Contact: James, APS (CCNA, CEH)
contactep105t@secure-mail.biz

OK, so this isn't the typical way that a pen test report would start, but we might as well get straight into it. I am a customer of Sainsbury's, London Colney, and I decided to try the new Mobile Scan & Go service. Upon connecting to the network (using the credentials msagtrial) I was granted full access to the network and the WAN, allowing me to browse the internet freely. I began to interrogate the system and found the following vulnerabilities.

**PLEASE NOTE** This entire process was completed whilst spending less than 10 minutes in your store. I will not go into scrutinizing detail in this report, but I am happy to provide live demonstrations and training to your team(s) if you wish to find out more about how these attacks are carried out and, most importantly, how to protect against them.

1. WEP / WPA / WPA2 Security

- : This will allow us to enumerate the WPA key for the network.

To start, I will demonstrate how we gain access to ANY of the multiple networks / APs you have at your Sainsbury's store. For the purpose of this test we will concentrate on WPA2, as it is arguably the most secure of the three options. To begin with, we identify the networks and protocols available to us.
FIGURE 1.1

Once we have this, we can target a specific network (in this case MSAG) and begin to capture packets in order to obtain a handshake, which is the encrypted version of the WPA key. Once we have the handshake we use a very simple decryption method to enumerate the plain-text password. Once we have captured enough packets, we deauthorize the network.

FIGURE 1.2

Once we have deauthorized the network (fig. 1.2), we have extracted the handshake (see fig. 1.3, top right of the text).

FIGURE 1.3

We now have full, privileged access to the network. This can be done on ANY network you are currently running in your store, including any of those listed in figure 1.1. Once we are connected (by breaking the WPA2 security), we use Wireshark to intercept and sniff all traffic across the network (as seen in fig. 1.4).
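The capture-and-deauthorize step described above leaves a recognisable footprint on the air: a burst of deauthentication (or disassociation) frames, usually addressed to broadcast, carrying the BSSID of the targeted AP. The Python below is an added defensive example written for this report, not the author's app or any tooling belonging to the store; it parses 802.11 frames using the standard fixed MAC header layout and raises one alert per BSSID when the deauth rate crosses a threshold. The MAC addresses, timestamps, window size and threshold are constructed for the example.

```python
"""Deauthentication-flood detector for captured 802.11 frames (added example).

Parses the fixed 802.11 MAC header, counts deauthentication/disassociation
frames per BSSID inside a sliding time window, and alerts once per BSSID when
the count crosses a threshold. All frames below are constructed by hand.
"""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0           # frame-control type 0 = management
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_to_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_mgmt_frame(raw):
    """Return a dict for deauth/disassoc frames, None for any other frame.

    Management frames carry DA in addr1, SA in addr2 and BSSID in addr3; the
    deauth/disassoc body starts with a 2-byte little-endian reason code.
    """
    if len(raw) < 26:
        return None
    fc0 = raw[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    dst, src, bssid = raw[4:10], raw[10:16], raw[16:22]
    reason = struct.unpack_from("<H", raw, 24)[0]
    return {"subtype": subtype, "dst": mac_to_str(dst), "src": mac_to_str(src),
            "bssid": mac_to_str(bssid), "reason": reason}


def build_frame(fc0, dst, src, bssid, body=b""):
    """Constructed 802.11 frame: 24-byte header (duration and seq = 0) plus body."""
    header = bytes([fc0, 0x00]) + b"\x00\x00"
    header += mac_to_bytes(dst) + mac_to_bytes(src) + mac_to_bytes(bssid)
    header += b"\x00\x00"
    return header + body


class DeauthFloodDetector:
    def __init__(self, window_s=1.0, threshold=10):
        self.window_s = window_s
        self.threshold = threshold
        self._times = defaultdict(deque)   # bssid -> timestamps inside the window
        self._alerted = set()              # BSSIDs already alerted in the current burst

    def feed(self, ts, raw):
        """Feed one frame; return an alert dict when a BSSID first crosses the threshold."""
        info = parse_mgmt_frame(raw)
        if info is None:
            return None
        q = self._times[info["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        count = len(q)
        if count >= self.threshold and info["bssid"] not in self._alerted:
            self._alerted.add(info["bssid"])
            return {"ts": ts, "bssid": info["bssid"], "count": count,
                    "reason": info["reason"], "broadcast": info["dst"] == BROADCAST}
        if count < self.threshold:
            self._alerted.discard(info["bssid"])   # burst is over; re-arm
        return None


def scan(frames, window_s=1.0, threshold=10):
    """Run the detector over (timestamp, raw_frame) pairs and collect alerts."""
    det = DeauthFloodDetector(window_s, threshold)
    return [a for a in (det.feed(ts, raw) for ts, raw in frames) if a]


def sample_capture():
    """Constructed capture: one beacon, 15 broadcast deauths in 0.5 s, two stray deauths."""
    ap, other = "02:00:00:00:00:01", "02:00:00:00:00:02"   # locally administered, constructed
    frames = [(0.0, build_frame(0x80, BROADCAST, ap, ap, b"\x00" * 12))]      # beacon
    for i in range(15):                                                         # reason 7
        frames.append((0.10 + i * 0.03,
                       build_frame(0xC0, BROADCAST, ap, ap, struct.pack("<H", 7))))
    frames.append((0.2, build_frame(0xC0, "02:00:00:00:00:10", other, other, struct.pack("<H", 3))))
    frames.append((5.0, build_frame(0xC0, "02:00:00:00:00:11", other, other, struct.pack("<H", 3))))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for alert in scan(sample_capture()):
        print(alert)
```

Run over a monitor-mode capture, this is the kind of check a wireless IDS performs; two deauths a second from a busy AP are normal, fifteen in half a second to broadcast are not. The lasting fix is to enable Protected Management Frames (802.11w), which authenticates deauthentication and disassociation frames so a third party cannot forge them, together with a long, random WPA2 passphrase that does not fall to an offline guessing attack on the captured handshake.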
FIGURE 1.4

2. Hacking the MSAG Network

- : This will demonstrate owning the network in a number of ways.
- : This is the first attack I carried out, from a mobile phone.
- : Everything from here on in is carried out with an HTC phone and a custom-built app.

- : Router Interrogation

As you can see, this screenshot shows some valuable information. It gives us the manufacturer of the AP (Aruba), but also the MAC address (fig. 2.1). We can use this to carry out a quick online search for an exploit which would lead to ownership of the entire network and hardware. This test also showed the same information for Apple devices, Intel, WORKGROUP and many more devices which we could exploit.

FIGURE 2.1

- : Login Cracking

If we were not already connected to the network (although in this case we are), we would use this function to crack the admin password for the AP / network.

FIGURE 2.2

- : Port Scanning

This operation provides us with a list of open ports, which can be used to exploit the system, create SYN/ACK floods, DoS attacks etc. In this case it has only returned port 53, although leaving the device to scan for longer (even over all 65,535 ports if necessary) would likely have picked up more ports with different services.

FIGURE 2.3

- : OS Detect

We use this part of the test to enumerate the OS (operating system) of the device, although on this occasion no OS was identified (because it is an AP). I have used this on your Apple devices, where it enumerated the OS immediately.

FIGURE 2.4
- : Vulnerability Finder

The application I have built (used for the purpose of this test) will automatically find information (MAC addresses, IPs, OSs etc.) and will search online for known vulnerabilities, therefore allowing you to hack the network Hugh Jackman style. It's pointless showing you a one-click hack in this test, but be aware that it is certainly possible with the current state of your network.

- : Traffic Sniffing

Here we intercept the traffic being sent over the network. This is dumped to a separate log file for further inspection.

FIGURE 2.5

We can use this information to sniff people's phones, grab personal / private data etc. For the purpose of this test I have not saved or dumped any traffic to any media.

- : Kill Connections

We use this function to kill all the connections on the network, effectively locking the network for as long as we like. No traffic can pass around the network: you can't even access Google!

- : Traffic Redirect (URL)

This is where it starts getting interesting! We use this function to redirect traffic to wherever we like. Most malicious hackers will use this function to redirect traffic to a malicious site. This could be a clone of the Sainsbury's site, asking people to enter credit card or personal information, for example. As you can see from fig. 2.6 below, this is a simple case of typing in the link of where we want ALL traffic to go and, voilà, all traffic is now heading to our infected website.

FIGURE 2.6

- : Session Hijacking

Don't worry, we're still in the interesting bit! This function hijacks sessions, more commonly known as cookies. When users of your network are logged in to things such as eBay, Amazon etc. on their devices, we can capture their cookies and replay them to the service for authorized access as a privileged user. A session cookie is what a website uses to confirm that you are pre-authorized and have the correct credentials to access the specific service. As you can see, I was able to sniff a LOT of sessions, for all different sites including unobus.info, black-buck.net, bbc.co.uk, adnxs.com etc.

FIGURE 2.7

FIGURE 2.8

- : Replace Images / Video

This function allows us to replace ALL images on the network (Sainsbury's logos, eBay pictures, every picture on your website, banners, ads etc.) with an image of our choice. We can also replace all YouTube videos with a video of our choice, using the same method.
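Traffic Redirect, Session Hijacking and Replace Images / Video all require the phone to sit between the customers' devices and the gateway. The report does not say how that is achieved; the assumption here is the usual one on a flat Wi-Fi network, namely answering ARP on the gateway's behalf, which is what a defender should be looking for. The detector below is an added example written for this report, not the author's app or any tool the store runs: it parses raw Ethernet/ARP packets and flags a reply that claims the gateway IP with a foreign MAC, or that changes an IP-to-MAC mapping already learned. The gateway address, MACs and packets are all constructed.

```python
"""ARP-spoofing detector for a shared Wi-Fi network (added example).

Parses raw Ethernet + ARP packets, learns sender IP-to-MAC mappings, and
alerts on (a) a foreign MAC claiming the known gateway IP and (b) any
learned mapping that changes. Packets below are constructed in-line.
"""
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp(raw):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(raw) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(raw, 0)
    if ethertype != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(raw, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet + ARP packet for the example (broadcast when target MAC is unknown)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth_dst = b"\xff" * 6 if target_mac == "00:00:00:00:00:00" else mac(target_mac)
    eth = ETH_HDR.pack(eth_dst, mac(sender_mac), ETH_TYPE_ARP)
    return eth + ARP_HDR.pack(1, 0x0800, 6, 4, op, mac(sender_mac), ip(sender_ip),
                              mac(target_mac), ip(target_ip))


class ArpSpoofDetector:
    def __init__(self, gateway_ip, gateway_mac):
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac.lower()
        self.table = {gateway_ip: self.gateway_mac}   # ip -> mac learned from sender fields

    def feed(self, raw):
        """Inspect one packet; return an alert dict or None. Sender fields of requests and replies are both learned."""
        parsed = parse_arp(raw)
        if parsed is None:
            return None
        op, sha, spa, _, _ = parsed
        if op not in (ARP_REQUEST, ARP_REPLY):
            return None
        if spa == self.gateway_ip and sha != self.gateway_mac:
            return {"kind": "gateway_impersonation", "ip": spa,
                    "claimed_mac": sha, "expected_mac": self.gateway_mac}
        known = self.table.get(spa)
        if known is not None and known != sha:
            return {"kind": "mapping_changed", "ip": spa, "old_mac": known, "new_mac": sha}
        self.table[spa] = sha
        return None


def run(packets, gateway_ip, gateway_mac):
    """Run the detector over a list of raw packets and collect alerts in order."""
    det = ArpSpoofDetector(gateway_ip, gateway_mac)
    return [a for a in map(det.feed, packets) if a]


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "02:00:00:00:00:01"       # constructed


def sample_packets():
    """Constructed traffic: legitimate request/reply, then two spoofed replies, then a benign one."""
    victim_mac, attacker_mac = "02:00:00:00:00:10", "02:00:00:00:00:99"
    return [
        build_arp(ARP_REQUEST, victim_mac, "192.168.1.10", "00:00:00:00:00:00", GATEWAY_IP),
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, victim_mac, "192.168.1.10"),
        build_arp(ARP_REPLY, attacker_mac, GATEWAY_IP, victim_mac, "192.168.1.10"),   # claims gateway
        build_arp(ARP_REPLY, attacker_mac, "192.168.1.10", GATEWAY_MAC, GATEWAY_IP), # claims victim
        build_arp(ARP_REPLY, attacker_mac, "192.168.1.99", GATEWAY_MAC, GATEWAY_IP), # its own IP
    ]


if __name__ == "__main__":
    for alert in run(sample_packets(), GATEWAY_IP, GATEWAY_MAC):
        print(alert)
```

The mapping_changed rule will also fire on legitimate DHCP reassignments, so in practice it is correlated with lease data or a grace period; the gateway_impersonation rule has no such ambiguity. On the access point side, client isolation on the customer SSID (so devices cannot exchange frames with each other at layer 2) removes the attack path entirely, and dynamic ARP inspection on the wired side protects the gateway itself.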
FIGURE 2.9

FIGURE 2.10

**INTERESTING NOTE** You may notice the Twitter logo in the corner. All these attacks were carried out whilst I was casually browsing Twitter!

- : Code Injection

This is, by far, the most powerful part of the exploit. By using the Code Injection function we can inject a custom script to do ANYTHING: kill a device (forever), inject a virus, redirect traffic, download data, operate cameras, microphones etc., start an SSH session back to us as the hacker; the list is endless.

We first select whether we want to inject a pre-prepared code file or enter Custom Code (fig. 2.11). For this demonstration we'll be using Custom Code.

FIGURE 2.11

We then enter the code (fig. 2.12) we wish to inject to EVERYONE on the system. This means that as soon as they visit ANY website, ANY link or ANY service, our custom script will interject and pop up.

FIGURE 2.12

In this code we have entered a simple alert (pop-up), which will appear on the screen and display whatever we want. In this demo we have used "This is just a pop-up, but it could be anything!" Very, very dangerous!
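Session Hijacking (cookie capture and replay) and Code Injection (a script inserted into every page) both work here because the pages and cookies travel over plain HTTP across a network the phone can see. The audit below is an added example written for this report, not part of the author's app or any site named above: it parses a constructed HTTP response, reports cookies that lack the Secure, HttpOnly or SameSite attributes, and reports a host that sends no Strict-Transport-Security header. The two sample responses and their cookie names are constructed; the header and attribute names are the standard ones.

```python
"""Audit an HTTP response for the weaknesses that make cookie replay and
in-transit script injection possible on a shared network (added example).
"""


def parse_response(raw):
    """Split a raw HTTP response into (status_line, [(name_lower, value), ...])."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookie(set_cookie_value):
    """Return (cookie_name, list of missing protections) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP, where it can be sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by any script running in the page")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie is attached to cross-site requests")
    return name, findings


def audit_response(raw, served_over_tls):
    """Return {'status', 'cookies': {name: findings}, 'transport': findings}."""
    status, headers = parse_response(raw)
    report = {"status": status, "cookies": {}, "transport": []}
    for name, value in headers:
        if name == "set-cookie":
            cname, findings = audit_cookie(value)
            report["cookies"][cname] = findings
    if not served_over_tls:
        report["transport"].append(
            "served over plain HTTP: page content and scripts can be altered in transit")
    if not any(n == "strict-transport-security" for n, _ in headers):
        report["transport"].append(
            "no Strict-Transport-Security: the browser is never told to refuse plain-HTTP loads of this host")
    return report


# Constructed responses for the example; cookie names and values are made up.
SAMPLE_WEAK = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/html\r\n"
               b"Set-Cookie: session=abc123; Path=/\r\n"
               b"Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
               b"\r\n<html>...</html>")

SAMPLE_HARDENED = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                   b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
                   b"\r\n<html>...</html>")


if __name__ == "__main__":
    for label, raw, tls in (("weak", SAMPLE_WEAK, False), ("hardened", SAMPLE_HARDENED, True)):
        print(label, audit_response(raw, served_over_tls=tls))
```

From the network side, a guest SSID with client isolation stops the interception; from the site side, these headers are what make a captured cookie useless to a third party and, after the first HTTPS visit, keep the browser from loading the plain-HTTP page into which a script could be inserted.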
Figure 2.13 (below) shows the script confirmation.

To demonstrate this working, I have made the video below. This uses the HTC attack machine (on the table) to inject the script into the ENTIRE network. We then use the iPhone (also connected to the MSAG network) to prove the injection is working. Please see this link for the video: http://youtu.be/mrywloks7he

THIS VIDEO IS UNLISTED AND IS PRIVATE.

The video shows the circle running next to the JS Inject function (which shows it's alive), and then also shows my iPhone (a totally separate device; it could be any other customer's) running the code we have injected.

So this brings me pretty much to the end of the test. Please, once again, bear in mind that this was all done using a mobile phone, nothing more. I am happy to come and demonstrate exactly what we can do with a computer. I will give you a call later today to follow up.