Not too long ago I was tasked with performing a wireless network penetration test for one of my clients. As expected, the wireless network was pretty secure from top to bottom; however, as I was working in one of the conference rooms my baby-sitter requested that I share my screen through some dongle so he could see what scripts and other cool stuff I was running (pretty sure this was just to satisfy some inner nerdom or something).
So, moving along, I inquired as to the security of the device, because why would I want to broadcast client vulnerability information over the air through a wireless dongle… I ended up getting permission to test it first, because there was some level of ignorance in his certainty that it was secure from intrusion.
Needless to say, the whole ordeal required me to write a bit on how that cool device you’ve been using in your corporate board room for strategic and financial meetings is also streaming RTSP to my car in the parking lot with a yagi antenna.
Testing against the ClickShare devices identified that the SSID is hidden. This can be overcome by de-authenticating a specific MAC address while posing as the access point: a frame is broadcast over the air, mimicking the AP requesting that the client disconnect. After this happens, it takes a few seconds for the client to re-authenticate to the AP with a beacon frame that includes the SSID of the AP, and it then commences the 4-way handshake for association. During this it was possible to obtain the WPA handshake for cracking offline; however, this was not needed in this case.
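A defender-side check for the burst of forced disconnects this technique produces, added here as an example and not code from the original write-up: it parses raw 802.11 management headers and flags any source/destination pair that accumulates deauthentication or disassociation frames. The MAC addresses and frames are constructed sample input, not captures from the device.

```python
import struct
from collections import Counter

SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x0A, 0x0C   # 802.11 management subtypes


def parse_mgmt_frame(frame: bytes):
    """Parse a 24-byte 802.11 management header; None for other frame types."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:   # type 0 = management
        return None
    subtype = (frame[0] >> 4) & 0xF
    reason = None
    if subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]   # 2-byte reason code
    return {"subtype": subtype,
            "da": frame[4:10].hex(":"),    # receiver: the client being kicked
            "sa": frame[10:16].hex(":"),   # claimed transmitter: spoofed as the AP
            "bssid": frame[16:22].hex(":"),
            "reason": reason}


def detect_deauth_flood(frames, threshold=5):
    """Count deauth/disassoc frames per (sa, da) pair; return pairs at/above threshold."""
    counts = Counter()
    for raw in frames:
        p = parse_mgmt_frame(raw)
        if p and p["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            counts[(p["sa"], p["da"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def sample_frame(subtype, da, sa, bssid, reason=None, seq=0):
    """Constructed in-memory management frame, used only as detector input."""
    hdr = struct.pack("<BBH", subtype << 4, 0, 0) + _mac(da) + _mac(sa) + _mac(bssid)
    hdr += struct.pack("<H", seq << 4)                  # sequence control
    return hdr + (struct.pack("<H", reason) if reason is not None else b"")


# Constructed sample capture with locally administered MACs (not real devices)
AP_MAC, CLIENT_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE_FRAMES = (
    [sample_frame(SUBTYPE_DEAUTH, CLIENT_MAC, AP_MAC, AP_MAC, reason=7, seq=i) for i in range(6)]
    + [sample_frame(SUBTYPE_DISASSOC, CLIENT_MAC, AP_MAC, AP_MAC, reason=7)]
    + [sample_frame(0x08, "ff:ff:ff:ff:ff:ff", AP_MAC, AP_MAC)]   # ordinary beacon
    + [bytes([0x08, 0x00]) + bytes(22)]                         # data frame, ignored
)

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE_FRAMES))   # {('02:00:00:00:00:01', '02:00:00:00:00:02'): 7}
```

A monitor-mode capture fed through `detect_deauth_flood` in short time windows gives the same result on real traffic; one client being told to leave several times a second by its own BSSID is the signal worth alerting on.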
After identifying the hidden SSID as “CLICKSHARE-LX-102” and researching default authentication credentials, it was found that the WPA2 Personal PSK defaults to “clickshare”. After connecting to the affected device, it appears that outbound access is not enabled; however, a DHCP server leases an IP address to each device (base station, wireless dongle, and clients directly connected). Using this it was possible to identify the base station at 192.168.2.1. This host was serving multiple avenues of access, including (but not limited to) HTTP, RTSP, SSH, HTTP Proxy, SMB, and LDAP.
After opening a web browser session to http://192.168.2.1, the web application requests authentication via HTTP Basic Auth. It was possible to authenticate as the web admin for the application with the default credentials “admin:admin”. This allowed the attacker to download the configuration file (in XML), and attempts to recover the root password for SSH access were made.
Attempts to attack the client attached to the dongle were ultimately unsuccessful, because the USB dongle acts as a pass-through with no direct OS/device communication to the AP. This effectively isolates client machines from the unsecured LAN. In one case it was possible to perform an availability attack by sending a raw RTSP PLAY command to port 49153 using telnet. This caused the base station to believe that something is broadcasting; even after closing the terminal it still believes a session is in place and is unable to display anything until either the session is terminated or the device is rebooted.