Abusing the Windows WiFi native API to create a covert channel



SLIDE 1

Abusing the Windows WiFi native API to create a covert channel

Andrés Blanco, Ezequiel Gutesman

SLIDE 2

Outline

  • Covert Channels
  • Attack Vectors and Scenarios
  • IEEE 802.11 Fundamentals
  • Covert Channel Design
  • Implementation
  • Demo
  • Future Work and Enhancements

SLIDE 3

What's a covert channel?

“... any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy.”

Department of Defense Trusted Computer System Evaluation Criteria

SLIDE 4

What's a covert channel?

Hiding information inside "safe" network packets can be used to bypass network security protections (e.g., HTTP proxies, firewalls, IDS/IPS).

SLIDE 5

What's a covert channel?

Why should we try to pass through the security measures when we can fly over them?

SLIDE 6

Network Boundaries

Like a castle

SLIDE 7

Network Boundaries

The old days

SLIDE 8

Network Boundaries

Nowadays

SLIDE 9

Network Boundaries

From secure to unsecured

SLIDE 10

Attack Vectors & Scenarios

Escaping the hard way

SLIDE 11

Attack Vectors & Scenarios

Jumping the fence

SLIDE 12

Attack Vectors & Scenarios

Attacking hosts with no connectivity

SLIDE 13

Prior Art

  • MS Windows Soft AP
  • Vendor-specific Soft AP

SLIDE 14

Comparison with MS Windows SoftAP

  Windows SoftAP                                      | WiFi Native API Covert Channel
  ----------------------------------------------------|---------------------------------------------
  Supported from Windows 7 and Windows Server 2008 R2 | Supported from Windows Vista or later
  or later                                            |
  Needs administrator privileges                      | Doesn't need administrator privileges
  Good bandwidth                                      | Limited bandwidth
  Not supported on every Windows driver               | Should work with any driver that works on
                                                      | Windows
  User can notice the SoftAP is running               | Hidden from user

To receive the Windows 7 logo, a wireless driver must implement the wireless Hosted feature.

SLIDE 15

IEEE 802.11 Fundamentals

AP Announcement

[Diagram: an Access Point periodically broadcasts beacon frames, which every Station in range receives.]

SLIDE 16

IEEE 802.11 Fundamentals

Active Scan for networks

[Diagram: a Station sends probe requests for “Net A” and “Net B”; several Access Points receive them.]

SLIDE 17

IEEE 802.11 Fundamentals

Joining a network

[Diagram: message exchange between Station and Access Point]
  Station → Access Point: Probe Request
  Access Point → Station: Probe Response
  Station → Access Point: Authentication
  Access Point → Station: Authentication
  Station → Access Point: Association Request
  Access Point → Station: Association Response

SLIDE 18

Covert Channel Design

Hiding ourselves

[Diagram: Probe Request and Probe Response exchanged between Victim and Attacker]

Ref: Attacking Automatic Wireless Network Selection (http://www.theta44.org/karma/aawns.pdf)

SLIDE 19

Covert Channel Design

Hiding ourselves

SLIDE 20

Covert Channel Design

Beacon Frames

Frame (field sizes in bytes):
  MAC Header: Frame ctl (2) | Duration (2) | DA (6) | SA (6) | BSS ID (6) | Seq ctl (2)
  Frame Body (variable)
  FCS (4)

Frame Body: Timestamp (8) | Beacon Interval (2) | Capab. Info (2) | SSID (variable) | FH Parameter Set (7) | DS Param. Set (2) | CF Parameter Set (8)

SSID = channel data

SLIDE 21

Covert Channel Design

Probe Request Frames

Frame (field sizes in bytes):
  MAC Header: Frame ctl (2) | Duration (2) | DA (6) | SA (6) | BSS ID (6) | Seq ctl (2)
  Frame Body (variable)
  FCS (4)

Frame Body: SSID (variable) | Supported Rates (variable) | Ext. Supported Rates (variable)

Frame Body = channel data

SLIDE 22

Covert Channel Design

Probe Response Frames

Frame (field sizes in bytes):
  MAC Header: Frame ctl (2) | Duration (2) | DA (6) | SA (6) | BSS ID (6) | Seq ctl (2)
  Frame Body (variable)
  FCS (4)

Frame Body: Timestamp (8) | Beacon Interval (2) | Capab. Info (2) | SSID (variable) | FH Parameter Set (7) | DS Param. Set (2) | CF Parameter Set (8) | Information Element (variable) | Robust Security Network (variable)

Information Element = channel data

SLIDE 23

Covert Channel Design

Considerations

  • Sometimes information elements cannot be injected.
  • Depends on the driver.
  • If available, channel bandwidth increases.
  • Covert channel packet size is limited:
      • 32 bytes if only the SSID Information Element is controlled.
      • ~255 bytes if an arbitrary IE is controlled.
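The frame-body layouts on slides 20 to 22 and the size limits on slide 23 are what a wireless monitor has to parse to notice this kind of channel. The following is an added example, not code from the talk or from Core Security: it walks the tagged information elements of a constructed beacon, probe response or probe request body (the 12 fixed bytes before the elements and the element IDs are standard 802.11) and reports SSIDs or element lists that do not look like a normal network advertisement. The sample frame bodies are constructed, not captured traffic.

```python
import string

# Frame body layouts from the slides: beacon and probe response bodies start
# with Timestamp (8) + Beacon Interval (2) + Capability Info (2) = 12 fixed
# bytes; a probe request body starts directly with the tagged IEs.
FIXED_FIELD_LEN = {"beacon": 12, "probe_response": 12, "probe_request": 0}
# Standard 802.11 element IDs for the IEs named on the slides.
ELEMENT_NAMES = {0: "SSID", 1: "Supported Rates", 2: "FH Parameter Set",
                 3: "DS Parameter Set", 4: "CF Parameter Set", 48: "RSN",
                 50: "Ext. Supported Rates", 221: "Vendor Specific"}
TEXT_BYTES = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def parse_elements(body, frame_type):
    """Walk the tagged IEs (1-byte ID, 1-byte length, value) of a frame body.
    Returns (elements, truncated): the (id, value) pairs found and whether
    the body ended in the middle of an element."""
    pos, elements = FIXED_FIELD_LEN[frame_type], []
    while pos < len(body):
        if pos + 2 > len(body) or pos + 2 + body[pos + 1] > len(body):
            return elements, True
        eid, length = body[pos], body[pos + 1]
        elements.append((eid, body[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return elements, False

def element_names(body, frame_type):
    elements, _ = parse_elements(body, frame_type)
    return [ELEMENT_NAMES.get(eid, f"id {eid}") for eid, _ in elements]

def suspicious_elements(body, frame_type):
    """Monitor-side heuristic: reasons the IEs look like a covert payload
    rather than a normal advertisement (one text SSID of at most 32 bytes)."""
    elements, truncated = parse_elements(body, frame_type)
    findings = ["body ends inside an element"] if truncated else []
    ssids = [value for eid, value in elements if eid == 0]
    if len(ssids) > 1:
        findings.append(f"{len(ssids)} SSID elements in one frame")
    for ssid in ssids:
        if len(ssid) > 32:
            findings.append(f"SSID longer than 32 bytes ({len(ssid)})")
        if any(b not in TEXT_BYTES for b in ssid):
            findings.append(f"SSID contains non-text bytes: {ssid.hex()}")
    return findings

# Constructed sample bodies (not captured traffic): fixed fields, then IEs.
FIXED = bytes(8) + b"\x64\x00" + b"\x01\x04"
BENIGN_BEACON = FIXED + b"\x00\x07CoreLab" + b"\x01\x01\x02" + b"\x03\x01\x06"
COVERT_BEACON = FIXED + b"\x00\x20" + bytes(range(0x80, 0xa0)) + b"\x03\x01\x06"
COVERT_PROBE_REQ = b"\x00\x03abc" + b"\x00\x04\x01\x02\x03\x04" + b"\x01\x01"
```

Running `suspicious_elements(COVERT_BEACON, "beacon")` flags the 32-byte binary SSID, while the benign beacon produces no findings; the probe request sample shows the duplicate-SSID and truncated-element cases.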

SLIDE 24

Reading Data on Win XP

  DWORD WINAPI WlanGetAvailableNetworkList(
      __in       HANDLE hClientHandle,
      __in       const GUID *pInterfaceGuid,
      __in       DWORD dwFlags,
      __reserved PVOID pReserved,
      __out      PWLAN_AVAILABLE_NETWORK_LIST *ppAvailableNetworkList
  );

SLIDE 25

Reading Data on Win XP

  typedef struct _WLAN_AVAILABLE_NETWORK_LIST {
      DWORD dwNumberOfItems;
      DWORD dwIndex;
      WLAN_AVAILABLE_NETWORK Network[1];
  } WLAN_AVAILABLE_NETWORK_LIST, *PWLAN_AVAILABLE_NETWORK_LIST;

SLIDE 26

Reading Data on Win XP

  typedef struct _WLAN_AVAILABLE_NETWORK {
      ...
      DOT11_SSID dot11Ssid;   // the SSID seen in beacons / probe responses
      ...
  } WLAN_AVAILABLE_NETWORK, *PWLAN_AVAILABLE_NETWORK;

SLIDE 27

Reading Data after Win XP

  DWORD WINAPI WlanGetNetworkBssList(
      __in       HANDLE hClientHandle,
      __in       const GUID *pInterfaceGuid,
      __in_opt   const PDOT11_SSID pDot11Ssid,
      __in       DOT11_BSS_TYPE dot11BssType,
      __in       BOOL bSecurityEnabled,
      __reserved PVOID pReserved,
      __out      PWLAN_BSS_LIST *ppWlanBssList
  );

SLIDE 28

Reading Data after Win XP

  typedef struct _WLAN_BSS_LIST {
      DWORD dwTotalSize;
      DWORD dwNumberOfItems;
      WLAN_BSS_ENTRY wlanBssEntries[1];
  } WLAN_BSS_LIST, *PWLAN_BSS_LIST;

SLIDE 29

Reading Data after Win XP

  typedef struct _WLAN_BSS_ENTRY {
      DOT11_SSID dot11Ssid;
      ...
      DOT11_MAC_ADDRESS dot11Bssid;
      ...
      ULONG ulIeOffset;   // offset of the raw information-element blob, from the start of this entry
      ULONG ulIeSize;     // size of that blob in bytes
  } WLAN_BSS_ENTRY, *PWLAN_BSS_ENTRY;

SLIDE 30

Demo

Reading data “from the air”

SLIDE 31

Injecting Data

  DWORD WINAPI WlanScan(
      __in       HANDLE hClientHandle,
      __in       const GUID *pInterfaceGuid,
      __in_opt   const PDOT11_SSID pDot11Ssid,
      __in_opt   const PWLAN_RAW_DATA pIeData,
      __reserved PVOID pReserved
  );

SLIDE 32

Demo

Writing data “to the air”

SLIDE 33

Summary

PoC covert channel between a compromised host and an attacker

  • Win Vista - 7 through Native API
  • Can coexist with active WiFi connections
  • Difficult to discover, unless actively (manually) looking for it
  • Can serve as fallback from other “connect from” payloads
  • Bypass network “boundaries”

SLIDE 34

Conclusions

  • WiFi covert channels are useful as post-exploitation fallback methods.
  • Active client-side attacks can also deploy a wireless covert channel endpoint.
  • The Windows Native WiFi API, by design, allows covert communications with low privileges.

SLIDE 35

Conclusions

  • The perimeter is gone; wireless vectors such as Bluetooth and WiFi will evolve with “device” evolution.

http://eprint.iacr.org/2010/332.pdf

SLIDE 36

Future work & enhancements

  • Evolve prototype to a usable full covert channel
  • Work out WinXP availability
  • Many-to-one communication (many clients to one attacker) - Multiplexing
  • Encryption

SLIDE 37

Questions

SLIDE 38

Mini-challenge

A Windows host will be broadcasting a secret message. Find the secret message and win a Mate combo

Contact: (ablanco|egutesman) [a7] coresecurity [d07] com