You want to make a bet that I don’t need to steal your password, and that your computer will give it to me freely? I wouldn’t take that bet… How much would losing that bet cost you? Or your company? This is the second part of our blog series about the dangers and vulnerabilities with public networks.
Read the first part of this blog series here: The Simple Dangers of Open Public Networks: Part 1.
Using people removed from their native working environment, we are going to attempt to shed light on or prove our hypothesis which is:
Using open public networks, without proper protections, you are making you and your company more vulnerable to threat actors. It is still possible to gather valuable information from these networks such as usernames, passwords and company names simply by listening to the network traffic.
It should be clearly stated that this is very passive. Just listening to the traffic, and not at all performing any activity towards any targets on the network. As in, anyone on the network can see the same traffic as we do. This is essentially, looking out the window and watching people and cars go by.
People needs WiFi everywhere...
As we enter the train in the morning, people are already starting to take their seats and open their computers. With a journey that takes possibly several hours, you can’t just not sit there and do nothing. With our computers these days being so powerful, mobile, and connected, you are expected to be working regardless of your location. And this is a little bit why we have this issue. People are always connected. And always need WiFi.
What they don’t realize is that there is a huge difference between connecting to your office or home WiFi compared to a public network. And that is that you do not know and trust the other people and computers on that network. It is outside of your “safe” operating zone. This is not your trusted network. Anyone can get access. This of course is the whole point with these open networks, but it´s also why you should think twice before connecting to them (and why the providers should make every effort in securing them properly).
Since most of the traffic nowadays is encrypted, it is not possible to see most of the traffic in clear text. Which is obviously a good thing. But there are many more protocols flying around that you don’t see every day and maybe aren’t aware of. It is also possible to manipulate them to a certain degree, or just listen in and see what is happening. It’s like eavesdropping on a conversation.
What we found
After sifting through the massive amount of combined data, we were able to collect dozens of different usernames, computer names and company names. This information by itself might not seem so valuable, but in the next post we will show you more about what we can do with it and why any and all information is valuable to an attacker.
The main point for this is of course to make employees and companies aware that when you step outside of your secure network that you have built, it drastically increases risk and opportunity for attacks.
Looking back at our hypothesis, were we correct in our assumptions? I would say, with a fair bit of certainty, YES!
We spent over 16 hours on the trains gathering data that everyone else’s computer sees as well. This is pretty standard behavior for networks like this. There are so many protocols flying back and forth, broadcast and announcements to the entire subnet, that there is always a chance of some information leakage. Some of the more interesting ones that we saw a lot of were SMB, LLMNR, NBT-NS broadcasts. But also, a little HTTP and MSSQL. Nothing too severe or out of the ordinary. All the more reason to make sure that every service you are using is encrypted.
What else is possible?
This leads us to wonder what would be possible in a setting like this. There are way too many possible attacks that listing them all would be impractical. However, some of them are very hard to detect and come with serious implications. Top picks are:
- Arp-spoofing – Proxying all user(s) traffic through your machine. This will allow you to inspect everything that is being send and received by that computer. Combined with an SSL Splitting attack, this could reveal sensitive information by breaking the encryption for HTTP traffic.
- LLMNR & NBT-NS poisoning – This attack usually ends with serious domain compromise. But starts with revealing the user/domain/hashes of the users. This can also be combined with a SMB relay attack which send the authentication back to the original host (or another that the user has access to) to gain access. This bypasses the need to crack the password hash.
- Man-in-the-Middle – while the previous attack examples are MitM attacks, there are numerous more that can be applied here. The main point is that you are on a network which you do not trust. With people you do not trust. And every bit of information you send could potentially be collected and compromised by one of those persons.
And for our next trick... What can someone actually do with all this information. How far can they get? What resources are available for the curious hacker? Stay tuned for the next part where we break down what we found, and what is possible.
This article is a part of a summary on what we found and how to improve in your organization’s security as well as the awareness of employees.
Read the full report here: