Chris Avants

Showing off Cisco IBNSv2 in Cisco ISE Lessons – Wired

In this video I show how simple moving to Cisco IBNSv2 can be, using C3PL for a basic policy. If you have been working with QoS for any length of time, this will be a welcome change. IBNSv2 uses class-maps, policy-maps, and service policies to create granular policies for 802.1X / MAB authentications, as well as “what if” scenarios.

You can purchase the full course here 

Send on behalf of?

Today, while working with a friend of mine, we identified what we believed to be a vulnerability with Microsoft Exchange. Here’s the scenario; let me know what you think below :)

This morning I was expecting a meeting invite to join a session. After our scheduled meeting time had come and gone, I grabbed the last meeting invite and forwarded it to the host I was expecting the new invite from. When he received it, it showed that he had e-mailed himself the invite, with the message I had written.

In the above message, Exchange shows the forwarded message as sent “On behalf of” the original sender, which should only be possible with assigned permissions even within your own organization, let alone from a completely different organization with no domain trusts configured between the two.

Below is what the message looks like when it’s received in a Gmail account: it shows as from ONLY the original sender, not from me as the forwarder :)

If you expand the message again, there is very little indication it’s not from the original sender, although if you look closely you can see via — our domain on Exchange. Again, ZERO trusts were set up in order to get these permissions.

We reported this issue via the Microsoft Bug Bounty program, as we believe this is a major vulnerability. Having a very easy ability to impersonate anyone who sends you a meeting invite, simply by forwarding it, could allow malicious code introduction or be used in any number of social engineering campaigns.

Being able to forward messages “On Behalf of” someone implies trust that the sender is operating with permission on behalf of that user.

Microsoft has said they “reported the issue to the appropriate team, but didn’t meet their criteria for a vulnerability”. What do you think, bug, vulnerability, what definition do you use for this?

Let me know your thoughts, below.

Subscribe to my YouTube Channel

Most of you already know that, aside from recording new courses professionally and teaching, I have been releasing a lot of new content via WiFiTraining / my YouTube channel. I am releasing content from myself as well as from our other Sr. Instructors @ WiFiTraining, so it’s a great place to follow.

Here is the link https://youtube.com/user/chrisavants

Here are some of the videos you’ll find there.

Many ways to configure Monitor Mode on Linux / Kali

Notes on Configuring Monitor Mode 

There are several ways to configure monitor mode on your WLAN adapter in Linux.

One of the easiest uses the aircrack-ng suite; it requires virtual adapter support in the driver.

airmon-ng check kill

airmon-ng start wlanX

This puts the adapter in monitor mode (if the driver and adapter support it). If your machine does not, do NOT worry; you can use the other methods below.

To put the adapter back in normal mode

airmon-ng stop wlanXmon (the monitor interface that airmon-ng created, typically wlan0mon)

Dump WLAN Survey data

airodump-ng (adapter name)

Using IWCONFIG

sudo ifconfig wlan0 down

sudo iwconfig wlan0 mode monitor

sudo ifconfig wlan0 up

Using IW

iw is the Linux command-line configuration utility for wireless devices.

iw can also connect to WLAN networks, but it does not support advanced security modes (open networks and WEP only), so it is normally used only for debugging when working without wpa_supplicant.

To enter monitor mode:

sudo ip link set wlan0 down

sudo iw dev wlan0 set monitor none

sudo ip link set wlan0 up

To return to managed mode:

sudo ip link set wlan0 down

sudo iw dev wlan0 set type managed

sudo ip link set wlan0 up

Option 2 for IW

sudo iw phy phy0 interface add mon0 type monitor

sudo iw dev wlan0 del

sudo ifconfig mon0 up

sudo iw dev mon0 set channel XX (or sudo iw dev mon0 set freq XXXX, with the frequency in MHz)

NOTE – Before starting monitor mode on a WLAN adapter, ensure you can see the adapter with the ifconfig command on Linux. If ifconfig doesn’t work, try sudo ifconfig, and if that doesn’t work you need to install the network tools package (sudo apt install net-tools).

If that still doesn’t show it, use sudo iwconfig and see if the WLAN adapter shows up there.

Check USB Adapters

If you’re using a USB WLAN adapter like the Comfast RTL8812AU I recommend, run lsusb and verify you see the adapter connected to your Kali machine.

Check Integrated Adapters

If you booted from a USB Kali image or performed a bare-metal install of Kali on your laptop and the WLAN adapter does not show up, use lspci to see if the adapter is seen by the kernel. If so, note the adapter model and search for Kali drivers for that model. Intel WLAN chipsets usually work well when booting a laptop into Kali.

If you’re looking to learn wireless hacking / pentesting, I wrote a course called Rockstar Wireless Networking. It’s available at https://store.wifitraining.com, or you can check it out below. I also post other wireless and security videos on my YouTube channel https://youtube.com/user/chrisavants

Rockstar Wireless Hacking

Share your message

A little secret professional instructors and trainers know, is there is no better way to refine and master your skills than by sharing your knowledge with others. Knowing how to do something really well is one thing, knowing how to teach others to do things really well is another altogether.

Am I saying everyone should quit their jobs and become teachers or course developers? No, I am not. You don’t have to become a full-time instructor to share your message these days. In fact, many great bloggers, course developers, authors, and even instructors do so on a part-time basis.

If you haven’t started a blog, you should. No matter what level you are at now, there are people who want to know what you know. It’s also a great way to grow your presence in the community. As a professional Author / Instructor, I am truly horrible about this. As I write professional courses about various networking, wifi, security, and cybersecurity topics, it’s just hard spending time blogging about the same stuff for free.

Are you a rockstar engineer, the go-to guy that does all the heavy lifting at your company? Consider creating a blog, content for courses, or creating a video course for a new platform we are launching in 2020!

The first time you create course content, or a whole course, it will take you a good deal of time. It’s a natural, healthy process, much of which is actually spent refining what you know into a coherent message that can be shared with others. This is the point where far too many people “give up”, and/or feel they may not be as big of a rockstar as they think.

Those that press on and get something developed may find a few extra dollars in their wallets, sometimes much more than a few. The largest takeaway, however, is a much more refined and sharper skillset at the end of the process; there is nothing like finally getting that first course out there.

  • Be prepared to take all forms of feedback constructively, it comes with the territory.
  • Ask industry veterans for tips, and help when needed.
  • Set timelines, and always keep it moving forward

The last one is important: millions of great course ideas are dead in folders on the hard drives of people who never found the time to actually bring that content to fruition. If you make the decision to take this journey, I wholeheartedly believe it’s a journey worth seeing through.

If you are an author, blogger, course developer, or video course author, or you have rockstar-level skills with modern technology and would like to get started developing a course, I hold regular workshops for our instructor and developer teams. If you would be interested in attending, contact me with your bio and what your project is.

WiFi Pentesting with Kali – Must Learn Commands – Part 1

I am currently working on the new Lab Workbook for WLAN Security Professionals @WiFiTraining, and as I share some of it with the community I wanted to pass along some details about getting WLAN pen testing/hacking set up and working for most users, or at least the little things I think will be helpful to students, based on the issues I am seeing when students jump into the labs.

A big reason students lose interest or get frustrated learning wireless pen testing is not having the proper hardware and software, and many of my students are not familiar with Linux either.

First, if you’re not using the correct WLAN adapters, it’s going to be quite challenging getting them working if you’re new at this and you’re not on devices that are proven to work well with the drivers and tools we use, like Aircrack-ng, hostapd, and others.

If you’re booting into Linux on enterprise hardware, integrated chipsets seem to work really well right off the bat for most business and enterprise vendors, because most of these companies (Lenovo, Dell, HP, ASUS business lines) use Intel/Broadcom chipsets for their WLAN adapters. For external WLAN adapters, and when running Linux/Kali in a VM, finding the right USB WLAN adapter can be fun, especially when looking for ones with modern 802.11 PHY support like 802.11ac or 802.11ax.

One of my go-to WLAN adapters to use for wireless pen testing is the Realtek RTL8812AU.

They come in two forms: the Comfast, with integrated antennas, and the yellow adapter that dozens of companies rebrand and sell simply as RTL8812AU (the name of the chipset).

  • RTL8812AU USB 3.0 WLAN Adapter, 1200 Mbps (2.4 GHz 300 Mbps / 5 GHz 867 Mbps), 802.11 a/b/g/n + ac, 2x2 MIMO, for Kali Linux / Windows XP/Vista/7/8/8.1/10 (32/64-bit) / Mac OS X, Monitor injec…
  • COMFAST Wireless WiFi Adapter USB 3.0, 1200 Mbps dual band 2.4G/5.8G network adapter for desktop/laptop, compatible with Windows 7/8/8.1/10/XP and Mac OS 10.11/10.10/10.9/10.8/10.7/10.6

  • iw list – detailed output shown below
  • lsusb – displays USB devices seen by the kernel
  • lspci – displays internal chipsets
  • ifconfig – shows interfaces seen by the kernel and lists their status
  • iwconfig – shows wireless interfaces and their status
  • iwconfig wlanX mode (managed, ad-hoc, master, ap)
  • service NetworkManager stop
  • rfkill unblock wlanX
  • Aircrack-ng Suite – go-to suite of wireless tools for security professionals. Tools to get you started: airmon-ng, airodump-ng, aircrack-ng, airbase-ng; there are several others. Check out http://aircrack-ng.org

To get your adapter into 802.11 monitor mode, it’s as simple as:

  • $ ifconfig – verify you see WLAN adapters (wlan0, wlan1, etc.)
    • If you don’t see WLAN adapters, be sure the adapter is mapped into the VM if running Linux in a VM, and check iwconfig and lsusb to see if it’s seen at all.
  • $ service NetworkManager stop – case sensitive on NetworkManager
  • $ airmon-ng check kill – kills any processes that could interfere with the WLAN adapter
  • $ airmon-ng start wlan0 (channel) – use channel if you need to start listening on a specific channel, e.g. to use with Wireshark: airmon-ng start wlan0 40. Note that recent versions of airmon-ng create a new interface named wlan0mon; use that name in the commands that follow if it appears.
  • $ airodump-ng wlan0 – scans ISM channels 1-13 looking for 802.11 management frames and dumps them to the screen. Very capable, feature-rich tool.
  • $ airodump-ng
    • --band a – scans only 5 GHz channels
    • --channel – scans only a specific channel
    • -w – writes what is captured to a file (-w /Desktop/captures/filename, for example)
    • --help (lol, don’t forget there’s help with these tools)

If you’re looking to capture WPA handshakes, for example:

Step 1 – Place the WLAN adapter in monitor mode

  • airmon-ng check kill
  • service NetworkManager stop
  • airmon-ng start wlan0

Step 2 – Start the capture on a specific channel (after you have surveyed the area), and log the frames

  • airodump-ng -c 40 -w WPACap1 wlan0

When you are done with the capture:

  • $ airmon-ng stop wlan0 (or wlan0mon, if that is the interface airmon-ng created)
  • $ service NetworkManager start

You now have a normal WLAN interface.

There are other methods to achieve monitor mode on your WLAN adapters; I will be covering them in much more detail in the new Lab Workbook for WLAN Security Professionals and CWSP at https://store.wifitraining.com

Does my WLAN adapter support Monitor Mode and Soft AP functionality, will it perform Packet Injection?  Is it dual-band, and can it support the PHY level being used in my test environment?

Use the command $ iw list

root@win10k194:# iw list
Wiphy phy0
max # scan SSIDs: 9
max scan IEs length: 2304 bytes
max # sched scan SSIDs: 0
max # match sets: 0
max # scan plans: 1
max scan plan interval: -1
max scan plan iterations: 0
Retry short limit: 7
Retry long limit: 4
Coverage class: 0 (up to 0m)
Supported Ciphers:
* WEP40 (00-0f-ac:1)
* WEP104 (00-0f-ac:5)
* TKIP (00-0f-ac:2)
* CCMP-128 (00-0f-ac:4)
* CMAC (00-0f-ac:6)
Available Antennas: TX 0x2 RX 0x2
Supported interface modes:
* IBSS
* managed
* AP
* monitor
Band 1:
Capabilities: 0x1a72
HT20/HT40
Static SM Power Save
RX Greenfield
RX HT20 SGI
RX HT40 SGI
RX STBC 2-streams
Max AMSDU length: 7935 bytes
DSSS/CCK HT40
Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
Minimum RX AMPDU time spacing: 16 usec (0x07)
HT Max RX data rate: 300 Mbps
HT TX/RX MCS rate indexes supported: 0-15
Bitrates (non-HT):
* 1.0 Mbps
* 2.0 Mbps
* 5.5 Mbps
* 11.0 Mbps
* 6.0 Mbps
* 9.0 Mbps
* 12.0 Mbps
* 18.0 Mbps
* 24.0 Mbps
* 36.0 Mbps
* 48.0 Mbps
* 54.0 Mbps
Frequencies:
* 2412 MHz [1] (20.0 dBm)
* 2417 MHz [2] (20.0 dBm)
* 2422 MHz [3] (20.0 dBm)
* 2427 MHz [4] (20.0 dBm)
* 2432 MHz [5] (20.0 dBm)
* 2437 MHz [6] (20.0 dBm)
* 2442 MHz [7] (20.0 dBm)
* 2447 MHz [8] (20.0 dBm)
* 2452 MHz [9] (20.0 dBm)
* 2457 MHz [10] (20.0 dBm)
* 2462 MHz [11] (20.0 dBm)
* 2467 MHz [12] (20.0 dBm) (no IR)
* 2472 MHz [13] (20.0 dBm) (no IR)
* 2484 MHz [14] (20.0 dBm) (no IR)
Band 2:
Capabilities: 0x1a72
HT20/HT40
Static SM Power Save
RX Greenfield
RX HT20 SGI
RX HT40 SGI
RX STBC 2-streams
Max AMSDU length: 7935 bytes
DSSS/CCK HT40
Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
Minimum RX AMPDU time spacing: 16 usec (0x07)
HT Max RX data rate: 300 Mbps
HT TX/RX MCS rate indexes supported: 0-15
VHT Capabilities (0x03c031a2):
Max MPDU length: 11454
Supported Channel Width: neither 160 nor 80+80
short GI (80 MHz)
TX STBC
SU Beamformee
+HTC-VHT
VHT RX MCS set:
1 streams: MCS 0-9
2 streams: MCS 0-9
3 streams: not supported
4 streams: not supported
5 streams: not supported
6 streams: not supported
7 streams: not supported
8 streams: not supported
VHT RX highest supported: 867 Mbps
VHT TX MCS set:
1 streams: MCS 0-9
2 streams: MCS 0-9
3 streams: not supported
4 streams: not supported
5 streams: not supported
6 streams: not supported
7 streams: not supported
8 streams: not supported
VHT TX highest supported: 867 Mbps
Bitrates (non-HT):
* 6.0 Mbps
* 9.0 Mbps
* 12.0 Mbps
* 18.0 Mbps
* 24.0 Mbps
* 36.0 Mbps
* 48.0 Mbps
* 54.0 Mbps
Frequencies:
* 5180 MHz [36] (30.0 dBm)
* 5200 MHz [40] (30.0 dBm) (no IR)
* 5220 MHz [44] (30.0 dBm) (no IR)
* 5240 MHz [48] (30.0 dBm)
* 5260 MHz [52] (30.0 dBm) (no IR)
* 5280 MHz [56] (30.0 dBm) (no IR)
* 5300 MHz [60] (30.0 dBm) (no IR)
* 5320 MHz [64] (30.0 dBm) (no IR)
* 5500 MHz [100] (30.0 dBm) (no IR)
* 5520 MHz [104] (30.0 dBm) (no IR)
* 5540 MHz [108] (30.0 dBm) (no IR)
* 5560 MHz [112] (30.0 dBm) (no IR)
* 5580 MHz [116] (30.0 dBm) (no IR)
* 5600 MHz [120] (30.0 dBm) (no IR)
* 5620 MHz [124] (30.0 dBm) (no IR)
* 5640 MHz [128] (30.0 dBm) (no IR)
* 5660 MHz [132] (30.0 dBm) (no IR)
* 5680 MHz [136] (30.0 dBm) (no IR)
* 5700 MHz [140] (30.0 dBm) (no IR)
* 5720 MHz [144] (30.0 dBm) (no IR)
* 5745 MHz [149] (30.0 dBm) (no IR)
* 5765 MHz [153] (30.0 dBm)
* 5785 MHz [157] (30.0 dBm)
* 5805 MHz [161] (30.0 dBm)
* 5825 MHz [165] (30.0 dBm) (no IR)
* 5845 MHz [169] (30.0 dBm) (no IR)
* 5865 MHz [173] (30.0 dBm)
* 5885 MHz [177] (30.0 dBm)
Supported commands:
* new_interface
* set_interface
* new_key
* start_ap
* new_station
* set_bss
* join_ibss
* set_pmksa
* del_pmksa
* flush_pmksa
* remain_on_channel
* frame
* set_channel
* connect
* disconnect
Supported TX frame types:
* IBSS: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* managed: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* AP: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* AP/VLAN: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-client: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
* P2P-GO: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
Supported RX frame types:
* IBSS: 0xd0
* managed: 0x40 0xb0 0xd0
* AP: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* AP/VLAN: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
* P2P-client: 0x40 0xd0
* P2P-GO: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
WoWLAN support:
* wake up on anything (device continues operating normally)
software interface modes (can always be added):
* monitor
interface combinations are not supported
Device supports SAE with AUTHENTICATE command
Device supports scan flush.
Supported extended features:
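To answer the four questions above from a dump like this without reading it by hand, here is a small parser, added as an example (not code from this page, iw or aircrack-ng) and run over a constructed excerpt in the same layout. It goes one step further than the questions: it also honours the “(no IR)” flag, which the regulatory domain sets on channels you may listen on but not transmit on, so a soft AP cannot be started there even if the adapter lists AP mode.

```python
import re
# Constructed excerpt in the layout `iw list` prints (not the page's full dump).
SAMPLE = """\
Supported interface modes:
     * AP
Band 1:
    Frequencies:
        * 2412 MHz [1] (20.0 dBm)
        * 2467 MHz [12] (20.0 dBm) (no IR)
Band 2:
    Frequencies:
        * 5180 MHz [36] (30.0 dBm)
        * 5260 MHz [52] (30.0 dBm) (no IR)
software interface modes (can always be added):
     * monitor
"""
FREQ_RE = re.compile(r"\*\s+(\d+) MHz \[(\d+)\] \(([\d.]+) dBm\)(.*)")

def parse_iw_list(text):
    # Track which heading we are under so each "*" bullet is filed correctly.
    info = {"modes": set(), "soft_modes": set(), "bands": {}}
    section = band = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Supported interface modes"):
            section = "modes"
        elif line.startswith("software interface modes"):
            section = "soft_modes"
        elif line.startswith("Band "):
            band, section = int(line[5:-1]), None
        elif line.startswith("Frequencies"):
            section = "freqs"
        elif line.startswith("*") and section in ("modes", "soft_modes"):
            info[section].add(line[1:].strip())
        elif section == "freqs" and (m := FREQ_RE.match(line)):
            # "(no IR)" is a regulatory flag: you may listen there, but not transmit or run an AP.
            info["bands"].setdefault(band, []).append(
                {"mhz": int(m[1]), "channel": int(m[2]), "dbm": float(m[3]), "no_ir": "no IR" in m[4]})
        elif line.endswith(":"):
            section = None  # any other heading ends the current list
    return info

def adapter_report(text):
    # Answers the page's questions: monitor mode, soft AP, dual band, channels an AP may use.
    info = parse_iw_list(text)
    freqs = [f for b in info["bands"].values() for f in b]
    return {
        "monitor": "monitor" in (info["modes"] | info["soft_modes"]),
        "soft_ap": "AP" in info["modes"],
        "dual_band": any(f["mhz"] < 3000 for f in freqs) and any(f["mhz"] > 4900 for f in freqs),
        "ap_usable_channels": sorted(f["channel"] for f in freqs if not f["no_ir"]),
    }
```

Feed it the real output with `adapter_report(open("iw-list.txt").read())`; on the dump above, every 5 GHz channel except 36, 48, 153, 157, 161, 173 and 177 carries the no-IR flag, which is the practical limit on where a soft AP can run.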