Metasploit Adds Wi-Fi Exploits

802.11 attack tool will allow modules to send kernel or nonkernel exploits.

The Metasploit Project plans to add, sometime during the week of Oct. 30, 802.11 (Wi-Fi) exploits to a new version of its point-and-click attack tool, a move that simplifies the way wireless drivers and devices are exploited.

The controversial open-source project, created and maintained by Austin, Texas, hacker HD Moore, has added a new exploit class that allows modules to send raw 802.11 frames at one of the most vulnerable parts of an operating system.

According to Moore, Metasploit 3 will integrate kernel-mode payloads to allow existing user-mode payloads to be used for both kernel and nonkernel exploits. Because the framework provides an easy-to-use interface for connecting vulnerabilities to actual payloads, Metasploit 3 gives users an avenue to target the most sensitive part of an operating system.

Moore told eWeek he is collaborating with independent researcher Jon "Johnny Cache" Ellch on an 802.11 exploit. The plan is to use Ellchs LORCon (Loss of Radio Connectivity) hacking tool to target exploits at Wi-Fi bugs haunting widely used devices and computers.

Moore shrugged off criticisms that Metasploit gives black-hat hackers all the tools needed to launch attacks, insisting that the target market can be broken into three categories. "[This is for] penetration testers and network administrators [who] want to demonstrate the impact of an unpatched wireless vulnerability," he said.

Moore said security researchers looking for an easy way to investigate wireless device and driver vulnerabilities can also find value in the code, which can be used to develop "fuzzers" for discovering new vulnerabilities.

Fuzzers, or fuzz testers, are used to pinpoint security vulnerabilities by sending random input to an application. If the program contains a vulnerability that leads to an exception, a crash or a server error, researchers can parse the test results to pinpoint the cause of the crash.

Moore, who serves as director of security research at BreakingPoint Systems, said security solution developers can also use the new Metasploit capabilities to perform QA (quality assurance) tests on their products.

"Depending on my available free time, we should have some working and useful demonstrations of this within a week," Moore said. "Were close to completing work on injecting code into the Windows kernel in a way that causes it to run a standard Metasploit payload without crashing the target system."

"We need at least one solid example of a wireless driver exploit that can be used to demonstrate the system," Moore said. This is where Ellchs expertise comes in.

"[Ellch] has a number of these that would work, but one in particular is both reliable and easy to demonstrate," Moore said. "He demonstrated [it] at the Microsoft BlueHat conference, and were waiting for his go-ahead before adding the exploit code to the public source repository."

Ellch confirmed that his code is being used in the Metasploit refresh but declined an eWeek request for comment on the extent of his involvement.

Ellch, widely regarded as an expert on wireless security, said he believes the 802.11 link-layer wireless protocol is "overly complicated" and has not been implemented securely by many vendors.

However, Ellch said that during his recent trip to Microsofts Redmond, Wash., campus for BlueHat, he was happy to see the software vendor paying serious attention to Wi-Fi bugs.

"They have already reimplemented many tools similar to my own and are actively finding bugs in other vendors device drivers that they dont necessarily have access to the code for," Ellch said in an interview with eWEEK. "I cant imagine a more serious response."

Point. Click. Root.

Some Metasploit background:

* What Open-source penetration-testing project and framework provides one-click access to execute exploit code against a remote target machine

* Who runs it HD Moore, director of security research at BreakingPoint Sys-tems; Matt Miller (also known as Skape); and Spoonm (a hacker who prefers to be known only by his moniker)

* Who uses it More than 90,000 unique IP addresses have used Metasploits online update system between January and October 2006, and it is widely used by security assessment companies to launch simulated hacking attacks against enterprise networks

Source: eWEEK reporting and Metasploit