SoldierX.com SquidBlackList - the world's largest porn blacklist! HAX Radio - The stream the FBI Listens to! Offensive Security Wireless Professional PWNIE 2012 Nominations The Hip-Hop Realm

Archive for April, 2011

Wardriving is not a crime

Monday, April 25th, 2011

Ethics are something which cannot be forced upon someone. They just happen. They result from you as an individual, your environment, and well, anything that influences you. Media, like the news, music, sitcoms, movies, and such can all have a deep effect on the psychology that goes into ethics and what decisions you as an individual make.

Imagine you walk through a bar where people are all yelling at the bartender like so:

man: “RTS!?”
bartender: “CTS!”
man: “I would like a drink, here is my credit card number! 1234-1234-1234-1234!! Sec code: 123!! expiration: 11-12!!!”
bartender: “ACK!”

and this is how drinks are ordered in the bar. Well, you may think to yourself, why are these people okay with yelling their cred card numbers? Well, what about the people who run the bar? They are okay with the customers yelling it out loud too? Well. I wouldn’t. I would go somewhere else. But imagine if they where yelling in different languages you could understand. They knew you couldn’t understand because you’re a dumb fat American. But with a dictionary, or a few classes, you could understand the language just fine. it’s not like the language is a secret.

What if you went into the bar with a tape recorder. you recorded everything for about 1 hour and left. You paid for classes in what ever languages you recognize don the tape. You then decifered the languages and were able to “hear” the credit card information of each customer. <-- You did nothing illegal up to this point. That is, unless there's a huge sign on the wall in the bar that says "no tape recorders." But then, what if you were blind? you relied on your senses to "hear" the communications only. This is similar to wardriving to an extent. The act of wardriving usually entails a lot of movement though, hence the "driving" part. You wouldn't really "hear" enough data to get a lot of credit card numbers, or even tell what language those people are speaking. The key to deciphering what language is being used comes from statistically analyzing 40 to 250 thousand words, minimum.

To make this analogy more realistic, let's say every person had a megaphone in their hands and used it to speak the credit card information in their native language (which you don't understand yet.) Now, you don't have to enter the building with the tape recorder, you can just sit outside. Well, because wireless mediums are shared, and most access points and network data can actually be "heard" from outside of the building - you are seriously not breaking any laws yet, no matter if there is a "no tape recorders in building" or if you were blind. Well, I guess if you were loitering in the back alley, or trespassing onto the bar's lawn, you would be busted.

With this in mind, read this article: ComputerWorld:Wardriving

“WEP has well-documented security flaws and has been considered for years to be unsecure, but was widely used in routers built between about 2000 and 2005.”

VeriZon’s own Actiontec routers STILL to this day come preloaded with WEP.

Here is the key statement:

“Because WEP’s encryption can be cracked using easy-to-find tools, even unsophisticated hackers can break into WEP networks and mine them for data.”

I retweeted this over the weekend and realised that you don’t necessarily have to “break into … networks” to get this data. The data is there. WEP’s IV, or initialization vector used for the PRGA keystream during RC4 is transmitted in plain text. So, here’s another example to get your gears going:

I can watch my neighbors (I don’t I assure you) as they watch Netflix for 15 seconds to 1 minute in HD and produce enough Data packets with Initialization Vectors to crack the key offline. No intrusion needed. Now, what if after they watch Netflix, or during that time, one of their computers running Thunderbird transmits a plain text password for IMAP or POP? Whoops, I can now see that using Wireshark and putting their key into the settings for packet decryption.

Another quote:

“…got many of the card numbers by wardriving retailers including TJX Companies, OfficeMax and Barnes & Noble”

This is where our bartender comes in. He owns the place and he was told by security standards officials (we’ll call them the PCI compliance people) to not use the megaphone / different language technique. But to use a far more secure technique called “WPA2″

What these people did wrong was misuse the data. The distributed it, abused, or sold it. That’s completely unethical. The fact that wireless signals go all over the place in 3 dimensions is not a flaw either. It’s how RF works with the dipole antennas. If your equipment is tool old to process the cipher block code (CCMP) used by WPA2 and you need to use WEP, use a weaker antenna. One that is directional to the receiver. Not one that will broadcast outdoors. What Google did in the past, wardriving and seeing your information wasn’t illegal either. In fact, they told everyone that they saw the data to teach them to not use unencrypted networks! And they got in trouble over it!!

“They confessed that emails, passwords and other sensitive public data had been collected by the fleet of cars from unsecure wireless networks.”

You can limit your libpcap based sniffing application to only capture beacon frames if you want too!

~Douglas.

“HACKING EXPOSED – Wireless 2nd edition” advice for newbies

Wednesday, April 20th, 2011

Well, I didn’t read this all the way through. I read through about one half of the book and realized there were too many errors and some things stated are just plain false. In fact, I saw so many, that I just started using post-it notes to bookmark them and maybe email the author, publisher or editor. Here, I will list just a few:

Page 83 – The number of packets sent by Aireplay-ng for de-authentication attacks does not vary with the driver. 128 packets are sent for each number of attempts you specify. 64 packets go to the client and 64 packets go to the AP itself. If the victim client is communicating to the AP, say, watching Netflix in HD, the packet count reported by Aireplay-ng will, obviously, be higher that 64.

Page 89 – the diagram – “airplay” most likely means “Aireplay-ng” and if you cannot gather more packets with your adapter, you should first determine that you have a strong enough RX/PWR signal to the AP before just giving up and blaming the driver.

Page 96 – another diagram – Again, do not assume your driver is “broken” before checking your power levels. There are a lot of factors like, free space path loss, attenuation from things blocking the Fresnal zone, multi-path destructive interference, etc.

Page 98 – “Airomon-ng” ?? is that supposed to mean Airodump-ng?

Chapter 6 is about exploiting an Apple computer. Whoopie. If you are new to the subject, enough to need a book like this, concentrate on attacking the networks first. Wireless penetration testing is a well crafted art. The more hands on experience you get, the better. Read up as much as you can on the 802.11 protocol analyzer Airodump-ng. Furthermore, remote exploiting and exploitation attacks with, say an evil AP, and routing, etc, would require better knowledge of computer penetration testing, which is also a well crafted art. Choose one and get good at it first before advancing into the next. It will only benefit you!

Pages 270 to 470 are all useless. They explain Bluetooth and other RF “hacking” methods, which are generally far too expensive to pull off and not practical at all. I wouldn’t recommend this book to newbies of the subject. There are a lot of typo’s in the commands, the information is mostly not useful and sometimes too much. This will only confuse newbies.

From my experience on the subject, I noticed that newbies are always fascinated and confused by antennas. This book’s small section on antennas is perfectly inadequate for a newbie. Antennas are an amazing scientific phenomena, which truly deserve a book of their own. I will list a few books which better describe how they transmit and receive.

If anyone really wants good advice on becoming more familiar with wireless “hacking” please read this extensive documentation: Aircrack-NG:Docs
and possibly consider buying the CWSP (Certified Wireless Security Professional) book from Sybex && CWNP: Amazon:CWSP Also, an older (2005) O’reilly book about 802.11 networks provides a good look at the protocol and even RF analysis. Amazon:O’reilly 802.11 The CWNA, and O’reilly books provide good coverage on antenna functionality.

~Douglas.

Metasploit Tshirt Contest

Monday, April 18th, 2011

Well, I made an entry into the contest and some people actually liked it! So head over to: http://blog.rapid7.com/?p=6156 and make a vote! You don’t necessarily have to vote for my entry (Which is #44) but it would be nice! If I win, for some reason, I am giving the winnings over to http://johnny.ihackstuff.com/ :)

It’s so fitting, I mean think about it! To vote you can post it to your Twitter account with the hash tag: I’m voting for Metasploit T-shirt design #[number]! http://bit.ly/e4wsPt #metasploitswag

CatchmeNG – WEPd – WEAKERTHAN 3.6

Thursday, April 14th, 2011

WEAKERTHAN 3.6 BETA

Alright, now that I have more time, I am re-publishing the page for WEAKERTHAN. Lately, the most problems I have been trying to resolve via a massive amount of Emails are from Airbase-NG+WPA Phishing attack, RTL8187 will never work in VMWare, and now some have trouble using Catchme-NG the WEP ARP-replay attack countermeasure. I would recommend to those using VMWare and an ALFA, or other RTL8187 device to try VirtualBox from Oracle for your virtualization needs. Some have been trying to install WEAKERTHAN to a USB drive with persistence. I am really not sire how to do this, even after a lot of research. If someone finds a solution, I would be grateful and share it here on the weblog. You can’t simply install it to a USB drive, as the boot load timing is different and you will get a “cannot find linux.whatever” error, when trying to boot from it.

Catchme-NG WEPd

WEPd was meant as a small effort to stop someone from cracking your static WEP key. A lot of institutions still use WEP due to old hardware, slower processors, monetary, and even space requirements for newer equipment. CCMP requires a bit more horsepower than the older pre-RSA encryption types. What Catchme-NG WEPd does, is send de-authentication packets as soon as it “see’s” a wireless attacker. Now, if you are using 40bit WEP static keys, you may really want to consider upgrading your equipment, or simply your encryption settings. Usually, in the lab, I can break 40bit WEP with only about 6,000 to 9,000 ARP packets. Now, if you are streaming HD video over your WLAN, an attacker only has to listen to your packets with a WLAN protocol analyzer, such as Airodump-ng. It takes far longer to obtain the key, since the Aircrack-PTW attack relies on ARP, which are not the packets used for streaming HD video on Netflix :P

Either way, WEP is extremely flawed. It’s not the ARP replay that is the flaw, it’s the whole stream encryption process, including it’s weak CRC integrity check.

An ARP packet is a multicast, or broadcast, packet that gets sent out of and to every port on the WLAN/LAN. What I do is “listen” on any port, usually any Ethernet port, for more than 20 ARP requests each second. Most networks, unless improperly configured, should not experience such a flood of ARP traffic. ARP simply asks all machines “who has the IP X.X.X.X?” ARP doesn’t get ACK, or acknowledged. Usually, only the MAC address who was assigned the IP in question will respond. To listen, I use tcpdump. Like most libpcap-based software, tcpdump has a funky buffer to STDOUT, or /dev/stdout. In fact, it’s not buffered at all. This means you cannot simply grep the output from tcpdump. No, you have to tell tcpdump to buffer the lines, then you can pipe it’s output.

tcpdump -vl -i wlan5 -e arp 1>output.txt

What’s even stranger about this, is that you cannot re-pipe the new output. Yeah, so:

tcpdump -vl -i wlan5 -e arp 1>/dev/stdout | grep -E '((([0-9a-f]){2}):){5}([0-9a-f]){2}'

wouldn’t work. ??? I tried redirecting everything to /dev/stdout, but nothing came through.

Anyways, this file is then opened and line-counted by Perl. If Perl see’s more than 20 lines, it grabs the MAC address of the attacker and starts Aireplay-ng from the Aircrack-ng suite. Now, this will only prevent the attacker for a small amount of time, unless you continue to deauthenticate him/her. In doing so, if they spoofed a normal user’s MAC address, you would be denying the normal users his/her service.

DoS attacks are incredibly non-intuitive on RF/WiFi. It’s only an annoyance. There’s no real way I know of, for defeating those attacks. First of all, signal jammers are pretty powerful and upping your power to “speak over” the jammers is limited due to the FCC. Second, management frames are unencrypted, so anyone can write a simple libpcap-based packet injector to take arguments and inject de-authentication packets. On the other side of security, they are great for making someone connect to your Airbase-ng/WPA-Phishing VAP. :)

MIC Michael Integrity Check

About 6 or 7 months after I thought this up and wrote the code, I was studying for CWSP and realized that TKIP had such a countermeasure in place already! This is called the MIC, or Michael Integrity Check. Pre-RSA (WEP) encryption methods relied on CRC, or cyclic redundancy checks, which were incredibly vulnerable to bit-flipping attacks. When a MIC failure is detected a counter starts in the AP, and the failure is logged. This countermeasure measures how many MIC failures there are within 60 seconds. If only 2 are detected, the AP shuts down for 60 seconds and re-keys the temporary keys to the clients, to deter brute force attacks. Not a great way to counter measure, but somewhat effective. Here is a whitepaper explaining MIC weaknesses from Motorola, and Here is one from Martin Beck on Enhanced TKIP MIC Attacks that you might want to read up on.

~Douglas.

Drained.

Monday, April 4th, 2011

Sorry, I removed the WEAKERTHAN project page until further notice.