Wifizoo - Wireless Auditing Made Easy (With Pictures!)
Introduction & Features
Wifizoo is a fun tool written by Hernan Ochoa from Core Security. It passively monitors the wireless network and collects the following information:
- A list of SSIDS (access points that are beaconing)
- BSSID->Clients Graph - This produces some really interesting output, as its based on destination BSSID (so sometimes you may get a BSSID from an AP that is out of range, and from a client that is within range?). Its interesting to see some client MAC addresses with connections to all of the BSSIDs in the area...
- Probe requests - All probe requests by clients are logged by source mac address and SSID. A list is kept for future reference :)
- Cookies - Ala Hamster, all cookies are collected off the network and then placed on a web page. Clicking on a cookie sets Wifizoo's proxy server to use that cookie. Set your browser to the Wifizoo proxy, then click the "Jump To.." link for that cookie in Wifizoo, and well, you know, pwnage.
- "other" information - Ala Dsniff/Ferret, POP3, FTP, and SMTP data are collected. Of course, having dnsiff installed doesn't hurt :)
Hernan and I corresponded about Wifizoo, here are some of his additional comments (He seems like a happy pen tester, he uses lots of smileys in his email :)
wifizoo is not linux dependant, some people ask me this sometimes. if you have python2.4,scapy (which means you also have libpcap and its python wrapper) it should work on other platforms. I actually made it work a few days ago on osx with the built-in airport extreme card on my x86 imac using the wlt1 interface, although sthg is VERY wrong and after a few moments osx freezes completely and you have to reboot. not my fault :) but something interesting to take a look at...
is important to remember, of course, that the tool at the moment grabs information from OPEN wireless networks ONLY. if the network is encrypted, it won't work. This is sthg I get asked a lot too :) . I'm working to add the capability of decrypting WEP traffic in the future (if you have the key, of course :)
You must have the following:
- A wireless card (I'm using an Ubiquiti Atheros card)
- Linux drivers that support monitor mode (I'm using madwifi-ng on Debian Etch)
- Python & Scapy
- Graphviz to generate the graphs
The initial setup in Debain:
1) Install the kernel & madwifi sources and headers:
aptitude install linux-source-2.6.18 madwifi-source linux-headers-$(uname -r)
2) Setup kernel source directory and build madwifi:
ln -s /usr/src/linux-source-2.6.18 /usr/src/linux cd /usr/src/modules/madwifi make make install modprobe ath_pci
3) Setup your card for monitor mode:
wlanconfig ath create wlandev wifi0 wlanmode monitor
This gave me an ath1 interface in monitor mode.
4) Install kismet & tcpdump (Wifizoo complained when I did not have tcpdump):
aptitude install kismet
5) Get Wifizoo and "install":
wget http://community.corest.com/~hochoa/wifizoo/wifizoo_v1.2.tgz tar zxvf wifizoo_v1.2.tgz cd wifizoo_v1.2
6) You then need to modify the source to use the correct interface:
vi wifizoo.py - conf.iface = 'rausb0' + conf.iface = 'ath1'
7) Configure Kismet and run it first!
vi /etc/kismet/kismet.conf source=madwifi_ag,wifi0,ubiquiti
Note: Kismet is used to channel hop and I believe it talks directly to the chipset, so even though ath1 is a different interface, the physical card (chipset) is channel hopping so we can take advantage of it. Or, you could use a channel hopping script.
8) Run wifizoo:
$ python wifizoo.py WifiZoo v1.2, complains to Hernan Ochoa (email@example.com) Waiting... Launching Web Interface.. WifiZoo Web GUI Serving HTTP on 127.0.0.1 port 8000 ... WifiZoo HTTP Proxy on 127.0.0.1 port 8080 ...
Stories Of Interest
Pidgin Remote DoS - [Paul] - A "nudge" message sent to a user of Pidgin on the MSN network will cause the client to access invalid memory and crash. Vulnerabilities in chat clients that rely on merely receiving a message are very scary, and seem to be popular these days. Its interesting, since we have firewalled ourselves into oblivion, a great way to get evil packets to your victim is via an IM. Even web browser and web-based exploits are cool, but you still have to get the user to click on something. If I am in a chat channel or on IM, you just need to send me a message and I am pwned.
TJX Offers Settlement - [Larry] - They also owned up to how they got hacked - poor encryption on wireless networks. The obviously haven't been listening to our podcast, because we've been ramming this down your throat for some time.
Citrix Low-Tech Hacking - [Paul] - Hacking without exploits is great, and thats my new catch phrase. All these people patching everything, running IPS, A/V, and what not makes it a little harder to run traditional exploits (I did say a "little"). This is a great example of how to use your Google hacking skills (okay, its a simple query "ext:ica") and find Citrix servers. Looking into this file reveals that we can run a program or command, and if the server is anonymous, change the command to "cmd.exe". Sweet! Instant command shell!
There is nothing important here - [Larry] - I wanted to reiterate the need for user education, so that your users/customers/mom doesn't fall for the "I don't need this, I have nothing important" argument. Everyone needs to practice defense in depth, even if you don't think it applies to you - Just because server A doesn;t have any important data on it, it can still be used as a launch pad for attacks on other networks, as well as your own - even against machines that DO have important data.
Firewall-1 is full of holes - [Paul] - I did not have time to read the 200+ page report, however, reports say it looks legit. Many of the attacks appear to be buffer overflows in local commands, which sounds like it would require access to the firewall already. However, its how they found these exploits that is scary, "According to Pentest, they have not even used fuzzing tools for their tests, but have simply used manipulated arguments to cause a buffer overflow in the programs; this does not comply with the vendor’s description of the relevant target of evaluation". So like, passing a large parameter to a command triggers a buffer overflow, sweet! If its that easy, where are other holes lurking?
Airdefense M520 DoS (and more) - [Larry] - This seems like the perfect opportunity for an attacker to utilize this DoS condition to effectively neuter the ability to monitor for wireless attacks. compare this to someone being able to D0S your Snort box, and slip attacks by either undetected, or if they are detected not allow you to see details.
Protecting Mobile users - ideas? - [Paul] - Chris is right, we need to protect our mobile users. However, traditional methods such as logging on with user privs, A/V, anti-spyware, and firewalls just aren't enough. Malware is too smart, and users are too dumb. We almost need to wipe mobile users machines on a regular basis, and keep the data separate and protected. It would be a neat experiment, store all your data on an encrypted thumbdrive, then your machine gets wiped everytime you come back to the office... I know, I am the "Mad Security Geek".
A nice healthy SQL Injection Exploit - [Paul] - A notice to all companies producing web applications, when a vulnerability is found in your product, take down your demo site. [Larry] - I'll give you something nice and healthy to inject.
RFP Emerges, Speaks about disclosure - [Paul] - According to RFP, testing someone else's web site is a no-no. Quote: "NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY VULNERABILITIES IN THIRD-PARTY WEB SITES (without permission) IS ILLEGAL PER THE LAWS OF YOUR COUNTRY. Period. " Whoa. This could go either way. I've seen some people be happy that you found a vuln in their web site, and I can definitely see it going the other way. Thoughts? Oh, and where has RFP been since 2003 anyway? BTW, check out some podcasts from Microsoft.
DHS mailing list oops - [Larry] - A mailing list reply to all has potentially revealed a number of individuals that consider them part of the DHS security community, and some of the info may have been classified - names, phone numbers, and so on. Just goes to show, that if you put anything in front of the public, you need to design, configure and audit/test appropriately - especially dealing with sensitive info.
iPhone "bricking" and hacking - [Paul] - A bit off-topic, but some ppl are wondering why their iPhones are bricked once they apply a firmware update to a hacked phone. Just an example, OpenWrt can potentially brick due to an upgrade, but I would still like to know more about how the iPhone works (my understanding is that there is firmware on the modem and a separate OS for the rest?). Martin seems convinced that Apple did this on purpose, however, it could be just an artifact of hacking and firmware upgrades. Why would they only brick phones with the anySIM program and not all hacks?
PGP Whole disk backdoor - [Larry] - PGP has a "back door" (a what now?) so that the machine with it installed and disks encrypted can boot without using the boot time password. Sure I can see that this would be valuable - it only works one time, so it would be great in support organizations where patches are deployed that require a reboot. Hmmh, the big thing is that it is not documented (or poorly at that). PGP claims that this feature exists in their competitor's products...
Cisco Call Manager SQL Injection and XSS - [Paul] - These vulnerabilities exist in the login page, hence you do not need to be authenticated. The SQL one is interesting, "An attacker could exploit the SQL injection vulnerability to read a single value from the database. Several successful attacks could disclose information about the database, information such as user names and passwords, and information from call records such as the time calls are placed and the numbers dialed. This vulnerability cannot be used to alter or delete call record information from the database." Niiiiiice! Extracting call records, that could be interesting...
Default passwords net $1M in profit - [Larry] - Scan network. Find routers that deliver VOIP with default passwords. Re-sell 10 million minutes at discounted rates. Profit! The guy that did this is now in prison for the next two years, and only made $20K for his efforts. He claims that remote administration with default or easy passwords was his success story. My advice: Create a policy for strong passwords, have devices use multiple factor authentication (TACACS/AAA maybe?) and test the hell out of all of the possibilities. Enforce the policy. Because one smaller VOIP telco didn't, they went out of business from this attacker.
Pwning the Axis Camera - [Paul] - A slew of vulnerabilities exist here, many of which are persistant XSS, which allows the attacker to redirect the video of the camera. So, instead of seeing Female Ninjas rob the store you see an empty store with the clerk picking their nose. Sweeeet. [Larry] - More on XSS and CSRF - this time with Axis IP cameras - one of the most popular. I can think of a number of places where it may be beneficial for an attacker to want access to a camera so that it could be hijacked...