Vista Wireless Power Tools

for the Penetration Tester

Tuesday, December 16, 2008


A few months ago I left my position at Aruba Networks to pursue a new career path.  My good friends at InGuardians (formerly Intelguardians) Ed Skoudis and Mike Poor offered me a position working with such a great team that I couldn't pass it up.  Now I work with a brilliant group performing security consulting services and research for a wide cross-section of customers.  I couldn't be happier.


While at InGuardians, I've been doing research on the Windows Vista wireless stack.  With NDIS 6.0, Vista has exposed a tremendous number of OIDs to developers, and provides a number of built-in tools that almost make Vista wireless a pleasure to work with (almost).  Besides the new programmatic features accessible to wireless-enabled applications, Vista has also standardized a lot of the Independent Hardware Vendor (IHV) functionality that was widely disparate in the XP world.  With both standardized driver interfaces and new accessible programming interfaces, Vista becomes very attractive as a wireless research platform.


My first foray into Vista wireless research is a paper published by my new employer titled "Vista Wireless Power Tools for the Penetration Tester".  The basic concept is that, as a penetration tester who has compromised a Vista host, we can use the built-in Vista features and some benign add-ons to exploit wireless networks remotely.  Written in the format of the classic tome "Unix Power Tools", Vista Wireless Power Tools demonstrates that the Vista wireless stack has a lot of benefit, not only for new applications and simplified troubleshooting for end-users, but also for a penetration tester wanting to establish network backdoors, discover new networks to attack and exploit wireless vulnerabilities.


With the paper come a couple of tools: VistaRFMON, which allows you to enable or disable IEEE 802.11 monitor mode on Vista, and nm2lp, which converts a NetMon 3.2 wireless packet capture to libpcap format.


As always, comments, questions and concerns are welcome.  Thanks!


-Josh
