May 29

Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.

The company has activated its security response process to deal with the zero-day attacks and has issued a pre-patch advisory with workarounds and a one-click “fix it” feature to enable the mitigations.

From the advisory:

Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable.

The Fix: here

May 25

Originally, this was going to be one 4hr class, but Jeff had something come up so he could not cover WEP/WPA cracking, and my section took so long that Brian never got a chance to present his material on DD-WRT. I’m hoping to get them back to do a part 2 of this video. In this section I cover the basics of WiFi, good chipsets, open file shares, monitor mode, war driving tools, testing injection, deauth attacks and the evil twin attack. Some of this comes out as kind of a stream of consciousness, but hopefully you can find some useful nuggets from irongeek’s dump of what I’ve learned about 802.11a/b/g/n hacking. As far as classes go, this is the most complicated one the irongeek team had set up, and for a wireless class Brian and his partner had to run a lot of wires. :)
Security Slides can be found here

Right click and download from here:
http://www.archive.org/download/802.11-wireless-security-part-1-louisville-issa/801.11-Wireless-Security-Class-part-1.wmv

Size: 1.9 GB Runtime: 3:28:37 Codec: WMV

May 18

A quickly found flaw in the captcha authentication system allows an attacker to glean your WiFi WPA pass phrase from the router with only user-level access, and without properly solving the captcha.

When you login with the captcha enabled, the request looks like this:
GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2

The hash is a salted MD5 hash of your password, the auth_code is the captcha value that you entered, and the auth_id is unique to the captcha image that you viewed (this presumably allows the router to check the auth_code against the proper captcha image). The problem is that if you leave off the auth_code and auth_id values, some pages in the D-Link Web interface think that you’ve properly authenticated, as long as you get the hash right:

GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a

Most notably, once you’ve made the request to post_login.xml, you can activate WPS with the following request:

GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0

When WPS is activated, anyone within WiFi range can claim to be a valid WPS client and retrieve the WPA passphrase directly from the router.

Further, one need not log in with Administrative credentials to perform this attack; only User-level access is required to activate WPS. This means that even if you load the new firmware on your router, use a strong WPA pass phrase, and change your Administrative login, an attacker can still activate WPS and gain access to your wireless network by simply having an internal client view a Web page.

The attack works like this:

*Malware loads the router’s index page and gleans the salt generated by the router.
*The malware uses the salt to generate a login hash for the D-Link User account (blank password by default).
*The malware sends the hash to the post_login.xml page.
*The malware sends a request to the wifisc_add_sta.xml page, activating WPS.
*The attacker uses WPSpy to detect when the victim’s router is looking for WPS clients, and connects to the WiFi network using a WPS-capable network card.
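For anyone watching a router’s web-interface logs for this sequence, here is an added example (not part of the original post or D-Link’s code) that flags the two tell-tale requests described above: a post_login.xml login carrying the hash but no auth_code/auth_id, followed by a push-button WPS activation through wifisc_add_sta.xml. The log format and the sample lines are constructed for the example; only the URLs come from the post.

```python
# Added example: detect the captcha-bypass login plus WPS activation pattern
# in constructed web-interface access logs ("client method path" per line).
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample log. The first login carries the captcha fields and is
# fine; the second client logs in with the hash alone and then enables WPS.
SAMPLE_LOG = """\
192.168.0.10 GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2
192.168.0.10 GET /index.html
192.168.0.23 GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a
192.168.0.23 GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+)$")


def analyse(log_text):
    """Return a list of (client, finding) tuples for suspicious requests."""
    findings = []
    captcha_less_logins = set()  # clients that logged in without auth_code/auth_id
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        client, target = m.group("client"), m.group("target")
        url = urlparse(target)
        qs = parse_qs(url.query)
        if url.path == "/post_login.xml":
            # A login that sends the password hash but omits both captcha
            # fields is exactly the bypass the post describes.
            if "hash" in qs and not ("auth_code" in qs and "auth_id" in qs):
                findings.append((client, "login without captcha fields"))
                captcha_less_logins.add(client)
        elif url.path == "/wifisc_add_sta.xml" and qs.get("method") == ["pbutton"]:
            # Push-button WPS activation via the web UI; rate it higher when the
            # same client previously got in without solving the captcha.
            context = "after captcha bypass" if client in captcha_less_logins else "standalone"
            findings.append((client, f"WPS push-button activation ({context})"))
    return findings


if __name__ == "__main__":
    for client, finding in analyse(SAMPLE_LOG):
        print(client, finding)
```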

May 17

MoocherHunter – Detect & Track Rogue Wifi Users:

MoocherHunter™ identifies the location of an 802.11-based wireless moocher or hacker by the traffic they send across the network. If they want to mooch from you or use your wireless network for illegal purposes (e.g. warez downloading or illegal filesharing), then they have no choice but to reveal themselves by sending traffic across in order to accomplish their objectives. MoocherHunter™ enables the owner of the wireless network to detect traffic from this unauthorized wireless client (using either MoocherHunter™’s Passive or Active mode) and enables the owner, armed with a laptop and directional antenna, to isolate and track down the source.

Because it is not based on fixed or statically-positioned hardware, MoocherHunter™ allows the user to move freely and walk towards the actual geographical location of the moocher/hacker. In residential and commercial multi-tenant building field trials held in Singapore in March 2008, MoocherHunter™ allowed a single trained operator to geo-locate a wireless moocher with a geographical positional accuracy of as little as 2 meters within an average of 30 minutes.

You can download OSWA Assistant here to get MoocherHunter:
oswa-assistant.iso

May 14

The recent mass infection is through a vector I really don’t understand, seeing as you can legitimately download Windows 7 from Microsoft.

I guess people just prefer BitTorrent downloads to HTTP downloads, and whoever had this smart idea capitalized on that.

Microsoft should perhaps do something about that and put out a legitimate BitTorrent copy. I guess the problem is updates; once it’s out there and people are seeding, it’s out there for good and it’s not necessarily the latest build.

A Trojan buried within counterfeit copies of Windows 7 RC was used to build a botnet of compromised PCs.

The tactic emerged after researchers from security firm Damballa shut down the command and control servers used to control the system, reckoned to have drafted thousands of Windows PCs into its compromised ranks.
More about the worm
Trend Micro blog

May 12

A good-to-have PDF on cracking a 104-bit WEP key
pdf

May 11

Wellenreiter is a wireless network discovery and auditing tool. Prism2, Lucent, and Cisco based cards are supported. It is the easiest to use Linux scanning tool: no card configuration has to be done anymore, and the whole look and feel is pretty self-explanatory. It can discover networks (BSS/IBSS), and automatically detects ESSID broadcasting or non-broadcasting networks, their WEP capabilities and the manufacturer. DHCP and ARP traffic are decoded and displayed to give you further information about the networks. An ethereal/tcpdump-compatible dumpfile and an application savefile are created automatically. Using a supported GPS device and gpsd you can track the location of the discovered networks.
more

May 11

WVE is the source for in-depth information on wireless vulnerabilities. It provides a standardized nomenclature for vulnerabilities in wireless protocols and products, and for the exploits which take advantage of these vulnerabilities. It is also a database or catalog of these vulnerabilities and exploits.
more about WVE