In one week, it's 44CON time again! One of our favourite UK hacker cons. In keeping with our desire to make more hackers, we're giving several sets of training courses as well as a talk this year.
Training: Hacking by Numbers - Mobile Edition
If you're in a rush, you can book here.
We created the course to share our experience testing mobile applications and platforms, and well, because lots of people asked us to. The course shows you how to test mobile platforms and installed applications for vulnerabilities. HBN Mobile provides a pretty complete and practical overview into the methods used when attacking mobile platforms and presents you with a methodology that can be applied across platforms (although we focus on iOS and Android). This course is mostly for existing penetration testers who are new to the mobile area looking to learn how to understand, analyse and audit applications on various mobile platforms.
For more information about the course, and to book a place, head over here.
Workshop: Malware Reverse Engineering
If we were marketing to hipsters, we'd use words like “bespoke” and “handcrafted” to describe this workshop. While it's not made out of yams, it was put together especially for 44con.
Inaki and Siavosh's workshop will cut through the black-magic often associated with reverse engineering and malware. Advanced attacks usually have some form of malware involved, and learning to pull these apart to understand the kill chain is an increasingly vital skill.
Using real malware used in attacks against large corporates, students will look at both behavioural analysis and code analysis, to determine what the malware does.
If you're keen to attend, speak to the 44con crew at the front desk on arrival.
Talk: 'Honey, I'm Home' - Hacking Zwave Home Automation Systems
Behrang and Sahand will be presenting the results of their research into smart homes on day two at 09:30am.
“Smart homes” employing a variety of home automation systems are becoming increasingly common. Heating, ventilation, security and entertainment systems are centrally controlled with a mixture of wired and wireless networking. In 2011 the UK market for home automation products was estimated at GBP 65 million, an increase of 12% on the previous year, with the US market exceeding $3 billion. Zigbee and Z-Wave wireless protocols underpin most home automation systems. Z-Wave is growing in popularity as it does not conflict with existing 2.4GHz WiFi and Bluetooth systems.
Their talk describes the Z-Wave protocol and a number of weaknesses, including how to build a low-cost attack kit to perform packet capture and injection, along with potential attacks on the AES crypto implementation. Bottom line: they can walk up to a house, disable security sensors, then open the front door. LIKE A BOSS
We are publishing the research paper and tool for our BlackHat 2013 USA talk on the Z-Wave proprietary wireless protocol security. The paper introduces our Z-Wave packet interception and injection toolkit (Z-Force) that was used to analyze the security layer of Z-Wave protocol stack and discover the implementation details of the frame encryption, data origin authentication and key establishment process. We developed the Z-Force module to perform security tests against the implementation of the Z-Wave security layer in encrypted home automation devices such as a door locks. The paper describes the details of a critical vulnerability discovered in a Z-Wave door lock that could enable an attacker to remotely take full control of the target device without knowledge of the network encryption key. The Z-Force download archive contains the GUI program and two radio firmware files for the receiver and transmitter TI CC1110 boards.
This research will also be presented at 44Con 2013 in London next month, followed by the release of Z-Force source code and US frequency support (908.4 MHz) in the firmware.
Link to conference page and paper: http://research.sensepost.com/conferences/2013/bh_zwave
Link to Z-Force project and download page: http://research.sensepost.com/tools/embedded/zforce
One of the things we try and get across in our training - is that pen-testing requires out of the box thinking. It's also about solving puzzles and making things work the way you want them to. It's about identifying the small vulnerabilities (which are often easy to spot), and trying to leverage them into something useful. A key process we strive to do at SensePost, when performing these penetration tests, is about having fun.
However, since we're not presenting our HBN Combat course at BlackHat this year, we thought we'd treat people to a nice, mind-boggling challenge prior to BlackHat. Furthermore, instead of opting for the normal crypto or reversing-type challenges which seem to have become the norm, we thought we'd make it an infrastructure challenge for once. In other words, people get to compromise real, live boxen. We've also made it real-world, this is something you might be faced with when performing a infrastructure test.
You've been tasked with performing an infrastructure assessment against ACME Bank. You've fired up your favorite foot printing tool, run through the usual intelligence gathering methodology and noticed they seem to have a minute Internet footprint. So small, in fact, that the only entry point you have is what appears to be a router at 220.127.116.11.
Obtain access to a host on the internal network and put your name on the wall of fame. The first name on the wall wins.
If one takes a quick glimpse at the target, it will be obvious that the person who makes the first break is probably going to be able to control what other people do (with great power comes great responsibility). Also, there is probably a relatively high chance of people inadvertently blocking themselves off from the target. As such, the challenge is going to be reset to "factory default" at 04h00 MT every day.
We've created a very cool SensePost Blackhat USA 2013 t-shirt and this is limited edition to SensePost staff only, but for the person who gets the first name on the wall, we think you deserve your own.
Have fun, happy haxoring, and hope to see you all at BlackHat.
We're excited to be presenting our Hacking By Numbers Combat course again at Black Hat USA this year. SensePost's resident German haxor dude Georg-Christian Pranschke will be presenting this year's course. Combat fits in right at the top of our course offerings. No messing about, this really is the course where your sole aim is to pwn as much of the infrastructure and applications as possible. It is for the security professional looking to hone their skill-set, or to think like those in Unit 61398. There are a few assumptions though:
These targets come from real life assessments we've faced at SensePost, it's about as real as you can get without having to do the report at the end of it. How it works is that candidates are presented with a specific goal. If the presenter is feeling generous at the time, they may even get a description of the technology. After that, they'll have time to solve the puzzle. Afterwards, there will be a discussion about the failings, takeaways and alternate approaches adopted by the class. The latter is normally fascinating as (as anybody in the industry knows), there are virtually a limitless number of different ways to solve specific problems. This means that even the instructor gets to learn a couple of new tricks (we also have prizes for those who teach them enough new tricks).
In 2012, Combat underwent a massive rework and we presented a virtually new course which went down excellently. We're aiming to do the same this year, and to make it the best Combat course ever. So if you're interested in spending two days' worth of intense thinking solving some fairly unique puzzles and shelling boxen, join us for HBN Combat at BlackHat USA.
When doing wireless assessments, I end up generating a ton of different scripts for various things that I thought it would be worth sharing. I'm going to try write some of them up. This is the first one on decrypting WPA/2 PSK traffic. The second will cover some tricks/scripts for rogue access-points. If you are keen on learn further techniques or advancing your wifi hacking knowledge/capability as a whole, please check out the course Hacking by Numbers: Unplugged, I'll be teaching at BlackHat Las Vegas soon.
When hackers find a WPA/2 network using a pre-shared key, the first thing they try and do most times, is to capture enough of the 4-way handshake to attempt to brute force the pairwise master key (PMK, or just the pre-shared key PSK). But, this often takes a very long time. If you employ other routes to find the key (say a client-side compromise) that can still take some time. Once you have the key, you can of course associate to the network and perform your layer 2 hackery. However, if you had been capturing traffic from the beginning, you would now be in a position to decrypt that traffic for analysis, rather than having to waste time by only starting your capture now. You can use the airdecap-ng tool from the aircrack-ng suite to do this:
airdecap-ng -b <BSSID of target network> -e <ESSID of target network> -p <WPA passphrase> <input pcap file>
However, because the WPA 4-way handshake generates a unique temporary key (pairwise temporal key PTK) every time a station associates, you need to have captured the two bits of random data shared between the station and the AP (the authenticator nonce and supplicant nonce) for that handshake to be able to initialise your crypto with the same data. What this means, is that if you didn't capture a handshake for the start of a WPA/2 session, then you won't be able to decrypt the traffic, even if you have the key.
So, the trick is to de-auth all users from the AP and start capturing right at the beginning. This can be done quite simply using aireplay-ng:
aireplay-ng --deauth=5 -e <ESSID>
Although, broadcast de-auth's aren't always as successful as a targeted one, where you spoof a directed deauth packet claiming to come from the AP and targeting a specific station. I often use airodump-ng to dump a list of associated stations to a csv file (with --output-format csv), then use some grep/cut-fu to excise their MAC addresses. I then pass that to aireplay-ng with:
cat <list of associated station MACs>.txt | xargs -n1 -I% aireplay-ng --deauth=5 -e <ESSID> -c % mon0
This tends to work a bit better, as I've seen some devices which appear to ignore a broadcast de-auth. This will make sure you capture the handshake so airdecap can decrypt the traffic you capture. Any further legitimate disconnects and re-auths will be captured by you, so you shouldn't need to run the de-auth again.