Jaime Blasco Blog


Attacks: Wireless Intrusion Detection Systems Testing Tool
Thu, 07 Jan 2010

To celebrate the New Year I want to share with you a simple but useful tool I wrote some time ago.

The script generates wireless packets to emulate wireless attacks with the intention of testing wireless intrusion detection systems.

At this moment it supports the following attacks:

  • Sends probe-response packets with an SSID IE tag component of length 0 (WVE-2006-0064)
  • Floods the WLAN with disassociation packets. (WVE-2005-0046)
  • Floods the WLAN with deauthentication packets. (WVE-2005-0045)
  • Sends an invalid deauthentication reason code
  • Sends an over-sized SSID. (WVE-2006-0071, WVE-2007-0001)
  • Sends an AirJack beacon packet. (WVE-2005-0018)
  • Sends an invalid channel number in beacon frames (WVE-2006-0050)
  • Windows XP SP1 behaviour

To run the tool you need Scapy.
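The other side of such a test tool is the detector it is meant to exercise. The following is an added example (not the script from this post, and not Kismet or OSSIM code) of the checks a wireless IDS would apply to a few of the cases listed above: a deauthentication/disassociation flood per transmitter, a reserved reason code, a zero-length SSID IE in a probe response, and an over-sized SSID. The 802.11 frames are constructed inline rather than captured, and the flood threshold and the upper bound on assigned reason codes are tuning assumptions of this example.

```python
from collections import defaultdict

# Frame Control byte 0 of 802.11 management frames (type 0); the subtype sits in the high nibble.
BEACON, PROBE_RESP, DISASSOC, DEAUTH = 0x80, 0x50, 0xA0, 0xC0
SUBTYPE_NAME = {DEAUTH: "deauthentication", DISASSOC: "disassociation"}
MGMT_HEADER_LEN = 24        # frame control, duration, addr1, addr2, addr3, sequence control
MAX_SSID_LEN = 32           # longest SSID the standard allows
MAX_KNOWN_REASON = 66       # assumed upper bound of assigned reason codes; adjust to the revision you track
FLOOD_THRESHOLD = 10        # assumed tuning: deauth/disassoc frames per transmitter per batch


def parse_mgmt(frame):
    """Split a raw management frame into (subtype byte, transmitter MAC, frame body)."""
    if len(frame) < MGMT_HEADER_LEN:
        raise ValueError("truncated management frame")
    fc0 = frame[0]
    if fc0 & 0x0C:          # type field (bits 2-3) must be 00 = management
        raise ValueError("not a management frame")
    src = frame[10:16].hex(":")   # addr2 is the transmitter address
    return fc0 & 0xF0, src, frame[MGMT_HEADER_LEN:]


def ssid_ie_length(body):
    """Return the declared length of the SSID IE (tag 0) in a beacon/probe-response body, or None."""
    pos = 12                 # skip timestamp(8) + beacon interval(2) + capability(2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:
            return length    # the declared length is what matters, even if the IE is truncated
        pos += 2 + length
    return None


def analyze(frames):
    """Return alert strings for a batch of raw 802.11 management frames."""
    alerts = []
    counts = defaultdict(int)
    for frame in frames:
        subtype, src, body = parse_mgmt(frame)
        if subtype in (DEAUTH, DISASSOC):
            counts[(subtype, src)] += 1
            reason = int.from_bytes(body[:2], "little") if len(body) >= 2 else None
            if reason is None or reason == 0 or reason > MAX_KNOWN_REASON:
                alerts.append(f"reserved/invalid reason code {reason} in {SUBTYPE_NAME[subtype]} from {src}")
        elif subtype in (BEACON, PROBE_RESP):
            length = ssid_ie_length(body)
            if length is not None and length > MAX_SSID_LEN:
                alerts.append(f"over-sized SSID ({length} bytes) from {src}")
            if length == 0 and subtype == PROBE_RESP:   # empty SSID is normal in beacons (hidden network), not in probe responses
                alerts.append(f"zero-length SSID IE in probe response from {src}")
    for (subtype, src), n in counts.items():
        if n >= FLOOD_THRESHOLD:
            alerts.append(f"{SUBTYPE_NAME[subtype]} flood: {n} frames from {src}")
    return alerts


# ---- CONSTRUCTED sample frames (not captured traffic) ----
def _mgmt_frame(subtype, src, body):
    mac = bytes.fromhex(src.replace(":", ""))
    return bytes([subtype, 0x00]) + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00" + body


def _beacon_body(ssid):
    return b"\x00" * 8 + b"\x64\x00" + b"\x01\x00" + bytes([0, len(ssid)]) + ssid


SAMPLE_FRAMES = (
    [_mgmt_frame(DEAUTH, "00:11:22:33:44:55", (7).to_bytes(2, "little"))] * 12   # flood, valid reason 7
    + [_mgmt_frame(DEAUTH, "66:77:88:99:aa:bb", (0).to_bytes(2, "little"))]      # reserved reason code 0
    + [_mgmt_frame(PROBE_RESP, "66:77:88:99:aa:bb", _beacon_body(b""))]           # zero-length SSID IE
    + [_mgmt_frame(BEACON, "66:77:88:99:aa:bb", _beacon_body(b"A" * 40))]         # over-sized SSID
    + [_mgmt_frame(BEACON, "00:11:22:33:44:55", _beacon_body(b"lab"))]            # benign beacon
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES):
        print(alert)
```

Feeding the output of the test script (or a pcap of it) through `analyze` shows whether each emulated case produces an alert; a missing alert points at the check that needs tuning, which is exactly what the tool is for.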

    • Source Code



    You can use the tool to test that your Ossim wireless sensor with Kismet works as you expect:


    posted at: 19:48 | path: /Attacks | tags: wireless ids, wids, attacks, wireless security, wireless attacks, wve, Wireless Vulnerabilities and Exploits



    25C3: Fake CA Certificates
    Sat, 03 Jan 2009

    A security research team has demonstrated how to use an MD5 collision to create a rogue Certificate Authority certificate
    with a cluster of 200 PS3s!!
    You can find all the information here
    The attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages
    with the same MD5 hash, and it affects CAs that are still signing certificates with this broken hash function, like RapidSSL.
    We can use the M2Crypto Python bindings to automate retrieving server certificates and checking
    whether they are still signed with MD5:
    
    
    from M2Crypto import SSL

    ctx = SSL.Context()                       # default context; no peer verification is configured
    conn = SSL.Connection(ctx)
    conn.connect(('www.rapidssl.com', 443))   # TLS handshake with the site under test
    cert = conn.get_peer_cert()               # leaf certificate presented by the server
    print(cert.as_text())                     # OpenSSL text dump; check the "Signature Algorithm" lines
    
    
    Output:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1795 (0x703)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure eBusiness CA-1
            Validity
                Not Before: Mar  8 15:35:33 2005 GMT
                Not After : Mar  7 15:35:33 2010 GMT
            Subject: C=US, O=GeoTrust Inc., OU=Production, CN=www.rapidssl.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:bf:2b:bb:b0:a8:78:fb:8d:76:d7:14:c1:92:d8:
                        c8:cb:99:ed:a8:9e:37:e5:4f:5d:7e:06:f6:52:5e:
                        5c:4e:e8:6b:9e:22:bb:62:8b:b6:db:fe:5f:05:15:
                        79:81:5a:4c:4c:89:6c:42:77:50:ac:8d:ce:a6:1a:
                        49:21:8c:27:db:1a:79:f0:5d:fc:4d:84:8b:42:0f:
                        8e:e6:6d:74:4b:a9:1e:b3:97:38:39:ec:28:88:5e:
                        1d:7a:c9:2b:53:34:71:2c:6c:80:80:78:ed:08:c7:
                        a8:fb:70:39:76:3b:2a:bd:c4:a9:88:6c:95:95:73:
                        2a:ab:85:05:15:b8:cd:59:5f
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                X509v3 CRL Distribution Points: 
                    URI:http://crl.geotrust.com/crls/ebizca1.crl
    
                X509v3 Authority Key Identifier: 
                    keyid:4A:78:32:52:11:DB:59:16:36:5E:DF:C1:14:36:40:6A:47:7C:4C:A1
    
        Signature Algorithm: md5WithRSAEncryption
            49:e5:4b:7f:48:f3:d1:b6:04:f4:59:a7:63:92:f2:eb:b2:a3:
            1f:c3:31:c4:d3:54:67:9d:77:35:e2:e1:a4:84:9b:d4:91:82:
            32:6b:93:3e:d8:7e:36:66:c8:aa:5f:b8:3a:ee:2c:2c:70:97:
            66:d1:e5:0e:23:dd:04:39:a8:c8:e4:4e:bb:75:85:52:d0:cd:
            37:51:69:07:aa:25:5d:cb:60:ac:a1:98:54:4b:1e:9d:49:fe:
            fa:b1:eb:f9:c3:79:bc:84:d8:4a:2c:bf:67:de:0c:70:8d:f0:
            c3:14:6f:04:8b:9d:14:bd:e9:fd:fd:b7:6d:66:9b:bc:e5:f1:
            74:54
    
    With this module you can easily build a tool that scans Internet sites for certificates issued by the affected CAs (signature algorithm md5WithRSAEncryption).
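As an added example (not the author's code, and using the standard-library `ssl` module instead of M2Crypto), the scanner idea above can be built without a text dump: read the `signatureAlgorithm` OID straight from the DER certificate and compare it against the MD5/SHA-1 RSA OIDs. The DER fixture used for the demonstration is constructed inline with an opaque placeholder `tbsCertificate`, so it is not a real certificate; `fetch_peer_cert_der` is the assumed network front end for a real survey. One caveat the text dump hides: current OpenSSL rejects MD5-signed chains during verification, so a verifying client would fail the handshake before it could inspect the certificate, which is why the fetch helper turns verification off.

```python
import socket
import ssl

# PKCS#1 signature-algorithm OIDs (dotted form) -> OpenSSL names
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x80|n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, n = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der_cert):
    """OID of the outer signatureAlgorithm field:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)


def classify(der_cert):
    """Return (algorithm name, is_weak) for a DER certificate."""
    oid = signature_algorithm_oid(der_cert)
    return SIG_ALG_OIDS.get(oid, oid), oid in WEAK_OIDS


def fetch_peer_cert_der(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a server presents, as DER bytes (assumed survey front end).
    Verification is off on purpose: current OpenSSL rejects MD5-signed chains, so a verifying
    handshake would fail before the certificate could be inspected. This context is only
    suitable for recording which algorithm a server presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# ---- CONSTRUCTED fixture: DER with the Certificate shape and an opaque placeholder tbsCertificate ----
def _der(tag, contents):
    if len(contents) < 0x80:
        return bytes([tag, len(contents)]) + contents
    lb = len(contents).to_bytes((len(contents).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_fake_cert(sig_oid):
    tbs = _der(0x30, b"\x02\x01\x01" + b"\x00" * 200)                  # long-form length on purpose
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL parameters
    sig = _der(0x03, b"\x00" + b"\xab" * 16)                           # BIT STRING placeholder
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    print(classify(build_fake_cert("1.2.840.113549.1.1.4")))   # ('md5WithRSAEncryption', True)
```

For a real survey, call `classify(fetch_peer_cert_der(host))` per host; the walker only touches the outer three fields, so it does not need a full X.509 parser and is not affected by anything inside the `tbsCertificate`.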

    posted at: 16:37 | path: /Attacks | tags: 25c3, md5, encryption, broken, ssl




    Made with PyBlosxom