TOP SECRET//COMINT//NOFORN
December 15-16 2010

Classification
The overall classification of this presentation is
All slides and materials contained in this presentation should be considered classified unless otherwise noted

Section Overview
BADDECISION Overview
BADDECISION Components
BADDECISION Prerequisites
BADDECISION Operational Flow
BADDECISION Step Through
Instructor-led Demos and Labs
BADDECISION Pros / Cons

At The You should be able
Understand BADDECISION Components
Understand the BADDECISION Prereqs
Conduct a BADDECISION Operation
List the Pros / Cons of

BADDECISION Overview
CLOSE ACCESS
BADDECISION is an 802.11 CNE tool that uses a true man-in-the-middle attack and a frame injection technique to redirect a target client to a FOXACID server
Takes advantage of shared open medium and the HTTP protocol
Works for WPA / WPA2

BADDECISION Prerequisites
Working BLINDDATE Survey Client on the Target network
Security Level WPA / WPA2
Ability to maintain a reliable connection to a target network
Don't forget FOXACID Tag

BADDECISION Components
HAPPYHOUR
SECONDDATE
Open Source Tools: macchanger, wireshark, nmap, ettercap

BADDECISION Preparation
[Series of diagram slides; labels: CNN Web Server, Target Client, FOXACID Server, Internet, Operator, SECONDDATE]

[Diagram slides with addressing]
Access Point: IP 192.168.1.1, MAC AA
Target Client: IP 192.168.1.2, MAC BB
Operator: IP 192.168.1.3, MAC CC
Hey Access Point: Send everything destined for IP 192.168.1.2 to MAC CC
Hey Target Client: Send everything destined for IP 192.168.1.1 to MAC CC

Overview of Operational Scenario
[Diagram labels: FOXACID Server, CNN Web Server, Target Client, Internet, Operator]
Operator with BLINDDATE System
FOXACID Tag issued for Target
Target Client browsing the Internet via web browser

Webpage Request
Target issues HTTP GET Request to webpage of interest: cnn.com

Injection
Operator uses SECONDDATE to inject a redirection payload at Target Client
Target Client's original HTTP GET Request continues on its normal path

Refresh and Covert Request
Injected payload forces Target Client to refresh and send another HTTP GET Request to desired webpage
Covert Request is issued by Target Client to FOXACID Server

FOXACID Request Received
FOXACID receives request from entity
Entity is validated as Target Client by FOXACID Tag
Response to original HTTP GET Request is dropped, but don't worry, that's good

FOXACID Browser Survey
FOXACID Server instantiates browser survey on Target Client to detect vulnerabilities

FOXACID Survey Payload Exploitation
Covert communicates continue between FOXACID and Target until found not vulnerabilities or exploited
Target Client continues normal webpage browsing, completely unaware

WHACKED
That's the ultimate goal
[Diagram labels: CNN Web Server, Whacked Target Client, FOXACID, Operator]

BADDECISION Step
Let's go through this because there are many more pieces

BADDECISION Demos and Labs
Grab a partner
One Target Client, one Operator
Have fun getting whacked

BADDECISION Pros / Cons
Pros
Works for WPA / WPA2 networks
Can reliably see all communications between target and FOXACID
Cons
Larger signature than NIGHTSTAND
Requires higher SNR to maintain reliable communications between target and FOXACID

Questions