Monday, May 4, 2009

SSL Strip on Mac OS X

After playing around with SSL Strip for a while on BackTrack 4, I decided on trying to get it up and running on my MacBook. It turns out it was actually quite easy!

First thing, is to download the SSL Strip package from Moxie Marlinspike's homepage. You can grab it from the link above.

Next, if you're using MacPorts Python 2.5, like I am, you'll need to:

sudo port install py25-socket-ssl

The MacPorts Python 2.5 port maintainer decided to split the ssl sockets modules up into a different package for some reason, so you'll need to add it as shown.

Now, you'll need to make sure your Mac is configured to do ip forwarding and make sure that the ip firewall is enabled. Use the following commands to do so:

sysctl net.inet.ip.forwarding
sysctl net.inet.ip.fw.enable

If either of those are disabled, set them like so:

sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.fw.enable=1

Now, your system should be set for ip forwarding and applying firewall rules.

The firewall rules can now be modified to forward all port 80 traffic to the port which SSL Strip will listen on. If you want to listen on 1234, for example, the following ipfw command will set you up:

ipfw add fwd,1234 tcp from not me to any 80

The add fwd,1234 part tells ipfw to add a new rule for forwarding traffic to on port 1234. The rest of the command is the logic which will be used to match the traffic which needs to be forwarded. The tcp obviously specifies that it will match on only TCP traffic. from not me to any makes it so that it will match any traffic which is being sent from any address other than your IP to any other IP address. If you instead use any to any I found that SSL Strip's traffic will get redirected to itself, which will cause problems. Finally, the 80 specifies that only TCP traffic destined for the HTTP port will be forwarded.

Finally, with that rule set up, all that needs to be done is to run SSL Strip. Running it with -h shows the following options:

sslstrip 0.2 by Moxie Marlinspike
Usage: sslstrip

-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post Log only SSL POSTs. (default)
-s , --ssl Log all SSL traffic to and from server.
-a , --all Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port> Port to listen on (default 10000).
-f , --favicon Substitute a lock favicon on secure requests.
-k , --killsessions Kill sessions in progress.
-h Print this help message.

So, the basic python -l 1234 should get you started.

The kill session and favicon options are handy, so those are worth checking out. Also, the -a option is handy if you need to debug things or just want a dump of all traffic which is running through the proxy.

I think that's about it for all the configuring. Running and parsing the results of SSL Strip is something I'm sure you all can figure out.

Let me know if any of the above steps don't work for you. Otherwise, happy hacking, don't do anything mean and as usual, have fun!

Update 05/18/2009 -
After seeing Ivan's question, I realized I didn't provide anything on how to convince people to connect through you instead of the default gateway. Oops! Well, here's the rest:

I used arpspoof when setting up sslstrip for the first time because I'm more used to it and I also find it easier to target individual clients. Also, I think it reduces my chances of breaking connectivity on the entire LAN if my ipfw config was off.

So, what I did in my initial testing was:

arpspoof -i en1 -t

Where en1 is my Mac's AirPort adapter, is the client I'm attempting to MITM and is the address I'm spoofing which is the default gateway for my LAN.

I didn't use ettercap with sslstrip, but if I remember my ettercap correctly, you can use it to attack an entire LAN like so:

ettercap -i en1 -Tq -M arp / // -P autoadd

In this example, -Tq enables just the console interface in quiet mode, -M arp instructs ettercap to use ARP poisoning for doing the MITM, / // instructs it to poison all connections between the gateway and any other hosts on the LAN. Finally, the -P autoadd enables the autoadd plugin so that new hosts are poisoned upon connecting to the LAN. You may need to use -M arp:remote which enables ettercap to sniff remote connections, but I think you'll be fine without.

Hope this helps!

Friday, April 17, 2009

Hack a social network - Get a job

There's been lots of hoopla going around today about this Mikeyy Mooney character, and I have to say I find the whole situation incredibly irritating.

For those people who don't know, of which I doubt there are many, this 17 year-old recently hit Twitter with a series of XSS worms which move from one account to another. Just today, another one was supposedly released by him which is targeting popular users in an effort to spread faster.

The worm would post messages under your account along the lines of "Twitter, hire Mikeyy!" or "Dude, Mikeyy is the shit!". This has caused many people to wonder whether or not their account was compromised and their password stolen. Fortunately, the attack did not require stealing your credentials, so members' profiles remain safe. Or at least they will, once this worm has been eradicated.

Aside from the obvious damage of causing Twitter to spend many man-hours remediating this and correcting the vulnerability, I fear it has also damaged the InfoSec community and Web 2.0 community as a whole.

I could re-hash all of this, but I think Innismir put it very eloquently in a post on his blog:
Word came out today that Mike (I refuse to call him by that insane double "Y" name) was hired by Travis Rowland, owner of a small company out in Oregon called exqSoft. Allegedly he's going to be doing web development for them, but this move sends EXACTLY the wrong message: Do a sufficiently splashy compromise, and get yourself a job.

I have no beef with Mr. Rowland as a person, nor do I disagree with his assertion that Mike could have done something a lot worse. However, rewarding this behavior is going to encourage copycat attacks and that helps no one. Already there is a prevalent attitude among youths involved in computing that in order to get a job in Computer Security later on in life, you need to be a l33t h@x0r and pwn people.

I completely agree with him here. I also fear a rash of copycat attacks from people hoping to prove themselves as l33t and get enough cred to land jobs. I just don't understand why someone could be so foolish as to say "Hey, you know how you hijacked thousands of people's accounts, without their knowledge, without their consent, and never even thought to assist the site in fixing the problem once you exploited it? That was awesome! Here... have a job!"

To me, this is nothing short of ridiculous. I've known plenty of younger kids who have asked me about hacking, said they wanted to be hackers before, and always asked, "How many people's computers have you hacked? Could you hack my friend's computer for me?" I fear for kids like this. An example such as Mikeyy is just what we need to push them into doing the same things in an attempt to become 'cool' and 'popular'.

I have to say, though, as someone who is in his mid-20's and has aspirations for a nice career in InfoSec, I can kind of identify with this. It can be fun to poke at sites and maybe pull some XSS or CSRF tricks on your friends. It can be good practice, and sure you can brag about how you made one of your friends post 'I <3 Hannah Montana' on your favorite message board.

But, the one difference is if I ever play around like this and actually exploit something or someone before reporting it, I have existing relations with all the parties involved: web admin, tricked friends, etc. and they know me well enough to understand it was not malicious. Furthermore, when I'm done, I say "Yea, that was neat, and oh, by the way, here's how you can fix this."

Something of this magnitude, however, is utterly unacceptable no matter what your intentions. What's even sillier is that after hiring Mikeyy, Travis Rowland had the audacity to say to one of the Twitter co-founders: "@biz hope u guys don't file lawsuit against him, hope u understand Mikeyy did u favor and could have compromised personal information."

I hope Twitter reads this and says to themselves, "Yea he really did us a favor! Not only did he point out a security flaw to us, but he also gave us thousands of accounts which we need to go clean up! Isn't he wonderful?" and then proceeds to take him to court in order to get reimbursed for all their time which they've wasted on cleaning up something which should have never happened in the first place.

Anyhow, I hope we see the end of this soon, and I hope the kid gets what is coming to him. I mean, this is a good start, at least if it's true that it actually happened to him, but I, for one, would like to see something a little more legal brought down upon his dumb self.

Thursday, March 26, 2009

Mozilla symbols + source in your WinDBG

After seeing the new Firefox 0-day which was announced today, I thought it would be fun to play with the PoC code.

Also, WinDBG has been becoming my debugger of choice lately, so I decided it would be nice to use that for debugging Firefox while I take a look at the exploit code.

In order to make debugging a little easier, I decided to poke around and see how I could go about getting debug symbols and source for Firefox and make it all work snazzily with WinDBG. Turns out Mozilla has these awesome pages for doing just this: symbols howto and source howto

It was actually astonishingly easy. Just typing these into your command window should be sufficient:

.sympath+ srv*c:\users\ryan\documents\symbols\firefox*
.srcpath+ srv*c:\users\ryan\documents\sources\firefox

and that's it!

Now all your symbols and sources for this WinDBG session will be downloaded to your symbols\firefox and sources\firefox folders respectively. Of course, you'll want to replace the c:\users\ryan\documents with whatever your location is, but that's about it.

Go to it and hack you some Firefox!

Tuesday, March 24, 2009

Diffing the output of two commands

Today, while doing some server maintenance, I needed to diff the output of two different commands. To be more specific, it was actually the same command, but with different sets of arguments. As an example, let's say I wanted to diff the contents of two folders, /tmp/folder1 and /tmp/folder2.

What I had done in the past was:

ls -l /tmp/folder1 > tmp.txt
ls -l /tmp/folder2 | diff tmp.txt -    # "-" makes diff read the second input from stdin
rm tmp.txt

Today I decided there had to be a better way to do that and set out to discover how. What I found was something that I had long forgotten about: named pipes. If you're not familiar with named pipes, check Wikipedia. For a refresher of how they work in Unix, here's an example:

mkfifo mypipe

then in two separate shells type:

ls -l > mypipe


cat < mypipe

Now, with a pipe already created, I can accomplish my task a little more quickly and efficiently:

ls -l /tmp/folder1 > mypipe &          # writer runs in the background; it blocks until something reads the pipe
ls -l /tmp/folder2 | diff mypipe -     # diff reads the first listing from the pipe and the second from stdin

However, after reading all the way through this great Linux Journal article I learned that what would work even better is the great <(...) syntax:

diff <(ls /tmp/folder1) <(ls /tmp/folder2)

This does exactly what I wanted to do without needing to create any temporary files or named pipes myself. What's happening here is that BASH creates a temporary named pipe and fills it using the output of the command between the parens.
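To show the named-pipe approach from start to finish, here is a small helper added to this post (it is not code from the original article or the Linux Journal piece). It does what the mkfifo example above does, but creates the pipe in a temporary directory, cleans it up afterwards, and hands back diff's exit status, so it can be used in scripts. It is plain POSIX sh and assumes only mkfifo, mktemp and diff; the sample directories it builds are constructed here for the demonstration.

```shell
# Added example (not from the original post): diff the output of two commands
# through a temporary named pipe, the same idea as the mkfifo approach above,
# but self-cleaning and portable POSIX sh (no bash-only <(...) needed).
# Assumes only mkfifo, mktemp and diff.

diff_cmd_output() {
    # $1, $2: command strings, each run with `sh -c`.
    # Returns diff's exit status: 0 same, 1 different, 2 error.
    _dir=$(mktemp -d) || return 2
    _fifo="$_dir/pipe"
    mkfifo "$_fifo" || { rm -rf "$_dir"; return 2; }
    # The writer runs in the background: opening a fifo for writing blocks
    # until a reader (diff, below) opens the other end.
    sh -c "$1" > "$_fifo" &
    _writer=$!
    # "-" tells diff to read its second input from stdin, i.e. the second
    # command's output; the first input is the fifo fed by the background job.
    sh -c "$2" | diff "$_fifo" -
    _status=$?
    wait "$_writer"
    rm -rf "$_dir"
    return "$_status"
}

# Constructed sample input: two directories that share a.txt but differ in
# their second file, so the listings differ by exactly one name each way.
make_sample_dirs() {
    _base=$(mktemp -d) || return 1
    mkdir "$_base/folder1" "$_base/folder2"
    : > "$_base/folder1/a.txt"
    : > "$_base/folder1/b.txt"
    : > "$_base/folder2/a.txt"
    : > "$_base/folder2/c.txt"
    printf '%s\n' "$_base"
}

# Usage, mirroring the post's folder comparison:
#   base=$(make_sample_dirs)
#   diff_cmd_output "ls $base/folder1" "ls $base/folder2"
```

The background writer is what makes this work: a process opening a fifo for writing does not return from open() until a reader shows up, so starting the first command in the background and letting diff open the pipe avoids the deadlock you get by running the two steps in sequence in one shell. Under bash, `diff <(cmd1) <(cmd2)` does the same thing with less typing; the function is only worth having when the script must run under a plain /bin/sh.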

As you can see, temporary pipes make these quick one-offs much, much easier.

Take a look at that awesome article for a peek at more awesome stuff you can do with named pipes.

I'll have to admit that I've not used named pipes much (maybe only once or twice that I can remember), but after this, I'll definitely keep my eyes peeled for more excellent piping opportunities.


Saturday, March 21, 2009

Visor is my new best friend

Okay, so maybe it isn't my new best friend, but this is the first time I've mentioned it.  I've been using Visor for quite some time now, and every time I use it I fall even more in love with the tool.

From the Visor page: "Visor provides a systemwide terminal window accessible via a hotkey, much like the consoles found in games such as Quake."

If you love the tool QuickSilver, and feel a little nervous when you don't have quick access to a command line (I get extremely nervous, personally), then this tool might just be for you.  It's easy to install, and once running, a quick press of CTRL+` brings down your console window:

Combine this with Screen and you'll practically never need a standard Terminal window again.  I used to have two or three Terminals open at all times, now I only ever open one if I really need a full screen console.  Being able to SSH into another machine and quickly change some settings was never easier now that my console is just a keystroke away! No more CMD-Tabbing, Exposé, or excessive mouse clicking.  It's quick and easy, and a must-have for Mac users who are Terminal nuts.

Check it!

Thursday, March 19, 2009

Make VMWare stop syncing your guest clock with your host

Here's a little trick which I've just stumbled upon. If you're ever doing some sort of software or malware testing and you need your VM to stick to a time far in the past or in the future and persist this through suspend, resume, reboot, etc. add these properties to your .vmx file:

tools.syncTime = FALSE
time.synchronize.continue = FALSE
time.synchronize.restore = FALSE
time.synchronize.resume.disk = FALSE
time.synchronize.shrink = FALSE

This will pretty much prevent your VM from ever syncing its clock with your host. At first, I thought that disabling the clock sync option in VMWare tools was enough, but it turned out not to work so well. Your clocks would stay out of sync while the VM was running, but the second you suspended and resumed it or rebooted it the VM would sync. The above options will prevent that.

Also, you'll want to make sure that you disable any NTP or similar services within the guest OS so that it doesn't end up syncing with an internet time server.

I can't tell you how long I've been trying to figure this out. At some point I just gave up because I didn't think it possible.

Here's the great PDF which describes VMWare's timekeeping and where I found those options.

Cheers and happy VM-ing!

Thursday, March 5, 2009

Embedding DLLs and EXEs inside your Win32 PE

I'm re-writing some code from C# to Win32 C++ right now, and needed to access a PE which was embedded inside a .Net assembly. My first thought was to see if I could access the resource within the .Net assembly from my Win32 program. Unfortunately, it does not appear that .Net embedded resources are contained within your typical PE resource section, but are inside some .Net specific assembly resource location.

So, I figured, the embedded PE needed to be moved out of the .Net assembly and into the PE I am building with C++. So, I spent a few hours trying to figure out how to embed and access arbitrary binary data inside the PE resource section, and found this really great blog post.

After I found that, it was just a matter of minutes until I got it working with my Win32 program. Thanks, Akbar!

Tuesday, March 3, 2009

Botnet Turfwar - Zeus Crimeware Kit Vulnerability

Botnet turfwars are nothing new. People have been hijacking other people's botnets for several years, even back in the IRC botnet days. You could easily grab a chunk of a competitor's botnet if you were able to get access to their IRC channel and, after determining the command set of the bots, issue an update command pointing at your own bot.

But, with tools such as Zeus and Firepack, it may be even easier to grab a botnet and all of the stolen data which was obtained by the bots prior to you jacking another guy's bots.

Dancho Danchev, in his post about a Zeus Kit vulnerability, and another, citing an example of how an actual bot master lost much of his botnet, explains how some of these new kits might open up a flood gate of botnet jacking activities.

Just like how botnets take over thousands of machines which run outdated OSes and software, competing bot masters are taking over thousands of bots on potentially hundreds of nets which are running outdated command and control servers.

Although some people would wonder why an attacker would hack another attacker, it actually makes perfect sense. The malware business is exactly that, a business. Bot masters make real $$$ by spamming or stealing information with their bots. If you can jack another dude's 100k node botnet and double your own profits, why wouldn't you?

It will be interesting to see how this trend progresses. If a certain toolkit becomes more popular, but also is poorly coded, it could lead to some very amusing battles :)

Like Excite Truck? Then check out Excitebots!

Monster Games, the company who made Excite Truck, and which my bro has been working at for some time, has finally come public with news of the next game, called Excitebots:

This is huge for me, because he's been telling me about all the fun development stories and meetings with the folks from Nintendo Japan, but I've never been privy to any of the juicy details, not even the name, until recently. All I ever knew was, "It's going to be like Excite Truck, but better."

Just recently, Nintendo released their list of upcoming games. Once that happened, I finally heard word from my brother about what the game's name was. It was definitely cool to hear the name after many months of not knowing. Unfortunately, though, all it was then was a name, because there still weren't any screen shots or anything.

Today, however, I saw the article in Nintendo Power. Finally, some images! I think I can say that all the waiting was worth it. I liked Excite Truck, but it didn't have all that much replayability. Excitebots, though, has online play, so that should make it much more fun since you can play with your buddies online. I don't know what the online play is like, but I imagine it should be pretty cool.

Anyhow, if you like Excite Trucks, please go out and get Excitebots so my bro and his company can keep making cool games!

Check your GMail passwords

A new GMail CSRF vulnerability was announced today which allows attackers to determine and/or change a user's password.

Of course, this requires that you're logged in to GMail and that you visit a particular page which is hosting the CSRF vulnerability. This is often accomplished by sending you a link in an email, so that once you click the link, you're guaranteed to be logged in.

I think the main threats right now are that if you have an easy password, an attacker can determine what your password is pretty easily by running a few CSRF attacks against you. There is also the possibility of someone changing your password, but that requires that they already know your password or can get you to type it in for them on the malicious web page.

Bottom line, make sure you have a secure password, and as always, be wary of emails from strangers (especially HTML emails).

Monday, February 23, 2009

Fun with Web Developer Toolbar

This isn't anything special, just something I found amusing. So anyhow, I needed to refill some meds today, and I was feeling quite lazy, so I used the web portal to place a refill.

Now, if I place the order with a person over phone, they tell me it'll be ready in half an hour. The thing that is annoying is that when I place the order through the automated phone system or through their website, it requires between an hour and a half or two hours to process the refill order.

My problem was this: I wanted the order to be ready by 5:30, but the earliest the website would let me choose was 6:00. Well, 6:00 wouldn't work for me, because I need to be out of the office at 5:30 and at home by 6:00. So, with a quick click of the Web Developer option "Convert Select Elements to Text Inputs", I was able to enter my own time, bypassing their silly check that would never have affected me if I had called them and talked to an actual person.

Thanks, Web Developer toolbar, you totally made my entirely crappy day end on a pretty decent note!

Saturday, February 21, 2009

Adobe Reader/Acrobat Vuln

Adobe just released a security bulletin (Adobe APSA09-01, US-CERT TA09-051A) regarding Adobe Reader and Adobe Acrobat versions 9.0 and earlier.  The vulnerability involves malicious JavaScript which can be embedded in a PDF document which has the ability to execute arbitrary code on your system.

In order to prevent people from getting attacked by this, current suggestions are that you disable the displaying of JavaScript in PDFs as well as disable the automatic rendering of PDFs in your browser.  If your browser is set up to display PDFs automatically, visiting a malicious website may be all that an attacker needs to install malicious software on your computer.

My recommendation is that you trash Adobe Reader altogether if you use it and get Foxit Reader.  If you use Adobe Acrobat, I believe Foxit has a version which can be used to edit PDFs as well.

I have used Foxit Reader for several years now and find it a much better replacement for your everyday PDF reading needs.  It is extremely lightweight, has no crappy auto-updater, has browser integration, and can be downloaded as a single executable (at least it used to be, I think it's still available this way).

Either way, be very careful when it comes to opening PDFs in coming weeks.  Adobe's current plan is to have the 9.0 versions fixed by March 11 and 8.0 fixed some time later.

Friday, February 20, 2009

I Hate Data Retention

So I'm already biased against Data Retention in general, as well as pathetic excuses for parents' lack of understanding when it comes to raising children, but this new bill being proposed is nothing short of ridiculous on both fronts.

The bill that is being proposed will require that anyone who provides access to the Internet through temporary addresses (i.e. DHCP) must log the information of anyone who connected through them for two years. This includes ISPs, businesses, hotels, coffee shops, and even your girlfriend (remember that time you set up a WRT54G with a hacked firmware on it so she could piggyback off someone else's wifi?). Okay, your girlfriend only counts if she's running her own DHCP server, but you get the point.

The bill is titled the "Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act," or Internet Safety Act. Now I'm all for protecting kids from being exploited online, but is this really necessary?!? In my opinion, this is completely pointless. What are people with home Wi-Fi going to do? Do we set up a server to log all their traffic? Maybe log the MAC and IP of everyone who hopped on their network? What if their MAC was spoofed? If we don't log their traffic, what can a spoofed MAC tell us about that person?

What does this really accomplish? I suppose it makes people feel better, knowing that the gov't has a foolproof way of catching that guy who's luring your daughter away from the safety of a coffee shop using an untraceable MAC as well as anonymizing tools such as SSH + SOCKS or Tor + Privoxy. Oh wait, that doesn't really help, does it?

Bottom line, for you folks worried about protecting your kids: Use some f***ing parenting! Teach your kids the difference between real-life friends and people they meet in a random chat room. Remember how you told your kids "don't take candy from a stranger"? It's the same f***ing thing! Tell them it's not safe to go meet random strangers on the Internet. Make sure they understand there's no way of knowing the person is safe, just like there isn't any way of knowing that the overweight, balding, coke-bottle-bespectacled, sweatsuit wearing guy isn't really her friend.

And you know what? If your kids can't use the Internet safely for themselves, then it's YOUR responsibility to take that privilege away and only let them use it again when they FEAR AND RESPECT THAT ESCALATOR THE INTERNET! I'm sick and tired of people blaming technology for their own parenting flaws.


Thursday, February 19, 2009

More Vimp

Alright, this is probably the last post about Vimperator, then I'll go back to talking about other useless crud.

I did find some good plugins in the code repository. I'll just list those here and people can check them out too:
  • hash.js - a plugin for calculating various hashes of files on disk. Handy for verifying hashes of all your downloads for those of you who may be paranoid like myself.
  • inspector.js - gives you an easy way to inspect the DOM objects in your browser and web pages. Requires the DOM Inspector Firefox plugin.
  • reading.js - A handy way to tweet about the page which you're currently reading. Currently has no restriction on number of characters. Also doesn't do URL shrinking which I might look into adding at some point.
  • splitBrowser.js - Makes Vimperator really like Vim! :split / :vsplit in your Firefox, how freakin' cool is that?!? This does require the Split Browser plugin be added to Firefox.
  • tinyurl.js - makes the current URL into a TinyURL and yanks it to your clipboard for you
  • twitter.js - allows you to tweet from your browser.
That's it for now! Cheers!

Friday, February 13, 2009

Vimp Update

I've been playing around with Vimperator for a few days now. It still rocks, and that's for sure. Here's a list of the plugins I find useful:
  • NoScript integration
  • Firebug integration
  • MsWin is handy if you use Vimperator on a Windows box as it binds copy/cut/paste back to ctrl-c/ctrl-x/ctrl-v
  • Link-Target is kind of cool, but needs work with icon placement if possible
I also have found this script handy for my vimperatorrc file:
" This puts an RSS icon on the bottom status bar
javascript <<EOF
var feedPanel = document.createElement("statusbarpanel");
feedPanel.setAttribute("id", "feed-panel-clone");
// Move the existing feed (RSS) button into the new panel; without this line
// feedPanel has no first child to style and the next statement throws.
// Element ids ("feed-button", "status-bar", "security-button") are the ones
// from Firefox 3's browser.xul; check them against your version.
feedPanel.appendChild(document.getElementById("feed-button"));
feedPanel.firstChild.setAttribute("style", "padding: 0; max-height: 16px;");
// Insert the panel into the status bar just before the lock/security icon.
document.getElementById("status-bar").insertBefore(feedPanel, document.getElementById("security-button"));
EOF
That script is courtesy of teramako on the Vimperator Tips & Tricks page, so thanks, teramako for this excellent script.

Also, I highly suggest that the Vimperator.vim files be grabbed for file detection, and syntax highlighting.

So far, I've looked at all the plugins and tricks which are on their main wiki pages.

Right now, I'm going through the plugins here as well and I've found a few more plugins which are nice. After I play around with them for a while, I'll put more info up here again.


Tuesday, February 10, 2009

Vimperator rocks!

I just started using the Vimperator add-on for Firefox, and I must say that it is very cool!

For anyone who loves Vim, it makes Firefox much easier to use. It clears up lots of screen clutter and replaces it with Vim commands (e.g. :open, :addons, :preferences, etc.). It also has tab completion for bookmarks and supports bookmark keywords. For example, if you have a keyword bookmark for a Google Maps search, and you wanted to look up food around Madison, WI (where I live) you could just

:open maps food Madison, WI

You can do pretty much everything from the command line, which is awesome. I definitely have to play around with it some more. I'll post an update here if I find more cool stuff.

Also, my gratitude goes out to Andrew of Redspire for this as he brought it to my attention on Twitter.

Friday, February 6, 2009

Foxmarks is now working with Safari!

Foxmarks has finally made it to Safari. I've been waiting for this day so I can finally start using it.

My two main computers are a MacBook and an IBM ThinkPad, and I use Safari on the Mac and Firefox on the ThinkPad. I never liked using Firefox on my Mac because early versions liked to crash a bunch. With the release of Firefox 3, it worked much much better on my Mac, but I was still so used to using Safari. Because I never used Firefox on my Mac, it didn't make sense to use Foxmarks, but now I can!

I have to say, it works pretty well. It doesn't have the level of integration with Safari that it does with Firefox, but I still find it useful. It doesn't have password syncing, but that's not a problem for me because I use KeePass along with DropBox which suits me just fine.

All in all, I'm a pretty happy camper. I would like to see it move to a Safari plugin instead of a MenuBar applet, but I'll take what I can get.

Thursday, February 5, 2009


So I just read the story of Steven K Roberts, a technogeek and a nomad. It's hard to explain his philosophy, exactly, but I must say that it is very enticing.

He has essentially combined technology with the ability to live a nomadic lifestyle. The original form of this was a bike with a solar charger and a laptop, the Winnebiko. Eventually it evolved into something much larger and more sophisticated, but inevitably, it became too large and unwieldy, making the nomadic lifestyle much more complicated.

It's something I've thought about before, but I have to admit that it would be hard for me to commit to such a thing. My ultimate goal would be to travel the world with a suitcase and a laptop. I'd just be doing whatever business I feel is appropriate, from wherever I feel comfortable.

This is something which I don't know that I'll ever do, but seeing this makes me think that it might not be that hard.

Check it out:

Sunday, February 1, 2009

BackTrack 4 - Sweet!

I just saw HDM tweet about BackTrack4. He mentioned that it was coming out soon and that it had some sweet features, so I thought I'd check it out for myself.

As a matter of fact, it does look very cool.  Some of the features I'm excited about:

Native support for Pico e12 and e16 cards is now fully functional, making BackTrack the first pentesting distro to fully utilize these awesome tiny machines. -- Although I don't have one of these, I hope to soon. It's good to know I won't have to struggle much to get it working

The latest mac80211 wireless injection patches are applied, with several custom patches for rtl8187 injection speed enhancements. Wireless injection support has never been so broad and functional. -- I'm particularly excited about the rtl8187 enhancements because this is one of my main injection cards.

RFID support -- This will be cool for next year's Defcon and the increased focus on RFID. RFID wall of sheep, anyone?

CUDA support -- This is going to be AWESOME because BT4 already supports calculating WPA tables using CUDA out of the box. This will be a step forward from having just your CPU churn away, although it does cause issues with X right now...

For those unfamiliar with CUDA:
Link to BackTrack 4 Blog:

Kismac vs Aircrack

I've been fooling around with wireless hacking for a few years and have always found aircrack to be an awesome tool. In the past, I've used a Linux laptop with either Gentoo, Ubuntu, or Backtrack. This has always worked well for me because I only had a couple Cardbus wifi adapters, and up until now, I never had a laptop which did not have PCMCIA slots. A couple years ago, I got my Macbook and decided to see what its capabilities were from a wifi hacking perspective. What I found, however, was not so exciting.

From what I could tell, there was no way to do packet injection with the built-in wifi. Kismac could put the card into monitor mode, though, with 10.4, but once OS 10.5 came out, that stopped as well. You combine those with the fact that the original developer of Kismac had to abandon the project due to new laws being passed in Germany, and that left Kismac in a somewhat sorry state.

Recently, though, I finally got around to buying a USB wifi adapter. This meant that I could finally try out Kismac since it can actually do packet injection with a variety of USB adapters. So, for the first time in two years, I grab the latest version of Kismac, fire it up, pick a network (one I'm allowed to crack, of course), and attempt to do some packet injection. This network had a small amount of client data, so I figured I'd catch an ARP packet and be able to replay it back into the network. Shortly after starting packet injection, Kismac completely crashed. I tried another two or three times on the same network with the same results. Looking at the console log, I saw that it failed an assertion in the inject function of the WLAN driver: [net mode] == managed. I noticed that for some reason, the network was flopping back and forth between "tunnel" and "managed". I guess that explains the crash...

Alright, I'll pick a different network. The next best one from a power perspective doesn't have much client data on it, but what the hey, we'll try it anyhow. I figure if I start some injection, then perform a deauth attack, we may be able to get something. I try it out, but then... hey, I can't do the deauth while injecting, what's the deal? I can do the deauth then inject, but I can't get it to go quick enough to capture the handshake and any ARP requests by the time I click inject. Hmm... I give up, I can't work with it. I mean, the UI is great and all, it's great that you can monitor clients and have it make noises when they're active, but it just doesn't work the way I want it to.

As a comparison, I could have fired up Backtrack in VMWare Fusion, hooked the USB wifi adapter up to the VM, and tried using aircrack. I know without a doubt that I could have cracked that same network, with little to no data, without any problems. Simply start up airmon, try a chopchop or fragment attack until you get enough keystream, forge an ARP packet with packetforge, then begin replaying that ARP packet into the network. The greatest part is, you can monitor, replay ARP packets, perform deauth and fakeauth attacks ALL AT THE SAME TIME! I've done this before to get a 64-bit key in a matter of 2 or 3 minutes, and a 128-bit would only take 5-10 in these situations.

Bottom line is that Kismac looks nice, and probably works well in simple circumstances. My guess is that it might be the perfect set of training wheels for the beginning wifi hacker, but isn't practical if you want to be serious about it.

Oh well, at least I tried it :)

Tuesday, January 27, 2009

So Sonic has finally brought a restaurant to Wisconsin. And it's about time considering that I've been seeing ads on cable since I came here for college in '02.

Having family in Kansas and Oklahoma, I've had many opportunities to eat at a Sonic. Because of this, every time I saw a Sonic ad on TV it made me a little upset. Yes, I know, it is a silly thing to get upset about, but Sonic really is good food!

Anyhow, now that Sonic is finally here, it seems like the entirety of Madison is showing up there for breakfast, lunch, and dinner. Just yesterday, there was a line which was backed up all the way onto University Ave, and even went a couple blocks down University.

Today, they actually had a 'Sonic Staging Area' which was about a block away from the actual Sonic building. The staging area actually went a couple of blocks down a side road and was complete with attendants who monitored the line of cars there. These poor fellows were bundled up in like 5 layers of clothes, and toting walkie-talkies to help direct traffic. It was insane!

A co-worker and I went at 11 this morning and were like the second car in line at the staging area. We got in quickly, parked in a stall, and proceeded to chow down on some of the best fast food you can find around here.

I probably won't be going there much more until Summer, but it's nice to finally have one around here!

Sunday, January 25, 2009

Trying again

Alright, so this is blog number two... The first one went really well, so I'm trying another one. Actually, the first one sucked and everyone told me the same, so I'm giving it another go with a fresh start.

I'd really like to get this running and put meaningful information up here, but I am a person who tends to pick up new projects as quickly as I drop them. I pretty much just need to get into the habit of putting interesting crud up here and getting people to reply saying that it is either interesting or pretty much just crud.

So, please, if anyone has anything interesting to say or just wants me to do something more, give me a kick in the pants and tell me to put something up here!