THC-epassport Tool Video Released

THC has released a video of their epassport backup tool in which it is shown fooling a passport scanner in reading the chip of a card as valid passport with Elvis Presley as the owner of the passport. This kind of scary if it is used by bad guys, a couple of months ago several hundreds of the epassport chips where stolen in great Britain so the bad guys or a rogue goverment has this chips to be used for God knows what. If you have a passport with an RFID chip put it in a shilding cover or just hit it with a hammer ;-)

Metasploit 3.2 is Coming

HD Moore posted on Twitter today that Metasploit Framework is gearing toward version 3.2 very soon, in fact according to the tweet 14,000 + patches have been applied to the current code just preparing for this release. I wonder what new features and tools we will see in this great framework.

Note: had a brainfart and posted it as 3.4 my mistake.

Use of Karmetasploit Technique During a Pentest


I have been playing a lot with airbase in the lab and one if the things that I first noticed while testing this technique as specified in the karmetasploit wiki is that we are setting the machine to attack any wireless client in the area, this may have legal implications during a valid pentest and may result in criminal actions if one is not careful. There are ways to minimize this risk and this is the way I see it, first we need to assess the are and identify all AP of the client and their SSIDs this cam be done using airodump-ng:


wlanconfig ath0 destroy

airmon-ng start ath0

airodump-ng -b bg -a ath0


in the example I'm showing it running with an Atheros card. First we set the card in monitor mode then we are using the "-b" switch so we can scan both b and g and "-a" so we get only a list of only associated clients, the main reason we want associated clients is because we only want to target those that are connected to the access points of the company that we have been contracted to pentest that way we can minimize the risk of attacking the wrong target. The best time I would recommend for this reconoissance is during the early hours in the morning this is when most user will arrive at the office and turn on their laptops, preferably Mondays since it is the day that most mobile workers tend to go to the office. An example output is the following:


CH 14 ][ Elapsed: 2 mins ][ 2008-10-02 00:01 ][ WPA handshake: 00:0C:85:71:6C:2C
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:0C:85:71:6C:2C 78 98 38 0 3 11. WPA TKIP PSK target
00:30:BD:F3:3E:35 -1 0 0 0 11 -1 <length: 0>

BSSID STATION PWR Rate Lost Packets Probes
00:0C:85:71:6C:2C 00:13:E8:80:04:4F 93 11-11 0 28 target
00:0C:85:71:6C:2C 00:21:E9:B0:AC:B2 81 11- 2 50 26 target
00:0C:85:71:6C:2C 00:21:E9:A5:A2:04 79 0- 2 13 93 target,linksys,belking54g
00:30:BD:F3:3E:35 00:1C:B3:BF:61:70 38 0- 5 0 3

as we can see 3 clients are associated to the target ESSID. This are
00:13:E8:80:04:4F
00:21:E9:B0:AC:B2
00:21:E9:A5:A2:04

we place this mac addresses inside a text file one per line. We can call this file targets.txt, once we have them in the text file we will use it as a filter for airbase-ng. the command would be as follows:
airbase-ng -P -C 30 -D /root/targets.txt -e "target" -v ath0
The -P option will create a softap that will respond to all probes regardless of the ESSIDs specified, the -C option will indicate the amount of time that the ESSIDs seen will be beaconed, -D will indicate the file of mac addresses that will be used as filters for the connection and -e will specify an ESSID to broadcast by default and -v will be verbose output followed by the interface that is in monitor mode. This will generate the at0 tun interface that we will use with dhcpd and Metasploit to continue the karmetasploit attack. This same concept can be used for other types of attacks and limit those to approved targets.

One important point when conducting this type of attack against a valid target is to use powerful card with a good antenna so as to assure that your machine will be selected instead of the valid AP, I highly recommend the Ubiquity and the Alfa USB high gain with a good yagui antenna.

Tcpdump Filter for CDP

Recently on an engagement I wanted to capture only Cisco Discovery Protocol (CDP) packets so as to passively enumerate Cisco equipment and I decided to share the filter I used:

sudo tcpdump -nn -v -i en0 -s 1500 'ether[20:2] == 0x2000'
Password:
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 1500 bytes
18:41:35.971435 CDPv2, ttl: 180s, checksum: 692 (unverified), length 334
Device-ID (0x01), length: 8 bytes: 'ap1.home'
Version String (0x05), length: 231 bytes:
Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(8)JEB1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 20:51 by dchih
Platform (0x06), length: 26 bytes: 'cisco AIR-AP1230A-A-K9 '
Address (0x02), length: 13 bytes: IPv4 (1) 192.168.1.250
Port-ID (0x03), length: 13 bytes: 'FastEthernet0'
Capability (0x04), length: 4 bytes: (0x00000002): Transparent Bridge
Duplex (0x0b), length: 1 byte: full
power consumption (0x10), length: 2 bytes: 8.50W

I hope that it's useful to anyone who might need it during a pentest or troubleshooting a network.

Airport's and Karmetasploit

I recently had to go to several Central American countries to do some consulting work, while waiting for a connecting flight at the Panama airport I notice a wallpaper that was very familiar to me, the Backtrack3 Default wallpaper and even more familiar what was running on a terminal window, it was karmetasploit I watched for a while as the kid was gathering info from unsuspecting people, as I saw from my seat I could make passwords from tweeter account from people using their iphones, I even saw the kid saving the cookies and using them on Firefox by pasting them on a extension installed on his browser, I could see all of this since he was not being careful and putting his back to one of the walls, I was sitting right behind the kid and he didn't even noticed. So guys be careful with what your browser and machines sends automatically in wifi networks you might never know who is next to you just waiting for you to fire up your browser, a good recommendation have wireshark run on your laptop while you connect to your wireless at home and see if it is sending any info it should not be sending out, be careful out there scripkiddies are everywhere.