Specifically, here’s what we’ll need:

• If the access point supports WPA and/or WPS, enable both of those features. This can help us in creating more robust signatures.
• Place your wireless card in monitor mode and use Wireshark to capture the access point’s beacon packets (we only need one beacon packet, so don’t feel like you have to capture large amounts of data).
• Save the Wireshark capture and send us the pcap file along with as much information as you can about the access point (vendor, model, firmware version, hardware revision, etc).
• Send all submissions to dev [at] sourcesec.com.

WPScan actively sends 802.11 probe requests to access points that advertise WPS support. It then parses out the WPS Information Element in the resulting probe response and displays the results. This is a very useful fingerprinting tool since nearly all new routers have WPS enabled by default, and most vendors will actually put the exact make, model, and version of the router in the probe response!

WPSpy is a tool to simply monitor and report changes in the WPS status of and access point. This is particularly useful if you are running some of our described attacks that leverage WPS to gain access to the WLAN.

Currently we only have a handful of signatures, so if you want to contribute to this tool, here’s what you can do:

1. Get your access point and enable WPA and WPS (if supported).
2. Capture the beacon frames that your access point is broadcasting and save them to a pcap file.
3. Send us the pcap file along with as much information about the access point as you can (make, model, firmware version, hardware revision, ESSID and BSSID).

Once we get your submission we’ll generate a signature for it and update the WiFinger database file. We think this tool has a lot of great potential, so we welcome any and all submissions – if you’ve got a router, let’s put it in there!

WiFinger can be downloaded here.

As always, there are going to be a lot of other great talks there too; tickets are still available and are only $100 for the conference, so if you’re going to be in the Chicago area May 8th and 9th, we hope you’ll stop by!

• Interactive shell with tab completion and command history
• Passive and active discovery of UPNP devices
• Customizable MSEARCH queries (query for specific devices/services)
• Full control over application settings such as IP addresses, ports and headers
• Simple enumeration of UPNP devices, services, actions and variables
• Correlation of input/output state variables with service actions
• Ability to send actions to UPNP services/devices
• Ability to save data to file for later analysis and collaboration
• Command logging

Miranda was built on and for a Linux system and has been tested on a Linux 2.6 kernel with Python 2.5. However, since it is written in Python, most functionality should be available for any Python-supported platform. Miranda has been tested against IGDs from various vendors, including Linksys, D-Link, Belkin and ActionTec. All Python modules came installed by default on a Linux Mint 5 (Ubuntu 8.04) test system.

For more information about UPNP, visit the UPNP Forum. For information regarding UPNP vulnerabilities, see UPNP Hacks and GNUCitizen.

Download Miranda!