Shmoocon 2006: VoIP WiFi Phone Security Analysis

Shawn Merdinger gave a presentation on his personal research project covering the security of VoIP WiFi phones. For his initial investigation he is employing a “level one” methodology: the attacks a low to medium skilled hacker would try on a “first look” at the device, such as looking for open ports, finding developer leftovers, and misusing features. One thing common across all of the phones is how easily they succumb to DoS attacks. He talked about the issues with several specific phones. Many left open port 17185, which is the VxWorks database debug port. The favorite was the Clipcomm CPW-100E, which provides unauthenticated access to debugging accounts, letting you read call logs and even place calls, turning it into a remote listening device. You can hear Shawn talk about his project on Blue Box Podcast #13. Blue Box also has a copy of Shawn’s detailed slides. Here’s a list of the new phone security threats released at Shmoocon.

Shmoocon 2006: Anonym.OS: Security And Privacy, Everywhere You Go

kaos.theory’s Anonym.OS was probably the most widely covered project to come out of this year’s Shmoocon, spurred by Wired’s article, which was picked up by Slashdot, Ars, and others. Anonym.OS is a live CD based on OpenBSD 3.8 that provides anonymous internet access and aims to be usable by anyone. On the network it appears as a Windows machine, hiding among the majority of internet users. The CD does several things to protect the user, starting with a secure operating system. The main component is Tor, which we’ve covered before. All traffic is sent through Tor, and since the disk uses local DNS look-up you don’t have to worry about DNS requests leaking. I really like this project because kaos.theory has done all of the dirty work, like setting up really strict packet filter rules and forcing everything through Tor. Of course, I would have liked it even if it were just an OpenBSD live CD that used Fluxbox. The only two apps it has now are Firefox and GAIM. They are taking suggestions for what to add in the future and will probably be adding cryptographic filesystem support so that users can save files safely. If they added Gimp and a hard drive install script I would be using this at every con I attended.

Shmoocon 2006: A Young Gentleman’s Primer On The Reading And Emulation Of Magnetic Cards

If you paid attention to the comments on our story about a magnetic stripe card emulator, you would have seen Abend announce his Shmoocon talk. It was a pretty interesting talk about the basics of mag cards and some of the tricks employed by companies to obfuscate the data. To get a feel for the talk I suggest you listen to SploitCast #004, which features Abend as a guest. That, combined with his slides and tools, should give you a fine crash course in the technology. He also recommends Count Zero’s “A Day in the Life of a Flux Reversal”. Billy Hoffman, who did the Covert Crawler, has also worked with mag stripes and developed the program Stripe Snoop.

Shmoocon 2006: Wi-Fi Trickery Or How To Secure, Break And Have Fun With Wi-Fi

Franck Veysset and Laurent Butti, both from France Telecom R&D, presented several proof-of-concept tools at Shmoocon that use 802.11 raw frame injection. The first is Raw Fake AP. The original Fake AP is a script that generates thousands of fake access points. It is easy to spot because of tell-tale signs like the BSSID showing the AP has only been up for a couple of milliseconds. Raw Fake AP tries to generate legitimate-looking access points by modifying BSSIDs and sending beacon frames at coherent time intervals.

Raw Glue AP is designed to catch probe requests from clients scanning for a preferred ESSID. It then tries to generate the appropriate probe responses to keep the client occupied.

Raw Covert was the final tool. It creates a covert channel inside valid ACK frames, which are usually considered harmless and ignored by wireless IDS. The tool is really basic right now: there is no encryption and it doesn’t handle dropped frames.

Shmoocon 2006: The Church Of Wi-Fi Presents: An Evil Bastard, A Rainbow And A Great Dane!

The Church of WiFi gave a presentation on some of their recent projects. The first was coWPAtty, a program for brute forcing WPA-PSK. To speed up the process they created a table of pre-hashed WPA-PSK keys. WPA-PSK is seeded using the SSID of the router, so they grabbed the top 1000 SSIDs from Wigle.net and calculated the hashes for each one against a 170,000-word dictionary. Now they are able to check 18,000 keys/sec instead of just 12 keys/sec.
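To see why those tables have to be built per SSID, here is the standard WPA-PSK key derivation written out as an added example (not coWPAtty's or the Church of WiFi's code): the SSID is the PBKDF2 salt, so a table computed for one network name says nothing about another, and renaming a router off a common SSID is enough to make a precomputed table useless against it. The SSIDs other than the IEEE test vector are constructed for the demonstration.

```python
"""Added illustration (not coWPAtty's or the Church of WiFi's code) of the
WPA-PSK key derivation behind the tables described above: PBKDF2-HMAC-SHA1
over the passphrase, salted with the SSID, 4096 iterations, 256-bit output
(IEEE 802.11i). Because the SSID is the salt, a precomputed table only
covers the SSIDs it was built for."""
import hashlib

ITERATIONS = 4096
PMK_LEN = 32   # bytes; two SHA-1 blocks, so 8192 HMAC-SHA1 calls per passphrase


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key for (passphrase, ssid); WPA allows 8-63 ASCII chars."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def pmk_hex(passphrase: str, ssid: str) -> str:
    return derive_pmk(passphrase, ssid).hex()


def table_transfers(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Would a PMK precomputed for ssid_a also match ssid_b? Only when the
    salts are identical, so any change to the SSID invalidates the table."""
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # Known-answer vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print("password/IEEE   ->", pmk_hex("password", "IEEE"))
    # Constructed SSID: the same passphrase yields an unrelated PMK once the SSID changes.
    print("password/IEEE-2 ->", pmk_hex("password", "IEEE-2"))
    print("table built for IEEE still valid for IEEE-2?",
          table_transfers("password", "IEEE", "IEEE-2"))
```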

The next project was Evil Bastard, a custom WRT firmware. It is similar to Rogue Squadron, a firmware designed to spoof an access point and collect user information by phishing. Evil Bastard has even more tools, like Aircrack and Driftnet. It even features a “Point ‘n 0wn” interface that lets you just click on the target you want to automatically spoof.

The CoWF is also responsible for Kiswin, Kismet for Windows, which saves you from having to install Cygwin.

Shmoocon 2006: Covert Crawling: A Wolf Among Lambs

Billy Hoffman has built a site crawler that can hide its activity within normal web traffic. Crawling a website is one of the easiest ways to find exploitable pages, but the systematic nature of a crawl makes it stand out in logs. Billy set out to design a crawler that would behave like a normal web browser. It follows more popular links first (think “news”, not “legal notice”) and it doesn’t hit deep-linked pages directly without first creating an appropriate Google referrer. There are tons of other tricks involved in making the crawler look “human”, which you’ll find in Billy’s slides over at SPI Labs. You can also read about the talk on Wired News.

Shmoocon 2006: Behavioral Malware Analysis Using Sandnets

A common approach to analyzing malware is to turn it loose inside a VMware session, but some malware has methods for detecting virtual machines and will refuse to run if it encounters one. Joe Stewart has developed a tool called Truman that can be used to construct a sandnet. The sandnet expands on the idea of using VMware as a sandbox: the malware runs inside a normal OS environment, not a virtual one, and it interacts with what it thinks is an entire network.

This is how the setup works: you have two machines connected with a crossover network cable. Machine 1 is the server and machine 2 is the client that the malware will be run on. Machine 2 is booted via PXE into a clean Windows install (or whatever OS your malware is for). Once booted, it begins watching a directory on the server for the malware’s executable. Once you copy the executable into the directory, the Windows machine copies the file and executes it. After 10 minutes the Windows machine dumps its physical memory to disk and then shuts down. An image of the newly infected Windows file system is then saved. The client machine then boots into Linux for analysis of the new Windows image. Truman improves analysis speed because you don’t have to constantly reimage the client machine by hand.

The PXE server also acts as a faux Internet for the client machine. By watching tcpdump you can see what outbound connections the malware is trying to make. To aid in this process, Truman includes several fauxservers, which are just simple Perl scripts designed to act like servers. The fauxservers tell the malware exactly what it wants to hear in the hope that it will cough up logins, passwords and other useful information.
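What such a fauxserver looks like, as an added example rather than one of Truman's own Perl scripts: a fake SMTP service for the sandnet's faux Internet that accepts every command and records whatever credentials and message bodies the sample hands over. The hostname faux.sandnet and port 2525 are placeholders; in a Truman setup the server would listen on port 25 and the captured data would go to the analysis log.

```python
"""Added example in the spirit of Truman's fauxservers (not Truman's own Perl
scripts): a fake SMTP service that says yes to everything and records what the
sample hands over. FauxSmtp is socket-free so its logic can be unit-tested."""
import base64
import socketserver


class FauxSmtp:
    def __init__(self):
        self.captured = {"logins": [], "messages": []}
        self.auth_stage = None   # None, "user" or "pass" while in AUTH LOGIN
        self.in_data, self._user, self._body = False, "", []

    def handle(self, line):
        """One command line in (CRLF stripped), reply out; None while in DATA."""
        if self.in_data:                     # body lines until a lone "."
            if line != ".":
                self._body.append(line)
                return None
            self.captured["messages"].append("\n".join(self._body))
            self.in_data, self._body = False, []
            return "250 OK queued"
        if self.auth_stage == "user":        # AUTH LOGIN: base64 username ...
            self._user = base64.b64decode(line).decode(errors="replace")
            self.auth_stage = "pass"
            return "334 UGFzc3dvcmQ6"         # "Password:"
        if self.auth_stage == "pass":        # ... then base64 password
            pw = base64.b64decode(line).decode(errors="replace")
            self.captured["logins"].append((self._user, pw))
            self.auth_stage = None
            return "235 Authentication successful"
        cmd = line.split(" ", 1)[0].upper()
        if cmd in ("HELO", "EHLO"):
            return "250 faux.sandnet AUTH LOGIN"   # invite the sample to log in
        if cmd == "AUTH":
            self.auth_stage = "user"
            return "334 VXNlcm5hbWU6"         # "Username:"
        if cmd == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "221 Bye" if cmd == "QUIT" else "250 OK"   # MAIL, RCPT, RSET, anything


class Handler(socketserver.StreamRequestHandler):
    def handle(self):                 # run: TCPServer(("", 2525), Handler).serve_forever()
        smtp = FauxSmtp()
        self.wfile.write(b"220 faux.sandnet ESMTP\r\n")
        for raw in self.rfile:        # one line per iteration until the client hangs up
            reply = smtp.handle(raw.decode(errors="replace").rstrip("\r\n"))
            if reply:
                self.wfile.write(reply.encode() + b"\r\n")
        print(self.client_address[0], smtp.captured)   # Truman would log this
```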
