From Security Weekly Wiki
Revision as of 21:00, 4 October 2007 by Pauldotcom (talk | contribs)
Jump to navigationJump to search

Wifizoo - Wireless Auditing Made Easy (With Pictures!)

Introduction & Features

Wifizoo is a fun tool written by Hernan Ochoa from Core Security. It passively monitors the wireless network and collects the following information:

  • A list of SSIDS (access points that are beaconing)
  • BSSID->Clients Graph - This produces some really interesting output, as its based on destination BSSID (so sometimes you may get a BSSID from an AP that is out of range, and from a client that is within range?). Its interesting to see some client MAC addresses with connections to all of the BSSIDs in the area...
  • Probe requests - All probe requests by clients are logged by source mac address and SSID. A list is kept for future reference :)
  • Cookies - Ala Hamster, all cookies are collected off the network and then placed on a web page. Clicking on a cookie sets Wifizoo's proxy server to use that cookie. Set your browser to the Wifizoo proxy, then click the "Jump To.." link for that cookie in Wifizoo, and well, you know, pwnage.
  • "other" information - Ala Dsniff/Ferret, POP3, FTP, and SMTP data are collected. Of course, having dnsiff installed doesn't hurt :)

Hernan and I corresponded about Wifizoo, here are some of his additional comments (He seems like a happy pen tester, he uses lots of smileys in his email :)

wifizoo is not linux dependant, some people ask me this sometimes. if you have python2.4,scapy (which means you also have libpcap and its python wrapper) it should work on other platforms. I actually made it work a few days ago on osx with the built-in airport extreme card on my x86 imac using the wlt1 interface, although sthg is VERY wrong and after a few moments osx freezes completely and you have to reboot. not my fault :) but something interesting to take a look at...

is important to remember, of course, that the tool at the moment grabs information from OPEN wireless networks ONLY. if the network is encrypted, it won't work. This is sthg I get asked a lot too :) . I'm working to add the capability of decrypting WEP traffic in the future (if you have the key, of course :)


You must have the following:

  • A wireless card (I'm using an Ubiquiti Atheros card)
  • Linux drivers that support monitor mode (I'm using madwifi-ng on Debian Etch)
  • Python & Scapy
  • Graphviz to generate the graphs

The initial setup in Debain:

1) Install the kernel & madwifi sources and headers:

 aptitude install linux-source-2.6.18 madwifi-source linux-headers-$(uname -r) 

2) Setup kernel source directory and build madwifi:

ln -s /usr/src/linux-source-2.6.18 /usr/src/linux
cd /usr/src/modules/madwifi
make install
modprobe ath_pci

3) Setup your card for monitor mode:

wlanconfig ath create wlandev wifi0 wlanmode monitor

This gave me an ath1 interface in monitor mode.

4) Install kismet & tcpdump (Wifizoo complained when I did not have tcpdump):

aptitude install kismet

5) Get Wifizoo and "install":

wget http://community.corest.com/~hochoa/wifizoo/wifizoo_v1.2.tgz
tar zxvf wifizoo_v1.2.tgz 
cd wifizoo_v1.2

6) You then need to modify the source to use the correct interface:

vi wifizoo.py

- conf.iface = 'rausb0'
+ conf.iface = 'ath1'

7) Configure Kismet and run it first!

vi /etc/kismet/kismet.conf


Note: Kismet is used to channel hop and I believe it talks directly to the chipset, so even though ath1 is a different interface, the physical card (chipset) is channel hopping so we can take advantage of it. Or, you could use a channel hopping script.

8) Run wifizoo:

$ python wifizoo.py 
WifiZoo v1.2, complains to Hernan Ochoa (hernan@gmail.com)
Launching Web Interface..
WifiZoo Web GUI Serving HTTP on port 8000 ...
WifiZoo HTTP Proxy on port 8080 ...

Stories Of Interest

Pidgin Remote DoS - [PaulDotCom] - A "nudge" message sent to a user of Pidgin on the MSN network will cause the client to access invalid memory and crash. Vulnerabilities in chat clients that rely on merely receiving a message are very scary, and seem to be popular these days. Its interesting, since we have firewalled ourselves into oblivion, a great way to get evil packets to your victim is via an IM. Even web browser and web-based exploits are cool, but you still have to get the user to click on something. If I am in a chat channel or on IM, you just need to send me a message and I am pwned.

Citrix Low-Tech Hacking - [PaulDotCom] - Hacking without exploits is great, and thats my new catch phrase. All these people patching everything, running IPS, A/V, and what not makes it a little harder to run traditional exploits (I did say a "little"). This is a great example of how to use your Google hacking skills (okay, its a simple query "ext:ica") and find Citrix servers. Looking into this file reveals that we can run a program or command, and if the server is anonymous, change the command to "cmd.exe". Sweet! Instant command shell!

Firewall-1 is full of holes - [PaulDotCom] - I did not have time to read the 200+ page report, however, reports say it looks legit. Many of the attacks appear to be buffer overflows in local commands, which sounds like it would require access to the firewall already. However, its how they found these exploits that is scary, "According to Pentest, they have not even used fuzzing tools for their tests, but have simply used manipulated arguments to cause a buffer overflow in the programs; this does not comply with the vendor’s description of the relevant target of evaluation". So like, passing a large parameter to a command triggers a buffer overflow, sweet! If its that easy, where are other holes lurking?

Protecting Mobile users - ideas? - [PaulDotCom] - Chris is right, we need to protect our mobile users. However, traditional methods such as logging on with user privs, A/V, anti-spyware, and firewalls just aren't enough. Malware is too smart, and users are too dumb. We almost need to wipe mobile users machines on a regular basis, and keep the data separate and protected. It would be a neat experiment, store all your data on an encrypted thumbdrive, then your machine gets wiped everytime you come back to the office... I know, I am the "Mad Security Geek".

A nice healthy SQL Injection Exploit - [PaulDotCom] - A notice to all companies producing web applications, when a vulnerability is found in your product, take down your demo site.

RFP Emerges, Speaks about disclosure - [PaulDotCom] - According to RFP, testing someone else's web site is a no-no. Quote: "NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY VULNERABILITIES IN THIRD-PARTY WEB SITES (without permission) IS ILLEGAL PER THE LAWS OF YOUR COUNTRY. Period. " Whoa. This could go either way. I've seen some people be happy that you found a vuln in their web site, and I can definitely see it going the other way. Thoughts? Oh, and where has RFP been since 2003 anyway? BTW, check out some podcasts from Microsoft.

iPhone "bricking" and hacking - [PaulDotCom] - A bit off-topic, but some ppl are wondering why their iPhones are bricked once they apply a firmware update to a hacked phone. Just an example, OpenWrt can potentially brick due to an upgrade, but I would still like to know more about how the iPhone works (my understanding is that there is firmware on the modem and a separate OS for the rest?). Martin seems convinced that Apple did this on purpose, however, it could be just an artifact of hacking and firmware upgrades. Why would they only brick phones with the anySIM program and not all hacks?

Cisco Call Manager SQL Injection and XSS - [PaulDotCom] - These vulnerabilities exist in the login page, hence you do not need to be authenticated. The SQL one is interesting, "An attacker could exploit the SQL injection vulnerability to read a single value from the database. Several successful attacks could disclose information about the database, information such as user names and passwords, and information from call records such as the time calls are placed and the numbers dialed. This vulnerability cannot be used to alter or delete call record information from the database." Niiiiiice! Extracting call records, that could be interesting...