Penetration testing firm Immunity has started shipping Silica, a wireless handheld pen-testing device capable of finding — and exploiting — security vulnerabilities.
The palm-sized PDA tucked away in Justine Aitel’s pocketbook just might be the most scary device on display at this year’s RSA security conference. [See Ryan Naraine’s report.] Aitel is roaming the hallways here with Silica, a portable hacking device that can search for and join 802.11 (Wi-Fi) access points, scan other connections for open ports, and automatically launch code execution exploits from a built-in exploit platform.
Silica is the brainchild of Aitel’s Immunity Inc., a 10-employee penetration testing outfit operating out of Miami Beach, Florida. It runs a customized version of CANVAS, the company’s flagship point-and-click attack tool that features hundreds of exploits, an automated exploitation system, and an exploit development framework.
Silica now runs on the Nokia 770 but Immunity plans to expand the range of supported devices.
Silica runs a customized installation of Debian/Linux running kernel 2.6.16 with preemptive scheduling.
Currently Silica supports 802.11 (Wi-Fi). The product roadmap calls for support for Bluetooth wireless connections and Ethernet via USB.
Once a network connection is established with a wireless access point, the user can use the touch-screen interface to launch Silica.
Silica scans for available Wi-Fi networks, then connects and starts scanning for vulnerable targets.
Available networks can be scanned in two modes — Attack mode or the “prompt before scan” mode. Both can be enabled at the same time.
The user can manually confirm the use of “attack node,” which fires exploits at vulnerable targets on the wireless network.
The application comes with a three-button user interface: Scan, Stop and Update.
A progress bar should display what is happening on the device. Optionally, the user may check the two bottom status boxes to find out more details about the scan. \r\n
\r\n\r\nSee also: Ryan Naraine’s report from RSA 2007, Wi-Fi hacking, with a handheld PDA.
