WPA faces new threat ‘Hole 196’ and new key bruteforcing service

WPA was hit hard in recent days by a rumor of a new threat called ‘Hole 196’.

The hole would allow GTK (Group Temporal Key) spoofing, forcing users to send the rogue AP their private key information and leading to an awesome, footprint-free (the medium is the air!) man-in-the-middle attack.

To understand transient keys over WPA, Md Sohail Ahmad from AirTight said:

WPA2 uses two types of keys: 1) Pairwise Transient Key (PTK), which is unique to each client, for protecting unicast traffic; and 2) Group Temporal Key (GTK) to protect broadcast data sent to multiple clients in a network. PTKs can detect address spoofing and data forgery. “GTKs do not have this property,” according to page 196 of the IEEE 802.11 standard. (…) Because a client has the GTK protocol for receiving broadcast traffic, the user of that client device could exploit GTK to create its own broadcast packet. From there, clients will respond to the sending MAC address with their own private key information.

The solution would be some kind of GTK signing so it could be validated through the endpoint (holding the PTK), protecting it from this spoofing attack.

The discussion now is whether it is really a flaw/threat or just another shenanigan from AirTight to gain attention from venture funding, but it seems (this time) to be a legitimate issue.

I’ve read on Bruce about a new service called “WPA Cracker”. The service consists of brute-forcing your WPA keys with dictionary attacks (backed by a rich and huge database), in many languages, on their cracking cluster of several machines.

Back in 2008, Chad Perrin discussed how cloud computing could be used for distributed cracking / bruteforcing. Some projects have managed that, like Free Rainbow Tables (DistRTGen @ Boinc).

The Church of WiFi maintains a huge database of WPA Rainbow Tables but the caveat is that keys are salted with the network’s SSID.

Yes, the Church Of Wifi has put a large rainbow table collection online. However, there are a few ways in which this collection has not met our needs. The first is that since each handshake is salted with the ESSID of the network, you have to build a unique set of rainbow tables for each network that you’d potentially like to audit. The Church Of Wifi has gone to heroic efforts to build tables for the 1000 most popular ESSIDs, but we find that this is often not enough. If someone has enabled WPA encryption on their wireless network, chances are that they’ve changed their ESSID to something that’s not very common as well.

Additionally, since they had to build so many sets, they had to limit the size of their dictionary in order to keep the resulting tables manageable. We feel that 1,000,000 words is really not large enough to do a comprehensive search, and that the way the dictionary was constructed discounts some of the specifics for WPA network password requirements. WPA Cracker provides a service that can crack the PSK of a network with any ESSID, using a dictionary that is several orders of magnitude larger.

From WPA Cracker’s FAQ on “Aren’t there Rainbow Tables?”

That’s a good approach since keys tend to have a fixed size (or rather, users tend to make them the minimum needed to meet the requirements), so you don’t spend computational power trying passwords that wouldn’t fit them.
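Why a precomputed table is tied to one network name, as an added example that is not WPA Cracker's or the Church of WiFi's code: WPA-PSK derives its 256-bit master key with PBKDF2-HMAC-SHA1 using the SSID as salt. The word list and the SSIDs other than "IEEE" are constructed samples, and the helper names are hypothetical.

```python
import hashlib

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def usable_words(words):
    """Drop candidates that can never be a valid WPA passphrase (wrong length)."""
    return [w for w in words if 8 <= len(w) <= 63]

def precompute(ssid, words):
    """A precomputed PMK table is only valid for the SSID it was salted with."""
    return {derive_pmk(w, ssid): w for w in usable_words(words)}

def exposed_by_table(passphrase, ssid, table_ssid, words):
    """Audit: would a table built for table_ssid reveal this network's passphrase?"""
    return derive_pmk(passphrase, ssid) in precompute(table_ssid, words)

# Constructed sample word list for the audit.
WORDS = ["admin", "password", "letmein", "sunshine2010", "correct horse battery staple"]

if __name__ == "__main__":
    # Same dictionary word, two SSIDs: only the common SSID is covered by the table.
    print(exposed_by_table("password", "linksys", "linksys", WORDS))
    print(exposed_by_table("password", "attic-lab-7f3a", "linksys", WORDS))
    # Non-dictionary passphrase on the common SSID: not covered either.
    print(exposed_by_table("q7#Vd2!mzL0p", "linksys", "linksys", WORDS))
```
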

WPA Cracker may not be a threat at all, since even with a huge cluster it’s limited to dictionary attacks. If you use a dictionary password, you deserve to be cracked.

Stuxnet targets SCADA systems via USB drive vectors

Microsoft disclosed a zero-day flaw in Windows Shell on Friday and Stuxnet (W32.Stuxnet) is already exploiting it to gain access to SCADA systems through its attack vector.

Since SCADA systems are updated mainly by CDs or pen drives, the attack vector fits like a glove. The malware targets Siemens’ Simatic WinCC software and intends to steal information like project schematics and upload it to an external website.

From CNet:

Once the malware locates the data it is looking for it encodes it and attempts to upload it to a remote server. The malware waits for a response from the server, which may contain more commands, he said.

Along with the data theft, Stuxnet also provides a trojan backdoor aimed at Siemens services and a rootkit (to hide itself from the system).

Once the machine is infected, a Trojan looks to see if the computer it lands on is running Siemens’ Simatic WinCC software. The malware then automatically uses a default password that is hard-coded into the software to access the control system’s Microsoft SQL database. The password has been available on the Internet for several years, according to Wired’s Threat Level blog.

Sophos has also released a video on YouTube showing a SCADA system compromised by Stuxnet.

The spreading is done by using stolen/spoofed signed digital certificates:

The malware includes a rootkit, which is software designed to hide the fact that a computer has been compromised, and other software that sneaks onto computers by using digital certificates signed by two Taiwanese chip manufacturers that are based in the same industrial complex in Taiwan–RealTek and JMicron, according to Chester Wisniewski, senior security advisor at Sophos. (Sophos has posted a video showing how a computer is infected on YouTube.) It is unclear how the digital signatures were acquired by the attacker, but experts believe they were stolen and that the companies were not involved.

Adding to this scenario, SCADA admins are not able to change the default password because doing so would break the software.

SCADA systems rely on the fact of being unplugged from networks and as Schneier said, “would YOU like to be the guy that breaks all installed systems controlling valves and such by adding security that nobody demands?”.

It seems that SCADA will demand closer attention from now on, since I agree with other professionals who doubt that this is the first SCADA malware.

Downgrade HTTPS connections to HTTP using Ettercap filters

Ettercap is a great tool for MITM poisoning and sniffing. Everyone in infosec should have played with it (or Cain) at least once.

Man-In-The-Middle

MITM attacks are pretty easy to perform on a local network but the tools tend to crash a LOT. Cain (Windows) is a little more stable than Ettercap, but I prefer Ettercap over Cain because it doesn’t spoof SSL, which I consider too loud depending on the attack. NOTE: Ettercap runs better in text mode.

Filters

Well, another nice feature of Ettercap is its filters. You can do a lot of stuff while playing with them. The nicest toy I’ve found to play around with so far is content rewriting (but I think custom packet injection can be even funnier). Irongeek has played with Ettercap filters in the past to rewrite img tags.

Sniffing while MITM

Sniffing plaintext passwords is just easy. Both Cain and Ettercap are built to detect common strings containing passwords, but SSL has made this kind of sniffing impossible and many sites are using it at least for the login process.

So while we wait for the super-quantum-computers to break 256-bit AES encryption, we may consider avoiding SSL for the period we’re sniffing, and I thought that filters could be perfect for that.

What would define where the login form data will be sent? The form’s action field. So if I can interfere in the HTTP response I can send the login data ANYWHERE.

I’ve decided to just downgrade the SSL because I always tend to make the least noise I can (because we don’t want to get caught by the forensics, do we?). I could redirect the request to a specially crafted site or so but it would be much more noticeable.

What if SSL is required on server-side

No problem, SSL on server-side can be a requirement but by the time the server complains, data was already sent over in plain-text. :)
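Seen from the defending side, the rewrite described above leaves a visible trace: a login form whose action no longer points at https. The following check is an added example, not the filter from the original post; the page URL, the two HTML snippets and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _LoginFormAudit(HTMLParser):
    """Collect the resolved action URL of every form that holds a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.action = None      # resolved action of the form being parsed
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page URL itself.
            self.action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and self.action is not None:
            is_password = (a.get("type") or "").lower() == "password"
            if is_password and self.action not in self.targets:
                self.targets.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def login_targets(page_url, html):
    audit = _LoginFormAudit(page_url)
    audit.feed(html)
    audit.close()
    return audit.targets

def cleartext_login_targets(page_url, html):
    """Login forms whose credentials would leave the browser unencrypted."""
    return [t for t in login_targets(page_url, html) if urlparse(t).scheme != "https"]

def downgraded_targets(page_url, known_good_html, received_html):
    """Targets that were HTTPS in a known-good copy but are cleartext as received."""
    good = {(urlparse(t).netloc, urlparse(t).path)
            for t in login_targets(page_url, known_good_html)
            if urlparse(t).scheme == "https"}
    return [t for t in cleartext_login_targets(page_url, received_html)
            if (urlparse(t).netloc, urlparse(t).path) in good]

# Constructed sample: the same page as published and as received on a poisoned LAN.
PAGE_URL = "http://shop.example/login"
KNOWN_GOOD = """<form action="http://shop.example/search"><input type="text" name="q"></form>
<form method="post" action="https://shop.example/session">
<input type="text" name="user"><input type="password" name="pw"></form>"""
RECEIVED = """<form action="http://shop.example/search"><input type="text" name="q"></form>
<form method="post" action="http://shop.example/session">
<input type="text" name="user"><input type="password" name="pw"></form>"""
```
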

Getting things done

You can get my filter on my github page.

Just run the attack with the filter (assuming router is 192.168.0.1 and victim is 192.168.0.100):

You should see the following output:

And your victim will no longer receive (nor send) any https string anymore.

Quick note about request / response filtering

Sometimes you may have to comment one leg (request / response) out of the filtering or you will get redirection loops (as when tampering with Facebook connections). Also, if the request is already under https, you won’t be able to filter it. The beauty of this attack is keeping your victim from escaping your domain to a secure zone.

HTH!

Batch-installing on Windows platforms with Ninite

Today a friend introduced me to a great tool called Ninite. It’s a batch-installer which comes with the most popular Windows FOSS available in the wild and saves you from downloading and manually installing them.

Ninite also skips installation screens (and their EULAs), and it’s perfect when you must set up several stations or constantly have some station setup to do. Ninite ISN’T a configuration management tool, but it is a good time-saver for smaller environments.

The Ninite Pro account gets a little smarter: it downloads software according to your processor architecture and system language, says ‘No’ to toolbars, and offers offline installation and some other goodies.

It may be a solution while we still wait for Puppet to support Windows stations, being a good FOSS initiative next to great market tools like Lumension’s Endpoint Manage Security Suite.

Security benchmark papers available from CIS

The Center for Internet Security has some great papers on security benchmarks for many OSes (all flavours of Windows, Linux and Solaris) and applications (Apache, MSSQL, MySQL, Oracle etc).

The papers are available to download at their CIS Resources Download.

CIS also has a great audit tool called the “CIS-CAT (Configuration Audit Tool) Benchmark Tool” that is SCAP-Validated as a Federal Desktop Core Configuration (FDCC) scanner tool by NIST and is in its wonderful NCP low-level benchmark repository.

Have fun!

Daniel Dantas’ hard drive encryption wins over FBI

Just read on Slashdot that the FBI failed to break the encryption of Daniel Dantas’s hard drives.

Daniel Dantas is a Brazilian banker involved in financial frauds, caught by the federal police in July 2008. The 5 hard drives seized by the Federal Police at his apartment were encrypted with the top-notch AES encryption algorithm with a 256-bit key. Two programs were used to manage the encryption and one of them was the widely used and known open-source tool TrueCrypt.

These drives keep secrets that can fully expose the financial fraud and bury Dantas and others involved in jail for a long time. Both agencies (FBI and NIC) failed to crack Dantas’ key. They tried bruteforce attacks for over 5 months but didn’t succeed.

According to G1 (Brazilian news site)

According to the report, the fed only requested help from USA in early 2009, after experts from the National Institute of Criminology (INC) failed to decode the passwords on the hard drives. The government has no legal instrument to compel the manufacturer of the American encryption system or Dantas to give the access codes.

Since the data on the drives can bury Dantas, I think that he won’t be giving away the key. Since it’s a 64-character key, I don’t think that he had it memorized. I even wonder whether it has been destroyed.

"Security" XKCD #538 issue comic

Just for fun, I used the Mandylion Labs Brute-force attack estimator and got to the following scenario: if 100.000 machines were used in the brute force it would still take 6,42E+106 years (sorry, no room for such zeroes) to crack the password.

Keep trying, feds! I wish you best luck (or get a $5 wrench)!

Online password generation utility from PcTools

Here’s a good online password generator from PcTools that generates passwords based on various parameters such as password length; inclusion of letters, numbers and special characters; ability to exclude similar characters etc.

Good to have bookmarked! There’s also a desktop version (Windows) of the password generator in the “Password Utilities” software provided by PcTools.

MDK3 goes bruteforcing Wireless SSIDs

One good practice is to disable your SSID broadcast so you don’t show up on the victims list. Although this doesn’t make you completely invisible, it does make the network harder to locate. (Networks can still be located by BSSIDs).

MDK3 was written by ASPj to bruteforce network SSIDs (even with wordlists).

Tape has done some testing and described it all in his blog post. It also has some videos of the attack in progress on a 3-character-length SSID.

MDK3 version 6 is already available with the latest release of BackTrack 4 on /pentest/wireless/mdk3.

The Church of Wi-Fi has some SSID wordlists available at their website.

Good cracking!

Mitigating the risk on an ARP poison attack

ARP poisoning is a technique that is quite simple to apply and allows traffic to be sniffed over a switched network. It can be used to sniff the connection on-the-fly and capture plain-text passwords or hashes. ARP poisoning can also be combined with other attacks such as DNS spoofing and packet filters in order to deploy client-side exploits transparently.

This attack can only be performed from the local network because ARP packets aren’t routed, so you can’t hop between LANs, but it can be performed from any machine on the same network, so it is a serious concern when dealing with unhappy employees, interns and industrial espionage. It is an even greater concern if you have public (or WEP encrypted) WIFI access in the same network (terrible mistake).

Countermeasures

ARP can’t really be blocked because it resolves IP addresses to MAC addresses. ARP packets must flow through the network (unless you have ALL your MAC addresses statically configured) so machines can talk to each other. ARP doesn’t verify requests and responses, so any machine is able to respond to an ARP request on behalf of another machine, making all traffic pass through it. This is the ARP poison attack and it is one of the most popular MITM techniques.

Subnetting

A well designed network is effective against several attacks, including an ARP poison attack. Since ARP packets can’t be routed, the attack is contained in the local network, so you may consider breaking your network into smaller subnets (VLANs). Note that the attack can still be escalated if a machine that communicates with other LANs is compromised.

Encryption

Encrypted traffic can be sniffed but can’t be understood. IPSec is feasible too, but you can secure your services under SSL so you don’t need to encrypt all your network traffic, which could slow down your network.

Static ARPs

You may write your ARP tables statically so they don’t need to be updated via requests and responses. This can be tough to manage, so you might consider delegating it to login scripts or other configuration management software. It’s like maintaining a hosts file.

Inline IDSs and ARP watchers

Using an inline IDS within your routers may detect ARP storms early and isolate the attacker. Some software may be set to watch ARP tables for changes. One ARP watch solution under UNIX systems is arpalert.
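A minimal version of the table-watching idea, combined with the static-ARP list from the previous section, as an added example (it is not arpalert's code). It compares two snapshots in the Linux /proc/net/arp layout; the addresses, MACs and function names are constructed for illustration.

```python
def parse_proc_net_arp(text):
    """Return {ip: mac} from /proc/net/arp-style text, skipping incomplete entries."""
    table = {}
    for line in text.strip().splitlines()[1:]:        # first line is the header
        fields = line.split()
        if len(fields) >= 6 and fields[3] != "00:00:00:00:00:00":
            table[fields[0]] = fields[3].lower()
    return table

def arp_alerts(before, after, static=None):
    """Compare two {ip: mac} snapshots and report signs of ARP poisoning."""
    static = {ip: mac.lower() for ip, mac in (static or {}).items()}
    alerts = []
    for ip, mac in sorted(after.items()):
        if ip in static and mac != static[ip]:
            alerts.append(("static-mismatch", ip, mac))   # pinned entry was overridden
        elif ip in before and before[ip] != mac:
            alerts.append(("mac-changed", ip, mac))       # binding changed between polls
    owners = {}
    for ip, mac in after.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:                                  # one NIC answering for several IPs
            alerts.append(("shared-mac", ",".join(sorted(ips)), mac))
    return alerts

# Constructed snapshots from a workstation: the gateway entry is rewritten to the
# MAC of another host on the LAN, which is what a poisoned cache looks like.
BEFORE = """IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:1a:2b:3c:4d:5e     *        eth0
192.168.0.66     0x1         0x2         00:de:ad:be:ef:66     *        eth0
"""
AFTER = """IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:de:ad:be:ef:66     *        eth0
192.168.0.66     0x1         0x2         00:de:ad:be:ef:66     *        eth0
"""

if __name__ == "__main__":
    pinned = {"192.168.0.1": "00:1A:2B:3C:4D:5E"}         # hypothetical static entry
    for alert in arp_alerts(parse_proc_net_arp(BEFORE), parse_proc_net_arp(AFTER), pinned):
        print(alert)
```
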

Kentuckiana ISSA’s Metasploit Class videos available at Irongeek

These presentations on exploiting with the Metasploit framework, given on May 8th, 2010 at the Brown Hotel in Louisville, Kentucky, have tremendous value. They’re from this month, still fresh! It’s 7 hours of presentations, so it takes a while to finish (I took almost a week! phew!) but it’s totally worth it!

It starts with Adrian “Irongeek” Crenshaw introducing Metasploit exploiting a Windows box via msfweb and msfconsole. Pretty neat.

Pwrcycle shows a good SYN scanning configuration on nmap with best practices for stealth using decoys and taking advantage of fragmentation against IPS/IDSs. He also describes database (sqlite) integration in MSF and importing nmap scan results (XML). Pwrcycle also talks a little about db_autopwn, which automatically exploits the target based on its open ports (from the nmap scan). Quite kiddie and stealthless (as Pwrcycle himself mentions in the video), but funny though.

Another great topic handled by Pwrcycle is pivoting, the technique of jumping through machines to escalate your privileges. You go from a restricted environment to a more-featured one, based on the compromised machine’s network and account privileges.

One that is very, very exciting is Elliott “Nullthreat” Cutright, who introduces stack overflows in a live demo (that was really cool): a step-by-step basic example using an outdated version of tftpd for Windows (attached to a debugger) that ends up spawning calc.exe.

In a great overview of the Meterpreter, Metasploit’s meta-interpreter payload, Martin “PureHate” Bos shows the advanced features you can easily achieve without tons of Assembly hacking, like file transfers, hash dumping, and so forth. He also mentions the capability of restoring the MAC (access, more specifically) times of a file. Forensics experts, go crazy! He also talks about psexec and event log clearing. Excellent!

This video introduces lots of concepts in post-exploitation like process migration, trace cleanup and even injecting the encoded (shikata ga nai polymorphic encoding, to avoid detection by AVs) meterpreter into executables to create backdoors (the creation of a persistent meterpreter backdoor is also covered). Martin also briefly shows Metasploit Express, which is a portable Metasploit version.

David “ReL1K” Kennedy opens his talk showing how language packs may influence the exploit since it changes memory locations and then proceeds to the opensource python-driven metasploit-integrated Social-Engineering Framework that exploits our weakest link in security: the human element.

Exploitation is done by spoofing (cloning) websites (which pairs excellently with Ettercap’s dns_spoof), spoofing the Meterpreter Java Applet signature or by exploiting serious browser flaws like the Aurora Memory Corruption (used as the example in the video) within the Metasploit integration.

David also talks about using common services’ ports to bypass egress filtering and exploiting SQL Server vulnerabilities with Metasploit and FastTrack.

Videos can be watched online at Adrian’s website. The videos can also be downloaded in a better quality (files ~ 500MB).

Awesome!