November 24th, 2014

Hash Tables 2

As previously discussed, wicrawl uses a custom hash table to keep track of who we hear talking on the radio while we’re sniffing. 
In the 802.11 spec, every radio transmitter on the medium has a 48-bit EUI-48 (MAC) address which it puts in each frame it sends.  When we see one of those, we run the Jenkins hash over the 6 bytes of hardware address to squash it down to a 32-bit value: wicrawl usually runs on 32-bit computers, and a 32-bit number is the natural word size there, so it is a lot faster to compare and index with than a 48-bit one.

The key to the hash table is that we use modulo arithmetic to turn the result of the hash function into a table index.  Remember how to do division?  With whole numbers, the result of a division has two parts: the quotient and the remainder.  With modulo arithmetic, we throw away the quotient and keep the remainder, which is always smaller than the divisor and so always lands inside the table.  Here’s how this works in the discovery engine: let’s say that we have a hash table size of 8.  If the hash of some MAC address is 17, we divide 17 / 8 = 2 remainder 1.  Since we throw away the quotient, we use only the remainder, 1, to index the table.  If the table size is a power of two (8 is, and doubling keeps it that way), the remainder is just the low bits of the hash (17 & 7 = 1), so the “division” costs a single AND.

This is great, because we don’t have to search the whole table to find the entry for our MAC address.  No matter how big the table gets, it takes the same number of steps to figure out which index our data is at: on average the lookup is constant-time, independent of how many entries the table holds.

Now, there is the possibility that two MAC addresses will land on the same index (either because the hashes are equal or because they differ only in bits the modulo throws away), and we call this a collision.  In the discovery engine, we deal with this by hanging a linked list of database entries off of each hash table bucket, and a lookup walks that list comparing the full MAC address.  With the default hash table settings, you can scan up to about a thousand APs before these linked lists grow beyond a few entries on average.  If people start reporting they’re doing that kind of thing, we can implement the next level of scalability: doubling the size of the hash table.  This is a time-consuming operation because every entry has to be re-inserted into the new table, which can stall the discovery engine for several milliseconds.  Although this doesn’t sound like much, remember that wardrivers sometimes have only a second or two of bidirectional connectivity to the APs they’re scanning, and any stall costs them the chance to crawl the APs they see.

The solution is to grow the hash table in the background: allocate the new, larger table alongside the old one, re-insert the existing entries into it as a background job, and add any new entries to both tables as they come in.  When the insert queue goes empty, you do a pointer swap to make the new table the “official” table, and free the old one in the background.  The swap has to be a single atomic pointer store so that a lookup in progress never sees a half-built table.
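An added example, not wicrawl’s own code, that puts the pieces described above together: the Jenkins hash of a 6-byte MAC, modulo indexing into a power-of-two table, a linked list hanging off each bucket for collisions, and a doubling step that relinks every chain from the cached hashes instead of re-hashing.  The hash is the Jenkins one-at-a-time function rather than the kernel’s jhash mentioned below; the growth trigger (average chain length above 2), the `peer`/`peer_table` names and the sample MAC addresses are assumptions for illustration, and the rehash here is synchronous, not the background grow-and-swap the post proposes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAC_LEN 6

struct peer {                   /* one transmitter heard on the air */
    uint8_t mac[MAC_LEN];
    uint32_t hash;              /* cached so a rehash never reruns the hash */
    unsigned frames;            /* frames seen from this address */
    struct peer *next;          /* collision chain hanging off the bucket */
};

struct peer_table {
    struct peer **buckets;
    size_t size;                /* bucket count, always a power of two */
    size_t count;               /* entries stored across all chains */
};

/* Jenkins one-at-a-time hash (assumed; wicrawl uses the kernel's jhash). */
uint32_t mac_hash(const uint8_t *mac)
{
    uint32_t h = 0;
    for (int i = 0; i < MAC_LEN; i++) {
        h += mac[i]; h += h << 10; h ^= h >> 6;
    }
    h += h << 3; h ^= h >> 11; h += h << 15;
    return h;
}

/* Modulo indexing: hash % size, a plain mask when size is a power of two. */
size_t bucket_index(uint32_t hash, size_t size)
{
    return hash & (size - 1);
}

/* Constant-time bucket selection, then a walk down a (short) chain. */
struct peer *peer_lookup(const struct peer_table *t, const uint8_t *mac)
{
    uint32_t h = mac_hash(mac);
    for (struct peer *p = t->buckets[bucket_index(h, t->size)]; p; p = p->next)
        if (p->hash == h && memcmp(p->mac, mac, MAC_LEN) == 0) return p;
    return NULL;
}

/* Double the table and relink every chain from the cached hashes: no hashing
 * and no per-entry allocation, but still O(count) work done in one go. */
int peer_table_grow(struct peer_table *t)
{
    size_t nsize = t->size * 2;
    struct peer **nb = calloc(nsize, sizeof *nb);
    if (!nb) return -1;
    for (size_t i = 0; i < t->size; i++)
        for (struct peer *p = t->buckets[i], *next; p; p = next) {
            size_t j = bucket_index(p->hash, nsize);
            next = p->next; p->next = nb[j]; nb[j] = p;
        }
    free(t->buckets);
    t->buckets = nb; t->size = nsize;
    return 0;
}

/* Find or create the entry for mac; grow once the average chain exceeds 2. */
struct peer *peer_insert(struct peer_table *t, const uint8_t *mac)
{
    struct peer *p = peer_lookup(t, mac);
    if (p) { p->frames++; return p; }
    if (t->count + 1 > 2 * t->size && peer_table_grow(t) != 0) return NULL;
    if (!(p = calloc(1, sizeof *p))) return NULL;
    memcpy(p->mac, mac, MAC_LEN);
    p->hash = mac_hash(mac); p->frames = 1;
    size_t i = bucket_index(p->hash, t->size);
    p->next = t->buckets[i]; t->buckets[i] = p; t->count++;
    return p;
}

void peer_table_free(struct peer_table *t)
{
    for (size_t i = 0; i < t->size; i++)
        for (struct peer *p = t->buckets[i], *n; p; p = n) { n = p->next; free(p); }
    free(t->buckets);
    t->buckets = NULL; t->size = t->count = 0;
}

/* Self-check on 100 constructed MACs: an 8-bucket table must double three
 * times (to 64 buckets) and still find every address afterwards. */
int peer_table_selftest(void)
{
    struct peer_table t = { calloc(8, sizeof(struct peer *)), 8, 0 };
    uint8_t mac[MAC_LEN] = {0x00, 0x1b, 0x2f, 0x00, 0x00, 0x00};
    int ok = t.buckets != NULL;
    for (unsigned n = 0; n < 100 && ok; n++) {
        mac[5] = (uint8_t)n;
        ok = peer_insert(&t, mac) != NULL;
    }
    ok = ok && t.count == 100 && t.size == 64;
    for (unsigned n = 0; n < 100 && ok; n++) {
        mac[5] = (uint8_t)n;
        ok = peer_lookup(&t, mac) != NULL;
    }
    mac[5] = 7;                 /* a repeat bumps the frame count, not the entry count */
    ok = ok && peer_insert(&t, mac)->frames == 2 && t.count == 100;
    peer_table_free(&t);
    return ok;
}
```

Caching the 32-bit hash in each entry is what makes the doubling cheap per entry: the relink loop only masks the stored hash against the new size and pushes the node onto its new chain.  It is still a full walk over every entry, which is the stall the background grow-and-swap scheme above is meant to hide from the sniffer thread.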

As an aside, I grabbed the implementation we used from the Linux kernel.  There, the hash routine is used for the Linux kernel’s rather nice neighbor table facility that’s available to any network protocol that needs to keep track of peers (which is basically all of them).  Other BSD-derived stacks like NT and Solaris have the IP stack married to the Ethernet part of things, so the code to keep track of peers isn’t easily available to be used by other protocols you might want to run.  BSD zealots might say that the fully-factored approach Linux uses is slower, but the numbers don’t seem to back this up.


I guess today is “tools” day at MRL. Here is another tool I ran across recently that I think is useful. Wyd is a modular potential-password generator that can build a wordlist from multiple sources. For example, you can dump a website and use that as input, or scan a hard drive in a forensics case to find content for the list. It currently knows about a few different file types (html, .doc, .pdf, .ppt, etc.). I created a module for it that scans jpg images for EXIF data that can be used as a source. I submitted it to the maintainers, so maybe it will end up in one of the next releases.

OWASP Sprajax

Shortly after I had complained about AJAX assessment tools, I found that OWASP has also started a new project called Sprajax which aims to “assess the security of AJAX-enabled applications”. Despite having formed less than a month ago, they already have a download available. One cool thing I see is that they actually try to determine which framework the site is using in order to tune the tests accordingly. Now if they’d only port away from the .NET framework so I wouldn’t have to use VMware just to test it out (users are never happy, ;).

OWASP Pantera Web Assessment Project

This looks like a promising new project for doing web app assessments. I haven’t tried it yet, but it sounds like they’ve been working on it for a while. It’s based on SPIKE proxy which means that they at least started off from a good place, :). What I’d really like to see implemented is some infrastructure for dealing with some of the difficulties that arise from using and assessing AJAX. I haven’t seen these addressed well in even the commercial scanners that I’ve tested. There was a very good talk at Toorcon on Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0 which covered lots of problems with some of the common AJAX frameworks, and also showed that not all of them are easy to fix (or assess).

P.S. Speaking of new tools, Nessus released 3.0.4 today.

metasploit 2.7

As seen on a bunch of mailing lists, Metasploit 2.7 has been released. On a related note, maybe we’ll have to create a Metasploit plugin for wicrawl, now that Wi-Fi exploits are coming to Metasploit. It’s on the list of things to do anyway, but this definitely makes it more interesting.

The Metasploit Framework is an advanced open-source exploit development platform. The 2.7 release includes three user interfaces, 157 exploits and 76 payloads. The Framework will run on any modern operating system that has a working Perl interpreter. The Windows installer includes a slimmed-down version of the Cygwin environment.

Windows users are encouraged to update as soon as possible. A number of improvements were made that should make the Windows experience a little less painful and a lot more reliable. All updates to 2.6 have been rolled into 2.7, along with some new exploits and minor features.

This release is available from the web site:
– Unix:
– Win32:

The latest version can be pulled directly from Subversion:
$ svn co

A demonstration of the msfweb interface is running live from:

This may be the LAST 2.x version of the Metasploit Framework. All development resources are now being applied to version 3.0. More information about version 3.0 can be found online at:

Exploit modules designed for the 2.2 through 2.6 releases should maintain compatibility with 2.7. If you run into any problems using older modules with this release, please let us know.

Credit Card RFID Vulnerabilities

This looks like an interesting paper published recently about the vulnerabilities in the RFID chips found in newer credit cards. It sounds like the issues are fairly serious: all cards tested were found susceptible to privacy leakage and relay attacks, and some of them can be “skimmed, and replayed at will”. These can be combined with “cross-contamination attacks” by encoding the related data onto the magstripe of the same card.

I personally never saw the point of these RFID CC’s. I guess I don’t get the difference between swiping your card <10cm away vs. swiping the magstripe directly. Is there some other grand use case for these that justifies the risks involved?

Happy Hackiversary MRL!

        Fellow Hackers, Slackers, and Code-crackers:

On Friday October 20th at 7pm PST we will be holding our monthly
official Midnight Research Labs meeting.

                Happy Hackiversary MRL!!!

One year ago, we held the first "official" MRL meeting.  We had a
couple unofficial MRL meetings before that, but this marks the
anniversary of the first planned/scheduled/announced meeting.  I
think we've come a long way in the last year, and this last month
things have started to really take off.  Thanks to everyone for
making MRL something to be part of (*sniff* *sniff* memories!).

On to the main event!

This month Mike (drifter) will be giving a mini-presentation on
VOIP technologies, and he'll also have a demo on caller-id

For the hands on part of the evening we'll be putting together
home-brew biquad 802.11 antennas.  If you want me to purchase
materials for you, let me know ASAP, it's only going to be about
<$10 a person for all materials.  It's about as simple as putting
together a cantenna, but it looks a whole lot cooler, ;)

In addition to the MRL hackiversary, we'll be celebrating the
wicrawl and SEAT releases which have occurred since the last MRL

As always, anyone with cool toys, or interesting project ideas,
bring them along.

Light refreshments, pizza and beer will be served.

        Phase 0x0: Bootstrapping
          - Greetings and welcome
          - MRL updates and status
          - MRL projects update
        Phase 0x1: Initialization
          - VOIP mini-preso from Mike
          - Biquad antenna construction
          - Hackiversary
        Phase 0x2: Local exploits
          - Food
          - Off topic tools, toys and other shiny things -- If anyone
            has anything interesting to show off or play with, please bring it
          - Whatever till whenever -- This is the more social
            part of the event.  People are invited to stay and
            hack and have a couple drinks till whenever this
            phase is no longer self-sustaining, =)

This week in MRL

Sorry for the lack of updates, we’ve been pretty busy with wicrawl and catching up with life after Toorcon and Security Opus. We had a great time at both conventions, and the presentations went well (at least I think they did, :).

We had a pretty great week so far for wicrawl. Our friend Eliot at posted on wicrawl and the toorcon presentation which he edited very well and posted the whole video on the new netscape video site. (Thanks Eliot, :)

We also got mentioned as the “tool of the week” from the very cool security podcast. We met Twitchy and Joe at Toorcon, and I guess they actually remembered us afterwards, :). Anyway, give it a listen here, it’s worth putting on the podcast queue.

Also, we got a posting on Wi-Fi Net News, which I’ve linked to a few times in the past. If you’re keeping up on wi-fi developments, it’s a good blog to read (I’ve been reading it for a while now).

That’s it for now! Hope to see everyone Friday.

wicrawl updates

A few updates for wicrawl:

– First, we released a new package for wicrawl 0.3a that fixes some build issues in the previous release.

– I also added a new plugin based on pickupline which tries to bypass captive proxies by spoofing an already authenticated MAC/IP address pair.

– There is a new wicrawl-users mailing list for any wicrawl users. I expect it will be pretty low traffic, but if you have any questions, or if you just want updates, please feel free to subscribe.

Please let us know how it’s working for you, especially if you’re having any issues with it.


SEAT Release 0.1a

Today we are releasing another project at MRL: SEAT Version 0.1 Alpha. You can download it here. To learn more about the tool, please visit the official SEAT page for detailed documentation and instructional videos here. My personal thanks to the entire MRL group for continued support and invaluable advice during the development of the tool, you rock!
