Dec 09

ISACA Review: Hacking Exposed Wireless 2nd Edition

Hacking Exposed Wireless 2nd Edition Cover

A special thanks to Horst Karin for posting a great review of my new book, Hacking Exposed Wireless 2nd Edition, on the ISACA website.

If you haven’t already checked it out, you can browse the book through Amazon’s Page Viewer. For the first time in print, we provide in-depth coverage of attacking and exploiting WiFi as well as ZigBee, Bluetooth and DECT technology, in the approachable and understandable Hacking Exposed style.

Be sure to check out our companion website to grab the online content and associated files for download.


Aug 06

GIAC GAWN Ethical Hacking Wireless Testing Aid

David Cash, one of my fabulous Ethical Hacking Wireless students in my SANS vLive! class, has been diligently working every week to maintain a comprehensive index and table of contents for all 6 days of course material. Not only is he a whiz at pwning wireless, he’s pretty good at indexing, too.

David agreed to share this resource with his fellow students as a GIAC GAWN testing aid. For the GIAC exam for the Ethical Hacking Wireless class (GAWN), you are able to bring in any printed resource to the testing center. This includes all your books, hand-written notes, reams of whatever you printed from Wikipedia, etc.

With this resource, you’ll be able to spend your time in the exam answering questions rather than hunting through the books. Organized by day/module/page#, this is a must-have resource for anyone taking the GAWN exam.

My sincere thanks to David for putting this resource together, and for being an awesome student in the vLive! SEC617 class. You can download the index material here.


NB: This index will be useful for anyone taking the exam who has *already* taken the class on the date this note is posted (8/6/2010). Students taking the class after this date will get an updated version of the course with new material, making the topic references inaccurate. Thanks!

Aug 03

Reflections on “hole196”

Last week at BlackHat, AirTight Networks security analyst Md Sohail Ahmad presented his findings on a vulnerability dubbed “hole196”. Affecting WPA/WPA2 Enterprise networks, this issue allows an authenticated user to forge group-addressed (broadcast/multicast) data frames that appear to come from the AP, and to use that to mount ARP spoofing attacks against other clients, impersonate data frames from the AP, or create a DoS condition against other users. This is all through leveraging a key shared among all of the authorized clients in a wireless LAN, known as the Group Temporal Key (GTK). The “hole196” bit refers to page 196 of the IEEE 802.11-2007 specification, which notes that the GTK does not prevent packet forgery attacks from an insider.

The BlackHat presentation slides were distributed on the BlackHat conference CD, and since the slides lack any kind of a copyright notice, I think it’s OK for me to mirror them here.

Initially, this flaw had some people concerned, since an early article published by Network World and Joanie Wexler indicated:

Clients who receive the message see the client as the gateway and “respond with PTKs”, which are private and which the insider can decrypt, Ahmad explains.

If this attack could get a client to reveal their PTK, even requiring that the attack start from an insider perspective, then I’d be coding up an exploit tool instead of writing this post. This, however, appears to be a misquote by Wexler, or a misunderstanding by Ahmad. No-one has clarified this quote as far as I have seen.

The truth behind this issue is that, well, it’s a non-issue for most organizations. An authenticated insider could already mount an ARP spoofing attack to set up a man-in-the-middle, which a wired IDS could detect; with this technique the same attack is carried out inside the encrypted wireless network, where a wired network IDS never sees it. The best way to detect this attack is through a wireless IDS, of which AirTight is a leading vendor (“Yay, Capitalism!”).
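To make the key asymmetry concrete, here is an added example (mine, not AirTight’s code or anything from the presentation) that models why an insider can forge group frames but still cannot read another client’s unicast traffic. The cipher is a stand-in (SHA-256 keystream plus a truncated HMAC, not CCMP), the MAC addresses and keys are constructed, and the station names and functions are assumptions for the demo:

```python
"""Toy model of the hole196 key asymmetry: every station shares the GTK, so an
insider can forge group-addressed frames that all clients accept as if from the
AP, while per-station PTKs still keep unicast traffic private from that insider.
The cipher below is a stand-in (SHA-256 keystream + truncated HMAC), not CCMP."""
import hashlib
import hmac

BROADCAST = bytes.fromhex("ffffffffffff")
AP_MAC = bytes.fromhex("00aabbccddee")        # constructed addresses
VICTIM_MAC = bytes.fromhex("001122334455")
INSIDER_MAC = bytes.fromhex("00deadbeef01")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy; stands in for AES-CTR in CCMP)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def protect(key: bytes, ta: bytes, ra: bytes, pn: int, payload: bytes) -> dict:
    """Encrypt-then-MAC a frame. As in CCMP, the nonce is built from the transmitter
    address and a packet number, and both addresses are authenticated by the tag."""
    nonce = ta + pn.to_bytes(6, "big")
    ks = _keystream(key, nonce, len(payload))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    tag = hmac.new(key, ta + ra + nonce + ct, hashlib.sha256).digest()[:8]
    return {"ta": ta, "ra": ra, "pn": pn, "ct": ct, "tag": tag}


def unprotect(key: bytes, frame: dict):
    """Return the plaintext, or None if the tag does not verify under this key."""
    nonce = frame["ta"] + frame["pn"].to_bytes(6, "big")
    expected = hmac.new(key, frame["ta"] + frame["ra"] + nonce + frame["ct"],
                        hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, frame["tag"]):
        return None
    ks = _keystream(key, nonce, len(frame["ct"]))
    return bytes(c ^ k for c, k in zip(frame["ct"], ks))


class Station:
    """A WPA2 client: its own PTK plus the network-wide GTK."""

    def __init__(self, mac: bytes, ptk: bytes, gtk: bytes):
        self.mac, self.ptk, self.gtk = mac, ptk, gtk

    def receive(self, frame: dict):
        # Key selection is by receiver address: group frames -> GTK, our unicast -> PTK.
        # Nothing in this choice can tell which GTK holder really sent a group frame.
        if frame["ra"] == BROADCAST:
            return unprotect(self.gtk, frame)
        if frame["ra"] == self.mac:
            return unprotect(self.ptk, frame)
        return None


def _derive(label: bytes) -> bytes:
    """Stand-in for the 4-way handshake key derivation (constructed, fixed keys)."""
    return hashlib.sha256(b"hole196-demo:" + label).digest()


def hole196_demo() -> dict:
    gtk = _derive(b"gtk")                      # one GTK handed to every station
    victim = Station(VICTIM_MAC, _derive(b"ptk-victim"), gtk)
    insider = Station(INSIDER_MAC, _derive(b"ptk-insider"), gtk)

    # 1. The insider uses the shared GTK to forge a broadcast carrying the AP's MAC as
    #    transmitter (e.g. a gratuitous ARP naming itself as the gateway).
    forged = protect(insider.gtk, AP_MAC, BROADCAST, pn=7,
                     payload=b"ARP reply: 10.0.0.1 is-at " + INSIDER_MAC.hex().encode())
    victim_sees = victim.receive(forged)

    # 2. The same insider cannot read the AP's unicast to the victim: different PTK.
    unicast = protect(victim.ptk, AP_MAC, VICTIM_MAC, pn=8, payload=b"victim-only data")
    with_own_ptk = unprotect(insider.ptk, unicast)
    with_gtk = unprotect(insider.gtk, unicast)

    return {
        "forged_broadcast_accepted": victim_sees is not None,
        "forged_broadcast_plaintext": victim_sees,
        "insider_reads_unicast": with_own_ptk is not None or with_gtk is not None,
    }


if __name__ == "__main__":
    print(hole196_demo())
```

Running it shows the victim accepting the forged broadcast as AP-originated while every attempt by the insider to open the victim’s unicast fails. That is the whole story of hole196: the GTK was only ever meant to protect group traffic from outsiders, and a WIDS that notices group frames with the AP’s transmitter address arriving from a client radio is the practical way to catch the forgery.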

When significant wireless attacks emerge, I call my customers to remind them that I do get let out of my cave every now and then, and to help them understand their exposure to the attack. I don’t believe “hole196” falls into the category of significant wireless attack, so it’s back to the cave I go.

For a 2nd perspective, and an excellent technical write-up, please see Glenn Fleishman’s article over at Ars Technica. In the meantime, contact me with any questions/concerns/comments.


Aug 01

Evading IPS/IDS with TCP Checksum Forgery

Judy Novak, one of my early mentors and a good friend, has posted an excellent article on manipulating IPS/IDS with TCP checksum forgeries. She also details the effect of this crafty manipulation on Snort, with great examples you can use against your own IPS/IDS.

TCP Checksum Forgery Example

Check out her article, and also check out the Scapy class she wrote for the SANS Institute. If you want to be a packet ninja, mastering Scapy with Judy will get you there fast.
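The mechanism behind the evasion is simple enough to model in a few dozen lines. The following is an added example of my own (not Judy’s code or anything from her article): it builds TCP segments with correct and deliberately wrong checksums, then reassembles the stream twice, once as a receiving host that validates checksums and once as a sensor that does not. The IP addresses, ports, payloads and the first-segment-wins overlap policy are constructed assumptions for the demo:

```python
"""Model of the TCP checksum-forgery evasion: a sensor that does not validate TCP
checksums reassembles chaff segments the destination host will silently discard,
so the two see different streams. Addresses, ports and payloads are constructed."""
import struct

SRC_IP = bytes([10, 0, 0, 5])      # constructed endpoints
DST_IP = bytes([10, 0, 0, 80])
PROTO_TCP = 6


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    return src_ip + dst_ip + struct.pack("!BBH", 0, PROTO_TCP, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over pseudo-header + segment, with the checksum field treated as zero."""
    seg = bytearray(segment)
    seg[16:18] = b"\x00\x00"
    return (~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(seg)) + bytes(seg))) & 0xFFFF


def checksum_valid(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """A receiver verifies by summing everything including the checksum: must be 0xFFFF."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, *, corrupt=False):
    """Minimal 20-byte TCP header (data offset 5) plus payload; corrupt=True forges the checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    seg = header + payload
    csum = tcp_checksum(src_ip, dst_ip, seg)
    if corrupt:
        csum ^= 0x5555          # any wrong value will do; the host drops the segment
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def reassemble(src_ip, dst_ip, segments, *, verify_checksum):
    """Rebuild one direction of a stream by sequence number. The first segment seen for
    a given sequence number wins (a simplification of real overlap policies)."""
    chunks = {}
    for seg in segments:
        if verify_checksum and not checksum_valid(src_ip, dst_ip, seg):
            continue                                 # a real host drops it here
        seq = struct.unpack("!I", seg[4:8])[0]
        data_offset = (seg[12] >> 4) * 4
        chunks.setdefault(seq, seg[data_offset:])
    return b"".join(chunks[s] for s in sorted(chunks))


def evasion_demo():
    """Returns (what the host reassembles, what a non-verifying sensor reassembles)."""
    base = 1000
    psh_ack = 0x18
    real = [build_segment(SRC_IP, DST_IP, 40000, 80, base + off, 1, psh_ack, chunk)
            for off, chunk in ((0, b"AT"), (2, b"TA"), (4, b"CK"))]
    # Chaff at the same sequence number as the second real segment, sent just before
    # it, with a deliberately wrong checksum.
    chaff = build_segment(SRC_IP, DST_IP, 40000, 80, base + 2, 1, psh_ack, b"XX", corrupt=True)
    on_the_wire = [real[0], chaff, real[1], real[2]]
    host_view = reassemble(SRC_IP, DST_IP, on_the_wire, verify_checksum=True)
    sensor_view = reassemble(SRC_IP, DST_IP, on_the_wire, verify_checksum=False)
    return host_view, sensor_view


if __name__ == "__main__":
    host, sensor = evasion_demo()
    print("host reassembles:  ", host)
    print("naive sensor sees: ", sensor)
```

The host ends up with ATTACK while the non-verifying sensor reassembles ATXXCK and matches no signature. The fix is on the sensor side: make it validate checksums the way the end host does (in Snort 2 that is the checksum_mode configuration directive). One caveat when you test this yourself: captures taken on a host with checksum offload enabled will show bad checksums on perfectly good outbound segments, so take the sensor’s view from a tap or SPAN port, not from the sending machine.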


Jun 07

WiMAX Network Scanning Work-in-Progress

I’m in Baltimore this week teaching Ethical Hacking Wireless. We’re having a lot of fun, and since we’re in Baltimore, it’s a good opportunity to spend some time with WiMAX and the Clear (Sprint) network here.

Motorola Clear CPEi-725

I stopped off at Best Buy a few hours ago and picked up a Motorola WiMAX Clear modem (CPEi 725) for US$90. A little while later, I whipped up a tool to use it for scanning WiMAX networks in the area, shown below.

BS ID                   RSSI    Sector ID       NAP ID  Freq.
 0x000002012136          -86     0x36            0x02    2.56150 GHz
 0x000002000034          -75     0x34            0x02    2.54150 GHz
 0x0000020000e4          -76     0xe4            0x02    2.54150 GHz

BS ID                   RSSI    Sector ID       NAP ID  Freq.
 0x000002011ca5          -85     0xa5            0x02    2.65700 GHz
 0x000002000034          -72     0x34            0x02    2.54150 GHz
 0x000002000014          -84     0x14            0x02    2.56150 GHz
 0x000002000088          -90     0x88            0x02    2.55150 GHz
 0x0000020000e4          -76     0xe4            0x02    2.54150 GHz
 0x000002000094          -86     0x94            0x02    2.65700 GHz
 0x0000020000b2          -87     0xb2            0x02    2.66700 GHz

More to come.


May 10

Maximum Overdrive Redux?

Last night at SANS SecWest 2010 in San Diego I gave a presentation I’ve been working on called “Maximum Overdrive Redux”, looking at exploiting embedded and smart hardware systems. We started off with the AC/DC video from the 1986 Stephen King movie about how machines take over and start killing people, eventually manipulating them into human pawns.

Maximum Overdrive "Happy Toys" Truck

This movie was pretty bad, and Stephen King is even quoted as saying “I was coked out of my head” while directing it. As a result, it became a cult classic, and I thought it was a pretty good analogy for what we’re seeing with the increased reliance on, interconnectivity of, and physical-world access granted to embedded systems.

I made four critical points in the presentation:

  • Tools for exploiting embedded systems are available and getting better;
  • Embedded systems are becoming more interconnected;
  • Vendors are widely overlooking the security of embedded platforms;
  • Attackers can leverage flaws in embedded systems to exploit the physical world.

I backed up these points by looking at attacks against smart card parking meters, home area networks, Internet-connected vehicle control systems, Verizon MiFi devices, the SHODAN Computer Search Engine, NIBE Heat Pumps and more. I’ve posted the slides in the Presentations section.

Comments, questions, concerns? Please drop me a note.  Thanks! -Josh

Feb 03

MiFi Config Hack

In my previous post, I wrote about a method to exploit the default password selection on Verizon MiFi devices.  As a MiFi user, I’m also interested in other ways I can manipulate the device.

The configuration settings for the MiFi are fairly straightforward, and some users have pointed out that there are additional settings that can be applied via a customized config file (browse to Advanced -> Config File -> Download File, then edit and upload). However, the MiFi also has a hidden advanced configuration page, at a URL that is not otherwise linked from the administrative pages.

Hidden MiFi Configuration Page

On this page we are able to set a variety of options not accessible with the default management interface:

  • Leverage WEP as an encryption and authentication mechanism (yay!);
  • Increase the number of simultaneous stations allowed to share the MiFi WLAN at any given time;
  • Adjust the transmit power level of the WLAN interface for more range or longer battery life;
  • Manipulate other wireless settings very few people understand and even fewer care about.

These settings could previously be changed by manually editing the config.xml file, but now you can do it without all the hassle of XML+notepad.