Chris Avants

Send on behalf of?

Today, while working with a friend of mine, we identified what we believe is a vulnerability in Microsoft Exchange. Here’s the scenario; let me know what you think below :)

This morning I was expecting a meeting invite to join a session. After our scheduled meeting time had come and gone, I grabbed the last meeting invite and forwarded it to the host I was expecting the new invite from. When he received it, it showed that he had e-mailed himself the invite, with the message I had written.

In the above message Exchange shows the forward as sent “On behalf of” the original sender, which should only be possible with assigned permissions even in your own organization, let alone from a completely different organization with no domain trusts configured between the two.

Below is what the message looks like when it’s received in a Gmail account, showing as from ONLY the original sender, not myself as the forwarder :)

If you expand the message, there is very little indication that it’s not from the original sender, although if you look closely you can see “via” followed by our Exchange domain. Again, ZERO trusts were set up in order to get these permissions.

We reported this issue via the Microsoft Bug Bounty program, as we believe this is a major vulnerability. Having a very easy way to impersonate anyone who sends you a meeting invite, simply by forwarding it, could allow malicious code to be introduced or be used in any number of social engineering campaigns.

Being able to forward messages “On Behalf of” someone implies trust that the sender is operating with permission on behalf of that user.

Microsoft has said they “reported the issue to the appropriate team, but didn’t meet their criteria for a vulnerability”. What do you think: bug, vulnerability? What definition do you use for this?

Let me know your thoughts, below.
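The observation above (a message that displays as from one person while a different domain actually handed it off) can be checked mechanically in the message headers. The following is an added example, not code from the post or from Microsoft. It assumes, which the post does not confirm, that a forwarded invite carries an RFC 5322 Sender: header naming the forwarder (the header Outlook renders as “X on behalf of Y”) and that the receiving mail server records the envelope sender in Return-Path:. The two sample messages are constructed for the example, not captures.

```python
"""Compare who a message claims to be from with who actually submitted it.

Added example, not code from the original post or from Microsoft. It assumes
(not confirmed by the post) that a forwarded invite carries an RFC 5322
Sender: header naming the forwarder, which is how Outlook renders "X on
behalf of Y", and that the receiving MTA records the envelope sender in
Return-Path:. Both sample messages are constructed, not captures.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: a forwarded invite where From: is the original host but the
# submitting party (Sender:/Return-Path:) is in a different organisation.
FORWARDED_INVITE = """\
Return-Path: <forwarder@forwarder-org.example>
Sender: forwarder@forwarder-org.example
From: Meeting Host <host@host-org.example>
To: host@host-org.example
Subject: FW: Weekly sync
Content-Type: text/calendar; method=REQUEST

BEGIN:VCALENDAR
END:VCALENDAR
"""

# Constructed: an ordinary message where the visible and actual sender agree.
NORMAL_MAIL = """\
Return-Path: <host@host-org.example>
From: Meeting Host <host@host-org.example>
To: attendee@other-org.example
Subject: Weekly sync

See you there.
"""

def _domain(header_value):
    """Lower-case domain of a single address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def on_behalf_of_check(raw):
    """Return the From: domain, the submitting domain (Sender: if present,
    otherwise Return-Path:), whether they differ, and whether the body is a
    calendar invite."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    submit_dom = _domain(msg.get("Sender")) or _domain(msg.get("Return-Path"))
    return {
        "from_domain": from_dom,
        "submitting_domain": submit_dom,
        "mismatch": bool(submit_dom) and submit_dom != from_dom,
        "is_invite": msg.get_content_type() == "text/calendar",
    }

def flag_forwarded_invites(raw_messages):
    """Indexes of messages that are invites whose visible From: domain is not
    the domain that actually submitted them; the pattern the post describes."""
    flagged = []
    for i, raw in enumerate(raw_messages):
        result = on_behalf_of_check(raw)
        if result["is_invite"] and result["mismatch"]:
            flagged.append(i)
    return flagged

if __name__ == "__main__":
    for raw in (FORWARDED_INVITE, NORMAL_MAIL):
        print(on_behalf_of_check(raw))
    print("suspicious:", flag_forwarded_invites([FORWARDED_INVITE, NORMAL_MAIL]))
```

The same domain comparison is what produces the small “via” annotation in Gmail that the post mentions: the visible From: domain did not itself authenticate the message, the submitting domain did. A mail filter or SIEM rule built on this check should treat a mismatch on a calendar invite as worth a look rather than as proof of abuse, since legitimate delegates and mailing lists produce the same header shape.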

Subscribe to my YouTube Channel

Most of you already know that, aside from recording new courses professionally and teaching, I have been releasing a lot of new content via WiFiTraining / my YouTube channel. I am releasing content from myself as well as our other Sr. Instructors at WiFiTraining, so it’s a great place to follow.

Here is the link https://youtube.com/user/chrisavants


Many ways to configure Monitor Mode on Linux / Kali

Notes on Configuring Monitor Mode

There are several ways to configure monitor mode on your WLAN adapter in Linux.

One of the easiest uses airmon-ng from the aircrack-ng suite, which creates a virtual monitor-mode interface on top of the adapter (on current versions wlan0 becomes wlan0mon).

This puts the adapter in monitor mode if the driver and adapter support it. If yours does not, do NOT worry; you can use the other methods below.

airmon-ng check kill

airmon-ng start wlanX

Dump WLAN survey data

airodump-ng wlanXmon (the monitor interface airmon-ng created)

To put the adapter back in normal (managed) mode

airmon-ng stop wlanXmon

service NetworkManager start

Using IWCONFIG

sudo ifconfig wlan0 down

sudo iwconfig wlan0 mode monitor

sudo ifconfig wlan0 up

Using IW

iw is the Linux (nl80211) configuration utility for wireless devices and replaces the older iwconfig.

iw can also connect to a WLAN (iw dev wlan0 connect <SSID>), but that path only supports open networks and WEP; WPA/WPA2 require wpa_supplicant, so we normally use it only for debugging when working without wpa_supplicant.

Option 1 for IW (switch the existing interface)

sudo ip link set wlan0 down

sudo iw dev wlan0 set type monitor

sudo ip link set wlan0 up

To return the adapter to managed mode:

sudo ip link set wlan0 down

sudo iw dev wlan0 set type managed

sudo ip link set wlan0 up

 

Option 2 for IW (add a separate monitor interface on the same radio)

sudo iw phy phy0 interface add mon0 type monitor

sudo iw dev wlan0 del

sudo ifconfig mon0 up

sudo iw dev mon0 set channel <channel> (or: sudo iw dev mon0 set freq <MHz>)

Deleting wlan0 is needed because many drivers (including the one whose iw list output appears later on this page, which reports “interface combinations are not supported”) will not run a managed and a monitor interface at the same time. To get wlan0 back, re-add it with sudo iw phy phy0 interface add wlan0 type managed, or reload the driver.

NOTE – Before starting monitor mode on a WLAN adapter, ensure you can see the adapter with the ifconfig command on Linux. If ifconfig doesn’t work, try sudo ifconfig, and if that doesn’t work you need to install net-tools (sudo apt install net-tools).

If that doesn’t work, use sudo iwconfig and see if the WLAN adapter shows up there.

Check USB Adapters

If you’re using a USB WLAN adapter like the Comfast RTL8812AU I recommend, use the command lsusb and verify you see the adapter connected to your Kali machine.

Check Integrated Adapters

If you booted from a USB Kali image or performed a bare-metal install of Kali on your laptop and the WLAN adapter does not show up, use lspci to see if the adapter is seen by the kernel. If so, note the adapter model and search for Kali drivers for that model. Intel WLAN chipsets usually work well when booting a laptop into Kali.

If you’re looking to learn wireless hacking / pentesting, I wrote a course called Rockstar Wireless Networking. It’s available at https://store.wifitraining.com or you can check it out below. I also post other wireless and security videos on my YouTube channel https://youtube.com/user/chrisavants

Rockstar Wireless Hacking

Share your message

A little secret professional instructors and trainers know, is there is no better way to refine and master your skills than by sharing your knowledge with others. Knowing how to do something really well is one thing, knowing how to teach others to do things really well is another altogether.

Am I saying everyone should quit their jobs and become teachers or course developers? No, I am not. You don’t have to become a full-time instructor to share your message these days. In fact, many great bloggers, course developers, authors, and even instructors do so on a part-time basis.

If you haven’t started a blog, you should. No matter what level you are at now, there are people who want to know what you know. It’s also a great way to grow your presence in the community. As a professional author / instructor, I am truly horrible about this. As I write professional courses about various networking, Wi-Fi, security, and cybersecurity topics, it’s just hard spending time blogging about the same stuff for free.

Are you a rockstar engineer, the go-to guy that does all the heavy lifting at your company? Consider creating a blog, content for courses, or creating a video course for a new platform we are launching in 2020!

The first time you create course content, or a whole course, it will take you a good deal of time. It’s a natural, healthy process, much of which is actually spent refining what you know into a coherent message that can be shared with others. This is the point where far too many people “give up”, or feel they may not be as big of a rockstar as they thought.

Those that press on and get something developed may find a few extra dollars in their wallets, sometimes much more than a few. The largest takeaway, however, is a much more refined and sharper skillset at the end of the process; there is nothing like finally getting that first course out there.

  • Be prepared to take all forms of feedback constructively, it comes with the territory.
  • Ask industry veterans for tips, and help when needed.
  • Set timelines, and always keep it moving forward

The last one is important: millions of great course ideas are dead in folders on people’s hard drives because their owners never found the time to actually bring that content to fruition. If you make the decision to take this journey, I wholeheartedly believe it’s a journey worth seeing through.

If you are an author, blogger, course developer, or video course author, or you have rockstar-level skills with modern technology and would like to get started developing a course, I hold regular workshops for our instructor and developer teams. If you would be interested in attending, contact me with your bio and what your project is.

WiFi Pentesting with Kali – Must Learn Commands – Part 1

I am currently working on the new Lab Workbook for WLAN Security Professionals at WiFiTraining, and as I share some of it with the community I wanted to cover getting a WLAN pen-testing/hacking setup working for most users, or at least the little things I think will be helpful to students, based on the issues I see when students jump into labs.

A big reason students lose interest or get frustrated learning wireless pen-testing is not having the proper hardware and code, and many of my students are not familiar with Linux either.

First, if you’re not using the correct WLAN adapters, it’s going to be quite challenging getting them working, especially if you’re new at this and not on devices that are proven to work well with the drivers and tools we use, like Aircrack-ng, hostapd, and others.

If you’re booting into Linux on enterprise hardware, integrated chipsets usually work well right off the bat, because most business/enterprise vendors (Lenovo, Dell, HP, ASUS business lines) use Intel or Broadcom chipsets for their WLAN adapters. For external WLAN adapters, and when running Linux/Kali in a VM, finding the right USB WLAN adapter can be fun, especially when looking for modern 802.11 PHY support like 802.11ac or 802.11ax.

One of my go-to WLAN adapters for wireless pen-testing is the Realtek RTL8812AU. On Kali, monitor mode and injection on this chipset come from the out-of-tree aircrack-ng rtl8812au driver, packaged as realtek-rtl88xxau-dkms; install that before troubleshooting anything else.

They come in two forms: the Comfast, with integrated antennas, and the yellow adapter that dozens of companies rebrand and sell simply as “RTL8812AU” (the name of the chipset).

RTL8812AU (generic “yellow”) USB 3.0 adapter: 802.11a/b/g/n/ac, 2x2 MIMO, 2.4 GHz up to 300 Mbps and 5 GHz up to 867 Mbps, sold for Kali Linux/Windows/macOS with monitor mode and injection support.

COMFAST RTL8812AU USB 3.0 adapter: dual band 2.4/5.8 GHz, 1200 Mbps, integrated antennas, Windows and macOS drivers included.

  • iw list – detailed capability output, shown below
  • lsusb – displays USB devices seen by the kernel
  • lspci – internal (PCI/PCIe) chipsets
  • ifconfig – shows interfaces seen by the kernel and lists their status
  • iwconfig – shows wireless interfaces and their status
  • iwconfig wlanX mode (managed, ad-hoc, master, monitor)
  • service NetworkManager stop – keep NetworkManager from fighting you for the adapter
  • rfkill unblock wifi – clear a soft block (rfkill list shows the block state)
  • Aircrack-ng suite – the go-to suite of wireless tools for security professionals. Tools to get you started: airmon-ng, airodump-ng, aircrack-ng, airbase-ng; there are several others. Check out http://aircrack-ng.org

To get your adapter into 802.11 monitor mode it’s as simple as

  • $ ifconfig – verify you see WLAN adapters (wlan0, wlan1, etc.)
    • If you don’t see WLAN adapters, be sure the adapter is mapped to the VM if running Linux in a VM, and check iwconfig and lsusb to see if it’s seen at all.
  • $ service NetworkManager stop – case sensitive on NetworkManager
  • $ airmon-ng check kill – kills any processes that would interfere with the WLAN adapter
  • $ airmon-ng start wlan0 (channel) – give a channel if you need to start listening on a specific channel, e.g. for Wireshark: airmon-ng start wlan0 40. Current versions rename the interface to wlan0mon; use that name in the commands below.
  • $ airodump-ng wlan0mon – hops across the 2.4 GHz channels (1–13) by default, looking for 802.11 management frames, and dumps what it sees to the screen. Very capable, feature-rich tool.
  • $ airodump-ng options
    • --band a – scans only 5 GHz channels
    • -c / --channel <n> – scans only a specific channel
    • -w <prefix> – writes what is captured to files (for example -w ~/Desktop/captures/filename)
    • --help (lol, don’t forget there’s help with these tools)

If you’re looking to capture WPA handshakes, for example:

Step 1 – Place the WLAN adapter in monitor mode

  • airmon-ng check kill
  • service NetworkManager stop
  • airmon-ng start wlan0

Step 2 – Start the capture on a specific channel (after you have surveyed the area), and log the frames

  • airodump-ng -c 40 -w WPACap1 wlan0mon

Wait for a client to associate or re-associate; airodump-ng prints “WPA handshake: <BSSID>” in its top line once it has captured the four EAPOL messages, and the frames land in WPACap1-01.cap.

When you are done with the capture:

  • $ airmon-ng stop wlan0mon
  • $ service NetworkManager start

You now have a normal WLAN interface.

There are other methods to achieve monitor mode on your WLAN adapters; I will be featuring them in much more detail in the new Lab Workbook for WLAN Security Professionals and CWSP at https://store.wifitraining.com

Does my WLAN adapter support monitor mode and soft AP functionality? Will it perform packet injection? Is it dual-band, and can it support the PHY being used in my test environment?

Use the command $ iw list. Look at “Supported interface modes” for monitor and AP, at the bands and the VHT capabilities for dual-band and 802.11ac support, and at the frequencies marked “(no IR)”: the regulatory domain forbids transmitting there, so you can listen on those channels but not run a soft AP or inject on them. Injection itself is confirmed with aireplay-ng --test wlan0mon, not from iw list alone. Output for the RTL8812AU:

root@win10k194:# iw list
Wiphy phy0
max # scan SSIDs: 9
max scan IEs length: 2304 bytes
max # sched scan SSIDs: 0
max # match sets: 0
max # scan plans: 1
max scan plan interval: -1
max scan plan iterations: 0
Retry short limit: 7
Retry long limit: 4
Coverage class: 0 (up to 0m)
Supported Ciphers:
* WEP40 (00-0f-ac:1)
* WEP104 (00-0f-ac:5)
* TKIP (00-0f-ac:2)
* CCMP-128 (00-0f-ac:4)
* CMAC (00-0f-ac:6)
Available Antennas: TX 0x2 RX 0x2
Supported interface modes:
* IBSS
* managed
* AP
* monitor
Band 1:
Capabilities: 0x1a72
HT20/HT40
Static SM Power Save
RX Greenfield
RX HT20 SGI
RX HT40 SGI
RX STBC 2-streams
Max AMSDU length: 7935 bytes
DSSS/CCK HT40
Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
Minimum RX AMPDU time spacing: 16 usec (0x07)
HT Max RX data rate: 300 Mbps
HT TX/RX MCS rate indexes supported: 0-15
Bitrates (non-HT):
* 1.0 Mbps
* 2.0 Mbps
* 5.5 Mbps
* 11.0 Mbps
* 6.0 Mbps
* 9.0 Mbps
* 12.0 Mbps
* 18.0 Mbps
* 24.0 Mbps
* 36.0 Mbps
* 48.0 Mbps
* 54.0 Mbps
Frequencies:
* 2412 MHz [1] (20.0 dBm)
* 2417 MHz [2] (20.0 dBm)
* 2422 MHz [3] (20.0 dBm)
* 2427 MHz [4] (20.0 dBm)
* 2432 MHz [5] (20.0 dBm)
* 2437 MHz [6] (20.0 dBm)
* 2442 MHz [7] (20.0 dBm)
* 2447 MHz [8] (20.0 dBm)
* 2452 MHz [9] (20.0 dBm)
* 2457 MHz [10] (20.0 dBm)
* 2462 MHz [11] (20.0 dBm)
* 2467 MHz [12] (20.0 dBm) (no IR)
* 2472 MHz [13] (20.0 dBm) (no IR)
* 2484 MHz [14] (20.0 dBm) (no IR)
Band 2:
Capabilities: 0x1a72
HT20/HT40
Static SM Power Save
RX Greenfield
RX HT20 SGI
RX HT40 SGI
RX STBC 2-streams
Max AMSDU length: 7935 bytes
DSSS/CCK HT40
Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
Minimum RX AMPDU time spacing: 16 usec (0x07)
HT Max RX data rate: 300 Mbps
HT TX/RX MCS rate indexes supported: 0-15
VHT Capabilities (0x03c031a2):
Max MPDU length: 11454
Supported Channel Width: neither 160 nor 80+80
short GI (80 MHz)
TX STBC
SU Beamformee
+HTC-VHT
VHT RX MCS set:
1 streams: MCS 0-9
2 streams: MCS 0-9
3 streams: not supported
4 streams: not supported
5 streams: not supported
6 streams: not supported
7 streams: not supported
8 streams: not supported
VHT RX highest supported: 867 Mbps
VHT TX MCS set:
1 streams: MCS 0-9
2 streams: MCS 0-9
3 streams: not supported
4 streams: not supported
5 streams: not supported
6 streams: not supported
7 streams: not supported
8 streams: not supported
VHT TX highest supported: 867 Mbps
Bitrates (non-HT):
* 6.0 Mbps
* 9.0 Mbps
* 12.0 Mbps
* 18.0 Mbps
* 24.0 Mbps
* 36.0 Mbps
* 48.0 Mbps
* 54.0 Mbps
Frequencies:
* 5180 MHz [36] (30.0 dBm)
* 5200 MHz [40] (30.0 dBm) (no IR)
* 5220 MHz [44] (30.0 dBm) (no IR)
* 5240 MHz [48] (30.0 dBm)
* 5260 MHz [52] (30.0 dBm) (no IR)
* 5280 MHz [56] (30.0 dBm) (no IR)
* 5300 MHz [60] (30.0 dBm) (no IR)
* 5320 MHz [64] (30.0 dBm) (no IR)
* 5500 MHz [100] (30.0 dBm) (no IR)
* 5520 MHz [104] (30.0 dBm) (no IR)
* 5540 MHz [108] (30.0 dBm) (no IR)
* 5560 MHz [112] (30.0 dBm) (no IR)
* 5580 MHz [116] (30.0 dBm) (no IR)
* 5600 MHz [120] (30.0 dBm) (no IR)
* 5620 MHz [124] (30.0 dBm) (no IR)
* 5640 MHz [128] (30.0 dBm) (no IR)
* 5660 MHz [132] (30.0 dBm) (no IR)
* 5680 MHz [136] (30.0 dBm) (no IR)
* 5700 MHz [140] (30.0 dBm) (no IR)
* 5720 MHz [144] (30.0 dBm) (no IR)
* 5745 MHz [149] (30.0 dBm) (no IR)
* 5765 MHz [153] (30.0 dBm)
* 5785 MHz [157] (30.0 dBm)
* 5805 MHz [161] (30.0 dBm)
* 5825 MHz [165] (30.0 dBm) (no IR)
* 5845 MHz [169] (30.0 dBm) (no IR)
* 5865 MHz [173] (30.0 dBm)
* 5885 MHz [177] (30.0 dBm)
Supported commands:
* new_interface
* set_interface
* new_key
* start_ap
* new_station
* set_bss
* join_ibss
* set_pmksa
* del_pmksa
* flush_pmksa
* remain_on_channel
* frame
* set_channel
* connect
* disconnect
Supported TX frame types:
* IBSS: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* managed: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* AP: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* AP/VLAN: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-client: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-GO: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
Supported RX frame types:
* IBSS: 0xd0
* managed: 0x40 0xb0 0xd0
* AP: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* AP/VLAN: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* P2P-client: 0x40 0xd0
* P2P-GO: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
WoWLAN support:
* wake up on anything (device continues operating normally)
software interface modes (can always be added):
* monitor
interface combinations are not supported
Device supports SAE with AUTHENTICATE command
Device supports scan flush.
Supported extended features:
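The questions above can be answered mechanically from the iw list output. The following is an added example, not code from the original post and not part of iw or aircrack-ng; it parses the format shown above, and the sample text embedded in it is an abridged excerpt of that output. It reports monitor and AP support, whether the driver exposes the nl80211 frame command (raw management TX, a useful indicator for injection; aireplay-ng --test remains the real check), whether both bands are present, and which channels are marked (no IR) and so can only be listened on. The channel_to_freq helper is for the iw dev mon0 set freq form in the Option 2 section above and uses the standard channel plans (2407 + 5×n for channels 1–13, 2484 for channel 14, 5000 + 5×n for the 5 GHz channels).

```python
"""Parse `iw list` output to answer: monitor mode? soft AP? raw frame TX?
dual band? which channels may we transmit on?

Added example, not code from the original post, iw, or aircrack-ng.
IW_LIST_SAMPLE is an abridged excerpt of the output shown above (same
format); the "(no IR)" flag means the current regulatory domain forbids
initiating radiation there, so a soft AP or injection on that channel is
not permitted even though monitor mode can still listen.
"""
import re

# Abridged from the iw list output above; a few entries kept per section.
IW_LIST_SAMPLE = """\
Wiphy phy0
    Supported Ciphers:
        * WEP40 (00-0f-ac:1)
        * TKIP (00-0f-ac:2)
        * CCMP-128 (00-0f-ac:4)
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * monitor
    Band 1:
        Frequencies:
            * 2412 MHz [1] (20.0 dBm)
            * 2437 MHz [6] (20.0 dBm)
            * 2462 MHz [11] (20.0 dBm)
            * 2472 MHz [13] (20.0 dBm) (no IR)
    Band 2:
        Frequencies:
            * 5180 MHz [36] (30.0 dBm)
            * 5200 MHz [40] (30.0 dBm) (no IR)
            * 5785 MHz [157] (30.0 dBm)
    Supported commands:
         * new_interface
         * start_ap
         * frame
         * set_channel
    software interface modes (can always be added):
         * monitor
"""

_FREQ_RE = re.compile(r"\*\s+(\d+) MHz \[(\d+)\](.*)")

def parse_iw_list(text):
    """Return modes, commands, ciphers (sets) and a channel list with flags.

    Sections are recognised by their header line; any other line ending in
    ':' closes the current section so stray '* ...' entries are not misfiled.
    """
    info = {"modes": set(), "commands": set(), "ciphers": set(), "channels": []}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Supported interface modes") or s.startswith("software interface modes"):
            section = "modes"          # software modes can always be added on top
        elif s.startswith("Supported commands"):
            section = "commands"
        elif s.startswith("Supported Ciphers"):
            section = "ciphers"
        elif s.startswith("Frequencies"):
            section = "channels"
        elif s.endswith(":") and not s.startswith("*"):
            section = None
        elif s.startswith("*") and section == "channels":
            m = _FREQ_RE.match(s)
            if m:
                rest = m.group(3)
                dbm = re.search(r"\(([\d.]+) dBm\)", rest)
                flags = [f for f in re.findall(r"\(([^)]*)\)", rest) if not f.endswith("dBm")]
                info["channels"].append({
                    "freq": int(m.group(1)), "channel": int(m.group(2)),
                    "dbm": float(dbm.group(1)) if dbm else None, "flags": flags,
                })
        elif s.startswith("*") and section:
            info[section].add(s.lstrip("* ").split(" (")[0])   # drop "(00-0f-ac:1)" suffixes
    return info

def channel_to_freq(channel):
    """802.11 channel number to centre frequency in MHz (2.4 GHz and 5 GHz plans)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if 32 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"channel {channel} is outside the 2.4/5 GHz plans")

def adapter_report(info):
    """Summarise pentest-relevant capabilities from parse_iw_list() output."""
    modes, cmds = info["modes"], info["commands"]
    bands = {"2.4GHz" if c["freq"] < 3000 else "5GHz" for c in info["channels"]}
    listen_only = [c["channel"] for c in info["channels"]
                   if any(f in ("no IR", "disabled") for f in c["flags"])]
    tx_ok = [c["channel"] for c in info["channels"] if c["channel"] not in listen_only]
    return {
        "monitor": "monitor" in modes,
        "soft_ap": "AP" in modes and "start_ap" in cmds,
        # nl80211 'frame' (raw management TX) plus monitor mode is what injection
        # tools build on; confirm on hardware with `aireplay-ng --test wlan0mon`.
        "injection_likely": "monitor" in modes and "frame" in cmds,
        "dual_band": bands == {"2.4GHz", "5GHz"},
        "tx_channels": tx_ok,
        "listen_only_channels": listen_only,
    }

def can_transmit_on(info, channel):
    """True if the adapter lists `channel` without a 'no IR'/'disabled' flag."""
    return channel in adapter_report(info)["tx_channels"]

if __name__ == "__main__":
    report = adapter_report(parse_iw_list(IW_LIST_SAMPLE))
    for key, value in report.items():
        print(f"{key:>21}: {value}")
```

Feed it the real output with parse_iw_list(subprocess.check_output(["iw", "list"], text=True)) on the lab box. The listen_only_channels list is the one to check before an evil-twin or deauth exercise: on the full output above, channel 40 is “(no IR)”, so the airodump-ng -c 40 capture in the earlier section will work, but starting a soft AP on channel 40 with this regulatory domain will not.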

CCNAW / CCNPW / CCIEW Lab for Cheap

If you’re working toward a Cisco Wireless certification such as CCNAW/CCNPW or CCIEW, you will want to practice. A LOT. When it comes to building and buying lab equipment, if you know me you know I am not shy about investing in the right education or lab gear. That said, there’s no need for senseless spending, and you also know I am big on saving and investing wisely. Why buy a 9K series controller and APs for $5K when a $500 investment (maybe) will do?

When it comes to practicing for certification, or even building skills for the real world, nothing beats first-hand real-world experience, right? Well, having a lab at home or work where you can build, test, break, and fix dozens of deployments a day or over a weekend may actually top the charts. I always joke in my classes that what really makes us experts is that we have broken thousands of things and learned from it. Ultimately it makes us much better prepared for when shit hits the fan, since we have likely seen it before.

My recommendation for building a home lab for any of the Cisco Wireless courses includes the following.

Access Points

You’re going to need a few of these to work on things, ideally 3 or more. Sure, you could spend up to $1K per AP here getting the new 9K series 802.11ax APs, or you can get my personal favorite for labs, the Cisco 3500 or 3600 series, for a whopping $9 each on eBay. Sure, the 3500 series doesn’t have 802.11ax or even 802.11ac, but it does have everything else. Want autonomous? Done! Want centralized? Done! Want SE-Connect? Want Bridge mode? Done, and well, you get the picture. The same goes for Monitor mode, Rogue Detector, and the eloquently named Sniffer mode. Bottom line: it does 99% of everything you want to practice when learning Cisco Wireless, for CHEAP. In fact, here’s a box of 10 for $50

Switch

You will need at least one of these, but here again I would recommend 2. To save you time and energy powering your APs, I highly recommend you get a PoE version, and to maximize this investment I would recommend a 3750X (PoE), although you can find 3750G variants a little cheaper. The 3750X is a more modern switch; just be sure to get one with IP Base or IP Services so you can terminate VLANs and do basic routing without needing another device.

Cisco 3750X

Server

Here’s the thing. Do you absolutely require a server to do small wireless labs? NO. However, you will need one hell of a beefy laptop to run ISE, Prime, CMX, and AD at the same time to mimic a typical network. Investing in a used server can help you light up many different scenarios quickly, and is an EASY ROI. I recommend getting a used Dell R610 or HP DL380 G6; you can find a 1U or 2U with dual hexa-core CPUs, 64GB RAM, and redundant drives for $350 or so :) You don’t need a ton of disk space, but you do want fairly fast drives (10–15K RPM); 300GB or so should be fine for our purposes. Found one today (8/2019) for under $350 :)

Be prepared….

  • They can/will be noisy.
  • They can/will generate heat.

Wireless LAN Controller (WLC)

I recommend purchasing a current controller if your budget allows. Generations ago the 2106, then the 2504, and now the 3504 and 9800-L give us almost the same features as their larger brothers for much less. However, this post is about building a lab on a budget, and for that, spending $1200 on one item just won’t do. Technology evolves, and when it does many new features come out… Or do they? Can someone name for me 3 features the latest 9800-L offers that you couldn’t get with a 3504 or 2504, other than support for the latest APs? My guess is that most of you can’t. It’s not that they are not there; it’s that although technology evolves, there are core technologies that take much longer to change than vendors would like. I AM NOT SAYING DON’T LEARN WHAT’S NEW EITHER; just don’t let some new feature be an excuse for not diving in to learn a technology that is required for your job or that you’re passionate about. So for the WLC-on-a-budget recommendation, I would wholeheartedly recommend a Cisco 2504, as it appears you can get them now for less than $300 US. However, if that’s too steep, go with a Virtual Wireless LAN Controller (vWLC); you can get a 90-day eval free. If you do buy a 2504 as your primary, the vWLC means you can practice your Mobility Group / Domain tasks on the cheap without buying multiple controllers.

Server Applications

To round out your Cisco topology on a budget you will need Cisco ISE, Prime Infrastructure, and optionally CMX. Fortunately, these are all free downloads from Cisco.com with a valid service agreement. If you don’t have permissions, maybe ask a colleague who does, since these will be used for learning only :) You will need to deploy a VMware hypervisor on the server you purchased before you can deploy VMs. Luckily VMware has our back with a free version you can use: https://www.vmware.com/products/vsphere-hypervisor.html

Once the hypervisor is installed you will need to deploy

  • Windows 2K8 (or whichever version you like)
    • Active Directory Role
    • Certificate Authority Role
    • Create several OUs, Groups and Users
    • DHCP (Optional)
    • DNS (Installed with AD)
  • Cisco Identity Services Engine 2.4 or better
  • Cisco Prime Infrastructure 3.3 or better
  • Depending on your needs you may also want CMX, and DNA

Conclusion

Building a home lab doesn’t have to be super costly, although my personal experience is that regardless of what you spend there is a SOLID ROI. I always tell everyone “THE BEST INVESTMENT YOU CAN MAKE is IN YOURSELF”. I have built my personal career by investing in specialized/accelerated education and training and by building labs. ANYTIME I WANT TO LEARN SOMETHING NEW, along with specialized and accelerated training, I build a lab and lab it out. It’s what I know and have been successful with. I am thankful I took out that first $7K loan at 18 years old, those few “short” years ago, to buy a couple of Cisco routers and switches and a new PC. It was my secret weapon that allowed me to earn a spot on the Network Engineering team at such a young age and was a catalyst for my career. Thanks to virtualization and the evolution of technology, today you can build great labs to learn and set yourself apart without taking out the loans.