March 31, 2007

Sniffing Bluetooth

I noticed a new paper from Max (of mentioning that it's possible to turn those cheap USB bluetooth dongles into a working clone of commercial sniffers. This and this are samples of a commercial BT sniffer. As you may know it was believed that sniffing remote bluetooth connections (just like what we have for WiFi) is not that straight-forward (but still possible and proven ) and a _normal driver/device_ available in markets will NOT allow us to sniff other connections. Here you can read why it's hard to sniff Bluetooth. There are some commercial solutions to do that, but so far there's no free/open project making that possible. So that's why Max's piece of research is interesting. As he mentioned in his papers , the myth is solved by flashing commercial firmwares onto a normal compatible (chipset) USB dongle. Of course those vendors always tell us that their hardware and software parts are covering each other and they use something SPECIAL ! but it's not like that really ( as Max showed us ) .

I may update this entry once again...

The Week Of VISTA Bugs.

I'm sure you're now as curious as me about the upcoming event.
After nice talks on Black-Hat 2007 EU on Vista , some of mistries about Vista are well-discussed now. So researchers now have the hard parts solved and we should expect more on Vista. Few guys joined together to announce the first vista-focused vulnerability discovery week, coming as TWOVB . I can almost guess what will be announced but let's wait till they begin the show ;)

March 30, 2007

Happy New Year

I'm still alive ;)
In case of me , The new year was not that happy for some reasons but anyway let's cheer! I wish everyone a completely different new year as I expect it for myself too.

I know how bad it is to keep a blog idle, but I believe keeping blog idle is better than filling it with useless entries. To prevent blog from getting too much dusty I added a "My browsing history" section as you may have already noticed it. There you`ll see my favorites while reading other people's blogs,lists and news. This widget is really a mini copy of my shared items on Google-Reader, so if you hate my blog and just want to follow my browsing habits feel free to directly visit this link . Finally in case you're a paranoid surfer like me , don't forget to white-list "" in your NoScript or you'll miss it while watching my blog.
And yeah I love Google-Reader ! I finally came to this conclusion that it is the best choice for managing a massive list of feeds. It's portable,flexible and If you're on a low-speed link it's surprisingly bandwidth-saving while loading your long list of feeds and of course, anonymous.

March 8, 2007

BackTrack 2.0 is out.

After about 5 months of watching developers log , seems it's finally out !
Today while checking my mails I noticed new mail from Max, announcing this new ( final ) release of version 2.0 . and I was glad to see that ISSAF is finally there . After releasing v1.0 of ISSAF I had talks with Max, on joining these two projects. The idea was adopting both BackTrack and ISSAF in a way that tools in ISO and documents in ISSAF cover each other, so that all an ISSAF reader require , will be a copy of BackTrack to finish all of tests explained in ISSAF. seems it's going to happen .

For those who don't know, ISSAF is a project of OISSG , which provides a complete documentation for penetration-testing , or a so called "Assessment/Pen-test framework"and I've authored few chapters of it. I've been idle on ISSAF project after v1.0 but I hope to be able to get my hands dirty again and try to upgrade documents/tools in draft, as much as possible.

It's not all about v2.0 . I found a fantastic addition since their beta release. BackTrack finally added support of cool USB wlan devices . Here's the snip from announcement :

"By supporting the new ALFA USB hi-power devices there is now a great USB wireless dongle available which allows us to connect an external antenna and use BackTrack to attack even on my Intel Macbook or VMware"

If it's still not clear enough for you, here's what it means for me : Attach the usb device to your system , run your VMware , start your your local-hd-install of BackTrack 2.0 which has been previously installed , and enjoy the power of BackTrack on owning wireless network, while having fun with your windows based tools.
Before this, you had no chance to use wireless capabilities of BackTrack while it's working inside VMware.

I've been a fan since their early Auditor days and I've always enjoyed their works. Although I'm still using their Auditor since 2005 but I have always an up to date version of BackTrack with me. Long time ago I replaced my debian linux with a local-hd-install of Auditor and began boosting it in my own way, and it's still cool and useful in 2007 :)
You may ask why I didn't simply upgraded my local installed version to a BackTrack release? The answer is as simple as " I like Debian more than Slackware" . So I decided to keep my debian installation up2date rather than installing new slackware, and just kept upgrading/adding tools mentioned in newer releases of BackTrack.

Making a raw laptop to a pen-test station is so easy these days. All you have to do is downloading an ISO, burning it and booting it. If you don't feel comfortable with booting cd/dvd for every session and you can't sleep well while running a linux customized by someone else, there's always a "Local-HD-Install" option for you. IMO a live copy is not stable enough for a real-world pen-test, but it's just good for demonstrations, demos or using while training sessions.
It's painful to reconfigure live version every time you use it, and after all user is limited in some aspects of configurations. Yes I know we can save configs to a flash or local partition, but why making everything hard for ourself when there's chance of booting a live pen-test cd from HD, with no limitation?

Beta release of BackTrack 2 was nice experience for me. I tried to replace it with my current tool-set for a while, to be able to fuly evaluate it. And now I can say that it will cover >90% of your requirements for a complete professional pen-test session. There were few bugs and missing tools but I'm sure v2.0 is good enough to hold it for a while.

Read about more upgrades since beta release on BackTrack's page.

March 3, 2007

And now, cracking Bluetooth PIN on FPGA

Months ago , I had a post in blog ( site is now down for some reasons. try google cache ) about FPGA technology and how it's being used by both good/bad guys to own your passwords. As that post is not available now and I've no local copy I'll write a very short brief again.

After few paragraphs about goodness of FPGA & ASIC technology, I explained how and why widely used cipher algorithms are implemented on these technologies. I used OpenCiphers as a sample for software part, and random FPGA boards of PicoComputing as hardware part of scenario. As always some real-world samples was needed, so I posted about FPGA implementation of LM/NTLM released by OpenCiphers, followed by introducing pico-WEPcrack as a working FPGA based WEP cracker. Finally I finished the post with a comparison between FPGA based and PC based of cracking and shocking results, based on my own experiences and provided results in OpenCiphers page.

Now, I'm back to that old topic again, to share more interesting news.While reading about speakers of upcoming ShmooCon, a talk named " Hacking the Airwaves with FPGAs" catched my eyes. Yes it was about some real FPGA work which I've been aware of. At first glance it didn't look much interesting as it should, but hey there were some brand news in that talk : Bluetooth. those few lines were enough for me to recall previous excellent releases of OpenCiphers. So I revisited their site and, guess what ? They had two new finished projects, ready for FPGA fans. these additions were for WPA and Bluetooth PIN cracking.
WPA case was not so interesting for me, as I choose this technique for last try. I'm sure you know how to extract WPA keys out of air by packet-injection in few minutes and as there are many resources for this out there, I'm not going to make a clone ! so keep reading. anyway if you're too much excited in cracking WPA on FPGA, I can redirect you to latest versions of coWPAtty .

OpenCiphers Bluetooth PIN however, looks great again. If you've been an active member of community you already know about 23C3 , and if you've already missed this talk I must say that you really should not check it anymore, because you do NOT deserve it.
The talk provided information on latest attacks against Bluetooth technology, and how to capture Bluetooth traffic, extract PIN out of dumped captures and finally crack the PIN using offline attacks , for later use in a targeted attack against victim's bluetooth device. And these all become possible because of some implementation bugs, which is very common in most of bluetooth related vendors. Of course some tools are required for that, so BTcrack was released among the talk. Detailed how-to was also provided, but I prefer to withheld it. If you're kind of person who should know this, then you probably know where to look for this how-to ;)

Hey we lost the subject ! I was talking about cracking speed...
As you've checked presentation, you'll see that BTcrack's top speed is something around 185.000 keys per second. it means cracking a 4 _digit_ PIN in less than second , and about 20 minutes of brute-forcing for a 6 _digit_ long PIN. Note that I'm saying 4 digit keys. Although digits are the only options for many cases ( like mobile phones) but a PIN is NOT limited to digits. so above results may not be useful in a real-world attack, if victim use a PIN consisted of digits and alphabets. and victim will not going to wait for you whole of the day, to crack his PIN.
Here the magical speed of FPGA implementations comes handy , and once aging shocking for unfamiliar eyes. OpenCipher's implementation of PIN-crack, based on a single Pico's FPGA board have increased that speed to 10 millions keys per second !

Now imagine one of those portable FPGA solutions, attached to your laptop, ready to own any target in matter of seconds, no matter how smart s/he is in choosing the PIN ;)