May 10th, 2009

As you may know, we recently released our WiFinger tool for fingerprinting wireless access points. However, fingerprinting tools are only as good as their signature database, and while we have a handful of popular signatures already, we need more. So if you want to contribute to this project, one of the best ways to help is to send us pcap files of 802.11 beacon packets for access points and routers that we don’t already have in our database.

Specifically, here’s what we’ll need:

• If the access point supports WPA and/or WPS, enable both of those features. This can help us in creating more robust signatures.
• Place your wireless card in monitor mode and use Wireshark to capture the access point’s beacon packets (we only need one beacon packet, so don’t feel like you have to capture large amounts of data).
• Save the Wireshark capture and send us the pcap file along with as much information as you can about the access point (vendor, model, firmware version, hardware revision, etc).
• Send all submissions to dev [at] sourcesec.com.

community support, wifinger

May 9th, 2009

These are the Wifi-Protected Setup tools that we presented at ChicagoCon.

WPScan actively sends 802.11 probe requests to access points that advertise WPS support. It then parses out the WPS Information Element in the resulting probe response and displays the results. This is a very useful fingerprinting tool since nearly all new routers have WPS enabled by default, and most vendors will actually put the exact make, model, and version of the router in the probe response!

WPSpy is a tool to simply monitor and report changes in the WPS status of and access point. This is particularly useful if you are running some of our described attacks that leverage WPS to gain access to the WLAN.

fingerprinting, wifi, wps

May 9th, 2009

Here is one of the tools we presented at our ChicagoCon talk. It passively identifies wireless access points based on matching the Information Elements in their beacon packets against a fingerprint database. It is written in Python and uses Scapy, and has been tested in Linux.

Currently we only have a handful of signatures, so if you want to contribute to this tool, here’s what you can do:

1. Get your access point and enable WPA and WPS (if supported).
2. Capture the beacon frames that your access point is broadcasting and save them to a pcap file.
3. Send us the pcap file along with as much information about the access point as you can (make, model, firmware version, hardware revision, ESSID and BSSID).

Once we get your submission we’ll generate a signature for it and update the WiFinger database file. We think this tool has a lot of great potential, so we welcome any and all submissions – if you’ve got a router, let’s put it in there!

WiFinger can be downloaded here.

fingerprinting, Tools, wifi

April 29th, 2009

We’re just now putting the finishing touches on our presentation for the ChicagoCon 2009s security conference coming up next week. We will be discussing some of the “more serious issues” that we mentioned when we released our Hacking SOHO Routers paper late last year. In addition to releasing some new tools, our presentation topics include router reconnaissance, alternative attacks against WPA/WEP encryption, and how to hack a router with a stick of gum.

As always, there are going to be a lot of other great talks there too; tickets are still available and are only $100 for the conference, so if you’re going to be in the Chicago area May 8th and 9th, we hope you’ll stop by!

chicagocon, EthicalHacker, hacking, Routers

November 7th, 2008

Miranda is a Python-based Universal Plug-N-Play client application designed to discover, query and interact with UPNP devices, particularly Internet Gateway Devices (aka, routers). It can be used to audit UPNP-enabled devices on a network for possible vulnerabilities. Some of its features include:

• Interactive shell with tab completion and command history
• Passive and active discovery of UPNP devices
• Customizable MSEARCH queries (query for specific devices/services)
• Full control over application settings such as IP addresses, ports and headers
• Simple enumeration of UPNP devices, services, actions and variables
• Correlation of input/output state variables with service actions
• Ability to send actions to UPNP services/devices
• Ability to save data to file for later analysis and collaboration
• Command logging

Miranda was built on and for a Linux system and has been tested on a Linux 2.6 kernel with Python 2.5. However, since it is written in Python, most functionality should be available for any Python-supported platform. Miranda has been tested against IGDs from various vendors, including Linksys, D-Link, Belkin and ActionTec. All Python modules came installed by default on a Linux Mint 5 (Ubuntu 8.04) test system.

For more information about UPNP, visit the UPNP Forum. For information regarding UPNP vulnerabilities, see UPNP Hacks and GNUCitizen.

Download Miranda!

Code, Tools, UPNP