From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security


  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 148 - April 9, 2009

  • Training event in Southern N. E.! SANS@Home/Community - SEC517 Cutting-Edge Hacking Techniques - May 11 & 13th 7-10PM use the discount code "PaulDotCom" for a 10% savings - Click here to register now!
  • April 30th - PaulDotCom Security Weekly Special Edition - Episode 150 - We start recording/streaming at 12PM EDT and don't stop until midnight! Call lines will be open! Beer will be spilled and IRC members will be denigrated! Everyone should tune in and participate in the big event!

Episode Media


Special Guest: T. Robert Wyatt

With us is T.Rob Wyatt, a Senior Managing Consultant working within the IBM Software Services for WebSphere (ISSW) team. T.Rob will be speaking about WebSphere MQ (WMQ), a commercial messaging product by IBM. WMQ provides a universal messaging backbone for SOA connectivity on distributed platforms to connect commercial IT systems.

Store and Forward Messages - T.Rob's Blog

Getting Started with WMQ links

Tech Segment: Simultaneous Sniffing of Multiple 802.11b Channels with Kismet [Larry]

Ahhh, Kismet, a wireless tool that we all know and love. Kismet does all that lovely network information gathering (amongst other things) by passively sniffing the air waiting for things to happen. As we know, 802.11b networks are made up of 11 channels here in the US (and up to 14 channels in other countries). So, how exactly does Kismet find stuff on all 11 channels at the same time? I thought that the 802.11b wireless cards could only tune in to one channel at a time you ask? Yes, you are right! Kismet (and other wireless tools) get around this by "channel hopping". Channel hopping, or switching channels, is when a wireless card and driver only tune into a channel for a predetermined amount of time, then hop to the next. It will continue to do this until it cycles through through all 11 channels.

The problem with channel hopping is similar to when you watch TV. You tune in to Lost on channel 6, but want to see the ballgame on channel 11. So, you tune in to channel 11 to get the score of ballgame (Red Sox btw), but guess what you are missing on channel 6? Lost. This is not good! This is also the same thing that happens during channel hopping; when you dwell on a single channel, you miss what is happening on the other 10 (or 13) channels. We need to find a way to avoid channel hopping. But Larry, each radio can only tune in to 1 channel at a time, how do we get around that? Well grasshopper, we implement 11 separate radios and fix each one to it's own channel. We can configure Kismet to make this happen. The inspiration here is the Janus project, but for my needs this was too expensive, not completely portable, and required dedicated hardware.

I've chosen to do so with 11 D-Link DWL-G122 USB wireless adapters based on the Realtek 2500 chipset. Sure, I don't have 11 USB ports on my laptop, so I've used a few cascaded USB hubs to attach them. This cascading provides the added benefit of placing the antenna away from each other in order to prevent attenuation and other issues associated with having the radios to close to each other. I probably could have used fewer hubs as the ports were to close together for the cards wireless cards. The addition of some USB extender cables could also resolve this problem.

A note about USB power requirements: This configuration with extra hubs and 11 wireless adapters does cause an issue with power availability on the USB bus. I am overloading it, but fortunately not all laptops are created equal. This setup was able to get enough power on my Dell XPS generations 1 and 2, and on my older Macbook Pro. On my EEE 1000 however, I couldn't support more than 9 wireless adapters and 5 hubs. Adding more than that caused the wireless adapters to come up for Kismet, draw too much power and then shut down. When the adapter shut down, kismet sees them as no longer available capture sources and exits. DOH So here's how to make it work:

Edit your kismet.conf to include all of your wireless cards as follows:


We'll note that there are 11 lines with the source of rt2500 (the D-Link chipset), a wireless interface (as determined by linux), and a unique name. I like to give a short unique name, base on what they are (in this case channel number). You'll also note that I have several extra sources defined as well; I define each card as I use it, leave it there and enable it with the enablesources directive as shown below. Each source we want to enable is defined in the kismet.conf as a comma separated list of the unique names:


Another option is to specify which sources we want to enable on the command line when we start Kismet with the -C flag. This will override the kismet.conf settings:

sudo kismet -C ch1,ch2,ch3,ch4,ch5,ch6,ch7,ch8,ch9,ch10,ch11

See why I like those short logical names? We also need to configure kismet.conf to assign a channel to each adapter. If we don't, each card will channel hop, so we can use the sourcechannel directive to fix each card to a channel. The sourcechannel directive (for this purpose) takes colon separated arguments, the unique capture source name and the channel:


The above example sets each uniquely named source to a separate channel. Yet another reason for descriptive names: source ch1 listens on channel 1. While we are editing our kismet.conf we should disable channel hopping. We use the channelhop directive for this:


I like to leave channel hopping enabled by default, that way when I use a single card, or a different card they automatically hop. We can still set channel hopping to disabled with the -X flag from the command line:

sudo kismet -X -C ch1,ch2,ch3,ch4,ch5,ch6,ch7,ch8,ch9,ch10,ch11

Save your kismet.conf and start Kismet! You'll now be listening on all 11 802.11b channels.

But wait, there's more!

Larry, didn't you say that in some countries there were additional channels, up to 14? So what happened to channels 12, 13 and 14? Most drivers and or firmware for wireless adapters sold in the US don't allow us to have access to the upper, restricted channels to keep up safe from ourselves and from breaking the law. However, I've found an inexpensive alternative in the Linksys WRT54GL. These units are sold worldwide and have the same chipset and driver. The extra channels are enabled by a few parameters.

Please note, broadcasting on the additional channels may be illegal in your jurisdiction. Same thing for listening. I'm not a world wide legal expert here, so use at your own risk, and check with your local laws. Don't say we didn't warn you. From this point on the black helicopters and Suburbans are your problem.

We can add the additional channels with 3 Linksys WRT54GL routers loaded with OpenWRT whiterussian. (I know, the older version. Older but stable.) Once you have OpenWRT on your devices, set unique IP addresses, installed the wl and kismet_drone packages, we can configure them as drones on channels 12, 13 and 14!

On each drone, set the country code in NVRAM to enable all 14 channels on the wireless radio:

nvram set wl0_country_code=All
nvram commit

We now need to edit the kismet.conf on each drone to specify the capture source and give it a unique name. Cycle once through each drone specifying each missing channel, incrementing by one:


We also need to specify the hosts that are allowed to connect to the drone over IP via the allowedhosts directive. The IPs may be different depending on your network configuration, but this will allow the 192.168.1 network to connect:


Before we start Kismet on the drone, we need to do a few things in order to make sure the interface is up, and we're listening appropriately (yes, you can script it):

/sbin/ifconfig eth1 up
/usr/sbin/wl ap 0
/usr/sbin/wl passive 1
/usr/sbin/wl promisc 1
/usr/sbin/wl monitor 1

We also need to set the channel for the interface manually. Kismet has issues with the sourcechannels directive on the WRT54GL:

/sbin/iwconfig eth1 channel 12

Make sure that on each drone you increment the channel number by one to cover channels 12, 13 and 14! Now we can start kismet on each drone, and we'll force channel hopping to be disabled just in case:

kismet_server -X -f /etc/kismet/kismet.conf

On our laptop with the other 11 wireless adapters, we just need to add the additional drone sources to the kismet.conf (your IPs may vary):


Then update our enabled sources in the kismet.conf, or add them to the command line enable. Now we have all 14 channels!

Stories For Discussion

  1. You can buy anything - [Larry] - While we don't talk about credit card fraud technology, I think that this is important to note. Security through obscurity, or by using something that would be difficult for a determined attacker to compromise is not a method for security. Why? If you have something of value, someone will be determined enough to get it. Eventually the security method that you used will have enough vulnerabilities pervasively available to make it insecure.
  2. XP support runs out... - [Larry] - Oh, this could get interesting. No more bug fixes in XP (security fixes, yes until 2014), unless you pay for additional support. For 63% of all internet connected computers... So, do you think that there will be some bugs that won;t be classified as security fixes that can lead to getting you owned?
  3. Who turned out the lights? - [Larry] - We're hearing reports all over the place about the "grid" being hacked, and having the ability to destroy or shut it down. The thoughts are that the attackers exploited windows boxes that control the SCADA systems. Well, duh. But of course, the installers, developers and resellers of these systems are all security pros when it comes to windows, right? They don't need to be,because every one of these systems will be installed in an air-gapped network, right? Here's more...
  4. Remember porn dialers? - [Larry] - They are making a resurgence. On mobile phones. While this case isn't completely illegal as it has an EULA, it makes no mention of it dialing premium rate international numbers. Ouch.
  5. Hunting the Ghost - [Larry] - An interesting look into information gathering and reconnaissance for some folks hunting down the GhostNet hacker. This must have taken some time, but this is some great info for gathering information during recon phases.
  6. Practice Makes Perfect - [PaulDotCom] - Irongeek has put together a vulnerable web application called "mutillidae". I like the goals too, implement the OWASP top 10 vulnerabilities (some would say features?) in a PHP web app. This is great practice to test and experiment with all of the web app testing tools, free, open source, or commercial.
  7. Wireshark 1.0.7 Released - [PaulDotCom] - Don't get me wrong, I think Wireshark is really cool and even "neato". Its had some problems with the protocol dissectors, well okay they are pretty much swiss cheese when it comes to vulnerabiliies. This makes me worried, and even more worries when people use Live CD distros with old versions of Wireshark. It think its cool they will have an OS X version too, and I like the features, such as 802.11 header information, filtering, and VoIP playback. However, I'm a big fan of tcpdump, use it all the time. You can write filtersand do neat stuff with it. I took the SANS GCIA back when it was taught by Stephen/Judy/Marty, and since then I have been in love with tcpdump. You too should take the same class with the equally as exception instructor Mike Poor, and become one with your packet/command line foo. I have to say that throughout my career, I make almost daily usage of these skills, no GUI required.
  8. Nessus Version 4 Released - [PaulDotCom] - I've been playing with this for a while now, and its totally awesome. Much faster (multi-threading, same engine on all platforms, 64-bit support), and the new reporting engine rocks. XSLT is really powerful and I've already begun to customize reports. Use the power of filters and XSLT stylesheets!
  9. No More Fre Bugs - [PaulDotCom] - Holy disclosure debate batman! So here's the thing, should independent researchers just give vulnerabilities and exploits back to vendors? I mean on one hand, they spend time and resources finding, exploiting, and reporting bugs back to the vendor. What if they stopped? Would the vendors care or would they be happy that no one is reporting all these bugs? Should all the vendors pay into a large pot o money, controlled by CERT, that pays researchers for bugs? Is that like communism? I can see both sides of this and I think the partthat bothers me the most is that some vendors don't seem to care about their own vulnerabilities! Why don't vendors hire these really smart people to find holes in their products? Well, certainly economics come into play, and there is not enought ROI, so now we're right back where we started. Like Charles Miller says, so how can we break the cycle?
  10. All You Need Is FTP Account Credentials - [PaulDotCom] - Paul Mcartney's web site got hacked. How's they do it? They stole FTP credentials, logged into the site, and added some Javascript to infect visitors. Sexy eh? This is a battle I am familiar with. You can havethe most security web site in the world, written in VI even, with just straight HTML. However, its only as secure as the web developer's credentials. For example, if the web admin logs in from home over FTP, could be game over if their machine is infected by a bot, or there is another bot nearby with the ability to sniff that traffic, or someone gained access to network gear and sniffed traffic. You should be using SSH, with private/public key trusts, protected with pasphrases. That STILL doesn't help the compromised admin/developer workstation, so in the end we come back to user education, policy, and the "softer" side of information security, which ironically, is a lot harder to implement.
  11. Public Cell Phones Are "Dirty" - [PaulDotCom - I love how they did not harden the phone and left their username and password accessible.

Other Stories for Discussion

  1. How to leverage one social site to trick users on another - [MikeP] - A step by step guide on assuming other folks identities.
  2. Cyberspies Penetrate U.S. Power Grid, Leave Software That Could Disrupt System - [RandallK] - Fox News reports that cyberspies have penetrated the U.S. power grid and left behind software to later cause disruption in the system.
  3. Cool Segway - [PaulDotCom] - I just thought this was neat!
  4. Break In Case Of Zombies - [PaulDotCom] - Too funny!