So it appears that our LAN team said all peer-to-peer communication should be off, and I was able to replicate the issues I found the other day. To make things worse, each of our Access Points (APs) has three or more SSIDs. Our networks are laid out as follows on a single AP. Keep in mind that the building I work in is very large, with about 10k employees working in it, so there are hundreds of APs acting as repeaters throughout the building.
Guest – Our open wireless network, available to employees and visitors.
Company – Also an open network, but it requires your network login to get access (it functions much like the "Accept" page on most public Wi-Fi in hotels or coffee shops).
Hidden – A non-broadcast SSID; you need a corporate-issued certificate to authenticate.
I found that DHCP is not handled by the access points but by a DHCP server behind them, so no matter which of the networks you connect to, you get the same IP address.
One flaw I found a few months ago (which they have since fixed) was that I could set up a server on the "Company" open wireless network and connect to it from our "Guest" network. As you can imagine, this posed a few separate threats, because it meant that data was not segregated between the networks; it didn't matter which one you connected to, because all the data was visible.
I can still discover the IP addresses of almost all the hosts on any of the networks with netdiscover, and due to the sensitive nature of the company I work for, I will not be posting ANY of my collected data. However, I found that there are SOME computers (not all) that I am able to connect to and scan.
The ones that pose the biggest problem are unpatched XP machines with RDP open. I have tried my attack on both the Guest and Company networks and found that I am able to connect to select machines, even though that functionality is supposed to be turned off.
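The check described above (discover hosts with netdiscover, then see which of them still complete a TCP handshake on the RDP port from the SSID you are on) boils down to a few lines. What follows is an added example, not code from the original post: the netdiscover output is a constructed sample laid out like its parsable (-P) mode, the addresses and MACs are placeholders, and the loopback listener exists only so the probe can be exercised without touching a real network.

```python
"""Cross-SSID reachability check.

Added example (not from the original post): parse a netdiscover host list,
then test which of those hosts complete a TCP handshake on a given port
(3389 = RDP) from the network you are currently on.  Run it once from each
SSID; any host that answers from Guest shows that client isolation /
segmentation is not being enforced for that host.
"""
import socket
from dataclasses import dataclass

# Constructed sample, laid out like netdiscover's parsable (-P) output
# (IP, MAC, packet count, total length, vendor).  Addresses are placeholders.
SAMPLE_NETDISCOVER = """\
 10.20.30.5       00:11:22:33:44:55      3     180  Example Vendor A
 10.20.30.17      66:77:88:99:AA:BB      1      60  Example Vendor B
 not a host line
 10.20.30.42      cc:dd:ee:ff:00:11      7     420  Example Vendor C
"""


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str


def parse_netdiscover(text: str) -> list:
    """Extract (ip, mac) pairs; skip header, blank and malformed lines."""
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, mac = parts[0], parts[1].lower()
        # crude shape check: dotted quad and six colon-separated octets
        if ip.count(".") != 3 or mac.count(":") != 5:
            continue
        hosts.append(Host(ip, mac))
    return hosts


def tcp_reachable(ip: str, port: int, timeout: float = 1.0) -> bool:
    """True if a full TCP handshake to ip:port completes within timeout.
    Refused, filtered (timeout) and unroutable all count as unreachable."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_open(hosts, port: int = 3389, timeout: float = 1.0) -> list:
    """Hosts from the list that accept a TCP connection on `port`."""
    return [h for h in hosts if tcp_reachable(h.ip, port, timeout)]


def local_listener():
    """Loopback TCP listener on an ephemeral port, used only to exercise the
    probe without a real network.  The caller closes the returned socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    hosts = parse_netdiscover(SAMPLE_NETDISCOVER)
    print(f"parsed {len(hosts)} hosts from netdiscover output")
    # To run this for real: feed `netdiscover -P` output into
    # parse_netdiscover and call find_open(hosts) with the default port 3389.
    srv, port = local_listener()
    demo = [Host("127.0.0.1", "00:00:00:00:00:00")]
    try:
        print("open on loopback while listening:", find_open(demo, port=port))
    finally:
        srv.close()
    print("after closing the listener:", find_open(demo, port=port))
```

A host that shows up in find_open from the Guest SSID is reachable across the boundary the LAN team believes is closed; that is the finding to report. Note that "accepts a connection on 3389" only tells you RDP is listening, not what patch level the machine is at, so confirming the "unpatched XP" part still needs a separate check against each host.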
It is possible that these machines are bypassing the network security controls because of malware, but at this point we are unsure. This is, again, a reminder that you should constantly be checking your own network security: a bug you find and fix is one that an attacker won't be able to destroy you with later!