Archive for September, 2007

httprint v301 - Web Server Fingerprinting Tool - Download

I was looking through my toolbox to see what else is useful and came across this one, httprint. The only caveat is that it’s a little out of date, but it still does a good job.

httprint is a web server fingerprinting tool.

It relies on web server characteristics to accurately identify web servers, even when they have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or ServerMask. httprint can also be used to detect web-enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings, and it is very easy to add signatures to the signature database.

More details on how httprint works can be found in the Introduction to HTTP Fingerprinting paper (a printer-friendly version is available).

Main Features

* Identification of web servers despite the banner string and any other obfuscation. httprint can successfully identify the underlying web server even when its headers are mangled, whether by patching the binary, by modules such as mod_security.c or by commercial products such as ServerMask.
* Inventorying of web-enabled devices such as printers, routers, switches, wireless access points, etc.
* Customisable web server signature database. To add new signatures, simply cut and paste the httprint output for an unknown server into the signatures text file.
* Confidence ratings. httprint now picks the best matches based on confidence ratings, derived using a fuzzy logic technique, instead of simply taking the highest weight. More details on the significance of confidence ratings can be found in section 8.4 of the Introduction to HTTP Fingerprinting paper.
* Multi-threaded engine. httprint v301 is a complete rewrite, featuring a multi-threaded scanner that processes multiple hosts in parallel, which greatly reduces scanning time.
* SSL information gathering. httprint now gathers SSL certificate information, which helps you identify expired certificates, the ciphers in use, the certificate issuer and other SSL-related details.
* Automatic SSL detection. httprint can detect whether a port is SSL-enabled and automatically switches to an SSL connection when needed.
* Automatic traversal of HTTP 301 and 302 redirects. Many servers that have moved their content elsewhere answer every HTTP request with a default redirect. httprint now follows the redirection and fingerprints the server it points to. This feature is enabled by default and can be turned off if needed.
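As an added illustration of the idea behind httprint (this is not the tool's own code, probe set or signature format), the following toy fingerprinter builds its signature from response characteristics other than the Server banner, so a rewritten banner does not change the result. The two signature database entries and the observed responses are constructed; the "confidence" here is a plain feature-match ratio, not httprint's fuzzy-logic scoring. It is a handy way to check whether a banner mask on your own server actually hides anything.

```python
# Toy header-based fingerprinting in the spirit of httprint (added example,
# not the tool's code).  Per probe, the signature is the status code plus the
# order of response header names with the Server banner dropped, so rewriting
# the banner (ServerMask, mod_security) does not change the match.

def signature(responses):
    """Build {probe: (status_code, header_order)} from raw HTTP responses."""
    sig = {}
    for probe, raw in responses.items():
        head = raw.partition("\r\n\r\n")[0]          # status line + headers
        lines = head.split("\r\n")
        parts = lines[0].split()
        status = parts[1] if len(parts) > 1 else "?"
        names = [ln.split(":", 1)[0].strip().lower() for ln in lines[1:] if ":" in ln]
        sig[probe] = (status, tuple(n for n in names if n != "server"))
    return sig

def confidence(observed, known):
    """Fraction of (status, header order) features that agree, 0.0 to 1.0."""
    hits = total = 0
    for probe, (status, order) in known.items():
        obs_status, obs_order = observed.get(probe, ("?", ()))
        total += 2
        hits += (status == obs_status) + (order == obs_order)
    return hits / total if total else 0.0

def best_match(observed, database):
    """Return (server_name, confidence) for the closest database entry."""
    scored = [(name, confidence(observed, sig)) for name, sig in database.items()]
    return max(scored, key=lambda pair: pair[1])

# Constructed signature database: two hypothetical server families.
SIGNATURE_DB = {
    "alpha-httpd": {"GET": ("200", ("date", "content-type", "content-length")),
                    "BOGUS": ("501", ("date", "content-type"))},
    "beta-httpd": {"GET": ("200", ("content-type", "content-length", "date")),
                   "BOGUS": ("400", ("content-type", "date"))},
}

# Constructed responses from a host whose banner claims beta-httpd but whose
# header order and handling of an unknown method are those of alpha-httpd.
OBSERVED = {
    "GET": ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2007 00:00:00 GMT\r\n"
            "Server: beta-httpd/9.9\r\nContent-Type: text/html\r\n"
            "Content-Length: 0\r\n\r\n"),
    "BOGUS": ("HTTP/1.1 501 Not Implemented\r\nDate: Mon, 01 Jan 2007 00:00:00 GMT\r\n"
              "Server: beta-httpd/9.9\r\nContent-Type: text/html\r\n\r\n"),
}
```

`best_match(signature(OBSERVED), SIGNATURE_DB)` picks alpha-httpd with full confidence despite the beta-httpd banner.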

You can download httprint here (version 301 released on 22/12/05):

Win32 - httprint_win32_301.zip

Linux - httprint_linux_301.zip

aircrack-ptw - Fast WEP Cracking Tool for Wireless Hacking

WEP is a protocol for securing wireless LANs. WEP stands for “Wired Equivalent Privacy”, which means it should provide the level of protection a wired LAN has. WEP therefore uses the RC4 stream cipher to encrypt data transmitted over the air, usually with a single secret key (called the root key or WEP key) of 40 or 104 bits.

A history of WEP and RC4

WEP was already known to be insecure. In 2001 Scott Fluhrer, Itsik Mantin, and Adi Shamir published an analysis of the RC4 stream cipher. Some time later, it was shown that this attack can be applied to WEP and that the secret key can be recovered from about 4,000,000 to 6,000,000 captured data packets. In 2004 a hacker named KoReK improved the attack: the complexity of recovering a 104 bit secret key was reduced to 500,000 to 2,000,000 captured packets.

In 2005, Andreas Klein presented another analysis of the RC4 stream cipher. Klein showed that there are more correlations between the RC4 keystream and the key than the ones found by Fluhrer, Mantin, and Shamir, which can additionally be used to break WEP in WEP-like usage modes.

The aircrack-ptw attack

The aircrack team were able to extend Klein’s attack and optimise it for use against WEP. Using this version, it is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets. With 60,000 available data packets the success probability is about 80%, and with 85,000 data packets about 95%. Using active techniques like deauth and ARP re-injection, 40,000 packets can be captured in less than one minute under good conditions. The actual computation takes about 3 seconds and 3 MB of main memory on a Pentium-M 1.7 GHz, and can additionally be optimised for devices with slower CPUs. The same attack can be used against 40 bit keys too, with an even higher success probability.

Countermeasures

We believe that WEP should not be used any more in sensitive environments. Most wireless equipment vendors provide support for TKIP (also known as WPA1) and CCMP (also known as WPA2), which provide a much higher security level. All users should switch to WPA1 or, better still, WPA2.

You can download aircrack-ptw here:

aircrack-ptw-1.0.0.tar.gz

Or read more here.

Find an aircrack-ptw How To here.

Please note that aircrack-ptw should be used together with the aircrack-ng tool suite.

LORCON (Loss Of Radio CONnectivity) 802.11 Packet Library

The LORCON packet injection library provides a high level interface to transmit IEEE 802.11 packets onto a wireless medium. Written for Linux systems, this architecture simplifies the development of 802.11 packet injection through an abstraction layer, making the development of auditing and assessment tools driver-independent.

Using LORCON, developers can write tools that inject packets onto the wireless network without writing driver-specific code, simply by asking the user to identify the driver name they are currently using for a specified interface.

The project goal is to create what libradiate could have been: A generic library for injecting 802.11 frames, capable of injection via multiple driver frameworks, without forcing modification of the application code.

LORCON is nearing its 1.0 public release: once FreeBSD support is incorporated, the first fully packaged release will be made. Stay tuned!

Supported drivers:

* wlan-ng
* hostap
* airjack
* prism54
* madwifing
* madwifiold
* rtl8180
* rt2570
* rt2500
* rt73
* rt61
* zd1211rw

You can find some more information here:

LORCON Main Page

You can get the latest code from SVN here:

svn co http://802.11ninja.net/svn/lorcon/trunk

Or read more here.

Major Web Vulnerability Affects Yahoo, MSN, Google and More

I’ve seen this from quite a few sources, so it seems fairly legitimate: it appears all the major websites have flaws in the way they implement cookies, which leaves them vulnerable to certain types of attack.

The only current solution seems to be using SSL (https) connections full-time. If any of you use Gmail, you’ve probably noticed it now forces all logins through https, but reverts to http once it has logged you in.

The change is due to this problem.

If you use Gmail, eBay, MySpace, or any one of dozens of other web-based services, the United States Computer Emergency Readiness Team wants you to know you’re vulnerable to a simple attack that could give an attacker complete control over your account.

Five weeks after we reported this sad reality, US CERT on Friday warned that the problem still festers. It said the world’s biggest websites have yet to fix the gaping security bug, which can bite even careful users who only log in using the secure sockets layer protocol, which is denoted by an HTTPS at the beginning of the browser address window.

US CERT warned that Google, eBay, MySpace, Yahoo, and Microsoft were vulnerable, but that list is nowhere near exhaustive. Just about any banking website, online social network or other electronic forum that transmits certain types of security cookies is also susceptible.

It seems pretty serious eh? And it’s definitely related to cookies. It seems there are some workarounds which can alleviate the majority of the risk, but only Google has implemented them.

Not surprising eh?

The vulnerability stems from websites’ use of authentication cookies, which work much the way an ink-based hand stamp does at your favorite night club. Like the stamp, the cookie acts as assurance to sensitive web servers that the user has already been vetted by security and is authorized to tread beyond the velvet rope.

The thing is just about every website transmits these digital hand stamps in the clear, which leaves them wide open to snoops monitoring public Wi-Fi traffic or some other type of network. Once attackers have the cookie, they gain complete access to the victim’s account, and depending on the way many cookies are crafted, those privileges may continue in perpetuity - even if the victim changes the account password.

So just be careful what you are doing online and where you are storing your important data, because things might not be as secure as you assume.

If you are using Google Apps (Gmail) and Firefox you can use the CustomizeGoogle Add-on to force full-time SSL connections, I’ve done this for a long time anyway.

Source: The Register
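The practical defender's check for the problem described above, as an added example (not code from The Register, US-CERT or any of the sites named): a session cookie set without the Secure attribute is sent by the browser on plain-HTTP requests too, which is exactly what a Wi-Fi snoop needs. The Set-Cookie header values and the session-name hints below are constructed.

```python
# Audit Set-Cookie headers for the cookie-in-the-clear problem (added example).
# Assumes the site is served over HTTPS everywhere, so a session cookie can
# always carry Secure; HttpOnly additionally keeps page scripts from reading it.
from http.cookies import SimpleCookie

# Constructed name fragments that suggest an authentication cookie.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")

def audit_set_cookie(header_value):
    """Return {cookie_name: [problems]} for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        if not any(h in name.lower() for h in SESSION_HINTS):
            continue  # only authentication-style cookies matter here
        problems = []
        if not morsel["secure"]:
            problems.append("no Secure flag: browser also sends it over plain HTTP")
        if not morsel["httponly"]:
            problems.append("no HttpOnly flag: readable by injected scripts")
        if morsel["max-age"] and int(morsel["max-age"]) > 30 * 24 * 3600:
            problems.append("lives longer than 30 days: a stolen copy stays valid")
        report[name] = problems
    return report

def hardened_set_cookie(name, value, max_age=3600):
    """Header value a server should send instead, on an HTTPS-only site."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly"

# Constructed header of the kind the article describes: the session cookie is
# marked neither Secure nor HttpOnly and is kept for a whole year.
WEAK = "sessionid=abc123; Path=/; Max-Age=31536000"
```

`audit_set_cookie(WEAK)` reports all three problems, while the output of `hardened_set_cookie` passes clean.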

IPAudit - Network Activity Monitor with Web Interface

IPAudit monitors activity on a network by host, protocol and port. It listens to a network device in promiscuous mode and records every connection between two IP addresses. A unique connection is determined by the IP addresses of the two machines, the protocol used between them, and the port numbers (if they are communicating via UDP or TCP).

IPAudit can be used to monitor network activity for a variety of purposes. It has proved useful for intrusion detection, tracking bandwidth consumption and spotting denial of service attacks. It can be used with IPAudit-Web to provide web-based network reports.

IPAudit is a free network monitoring program, available and extensible under the GNU GPL.

IPAudit is a command line tool that uses the libpcap library to listen to traffic and generate data. The IPAudit-Web package includes the IPAudit binary in addition to the web interface that creates reports based on the collected data. Using the Web package is recommended, as it gives you a slick graphical interface complete with traffic charts and a search feature.
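The connection-table idea described above, as an added example that is not IPAudit's own code: packets are aggregated into unique connections keyed by the two IP addresses, the protocol and (for TCP/UDP) the two ports, with both directions of a flow landing in the same entry. The packet list is constructed rather than captured with libpcap, and the top-talker summary is the kind of report IPAudit-Web would chart.

```python
# Connection table in the style of IPAudit (added example, not the tool's
# code) built from a constructed packet list instead of a live libpcap feed.
from collections import defaultdict

def connection_key(src, sport, dst, dport, proto):
    """Direction-independent key: the lower (address, port) pair sorts first.
    Protocols without ports (ICMP etc.) use port 0 on both ends."""
    if proto not in ("tcp", "udp"):
        sport = dport = 0
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))

def build_table(packets):
    """Aggregate packets into {key: {"packets": n, "bytes": total}}."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, sport, dst, dport, proto, length in packets:
        entry = table[connection_key(src, sport, dst, dport, proto)]
        entry["packets"] += 1
        entry["bytes"] += length
    return dict(table)

def top_talkers(table, n=3):
    """Hosts ranked by bytes over all their connections, at either endpoint."""
    per_host = defaultdict(int)
    for (_, (a, _), (b, _)), stats in table.items():
        per_host[a] += stats["bytes"]
        per_host[b] += stats["bytes"]
    return sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

# Constructed packets: (src, sport, dst, dport, proto, bytes).  The first two
# are the two directions of one TCP connection and must merge.
PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, "tcp", 500),
    ("192.0.2.10", 80, "10.0.0.5", 40001, "tcp", 1500),
    ("10.0.0.5", 40002, "192.0.2.10", 80, "tcp", 400),
    ("10.0.0.7", 5353, "10.0.0.5", 5353, "udp", 120),
    ("10.0.0.9", 0, "10.0.0.5", 0, "icmp", 64),
]
```

`build_table(PACKETS)` yields four connections, and `top_talkers` ranks 10.0.0.5 first since it appears in every one of them.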

You can download IPAudit here:

IPAudit 0.95 - Latest stable version of IPAudit

Or read more here.