tag:blogger.com,1999:blog-41845395210959512862024-03-13T08:39:19.054-07:00WiFi MafiaWireless StuffUnknownnoreply@blogger.comBlogger8125tag:blogger.com,1999:blog-4184539521095951286.post-55408834030282108922012-01-23T18:22:00.000-08:002012-01-23T18:22:52.423-08:00Dumping Beacon frames using the WiFi Native APISome time ago I released wwtool that was able to do some information gathering using wireless interface that work on Windows and I promise to add some features, one of this was to dump wireless frames to a pcap file.<br />
<br />
I'm going to explain how we are able to reassemble Beacon frames using the WiFi Native API.<br />
<br />
Before starting we need first to understand what a Beacon frame has inside. On the image below we are going to see the content of this frame.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgizyC4XdeR0uRlxaDWK5nmIfS-wwvkUuK31QlacOSRX2EBkOuhYlbHwoFDLs9EAqwEKSYlXEDxPbpvVWYsC46Hh7HWFJbQxO3GyeYiM_DsP2mx4F_0-Pc-ikIclqVWytAAVAvwtQCtpQ/s1600/wireshark-beacon-frame.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgizyC4XdeR0uRlxaDWK5nmIfS-wwvkUuK31QlacOSRX2EBkOuhYlbHwoFDLs9EAqwEKSYlXEDxPbpvVWYsC46Hh7HWFJbQxO3GyeYiM_DsP2mx4F_0-Pc-ikIclqVWytAAVAvwtQCtpQ/s400/wireshark-beacon-frame.png" width="400" /></a></div><br />
<a name='more'></a><br />
To do the magic we are going to use the <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms706735(v=vs.85).aspx">WlanGetNetworkBssList</a> function that retrieves a list of BSS entries of the wireless network on a given wireless interface. This BSS entries are handed to us on the <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms706839(v=vs.85).aspx">WLAN_BSS_ENTRY</a> structure and we know that this information is gather through Beacon and Probe Response frames. This two frames are almost identical on their content, so we are going to treat all as Beacons because it would be almost impossible to distinguish one from other from the API.<br />
<br />
Below we can see the declaration of the <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms706839(v=vs.85).aspx">WLAN_BSS_ENTRY</a> structure.<br />
<br />
<span class="Apple-style-span" style="font-family: monospace; white-space: pre;">typedef struct _WLAN_BSS_ENTRY {</span><br />
<pre>DOT11_SSID dot11Ssid;
ULONG uPhyId;
DOT11_MAC_ADDRESS dot11Bssid;
DOT11_BSS_TYPE dot11BssType;
DOT11_PHY_TYPE dot11BssPhyType;
LONG lRssi;
ULONG uLinkQuality;
BOOLEAN bInRegDomain;
USHORT usBeaconPeriod;
ULONGLONG ullTimestamp;
ULONGLONG ullHostTimestamp;
USHORT usCapabilityInformation;
ULONG ulChCenterFrequency;
WLAN_RATE_SET wlanRateSet;
ULONG ulIeOffset;
ULONG ulIeSize;
} WLAN_BSS_ENTRY, *PWLAN_BSS_ENTRY;
</pre><br />
If we compare the content of the frame from the information we can get from the Windows API, we see that we are missing some portions of the frame.<br />
<br />
We are able to assume the content of some fields and fix the value of others to reassemble the frames:<br />
<br />
<ul><li>Frame Control Version is 0x0.</li>
<li>Frame Control Type is set to Management and Subtype to Beacon.</li>
<li>Frame Control Flags are always 0x0 on Beacon and Probe Response frames.</li>
<li>Duration is always 0x0.</li>
<li>Destination is set to broadcast as on the Beacon frames.</li>
<li>Source Address is the same as the BSSID and we can get this from the WLAN_BSS_ENTRY structure.</li>
<li>Management frames couldn't be fragment, so be set fragment field to 0.</li>
<li>We set sequence number to a fixed value of 0.</li>
<li>Timestamp, beacon interval and capabilities fields are available on the WLAN_BSS_ENTRY structure.</li>
<li>We get all the information elements of the frame using the ulIeOffset and ulIeSize from the WLAN_BSS_ENTRY structure.</li>
</ul><div>Finally the only thing we are missing is to store this frames in a file using the Pcap file format (<a href="http://wiki.wireshark.org/Development/LibpcapFileFormat">http://wiki.wireshark.org/Development/LibpcapFileFormat</a>).</div><div><br />
</div><div>As we saw this is not so hard to do, and we are able to do some sort of "sniffing" with wireless interfaces on Windows platform.</div><div><br />
</div><div>To those that don't want to do all the coding I uploaded the source code to my GitHub repository(<a href="https://github.com/6e726d">https://github.com/6e726d</a>). The code can be build using Visual Studio Express Edition.<br />
<br />
And the others that only want the binary file, you can download it from <a href="https://sites.google.com/site/wifimafiablog/Native-WiFi-API-Beacon-Sniffer.zip">here</a>.</div>Unknownnoreply@blogger.com18tag:blogger.com,1999:blog-4184539521095951286.post-81790637700240399462011-11-19T06:48:00.000-08:002011-11-19T12:52:08.412-08:00wwtool v0.1wwtool (Windows Wireless Tool) is a command line utility that list available wireless network.<br />
Why to create a new tool if we already have tools like <a href="http://www.vistumbler.net/">Vistastumbler</a>.<br />
Below I wrote some of the reasons:<br />
<ul><li>Lately been playing with Windows WiFi Native API(<a href="http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Abusing_the_Windows_WiFi_native_API_to_create_a_Covert_Channel">Abusing the Windows WiFi native API to create a Covert Channel</a>).</li>
<li>Wanted a command line tool (<a href="http://www.vistumbler.net/">Vistastumbler</a> is out).</li>
<li>Wanted something a little bit more flexible that netsh.</li>
</ul><div><a name='more'></a></div>Let's see the output of netsh command line tool when listing wireless networks.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-nV0bRRcjSepX2DqiF3ao7qvZqfTTngbOjRVym2VTL4Us4phOoCznRdAQVS1kT7sRRqv3OHVq8tBsvN8bm-Z8M1QsoJTTMzZpSQKXurzGUnWVi2_FP-nS20Ldlf2dffvKHBLnPlBWnA/s1600/netsh.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-nV0bRRcjSepX2DqiF3ao7qvZqfTTngbOjRVym2VTL4Us4phOoCznRdAQVS1kT7sRRqv3OHVq8tBsvN8bm-Z8M1QsoJTTMzZpSQKXurzGUnWVi2_FP-nS20Ldlf2dffvKHBLnPlBWnA/s320/netsh.png" width="183" /></a></div><br />
The problem is when you have a big list of networks, it would be nice to have a simpler output to see networks easily. I also think that the information provided is not enough for someone that has advance knowledge on wireless networks and wants some extra information.<br />
<br />
So the tool I wrote has two output mode for now(I thinking in adding some more that are useful when working with other wireless tools).<br />
<br />
<b>Simple Output</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLV4oJPvEdJF6q-siVt88y9CjcLVOgH2_YxTNIX2CF0DZ6bsYS3t5-zXZuXNJCVc_MhnXFFI0tf5AaR0DjI1ZBUY9URhVOwcfcJphN8VATUVbABUXzJ4Ci0BlG3iDjHvNSOk8ZHszTPA/s1600/simple.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLV4oJPvEdJF6q-siVt88y9CjcLVOgH2_YxTNIX2CF0DZ6bsYS3t5-zXZuXNJCVc_MhnXFFI0tf5AaR0DjI1ZBUY9URhVOwcfcJphN8VATUVbABUXzJ4Ci0BlG3iDjHvNSOk8ZHszTPA/s320/simple.png" width="320" /></a></div><br />
<b>Verbose Output</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXBYHSwCEDLBwZ3nZJ15R6FSNuLkMOoLWAEGrDDxEoMeMPaBlDXZYYZe5x-Fg6ZaLsyCWncCJKnokOIION5-4MUfwu01bmjLiYLpnPFzG5-1q3LNxFvYxMQQ4T0oUJdYHKpvGsPdQu6g/s1600/verbose.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXBYHSwCEDLBwZ3nZJ15R6FSNuLkMOoLWAEGrDDxEoMeMPaBlDXZYYZe5x-Fg6ZaLsyCWncCJKnokOIION5-4MUfwu01bmjLiYLpnPFzG5-1q3LNxFvYxMQQ4T0oUJdYHKpvGsPdQu6g/s320/verbose.png" width="218" /></a></div><br />
As we can see wwtool has the capability to show information elements. In this first version the tool is capable of parsing some information elements in case the tool is not able to parse the IE data it shows a hex dump of the information.<br />
<br />
<b>Features I'm working on</b><br />
<ul><li>Pcap output (yes, the tool is going to be able to dump to a pcap file beacons frames).</li>
<li>Kismet csv compatible output.</li>
<li>Keep running so it's useful when wardriving.</li>
<li>Be able to work with multiple interfaces.</li>
<li>Add some support for more IE.</li>
</ul><div><a class="hash" href="http://bit.ly/uUNRHr">Download</a></div>Unknownnoreply@blogger.com4tag:blogger.com,1999:blog-4184539521095951286.post-30827420537890191722011-03-20T21:43:00.000-07:002011-03-20T21:43:04.394-07:00When your network takes a walk<div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">These days when mobile devices and notebooks are everywhere, networks are more difficult to isolate and a new problem is emerging. Nowadays it’s a common thing that companies give their employees notebooks so they can work remotely or take them when they travel. Many of these companies invest a lot of money and resources to secure their networks, but all that money and resources go to the trash the moment your network takes a walk.</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">Why is an attacker going to target a protected network if even the most simple information gathering could set all the alarms? Instead he could target the notebooks or mobile devices of the company, after all this devices could have sensitive information, credentials or could provide access to the protected network. After all the ‘owners’ of this devices are not careful with the security of the device outside the company, most of them connect to any network they find only to check their facebook account.</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"></div><a name='more'></a><br />
<div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">In this case I will use as an example all the information I gathered from an Open Access Point of a friend of mine (after some explanation about why an open network is not a good idea my friend changed the security). Apparently my friend got a lot of people connected to his ‘linksys’ Access Point, one of this was taking his company network with him. My friend suddenly wanted to know who was using his connection, so I agree to help him find out for educational purposes.</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">To find out how this guy was we will analyze all the traffic I passively could get from the device.</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">Probe request frames tell a lot about the owner of a device, in this case that the person connects to a lot of newtorks (possibly insecure ones). We also see a potential company network appears on the list.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaD3ArHTRDuX_8TddMA-_eLJ3p5BH_f27DIvpZTIqDEGCV4g2DIindnm_MgP2JxxkhhevVbsLYXnWMFoYoll-VdrRvidFBCK4tw5RkW1BkZeMSjA7eGe3MkobsSHJR77ePYPHpXj6pCA/s1600/00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaD3ArHTRDuX_8TddMA-_eLJ3p5BH_f27DIvpZTIqDEGCV4g2DIindnm_MgP2JxxkhhevVbsLYXnWMFoYoll-VdrRvidFBCK4tw5RkW1BkZeMSjA7eGe3MkobsSHJR77ePYPHpXj6pCA/s400/00.png" width="400" /></a></div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><br />
</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">Using the ‘Protocol Hierarchy’ from the Statistics menu on wireshark we can have an idea of what type of traffic and what quantities we have.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX_PYQHqy0Y8GXNHNIO4ju4S0R_M2tXyjnSBAb7Fahpk3shCncTaDf6ZEGpNthCj-qWua7LcvBuH4xcCi_Zg0ialvywT0WboGFK4PJ3v98i7uRueViWGBpA3E0KPn17blDFWmkkQh9lw/s1600/01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX_PYQHqy0Y8GXNHNIO4ju4S0R_M2tXyjnSBAb7Fahpk3shCncTaDf6ZEGpNthCj-qWua7LcvBuH4xcCi_Zg0ialvywT0WboGFK4PJ3v98i7uRueViWGBpA3E0KPn17blDFWmkkQh9lw/s400/01.png" width="400" /></a></div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><br />
</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">It’s always good to start from the beginning, so we start checking DHCP packets, it’s the first thing almost every device does when they connect to a network.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1I2jdtJxOACxPuCSQIbBOvcsJ4qzCNzBtTnNmM9g1SRZjJufpVvsvRq8d9LOehcYH9KziUHnUL88-nAoVdZLQcjxGyZIoXHTuLRfT5SsTLfzxGBslThM8jgGBBSrDGP_spEGII9GEcw/s1600/02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1I2jdtJxOACxPuCSQIbBOvcsJ4qzCNzBtTnNmM9g1SRZjJufpVvsvRq8d9LOehcYH9KziUHnUL88-nAoVdZLQcjxGyZIoXHTuLRfT5SsTLfzxGBslThM8jgGBBSrDGP_spEGII9GEcw/s400/02.png" width="400" /></a></div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><br />
</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">From the analysis of these packets we can gather information like for example:</div><div style="margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"></div><ul><li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Hostname</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">IP address from the last network the device connect to</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Fully qualified domian name from the last network the device connect to</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Etc</span></span></li>
</ul><div><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Generally, when i analyze traffic, I continue with DNS to see what domains the device try to reach. In many cases with the first DNS queries we can deduce the device vendor or the OS. In this case we are interesting in the queries for domains related to the company.</span></span></div><div><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;"><br />
</span></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAdCSTeB6dgeePAg3ViwxDK41CnyDRM4HGX2Ca02xZA6EPEr1Mq6RK1EYJdcH637-T9xVIek8qbDI0K0joKMF7gfUTWye536eteFhfphZ8Hs_Aqx7RNTuUqgqiSsLMnE1AJg0XfbWcdA/s1600/03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAdCSTeB6dgeePAg3ViwxDK41CnyDRM4HGX2Ca02xZA6EPEr1Mq6RK1EYJdcH637-T9xVIek8qbDI0K0joKMF7gfUTWye536eteFhfphZ8Hs_Aqx7RNTuUqgqiSsLMnE1AJg0XfbWcdA/s400/03.png" width="400" /></a></div><div><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;"><br />
</span></span></div><br />
<div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">As we can see on the image, we have some hostnames that are only accessible from the internal network, others that are accessible from the internet and the DNS servers from the company. In some cases we are lucky and only by reading the names we can identify some of the services the host provides.</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">The next protocol we are going to analyze is NetBIOS. We could also get some interesting information from this traffic.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2wLjRfERERdDhyqEcRNIuPn2z8blfZ9M-CwSirFEZiG2w5cek3EMuwln8LMonp09p-Eo1R5aA5sG5b1bRZm6bSf0rzAUhvh60bTcDEsyyADWecdIcUsurhw-IRGpCWIpBwBB47PQFOQ/s1600/04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2wLjRfERERdDhyqEcRNIuPn2z8blfZ9M-CwSirFEZiG2w5cek3EMuwln8LMonp09p-Eo1R5aA5sG5b1bRZm6bSf0rzAUhvh60bTcDEsyyADWecdIcUsurhw-IRGpCWIpBwBB47PQFOQ/s400/04.png" width="400" /></a></div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><br />
</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">In this case we could get information like the following:</div><div style="margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"></div><ul><li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Hostname</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">OS Major Version</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">OS Minor Version</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Domain names</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Shares</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Credentials/Hashes</span></span></li>
</ul><div><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">The next thing that got my attention was some SIP traffic, I’m not a VoIP expert but after checking the packets I got some information like for example:</span></span></div><div><ul><li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">VoIP Server Software</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">IP address and Hostname of the VoIP server</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Username</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Hashes</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">First Name and Last Name of an employee</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Calls information</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Etc</span></span></li>
</ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBUeOyro0f2Wt8bcSGFMI2cH_rMpSGw5wwRlHoHr-gvNtS0G_kAWjVr6_2_CpHNXDI1_lALGoVEW6mNl7DI2SuQF4JY_E9ZKnQs1Fm23wMy4XAKC1U5P9MBv8XmghsCvv6T6ZFSqRoQQ/s1600/05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBUeOyro0f2Wt8bcSGFMI2cH_rMpSGw5wwRlHoHr-gvNtS0G_kAWjVr6_2_CpHNXDI1_lALGoVEW6mNl7DI2SuQF4JY_E9ZKnQs1Fm23wMy4XAKC1U5P9MBv8XmghsCvv6T6ZFSqRoQQ/s400/05.png" width="400" /></a></div><div><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;"><br />
</span></span></div></div><div><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">We also have some IM traffic that could give us:</span></span></div><div><ul><li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Employees email addresses (useful for client side or social engineering attacks)</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Trusted contacts (useful for client side or social engineering attacks)</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Sensitive information</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Files</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Etc</span></span></li>
</ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqJo7BSXbI9uBwhoRbI815lAZX1nWYyEe_K0QYROmPv1QSVKUsoIJH-dwFWscFdK_-bkg7xO_1H1ja4ZRsGwe1YzER6_4yqiUHqQZX0fs-NSJbiwWN3y9KqtffHvXQdOKLiCJ2qUgVnA/s1600/06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqJo7BSXbI9uBwhoRbI815lAZX1nWYyEe_K0QYROmPv1QSVKUsoIJH-dwFWscFdK_-bkg7xO_1H1ja4ZRsGwe1YzER6_4yqiUHqQZX0fs-NSJbiwWN3y9KqtffHvXQdOKLiCJ2qUgVnA/s400/06.png" width="400" /></a></div><div><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;"><br />
</span></span></div></div><div><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Finally, we have some HTTP traffic in this case we don’t have company information but we could get things like:</span></span></div><div><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;"><br />
</span></span></div><div><ul><li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">User Agent from browsers or 3rd party applications (useful for client side or social engineering attacks)</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Company Sites</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Social networks information (useful for client side or social engineering attacks):</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Personal Information</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Contacts</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Friends</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Etc</span></span></li>
</ul><div><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;"><div style="margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">In this case an information gathering got us a lot of information, but if an attacker for example does a MitM attack the consequences could be a lot worse.</div><div style="margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">To sum up, we can spend a lot of money protecting the network of our company, but these days employees have to understand the security issues of handling devices from the company. It’s a common practice today to give employees mobile devices to stay connected. If your company gives mobile devices (notebooks, netbooks, tablets, cellphones, etc) or let the employees use them to connect to the internal network, be aware that your network could take a walk on the wrong neighborhood.</div></span></span></div></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4184539521095951286.post-28598344217407034962011-03-20T21:32:00.000-07:002011-03-20T21:32:12.918-07:00WiFi Geolocation<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">I knew about IP geolocation, but someone knowing my country is not enough to set on my paranoia alarm. One day i was having fun with an Apple iPad and when i open the Maps application y suddenly freaked out. The iPad knew my exact position, my paranoia alarm is on for sure, this was the cheap iPad so no assisted GPS here.</span><br />
<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><br />
</span><br />
<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">After some searches on the web I found that this was using access points as if they were cellphone towers to get my position on the globe.</span><br />
<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">Recently Google got into some trouble<a href="http://www.bit-tech.net/news/bits/2010/05/17/google-admits-street-view-wifi-sniffing/1" style="color: #5c7a99; text-decoration: none;">[1]</a><a href="http://www.techeye.net/business/google-sued-over-snaffled-street-view-data" style="color: #5c7a99; text-decoration: none;">[2]</a> for their war driving van, aka <a href="http://en.wikipedia.org/wiki/Google_Street_View" style="color: #5c7a99; text-decoration: none;">street view</a> van.<br />
So it’s not new that companies are doing some war driving to make geolocation, but i didn’t believe this could be so accurate and up to date, I was wrong.</span><br />
<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">But I don’t live in the US, I’m far away from Google street view or companies doing war driving. I’m safe, aren’t I? Again wrong!! It doesn’t matter, apparently some companies are using the users to do war driving for them. I continued my search through the web and found this <a href="http://www.scribd.com/doc/34546602/apple-response-to-markey-barton" style="color: #5c7a99; text-decoration: none;">document</a>, it is the<a href="http://news.cnet.com/8301-31021_3-20010948-260.html" style="color: #5c7a99; text-decoration: none;">response of Apple to query about privacy policy changes</a>, here are some quotes:</span><br />
<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"></span><br />
<a name='more'></a><br />
<blockquote><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><span class="Apple-style-span" style="font-style: italic;">To provide the high quality products and services that its customers demand, Apple must have access to comprehensive location-based information. For devices running the iPhone OS versions 1.1.3 to 3.1, Apple relied on (and still relies on) databases maintained by Google and Skyhook Wireless (“Skyhook”) to provide location-based services. Beginning with the iPhone OS version 3.2 released in April 2010, Apple relies on its own databases to provide location based services and for diagnostic purposes. These databases must be updated continuously to account for, among other things, the ever-changing physical landscape, more innovative uses of mobile technology, and the increasing number of Apple’s customers. Apple always has taken great care to protect the privacy of its customers.</span></span></blockquote><blockquote><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; font-style: italic; line-height: 20px;">To provide location-based services, Apple must be able to determine quickly and precisely where a device is located. To do this, Apple maintains a secure database containing information regarding known locations of cell towers and Wi-Fi access points. The information is stored in a database accessible only by Apple and does not reveal personal information about any customer.</span></blockquote><blockquote><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; font-style: italic; line-height: 20px;">Information about nearby cell towers and Wi-Fi access points is collected and sent to Apple with the GPS coordinates of the device, if available: (1) when a customer requests current location information and (2) automatically, in some cases, to update and maintain databases with known location information. In both cases, the device collects the following anonymous information:</span></blockquote><blockquote><ul><li style="text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; font-style: italic; line-height: 20px;">Cell Tower Information: Apple collects information about nearby cell towers, such as the location of the tower(s), Cell IDs, and data about the strength of the </span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; font-style: italic; line-height: 20px;">signal transmitted from the towers. A Cell ID refers to the unique number assigned by a cellular provider to a cell, a defined geographic area covered by a cell tower in a mobile network. Cell IDs do not provide any personal information about mobile phone users located in the cell. Location, Cell ID, and signal strength information is available to anyone with certain commercially available software.</span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; font-style: italic; line-height: 20px;">Wi-Fi Access Point Information: Apple collects information about nearby Wi-Fi access points, such as the location of the access points), Media Access Control (MAC) addresses, and data about the strength and speed of the signal transmitted by the access point(s). A MAC address (a term that does not refer to Apple products) is a unique number assigned by a manufacturer to a network adapter or network interface card (“NIC”). The address provides the means by which a computer or mobile device is able to connect to the Internet. MAC addresses do not provide any personal information about the owner of the network adapter or NIC. Anyone with a wireless network adapter or NIC can identify the MAC address of a Wi-Fi access point. Apple does not collect the user-assigned name of the Wi-Fi access point (known as the “SSID,” or service set identifier) or data being transmitted over the Wi-Fi network (known as “payload data”).</span></li>
</ul></blockquote><blockquote> <span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; font-style: italic; line-height: 20px;">First, when a customer requests current location information, the device encrypts and transmits Cell Tower and Wi-Fi Access Point Information and the device’s GPS coordinates (if available) over a secure Wi-Fi Internet connection to Apple,” For requests transmitted from devices running the iPhone OS version 3.2 or iOS 4, Apple will retrieve known locations for nearby cell towers and Wi-Fi access points from its proprietary database and transmit the information back to the device. For requests transmitted from devices running prior versions of the iPhone OS, Apple transmits-anonymously-the Cell Tower Information to Google and Wi-Fi Access Point Information to Skyhook. These providers return to Apple known locations of nearby cell towers and Wi-Fi access points, which Apple transmits back to the device. The device uses the information, along with GPS coordinates (if available), to determine its actual location. Information about the device’s actual location is not transmitted to Apple, skyhook, or Google. Nor is it transmitted to any third-party application provider, unless the customer expressly consents. Second, to help Apple update and maintain its database with known location information, Apple may also collect and transmit Cell Tower and Wi-Fi Access Point Information automatically. With one exception,” Apple automatically collects this information only (1) if the device’s location-based service capabilities are toggled to “On” and (2) the customer uses an application requiring location-based information. If both conditions are met, the device intermittently and anonymously collects Cell Tower and Wi-Fi Access Point Information from the cell towers and Wi-Fi access points that it can “see,” along with the device’s GPS coordinates, if available. This information is batched and then encrypted and transmitted to Apple over a Wi-Fi Internet connection every twelve hours (or later if the device does not have Wi-Fi Internet access at that time).</span></blockquote><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">The document is really interesting, something to read besides WiFi Geolocation.</span><br />
<br />
<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">The Apple Geolocation DB is only useful if you have an Apple device. But as we could read on the document Apple continues to use on some devices Skyhook and Google DBs. For more information on Skyhook you could visit their</span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"> </span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><a href="http://www.skyhookwireless.com/" style="color: #5c7a99; text-decoration: none;">page</a></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">. There’s also some information on “Online Mapping Services” on</span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><a href="http://www.hackingexposedwireless.com/doku.php" style="color: #5c7a99; text-decoration: none;">“Hacking Wireless Exposed – Second Edition”</a></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">(isbn:9780071666619).</span><br />
<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;"><br />
</span></span><br />
<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">To be able to test the Google DB I created a script that let you make queries using one or many MAC addresses.</span><br />
<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><br />
</span><br />
<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">Download the script </span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><a href="http://sites.google.com/site/wifimafiablog/WFGL.zip" style="color: #5c7a99; text-decoration: none;">here</a></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">.</span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4184539521095951286.post-49375618956507393552011-03-20T21:12:00.000-07:002011-03-20T21:16:40.837-07:00Where Have You Been?<div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">Probe Request frames are useful to gather information from Stations. For example, analyzing Probe Request traffic could be use for the following:</div><div style="margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"></div><ul><li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Finding potential targets for Karma attacks.</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Finding Stations that had connected to other wireless networks(Hotspots, Open Networks, etc).</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Finding the OS of Stations with Windows XP, searching for Probe Requests that has the SSID IE set with random binary data<a href="http://www.theta44.org/karma/aawns.pdf" style="color: #5c7a99; text-decoration: none;">[1]</a>.</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Finding possible relations between Stations, through the vendor or the SSID we could find stations belonging to certain network.</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Finding rogue WAPs.</span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">Social Engineering attacks to client Stations owners.</span></span></li>
</ul><br />
<div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">If your wireless network has client Stations that are vulnerable to client attacks, then the network is vulnerable.</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"></div><a name='more'></a><br />
<div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">I scripted a mini tool to sniff Probe Request Frames and generate a HTML report with the information.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOTaQ_znMxmp1DDfgtGgOwh-LiDCCzC9NjH8ZFFlgf7VMoh8MFhaNg7zTrjbSZgnMCDp5l709sIZFQSWgF7d14FTwuBGk-uae0rnphmXj4hxUR2E0A-03WzUIY_16EzO6ggKpMwMuBjw/s1600/whyb-demo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOTaQ_znMxmp1DDfgtGgOwh-LiDCCzC9NjH8ZFFlgf7VMoh8MFhaNg7zTrjbSZgnMCDp5l709sIZFQSWgF7d14FTwuBGk-uae0rnphmXj4hxUR2E0A-03WzUIY_16EzO6ggKpMwMuBjw/s400/whyb-demo.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br />
</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">Script requirements:</div><div style="margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"></div><ul><li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;"><a href="http://www.python.org/" style="color: #5c7a99; text-decoration: none;">Python</a></span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;"><a href="http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=PyLorcon2" style="color: #5c7a99; text-decoration: none;">PyLorcon2</a> – Get last version <a href="http://code.google.com/p/pylorcon2/" style="color: #5c7a99; text-decoration: none;">here</a></span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;"><a href="http://oss.coresecurity.com/projects/impacket.html" style="color: #5c7a99; text-decoration: none;">Impacket</a> – Get last version <a href="http://code.google.com/p/impacket/" style="color: #5c7a99; text-decoration: none;">here</a></span></span></li>
<li><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;"><a href="http://oss.coresecurity.com/projects/pcapy.html" style="color: #5c7a99; text-decoration: none;">Pcapy</a></span></span></li>
</ul><div><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px;">The script saves information on a sqlite3 db on the report directory defined by the user. When the user stops the script pressing Ctrl+C the HTML report is generated on the report directory.</span></span></div><br />
<pre>Usage:
./WHYB.py <interface> <report name="">
Example:
./WHYB.py wlan0 2010-06-29</report></interface></pre><br />
<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">The output of the tool is something like this:</span><br />
<br />
<pre>Where Have You Been?
Press Ctrl+C to stop.
---------------------------------------------------------------
[2010-07-06 03:55:37] - 00:40:F4:XX:XX:XX - paXXXXXXXXXX
[2010-07-06 03:55:37] - 00:23:4D:XX:XX:XX - LaXXXXXXXXXX
[2010-07-06 03:55:37] - 00:24:2B:XX:XX:XX - AXXXXXXXXXX
[2010-07-06 03:55:37] - 00:24:2B:XX:XX:XX - linXXXXXXXXXX
^C
Ctrl+C caught.
Closing...</pre><br />
<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">The script is available</span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"> </span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><a href="http://sites.google.com/site/wifimafiablog/WHYB.zip" style="color: #5c7a99; text-decoration: none;">here</a></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">.</span>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-4184539521095951286.post-73330102473773535982011-03-20T21:00:00.000-07:002011-03-20T21:00:59.193-07:00WAP fingerprinting: The Wi-Fi Alliance Way<div style="text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">Fingerprinting a WAP(Wireless Access Point) to find the vendor and model is something I have always been interested in. The first way I thought of doing this was by using the</span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"> </span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><a href="http://standards.ieee.org/regauth/oui/oui.txt" style="color: #5c7a99; text-decoration: none;">oui.txt</a></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"> </span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">to find the vendor of the WAP. But knowing the vendor doesn’t give us to much to work with. So one day when I was sniffing I saw some interesting beacon frames:</span></div><div style="text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><br />
</span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi360xaLtncc7CyWmD4OgyvvLprff4fDhyKelna-HQD_2WLE9MfO-keK9GELtLBd6BSN2tQQzbIOBO4NJ1nMOfYd94Jvk3WR0PE_X5e6FJwPZbTz-Z0ij5KXdVe5yZ_hV2xNHE_jVbZ_w/s1600/beacon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi360xaLtncc7CyWmD4OgyvvLprff4fDhyKelna-HQD_2WLE9MfO-keK9GELtLBd6BSN2tQQzbIOBO4NJ1nMOfYd94Jvk3WR0PE_X5e6FJwPZbTz-Z0ij5KXdVe5yZ_hV2xNHE_jVbZ_w/s400/beacon.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: justify;"></div><a name='more'></a><br />
<div style="text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">This frames had an IE(information element) that </span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><a href="http://www.wireshark.org/" style="color: #5c7a99; text-decoration: none;">Wireshark</a></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"> called “Vendor Specific: WPS”.</span></div><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"></span><br />
<div style="margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">But what the heck is <a href="http://www.wi-fi.org/wifi-protected-setup/" style="color: #5c7a99; text-decoration: none;">WPS</a>?</span></div><div style="margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">Let’s see the Wi-Fi Alliance definition:</span></div><blockquote style="text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><span class="Apple-style-span" style="font-style: italic;">Wi-Fi Protected Setup™ is an optional certification program from the Wi-Fi Alliance that is designed to ease the task of setting up and configuring security on wireless local area networks. Introduced by the Wi-Fi Alliance in early 2007, the program provides an industry-wide set of network setup solutions for homes and small office (SOHO) environments.</span></span></blockquote><div style="text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">Later on the sniffing session, I saw that this IE was also present on probe response frames and had more information that the one on the beacon frame. This information was really interesting. As an example check out the image below:</span></div><div style="text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><br />
</span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijhOFFB0F81UqB73lQoNcTn31x5djrJ5G1HSttAdncywsZ51Nx-cYjt7YB8LhMjUC7Kgw6_IhwpJVXpgqFQPvpHmKNz11i6XXS4Xod0gJdL4IzoFn-nQ-IheSpFTxgm_G0U4ZY7ixlKg/s1600/probeResponse.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijhOFFB0F81UqB73lQoNcTn31x5djrJ5G1HSttAdncywsZ51Nx-cYjt7YB8LhMjUC7Kgw6_IhwpJVXpgqFQPvpHmKNz11i6XXS4Xod0gJdL4IzoFn-nQ-IheSpFTxgm_G0U4ZY7ixlKg/s400/probeResponse.png" width="400" /></a></div><div style="text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><br />
</span></div><div style="text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">As you can see on the image there’s a lot of useful information on the WPS IE, including the WAP serial number.</span></div><div style="text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><br />
</span></div><div style="text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">So this ‘new’ standard is expanding and as far as I know if your WAP supports it, it will be activated by default. So fingerprinting this WAPs is pretty simple.</span></div><br />
<div style="text-align: justify;"><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">As you could guess, this way of fingerprinting has a passive way(waiting for probe response frames) or an active way(sending probe request frames).</span></div><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><div style="text-align: justify;">I created a simple script that automatically does this work for you. The script requires PyLorcon2, Pcapy and Impacket libraries. The output of the tool is something like this</div></span><br />
<span class="Apple-style-span" style="font-family: monospace; white-space: pre;">WPS Information Gathering</span><br />
<pre>Press Ctrl+C to stop.
Sniffing...
---------------------------------------------------------------
[00:23:69:4X:XX:X5] - 'XXXX' - 'Cisco-Linksys, LLC'
WPS Information
* Device Name: 'Wireless-G Router'
* Wi-Fi Protected Setup State: 'Configured'
* UUID-E: '13814XXXXXXXXXXXXXXXXXXXXXXXXXFB'
* Response Type: 'AP'
* Primary Device Type: 'Network Infrastructure - AP'
* Model Number: 'WRT54G2'
* Serial Number: 'CSV01J2XXXX4'
* Version: '1.0'
* Model Name: 'Router'
* Config Methods: 'Display, PushButton'
* Manufacturer: 'Linksys'
---------------------------------------------------------------</pre><pre></pre><pre></pre><pre><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; white-space: normal;">The tool is available <a href="http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=WPSIG" style="color: #5c7a99; text-decoration: none;">here</a>.</span></pre>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-4184539521095951286.post-68451624707296363722011-03-20T20:42:00.000-07:002011-03-20T21:16:21.273-07:00Simple Access Point Monitor<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">This is another example of what you can do with some lines of </span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><a href="http://www.python.org/" style="color: #5c7a99; text-decoration: none;">Python</a></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"> and some useful libraries like </span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><a href="http://oss.coresecurity.com/projects/pcapy.html" style="color: #5c7a99; text-decoration: none;">Pcapy</a></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">, </span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><a href="http://code.google.com/p/pylorcon2/" style="color: #5c7a99; text-decoration: none;">PyLorcon2</a></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"> and </span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><a href="http://code.google.com/p/impacket/" style="color: #5c7a99; text-decoration: none;">Impacket</a></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">.</span><br />
<div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">This simple scripts monitors the management frames of a particular Access Point, showing on the console the stations who are interacting with the Access Point.</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">Below we can see an screenshot of the script.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAb5RD56h1A7TR6HfSCWBRgcKFeJc_41Zrper9d7MQLG1s2Gjke2IsqL4JCZebdoYzTqRQN1NsUuw4I9CvJYl4IDLkXURFyIF1Jd1LOWRYlW6jXAtQdbamzIpzpvji7g97v1MJeX4oBw/s1600/screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAb5RD56h1A7TR6HfSCWBRgcKFeJc_41Zrper9d7MQLG1s2Gjke2IsqL4JCZebdoYzTqRQN1NsUuw4I9CvJYl4IDLkXURFyIF1Jd1LOWRYlW6jXAtQdbamzIpzpvji7g97v1MJeX4oBw/s400/screenshot.png" width="400" /></a></div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><br />
</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">The download link to the complete code is below:<br />
<br />
<a href="http://sites.google.com/site/wifimafiablog/AccessPointMonitor.zip">AccessPointMonitor.zip</a></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4184539521095951286.post-65871625282855510422011-03-20T20:29:00.000-07:002011-03-20T21:15:29.709-07:00Injecting 802.11 frames with PyLorcon2 and Impacket<span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">Playing with 802.11 frames is usually a thing I do, so I need a simple and direct way to do this. And to test or make prototypes there is nothing like a scripting language. In my case this scripting language is </span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;"><a href="http://www.python.org/" style="color: #5c7a99; text-decoration: none;" target="_blank">Python</a></span><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px;">.</span><br />
<div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">The solution to my problem where a couple of libraries. <a href="http://code.google.com/p/pylorcon2/" style="color: #5c7a99; text-decoration: none;" target="_blank">PyLorcon2</a> to inject and <a href="http://code.google.com/p/impacket/" style="color: #5c7a99; text-decoration: none;" target="_blank">Impacket</a> to craft the packets.</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">Using this two libraries with <a href="http://www.python.org/" style="color: #5c7a99; text-decoration: none;" target="_blank">Python</a> is a really easy and clean way of doing what I need.</div><div style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">As an example the code below show us how to inject Probe Request Frames.<br />
<br />
<a name='more'></a></div><span class="Apple-style-span" style="font-family: monospace; white-space: pre;">#!/usr/bin/env python</span><br />
<pre>import sys
import random
import PyLorcon2
from impacket import dot11
from impacket.dot11 import Dot11
from impacket.dot11 import Dot11Types
from impacket.dot11 import Dot11ManagementFrame
from impacket.dot11 import Dot11ManagementProbeRequest
def getProbeRequest(src, ssid):
"Return 802.11 Probe Request Frame."
# Frame Control
frameCtrl = Dot11(FCS_at_end = False)
frameCtrl.set_version(0)
frameCtrl.set_type_n_subtype(
Dot11Types.DOT11_TYPE_MANAGEMENT_SUBTYPE_PROBE_REQUEST)
# Frame Control Flags
frameCtrl.set_fromDS(0)
frameCtrl.set_toDS(0)
frameCtrl.set_moreFrag(0)
frameCtrl.set_retry(0)
frameCtrl.set_powerManagement(0)
frameCtrl.set_moreData(0)
frameCtrl.set_protectedFrame(0)
frameCtrl.set_order(0)
# Management Frame
sequence = random.randint(0, 4096)
broadcast = [0xff, 0xff, 0xff, 0xff, 0xff, 0xff]
mngtFrame = Dot11ManagementFrame()
mngtFrame.set_duration(0)
mngtFrame.set_destination_address(broadcast)
mngtFrame.set_source_address(src)
mngtFrame.set_bssid(broadcast)
mngtFrame.set_fragment_number(0)
mngtFrame.set_sequence_number(sequence)
# Probe Request Frame
probeRequestFrame = Dot11ManagementProbeRequest()
probeRequestFrame.set_ssid(ssid)
rates = [0x82, 0x84, 0x8b, 0x96, 0x0c, 0x18, 0x30, 0x48]
probeRequestFrame.set_supported_rates(rates)
idType = dot11.DOT11_MANAGEMENT_ELEMENTS.EXT_SUPPORTED_RATES
value = "\x12\x24\x60\x6c"
probeRequestFrame._set_element(idType, value)
mngtFrame.contains(probeRequestFrame)
frameCtrl.contains(mngtFrame)
return frameCtrl.get_packet()
if __name__ == "__main__":
if len(sys.argv) != 3:
print "Usage"
print " %s " % sys.argv[0]
sys.exit()
iface = sys.argv[1]
essid = sys.argv[2]
context = PyLorcon2.Context(iface)
context.open_injmon()
moniface = context.get_capiface()
src = [0x00, 0x00, 0x00, 0x11, 0x22, 0x33]
probeRequest = getProbeRequest(src, essid)
if essid == "":
essid = "broadcast"
print "Using interface %s" % iface
print "Injecting Probe Requests for '%s'." % essid
context.send_bytes(probeRequest)</pre><pre></pre><pre><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; white-space: normal;">The download link to the complete code is below:</span></pre><pre><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; white-space: normal;">
</span></pre><pre><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif;"><span class="Apple-style-span" style="font-size: 12px; line-height: 20px; white-space: normal;"><a href="http://sites.google.com/site/wifimafiablog/probeRequestTest.zip">probeRequestTest.zip</a></span></span></pre><pre><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; white-space: normal;">
</span></pre><pre><span class="Apple-style-span" style="color: #555555; font-family: Verdana, Geneva, sans-serif; font-size: 12px; line-height: 20px; white-space: normal;">
</span></pre>Unknownnoreply@blogger.com2