Ethical Hacking
Ethical hacking is a term that sometimes strikes the nerves of many companies and employers. Some say that hacking is not and cannot be ethical. On the contrary, it can be. Some companies will pay for pen testers to come out and find security vulnerabilities. The reason I speak of this term of “Ethical Hacking” is due to the fact that I am taking a class for my CEH certification. I paid $450 for a $3000 class. So I got pretty dang lucky and now I'm taking a class on how to become a hacker. The class so far has been a review of the stuff I have learned from my current professor Dan. But I suspect that the class will change drastically this upcoming Wednesday when we start to actually attack our networks. We are using VMware with about 4 or 5 different OSes running through VMware. VMware is the freakin shizit. So we use those virtual machines as our targets on the network. I hope that I learn from this class and that it is worth $3000. I plan on being a security professional in the near future. Anyway, to the point, I will be posting tools, info and many other tutorials/labs so that people can learn about ethical hacking just like I have. That's as soon as I have learned how to add files to WordPress. Bear with me as I learn this dang WordPress situation…
And You Shall Know Me By The Trail of Bits
KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.
KARMA includes patches for the Linux MADWifi driver to allow the creation of an 802.11 Access Point that responds to any probed SSID. So if a client looks for ‘linksys’, it is ‘linksys’ to them (even while it may be ‘tmobile’ to someone else). Operating in this fashion has revealed vulnerabilities in how Windows XP and MacOS X look for networks, so clients may join even if their preferred networks list is empty.
Thanks to some great work by HD Moore, KARMA now lives on in the modern era as Karmetasploit. Karmetasploit is an integration of parts of KARMA and its ideas into the Metasploit framework. Karmetasploit is your best option for running KARMA these days but the original KARMA software written by Dino Dai Zovi and Shane Macaulay is also available below. For an in-depth description of the KARMA attacks against wireless clients, see the whitepaper and presentations below.
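The behaviour described above (one BSSID answering Probe Requests for every SSID it hears, and clients leaking their preferred-network list by probing) is easy to spot in a monitor-mode capture. The following detector is an added example, not part of KARMA or Karmetasploit; the `Frame` record and the sample capture are constructed, and in practice the frames would come from a monitor-mode capture.

```python
"""Added example (not KARMA/Karmetasploit code): flag a KARMA-style AP from
captured 802.11 management frames. A legitimate AP only sends Probe Responses
for the SSID(s) it serves, so one BSSID answering many unrelated SSIDs is a
strong indicator of a rogue AP that responds to any probed network."""
from collections import defaultdict
from typing import Iterable, NamedTuple

class Frame(NamedTuple):
    subtype: str   # "probe_req" or "probe_resp"
    src: str       # transmitter MAC: client for requests, BSSID for responses
    ssid: str      # SSID carried in the frame ("" = broadcast/wildcard probe)

def karma_suspects(frames: Iterable[Frame], threshold: int = 3) -> dict:
    """Return {bssid: sorted SSIDs} for every BSSID whose Probe Responses
    advertise at least `threshold` distinct SSIDs (wildcard responses
    carry no SSID and are ignored)."""
    ssids_by_bssid = defaultdict(set)
    for f in frames:
        if f.subtype == "probe_resp" and f.ssid:
            ssids_by_bssid[f.src].add(f.ssid)
    return {b: sorted(s) for b, s in ssids_by_bssid.items() if len(s) >= threshold}

def probing_clients(frames: Iterable[Frame]) -> dict:
    """Return {client MAC: sorted SSIDs} from directed Probe Requests; this is
    the preferred-network list a client discloses, which an audit of a client
    fleet would want to know about."""
    seen = defaultdict(set)
    for f in frames:
        if f.subtype == "probe_req" and f.ssid:
            seen[f.src].add(f.ssid)
    return {c: sorted(s) for c, s in seen.items()}

# Constructed sample capture: two clients probe, a legitimate AP answers only
# its own SSID, and a second AP answers every SSID it hears.
SAMPLE = [
    Frame("probe_req", "aa:aa:aa:00:00:01", "linksys"),
    Frame("probe_req", "aa:aa:aa:00:00:01", "tmobile"),
    Frame("probe_req", "aa:aa:aa:00:00:02", "corpnet"),
    Frame("probe_req", "aa:aa:aa:00:00:02", ""),          # broadcast probe
    Frame("probe_resp", "00:11:22:33:44:55", "corpnet"),  # legitimate AP
    Frame("probe_resp", "de:ad:be:ef:00:01", "linksys"),  # same BSSID answers
    Frame("probe_resp", "de:ad:be:ef:00:01", "tmobile"),  # every probed SSID
    Frame("probe_resp", "de:ad:be:ef:00:01", "corpnet"),
]

if __name__ == "__main__":
    print("clients disclosing preferred networks:", probing_clients(SAMPLE))
    print("KARMA-style suspects:", karma_suspects(SAMPLE))
```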
Docs:
- Karmetasploit documentation
- “Attacking Automatic Wireless Network Selection”, Dino A. Dai Zovi and Shane Macaulay.
- Technical Whitepaper [PDF]
- Proceedings from the 6th Annual IEEE SMC Information Assurance Workshop
- CNET News.com story mentioning our KARMA demo @ Microsoft’s Blue Hat summit
- Legacy KARMA README
- KARMA HOWTO at WirelessDefence.org
Presentations:
- All Your Layer Are Belong To Us. PacSec.JP 2004, November 2004, Tokyo, Japan. [ slides ]
- All Your Layer Are Belong To Us. CanSecWest/core05, May 2005, Vancouver, Canada. [ slides ]
- Attacking Automatic Wireless Network Selection. IEEE Information Assurance Workshop, June 2005, West Point, NY. [ slides ]
Software:
- Legacy Karma Snapshot (20060124)
- Karma 0.4 CanSecWest/core05 Alpha Release
- Karma 0.3 Microsoft BlueHat Alpha Release
- Karma 0.2 Immunity NYC Security Shindig Alpha Release
- Karma 0.1 PACSEC Alpha Release
Enumeration
Nmap (“Network Mapper”) is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available. Nmap is …
- Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
- Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
- Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
- Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as “nmap -v -A targethost”. Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
- Free: The primary goal of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
- Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, and tutorials. Find them in multiple languages here.
- Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list.
- Acclaimed: Nmap has won numerous awards, including “Information Security Product of the Year” by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
- Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.
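The inventory and uptime-monitoring use mentioned above is where Nmap earns its keep for defenders: scan, parse the machine-readable report, and compare it against what is supposed to be listening. The parser below is an added example, not Nmap project code; the XML is constructed to mirror the structure Nmap writes with `-oX` (nmaprun/host/status/address/ports/port/state/service), and the baseline is a hypothetical approved-services list.

```python
"""Added example (not from the Nmap project): build a host/service inventory
from an `nmap -oX` report and flag open ports missing from an approved
baseline. SAMPLE_XML is constructed to follow Nmap's real XML layout."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_open_ports(xml_text: str) -> dict:
    """Return {ip: [(port, proto, service-name), ...]} for hosts that are up,
    keeping only ports Nmap reports as open (filtered/closed are dropped)."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "?") if svc is not None else "?"
            open_ports.append((int(port.get("portid")), port.get("protocol"), name))
        inventory[ip] = sorted(open_ports)
    return inventory

def unexpected_services(inventory: dict, baseline: dict) -> dict:
    """Open ports not in baseline {ip: {(port, proto), ...}}; a host absent
    from the baseline has every open port reported as unexpected."""
    findings = {}
    for ip, ports in inventory.items():
        allowed = baseline.get(ip, set())
        extra = [p for p in ports if (p[0], p[1]) not in allowed]
        if extra:
            findings[ip] = extra
    return findings

# Hypothetical approved baseline: only 10.0.0.5 may expose ssh and https.
BASELINE = {"10.0.0.5": {(22, "tcp"), (443, "tcp")}}
```

Running `unexpected_services(parse_open_ports(SAMPLE_XML), BASELINE)` reports the telnet listener on 10.0.0.6 and nothing for 10.0.0.5, which matches its baseline.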
