Wireless Security
RE: BlackHat Wireless Driver Hack Aug 22 2006 01:45PM
Nico Darrow (ndarrow airdefense net) (2 replies)
Rick, a little off topic here, but we were talking about the exploit and
the best way to protect against attacks. I agree with your point on
being hacked at public hotspots; that requires protection beyond a
firewall like one of our products (or common sense). Even the best
hacker needs to connect TO the victim's PC to pull certificates for the
network he's hacking (that's how you get around WPA-enterprise).
Stealing someone's password means nothing if he's using WPA-enterprise
at work; it's just the first step in the hack.

The recent BlackHat hack makes the victim's PC connect to its gateway or
malicious PC. A good firewall, unless disabled (too much shellcode for
802.11), should (*note*) protect against simple versions of the attack.

Here's how a 'friend of mine' does it
http://i46.photobucket.com/albums/f131/nicks2k/pentesters_laptop.jpg

1. RawGlue/Karma, grab probing stations
2. Route traffic over EvDO connection (or real hotspot)
3. Sniff traffic, capture passwords.
4. Use captured passwords to connect to machine
5. Once connected, pull certificates, administrator password, etc.
6. Hacker can now connect to victim's enterprise network with password
and cert.
Now firewalls have definitely made the following more difficult, but not
impossible. So I'm not saying firewalls are the silver bullet of
security, but I definitely suggest adding that layer of security making
it harder for the novice hacker.

The new attack would, theoretically, bypass most firewalls since it's
making an outbound connection. So it makes it hard to protect against
this type of attack (unless you restrict outbound connections). And 10:1
most people allow full access to the ndiswrapper.

I route all my traffic over a vpn when I connect to a hotspot and make
sure to monitor the vpn and traffic route with our client product. A
little over the top but definitely secure. That way you can be sure not
to be exploited.

Rick, I'm not trying to start a flame war, I just wanted to educate the
group on some free protection they could use. Y'know I do this stuff
every day :-P

my 1c

ps Check out my new project, it does everything I said above
automatically :-P
http://i46.photobucket.com/albums/f131/nicks2k/DSC00166.jpg
http://i46.photobucket.com/albums/f131/nicks2k/DSC00165.jpg
http://i46.photobucket.com/albums/f131/nicks2k/DSC00167.jpg

-----Original Message-----
From: Richard Farina [mailto:r.farina (at) adelphia (dot) net]
Sent: Monday, August 21, 2006 11:25 PM
To: Wireless Security
Subject: Re: BlackHat Wireless Driver Hack

Nico D wrote:
> The exploit they used goes after the freebsd version of ndiswrapper on
> the macbooks. The cards they used just need to be able to pass packets
> un-stripped to the ndiswrapper so that they can exploit buffer-overflows
> in the daemon. Essentially this can be done on any OS and some cards. It
> was probably just easier to use a MAC since the source for the
> ndiswrapper is public (AFAIK).
>
> Protection? Well just keep yourself from getting to layer 3 with the
> attacker. Stay off unencrypted hotspots and make sure you have a good
> firewall running. Also make sure that you clear out your preferred
> SSID's in the wireless zero configurator so that you're not vulnerable
> to probing station attack (phishing).
>
>
Nico-

I feel like I've been bashing you a lot lately, I really mean no offense
by it... that being said....

Exactly what good do you think a firewall does against a driver hack?
What hands the packets to the firewall, oh, it must be the driver,
hence, you are hacked before you get to the firewall. Unencrypted
hotspots... if it is a public hotspot then everyone knows the key, I
fail to see much security there.... And Windows Wireless Zero
Configurator... let us just stay away from that all together, the bugs
in that thing are so impressive.
> Thats just my 2c.
>
I'm taking one of your pennies...

-Rick Farina
> On Sun, 2006-08-20 at 08:23 -0300, Ronaldo Vasconcellos wrote:
>
>> Some news on this subject, folks. From SecureWorks [1] site:
>>
>> "This video presentation at Black Hat demonstrates vulnerabilities found
>> in wireless device drivers. Although an Apple MacBook was used as the demo
>> platform, it was exploited through a third-party wireless device driver -
>> not the original wireless device driver that ships with the MacBook. As
>> part of a responsible disclosure policy, we are not disclosing the name of
>> the third-party wireless device driver until a patch is available."
>>
>> Brian Krebs has some posts on this vulnerability, including an interesting
>> part [2]:
>>
>> "Indeed, as I reported earlier, in his hotel room on the eve of that
>> presentation, Maynor showed me a live demo of him exploiting the built-in
>> Macbook drivers to break into the machine from another laptop -- without
>> a third party card plugged in."
>>
>> Well, who's got the truth? :-)
>>
>> Ronaldo
>>
>> [1] SecureWorks - Black Hat Coverage
>> http://www.secureworks.com/newsandevents/blackhatcoverage.html
>>
>> [2] Update on the Apple Macbook Claims
>> http://blog.washingtonpost.com/securityfix/2006/08/update_on_the_apple_macbook_cl.html
>>
>> SecureWorks admits to falsifying MacBook wireless hack
>> http://www.tuaw.com/2006/08/18/secureworks-admits-to-falsifying-macbook-wireless-hack/
>>
>> Wi-Fi Exploit Not an Apple Problem, Company Says
>> http://wifinetnews.com/archives/006873.html
>>
>> The Black Hat Wireless Exploit Interview, Verbatim
>> http://blog.washingtonpost.com/securityfix/2006/08/the_macbook_wireless_exploit_i.html
>>
>> On Wed, 9 Aug 2006, Paul Asadoorian wrote:
>>
>>
>>> Date: Wed, 9 Aug 2006 15:52:26 -0400
>>> From: Paul Asadoorian <paul (at) pauldotcom (dot) com>
>>> To: Nico Darrow <ndarrow (at) airdefense (dot) net>
>>> Cc: wifisec (at) securityfocus (dot) com
>>> Subject: Re: BlackHat Wireless Driver Hack
>>>
>>> I also thought that the following article had an interesting perspective:
>>>
>>> http://software.newsforge.com/article.pl?sid=06/08/08/1351256
>>>
>>> I am left with more questions than answers on this one, and the "holy
>>> war" of operating systems helps to cloud the real issues.
>>>
>>> For now, my EVDO card and retractable network cable are my friends and I
>>> leave my wireless adapter disabled.
>>>
>>>
>
>

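Nico's step 1 above (a Karma-style rogue AP answering whatever SSID a station probes for) has an observable signature: one BSSID hands out probe responses for many unrelated SSIDs. The following is an added example, not code from the thread or from any AirDefense product, showing how to parse 802.11 probe-response management frames and flag such a BSSID. The frames, MAC addresses and SSIDs are constructed inline for the demonstration; a real run would feed in frames from a monitor-mode capture instead.

```python
import struct
from collections import defaultdict

# --- helpers -----------------------------------------------------------------

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_probe_response(bssid, dst, ssid):
    """Build a minimal 802.11 probe response (constructed test data, not a capture).
    Frame control 0x0050 = protocol 0, type 0 (management), subtype 5 (probe resp)."""
    fc = struct.pack("<H", 0x0050)
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    # addr1 = DA (probing station), addr2 = SA, addr3 = BSSID
    hdr = fc + duration + mac_bytes(dst) + mac_bytes(bssid) + mac_bytes(bssid) + seq_ctrl
    # fixed parameters: timestamp (8), beacon interval (2), capability (2)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    # information elements: SSID (tag 0) and a one-rate Supported Rates (tag 1)
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([1, 1, 0x82])
    return hdr + fixed + ies

# --- parser ------------------------------------------------------------------

def parse_probe_response(frame):
    """Return (bssid, ssid) for a probe-response frame, None for anything else
    (other frame types, truncated headers, malformed IEs)."""
    if len(frame) < 24 + 12:              # MAC header + fixed params
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 5:
        return None
    bssid = mac_str(frame[16:22])
    off = 24 + 12
    while off + 2 <= len(frame):
        tag, ln = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + ln]
        if len(body) < ln:                # IE length runs past the frame
            return None
        if tag == 0:                      # SSID element
            return bssid, body.decode("utf-8", "replace")
        off += 2 + ln
    return None

# --- detection ---------------------------------------------------------------

def find_karma_aps(frames, threshold=3):
    """Map each BSSID to the distinct SSIDs it answered probes for, and return
    only those at or above `threshold` distinct SSIDs (the Karma signature)."""
    seen = defaultdict(set)
    for f in frames:
        parsed = parse_probe_response(f)
        if parsed:
            bssid, ssid = parsed
            seen[bssid].add(ssid)
    return {b: sorted(s) for b, s in seen.items() if len(s) >= threshold}

# Constructed sample: a legitimate hotspot answering only its own SSID, a rogue
# answering every probed SSID, and a beacon (subtype 8) that must be ignored.
LEGIT, ROGUE = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"
STA1, STA2 = "11:22:33:44:55:66", "11:22:33:44:55:77"
SAMPLE_FRAMES = [
    build_probe_response(LEGIT, STA1, "CoffeeShop"),
    build_probe_response(LEGIT, STA2, "CoffeeShop"),
    build_probe_response(ROGUE, STA1, "CorpWiFi"),
    build_probe_response(ROGUE, STA1, "HomeNet"),
    build_probe_response(ROGUE, STA2, "Airport-Free"),
    build_probe_response(ROGUE, STA2, "linksys"),
    struct.pack("<H", 0x0080) + b"\x00" * 40,   # beacon, not a probe response
]

if __name__ == "__main__":
    for bssid, ssids in find_karma_aps(SAMPLE_FRAMES).items():
        print(f"possible Karma AP {bssid}: {', '.join(ssids)}")
```

The threshold is deliberately a parameter: a single physical AP that legitimately serves several SSIDs (guest and staff networks, for example) will also answer with more than one, so the count should be tuned per site and combined with the observation that the SSIDs it answers are ones the station itself probed for.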
Re: BlackHat Wireless Driver Hack Aug 23 2006 04:35AM
Richard Farina (r farina adelphia net) (1 replies)
Re: BlackHat Wireless Driver Hack Aug 23 2006 12:50PM
Paul Asadoorian (paul pauldotcom com) (1 replies)
Re: BlackHat Wireless Driver Hack Aug 23 2006 07:40PM
Cedric Blancher (blancher cartel-securite fr) (1 replies)
Re: BlackHat Wireless Driver Hack Aug 24 2006 03:09PM
Cedric Blancher (blancher cartel-securite fr)
Re: BlackHat Wireless Driver Hack Aug 22 2006 03:11PM
Paul Asadoorian (paul pauldotcom com)
Copyright 2010, SecurityFocus