example all the information I gathered from a friend's open access point (after some explanation of why an open network is not a good idea, my friend changed the security). Apparently my friend had a lot of people connected to his ‘linksys’ access point, and one of them was taking his company network with him. My friend suddenly wanted to know who was using his connection, so I agreed to help him find out, for educational purposes.
To find out who this guy was, we will analyze all the traffic I could passively capture from the device.
Probe request frames tell a lot about the owner of a device; in this case, that the person connects to a lot of networks (possibly insecure ones). We also see a potential company network appear on the list.

Using ‘Protocol Hierarchy’ from the Statistics menu in Wireshark, we can get an idea of what types of traffic we have and in what quantities.

It’s always good to start from the beginning, so we start by checking the DHCP packets; DHCP is the first thing almost every device does when it connects to a network.

From the analysis of these packets we can gather information like for example:
  • Hostname
  • IP address from the last network the device connected to
  • Fully qualified domain name from the last network the device connected to
  • Etc
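
What those DHCP fields look like on the wire, as an added example (not code from the original post): a small Python parser that pulls the hostname (option 12), the requested IP address (option 50) and the client FQDN (option 81) out of a raw DHCP payload, which is a quick way to check what a company laptop announces when it joins an unknown network. The `opt` helper, the sample packet and every name in it are constructed for illustration.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options
BOOTP_FIXED_LEN = 236                # fixed BOOTP header before the cookie

def decode_fqdn(value):
    """Option 81 body: flags, rcode1, rcode2, then the name (RFC 4702)."""
    flags, name = value[0], value[3:]
    if not flags & 0x04:             # E bit clear: name is plain ASCII
        return name.decode("ascii", "replace")
    labels, i = [], 0                # E bit set: DNS wire-format labels
    while i < len(name) and name[i]:
        n = name[i]
        labels.append(name[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)

def dhcp_leaks(payload):
    """Return the identifying fields a DHCP client message discloses."""
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    found, i = {}, BOOTP_FIXED_LEN + 4
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:          # Pad option: single byte, no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        i += 2 + length
        if code == 12:               # Host Name
            found["hostname"] = value.decode("ascii", "replace")
        elif code == 50 and len(value) == 4:   # Requested IP (last lease)
            found["requested_ip"] = str(ipaddress.IPv4Address(value))
        elif code == 81 and len(value) >= 3:   # Client FQDN
            found["client_fqdn"] = decode_fqdn(value)
    return found

def opt(code, value):                # hypothetical helper: build one option
    return bytes([code, len(value)]) + value

SAMPLE = (  # constructed DHCPREQUEST; every value is invented
    b"\x01\x01\x06\x00" + bytes(BOOTP_FIXED_LEN - 4) + MAGIC_COOKIE + opt(53, b"\x03")
    + opt(50, bytes([10, 20, 30, 40]))
    + opt(12, b"LAPTOP-EXAMPLE")
    + opt(81, b"\x00\x00\x00" + b"laptop-example.corp.example") + b"\xff"
)

if __name__ == "__main__":
    print(dhcp_leaks(SAMPLE))
```
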
Generally, when I analyze traffic, I continue with DNS to see what domains the device tries to reach. In many cases we can deduce the device vendor or the OS from the first DNS queries. In this case we are interested in the queries for domains related to the company.



As we can see in the image, we have some hostnames that are only accessible from the internal network, others that are accessible from the internet, and the company's DNS servers. In some cases we are lucky and can identify some of the services a host provides just by reading the names.
The next protocol we are going to analyze is NetBIOS. We could also get some interesting information from this traffic.

In this case we could get information like the following:
  • Hostname
  • OS Major Version
  • OS Minor Version
  • Domain names
  • Shares
  • Credentials/Hashes
The next thing that got my attention was some SIP traffic. I’m not a VoIP expert, but after checking the packets I got information such as:
  • VoIP Server Software
  • IP address and Hostname of the VoIP server
  • Username
  • Hashes
  • First Name and Last Name of an employee
  • Call information
  • Etc

We also have some IM traffic that could give us:
  • Employees email addresses (useful for client side or social engineering attacks)
  • Trusted contacts (useful for client side or social engineering attacks)
  • Sensitive information
  • Files
  • Etc

Finally, we have some HTTP traffic. In this case we don’t have company information, but we could get things like:

  • User Agent from browsers or 3rd party applications (useful for client side or social engineering attacks)
  • Company Sites
  • Social network information (useful for client side or social engineering attacks):
      • Personal Information
      • Contacts
      • Friends
      • Etc
In this case, information gathering alone got us a lot of information; if an attacker performed, for example, a MitM attack, the consequences could be a lot worse.
To sum up, we can spend a lot of money protecting our company's network, but these days employees have to understand the security issues of handling company devices. It’s common practice today to give employees mobile devices to stay connected. If your company gives out mobile devices (notebooks, netbooks, tablets, cellphones, etc.) or lets employees use them to connect to the internal network, be aware that your network could take a walk in the wrong neighborhood.
