Jun 01

Invasion of the Mobile Phone Snatchers

Today I delivered the first of a trilogy of webcasts promoting my new course with the SANS Institute, “Mobile Device Security and Ethical Hacking” (Security 575). In the presentation we look at the threat of lost or stolen mobile devices, examining how an attacker can use backup tools to extract data from mobile devices and bypass PIN authentication on Apple iOS and BlackBerry devices, and how to mitigate the impact of lost devices. Check it out!

-Josh

Mar 23

Pen Test Perfect Storm 6: We Love Cisco!

Today, Kevin Johnson, Ed Skoudis and I delivered the 6th part of the Pen Test Perfect Storm Trilogy: We Love Cisco!

In the webcast, hosted by CORE Security Technologies, we discussed attack techniques against Cisco devices, combining wireless, network and web app techniques to exploit common network architectures. Topics include:

  • Enumerating SNMP Community strings
  • Retrieving Cisco router or switch configurations over SNMP
  • History of vulnerabilities in the Cisco Wireless LAN Controller
  • Exploiting Cisco Web App interfaces with Burp Proxy and Burp Intruder
  • Exploiting Cisco Voice VLANs with voiphopper
  • A practical scenario, combining network, wireless and web app attack techniques

CORE is busy putting together the recording that you can download and watch at your leisure, but in the meantime you can grab the slides in the Presentations section, or directly here. All past presentations in PDF form are also available in the presentations section, or at the CORE Security Technologies webcast archive page.

Thanks to all who attended the webcast today!

-Josh

Dec 09

ISACA Review: Hacking Exposed Wireless 2nd Edition

A special thanks to Horst Karin for posting a great review of my new book, Hacking Exposed Wireless 2nd Edition, on the ISACA website.

If you haven’t already checked it out, you can browse the book through Amazon’s Page Viewer. For the first time in print, we provide in-depth coverage of attacking and exploiting WiFi as well as ZigBee, Bluetooth and DECT technology in the approachable and understandable Hacking Exposed style.

Be sure to check out our companion website to grab the online content and associated files for download.

-Josh

Jul 22

Webcast Tomorrow: Smart Grid and AMI Security Concerns

The characters, places and events described herein are entirely fictional, and any resemblance to individuals living or dead is purely coincidental, kthxbye.

Tomorrow at 1pm EST Matt Carpenter (InGuardians), Walt Sikura (Industrial Defender) and I are delivering a webcast titled “Smart Grid and AMI Security Concerns” where we talk about the security challenges of the smart grid, discussing tools and techniques through which an attacker could exploit the security of the smart grid.

I’m very fortunate to get the chance to present with both Matt and Walt on a topic which I find not only fascinating but of significant importance as we roll out more and more smart grid systems in North America and throughout the world. The webcast is hosted through WebEx and you can sign up at:

http://www.industrialdefender.com/news/webinar_smart_grid.php

We’re also planning to do this as a trilogy, where we’ll spend more time in later presentations digging deeper into attack methodologies and defense techniques, as well as what we are doing to exploit and secure smart grid components.

-Josh

Jun 04

Cowpatty 4.5

After too much time I have posted coWPAtty 4.5 with several fixes and a couple of new features:

  • Fewer restrictions on collecting the data needed to mount an attack.  The default behavior requires all 4 frames of the 4-way handshake to mount an attack.  If you specify “-2” on the command-line, coWPAtty will only require frames 1 and 2 of the 4-way handshake to mount an attack.  More on this below.
  • Validate that the needed information is present to mount an attack, without launching the attack (the “-c” option).  This was requested by Pure Hate for an awesome project he gave me a preview on.  I’m hoping details of this project will be public soon.

The “-2” option also includes fewer restrictions for validating the content of the packet capture. This was implemented by a patch submitted by Nathan Grennan, accommodating some APs that do not strictly adhere to the IEEE 802.11i/IEEE 802.11-2007 specification.

Removing the restriction of needing all 4 frames of the 4-way handshake to mount an attack has some interesting implications.  First, packet captures taken while channel hopping often miss parts of the 4-way handshake, since they can hop in the middle of the 4-way handshake exchange.  Relying on only frames 1 and 2 gives you a better chance of catching the needed data even if you are channel hopping.

coWPAtty "-2" utilization example

Second, it provides the ability for an attacker to mount an attack against a client even if they aren’t within range of their target network (for example, a WPA2-PSK user is at the airport).    Consider the following illustration:

Cowpatty Attack Scenarios

On the left is an example of what I consider a traditional WPA2-PSK attack.  The attacker gets within physical proximity of the target network and waits for (or coerces) the 4-way handshake between an AP and a valid client system.

On the right, however, is a less-understood attack scenario. In the 4-way handshake, the client system authenticates first, sending an HMAC-MIC in frame 2 to the AP. If an attacker impersonates the legitimate SSID of the network, they are able to send frame 1 of the 4-way handshake (which carries no authentication) and observe the HMAC-MIC of frame 2. At frame 2, the attacker has everything they need to recover the PSK (now with coWPAtty’s “-2” option). Frame 3 fails validation by the client, but by that point, it’s too late.

In practice, I’m testing this using HostAP running on my attack workstation, but that’s not even necessary. Simply take any SOHO AP, configure the SSID to reflect that of your victim with any pre-shared key, observe the exchange between the victim and the imposter AP, and supply the packet capture to coWPAtty with the “-2” option.

My transition to work for InGuardians has given me a chance to spend more time on penetration tests. As a result, I’ve started to change my mind about the value of “weaponized” attack tools. If a tool isn’t reliable, doesn’t work under many circumstances, and isn’t flexible enough to withstand an error or two, it takes much longer to be useful, and that costs your customer more. I’m using this as a motivator to make tools more effective and capable of demonstrating a point, thereby allowing you to provide greater value to your customer.

I’d love to hear comments and questions. Please add a comment below, or send me a note.

-Josh

May 03

Pen Test Perfect Storm Trilogy Slides

Over the last several months I had the pleasure of working with Ed Skoudis and Kevin Johnson in presenting a trilogy of webcasts titled the Pen Test Perfect Storm where we talk about techniques to combine network, web app and wireless pen testing. By combining these components of classic pen-tests, we are able to more effectively test the network for threats and dig deeper into an organization. Check out the slides and links to the webcast archives here:

  • Part I: The Pen Test Perfect Storm: Combining Network, Web App and Wireless Pen Test Techniques (slides); webcast: Flash Presentation with Audio
  • Part II: The Pen Test Perfect Storm: Client Side Mutiny (slides); webcast: Download WebEx Presentation with Audio
  • Part III: The Pen Test Perfect Storm: Network Reconstructive Surgery (slides); webcast: Download WebEx Presentation with Audio

Special thanks to Ed and Kevin for the chance to work with them on this series. Please drop me a note with any questions.

-Josh

Apr 11

Why Zoher Anis Rocks My Inbox

If you haven’t met Zoher Anis at a SANS conference or other popular venue, please make an effort to do so as soon as possible. Zoher is one of the most awesome guys I know, and humbles me with his new presentation “Why Joshua Wright loves Windows Vista? And why you should be glad you’re not running it.”

Zoher came up to me at the SANS 2009 Orlando conference and showed me a slide deck he made for a private audience about some of the awesome wireless stuff Microsoft added to Windows Vista. In it, he applies a lot of the Vista wireless hacks I wrote about in Vista Wireless Power Tools (for the penetration tester), and adds his own excellent Vista hacks in the process.

After I begged and pleaded, he allowed me to distribute a sanitized version on my site for your enjoyment. Thanks Zoher!

-Josh