Discovering Rogue Wireless Access Points Using Kismet and Disposable Hardware
Larry will be discussing the details of his research and the associated paper he has just completed for the SANS GAWN Gold certification. The paper has not yet been posted (it will be in the SANS Reading Room soon), but here are some good links from the paper:
Channel hopping script for the WRT54G, originally written by Joshua Wright. The particular channel hopping pattern was determined by Joshua Wright in currently undocumented research. This channel hopping pattern is the best option to eliminate any bleed-through from adjacent channels, since 802.11b channels overlap. Design considerations in support of Joshua's research can be found in an article by Greg Ratzel of Cirronet, Inc.
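The point above is that consecutive hops should never land on overlapping channels, so an AP on channel 1 does not bleed into a capture on channel 2. The following added example (not Joshua Wright's script or his pattern) validates a hop order against that rule and drives the card with iwconfig; the interface name, the hop order and the dwell time are all assumptions.

```shell
#!/bin/sh
# Added example for a Kismet drone on a WRT54G-class box. 802.11b channels
# are 5 MHz apart but 22 MHz wide, so two channels fewer than five apart
# overlap. The hop order below is an assumed one chosen so that every
# consecutive pair (and the wrap from last back to first) is at least five
# channels apart; it is not the pattern from the paper.

IFACE="${IFACE:-prism0}"                 # assumed interface name
HOP_ORDER="1 6 11 5 10 4 9 3 8 2 7"      # assumed order, all 11 US channels
DWELL="${DWELL:-0.2}"                    # seconds spent on each channel (assumed)

# Return 0 when two 802.11b channels overlap (spacing under 5 channels).
channels_overlap() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -lt 5 ]
}

# Return 0 when no two consecutive hops (including the wrap from the
# last channel back to the first) land on overlapping channels.
validate_hop_order() {
    prev=""
    first=""
    for ch in $1; do
        [ -z "$first" ] && first="$ch"
        if [ -n "$prev" ] && channels_overlap "$prev" "$ch"; then
            echo "overlap: $prev -> $ch" >&2
            return 1
        fi
        prev="$ch"
    done
    if channels_overlap "$prev" "$first"; then
        echo "overlap on wrap: $prev -> $first" >&2
        return 1
    fi
    return 0
}

# One pass over the hop order; set DRY_RUN=1 to print the commands
# instead of calling iwconfig.
hop_once() {
    for ch in $HOP_ORDER; do
        if [ -n "$DRY_RUN" ]; then
            echo "iwconfig $IFACE channel $ch"
        else
            iwconfig "$IFACE" channel "$ch"
        fi
        sleep "$DWELL"
    done
}

validate_hop_order "$HOP_ORDER" || exit 1
if [ -n "$DRY_RUN" ]; then hop_once; fi
```

Run with `DRY_RUN=1` to see the iwconfig sequence without touching the card; a naive order such as `1 2 3` is rejected before any hopping starts.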
Stories for Discussion
Hot or not: Wireless card attacks - [PaulDotCom] - I don't agree with Marc, CTO of Eye, here's why: 1) His opinion is biased; Marc's company makes its money on Windows vulnerabilities, which he clearly highlights in the article as being more critical. 2) Wireless signals travel 125 miles and I only need to be on the same channel to execute the exploit. 3) Kernel mode access to a client system is scary; unlike common malware, I can now bypass any OS protections the client has in place. 4) The ability to scan for and launch these attacks is being built into Metasploit, so we are heading towards an attacker in China compromising a system in the US, putting an agent on it, then compromising every machine behind the firewall with a wireless card. 5) Nobody applies wireless driver updates. 6) There is no good way to detect this attack; WIDS is still maturing. 7) Few people are even concerned about this threat, Mac users still don't believe it exists, Windows users are too busy worrying about spyware to care, and articles like Marc's don't help. [Larry] - Wow, was Marc WAY off base on this one, see all of Paul's comments. If that isn't sexy and interesting, I don't know what is.
Wikipedia Hijacked to Spread Malware - [Joe] - "The German Wikipedia has recently been used to launch a virus attack. Hackers posted a link to an alleged fix for a new version of the Blaster worm. Instead, it was a link to download malicious software. They then sent e-mails advising people to update their computers and directed them to the Wikipedia article. Since Wikipedia has been gaining more trust & credibility, I can see how this would work in some cases. The page has, of course, been fixed but this is nevertheless a valuable lesson for Wikipedia users." [PaulDotCom] - See F-Secure's write-up for analysis of the malware. The trojan actually installs the patch and then drops a backdoor. Sweet! Also, the trojan uses "wikipedia-download.org", whose registration information is almost exactly the same as "wikipedia.org". Sorta slick...
Web Hacking Toolkit - [PaulDotCom] - A fabulous list of tools for web application testing. I am a big fan of Paros Proxy. I have used NTOSpider, and find it to be very thorough, and Dan is a great guy. Nikto has been around 4eva! When was the last update anyway? Whatever happened to RFP? Many tools are missing, like WebScarab, but what does everyone use for web app assessments? Let us know!!!
The End of Net Anonymity In Brazil - [Joe] - "The Brazilian senate is considering a bill that will make it a crime to join a chat, blog, or download from the Internet without fully identifying oneself first. If approved, it will be a crime, punishable with up to 4 years of jail time, to disseminate virus or trojans, unauthorizedly access data banks or networks and send e-mail, join chat, write a blog or download content anonymously."
Snort Wireless - [PaulDotCom] - Thought we could discuss the details of this fantastic project!
New Version Of SinFP released - [PaulDotCom] - This is a pretty cool tool for OS fingerprinting. What I like to do is while I do an Nmap & Nessus scan of my target I collect the packets, then run them through p0f or SinFP in an attempt to fingerprint them beyond what Nmap/Nessus can find. It would be neat if someone were to automate this process and auto-correlate the results between p0f, SinFP, and Nmap.
Links to WiCrawl Toorcon Presentation Video - [PaulDotCom] - We talked about this tool a few weeks back, word is that it will be included in Backtrack.
SPAM at an all time high - [Larry] - I've seen the increase. It seems that the SPAM filter guys are having a hard time keeping up, as are the AV vendors, white hat security researchers and vendors with patches. Is this a war we cannot win?
Project CowBird - [PaulDotCom] - Really cool project which takes a Linksys WMA11b (Prism2 wifi card, 10/100 Ethernet, JTAG, TV Out!, IR Remote Control, 16 MB of RAM, 2 MB of flash) and turns it into a Kismet drone among other things. Wireless mesh intrusion prevention? Cool stuff, similar to what we are trying to do with the WRT54G/S. More info: http://www-jcsu.jesus.cam.ac.uk/~acw43/projects/wma11b/.
M$ teaching OEMs about Security Development Lifecycle - [Larry] - Otherwise titled, "How we Created Secure Hardware that was Hacked in Only a Few Weeks". Can you say XBOX (and 360) hacking? I'm a bit skeptical on this one.
Give Users Less Privileges? - [PaulDotCom] - We've always recommended this, UNIX adopted this model before I was born, OS X does this well, Windows sucks at it, but Vista will be better. However, does it really matter? Is priv escalation that easy?
Check Point releases "Secure Wireless Router" for Home market - [Larry] - I say "bullshit". The device looks like it has some great features: VPN endpoint, good firewall (Check Point of course), IDS/IPS, gateway AV, and WPA2. Now, what home user will pay $200 for that when the $30 on-sale D-Link works (without all of the security features of course)? On the "secure wireless" part, there is no mention of how they secure WPA2. I can bet that it does not involve RADIUS, 3rd party supplicants, or any appropriate EAP type. Would anyone from ZoneLabs/Check Point like to send us some eval units?
Sysinternals Source Code No Longer Available - [PaulDotCom] - Hope you got it while you still could. Check Daily Dave for more info...
Fraudulent YouTube video on MySpace installing Zango Cash - [Joe] - "Websense Security Labs has discovered a number of user pages on the MySpace domain which have videos that look like they are from YouTube. The videos have an installer embedded within them for the Zango Cash Toolbar. When users click on the video, they are directed to a copy of the video, which is hosted on a site called "Yootube.info.""
Mac OS X fpathconf vulnerability - [PaulDotCom] - There are so many great things about the MOKB, and especially today's entry. First, this vulnerability was "fixed by FreeBSD on Tue Jun 27 23:08:36 2000 UTC (6 years, 4 months ago)."!!!!!! Also, the name "DaringWussBall" appears in the code. Nice!!!
Google Accidentally Sends Out Kama Sutra Worm - [Joe] - "Google accidentally sent out e-mail containing a mass mailing worm to about 50,000 members of an e-mail discussion list focused on its Google Video Blog"
Vista Security Guide - [PaulDotCom] - It's like 700 freakin' pages!!!!
Other Stories of Interest
Rainbowcrack, Rainbow Tables, Cain & Abel - [Larry] - From Ethicalhacker and Chris Gates. What a fantastic tutorial and background on rainbow table password cracking.
How to Hack an XP Admin Password - [Joe] - Haven't tried this yet, but if it works, it's a good nugget of info to keep in your knowledge sack.
WIMAX Poster - [PaulDotCom] - WiMax, the new wireless hacking frontier. Pretty cool poster detailing the protocol, I am excited to learn about and find new vulnerabilities :)
Hacking Democracy - [PaulDotCom] - Google Video of the HBO special on voting machines, etc...
WVE = CVE for Wireless Vulnerabilities - [Larry] - With all of the hubbub about wireless vulnerabilities, where is a good source to get schooled? The WVE of course!