AOH :: ISN-3196.HTM

Wi-Fi Exploits Coming to Metasploit

Wi-Fi Exploits Coming to Metasploit
Wi-Fi Exploits Coming to Metasploit,1895,2040914,00.asp 

By Ryan Naraine
October 26, 2006

The Metasploit Project plans to add 802.11 (Wi-Fi) exploits to a new 
version of its point-and-click attack tool, a move that simplifies the 
way wireless drivers and devices are exploited.

The controversial open-source project, created and maintained by HD 
Moore, of Austin, Texas, has added a new exploit class that allows 
modules to send raw 802.11 frames at one of the most vulnerable parts of 
the operating system.

In recent months, there has been an increase in public awareness around 
the severity of wireless driver flaws. At the August 2006 Black Hat 
Briefings in Las Vegas, researchers David Maynor and Jon "Johnny Cache" 
Ellch showed off a new technique for breaking into computers via Wi-Fi 
driver vulnerabilities on Windows and Mac systems.

The Black Hat demo pushed several vendorsIntel, Apple and Toshibato 
release patches and prompted Microsoft to invite Ellch to its internal 
BlueHat security conference to explain the risks to Redmond executives 
and employees.

According to Moore, Metasploit 3 will integrate kernel-mode payloads to 
allow users to use existing user-mode payloads for both kernel and 
non-kernel exploits.

Because the framework provides an easy-to-use interface for connecting 
vulnerabilities to actual payloads, this Metasploit gives users an 
avenue to target the most sensitive part of the operating system.

Moore told eWEEK he is collaborating with Ellch on an actual 802.11 
exploit. The plan is to use Ellch's LORCON (Loss of Radio Connectivity) 
hacking tool to send exploits at Wi-Fi bugs that are haunting widely 
used devices and computers.

"Right now, this only supports the Linux platform, but we are planning 
for Windows support very soon," Moore explained.

Moore shrugged off criticisms that Metasploit gives black hat hackers 
all the tools needed to launch attacks, insisting that the target market 
can be broken into three categories.

"[This is for] penetration testers and network administrators that want 
to demonstrate the impact of an unpatched wireless vulnerability," he 

Moore said security researchers looking for an easy way to investigate 
wireless device and driver vulnerabilities can also find value in the 
code, which can also be used to develop "fuzzers" for discovering new 

Fuzzers, or fuzz testers, are used to pinpoint security vulnerabilities 
by sending random input to an application. If the program contains a 
vulnerability that leads to an exception, crash or server error, 
researchers can parse the results of the test to pinpoint the cause of 
the crash.

Moore, who works as director of security research at BreakingPoint 
Systems, in Austin, Texas, said security solution developers can also 
use the new Metasploit capabilities to perform QA (quality assurance) 
tests on their products.

"Depending on my available free time, we should have some working and 
useful demonstrations of this within a week," he said.

"We're close to completing work on injecting code into the Windows 
kernel in a way that causes it to run a standard Metasploit payload 
without crashing the target system," he explained.

"We need at least one solid example of a wireless driver exploit that 
can be used to demonstrate the system," he added.

This is where Ellch's expertise comes in.

"[Johnny] has a number of these that would work, but one in particular 
is both reliable and easy to demonstrate. He demonstrated [it] at the 
Microsoft BlueHat conference and we're waiting for his ho-head before 
adding the exploit code to the public source repository," Moore said.

Ellch confirmed his code was being used in the Metasploit refresh, but 
declined an eWEEK request to comment on the extent of his involvement.

Widely regarded as an authority on wireless security issues, Ellch 
believes the 802.11 link-layer wireless protocol is an "overly 
complicated" protocol that has not been implemented securely by many 

However, during his recent trip to Microsoft's Redmond campus for 
BlueHat, he sad he was happy to see the software vendor paying serious 
attention to Wi-Fi bugs.

"They have already re-implemented many tools similar to my own and are 
actively finding bugs in other vendors' device drivers that they don't 
necessarily have access to the code for. I can't imagine a more serious 
response," Ellch said in an interview with eWEEK.

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2015 CodeGods