Difference between revisions of "Episode85"

From Security Weekly Wiki
Jump to navigationJump to search
Line 97: Line 97:
 
WifiZoo HTTP Proxy on 127.0.0.1 port 8080 ...
 
WifiZoo HTTP Proxy on 127.0.0.1 port 8080 ...
 
</pre>
 
</pre>
 +
 +
= Stories Of Interest =
 +
 +
[http://securityvulns.com/Sdocument126.html Pidgin Remote DoS] - [PaulDotCom] - A "nudge" message sent to a user of Pidgin on the MSN network will cause the client to access invalid memory and crash.  Vulnerabilities in chat clients that rely on merely receiving a message are very scary, and seem to be popular these days.  Its interesting, since we have firewalled ourselves into oblivion, a great way to get evil packets to your victim is via an IM.  Even web browser and web-based exploits are cool, but you still have to get the user to click on something.  If I am in a chat channel or on IM, you just need to send me a message and I am pwned.

Revision as of 20:11, 4 October 2007


Wifizoo - Wireless Auditing Made Easy (With Pictures!)

Introduction & Features

Wifizoo is a fun tool written by Hernan Ochoa from Core Security. It passively monitors the wireless network and collects the following information:

  • A list of SSIDS (access points that are beaconing)
  • BSSID->Clients Graph - This produces some really interesting output, as its based on destination BSSID (so sometimes you may get a BSSID from an AP that is out of range, and from a client that is within range?). Its interesting to see some client MAC addresses with connections to all of the BSSIDs in the area...
  • Probe requests - All probe requests by clients are logged by source mac address and SSID. A list is kept for future reference :)
  • Cookies - Ala Hamster, all cookies are collected off the network and then placed on a web page. Clicking on a cookie sets Wifizoo's proxy server to use that cookie. Set your browser to the Wifizoo proxy, then click the "Jump To.." link for that cookie in Wifizoo, and well, you know, pwnage.
  • "other" information - Ala Dsniff/Ferret, POP3, FTP, and SMTP data are collected. Of course, having dnsiff installed doesn't hurt :)

Hernan and I corresponded about Wifizoo, here are some of his additional comments (He seems like a happy pen tester, he uses lots of smileys in his email :)

wifizoo is not linux dependant, some people ask me this sometimes. if you have python2.4,scapy (which means you also have libpcap and its python wrapper) it should work on other platforms. I actually made it work a few days ago on osx with the built-in airport extreme card on my x86 imac using the wlt1 interface, although sthg is VERY wrong and after a few moments osx freezes completely and you have to reboot. not my fault :) but something interesting to take a look at...

is important to remember, of course, that the tool at the moment grabs information from OPEN wireless networks ONLY. if the network is encrypted, it won't work. This is sthg I get asked a lot too :) . I'm working to add the capability of decrypting WEP traffic in the future (if you have the key, of course :)

Installation

You must have the following:

  • A wireless card (I'm using an Ubiquiti Atheros card)
  • Linux drivers that support monitor mode (I'm using madwifi-ng on Debian Etch)
  • Python & Scapy
  • Graphviz to generate the graphs

The initial setup in Debain:

1) Install the kernel & madwifi sources and headers:

 aptitude install linux-source-2.6.18 madwifi-source linux-headers-$(uname -r) 

2) Setup kernel source directory and build madwifi:

ln -s /usr/src/linux-source-2.6.18 /usr/src/linux
cd /usr/src/modules/madwifi
make
make install
modprobe ath_pci

3) Setup your card for monitor mode:

wlanconfig ath create wlandev wifi0 wlanmode monitor

This gave me an ath1 interface in monitor mode.

4) Install kismet & tcpdump (Wifizoo complained when I did not have tcpdump):

aptitude install kismet

5) Get Wifizoo and "install":

wget http://community.corest.com/~hochoa/wifizoo/wifizoo_v1.2.tgz
tar zxvf wifizoo_v1.2.tgz 
cd wifizoo_v1.2

6) You then need to modify the source to use the correct interface:

vi wifizoo.py

- conf.iface = 'rausb0'
+ conf.iface = 'ath1'

7) Configure Kismet and run it first!

vi /etc/kismet/kismet.conf

source=madwifi_ag,wifi0,ubiquiti

Note: Kismet is used to channel hop and I believe it talks directly to the chipset, so even though ath1 is a different interface, the physical card (chipset) is channel hopping so we can take advantage of it. Or, you could use a channel hopping script.

8) Run wifizoo:

$ python wifizoo.py 
WifiZoo v1.2, complains to Hernan Ochoa (hernan@gmail.com)
Waiting...
Launching Web Interface..
WifiZoo Web GUI Serving HTTP on 127.0.0.1 port 8000 ...
WifiZoo HTTP Proxy on 127.0.0.1 port 8080 ...

Stories Of Interest

Pidgin Remote DoS - [PaulDotCom] - A "nudge" message sent to a user of Pidgin on the MSN network will cause the client to access invalid memory and crash. Vulnerabilities in chat clients that rely on merely receiving a message are very scary, and seem to be popular these days. Its interesting, since we have firewalled ourselves into oblivion, a great way to get evil packets to your victim is via an IM. Even web browser and web-based exploits are cool, but you still have to get the user to click on something. If I am in a chat channel or on IM, you just need to send me a message and I am pwned.