Wireless Security Review: Kismet++

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.

 wardriving.com Wardriving news portal
– Ethereal/Tcpdump compatible data logging
– Airsnort compatible weak-iv packet logging
– Network IP range detection
– Built-in channel hopping and multicard split channel hopping
– Hidden network SSID decloaking
– Graphical mapping of networks

Q: What happens when I ask a question thats already answered here?
A: I’ll probably be rude to you and tell you to go read the docs.
But of course everyone already read the docs all the way to the end,
right? Right?

Greater Boston Area 802.11 Wireless Database

NYC Wireless Group

 Turnpoint.net‘s wireless antenna shootout

Antenna Systems antenna supplier

 Pasadena.net wireless equipment

TheRFC RF Connector and custom cable supplier with no minimum order.

Solwise UK connector and equipment supplier.

Decrypting Wireless Packets


If I’ve used kismet to create a dump file (full packet capture) with WEP encrypted data and then later learn the WEP key, how can I can I apply this key (and BSID) to decrypt the data?

Creating a chroot environment in Ubuntu Edgey

I searched for a good tutorial on this and ended up cobbling together a few different ones. The article I worked the most from is Chrooted SSH HowTo which shows a general Debian Setup. In fact almost all of the article is applicable to a semi up to date Ubuntu distro. A lot of the commands are either directly from the article cited above or variations of it.

To start with we install the necessary libraries and then download and compile chroot.

cd /tmp
apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev ssh
wget http://chrootssh.sourceforge.net/downloa…
tar xvfz openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure –exec-prefix=/usr –sysconfdir=/etc/ssh –with-pam
make install

Next create your jail directory. This will be the place your users live in. Remember that the directory must contain all the executables they will need including rudimentary tools like cp, mv, etc. From here on out you are inside of the jail creating and mirroring files.

mkdir /home/chroot/
mkdir /home/chroot/home/
cd /home/chroot
mkdir etc
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5

The howto article had a really great script for automating most of the library copying.

APPS=”/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors”
for prog in $APPS; do
cp $prog ./$prog

# obtain a list of related libraries
ldd $prog > /dev/null
if [ “$?” = 0 ] ; then
LIBS=`ldd $prog | awk ‘{ print $3 }’`
for l in $LIBS; do
mkdir -p ./`dirname $l` > /dev/null 2>&1
cp $l ./$l
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/

You will see an error message about not being able to stat a file (0xffffe000). I will deal with this at the end.

The next step involves copying the passwords of jailed users into the jailed directory along with the root user. The last command will work for any user by simply substituting “root” for the new jailed user (s/root/$user/;)

echo ‘#!/bin/bash’ > usr/bin/groups
echo “id -Gn” >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e “^root” > etc/passwd

You can also create a special jailed group and then use this:
grep /etc/group -e “^root” -e “^users” > etc/group

Once this is done you need to restart the SSH server to make all the changes take effect. If you have remoted into the box to do this make sure you check over everything at LEAST once more. If for some reason you have a bad configuration and your SSH server doesn’t come back up you will be really unhappy.

/etc/init.d/ssh restart

Next we create our chrooted user. The article cited works really well so I’m literally pasting this section (and linking) to it. There is an issue with a bash library and I’ll also show how to get SCP working for the jailed user. Currently SFTP isn’t working for me so I won’t show that.

Even with the chrooted SSH that we have just installed you can log in without being chrooted (which makes sense if you log in as root, for example). Now, how does the chrooted SSH decide whom to chroot and whom not? That’s easy: the chrooted SSH looks up the user who is trying to log in in /etc/passwd. If the user’s home directory in /etc/passwd has a . in it, then the user is going to be chrooted.

Example (from /etc/passwd):

user_a:x:2002:100:User A:/home/user_a:/bin/bash

This user will not be chrooted.

user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash

This user will be chrooted.

Now we create the user testuser with the home directory /home/chroot/./home/testuser and the group users (which is the default group for users on Debian so you do not have to specify it explicitly):

useradd -s /bin/bash -m -d /home/chroot/./home/testuser -c “testuser” -g users testuser

Then we give testuser a password:

passwd testuser

Finally, we have to copy the line for testuser in /etc/passwd to /home/chroot/etc/passwd:

grep /etc/passwd -e “^testuser” >> /home/chroot/etc/passwd

We have already copied the users group line from /etc/group to /home/chroot/etc/group so we do not have to do this here again. If you create a chrooted user in another group than users, add this group to /home/chroot/etc/group:

grep /etc/group -e “^othergroup” >> /home/chroot/etc/group

Now try to log in to SSH as testuser. You should be chrooted and not be able to browse files/directories outside /home/chroot.

Initially this won’t work because of the bash issue I mentioned. So to fix this simply run ldd against bash and find the missing library.

ldd /bin/bash

linux-gate.so.1 => (0xffffe000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb7ee8000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7ee5000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7db6000)
/lib/ld-linux.so.2 (0xb7f31000)

I forget which library it was now (maybe libncurses?) but don’t worry about linux-gate.so.1. The next step is getting SCP to work. So first copy scp to the chrooted bin directory and then make sure the following are in the chrooted lib directory.

ldd /usr/bin/scp

linux-gate.so.1 => (0xffffe000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7fcc000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7e9d000)
libutil.so.1 => /lib/tls/i686/cmov/libutil.so.1 (0xb7e9a000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7e86000)
libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7e71000)
libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7e43000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7d14000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7d11000)
/lib/ld-linux.so.2 (0xb7fe7000)

Once you are done you should be able to login to your chroot environment and scp files into it. Once I figure out sftp I will post more.

Rails install script for Ubuntu (feisty fawn)

echo “Credit to Urban Puddle for the guide”
echo “this is the article in script form”
echo “you can cut and paste this entire article into a shell script and run it.”

sudo apt-get update
sudo apt-get dist-upgrade

sudo apt-get install build-essential

sudo apt-get install ruby ri rdoc mysql-server libmysql-ruby ruby1.8-dev irb1.8 libdbd-mysql-perl libdbi-perl libmysql-ruby1.8 libmysqlclient15off libnet-daemon-perl libplrpc-perl libreadline-ruby1.8 libruby1.8 mysql-client-5.0 mysql-common mysql-server-5.0 rdoc1.8 ri1.8 ruby1.8

sudo wget http://rubyforge.org/frs/download.php/20...
tar -xzvf rubygems-0.9.4.tgz
cd rubygems-0.9.4
sudo ruby setup.rb

sudo gem install rails --include-dependencies

sudo apt-get install libpcre3 nginx libfcgi-dev libfcgi-ruby1.8 libfcgi0c2

sudo apt-get install libxml2 ucf php5-common php5-cgi php5-mysql phpmyadmin

sudo gem install mongrel
sudo gem install mongrel_cluster

echo "sudo cp /usr/lib/ruby/gems/1.8/gems/mongrel_cluster-0.2.1/resources/mongrel_cluster "
echo "/etc/init.d/mongrel_cluster"

echo "Next, add a path statement to mongrel_cluster file just above the CONF_DIR variable:"
echo "PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local:/usr/local/sbin:/usr/local/bin"
echo "Thanks to Russ Brooks for the above tip"

echo "Finally, let's modify permissions and make sure we boot mongrel on startup:"

echo "sudo chmod +x /etc/init.d/mongrel_cluster"
echo "sudo update-rc.d mongrel_cluster defaults"

echo "9. Congratulations, you've got everything installed! It's time to deploy. If you have an "
echo "existing rails application on another server, let's move it over to our root at /var/www/"
echo "sudo mv myrailsapp /var/www/"

echo "10. Modify your permissions of your app and phpmyadmin:"
echo "sudo chown -R www-data:www-data myrailsapp"
echo "sudo chown -R www-data:www-data phpmyadmin"

echo "11. Setup the Mongrel Cluster (source). This will get us a group of 3 mongrel clusters "
echo "running on port 8000. From within your myrailsapp/config folder, "
echo "type: sudo mongrel_rails"
echo "cluster::configure -e production \ -p 8000 -N 3 -c /var/www/apps/myrailsapp -a \ "
echo "--user mongrel --group mongrel"

echo "echo "Now let's create a symlink to that file from within /etc where all our configs live:"
echo "sudo mkdir /etc/mongrel_cluster"
echo "cd /etc/mongrel_cluster/"
echo "sudo ln -s /var/www/myrailsapp/config/mongrel_cluster.yml"

echo "You can download a sample mongrel_cluster file HERE. In any case, it's a good idea to "
echo "download it and cross reference it to what the above command produced."

echo "12. Next we're going to put a script into /var/www/phpmyadmin folder "
echo "to spawn fastcgi on "
echo "port 8888. Make sure you give it execute permissions using"
echo " sudo chmod +x fastcgi_script"

echo "Download the script here. Inspiration for this script came from Alexey N. Kovyrin. It has "
echo "been modified only for Ubuntu's PHP path. Don't forget to put it into "
echo "/var/www/phpmyadmin"

echo "13. We're *almost* done. Next step is to configure Nginx. Here's a sample nginx.conf file"
echo "for your /etc/nginx/ folder. It's set up to handle one rails app and phpmyadmin. Adding "
echo "additional servers just means more server blocks."

echo "14. Now that we've got everything set up, let's turn this sucker on!"
echo "Step 1: PHP: . /var/www/phpmyadmin/fastcgi_script"
echo "Step 2: Mongrel: /etc/init.d/mongrel_cluster start"
echo "Step 3: Nginx: /etc/init.d/nginx/ start"

echo "References:"

echo " * There's lots of great documentation for Mongrel here."
echo " * There's an entire wiki devoted to Nginx in English"
echo " * Ezra Zygmuntowicz is the man!"
echo " * Russ Brooks has a great HowTo as well"

Aptana (formerly RadRails) setup for OS X

If you are planning to use Aptana for Rails development on OS X make sure to first change the default location of the ruby VM. I’m not sure why it gets the location wrong but you can’t start writing the next great app until you fix this.

This forum post tells you the location to change the setting but I think he a ruby port (maybe Darwin?) since it pointed to /opt/local. For me it was /usr/local/bin/ instead of just /usr/. Other then this one small hiccup the setup was incredibly easy after following the Hivelogic setup guide for Rails

New javascript exploit style

Now with passwords?

<script language=”JavaScript” type=”text/javascript”>

function get(key){var ID=’9′;var out=””;var
return out;}document.write(get(unescape(password)));

<script language=”JavaScript” type=”text/javascript”>

function get(key){var ID=’9′;var out=””;var
return out;}document.write(get(unescape(password)));

Digg the Article

The article I wrote about Vista as a degenerative technology was selected by the FSF for publication and is now on digg.

Here is the gist of the article:

More then ever, the industries who produce the entertainment consumed by the masses treat those very same people as potential criminals. Microsoft isn ’t kowtowing to demands; they are gladly aiding the entertainment industry to fight a battle they themselves are waging.

Metasploit 3.0 (now with more ruby)

The Metasploit Framework (“Metasploit”) is a development platform for
creating security tools and exploits. Version 3.0 contains 177
exploits, 104 payloads, 17 encoders, and 3 nop modules. Additionally,
30 auxiliary modules are included that perform a wide range of tasks,
including host discovery, protocol fuzzing, and denial of service testing.

Handbrake for Ubuntu

Original from http://textsnippets.com/posts/show/287
(modified slightly to fix url issue and update to 0.71)

sudo apt-get install nasm build-essential devscripts fakeroot
mkdir ~/tmp
cd tmp
wget http://apt.cerkinfo.be/pool/main/x264/x2…
wget http://apt.cerkinfo.be/pool/main/x264/x2…
wget http://apt.cerkinfo.be/pool/main/x264/x2…
dpkg-source -x x264_0.0.20050906-1.dsc
cd x264-0.0.20050906/
dpkg-buildpackage -rfakeroot
cd ..
sudo dpkg -i *.deb
sudo apt-get install debhelper libgtk2.0-dev jam nasm liba52-dev libavcodec-dev libdvdcss2-dev libdvdread3-dev libfaac-dev libmpeg2-4-dev liblame-dev libmp4v2-dev libogg-dev libsamplerate-dev libvorbis-dev libwxgtk2.6-dev libx264-dev libxvidcore-dev
wget http://www.mirrors.ausmac.net/ftp/AudioV…
tar -xzvf HandBrake-0.7.1.tar.gz
cd HandBrake-0.7.1
sudo cp HBTest /usr/local/bin/handbrake

Make movies like this:
handbrake -e xvid -E ac3 -2 -S 1400 -i /dev/cdrom -o MOVIENAME.avi

A sample evasion technique

The following code creates the file c:\donothing.txt according to the Sandbox Analyzer, while it creates the file c:\breakstuff.txt on a real computer running a real copy of Windows.

unsigned char idt[6];

sidt idt
if ((0x00 == idt[0]) && (0x08 == idt[1]))
fp = fopen(“c:\\donothing.txt”, “w”);
fp = fopen(“c:\\breakstuff.txt”, “w”);