The Insecure Wire

iKAT – Interactive Kiosk Attack Tool

nikon — Tue, 10 Jan 2012 16:07:55 +0000

I’d like to bring to your attention a tool that was posted to the full disclosure mailing list a while ago, but still useful. It is called iKAT (Interactive Kiosk Attack Tool) and allows you to exploit the local machine windows / linux from a browser web page full of nifty exploits and tools. Its very handy to browse to a site and bring up an unrestricted shell on a win32 box within seconds. There are now multiple flavors of iKAT; linux, portable, windows and photoKAT.

: iKAT in Internet Explorer 8

It also works well on those internet kiosk machines, that are all locked down usually with windows based policies

Kon-Boot – Windows password auditer and bypass – VMware support

nikon — Tue, 10 Jan 2012 16:00:28 +0000

We all have the Windows password bypass boot disks in our tool kits. I’d like to make mention of a new favourite of mine, it is called Kon-Boot which patches the loading kernel in memory and effectively bypasses the authentication mechanic. Kon-Boot supports both Linux and Windows operating systems, allow for root access on both OS’es in seconds and also privilege escalation scenarios on Windows. Kon-boot is a very nice piece of software so much so that a commercial version is available and comes in usb, floppy, cdrom based installations. It also supports VMware virtual machines.

Kon-Boot logo

OK so i may sound like an advertisement for Kon-Boot, but I’m not it’s just a really cool tool that all admins and techs should have in their tool kits. I purchased the commercial version and tested out privileged escalation in a Windows domain lab environment. You can actually impersonate users that have logged on to the system previously. This hack is really a bypass as you require physical access to the workstation and i feel it could be stopped if cached credentials are disabled on the domain.

Kon-Boot’s main purpose is to get you back into a Windows or Linux machine that you forget your password on. It does this in a neat way without the need for any injection or modification of the Operating System.

Windows tools for your 802.11 wireless arsenal

nikon — Tue, 10 Jan 2012 15:51:27 +0000

Just a quick post to share some sweet wireless tools that Ive been meaning to blog about.

Connectify is a windows 7 based wireless extensions application that makes use of the unfinished windows 7 virtual WI-FI API to allow you to turn any WI-FI adapter in windows 7 into a fully fledged access point. This is really cool for net-books and laptops as you can “tether” your mobile devices and share your current internet connection

The other tool I’d like to mention is inSSIDer, a windows based 802.11 wireless diagnostics application. Its similar to net-stumbler but it works Windows Vista, 7 and 64bit. Oh and its troubleshooting features for finding signal problems, channel interference and the likes is really good since the app is free.

Wi-Fi Protected setup cracked

nikon — Mon, 09 Jan 2012 14:39:56 +0000

A week ago Stefan a researcher from .braindump blog released a white paper detailing how to brute force WPS (Wi-Fi Protected Setup). Pretty much rendering WPS completely broken. The really scary part is with a recovered WPS pin, the attacker can then use this to brute force the WPA / WPA2 key. The team at Tactical Network Solutions have been perfecting this. They have released a tool called ‘reaver’ which capable of recovering WPA / WPA2 keys using the WPS attack withing 4 to 10 hours.

The main issue with the WPS pin strucutre, is that EAP responses are broken into two halfs allowing an attacker to derive correctness from parts of the AP responses. In fact its around 11,000 attempts, which has been proven to take around 2-5 seconds to crack the WPS pin.

Time to disable WPS, if you haven’t already

Wi-Fi Protected Setup – When poor design meets poor implementation

TNS – Reaver tool