Friday, February 09, 2007

Security Testing PDA Tool Hacks All WiFi

The palm-sized PDA tucked away in Justine Aitel's pocketbook just might be the most scary device on display at this year's RSA security conference. Aitel is roaming the hallways here with Silica, a portable hacking device that can search for and join 802.11 (Wi-Fi) access points, scan other connections for open ports, and automatically launch code execution exploits from a built-in exploit platform. Image Credit: ZDNet/CNET Networks, Inc.

Security Testing PDA Tool Hacks All WiFi

Introduced at this year’s RSA Security Conference (Feb. 5-8, 2007 - Moscone Center, San Francisco), a pen testing tool produced by Immunity Inc. (a penetration testing company based in Miami Beach, Florida) offers covert wireless network hacking through the use of a PDA handheld computer.

Penetration testing (pen test) is a process by which a test of a network's vulnerabilities by having an authorized individual actually attempt to break into (exploit) the network.

The tester may undertake several methods, workarounds, and "hacks" to gain entry, often initially getting through to one seemingly harmless section, and from there, attacking more sensitive areas of the network.

Security experts recommend that an annual penetration test be undertaken as a supplement to a more frequent automated security scan.

What Immunity Inc. has been able to do is deliver a tool that automates the process of hacking into 802.11 (WiFi) access points and can be taken and used anywhere, anytime without drawing suspicion to the person using the device.

Excerpts from ZDNet “Tracking the hackers” blog post -

Wi-Fi hacking, with a handheld PDA
By Ryan Naraine - ZDNet @ 11:10 pm, February 6th, 2007

SAN FRANCISCO - The palm-sized PDA tucked away in Justine Aitel's pocketbook just might be the most scary device on display at this year's RSA security conference.

Aitel is roaming the hallways here with Silica, a portable hacking device that can search for and join 802.11 (Wi-Fi) access points, scan other connections for open ports, and automatically launch code execution exploits from a built-in exploit platform.
Silica is the brainchild of Aitel's Immunity Inc., a 10-employee penetration testing outfit operating out of Miami Beach, Florida. It runs a customized version of CANVAS, the company's flagship point-and-click attack tool that features hundreds of exploits, an automated exploitation system, and an exploit development framework.

Immunity uses the Nokia 770 Internet Tablet in the first version of Silica but Aitel says it can be customized for a wide range of hardware devices. You start it, run a scan, connect, run your exploit, get an HTML report of what was done. Image Credit: ZDNet/CNET Networks, Inc.

Running a customized installation of Debian/Linux running kernel 2.6.16, Silica comes with a touch-screen interface featuring three prominent buttons — "Scan," "Stop," "Update Silica."
----
The idea is to give pen testers a tool to launch exploits wirelessly in the most covert fashion. At startup, Silica offers the user the option to scan for available open Wi-Fi networks. Once a network is found, the device connects (much like a laptop at Starbucks) and asks the user if it should simply scan for vulnerable/open ports or launch actual exploits from CANVAS.

Whenever CANVAS is updated with new exploits — typically once a month — Silica automatically gets an update to ensure all the newest attack code is available for mobile pen testing. (Penetration testing is used to evaluate the security of a computer system or network by simulating an attack by malicious hackers. Pen testers typically assume the position of the attacker, carrying out active exploitation of known security flaws to search for weaknesses in the target system).

Immunity uses the Nokia 770 Internet Tablet in the first version of Silica but Aitel says it can be customized for a wide range of hardware devices. "We wanted to make it touch screen, so you can actually use a stylus, launch a scan in attack mode, then stick it in your pocket while you run your exploits," Aitel explained. "It's aimed at the non-technical user interested in doing drive-by pen-tests. You start it, run a scan, connect, run your exploit, get an HTML report of what was done."

During a brief demo, Aitel used a stylus to manually click through the options to show how frighteningly easy an exploit can be sent to a vulnerable computer connected to a Wi-Fi network.
----
Some examples of places Silica can be used:

* Tell Silica to scan every machine on every wireless network for file shares and download anything of interest to the device. Then just put it in your suit pocket and walk through your target's office space.

* Tell Silica to actively penetrate any machines it can target (with any of Immunity CANVAS's exploits) and have all successfully penetrated machines connect via HTTP/DNS to an external listening port.

* Mail Silica to a target's CEO, then let it turn on and hack anything it can as it sits on the desk.

* Have the device conduct MITM (man-in-the-middle) attacks against computers connected to a wireless network
.
Read All>>

While all wireless networks utilize the wireless security standard known as WPA2, the wireless networks with the most access points installed in business locations that show the greatest “exploit” vulnerability are those based on a Cisco or Symbol Technologies (Motorola) network schematic where some of the wireless access points may not be properly integrated into the network systems security scheme.

Other network schemes like the type employed by Aruba Wireless Networks mobile edge technology are less vulnerable because Aruba is the only company that offers both modular data center mobility controllers as well as fixed-configuration branch office solutions.

The mobile edge uses wireless networks, both for voice and data, wherever wireless can be used. Image Credit: Aruba Wireless Networks

As Aruba Wireless Networks states from their website about mobile edge technology:

The mobile edge uses wireless networks, both for voice and data, wherever wireless can be used. Inside enterprise facilities, high-performance and highly-reliable wireless LANs are deployed to provide dense coverage. In homes, hotel rooms, other companies, and wherever Internet-connected Ethernet ports are available, portable wireless access points provide secure connectivity back to the nearest enterprise facility. Finally, at public wireless hotspots, client software provides a secure link to the nearest mobile edge location.

The first step in any wireless deployment is to get control of the wireless that is already there. This may mean existing enterprise access points, wireless-enabled client devices, and especially rogue APs. Rogue APs - access points that are installed by the users but are not under the control of IT - are incredibly dangerous to an organization because they allow outsiders to bypass network security mechanisms and obtain direct access to an internal network.

A wireless intrusion detection system (WIDS) can be deployed to combat Rouge APs using a small number of sensors placed throughout a building. These sensors continuously scan the air and the wired network looking for rogue APs, unauthorized wireless devices, and mis-configured devices. When these threats are found, the WIDS automatically blocks them while notifying the network administrator.
Reference Here>>

And this from the Linux community via Ziff Davis CIO Insight -

Linux Hackers Tackle Wi-Fi Hassles
By Steven J. Vaughan-Nichols - February 8, 2007

When it comes to troublesome Linux peripherals, Wi-Fi takes the cake. Sparked by the Portland Project's efforts to bring standardization to the Linux desktop, the Linux wireless developer community tackled this problem at its second Linux Wireless Summit last month in London.


The Summit was scheduled as a followup to the January IEEE 802 standards committee meeting, which, among other issues, moved a step closer to making 802.11n a real IEEE standard. As a result of this timing, participants at the Linux Wi-Fi meeting included kernel developers and vendor representatives from Intel, Broadcom, Devicescape, MontaVista and Nokia.

Once there, according to Stephen Hemminger, Linux Wireless Summit co-coordinator and a Linux software developer at the Linux Foundation, the attendees had a very productive meeting.

Still, it's been slow going in some critical areas of Linux and Wi-Fi, according to John Linville, the Linux wireless software maintainer. In particular, Linville reported that development work is proceeding too slowly on a new 802.11 stack (d80211), and with a new Wi-Fi API (cfg80211), "development is even slower." Hemminger described the cfg80211 as "a good start but there are no user interface tools (the iproute2 equivalent of iwconfig)."
Read All>>

No comments:

Post a Comment