By Ryan Naraine
October 26, 2006
The Metasploit Project plans to add 802.11 (Wi-Fi) exploits to a new
version of its point-and-click attack tool, a move that simplifies the
way wireless drivers and devices are exploited.
The controversial open-source project, created and maintained by HD
Moore, of Austin, Texas, has added a new exploit class that allows
modules to send raw 802.11 frames at one of the most vulnerable parts of
the operating system.
In recent months, there has been an increase in public awareness around
the severity of wireless driver flaws. At the August 2006 Black Hat
Briefings in Las Vegas, researchers David Maynor and Jon "Johnny Cache"
Ellch showed off a new technique for breaking into computers via Wi-Fi
driver vulnerabilities on Windows and Mac systems.
The Black Hat demo pushed several vendors, including Intel, Apple and
Toshiba, to release patches and prompted Microsoft to invite Ellch to its
internal BlueHat security conference to explain the risks to Redmond
executives.
According to Moore, Metasploit 3 will integrate kernel-mode payloads to
allow users to use existing user-mode payloads for both kernel and
Because the framework provides an easy-to-use interface for connecting
vulnerabilities to actual payloads, this version of Metasploit gives
users an avenue to target the most sensitive part of the operating
system.
Moore told eWEEK he is collaborating with Ellch on an actual 802.11
exploit. The plan is to use Ellch's LORCON (Loss of Radio Connectivity)
hacking tool to send exploits at Wi-Fi bugs that are haunting widely
used devices and computers.
"Right now, this only supports the Linux platform, but we are planning
for Windows support very soon," Moore explained.
Moore shrugged off criticisms that Metasploit gives black hat hackers
all the tools needed to launch attacks, insisting that the target market
can be broken into three categories.
"[This is for] penetration testers and network administrators that want
to demonstrate the impact of an unpatched wireless vulnerability," he
Moore said security researchers looking for an easy way to investigate
wireless device and driver vulnerabilities can also find value in the
code, which can be used to develop "fuzzers" for discovering new
Fuzzers, or fuzz testers, are used to pinpoint security vulnerabilities
by sending random input to an application. If the program contains a
vulnerability that leads to an exception, crash or server error,
researchers can parse the results of the test to pinpoint the cause of
Moore, who works as director of security research at BreakingPoint
Systems, in Austin, Texas, said security solution developers can also
use the new Metasploit capabilities to perform QA (quality assurance)
tests on their products.
"Depending on my available free time, we should have some working and
useful demonstrations of this within a week," he said.
"We're close to completing work on injecting code into the Windows
kernel in a way that causes it to run a standard Metasploit payload
without crashing the target system," he explained.
"We need at least one solid example of a wireless driver exploit that
can be used to demonstrate the system," he added.
This is where Ellch's expertise comes in.
"[Johnny] has a number of these that would work, but one in particular
is both reliable and easy to demonstrate. He demonstrated [it] at the
Microsoft BlueHat conference and we're waiting for his go-ahead before
adding the exploit code to the public source repository," Moore said.
Ellch confirmed his code was being used in the Metasploit refresh, but
declined an eWEEK request to comment on the extent of his involvement.
Widely regarded as an authority on wireless security issues, Ellch
believes the 802.11 link-layer wireless protocol is an "overly
complicated" protocol that has not been implemented securely by many
However, during his recent trip to Microsoft's Redmond campus for
BlueHat, he said he was happy to see the software vendor paying serious
attention to Wi-Fi bugs.
"They have already re-implemented many tools similar to my own and are
actively finding bugs in other vendors' device drivers that they don't
necessarily have access to the code for. I can't imagine a more serious
response," Ellch said in an interview with eWEEK.