Friday, October 31, 2014

Aircrack-ng 1.2 Release candidate 1

Here is the first release candidate. I was wrong about saying there would be a fourth beta in the post of the previous release. It comes exactly 7 months after the last beta. There will most likely be another one, then the final release, in the next few months.

Updating is highly recommended as this contains a lot of bug fixes and improvements as well as security fixes (CVE-2014-8321, CVE-2014-8322, CVE-2014-8323 and CVE-2014-8324). More details can be found in the blog.

Changelog:
  • Airodump-ng should be able to parse the canonical oui file.
  • Airodump-ng: Fixed GPS stack overflow.
  • Airodump-ng: Fixed stopping cleanly with Ctrl-C.
  • Airmon-zc: better handling for when modules are not available (incomplete)
  • Airmon-zc: users can now start the monitor interface again to change channels
  • Airmon-zc: update to use ip instead of ifconfig if available.
  • Airmon-zc: better handling of devices without pci bus
  • Aireplay-ng: Fixed tcp_test stack overflow.
  • OSdep: Fixed libnl detection. Also avoid detection on non-Linux systems.
  • OSdep: Fixed segmentation fault that happens with a malicious server.
  • Besside-ng: Add regular expression matching for the SSID.
  • Buddy-ng: Fixed segmentation fault.
  • Makefile: Fixed 'commands commence before first target' error when building Aircrack-ng.
  • Fixed segfault when changing the optimization when compiling with gcc thanks to Ramiro Polla.
  • Removed airdriver-ng (outdated and not meant for today's kernels)
  • Added gitignore file.
  • Fixed build issues on other compilers by using stdint.h types.
  • Updated installation file and added pkg-config as a requirement.
  • Various small fixes and improvements.

Tuesday, June 10, 2014

Comcast xfinitywifi and hidden wifi network

Recently, on twitter, I talked about Comcast and their xfinitywifi network. Here is the full story.

If you have Comcast and a recent modem from them such as one of those, it creates by default a wireless network called xfinitywifi (if it doesn't now, it will soon), so that other people with Comcast can log in to it and have Internet access when they are traveling.

It's a pretty good idea since it does not use any of your bandwidth (based on what they say, and Slashdot had a story today from the Houston Chronicle), but it could slow down your wireless network since it is on the same channel. However, I really don't like the way they implemented it: it is enabled by default and you can only disable it by logging on to your account online; there is not a single mention of it in the modem configuration. It's also a bad idea because you can easily fake it to steal credentials (it's an Open network, no encryption).

Unfortunately, I had to spend quite a lot of time with their tech/customer service to figure it out and get it disabled (their first attempt to disable it failed). And they will try to convince you to leave it on. I knew they had access to the cable modem and that they could reset/upgrade the firmware. What's really worrying is that they can access all the settings of the modem, including the wireless settings, and they could tell me what my WiFi settings were. They might also be able to access your network.

Moving on. Another issue I mentioned to their tech was that there was another wireless network alongside xfinitywifi and my personal network: a hidden network with the same security settings as my personal network (or it's just a coincidence that I use the same settings as them). The MAC address is also very similar to that of your modem; what changes is the first byte.
As of now (the last time I spoke to them was at least 2 or 3 weeks ago), this hidden network is still there and I have absolutely no idea what that network is. So, I'll disable the wireless on the modem and put another AP between the modem and my network. Here is a picture of the network (let me know if you'd like a PCAP).



Does anybody know what that hidden wireless network is for? Comcast hasn't responded yet to that question on twitter.
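A check built from the observation above, added here as an example and not part of the original post or of Aircrack-ng itself: given your own modem's BSSID and the networks you observed, it lists the BSSIDs that share the last five bytes (only the first byte differs) and flags which of them are hidden or open. The addresses and records below are constructed, not captured.

```python
# Added example, not from the original post; every address below is made up.
from dataclasses import dataclass

@dataclass(frozen=True)
class Network:
    bssid: str    # "aa:bb:cc:dd:ee:ff"
    essid: str    # "" when the SSID is hidden
    privacy: str  # "OPN" for an open network, else e.g. "WPA2"

def _octets(bssid: str) -> list[int]:
    parts = bssid.lower().split(":")
    if len(parts) != 6:
        raise ValueError(f"bad BSSID: {bssid}")
    return [int(p, 16) for p in parts]

def same_radio(a: str, b: str) -> bool:
    """True when two BSSIDs differ only in the first octet (same last five bytes)."""
    oa, ob = _octets(a), _octets(b)
    return oa[1:] == ob[1:] and oa[0] != ob[0]

def locally_administered(bssid: str) -> bool:
    """Bit 1 of the first octet set means a locally administered address; virtual
    APs derived from a base MAC usually set it. A hint, not proof."""
    return bool(_octets(bssid)[0] & 0x02)

def co_located_aps(my_bssid: str, seen: list[Network]) -> list[dict]:
    """Networks that look like extra BSSIDs on the same radio as my_bssid."""
    findings = []
    for n in seen:
        if not same_radio(my_bssid, n.bssid):
            continue
        findings.append({
            "bssid": n.bssid,
            "essid": n.essid or "<hidden>",
            "open": n.privacy.upper() == "OPN",
            "locally_administered": locally_administered(n.bssid),
        })
    return findings

# Constructed sample (hypothetical addresses): one modem exposing three BSSIDs, plus a neighbour.
MY_BSSID = "00:11:22:33:44:55"
SAMPLE = [
    Network("00:11:22:33:44:55", "MyHomeNet", "WPA2"),
    Network("02:11:22:33:44:55", "xfinitywifi", "OPN"),
    Network("06:11:22:33:44:55", "", "WPA2"),
    Network("10:22:33:44:55:66", "Neighbour", "WPA2"),
]

if __name__ == "__main__":
    for finding in co_located_aps(MY_BSSID, SAMPLE):
        print(finding)
```

Feed it the BSSID/ESSID/privacy columns of your own scan output in place of SAMPLE; a hidden entry in the result is the kind of network described above.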

Sunday, June 8, 2014

Custom trac+svn or GitHub (or other alternative)

Recently, I had a small discussion about moving to GitHub (or another similar solution) on IRC. The subject has come up several times (and I thought several times about it) and I'd like to have more opinions about it.

I'm really tempted to move it since it might decrease cost a little bit and most importantly, it will decrease the amount of maintenance I have to do. However, I have some concerns and I'm open to new ideas.

I like GitHub since it has most of the features of (a base) trac (and I don't need more than that). User management is built-in, as well as anti-spam. There is a big community around it and we can do continuous integration (using Travis CI). And I don't have to spend time cleaning up the spam, updating the server (and making sure it's secure; I guess GitHub has security measures).

Here is what I don't like with GitHub:
  1. You don't have control of your code anymore.
  2. One-way thing: you can import trac (tickets and stuff) to GitHub but I've never heard of tools to back that up
  3. You depend on them: if they're down, you'll have to wait for their stuff to come back up. If they get hacked, you might be in trouble. They can close your project; if you guys remember WhatsApp, a few days before it was bought by Facebook, GitHub received DMCA letters and had to close a bunch of projects that were related to WhatsApp (or API libraries).
  4. You need an account to create a bug report.
However, the cons can be somewhat alleviated:
  1. Hosting my own git repository and syncing to GitHub (as well as other GitHub alternatives)
  2. If there is no tool to back up GitHub, I might develop one (and open source it) or pay somebody to create one.
  3. Using multiple services. We could have GitHub as the main location and use other services as back-ups (read-only). If GitHub goes down, we can switch any other to read-write. However, we'll need software to do the sync (and it also depends on the back-up program in the previous point).
  4. If they don't have an account: Accept bug reports by email and/or have people post in the forum (you don't need an account to post) and I take care of adding them to GitHub.

So, here are my questions:
  1. What is your opinion about using GitHub (and git) for Aircrack-ng instead of trac+svn?
  2. What are the alternatives to GitHub (free, hosted)? If you've used one, please give me your opinion about it. I'm also willing to pay a few dollars a month if there is a serious one.
  3. What are the installable (on your own server) alternatives to GitHub? It's better if it's free/open source but I don't mind paying if the solution is good.
Here is what I found (and heard about): GitLab (to install, as backup, using gitlab-mirrors), BitBucket, Gitorious, Kiln. However, I need more feedback about them.

As I get feedback, I'll update the post.

Wednesday, April 16, 2014

Anti-virus issues and open letter to Anti-virus

Anti-viruses have a bright side and a dark side.

Well, antiviruses are like babysitters: they prevent dangerous things from happening to your computer. In a certain light, it's a good thing, but when you grow up (in this case, know how to use computers safely and want to use security tools), that babysitter becomes more of an annoyance.

What I mean is that most security tools are flagged by antiviruses and Aircrack-ng isn't an exception. Sometimes, they just flag it as 'hacktool' or 'not-a-virus', but a few of them have weird-looking names and googling them doesn't even give you an answer as to what it means.

I had to deal with a lot of stuff because of that:

  • Emails from people telling me their antivirus detected aircrack-ng as a virus and I had to tell them it's perfectly safe and their antivirus is wrong
  • Yahoo, which has or had a safe-page system using McAfee. It was saying the Aircrack-ng website wasn't safe despite all the messages saying it's perfectly safe
  • VIPRE antivirus, which was removing links to Aircrack-ng.org because they thought it wasn't safe.
  • And a few other things I don't even remember. Here is one I just found in the forum

It hasn't been a problem until now because my hosting provider uses a service from C-Sirt.org to do online scanning of files to make sure there's no virus. In most cases, they are right but there is always an exception. The problem is that they think their system is perfect as you can see when they talk about false positive:


At first, I was surprised and took their incident seriously. I started by checking the MD5 and SHA1 of the file (which hadn't changed) and submitted the files to virustotal.com. That's where I saw why they think Aircrack-ng is a virus. As you can see, some of them give a name that will make you freak out (and using Google to find out what that means gives you NOTHING), but most of them don't detect it or clearly see it as Aircrack-ng.

I emailed the guy behind C-Sirt.org. Unfortunately, his English is more than approximate and, if I understand correctly what he tells me, I should simply contact all anti-virus vendors and ask them to remove Aircrack-ng from their definitions so that his algorithm won't flag it as a virus anymore.
Well, I would be more than happy to do so but my experience with first line customer service is not successful so I doubt it will work out.

Back to my provider. Even though I've been a customer for more than 6 years, they blindly trust C-Sirt.org and wrongfully shut down one of my servers where they thought the file was (and I'm still having issues getting it back up), and threatened to shut down my hosting when I told them where the file is, because of a mistake by C-Sirt (due to antivirus definitions). I tried to convince them without any success, and I'll gladly show you the emails if you guys want (as well as the single email I got from C-Sirt.org).


So, anti-virus vendors, please be smarter nannies. I'm ok with you flagging viruses, but flagging security tools doesn't make sense and hurts us. Please remove Aircrack-ng and other security tools from your definitions.
In the meantime, I'll just repack the file and add a password so you won't be able to scan it and it won't be wrongfully flagged.
And if you're not planning to take it off your definitions, I've got a request to add another well-known security tool that uses Aircrack-ng: Core Impact. They even submitted a new attack for Aircrack-ng, which gives you a good reason (and proof that it's not a virus) to take it off your definitions.