Wi-Fi Exploits Coming to Metasploit

bucksDrop writes "Eweek.com is reporting that the Metasploit Project will add 802.11 (Wi-Fi) exploits to a new version of its point-and-click attack tool. Metasploit 3 will integrate kernel-mode payloads to allow users to use existing user-mode payloads for both kernel and non-kernel exploits. Metasploit is collaborating with Jon 'Johnny Cache' Ellch and implementing it by wrapping the LORCON library."

Thanks Guys

[99BottlesOfBeerInMyF]

No really, I appreciate all the work that goes into putting this together. I'm sure privately distributed cracking tools already have some of this functionality. Maybe this will get OS vendors to pay a little more attention to wireless security. Wireless is not likely to be widely exploited mechanism for a worm, but it is still something that needs more attention.

This begs the question...

[mohjlir]

Why don't hardware vendors simply release the source to their drivers so problems like this can be squashed quickly? Of course, there is no guarantee that the white hats will find problems before the black hats do, but it exposes flaws more eyeballs.

Re:You must be a perscriber

[Dhalka226]

Language is how the majority use it, not how scholars define it.

So I guess "loose" and "lose" are now synonymous..

I just really don't agree. I'm not the kind who generally goes off on people for misusing words as long as I can understand what they're trying to say, but at the same time, words have meanings. The fact that people have no idea how to properly use those words should not change what the words mean. It should just make us exceptionally sad at the state of affairs our communications skills are in.

Incidentally, this is coming from somebody who misused the phrase "begs the question" dozens of times in his life. The difference being, when it was pointed out to me (I forget if somebody said something or I just came across the correct usage one day), I actually made a mental note of it and I have used it properly since then. It wasn't hard. Neither, as my little joke intimated, is using "lose" and "loose" properly. It just takes a little conscious effort at first, and then it will become second nature.

Personally I think we should be getting people to do that rather than pandering to them and altering the meaning of words and phrases once we reach some ignorance threshold.

Re:

[foamrotreturns]

I am very much in agreement. If the masses are allowed to dictate whatever meaning they choose for words or phrases they hear, they will slowly erode the vast variety of meanings that can be conveyed through speech and writing. If I said "That begs the question" 75 years ago, most people would realize that I was calling out the speaker for using a circular argument. Saying "That begs the question" today evokes responses like "What question?" The meaning is nearly lost. We have hundreds of thousands of simpl

Re:

[udderly]

That depends on what your definition of "is" is. Heh...just kidding.

Re:

[trewornan]

If the masses are allowed to dictate whatever meaning they choose for words or phrases they hear, they will slowly erode the vast variety of meanings that can be conveyed through speech and writing

It's not a matter of choice. Languages change over time - they always have and always will. You can argue that this is a bad thing, and you might even be right - but I guarantee you can't stop it.

If you don't like it - tough! Suck it up and stop whining.

Re:

[AbRASiON]

Anyways, I could care less about you're opinion your retarted!
p.s did you get them legos for cheap?

(Oh thank god FF2.0 marks "legos" as a spelling mistake and incase you missed it, I thoroughly agree with your post)

Re:

[SparcPlug]

...rather than pandering to them...

Based on your reasoning, you never should have come to use the word pandering in this manner.
The origins of pandering:

The plot function of Pandarus in Chaucer's and especially Shakespeare's famous works has given rise to the English words to pander, meaning to further other people's illicit amours, and a pander (in later usage a panderer), a person who does this. The strong pejorative connotations of pander apparently come less from Chaucer's well-meaning young Pandar

Re:

[onkelonkel]

This is how enormity got to mean "something really big" instead of "a crime beyond all moral boundaries".

Language defined by misuse. Usually done by lackwits in a misguided attempt to sound sophisticated, but ironically it demonstrates instead only their lack of language skills.

These things grate like fingernails on the chalkboard of my soul. Mostly they make me very sad.

Re:This begs the question...

[99BottlesOfBeerInMyF]

Why don't hardware vendors simply release the source to their drivers so problems like this can be squashed quickly?

Some of them probably will, but a lot of hardware vendors are reflexively secretive. Others, use the drivers to work around bugs in their products or are embarrassed of the shoddy quality of their code. I'd love the believe that the industry will start to demand open source drivers, but realistically, it is more likely that the OS developer community will have to account for untrusted hardware drivers by seriously re-architecting the way the kernel interacts with drivers.

Re:

[scoot80]

Why would any hardware vondor release open source drivers? So that the competition can look at them? I remember someone commenting at another thread asking that firmware for hardware be open sourced too. Hardware vendors might as well then just put all their designs up on display, pack up their stuff and go home.

Re:

[99BottlesOfBeerInMyF]

Why would any hardware vondor[sic] release open source drivers? So that the competition can look at them?

Why would IBM contribute to an open source OS? So the competition can look at it? IBM is not in the business of selling OS's and by contributing to open source they get both other companies and the open source community to share the labor costs and make a better solution for both IBM and others. Likewise, hardware vendors are not in the business of selling drivers and those drivers could benefit signi

Re:

[ehrichweiss]

I don't know why others might not release their drivers' source but I know that Broadcomm apparently can't do it for at least some of their wireless cards because they apparently can be tuned into some military-only frequencies and needless to say that's not a good thing.

Re:

[Fred_A]

More generally speaking, with a number of chipsets, you can change a number of parameters through software, notably emission power, sometimes frequency way outside of the extent of what is allowed for WiFi use (as per radio band use regulations).
This is the main reason put forward by the makers for not releasing completely open drivers. If they did their gear couldn't be certified.

Re:

[cdrguru]

The number one reason this isn't done is the difference between the hardware manufactured by the driver author and the hardware manufactured by slave labor in China is the driver. Period. The chips are nearly a commodity now. There isn't anything unique about that - it is how they are used in the software.

15-20 years ago, it is was the design of the hardware that was where the value was. Today, it is mostly the software running the hardware.

An open driver just means that they are giving away whatever va

Re:

[solevita]

The tools required for wireless worms have been available to Windows users for some time now, if you know where to look:

Wireless Weapons of Mass Destruction [netstumbler.org]

Re:

[cmdrbuzz]

Ummm, you realize that Slashcode adds a [nofollow] attribute to your HREF URLs so your comment spamming won't affect anything much.

Except make you look a little silly.

Math problem

[Anonymous Coward]

W=10.1
F=9.8
i=2673.7

What is Wi-Fi?

Re:

[richdun]

0.3i

Re:

[Anonymous Coward]

Everyone do this and pass it to your friends or you will have bad luck.

Re:Math problem

[dr.badass]

i=2673.7

With Metasploit you can make i = 4456.66

Re:

[Daxster]

Off-topic, but i = current in amperes for [electrical] engineers. So j is used. 'Course, doesn't help that i, j, and k are unit vectors..

Re:Math problem

[Grym]

My God! That'd be like 9/11 times 4.8921! We can't allow this to happen!

-Grym

Re:

[Anonymous Coward]

For those too lazy to work it out...

Wi-Fi = i(W-F) = 3673.7 ( 0.3) = 802.11

Re:

[Afecks]

Wi-Fi = 802.11 ahhh I see the joke now... humor, how quaint

So.....

[robpoe]

Do I wrap my laptop in tinfoil yet, or not?

I'm sure...

[AdmiralWeirdbeard]

...that I speak for a lot of people, based on the low response to this particular gem of posting, when i say:
*blinkblink*
WTF, mate?

Script Kiddies tools for a wide open network

[Gopal.V]

I've played around with metasploit in the past, especially their VNC payloads. The tool seems to have a high likelihood of abuse, compared to a lot of the other security tools (starting from nmap,nessus and all). Except for a couple of courtesy terminals, the tool basically gets you in and gives you a general feeling of being in control.

Canned scripts hardly ever teach you anything, especially when they work out of the box. Making them writing your own exploits is the easiest way to get a script kiddie

So where is the code? Right here.

[spinja]

Install the latest Lorcon snapshot:
$ http://www.802.11mercenary.net/lorcon/ [11mercenary.net]

Grab the latest version of metasploit 3:
$ svn co http://metasploit.com/svn/framework3/trunk/ [metasploit.com]

Compile the Metasploit Lorcon wrapper:
$ cd trunk/external/msflorcon
$ make

Plug in a support network card (I use a WPN511 with the madwifi-old driver in Gentoo)

Load the Metasploit Console (as root, since it needs raw WiFi access)
# trunk/msfconsole

Play with some of the demo modules :-)

This is an example of sending fake beacon requests to flood the Windows Wireless Network Browser:
msf > use auxiliary/dos/wireless/fakeap
msf auxiliary(fakeap) > show options

Module options:

      CHANNEL 11 yes The default channel number
      DRIVER madwifi yes The name of the wireless driver for lorcon
      INTERFACE ath0 yes The name of the wireless interface

Type the "run" command, or use "set VARIABLE VALUE" to change these options.

msf auxiliary(fakeap) >run

Re:

[towsonu2003]

sounds to me like it needs a GUI ;)

Re:

[slack_prad]

As a matter of fact, it does: a web console (but it is not that stable)

At least now we can know...

[Cid Highwind]

Hopefully now that the code is out there, someone independent (not Ellch and not a Mac blogger) will test this exploit on an out-of-the-box MacBook, and see if the hole lives up to the hype.

This explains my recent Trojan infection

[mhackarbie]

I recently removed a nasty trojan (a member of the 'Wareout' family) from my laptop, with the aid of the free Sophos Anti-Rootkit [sophos.com] and fantastic free technical support from the great folks at the spybot forums [spybot.info]. My best guess was that I got the infection when I logged into a free wifi connection at a local cafe. I saw a brief message from my antivirus software that a trojan had been detected, but afterwards, it reported nothing. After reading the eweek article, I learned that my Intel Pro/Wireless driver had

How is this a good thing?

[AaronLawrence]

Proof of concept exploits, are one thing, arguably useful. But helpfully integrating them into a tool script kiddies can use is just wrong. This is the kind of thing that makes computer security an ongoing nightmare.

Re:

[azemute]

Because acceptance of the fact that there *is* a problem is the first step on the road to solving that problem. A whole mob of scriptkiddies get their hands on this, and someone is bound to take notice. Maybe not now, but in the near future. Until that happens, and it gets some spotlight coverage, no one is going to even recognize wireless as a security threat.

Just pretending that the problem doesn't exist, doesn't make the problem go away.