Research

“Vista Wireless Power Tools for the Penetration Tester”, December 16, 2008, Joshua Wright
Published by InGuardians, Inc.

Summary: With the advent of NDIS 6, Microsoft has exposed new wireless functionality in Windows Vista hosts. Through this programmatic functionality, and supplied tools in Windows Vista, a compromised Vista host becomes a valuable conduit for a penetration tester, allowing them to explore and exploit nearby wireless networks, and establish network backdoors for unrestricted access to internal networks. This paper explores many of the new Vista Wireless features, from the perspective of a penetration tester.

“Dispelling Common Bluetooth Misconceptions”, September 19, 2007, Joshua Wright.
Published in the SANS Technology Institute Security Laboratory.
Summary: As a decidedly “ad-hoc” technology, Bluetooth devices are often used within organizations outside the control of IT management. Few organizations recognize the threat of Bluetooth technology, often because of misconceptions about the technology and the threats its use presents. This white paper dispels several common misconceptions regarding Bluetooth technology, allowing organizations to better assess their exposure to Bluetooth threats.

“Five Wireless Threats You May Not Know”, August 28, 2007, Joshua Wright.
Published in the SANS Technology Institute Security Laboratory.
Summary: Many organizations have turned to strong encryption and authentication protocols, leaving significantly deficient protocols such as WEP and LEAP behind. However, many threats are still looming that affect wireless networks, requiring an ever-present diligence in the analysis and defense of wireless networks.

“802.11b Firmware-Level Attacks”, September 29, 2006, Mike Kershaw, Joshua Wright.
Summary: This paper describes a new style of DoS attack against 802.11 networks that abuses flaws in the firmware of popular 802.11 wireless cards. The impact of this attack is more damaging than other 802.11 DoS attacks: as few as two packets from an attacker can deny service to all targeted users, and a system restart is often needed to recover from the attack.

“Applying Wired IDS History to Wireless IDS”, November 1, 2005, Joshua Wright.
Summary: The wireless IDS industry is still immature, and continues to perpetuate the mistakes made by wired IDS vendors many years ago. This paper examines several flaws in wireless IDS technology that could have been avoided by learning from the mistakes of wired IDS vendors.

“An Assessment of the Oracle Password Hashing Algorithm”, October 18, 2005, Joshua Wright, Carlos Cid.
Published in the SANS Technology Institute Reading Room.
Summary: In this paper the authors examine the mechanism used in Oracle databases for protecting users’ passwords. We review the algorithm used for generating password hashes, and show that the current mechanism presents a number of weaknesses that can be practically exploited by an attacker.

“Weaknesses in Wireless LAN Session Containment”, May 19, 2005, Joshua Wright.
Published by Network Magazine.
Summary: This paper describes the characteristics of wireless LAN session containment techniques used to stop an unauthorized station from connecting to a monitored access point. Using the traffic analysis techniques described in this paper, an attacker can fingerprint the type of wireless LAN intrusion detection system deployed to monitor and protect the wireless network, and potentially evade the session containment functionality altogether.

“Detecting Wireless LAN MAC Address Spoofing”, January 21, 2004, Joshua Wright.
Summary: This paper describes some of the techniques attackers use to disrupt wireless networks through MAC address spoofing, demonstrated with captured traffic generated by the AirJack, FakeAP and Wellenreiter tools. Through the analysis of these traces, the author identifies techniques that can be employed to detect applications that are using spoofed MAC addresses. With this information, wireless equipment manufacturers could implement anomaly-based intrusion detection systems capable of identifying MAC address spoofing and alerting administrators to attacks against their networks.

“Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection”, November 8, 2002, Joshua Wright.
Summary: Wireless LAN discovery through the use of applications such as NetStumbler, DStumbler, Wellenreiter and others is an increasingly popular technique for network penetration. A discovered wireless LAN might be used for seemingly innocuous Internet access, or as a “backdoor” into a network to stage an attack. This paper reviews some of the tactics used in wireless LAN network discovery and attempts to identify some of the fingerprints left by wireless LAN discovery applications, focusing on the MAC and LLC layers. This fingerprint information can then be incorporated into intrusion detection tools capable of analyzing data-link layer traffic.