Dec 09

ISACA Review: Hacking Exposed Wireless 2nd Edition

Hacking Exposed Wireless 2nd Edition CoverA special thanks to Horst Karin for posting a great review of my new book, Hacking Exposed Wireless 2nd Edition on the ISACA website.

If you haven’t already checked it out, you can browse the book through Amazon’s Page Viewer. For the first time in print, we provided an in-depth coverage of attacking and exploiting WiFi as well as ZigBee, Bluetooth and DECT technology in the approachable and understandable Hacking Exposed style.

Be sure to check out our companion website to grab the online content and associated files for download.

-Josh

Aug 04

Bluetooth and OS Language Pack Correlation

sp-esperanto1The Bluetooth Service Discovery Protocol (SDP) is used to publish and enumerate the services of a Bluetooth device. Through SDP, your mobile phone knows that your Mac accepts file transfers or can extend your wired network over Bluetooth, for example.

We can enumerate the SDP information for a given device with the Linux command “sdptool”:

$ sdptool records 00:1D:25:EC:47:86

Service Name: FTP
Service RecHandle: 0x10002
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
  "OBEX" (0x0008)
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
    Version: 0x0100

This output shows us that the target is publishing the OBEX File Transfer service (the target is a Windows Mobile phone). The developer who implemented this profile gave it the service name “FTP”, which is what you would see in a typical GUI interface to identify this service.

Notice the data following the Language Base Attribute List, “code_ISO639″. This field is referring to ISO specification 639:1988 (E/F), used to denote a 2-letter code for the language used to denote human-readable fields associated with this service. This language code will often correspond to the language pack on the host operating system. In this example, the value 0x656e corresponds corresponds to the hexadecimal equivalent of the ASCII letters “en”, denoting the English language used on this system.

I find this information very useful since it helps me in selecting the right exploit for the target, using my two favorite penetration testing tools, the Metasploit Framework and Core IMPACT.

I’ve modified the ISO specification to also include the hexadecimal values for the language code, making it easy to interpret the output from sdptool, available Projects section.

If anyone finds the language code 0x656f, please drop me a note.

-Josh

Jul 28

Special Evening Webcast on Kismet Newcore Thursday!

On Thursday night at 7pm EDT (4pm PDT) I’ll be giving a special evening webcast called “Budget Wireless Assessment using Kismet-Newcore“. I delivered this content at the SANS Denver conference a few weeks ago, but several people have contacted me complaining that they wanted to get in on the new features Kismet has to offer including plugins, new security framework, the new user interface, integrated graph views and more.

For example, did you know that Kismet Newcore has the ability to apply fine-grained channel hopping controls, allowing you to easily configure Kismet to spend more time on commonly used channels (such as channels 1, 6 and 11)? This allows you to focus the data collection process while not missing any AP’s that might on uncommon channels.

Kismet Newcore Channel Configuation

Kismet Newcore Channel Configuation

The webcast will use the SANS vLive! (formerly @Home) setup based on Elluminate. This software gives me the ability to do live demonstrations during the webcast with a Q+A interface and the ability for viewers to ask questions during the session.

What’s more, attendees will get a 10% discount code off my upcoming Ethical Hacking Wireless course, delivered in manageable 3-hour chunks once a week for 12 weeks, starting September 7th. More information on the Ethical Hacking Wireless vLive! course is available at http://www.sans.org/athome/details.php?nid=19608.

Sign up for the webcast today! https://www.sans.org/webcasts/show.php?webcastid=92713

-Josh