Tag Archive for 'scripting'

Verizon FiOS Wireless Security Analysis

Published on February 7, 2009 in Personal and linux. 22 Comments

Take a look at some wireless keys that I’ve collected from some Verizon FiOS installs around Tampa:

00-18-01-EA-3D-99,E3X12,6,WEP,1801349FCA
00-18-01-F0-6D-C4,NAMX2,1,WEP,18014B311F
00-18-01-F0-95-78,MWXV2,11,WEP,180149FF66
00-18-01-FD-4F-0E,R0LC7,1,WEP,1801BC5C6B
00-18-01-FE-15-46,JE2K7,1,WEP,1801C1B02B
00-18-01-FF-DF-DD,HH150,1,WEP,1F900396C5
00-1F-90-E0-B1-F8,3RA18,6,WEP,1801CDF4AF
00-1F-90-E0-B5-AC,OQ838,6,WEP,1801CF5700
00-1F-90-E2-7E-61,7WY20,6,WEP,1F90021D27
00-1F-90-E3-1E-90,C7WA0,6,WEP,1F9007C188
00-1F-90-E3-2E-07,DJP80,6,WEP,1F90063349
00-1F-90-E6-A7-D5,BJ2Z0,11,WEP,1F9018F797
00-1F-90-E6-D4-E3,RSHZ0,4,WEP,1F901944DB

What you are looking at here is MAC, SSID, Channel, Encryption, Key.

Notice that they are all WEP, 64bit, with 5 Alpha numeric SSID’s.

I want to emphasize that these are the defaults, and only geeks, nerds and the like change the defaults. :)

Here is a typical type of router (actiontec) that does this:

Take a real close look at two of the examples:

00-18-01-FE-15-46,JE2K7,1,WEP,1801C1B02B
00-1F-90-E2-7E-61,7WY20,6,WEP,1F90021D27

Notice the relationship the MAC and the key have. Let me split up the bytes for you:

00:18:01:FE:15:46   -  18:01:C1:B0:2B

Verizon, or Actiontec, or someone is setting the first byte of the 40bit key to the second byte of the MAC of the unit. And then they are setting the second byte of the key to the third byte of the MAC!

You can look on the list, and this is mostly the case, there is some overlap on the OIDs. (sometimess it is 1801, sometimes 1f90) Why is this useful? Well if you know it is a FiOS install, you have already decreased your “64bit” key to a real “40bit” key, and you already know 16 bits of it, so you only have to crack 24 bits. This is insane. This is like guessing 3 letters.

The way to use this is with the Aircrack-ng program. Capture some packets, and use the -d option to tell it what the key starts with.

aircrack-ng -d 1801 stupid-fios.cap

You will get the key in No time! Silly Verizon, you didn’t think we would notice you weren’t using constructed (not random) keys?

Have FiOS yourself? Want to share your MAC and default key in the comments? :)

Custom Arp Alerts II!

Published on August 21, 2008 in linux and sago. Comment

So I’ve found a better way to do what I did in the previous post. Instead of running a separate script to parse the arp alert logs, I have arp alert itself send the alerts! The key is this line in the arpalert.conf

action on detect = “/etc/scripts/arp-alert”

Its so simple, it just runs that script sending the information about the alert as certain arguments. With this I have more control over the formatting of arpalert messages:

In order to do this, I had to write that script, and make it executable of course. Also I had to change the running user of arpalert to root, because the “arpalert” user didn’t have permission to notify my user “kyle”. This is a much more clean solution, allowing me to make different types of alerts look different, having different timeouts and such. If you want my /etc/scripts/arp-alert you can download what I have so far here.

Custom Arp-Alerts

Published on August 20, 2008 in linux and sago. Comment

So I was looking around, and I wanted some sort of tool to allow me to be more aware about what was happening in the lower “bowels” of the network that I’m on with my laptop. So what is it that I want…

What I really want is some sort of mac-address based buddy list. One that would show my a list of the mac addresses talking on my network, and allow me to alias them. That would be cool.

I couldn’t find such program, but I found something kinda close, its called arpalert. If you are using ubuntu you can simply run “apt-get install arpalert” (I love ubuntu!)

kyle@kyle-laptop:~$ apt-cache search arpalert
arpalert – Monitor ARP changes in ethernet networks

You should edit the config file to your liking, but the main thing is the log file in /var/log/arpalert.log. I have it logging every interesting arp thing, because I find them interesting! You need to read up on it if you want to fully understand arpalert: http://www.arpalert.org/

So that is the first part. The second part is the piece that notifies you of something suspicious. Who wants to tail a log file all the time? For this I use something called “notify-send”. Try running it. If you don’t have it and you are running Ubuntu it will tell you that its part of the ”

So I was looking around, and I wanted some sort of tool to allow me to be more aware about what was happening in the lower “bowels” of the network that I’m on with my laptop. So what is it that I want…

What I really want is some sort of mac-address based buddy list. One that would show my a list of the mac addresses talking on my network, and allow me to alias them. That would be cool.

I couldn’t find such program, but I found something kinda close, its called arpalert. If you are using ubuntu you can simply run “apt-get install arpalert” (I love ubuntu!)

kyle@kyle-laptop:~$ apt-cache search arpalert
arpalert – Monitor ARP changes in ethernet networks

You should edit the config file to your liking, but the main thing is the log file in /var/log/arpalert.log. I have it logging every interesting arp thing, because I find them interesting! You need to read up on it if you want to fully understand arpalert: http://www.arpalert.org/

So that is the first part. The second part is the piece that notifies you of something suspicious. Who wants to tail a log file all the time? For this I use something called “notify-send”. Try running it. If you don’t have it and you are running Ubuntu it will tell you that its part of the “libnotify-bin” package. So you will need to run:

$ sudo apt-get install libnotify-bin

Try it! run “notify test”. A popup should show up! Simple! Now, we need a small program to put the pieces together and glue it. I want my popup when odd things happen. Here is the glue I wrote, modify at will:

tail -n 0  -F /var/log/arpalert.log | awk -W interactive ‘{print $8, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12}’ |
while read heading message
do  notify-send -t 3000 — “Arp Alert” “${heading} ${message}”
done

I don’t think I’m done with it yet. (I want to make it give different time outs for different types of messages, and I want it to change the heading to something dynamic instead of the Arp Alert, but yea) So put that in a .sh and run it! Nothing may pop up! Try putting something new on the network and seeing if something shows up in the log. Its pretty easy to troubleshoot and modify to your liking.

DNS Cache Poisoning

Published on July 31, 2008 in linux and sago. Comments

Recently a DNS expert found a flaw in the way that DNS servers talk to other DNS servers to get records that allows interested parties (hackers) to insert their own records. If you need a primer: the Wikipedia link.

Well… a DNS flaw is no fun without a tool to use it. So this guy “HD Moore” wrote a program (script) that takes advantage of this and makes it relatively easy for someone to use something called Metasploit to tinker with it. Cool!

Turns out that it works, and people are fixing their DNS servers so that this can’t happen. (I fixed mine as soon as the fix was out.) But not everyone can fix their own, often they are at the mercy of their ISP’s. (Have you ever called up your ISP’s help desk and told them they need to upgrade their DNS servers to protect them against cache poisoning? Heheheh.. right)

So one day, Mr. Moore goes to google.com on his computer at work, and guess what, its not the real google.com…

The news article

Well played sir. Well played.