EH-Net
May 24, 2013, 04:54:45 AM
Show Posts
EH-Net / Special Events / Re: Q&A for Pen Testing Perfect Storm Part III: Network Reconstructive Surgery
on: March 30, 2009, 04:42:37 PM
You mentioned off-hand during the 'Ghost in the AP' portion of the webcast, that cloaking or hiding SSIDs should not be done any more. Now I've heard this explanation before, but you do it much better than I do. So could you quickly recap why it is now a common practice not to cloak, even though it had been the way of the world for quite some time?
The problem with SSID cloaking is that you force your client systems to constantly ask every AP they see "Are you my mother?" (cue the Dr. Seuss book ... SNORT!) If you cloak the SSID of your work AP and the user is stuck in Terminal C of O'Hare Airport*, they are constantly sending out probe requests with the cloaked SSID. A friend made the analogy to a military officer. The officer is lost, and he is looking for his military base. He asks everyplace he sees "Are you my military base?", "Are you?" Eventually, someone will say "yes", which we otherwise would call Karmetasploit (http://trac.metasploit.com/wiki/Karmetasploit).

Other reasons SSID cloaking doesn't make sense:

1. It provides no security. As any Kismet user will tell you, watching a legitimate user log in to the AP discloses the SSID.
2. It leads to user confusion. Users who can't find their wireless network are 18 times as prone to click on "Free Public WiFi" or any other nonsense SSID they come across (I read that statistic in the Journal of Clinical Neuroscience).
3. Users call your helpdesk more. If they need special shared information about the SSID, they are going to call your helpdesk all that much more. I found it was better to make friends with the helpdesk people than ... enemies.

I wrote a short article about this topic a few years ago for Network World which states similar points with more panache than I can muster at the moment: http://www.networkworld.com/columnists/2007/030507-wireless-security.html

Thanks to all who attended the webcast!

-Josh

* The best place to eat in O'Hare Airport is a take-out place in the K concourse called "Burrito Beach". You'll thank me for it. If you know of a place in the C concourse where there are more than a handful of working electrical outlets for public use, please let me know and I'll think kindly of you often!
EH-Net / Special Events / Re: Q&A for Pen Testing Perfect Storm Webcast Series: Part I
on: October 21, 2008, 01:20:53 PM
Also, have any of you had good success using the techniques described yesterday using BeEF over a Bluetooth access point that uses more of a PPPoE model? Or is it more geared towards standard 802ABGX related?

I seldom find Bluetooth APs using RFCOMM, PPP or Bluetooth Network Encapsulation Protocol (BNEP). Most of my experience with Bluetooth APs has not been in manipulating clients using the device, but in leveraging it as a network access mechanism that escapes 802.11 rogue AP identification. It's probably not common to find users leveraging a Bluetooth AP for wireless connectivity due to the greater cost associated with the hardware and the relative popularity of 802.11. However, that doesn't mean there aren't other uses for Bluetooth APs... Thanks, -Josh
Ethical Hacking Discussions and Related Certifications / Hardware / Re: BackTrack Problem . please help in solving this problem
on: October 15, 2008, 08:00:38 PM
First of all, I installed my BackTrack on a flash card and made it executable, but when I boot from the flash or from the BackTrack CD, BackTrack successfully installs but the display is not complete: the BackTrack display is not fully occupying the screen. I have a black screen on all four sides with the BackTrack screen nearly in the middle.
We use the BT3 CD in my SANS Ethical Hacking Wireless course. During labs, sometimes people will have problems getting X running properly. Something I've learned that can work is to kill X Windows (press Ctrl+Alt+Backspace), then from the shell prompt, run:

X -configure

This will autoconfigure X and give you a simple window manager. Press Ctrl+Alt+Backspace to kill this simple window manager. IIRC, this step will write a new configuration file as /etc/X11/xorg.conf.new (or similar; read the output on the screen when you kill X). I move this file over the default xorg.conf file:

mv /etc/X11/xorg.conf.new /etc/X11/xorg.conf

Then run "startx".

NOTE: If this works (I hope it does), you'll have to repeat these steps each time you boot. Open a bug on the BackTrack Wiki if this solves the problem to let them know.

Best of luck,
-Josh
EH-Net / Special Events / Re: Available Online
on: October 15, 2008, 07:48:22 PM
Unfortunately I was only able to make it until the last half of the presentation and I was wondering if it will be available online again for people to watch (such as the Pentest Ninjitsu series). Thanks in advance.
No worries, you can catch the recorded version. Visit: https://www.sans.org/webcasts/show.php?webcastid=91601 and click "Click here to register for this webcast."; you'll need to fill in a form but you can de-select "share this information with the sponsor". -Josh
Ethical Hacking Discussions and Related Certifications / Wireless / Re: Testing WPA PassPhrase Strength, how long is long enough.
on: October 15, 2008, 02:47:33 PM
Question to those who do regular Wireless Pen Tests, when do you decide to throw in the towel when it comes to WPA based attacks, and is this predefined contractually with the client?
Certainly, this depends on the negotiated terms and goals of the engagement with the customer. I have a few dictionaries I'll try and have pre-established mechanisms to accelerate the testing process (using nVidia GPUs, available hosts and FPGAs), and I'll run that to completion for a test.

The reason I ask is that, obviously, you have the dictionary and brute-force attacks, and as you can sniff the handshake and then work offline you really do have forever to test various rainbow tables, keyword lists and other techniques, but when do you decide enough is enough, and you will happily tell your client that, based on the techniques used, the choice of passphrase in use is acceptable.

Determining if the passphrase choice is acceptable requires more evaluation than just what you can determine from a penetration test. I try to work out with the client what the resources of a potential adversary would be ($1,000? $10,000? $1,000,000?) and then use math to figure out how long it would take to figure out the selected passphrase (usually, this is by ignoring the entropy of the selected passphrase, and just using the character selection and length of the passphrase, factoring in probability). Of course you could simply review the passphrase if they offered it to you and make a judgement call on how likely it would appear in someone's lists when attacking, but that would kinda defeat the Wireless Pen Test.

For me, PSKs aren't acceptable in anything but the environments of least risk (perhaps a guest network, or a home network with little to no valuable resources). It's less about being able to brute-force the PSK, and more about how the PSK (or derived PMK) is stored on each and every workstation. I can use a combined pen-test approach to leverage physical security with wireless attacks and a tool like Aircrack-ng's WZCOOK to extract a PMK which is shared by all the other users on the network, all without having to resort to dictionary attacks. Good post. -Josh
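A worked version of the budget-based estimate described in the post above (character-set size and length, an adversary tier in dollars, and a success probability), written as an added example that is not part of the original thread. The guesses-per-second figures for each budget are constructed assumptions, not measurements, and the model deliberately ignores how users really pick passphrases, as the post says.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed assumptions (not from the post): WPA/WPA2-PSK guesses per second
# an adversary at each budget tier might sustain. Every guess costs a
# PBKDF2-SHA1 run of 4096 iterations, so rates are far below raw hashing
# speed; measure your own hardware before relying on these numbers.
GUESSES_PER_SECOND = {
    1_000: 5_000,          # a single consumer GPU
    10_000: 50_000,        # a small GPU rig
    1_000_000: 5_000_000,  # a GPU/FPGA farm
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passphrases, ignoring how users actually choose them."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset_size and length must be positive")
    return charset_size ** length


def seconds_to_probability(charset_size: int, length: int,
                           guesses_per_second: int, p: float = 0.5) -> float:
    """Seconds an exhaustive search needs to reach success probability p.

    For a uniformly chosen passphrase, trying a fraction p of the keyspace
    succeeds with probability p, so p = 0.5 gives the median cracking time.
    """
    if not 0.0 < p <= 1.0:
        raise ValueError("p must be in (0, 1]")
    return p * keyspace(charset_size, length) / guesses_per_second


def years_by_budget(charset_size: int, length: int, p: float = 0.5) -> dict:
    """Cracking time in years, at success probability p, for each adversary tier."""
    return {budget: seconds_to_probability(charset_size, length, rate, p) / SECONDS_PER_YEAR
            for budget, rate in GUESSES_PER_SECOND.items()}


def resists(charset_size: int, length: int, budget: int,
            horizon_years: float, p: float = 0.5) -> bool:
    """True if an adversary with this budget has less than chance p of recovering
    the passphrase within the horizon. The shared-PSK storage weakness raised in
    the post is a separate risk that this estimate cannot capture."""
    return years_by_budget(charset_size, length, p)[budget] > horizon_years


if __name__ == "__main__":
    # 8 lowercase letters vs. 10 characters drawn from the 95 printable ASCII set
    for charset, length in ((26, 8), (95, 10)):
        print(charset, length, years_by_budget(charset, length))
```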
EH-Net / Special Events / Re: Q&A for Pen Testing Perfect Storm Webcast Series: Part I
on: October 15, 2008, 02:37:29 PM
There was a tool mentioned on the 'Using XSS to pivot' slide... it was briefly mentioned about comparing administrative interface fingerprints (or something similar). Can you post a link/name of that tool or maybe a brief rundown of what it does if I misunderstood?
Yokoso!, by Kevin Johnson et al., release imminent, to be available at http://sourceforge.net/projects/yokoso/. Yokoso! is a tool to identify the administrative interfaces used through fingerprinting techniques. This can be helpful to sort through the page history of a browser controlled by a pen-tester to identify valuable targets to exploit (e.g. previously logged-in administrative pages). -Josh