September 18, 2007

Old WEP VS new PTW

We all know that WEP has died long ago, but we all see that it`s still being widely used. Maybe that`s because some administrators can`t imagine the risk of using it on their network. Since 2001, we've seen different implementation of attack methods on WEP , each one boosting previous method , and there are still some ways to improve it ! yes, not all of known academic attacks against WEP are implemented. The most recent attack was released on April 2007 as an academic research paper. Later original researchers of this method implemented this attack and released their proof of concept as a tool named Aircrack-PTW, which is based on famous Aircrack suit ( Aircrack project discontinued and developer moved to Aircrack-NG which is a complete rewrite of previous project ).
Depending on used old attack methods , attacker had to capture number of IVs between 500,000 to 6,000,000 based on used key length and old or new techniques . Simply listening for IVs to arrive may takes days of non-stop sniffing and over 1gig of data packets being captured. Using techniques like arp-request replay injection and other replay attacks in tools like Aireplay it's now possible to force target network ( associated clients ) to generate required number of weak IVs in few minutes. Although documented IV generation rates are very high , but in a real-world scenario and a network with inactive clients it may take more than 30 minutes to gather enough packets. There are many factors affecting the speed and efficiency of attack, which are beyond scope of this post.
The new PTW attack how ever , made this old WEP game even more cool . I remember my old tries on WEP in pen-tests , always having problem on getting enough IVs fast enough. Since release of latest attack , I hadn`t chance to test it in a real-word scenario ,as things in lab do not make me really happy.
So I finally had a target running multiple access points ,one of them still using old WEP configuration. A quick try lead to capture about 50,000 IVs and it was time to give PTW a try . This attack technique has been merged into Aircrack-ng in recent versions , so no need to use PoC code. Compared to old attacks, new one extracted the 128b key almost instantly ! great :)



As you see only ~177Mb of packets captured ,which is about 1/10 of size of captured packets require to extract key with old attacks. The only note on using new PTW attack is that you must use arp replay injection + full header packet capture ,to make clients generate IVs. PTW attack won`t success if you use IV generation techniques other than arp-replay. Sorry, I`m not going to rewrite aircrack-ng & kismet documents on how to play with them!
Btw, CAIN in windows also support arp-replay attack technique , but who's crazy enough to pay ~300$ for a AirPcap-TX while it`s possible to make everything work fine in linux with 0$ ? Are you ?

And a good news for fans of Kismet : expect a brand new release in few days. Although there would be not much for you , if you`re such a SVN guy like me . last Kismet-2007-01-R1b release had some serious bugs which are fixed now . If you follow SVN and missed kismet tree in last days, there was a mysterious bug in kismet_server , making X crash ! thanks to dragorn (the guy behind kismet ) this one is fixed too in latest svn tree.

September 14, 2007

BackTrack 3 ...

I've previously blogged a bit about BackTrack 2 , a must-have for any security auditor. I`m not going to rewrite on how and why BackTrack is perfect for assessment task and why it`s the #1 in available free/commercial live security distributions for penetration-test. If you remember I've previously noted that I use a local-install of "Auditor" which was based on Debian. things change, and mee to . I decided to move to slack and play with it for a while . So I replaced old Auditor with BackTrack2 and customized it to feet my needs. Here`s how it looks now :



Yes, that`s latest released paper of pdp on hacking web2.0 . If you you've followed my "browsing history" you've probably got it fresh.

Thanks to Max & Muts , I got chance to join BackTrack 3 and get a beta version. I`m not sure about schedule of publicly releasing first beta , but current state of work shows that it`s at least 1-2 months. wait for cool updates & upgrades , including various new tools and scripts .
I just added a complete set of tools for owning web2.0 applications, all based on FireFox. At the moment I`m trying to see if I can integrate new qKismet into a stable working state, based on latest kismet development tree. I`ve some interesting plans which are not still discussed but I hope to be able to implement them.
anything you missed in BackTrack 2 and like to see in BT3 ? shoot me a comment and I`ll try to forward to developers.
and few 0day screen-shots ...



I hope muts forgive me for leaking :p

[ Update : ]
After more than 5 hours wasting time and playing with BackTrack , Qt installation and preparing slax packages, qKismet is now showing it`s lovely interface . Just have my friendly advice and prevent compiling Qt 4.3 from source as far as you can ! it took near 4 hours on my 1.8 Dothan laptop. I`ll share the Qt-4.3.1 Slackware package as soon as I get some place to safely host it for long time.



September 12, 2007

On recent Tor exit point sniffing attempt

Probably you've heard about recent attempt on trying to extract useful information from Tor exit points traffics. The technical aspect of this attempt ( attack !? ) is well-known and even documented and is not something new. The point making it interesting is that gov people use Tor to route their traffic. The day I read this title on SANS it didn`t look much interesting to me as I`ve had the same experience but collecting different set of information from traffic and also trying to cover some encrypted channels like SSL protected stuff. Later I told myself "hey, is any .gov.ir affected by this attempt? " and guess what ? ...



Wish I could publish some of my research results too but as I`m not sure about local gov reaction I prefer to stay silent for now.
And hey, this is not the first time Iran gov is made fun of , because of their lame policies and broken infrastructures. If you follow related news, there are tons of blames against iran. I remember old BlackHat talks , exposing classified informations and maps of IT infrastructures of the country, and my personal investigations lead to even more horrible live results. But after all, who cares ?!!!

September 8, 2007

Cna yuo raed tihs?

I cdnuolt blveiee taht I cluod aulaclty uesdnatnrd waht I was rdanieg. The phaonmneal pweor of the hmuan mnid, aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it dseno't mtaetr in waht oerdr the ltteres in a wrod are, the olny iproamtnt tihng is taht the frsit and lsat ltteer be in the rghit pclae. The rset can be a taotl mses and you can sitll raed it whotuit a pboerlm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe. Azanmig huh? yaeh and I awlyas tghuhot slpeling was ipmorantt!

Defcon 15 videos now online

It maybe be interesting for those who've missed BlackHat/Defcon for any reason. I`m sure most of you have already reviewed BlackHat/Defcon papers but in some cases papers and slide-shows are not self-explaining very well . so here`s the list of talks available online thanks to Google-video. You may like to watch my favorite talk "Tactical Exploitation" as the first video. This is the short version of BlackHat talk and as Moor comments, "you can record and playback slowly" ;)

Defcon 15 videos
BlackHat US-2007 contents

thanks to mcgrewsecurity.com blog for pointing this out.

September 3, 2007

Core dump

Here's why I've been almost idle recent days .
I've just recovered from a BSOD (read Blue Screen Of...) kind of thing in my real life.
here`s the core dump of the case, for those interested in analyzing it :)

Thanks to God, non of 6 running sub-processes closed and only three of them required some hot-fixes, one being analyzed in I.C.U research-labs for 10 days crash recovery analyze! three critical security holes has been identified and successfully closed on I.C.Ued process . and me... ? I`m not sure why I`m still alive.

just to note : I`m the black one