Curiosity part 2

So it appears that our LAN team said all peer-to-peer communication should be off, and I was able to replicate the issues I found the other day. To make things worse, each of our Access Points (APs) has three or more SSIDs. Our networks are laid out as follows on a single AP; keep in mind the building I work in is very large, and we have 10k employees who work in the building, so there are hundreds of APs that work as repeaters throughout the building.

Guest – Our open wireless network, available to employees and visitors

Company – Open network, but requires you to use your network login to access (functions much like the “Accept” page on most public Wi-Fi networks in hotels or coffee shops)

Hidden – A non-broadcast SSID; you need a corporate-issued certificate to authenticate.

I found that DHCP is not handled by the access points but by a DHCP server behind them, so no matter which of the networks you connect to, you get the same IP address.

One flaw I had found a few months ago (that they have fixed now) was that I could set up a server running on the “Company” open wireless network and connect to it from our “Guest” network. As you can imagine, this posed a few separate threats, because it meant that data was not segregated between the networks, and it didn’t matter which you connected to, because all the data was visible.

I can still find the IP addresses of almost all the hosts on any network through netdiscover, and due to the sensitive nature of the company I work for, I will not be posting ANY of my collected data. However, I found that there are SOME computers (not all) that I am able to connect to and scan.

The ones that pose the biggest problem are unpatched XP machines which have RDP open. I have tried my attack on both the Guest network and the Company network and found that I am able to connect to select machines, even though that functionality is supposed to be turned off.

It is possible that these machines are bypassing the network security protocols because of malware, but at this point we are unsure. This is, again, just a reminder that you should constantly be checking your own network security, because a bug you find and fix is one that an attacker won’t be able to destroy you with later!
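The check the post is really describing is a client-isolation audit: run netdiscover once per SSID and compare the captures against the policy that clients must not see each other. Below is an added example of that comparison in Python; it is not the author's code or output. The captures are constructed to resemble netdiscover's "IP / At MAC Address / Count / Len / MAC Vendor" table, and the gateway address and the list of "standard" NIC vendors are assumptions the operator would fill in for their own site. Any host other than the gateway answering on an isolated SSID means isolation is not enforced; a host answering on more than one SSID is the segregation failure the post found; and a vendor outside the company standard is the same curiosity trigger the author used.

```python
"""Client-isolation audit over per-SSID netdiscover captures (added example)."""
import re
from collections import defaultdict

# Constructed sample captures keyed by SSID. Same host, same IP on both SSIDs,
# because (as the post notes) one DHCP server sits behind all the APs.
CAPTURES = {
    "Guest": """\
 Currently scanning: Finished!   |   Screen View: Unique Hosts
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.20.0.1       00:00:5e:00:01:01      3     180  Gateway Corp
 10.20.4.17      00:00:5e:00:53:aa      1      60  Standard Laptop Co
 10.20.9.200     00:00:5e:00:53:fe      2     120  Unknown Devices Ltd
""",
    "Company": """\
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.20.0.1       00:00:5e:00:01:01      5     300  Gateway Corp
 10.20.9.200     00:00:5e:00:53:fe      1      60  Unknown Devices Ltd
 10.20.12.3      00:00:5e:00:53:0c      1      60  Standard Laptop Co
""",
}

# Assumptions: infrastructure that is allowed to answer, and the site's usual NIC vendors.
EXPECTED_IPS = {"10.20.0.1"}
STANDARD_VENDORS = {"Gateway Corp", "Standard Laptop Co"}

# One host row: dotted IP, MAC, count, length, then free-text vendor/hostname.
HOST_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<count>\d+)\s+(?P<len>\d+)\s+(?P<vendor>.*?)\s*$",
    re.IGNORECASE,
)


def parse_netdiscover(text):
    """Return the host rows of a netdiscover capture as dicts; banner and rule lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append({"ip": m["ip"], "mac": m["mac"].lower(), "vendor": m["vendor"]})
    return hosts


def audit_isolation(captures, expected_ips, standard_vendors):
    """Compare per-SSID captures against 'clients must not see each other'.

    Findings returned:
      visible    - per SSID, hosts other than expected infrastructure
                   (any entry means client isolation is not enforced there)
      cross_ssid - hosts answering on more than one SSID (segregation failure)
      odd_vendor - hosts whose NIC vendor is outside the company standard
    """
    visible = {}
    seen_on = defaultdict(set)
    odd_vendor = []
    for ssid, text in captures.items():
        rows = [r for r in parse_netdiscover(text) if r["ip"] not in expected_ips]
        visible[ssid] = sorted(r["ip"] for r in rows)
        for r in rows:
            seen_on[r["ip"]].add(ssid)
            if r["vendor"] not in standard_vendors:
                odd_vendor.append((ssid, r["ip"], r["vendor"]))
    cross_ssid = {ip: sorted(s) for ip, s in seen_on.items() if len(s) > 1}
    return {"visible": visible, "cross_ssid": cross_ssid, "odd_vendor": sorted(odd_vendor)}


if __name__ == "__main__":
    report = audit_isolation(CAPTURES, EXPECTED_IPS, STANDARD_VENDORS)
    for ssid, ips in report["visible"].items():
        status = "isolation NOT enforced" if ips else "ok"
        print(f"{ssid}: {status} {ips}")
    for ip, ssids in report["cross_ssid"].items():
        print(f"segregation failure: {ip} reachable on {ssids}")
    for ssid, ip, vendor in report["odd_vendor"]:
        print(f"unexpected vendor on {ssid}: {ip} ({vendor})")
```

Run the real captures through `audit_isolation` after each change the LAN team makes; an empty `visible` list for every isolated SSID is the result that shows the fix held.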

Curiosity can be your friend

When it comes to hacking and network security, most holes are found by accident. It’s important to proactively scan your network for problems so that you are not caught by surprise later. With computer and network security you have to make sure you have permission to do the scanning, or you could find yourself in a world of hurt. It is illegal to access data that is not yours and that you don’t have permission to access. I’m writing this post for personal networking purposes, so that you can protect your own networks, not so that you can do harm to another person.

At work, I’m not on the LAN team, nor am I ‘officially’ part of the network security team, but I have permission from both teams to help test our public wireless network since they know I enjoy hacking and network security. They are short-staffed and do not have the manpower or time to manage every aspect of such a large wireless network, 100% of the time. I have personally found a few other security holes on our wireless network, and helped to secure it because I have found banking data, and other account information floating around for anyone to see, and now those things are closed and secured again the way they should be.

Today I found a problem that caused me to alert the LAN team immediately, without even taking the time to get multiple tests and extra proof; since they know I know what I’m talking about, having a proof of concept is enough for them to take me seriously. Today I was using netdiscover (which I’ve posted about before) and found a few MAC addresses that were from non-standard manufacturers (at least by our company standard). Since it was a manufacturer I don’t normally see, it drew my curiosity and I decided to nmap the host. I found normal ports running, like Windows file sharing (SMB) and Remote Desktop, but nmap was also able to give me the user ID and operating system.

The first point of alarm is that all peer communication is supposed to be turned off on our public network, and I should not even be able to tell a host is live, let alone see what services are running. To make sure I was seeing a true report of services, I fired up my RDP client and was presented with a Windows login screen. Since this is a security issue in itself, I did a user lookup and went to the internal IT group who supports this user. My friend who supports him noticed that he was using a hard-wired connection to the LAN, which means that he was connected both to the corporate LAN (with all the sensitive data) AND the wide-open wireless network, so if an attacker was able to compromise this user’s machine, they would have access to a treasure trove of intellectual property.

The moral of the story is this: constantly check your network for its security, and ONLY use one connection at a time. If you are using a wired connection, disable your wireless, because otherwise you open your LAN to attack, and if you are using wireless, don’t plug into a LAN.
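The dual-homed machine above was found by a user lookup, but the condition itself (a live wired adapter and a live wireless adapter at the same time) is easy to check mechanically from a Windows `ipconfig` dump that desktop support already collects. The Python below is an added example, not the author's code; the two `ipconfig` outputs are constructed (one in Windows 7 layout, one in XP layout, where wireless adapters are listed as "Ethernet adapter Wireless Network Connection"), and classifying an adapter as wireless by its name containing "wireless" or "wi-fi" is an assumption that suits the default adapter names but may need tuning for renamed ones. Disconnected adapters and adapters without an IPv4 address are not counted as live, which keeps unplugged NICs and virtual host-only adapters from causing false alarms.

```python
"""Flag dual-homed (wired + wireless) Windows hosts from ipconfig output (added example)."""
import re

# Constructed Windows 7-style output: both adapters are live, so this host is dual-homed.
SAMPLE_DUAL = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.20.12.3
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.20.0.1

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.20.40.8
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.20.0.1

Ethernet adapter VirtualBox Host-Only Network:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter isatap.corp.example:

   Media State . . . . . . . . . . . : Media disconnected
"""

# Constructed XP-style output: wireless NIC present but disconnected, so only wired is live.
SAMPLE_WIRED_ONLY = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        IP Address. . . . . . . . . . . . : 10.20.12.3
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 10.20.0.1

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
"""

ADAPTER_RE = re.compile(r"^(?P<kind>[A-Za-z ]+?) adapter (?P<name>.+):\s*$")
# Matches both "IP Address" (XP) and "IPv4 Address" (Vista and later), not the gateway line.
ADDR_RE = re.compile(r"^\s*IP(?:v4)? Address[ .]*:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
DISCONNECTED_RE = re.compile(r"Media disconnected", re.IGNORECASE)


def parse_ipconfig(text):
    """Split ipconfig output into adapters with kind, name, IPv4 addresses and link state."""
    adapters = []
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = {"kind": m["kind"].strip(), "name": m["name"].strip(),
                       "ips": [], "connected": True}
            adapters.append(current)
            continue
        if current is None:
            continue
        if DISCONNECTED_RE.search(line):
            current["connected"] = False
        a = ADDR_RE.match(line)
        if a:
            current["ips"].append(a["ip"])
    return adapters


def classify(adapter):
    """Wired, wireless or other. Name heuristic is an assumption covering XP's labelling."""
    name = adapter["name"].lower()
    if adapter["kind"] == "Wireless LAN" or "wireless" in name or "wi-fi" in name:
        return "wireless"
    if adapter["kind"] == "Ethernet":
        return "wired"
    return "other"


def dual_homed(text):
    """Report live wired and wireless adapters; dual_homed is True when both are present."""
    live = [a for a in parse_ipconfig(text) if a["connected"] and a["ips"]]
    wired = [a["name"] for a in live if classify(a) == "wired"]
    wireless = [a["name"] for a in live if classify(a) == "wireless"]
    return {"wired": wired, "wireless": wireless, "dual_homed": bool(wired and wireless)}


if __name__ == "__main__":
    for label, sample in (("win7 host", SAMPLE_DUAL), ("xp host", SAMPLE_WIRED_ONLY)):
        print(label, dual_homed(sample))
```

Feed it the output of `ipconfig` (or `ipconfig /all`) from the workstation; a `dual_homed` result of `True` is the bridge between the corporate LAN and the open wireless network that the post warns about.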