SILICA User's Manual Feb 2011
Contents
1. [Illustration 1: configuration dialog screenshot]

ARP Proxy Protection: If ticked, this option will only scan hosts with a unique IP <-> MAC address pair. If more than one host with the same MAC address is found, then only the last IP encountered will be scanned and added to the list. This is useful when associating with hotel, airport or other networks which do ARP proxying.

Man in the middle run time: Specifies the run time in minutes.

Client Side attacks: If man in the middle is selected as an attack, this will try to exploit the associated clients instead of capturing their traffic.

Download and Execute URL: Downloads and executes an executable as a post action after it exploits a client. This currently works only with win32 hosts.

MAC Filtering evasion: If ticked, SILICA will attempt to bypass MAC filtering set by the access point. A MAC filter is defined as a list of certain MAC addresses that are allowed to be associated to the network.
- Automatic: An attempt to automatically bypass MAC filtering will be made.
- Specify MAC: Allows the user to provide a custom MAC address different from the one supplied with the device.

Reports Configuration Tab

This section provides a way to configure how the reports are stored and what kind of post action result the user wants to see in the report.

Prefix Reports: The final report names will be prefixed with the string provided in the textbox area. Also the title of the final HTML will ha
2. [Illustration 6: Main wireless window]

General Overview

This is the main window for all operations. It shows information about hosts such as MAC, signal levels, encryption type, vendors, etc. It further allows you to see what wireless clients are associated
3. are associated to them without interrupting the flow of network collection. This is useful if there are many hosts being displayed on the list.

Passive session hijacking

[Illustration 7: Passive session hijacking]

Actively listens for cookies over the air and creates a list that allows the user to directly enter a web session. This may work with popular networks such as Facebook, Twitter, Gmail, etc. Cookies are captured over the air passively. This is less intrusive than man
4. to a host. As shown in Illustration 6, clicking the triangle by a network expands a list of the clients associated to it. By checking the vendor and the type, a lot can be determined. For example, if a client has "Client AP", this means the client is also a bridge but acts as an access point as well.

If the main window remains running, hosts will appear colored. In their default state they are all black. That means all hosts are active. If a host is blue, green or gray, that indicates that the last sign of life seen from such a network was, accordingly, minutes to days ago, blue being the most recent and gray meaning it is probably a dead host/client. It must be further noted that the last seen column indicates the last time activity was seen from a specific host.

Actions

When you right-click on a host, a dynamic menu will be built. Depending on the capabilities of the host, different actions will be available. For example, a host that we have discovered the key for will have more actions available than a hidden network that we don't know the SSID for. The more progress is made in finding details about a host, the more actions are available.

Buttons

Resume/Pause: Allows the user to pause/resume the network collection in order to execute other tasks or relocate positions.

Clear hosts: Clicking this will clear out the display of the found hosts and pause the scan.

Expand/Collapse: Allows the user to expand all the hosts and see what clients
5. A are Attack reports. Reports that start with SILICA are wireless reports and will have a list of the networks found and any encryption keys recovered during scanning. These reports can be copied using standard Linux copy commands; you will want to make sure you also copy the header.gif and immunity.css files, which are referenced by the reports.

Feedback and Support

Immunity's SILICA developers are committed to your satisfaction. Please do not hesitate to contact the SILICA team:

silica@immunityinc.com
p: 212-534-0857
f: 917-591-1850
1130 Washington Ave, 8th Floor, Miami Beach, FL 33139
6. Immunity SILICA User's Manual

Introduction

Immunity SILICA is a unique penetration testing and assessment solution for wireless networks. SILICA offers many features that open source utilities or other commercial wireless assessment tools do not:

- Automation: SILICA has a one-button interface for many of the actions you will want to do during your assessment, including WEP cracking.
- Reporting: SILICA will produce HTML reports of its scanning for later perusal.
- Attack: SILICA has ready-to-use exploit modules from Immunity's CANVAS platform integrated into the attack and recon process. This means not only do you know there is a crackable network available, but you have screenshots or password hashes from the vulnerable machines on that network, all at the push of a button.

Startup

SILICA does not require any setup or install. Simply plug the USB drive into your computer, make sure the BIOS is configured as bootable, and let it load. Once the license has been accepted, SILICA will start and offer you the SILICA GUI. Make sure the card is inserted into the Express Card, PCMCIA or USB slot and the antennas are plugged in. If you notice low signal levels, you may try plugging the antenna into the other slot.

Configuration

Prior to initiating a scan, a user can use SILICA's configuration dialog to fin
7. LICA features and may introduce functionality fixes. Updates are announced on the SILICA email list. If you are not subscribed to the list, contact Immunity. In order to perform an update, an Internet connection must be available. To update, please follow these steps in order:

1. Load SILICA.
2. Connect an ethernet cable with an internet connection.
3. Load up wicd (top right) and make sure the ethernet connection is active with internet.
4. Click on the update button.
5. Exit and restart SILICA.

The most common mistake when updating is to enable your network connection before you have started SILICA.

[Illustration 10: SILICA update]

Stopping a Scan

By clicking the stop button, the scan will terminate at the next available stopping point, saving a report. This process may take a while to complete, as SILICA has to wait for all the running threads to stop cleanly. Once the scan completes, the status bar will change, indicating that the scan was stopped.

Viewing SILICA Reports

To view the results of a scan, open the Reports folder by clicking the Reports icon on your desktop. Once clicked, a listing of reports in that directory will be loaded. Double-click any of these to view them. Reports starting with VA are probe reports, whereas reports starting with M
8. e tune scan options. Click the preferences button to invoke the configuration dialog. Once this is done, a popup window displaying the available options will appear on the screen.

Scan

This configuration tab allows users to select a method that SILICA will use to perform a scan.

Attack Mode: Attempts to break into remote machines in a network.

MITM Mode: Actively infects hosts in the network via ARP poisoning and intercepts any traffic between the router and the active hosts.

Passive Session Hijacking: Allows the user to capture cookies passively without associating to a network, and replay them and hijack into web sessions.

Network Probe: Performs information gathering of the remote network, such as identifying the operating system, extracting underlying details from the hosts, finding open shares, etc.

Discover key: Will attempt to recover the wireless key of the remote network. The encryption methods currently supported are WPA1/2, LEAP and WEP 64/128.

Network Configuration Tab

Configuring various network options allows the user to fine-tune the way the selected scan works.

[Screenshot: Network tab of the configuration dialog. Tabs: Reports, Network, IP Sense, Node Lookup, Sniffer, Wireless Cracking, Key Recovery.]
9. in the middle, because there is no poisoning involved or interaction with the clients.

Key Recovery

[Illustration 8: Key recovery]

This configuration menu is split into two main categories. One is geared towards creating word lists that will assist in recovering an encryption key, and the other one is used to run a recovery attempt.

Key Recovery: As illustrated above, it takes a pickle file, which is a previously captured handshake, and a word list, which is used to brute force the key. Once those are loaded, it populates the SSID, AP and CLIENT fields. This detects automatically if the handshake is LEAP or WPA and recovers the key.

[Illustration 9: Word list generator]

Word list generator: This allows the user to create a phone number list of passwords, if it's in an area code of interest, or a numbered list. The output stores the results in the specified file to be used later by the offline cracker.

Updating

Updating SILICA adds new exploits to the unit, updates SI
10. local IP through those.

[Illustration 3: Ipsense configuration]

Wireless Cracking

Different options that can be used to adjust the way a WEP key is recovered.

Two byte error correction: This option will check the key for two adjacent key-byte errors and correct them.

Rank table deduction correction: Corrects up to one key byte in the result of the probability algorithm.

ARP Packets to capture: This numerical value indicates the threshold of packets to use for the probability cracking algorithm.

Perform deauthentication: If selected, SILICA will automatically try to disconnect clients when trying to recover a key. It is highly recommended that this option remains enabled.

[Illustration 4: Wireless cracking configuration]

WPA Cracking

Cracking WPA 1 and 2 networks with SILICA is a similar process to WEP cracking in the sense that it is fully automated. However, WPA networks have much stronger encryption, and so SILICA is limited to brute forcing a password.

LEAP Cracking

Recovering LEAP credentials is an automated process and is currently supported by SILICA.
11. It will automatically detect active clients on the network and disconnect them to capture a handshake. Once this is done, the user id and password will be saved in the report file. The code automatically senses if the network is Open WEP or LEAP WEP authentication. Optionally, it can be set manually before the scan is initiated.

WEP Cracking

Similar to the above, WEP cracking is fully automated using the discover key option. That will attempt to get a 64 or 128 bit key from the remote host if it finds an associated client.

Node Lookup

This configuration tab provides access to allow GPS selection.

[Illustration 5: Node lookup configuration]

GPS

In this section of the configuration you may also modify the GPS integration. This requires a USB-configured device (NMEA receiver) to be attached to the machine that SILICA is running on. SILICA will automatically see if one exists, will capture the coordinates (longitude, latitude) and will add them to the reports.

Wireless Window

[Screenshot of the wireless window. Tabs: Node Listing, Session, Network Listing, Cookie Viewer. Columns: BSSID, Quality, Signal, Channel, Encryption, Cipher, Type, Auth, ESSID, Recovered Key, Last Seen, Vendor.]
12. ve that identification string.

Screenshot / Password hashes: If the attack scan type is selected, these options will become available in the reports tab. Selecting either of the two will allow presentation of different evidence. The user can select between a screengrab or a listing of the password hashes.

Dump WIFI keys: Allows users to capture wireless keys from the Wireless Zero Configuration service.

Get browser info: Gets information from the browser if it can.

Get outlook address book: Gets information from the Outlook address book.

[Illustration 2: Report configuration]

IP Sense Configuration Tab

These options provide different methods that SILICA will use to get an IP address from, or assign one to, the remote end.

DHCP Client: Allows a client to get an IP using a DHCP client method.

DHCP Server: Allows SILICA to act as a server and lease IPs to potential clients. This is useful for ad hoc networks with automatic configuration.

ARP Force: Allows SILICA to use an ARP brute forcing method in the known local subnet ranges, hoping to get back a reply from a host.

Network sense: This is a useful option that provides a stealthy way to passively listen for packets and try to sense the