Jul 31

WPA Cracker is a WiFi security compromiser in the cloud, running on a high-performance cluster. Send them a dump of captured network traffic and $35, and they will try 136 million passwords in 40 minutes, tops (for $17, they’ll run the same attack at half speed) — the same crack would take five days on a “contemporary desktop PC.” They also have an extended, 284 million word dictionary that you can run for $55 in 40 minutes. They’ll also use the same process to crack the passwords on encrypted ZIP archives.

You’re safe if your password isn’t in any dictionary, including the special dictionaries used for password cracking (these dictionaries will try random words in combination, as well as common letter-number substitutions such as “1” for “i” and so on). The crack works on WPA and WPA2-locked networks.

Your best bet is a long, random string for a password — 64 bits of random noise will probably foil something like this for a good time to come. But good luck reading the password aloud to your visiting friend when she needs to get her laptop online.
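To make the advice concrete, here is an added Python example (not from the original post or the WPA Cracker service) that flags passphrases a dictionary-plus-substitution run would reach, and estimates, at the page's quoted rate of 136 million candidates in 40 minutes, how long exhausting a random passphrase would take; the wordlist, the substitution table and the sample passphrases are constructed for illustration.

```python
import math
import string

# Constructed stand-in for a cracking wordlist; the real service runs 136M-284M entries.
WORDLIST = {"password", "letmein", "dragon", "wireless", "sunshine", "blue", "sky"}

# Reverse the common letter/number substitutions such dictionaries try ("1" for "i", ...).
DESUBSTITUTE = str.maketrans({"1": "i", "3": "e", "4": "a", "0": "o",
                              "5": "s", "7": "t", "@": "a", "$": "s"})

# Rate quoted on the page: 136 million candidates in 40 minutes.
CANDIDATES_PER_SEC = 136_000_000 / (40 * 60)


def normalise(candidate: str) -> str:
    """Lower-case, drop trailing digits/punctuation, undo substitutions: 'Dr4g0n99!' -> 'dragon'."""
    base = candidate.lower().rstrip(string.digits + string.punctuation)
    return base.translate(DESUBSTITUTE)


def in_dictionary(candidate: str, wordlist=WORDLIST) -> bool:
    """True if a dictionary run (single words plus two-word combinations) would reach it."""
    base = normalise(candidate)
    if base in wordlist:
        return True
    return any(base[:i] in wordlist and base[i:] in wordlist for i in range(1, len(base)))


def entropy_bits(candidate: str) -> float:
    """Entropy if every character were drawn uniformly from the character classes actually used."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation)))
    pool = sum(size for test, size in classes if any(test(c) for c in candidate))
    return len(candidate) * math.log2(pool) if pool else 0.0


def years_to_exhaust(bits: float, rate: float = CANDIDATES_PER_SEC) -> float:
    """Worst-case time for the cloud cracker to try every candidate in a space of 2**bits."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)


def assess(candidate: str) -> str:
    """Classify a WPA/WPA2 passphrase along the lines of the page's advice (64 random bits as the bar)."""
    if in_dictionary(candidate):
        return "weak: dictionary word or substitution variant"
    bits = entropy_bits(candidate)
    if bits < 64:
        return f"marginal: ~{bits:.0f} bits of entropy"
    return f"strong: ~{bits:.0f} bits, ~{years_to_exhaust(bits):.0e} years to exhaust at the quoted rate"
```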

Jul 24

Hmm, it was only a matter of time. Wireless security researchers say they have uncovered a vulnerability in the WPA2 security protocol, which is the strongest form of Wi-Fi encryption and authentication currently standardized and available.

Malicious insiders can exploit the vulnerability, named “Hole 196” by the researcher who discovered it at wireless security company AirTight Networks. The moniker refers to the page of the IEEE 802.11 Standard (Revision, 2007) on which the vulnerability is buried.
Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network and compromise other authorized devices using open source software, according to AirTight.

The researcher who discovered Hole 196, Md Sohail Ahmad, AirTight technology manager, intends to demonstrate it at two conferences taking place in Las Vegas next week: Black Hat Arsenal and DEF CON 18.

The Advanced Encryption Standard (AES) derivative on which WPA2 is based has not been cracked and no brute force is required to exploit the vulnerability, Ahmad says. Rather, a stipulation in the standard that allows all clients to receive broadcast traffic from an access point (AP) using a common shared key creates the vulnerability when an authorized user uses the common key in reverse and sends spoofed packets encrypted using the shared group key.

Ahmad explains it this way:

WPA2 uses two types of keys: 1) Pairwise Transient Key (PTK), which is unique to each client, for protecting unicast traffic; and 2) Group Temporal Key (GTK) to protect broadcast data sent to multiple clients in a network. PTKs can detect address spoofing and data forgery. “GTKs do not have this property,” according to page 196 of the IEEE 802.11 standard.

These six words comprise the loophole, Ahmad says.

Because every client holds the GTK in order to receive broadcast traffic, the user of that client device could use the GTK to craft its own broadcast packet. From there, clients will respond to the sending MAC address with their own private key information.

Ahmad says it took about 10 lines of code in open source MadWiFi driver software, freely available on the Internet, and an off-the-shelf client card for him to spoof the MAC address of the AP, pretending to be the gateway for sending out traffic. Clients who receive the message see the client as the gateway and “respond with PTKs”, which are private and which the insider can decrypt, Ahmad explains.

From there, “the malicious insider could drop traffic, drop a [denial-of-service] attack, or snoop,” Ahmad says.

The ability to exploit the vulnerability is limited to authorized users, AirTight says. Still, year-after-year security studies show that insider security breaches continue to be the biggest source of loss to businesses, whether from disgruntled employees or spies who steal and sell confidential data.
What can we do about Hole 196?

“There’s nothing in the standard to upgrade to in order to patch or fix the hole,” says Kaustubh Phanse, AirTight’s wireless architect who describes Hole 196 as a “zero-day vulnerability that creates a window of opportunity” for exploitation.
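A toy model of the property Ahmad quotes, added here as an illustration rather than code from AirTight or the 802.11 standard: with an HMAC standing in for the frame MIC, a client can tell a spoofed unicast frame from the AP's own because only the AP and that client hold its PTK, but a frame tagged with the shared GTK verifies no matter which key holder built it. Keys, client names and addresses are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of the page's two key types; this is not 802.11 CCMP.
AP_MAC = "00:11:22:33:44:55"
GTK = secrets.token_bytes(16)                # one Group Temporal Key shared by the AP and every client
PTK = {"client-A": secrets.token_bytes(16),  # one Pairwise Transient Key per client, known only to AP and that client
       "client-B": secrets.token_bytes(16)}


def _mic(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Integrity tag over addresses and payload, standing in for the frame MIC."""
    return hmac.new(key, f"{src}|{dst}|".encode() + payload, hashlib.sha256).digest()


def build_frame(key: bytes, src: str, dst: str, payload: bytes) -> dict:
    """Whoever holds `key` can produce a frame that verifies; the frame itself only carries a claimed source."""
    return {"src": src, "dst": dst, "payload": payload, "mic": _mic(key, src, dst, payload)}


def client_accepts(client: str, frame: dict) -> bool:
    """A client checks broadcast frames with the GTK and unicast frames with its own PTK."""
    key = GTK if frame["dst"] == "broadcast" else PTK[client]
    expected = _mic(key, frame["src"], frame["dst"], frame["payload"])
    return hmac.compare_digest(expected, frame["mic"])


def insider_keys(client: str) -> list:
    """Everything an authorized client legitimately holds: the shared GTK and its own PTK."""
    return [GTK, PTK[client]]


def spoofed_ap_frame_accepted(insider: str, victim: str, dst: str) -> bool:
    """Does a frame claiming to come from the AP, built with only the insider's own keys, pass the victim's check?"""
    payload = b"constructed payload claiming to come from the AP"
    return any(client_accepts(victim, build_frame(k, AP_MAC, dst, payload)) for k in insider_keys(insider))
```

Broadcast frames tagged with the group key are indistinguishable from the AP's, which is exactly the "GTKs do not have this property" line; the same attempt against a unicast destination fails because the PTK of the victim is not among the insider's keys.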

Jun 21

If you want to improve a weak wireless signal, try these steps:

1. Position your wireless router (or wireless access point) in a central location
2. Move the router off the floor and away from walls and metal objects (such as metal file cabinets)
3. Replace your router’s antenna
4. Replace your computer’s wireless network adapter
5. Add a wireless repeater
6. Change your wireless channel
7. Reduce wireless interference
8. Update your firmware or your network adapter driver
9. Pick equipment from a single vendor
10. Upgrade 802.11b devices to 802.11g

For more detail, please follow this link:
Top 10 in Detail

Apr 4

An interesting attack: rather than going after the PC/server, this one goes after the data sent by wireless devices such as the wireless keyboards sold by Microsoft. The neat thing is that by using a replay attack you could also send rogue inputs to the device. But then it serves Microsoft right for using XOR encryption for the data streams, which can very easily be broken using frequency analysis.

Security researchers on Friday unveiled an open-source device that captures the traffic of a wide variety of wireless devices, including keyboards, medical devices, and remote controls.

Keykeriki version 2 captures the entire data stream sent between wireless devices using a popular series of chips made by Norway-based Nordic Semiconductor. That includes the device addresses and the raw payload being sent between them. The open-source package was developed by researchers of Switzerland-based Dreamlab Technologies and includes complete software, firmware, and schematics for building the $100 sniffer.

Keykeriki not only allows researchers or attackers to capture the entire layer 2 frames, it also allows them to send their own unauthorized payloads. That means devices that don’t encrypt communications – or don’t encrypt them properly – can be forced to cough up sensitive communications or be forced to execute rogue commands.

It’ll be interesting to see what other kinds of devices they can successfully use this data capture technique on. Keyboards are one thing, and I’d imagine the transmission range of a wireless keyboard is fairly limited so you or the sniffing device would have to be physically near to the target.

At least Logitech seem to have stepped up the security a bit by using AES-128 for the transmission on their wireless keyboards, but the researchers say they still may be able to crack it due to the way the secret keys are exchanged.

Again most likely not an algorithm problem but an issue with the implementation.

At the CanSecWest conference in Vancouver, Dreamlab Senior Security Expert Thorsten Schroder demonstrated how Keykeriki could be used to attack wireless keyboards sold by Microsoft. The exploit worked because communications in the devices are protected by a weak form of encryption known as xor, which is trivial to break. As a result, he was able to intercept keyboard strokes as they were typed and to remotely send input that executed commands on the attached computer.

“Microsoft made it easy for us because they used their own proprietary crypto,” Schroder said. “Xor is not a very proper way to secure data.”

Even when devices employ strong cryptography, Schroder said Keykeriki may still be able to remotely send unauthorized commands using a technique known as a replay attack, in which commands sent previously are recorded and then sent again.
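As an added illustration of the replay problem Schroder describes (this is not Keykeriki code or any vendor's protocol), the following Python model shows a receiver that authenticates every command with a shared key but, without a monotonic counter, executes a recorded frame each time it is resent; the pairing key and the command bytes are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for a per-device pairing key.
PAIRING_KEY = secrets.token_bytes(16)


def make_command(counter: int, command: bytes) -> bytes:
    """Transmitter side: 4-byte monotonically increasing counter || command || truncated MAC over both."""
    body = counter.to_bytes(4, "big") + command
    return body + hmac.new(PAIRING_KEY, body, hashlib.sha256).digest()[:8]


class Receiver:
    """Receiver side; replay_protection=False models a device that authenticates but never checks freshness."""

    def __init__(self, replay_protection: bool = True):
        self.replay_protection = replay_protection
        self.highest_seen = -1
        self.executed = []

    def process(self, frame: bytes) -> bool:
        body, tag = frame[:-8], frame[-8:]
        expected = hmac.new(PAIRING_KEY, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tag):
            return False                       # forged or corrupted frame
        counter = int.from_bytes(body[:4], "big")
        if self.replay_protection and counter <= self.highest_seen:
            return False                       # a previously recorded frame sent again
        self.highest_seen = max(self.highest_seen, counter)
        self.executed.append(body[4:])
        return True


def replay_demo(replay_protection: bool) -> int:
    """How many commands execute when one genuine frame is captured and then sent twice more."""
    rx = Receiver(replay_protection)
    frame = make_command(1, b"constructed: open-session")
    rx.process(frame)           # genuine transmission
    rx.process(frame)           # replayed
    rx.process(frame)           # replayed again
    return len(rx.executed)
```

Strong encryption alone does not close this gap; the freshness check is what turns the second and third copies into rejected frames.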

News time is always fun during conference season due to the fact all these interesting and new attacks and vectors are released for public consumption – generally along with code and examples.

If they can use the same techniques to own more interesting devices with more sensitive data, things could certainly get a little more heated.

Jan 12

BackTrack 4 Final is out, and along with this release come some exciting news, updates, and developments. BackTrack 4 has been a long and steady road: after the release of a beta last year, we decided to hold off on releasing BackTrack 4 Final until it was perfected in every way, shape and form.

This release includes a new kernel, a larger and expanded toolset repository, custom tools that you can only find on BackTrack, and more importantly, fixes to all (well, most..) major bugs that we knew of. For this release we received overwhelming support from the community, and we are grateful to everyone who has contributed to its success.

Get it from here:

http://www.backtrack-linux.org/downloads/

Dec 2

New in Nessus 4.2:
Web Based Interface
Nessus 4.2 comes with a built-in web interface which lets you start your scan and analyze the results from any system which can connect to your Nessus scanner.
Enhanced Reporting
Nessus 4.2 lets you compare different scans. It also contains an improved report export format, with additional templates being distributed regularly through the Nessus ProfessionalFeed.
Performance enhancements
Scans start quicker, plugins updates use less bandwidth, memory usage has been further reduced and the handling of network timeouts has been improved.

http://www.nessus.org/download/

Sep 22

Info from Offensive Security

This is it! After months of hard work, we are finally ready to present the free version of our online course – Metasploit Unleashed – Mastering the Framework. This resource will be a living, breathing Metasploit documentation entity. We will keep on updating and adding new modules and chapters as the MSF evolves.

Check the full announcement here:

http://www.offensive-security.com/blog/offsec/free-online-information-security-training-by-offensive-security/

Aug 26

Multiple serious security flaws in the Google Chrome browser could expose users to code execution attacks, according to an advisory released today.

The flaws, rated “high risk,” have been addressed in Google Chrome 2.0.172.43, which is released automatically to Chrome users.

Details on the serious issues:

CVE-2009-2935 (High Severity): A flaw in the V8 Javascript engine might allow specially-crafted Javascript on a web page to read unauthorized memory, bypassing security checks. It is possible that this could lead to disclosing unauthorized data to an attacker or allow an attacker to run arbitrary code. Technical details are being withheld until the fix is shipped to a majority of Chrome users. An attacker might be able to run arbitrary code within the Google Chrome sandbox
CVE-2009-2416 (High Severity): Pages using XML can cause a Google Chrome tab process to crash. A malicious XML payload may be able to trigger a use-after-free condition. Other tabs are unaffected. An attacker might be able to run arbitrary code within the Google Chrome sandbox.
With this update, Google Chrome will no longer connect to HTTPS (SSL) sites whose certificates are signed using the MD2 or MD4 hashing algorithms. These algorithms are considered weak and might allow an attacker to spoof an invalid site as a valid HTTPS site, Google explained.

Aug 18

It has been a long time since I made a video, so I thought I would make one on the WEPBuster script.

Thanks to markjayson.alvarez for such a nice tool, which saves our time when doing wireless pentests.

Decrypt WEP using WEPBuster

1) Download the tool here

check the project page http://code.google.com/p/wepbuster/

wget http://wepbuster.googlecode.com/files/wepbuster-1.0_beta_0.6.tgz
tar -xvf wepbuster-1.0_beta_0.6.tgz
cd wepbuster-1.0_beta
perl wepbuster

DONE

Video is here

http://blip.tv/file/2488100

Note: testing should be done only if you have permission on the AP; otherwise check your local laws, or you may end up in the newspaper or on TV ;)

Punter

Aug 9

As another edition of DefCon takes place and all kinds of species enter the cyber den’s gates, it is also home to the world’s most hostile wired and wireless networks.

This, understandably, creates challenges for the people in DefCon’s Network Operations Center (NOC), who were tasked with keeping the networks up and running and relatively clean of malicious traffic during the four days the conference ran this year.
Backstage pics.

About 10,000 hackers, crackers, feds, spies and noobs shared space on the networks this year.

The wireless network consisted of 50 wireless access points, each on its own virtual local area network, or VLAN. The NOC also set up 25 other wired VLANS to accommodate special groups, such as the security staff, speakers, journalists, and others.

The staff offered mirrored ports to anyone who wanted to access and analyze a copy of all traffic traveling on the network set up for conference attendees. This is where the Wall of Sheep organizers examined the traffic to search for log-ins and passwords traveling unencrypted on the wireless network. Once found, they projected the information onto a conference wall to raise awareness about information security.

Last year Threat Level presented the first-ever look inside the DefCon NOC. This year the NOC opened its doors for another exclusive tour of the network infrastructure that powers the convention.
