DNS Load Balancing For Fun And Profit

May 11th, 2009

UPDATE: Unfortunately, this method of anti-DNS pinning does not work quite as we had observed in the lab. As it happens, browsers (IE and FF), if given multiple IP addresses in a DNS response, will always try a private IP address first, regardless of the order in which the IP addresses are listed in the DNS response. If all of the IP addresses in the response are private IPs, then the browser will try them in order (which is why this technique worked during our lab testing, since all of our lab IPs were non-routable). Unfortunately, this prevents the use of this attack as we had previously described. It can still be used in some circumstances, such as an internal attacker attempting to leverage IP-based ACLs, or it can be used to give an external attacker access to Web services running on the localhost (such as CUPS, or bittorrent clients). We’re leaving all of our original post below as even these limited scenarios may be useful attack vectors; in the meantime, we’re going back to the drawing board to examine more traditional anti-DNS pinning attacks.


Cracking WPA With CSRF Attacks

May 11th, 2009

Over the past year a lot of vulnerabilities have been found in various home routers, and almost all SOHO routers are vulnerable to CSRF attacks. By combining CSRF with an authentication bypass vulnerability or default login credentials, an attacker can modify practically any router setting. However, the crux of CSRF is that while it can be used to force the victim’s browser to make requests, the attacker’s code can’t read the responses to those requests, thanks to the browser’s same-origin policy.

We’ve already talked about our hardware-based attacks against Wi-Fi Protected Setup, but even without physical access to the router, WPS can still be leveraged by an attacker to gain access to a secured wireless network. Why try to crack a 60-character WPA2 key when you can run a phishing attack and force the router to hand you the key instead? It’s as simple as creating an HTML image tag.
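As an added example (not code from the original post), here is the shape of the `<img>`-tag CSRF the post refers to, alongside the checks a router's settings handler could apply to reject it. The router address, the `/apply.cgi` path and the form field names are hypothetical placeholders, and the Origin/token checks are the general defense rather than anything the routers discussed implement.

```python
"""Added example; not from the original post.

Attacker side: one <img> tag makes the victim's browser send a GET to the
router with the victim's cookies or cached HTTP-auth credentials attached,
while the same-origin policy keeps the response away from the attacker's
page. Defender side: three checks a router's settings handler could apply
so that such a request is rejected. ROUTER_ORIGIN, the /apply.cgi path and
the form field names are hypothetical.
"""
import hmac
import secrets
from html import escape
from urllib.parse import urlencode, urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # hypothetical SOHO router address


def csrf_img_tag(path: str, params: dict) -> str:
    """Build the attacker's payload: an invisible image whose src is a
    state-changing URL on the router. Loading the attacker's page fires it."""
    url = f"{ROUTER_ORIGIN}{path}?{urlencode(params)}"
    # escape() turns '&' into '&amp;' so the tag is valid HTML; the browser
    # decodes it again before requesting the URL.
    return f'<img src="{escape(url, quote=True)}" width="1" height="1" alt="">'


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def request_is_accepted(method: str, headers: dict, form: dict,
                        session_token: str) -> tuple:
    """Defender side. Returns (accepted, reason).

    session_token is the per-session CSRF token the router embedded in its
    own admin pages; a page on another origin cannot read it, which is the
    same-origin restriction the post describes, now working for the defender.
    """
    h = {k.lower(): v for k, v in headers.items()}
    # 1. An <img> tag can only issue GET; state changes must require POST.
    if method.upper() != "POST":
        return False, "state-changing request must be POST"
    # 2. The request must come from a page served by the router itself.
    source = h.get("origin") or h.get("referer")
    if not source or _origin_of(source) != ROUTER_ORIGIN:
        return False, "Origin/Referer is not the router"
    # 3. The submitted token must match the session's token (constant time).
    token = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def new_session_token() -> str:
    """Token the router would generate per admin session and embed in forms."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    token = new_session_token()
    print(csrf_img_tag("/apply.cgi", {"wps_enable": "1", "submit": "1"}))
    # What the router sees when the victim's browser loads the attacker's page:
    print(request_is_accepted("GET", {"Referer": "http://attacker.example/"},
                              {"wps_enable": "1", "submit": "1"}, token))
    # A submission from the router's own admin page:
    print(request_is_accepted("POST", {"Origin": ROUTER_ORIGIN},
                              {"wps_enable": "1", "csrf_token": token}, token))
```

The first check alone already defeats an `<img>`-based attack, but a form auto-submitted by script can issue POST, which is why the origin and token checks are needed as well; the token is the one thing the attacker's page cannot obtain without reading a response from the router.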


Building WPA Hardware Backdoors

May 11th, 2009

It used to be that building a hardware back door into a router was a difficult, resource-intensive task that only the most skilled hardware hacker would dare to undertake, but thanks to a new feature present in nearly all new SOHO routers, just about anyone can build such a back door.

This new feature is called Wi-Fi Protected Setup. WPS is a standard designed to ease the distribution of strong WPA/WPA2 encryption keys. Anyone who has tried to enter a 60-character WPA key into a Wii will immediately appreciate WPS: when you want to add a new client to your wireless network, you simply push a button on the router, push a button on the client (clients typically have “soft” buttons), and the two negotiate an EAP session (the WPS registration protocol, carried over EAP) which the router uses to securely send the network encryption key to the client.

Unfortunately, along with this ease-of-use, WPS brings a whole new threat into SOHO router networks: physical attacks. Physical tampering with a router used to mean some malicious person bringing in a laptop, plugging it into the router, and trying to brute force the router login. But now, an attacker can install a simple hardware back door which activates WPS at a specified interval. In fact, in some cases this can be done with nothing more than a stick of gum.


Hacking The Network Inside Out

May 9th, 2009

We just finished our talk at ChicagoCon, and it was awesome! We’re posting the slides up here for those of you who couldn’t make it to the con. A quick overview of our talk:

Our presentation focuses on SOHO router security, specifically, exploiting router vulnerabilities to gain direct access to the internal WiFi network without having to crack encryption keys.

We discuss various methods of router reconnaissance, including some new tools that we’ve written specifically for this purpose, how to obtain WPA keys using simple HTML img tags, and how to own the WiFi network remotely using anti-DNS pinning attacks.

We even throw in some hardware hacks, describing how to implant a hardware backdoor into a router’s WPA encryption using nothing more than a stick of gum or a simple $8 circuit.

Download the slides here!

ChicagoCon 2009s

April 29th, 2009

We’re just now putting the finishing touches on our presentation for the ChicagoCon 2009s security conference coming up next week. We will be discussing some of the “more serious issues” that we mentioned when we released our Hacking SOHO Routers paper late last year. In addition to releasing some new tools, our presentation topics include router reconnaissance, alternative attacks against WPA/WEP encryption, and how to hack a router with a stick of gum.

As always, there are going to be a lot of other great talks there too; tickets are still available and are only $100 for the conference, so if you’re going to be in the Chicago area May 8th and 9th, we hope you’ll stop by!


Windows DLL Redirection

November 3rd, 2008

In Windows, applications reach the kernel through the API functions exported by the system DLLs (kernel32.dll, user32.dll and friends); as such, these functions are critical to even the simplest Windows application. Thus, the ability to intercept, monitor, and modify a program’s API calls, commonly called API hooking, effectively gives one full control over that process. This is useful for a multitude of reasons, including debugging, reverse engineering, and hacking (in all interpretations of the word).

While there are several methods which can be used to achieve this, this tutorial examines only DLL redirection. This approach was chosen for several reasons:

  • It is relatively simple to implement.
  • It lets us view and modify the parameters passed to an API function, change that function’s return value, and run any other code we desire.
  • While most other methods require code to be injected into the target process or run from an external application, DLL redirection requires only write access to the target application’s directory, the first location in the DLL search order.
  • We can intercept any API call exported by a DLL that the loader resolves through the search order, without modifying the target (either on disk or in memory) or any system files. One caveat: DLLs on the system’s KnownDLLs list (kernel32.dll and user32.dll among them) are mapped from the system directory regardless of what sits in the application’s directory, so they are outside this technique’s reach.

The full article has been posted on EthicalHacker.net and milw0rm.com.
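The usual vehicle for DLL redirection is a proxy DLL that carries the real library's name, forwards every export it does not care about to a renamed copy of the real DLL, and implements the few functions being hooked itself. The generator below is an added example, not the article's or its author's code: it emits the module-definition file and C source for such a proxy. The renaming scheme (`<name>_orig.dll`), the `hook_<name>` symbol names and the export subset are my assumptions; the export list is a constructed subset of version.dll's real exports, chosen because version.dll is not a KnownDLL and is therefore resolved through the normal search order.

```python
"""Added example; not code from the original article or its author.

Generates the two source files for a proxy DLL used in DLL redirection: a
module-definition (.def) file that forwards every export of the real library
to a renamed copy of it, except the functions being hooked, and a C file
implementing those hooks so they can inspect or change their arguments and
then call the real implementation. Assumptions (mine, not the article's):
the real DLL is renamed "<name>_orig.dll" beside the proxy, and EXPORTS is a
constructed subset of version.dll's exports.
"""
from typing import Dict, List, Tuple

Signature = Tuple[str, List[str]]   # return type, parameter declarations


def make_def(proxy: str, real_base: str, exports: List[str],
             hooked: Dict[str, Signature]) -> str:
    """Untouched exports become loader-level forwarders ("name = module.name",
    module given without .dll); hooked ones map to our hook_<name> symbols."""
    lines = [f"LIBRARY {proxy}", "EXPORTS"]
    for name in exports:
        if name in hooked:
            lines.append(f"    {name} = hook_{name}")
        else:
            lines.append(f"    {name} = {real_base}.{name}")
    return "\n".join(lines) + "\n"


def _param_name(decl: str) -> str:
    """'LPDWORD lpdwHandle' -> 'lpdwHandle'; 'char *buf' -> 'buf'."""
    return decl.rsplit(" ", 1)[-1].lstrip("*")


def make_hooks_c(real_base: str, hooked: Dict[str, Signature]) -> str:
    """C source for the proxy: resolve the real functions when the DLL is
    loaded, then for each hook inspect the arguments and call through."""
    out = ["#include <windows.h>", "#include <stdio.h>", "",
           "static HMODULE real_lib;"]
    for name, (ret, params) in hooked.items():
        out.append(f"typedef {ret} (WINAPI *{name}_t)({', '.join(params)});")
        out.append(f"static {name}_t real_{name};")
    out += ["",
            "BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved) {",
            "    if (reason == DLL_PROCESS_ATTACH) {",
            f'        real_lib = LoadLibraryA("{real_base}.dll");',
            "        if (!real_lib) return FALSE;"]
    for name in hooked:
        out.append(f'        real_{name} = ({name}_t)GetProcAddress(real_lib, "{name}");')
        out.append(f"        if (!real_{name}) return FALSE;")
    out += ["    }", "    return TRUE;", "}", ""]
    for name, (ret, params) in hooked.items():
        args = ", ".join(_param_name(p) for p in params)
        call = f"real_{name}({args});"
        out += [f"{ret} WINAPI hook_{name}({', '.join(params)}) {{",
                f'    fprintf(stderr, "[hook] {name} called\\n");',
                "    /* inspect or modify the arguments here, or short-circuit */",
                f"    return {call}" if ret != "void" else f"    {call}",
                "}", ""]
    return "\n".join(out)


# Constructed subset of version.dll's exports (real names, not the full list).
EXPORTS = ["GetFileVersionInfoA", "GetFileVersionInfoSizeA",
           "GetFileVersionInfoSizeW", "GetFileVersionInfoW",
           "VerQueryValueA", "VerQueryValueW"]

# The one function we intercept; the parameter types follow the Win32 prototype.
HOOKS: Dict[str, Signature] = {
    "GetFileVersionInfoSizeA": ("DWORD", ["LPCSTR lptstrFilename",
                                          "LPDWORD lpdwHandle"]),
}

if __name__ == "__main__":
    # Build (MSVC):  cl /LD hooks.c /link /DEF:version.def /OUT:version.dll
    # Deploy: copy the system's version.dll into the target's directory as
    # version_orig.dll and drop the proxy version.dll beside the executable.
    print(make_def("version", "version_orig", EXPORTS, HOOKS))
    print(make_hooks_c("version_orig", HOOKS))
```

Two things to check after building: `dumpbin /exports version.dll` should list every name from the .def (on 32-bit builds, `__stdcall` name decoration can interfere with the internal-name mapping; x64 has no such decoration), and the target must actually import the library from its own directory rather than from a KnownDLLs mapping, which is why a non-KnownDLL such as version.dll was picked here.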
