Dec 17

Wordlist Generation – CeWL on Ubuntu

CeWL is a custom wordlist generator written by Robin Wood. Written in Ruby, CeWL takes a target website as an argument and crawls the site for HTML, MS Office (2007 and earlier) and PDF documents. For each supported document, CeWL extracts the words, email addresses and metadata to build a wordlist.

Used with tools such as Asleap and coWPAtty, CeWL’s wordlist generation technique can be very useful, building a dictionary off words found on the target website. This often includes project names, acronyms and other content that apply specifically to the target and may be successful in a dictionary attack where standard dictionary words would not.
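To make the extraction step concrete, here is an added illustration (not CeWL's own code) of what CeWL pulls out of a single fetched page: the visible words filtered by a minimum length, counted by frequency, plus the e-mail addresses. It assumes the page has already been downloaded as a string; the sample HTML is constructed, and no crawling is done.

```python
"""Added example (not CeWL's own code): minimal word and e-mail extraction
of the kind CeWL performs on each fetched page. Assumes the page is already
downloaded as a string; no crawling is done here."""
import re
from collections import Counter

def html_to_text(html):
    """Drop script/style blocks, tags and entities, leaving visible text."""
    text = re.sub(r"<(script|style).*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"&#?\w+;", " ", text)

def build_wordlist(html, min_len=3):
    """Words of at least min_len characters (CeWL's -m option),
    most frequent first, ties broken alphabetically."""
    words = re.findall(r"[A-Za-z][A-Za-z'-]*", html_to_text(html))
    counts = Counter(w for w in words if len(w) >= min_len)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def extract_emails(html):
    """Distinct e-mail addresses in page order (CeWL's -e option)."""
    seen = []
    for addr in re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", html_to_text(html)):
        if addr not in seen:
            seen.append(addr)
    return seen

# Constructed sample page standing in for a crawled site.
SAMPLE_HTML = """<html><head><title>Acme Widgets</title>
<style>body { color: red }</style></head>
<body><h1>Project Falcon</h1>
<p>Acme builds widgets. Contact sales@acme.example or
support@acme.example about Project Falcon.</p>
<script>var x = "ignored words";</script>
</body></html>"""

if __name__ == "__main__":
    for word, count in build_wordlist(SAMPLE_HTML):
        print(f"{word}: {count}")
    print(extract_emails(SAMPLE_HTML))
```

Project names such as "Falcon" surface near the top of the list, which is exactly the site-specific content the post describes; the same output is also a quick way for a defender to check whether a site's own vocabulary is banned by the password policy.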

While I’m working on another project, I’ve departed from Gentoo to run Ubuntu 9.10. I’m looking forward to the day I can return to Gentoo, but until then, I got CeWL to run on Ubuntu without much complication:

$ sudo apt-get install exif libimage-exiftool-perl
$ sudo gem install http_configuration spider mime-types mini_exiftool rubyzip spider
$ echo "export RUBYOPT=\"rubygems\"" >>~/.bashrc
$ source ~/.bashrc
$ wget
$ tar xvfj cewl_2.2.tar.bz2
$ cd cewl
$ ./cewl.rb  --help
cewl 2.0 Robin Wood ( (

Usage: cewl [OPTION] ... URL
        --help, -h: show help
        --depth x, -d x: depth to spider to, default 2
        --min_word_length, -m: minimum word length, default 3
        --offsite, -o: let the spider visit other sites
        --write, -w file: write the output to the file
        --ua, -u user-agent: useragent to send
        --no-words, -n: don't output the wordlist
        --meta, -a: include meta data
        --email, -e: include email addresses
        --meta-temp-dir directory: the temporary directory used by exiftool when parsing files, default /tmp
        -v: verbose

        URL: The site to spider.

CeWL is one of the tools we cover in my Ethical Hacking Wireless course, running next in New Orleans on January 11-16. It’s not too late to sign up for this class, and escape the winter chill for good food and wireless hacking in New Orleans.


Dec 03

QuahogCon: We should have a raw bar.

QuahogCon is the first hacker conference to hit Rhode Island, April 23-25, 2010. Held in the fancy Hotel Providence in downtown Providence, this conference is 1/2 infosec and 1/2 hardware hacking and DIY electronics. I’ve submitted a proposal to talk about my research on ZigBee technology, which will nicely bridge both the infosec and hardware hacking sides of the conference.

I’m friendly with a lot of the folks putting on this conference, and I’m looking forward to the talks and events like badge hacking. Take a look at the QuahogCon website and consider submitting a talk. I hope to see you there!


Oct 25

Exploiting ZigBee at ToorCon 11 Slides

Yesterday I presented my findings on the security implications of the ZigBee protocol at ToorCon 11. I had a great audience and the presentation went smoothly as we looked at the basis of ZigBee technology and why ZigBee is important for embedded developers and interesting to attackers.

I also introduced a new project I’ve been working on dubbed KillerBee. KillerBee is a Python-based framework with several tools designed to exploit deficiencies in the design and implementation of ZigBee and IEEE 802.15.4 networks. The hardware I’m using with KillerBee is the AVR RZUSB stick, available from electronics resellers such as DigiKey and Mouser for $40 USD.

I’m still working on KillerBee, and it’s not quite ready for prime time yet. I’m planning on doing a full release at ShmooCon, so if you are interested in doing some hands-on ZigBee hacking at Shmoo, pick up a few RZUSB sticks and come find me at the InGuardians booth. I had a bunch of CDs printed up and distributed at ToorCon for an early preview of KillerBee, sample packet captures, specification documentation and more. If you want to get a copy of that, please drop me a note.

In the meantime, you can grab my slides from the presentation. I’d love to hear feedback on ZigBee and what people are doing with this technology, so drop me a note and let’s chat.


Oct 21

ToorCon 11: KillerBee – Practical Zigbee Exploitation Framework

On Saturday at ToorCon 11 I’m presenting my work in designing a framework and tools to exploit and manipulate ZigBee and IEEE 802.15.4 networks. KillerBee has been about 9 months in development, written in Python, leveraging the AVR RZUSB Stick as the interface to interact with these low-power networks.

ZigBee is an interesting wireless technology, not due to any particularly innovative design mechanisms (and certainly not from a robust security perspective) but because it interfaces with the kinetic world more than any other wireless protocol I’ve run into. It would be unheard of to use WiFi as a mechanism to control gas valves in distribution mains, and you would never see Bluetooth controlling a flood release main, yet ZigBee and IEEE 802.15.4 seem to fit in with these scenarios, often with little in the way of mature security testing.

My hope is that people evaluating ZigBee and IEEE 802.15.4 technology will be able to leverage KillerBee as a platform to test third-party products (and, for vendors, to test their own products) for vulnerabilities. In my presentation on Saturday, I’ll detail several examples of how I’ve been using KillerBee for this purpose, and how you can as well.

After the conference I’ll post my slides here, so stay tuned. If you are coming to ToorCon, please be sure to stop by and say “Hi”.


Aug 04

Bluetooth and OS Language Pack Correlation

The Bluetooth Service Discovery Protocol (SDP) is used to publish and enumerate the services of a Bluetooth device. Through SDP, your mobile phone knows that your Mac accepts file transfers or can extend your wired network over Bluetooth, for example.

We can enumerate the SDP information for a given device with the Linux command “sdptool”:

$ sdptool records 00:1D:25:EC:47:86

Service Name: FTP
Service RecHandle: 0x10002
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
  "OBEX" (0x0008)
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
    Version: 0x0100

This output shows us that the target is publishing the OBEX File Transfer service (the target is a Windows Mobile phone). The developer who implemented this profile gave it the service name “FTP”, which is what you would see in a typical GUI to identify this service.

Notice the data following the Language Base Attribute List, “code_ISO639”. This field refers to ISO specification 639:1988 (E/F), a 2-letter code for the language of the human-readable fields associated with this service. This language code will often correspond to the language pack on the host operating system. In this example, the value 0x656e is the hexadecimal equivalent of the ASCII letters “en”, denoting the English language used on this system.
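As an added illustration (not part of the original post), the following decodes the Language Base Attr List from sdptool output: the 16-bit code_ISO639 value is split into its two ASCII letters, and the encoding field is interpreted as the IANA MIBenum charset number that SDP uses (0x6a = 106 = UTF-8). The sdptool record below is constructed from the one shown above, and the ISO 639 name table is a small subset.

```python
"""Added example (not from the original post): decode the Language Base
Attribute List in sdptool output. Assumes the sdptool text layout shown
above; the record here is constructed from it."""
import re

# Small subset of ISO 639-1 two-letter codes (assumption: extend as needed).
ISO639_NAMES = {"en": "English", "de": "German", "fr": "French",
                "es": "Spanish", "ja": "Japanese", "zh": "Chinese",
                "eo": "Esperanto"}
# SDP carries the charset as an IANA MIBenum value.
MIBENUM_NAMES = {0x03: "US-ASCII", 0x6a: "UTF-8"}

# Constructed sdptool output modelled on the record in the post.
SAMPLE_RECORD = """Service Name: FTP
Service RecHandle: 0x10002
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
"""

def decode_iso639(code):
    """0x656e -> 'en': the 16-bit value is two ASCII letters."""
    return bytes([(code >> 8) & 0xff, code & 0xff]).decode("ascii")

def parse_language_base(text):
    """Return one dict per language base entry found in sdptool output."""
    entries = []
    m = re.search(r"Language Base Attr List:\n((?:  .*\n)+)", text)
    if not m:
        return entries
    block = m.group(1)  # only the indented lines of that list
    codes = re.findall(r"code_ISO639:\s*0x([0-9a-fA-F]+)", block)
    encs = re.findall(r"encoding:\s*0x([0-9a-fA-F]+)", block)
    bases = re.findall(r"base_offset:\s*0x([0-9a-fA-F]+)", block)
    for c, e, b in zip(codes, encs, bases):
        lang = decode_iso639(int(c, 16))
        entries.append({
            "language": lang,
            "language_name": ISO639_NAMES.get(lang, "unknown"),
            "encoding": MIBENUM_NAMES.get(int(e, 16), "MIBenum %d" % int(e, 16)),
            "base_offset": int(b, 16),  # attribute ID base for ServiceName etc.
        })
    return entries

if __name__ == "__main__":
    for entry in parse_language_base(SAMPLE_RECORD):
        print(entry)
```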

I find this information very useful since it helps me in selecting the right exploit for the target, using my two favorite penetration testing tools, the Metasploit Framework and Core IMPACT.

I’ve modified the ISO specification to also include the hexadecimal values for the language code, making it easy to interpret the output from sdptool; it is available in the Projects section.

If anyone finds the language code 0x656f, please drop me a note.


Jul 28

Special Evening Webcast on Kismet Newcore Thursday!

On Thursday night at 7pm EDT (4pm PDT) I’ll be giving a special evening webcast called “Budget Wireless Assessment using Kismet-Newcore”. I delivered this content at the SANS Denver conference a few weeks ago, but several people have contacted me complaining that they wanted to get in on the new features Kismet has to offer, including plugins, the new security framework, the new user interface, integrated graph views and more.

For example, did you know that Kismet Newcore has the ability to apply fine-grained channel hopping controls, allowing you to easily configure Kismet to spend more time on commonly used channels (such as channels 1, 6 and 11)? This allows you to focus the data collection process while not missing any APs that might be on uncommon channels.

Kismet Newcore Channel Configuration

The webcast will use the SANS vLive! (formerly @Home) setup based on Elluminate. This software gives me the ability to do live demonstrations during the webcast with a Q+A interface and the ability for viewers to ask questions during the session.

What’s more, attendees will get a 10% discount code off my upcoming Ethical Hacking Wireless course, delivered in manageable 3-hour chunks once a week for 12 weeks, starting September 7th. More information on the Ethical Hacking Wireless vLive! course is available at

Sign up for the webcast today!


Jul 22

Webcast Tomorrow: Smart Grid and AMI Security Concerns

The characters, places and events described herein are entirely fictional, and any resemblance to individuals living or dead is purely coincidental, kthxbye.

Tomorrow at 1pm EST Matt Carpenter (InGuardians), Walt Sikura (Industrial Defender) and I are delivering a webcast titled “Smart Grid and AMI Security Concerns” where we talk about the security challenges of the smart grid, discussing tools and techniques through which an attacker could exploit the security of the smart grid.

I’m very fortunate to get the chance to present with both Matt and Walt on a topic which I find not only fascinating but of significant importance as we roll out more and more smart grid systems in North America and throughout the world. The webcast is hosted through WebEx and you can sign up at:

We’re also planning to do this as a trilogy, where we’ll spend more time in later presentations digging deeper into attack methodologies and defense techniques, as well as what we are doing to exploit and secure smart grid components.


Jul 11

Wireless Ethical Hacking Training at Home – Discount!

As the author and lead instructor for the SANS Ethical Hacking Wireless course, I teach at several conferences a year and at customers’ sites. Between September 2nd and November 18th, I’ll also be teaching the Ethical Hacking Wireless course through the SANS vLive program. Instead of six 8-hour days of hardcore wireless security training, we break the course up into 12 sections: 3 hours a night, once a week for 12 weeks.

The vLive program is great because you get the benefits of live instructor-led training but in smaller, more manageable chunks. You also save your employer on travel costs. Best yet? Wireless hacking in your PJs on your couch.

The vLive offering is an upgrade over the old @Home system SANS has used before. You still get the demonstrations, exploits and attacks with slides and instructor Q+A, just like at a live conference. Miss a class? No problem! You’ll be able to catch the archived session at any point during the 12-week period.

To celebrate the new system, SANS is offering a 20% discount for a limited time. Visit the SANS website to sign up for SANS Ethical Hacking Wireless with vLive. The 20% discount is available until July 31, so sign up soon.

As always, please send me a note with any questions. Thanks!


Jul 11

Wireless Privacy Loss++; Amazon Kindle

Kindle DX

Fellow hacker and all-around rock-star Sherri Davidoff and I have been chatting lately about a new form of privacy loss from Amazon in the form of the Kindle.

I’m a big Kindle user, and I love having a good deal of my tech library with me on the Kindle DX when I travel. When I’m on-site with a customer and want to reference something from the Database Hacker’s Handbook, for example, I can buy and download it in a minute. The alternative is to find a Borders, drive there, buy the book, drive somewhere else because the first store didn’t have it, drive back to the customer and waste precious on-site engagement time. With the ability to read full 8.5×11 PDFs as well (the ZigBee-2007 PDF is keeping me busy at the moment), it’s well worth the cost of the unit.

However, it turns out that the Kindle keeps track of what you read. Presumably, this is just for synchronizing your last-read page across e-readers, but I suspect a company that recognizes the value of customer information such as Amazon wouldn’t let this be the only thing they collect about their e-book users.

Check out Sherri’s post on this topic on

Privacy loss often comes in convenient forms: TiVo cataloging each second of TV you watch and skip, the Nike+iPod leaving an RF breadcrumb trail of where you go and who you associate with, and many other examples. If anyone knows what Amazon’s policy is on the information they collect about Kindle users, I’d love to hear it.

Also check out my presentation from SANS 2009 titled “Privacy Loss in a Pervasive Wireless World.”