
billyblaxsta

Active Members
  • Posts: 71
  • Joined
  • Last visited
  • Days Won: 1

Posts posted by billyblaxsta

  1. AIUI, in theory two duplicate MAC addresses on the same network will cause problems.

    Imagine, for example, that for a pay wireless service, a user spoofs his MAC address to appear the same as that of a paying user to get free service (with the client MAC information obtained from airodump-ng).

    What might happen in reality (rather than in theory) considering there are now two IPs that share one MAC?

    Thanks.

  2. Here is an interesting article from 2005: http://www.wired.com/politics/security/news/2005/07/68370

    "It can also let someone read the e-mail of guests who use web mail through the TV, putting business travelers at risk of corporate espionage. And it can allow an intruder to add or delete charges on a hotel guest's bill or watch pornographic films and other premium content on their hotel TV without paying for it."

    Does anyone still read e-mail through the TV (in hotels)? Does this facility even exist?

  3. Hi,

    I have a couple of questions about Firesheep.

    AIUI, it works when - although the logon is HTTPS - the cookie sent by the server immediately after the logon is finished is sent through HTTP. Therefore, Firesheep is defeated by constant HTTPS (as can happen in Gmail and Facebook for example).

    What I do not understand having read (http://codebutler.com/firesheep) is whether the Firesheep user is operating as a MITM in order to obtain the session cookie. In the episode (http://hak5.org/episodes/episode-906) it looks as if Shannon is using Cain to ARPspoof Darren before using Firesheep. However, there is no mention of ARPspoofing on the coder's site and instead he says "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."

    Is this really the situation? Why would a cookie be sent to anyone on the wireless network rather than to the actual client who has just logged in? And, therefore, how exactly does Firesheep obtain the session cookie?

    Thanks.
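A small model of the precondition the post above asks about, added here as an example (it is not code from the thread or from Firesheep): the browser attaches a session cookie to any plain-HTTP request to the site unless the cookie was set with the Secure attribute, and on an open wireless network that plain-HTTP request is readable by any passive monitor-mode capture. The site name, cookie names and requests are constructed.

```python
"""Why sidejacking works: the HTTPS login is never seen by the sniffer, but the
first plain-HTTP request the browser makes afterwards carries the session cookie
unless that cookie was marked Secure. Added example; host and values constructed."""

def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def cookies_for_request(jar, scheme):
    """Cookies a browser attaches to a request over `scheme`.
    RFC 6265 rule: a cookie with the Secure attribute is only sent over https.
    HttpOnly does not matter here: it hides the cookie from script, not from the wire."""
    return {c["name"]: c["value"] for c in jar
            if scheme == "https" or "secure" not in c["attrs"]}

def build_request(host, path, scheme, jar):
    """The GET the browser emits. Over http this is exactly what a sniffer sees."""
    cookies = cookies_for_request(jar, scheme)
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    if cookies:
        lines.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in cookies.items()))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def sniff_cookies(raw_request):
    """What a passive observer on the open network recovers from one captured
    plain-HTTP request: the Host header and every Cookie name=value pair."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    host, cookies = None, {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value
        elif name == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
    return host, cookies

def hijack_request(host, path, stolen):
    """The attacker replays the stolen cookie in a request of their own; no password
    is needed, which is the whole point of sidejacking."""
    jar = [{"name": k, "value": v, "attrs": {}} for k, v in stolen.items()]
    return build_request(host, path, "http", jar)

# Constructed scenario: the login response (seen only over HTTPS) set one of these.
WEAK_SET_COOKIE   = "sessionid=8f3a9c1d; Path=/; HttpOnly"          # no Secure flag
SECURE_SET_COOKIE = "sessionid=8f3a9c1d; Path=/; HttpOnly; Secure"  # Secure flag set

def demo(set_cookie_header):
    """After login the browser fetches an http:// resource on the same site (a stray
    link, a mixed-content image, a URL typed without https). Return what was sniffed."""
    jar = [parse_set_cookie(set_cookie_header)]
    captured = build_request("webmail.example", "/inbox", "http", jar)
    _, stolen = sniff_cookies(captured)
    return stolen

if __name__ == "__main__":
    print("weak cookie, sniffed:  ", demo(WEAK_SET_COOKIE))    # {'sessionid': '8f3a9c1d'}
    print("Secure cookie, sniffed:", demo(SECURE_SET_COOKIE))  # {}
```

The model shows why "constant HTTPS" on its own is not quite the fix: a site that serves every page over HTTPS but sets its session cookie without the Secure attribute still leaks that cookie the moment the browser makes any http:// request to the same host, and no MITM is needed to see it on an open network. The Secure attribute is what stops the browser from ever putting the cookie on the wire in the clear.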

  4. a) No, it shows the IP-MAC ARP cache for the machine it was run on. It likely reflects a list of actively spoofed hosts as well as other hosts (gateway, etc.) that it is not spoofing.

    b) <incomplete> means it cannot perform a proper ARP transaction, meaning the host may not be up any longer or it is showing an entry that has not yet completed and is in timeout countdown.

    c) It may be filtered by the AP itself. This would be more common in WIPS, isolated networks, or a separate WLAN network. It may also be that some machines have MAC addresses assigned manually and get granted other access because of that (very unlikely though, IMHO).

    OK. Thanks. So for point A) you are saying the ARP cache is both spoofed and non-spoofed machines? Because obviously the gateway is not being spoofed but is included in the table.

    I am not quite sure what you mean in point C. I don't think there is any filtering going on. It's just that some machines in that list are wireless clients while others have very similar MAC addresses to the MAC of the AP to which I was connected. Maybe they are other APs? Would that be a viable interpretation?

  5. Doesn't sound too "Hypothetical"

    It was done on my friend's office network with his permission. So it's not hypothetical in one sense but it's hypothetical inasmuch as it's not an actual attack.

    I would still like to know the answers.

  6. Is there a rough number of computers one can arpspoof by broadcasting your MAC as the router before the whole network collapses?

    I realise this depends on the attacker's computer so let's just say an average laptop - nothing special.

    Any personal experiences of arpspoofing multiple computers would be appreciated.

  7. Hello,

    Let's assume that someone was arpspoofing a network and ran (using Ubuntu) arp -a. The network is a large open wireless and many clients have joined it. An edited version of the results is:

    ? (192.168.5.206) at 76:ca:34:bb:13:52 [ether] on wlan0

    ? (192.168.2.122) at 22:7d:8f:26:c6:9f [ether] on wlan0

    ? (192.168.3.239) at <incomplete> on wlan0

    ? (192.168.2.242) at 00:1f:24:51:d6:c4 [ether] on wlan0

    nameofcompany.com (192.168.4.1) at 00:12:11:44:13:f1 [ether] on wlan0 #this is the gateway

    ? (192.168.4.29) at 00:14:0d:22:18:ec [ether] on wlan0

    ? (192.168.4.25) at 00:14:0d:22:18:01 [ether] on wlan0

    ? (192.168.4.39) at 00:14:0d:22:18:c7 [ether] on wlan0

    Three questions.

    a) I assume these are the IPs and MAC addresses of the people going through the arpspoofer (as he is the MITM)? Correct?

    b) What does <incomplete> signify - why is there no MAC?

    c) You will notice that 192.168.4.29, 192.168.4.25, and 192.168.4.39 have very similar MAC addresses and all begin 192.168.4.x. The AP the hypothetical arpspoofer was connected to was 00:14:0d:22:18:05. Obviously these three IPs are on the same subnet as the gateway device (192.168.4.1). I assume these are clients that are quite possibly permanently connected. Could they be wired machines?

    Thanks.

  8. Try this!!!!!

    <?php

    $myFile = "hello.txt";

    {
        // both fields come straight from the POST form
        $xxx = $_POST['variable1'];
        $yyy = $_POST['variable2'];

        $stuff = $xxx . "--" . $yyy;

        // 'w' truncates the file on every request, so only the latest pair survives
        $filed = fopen($myFile, 'w') or die("can't open file");
        fwrite($filed, $stuff);
        fclose($filed);
    }
    ?>


    Thanks - that worked great. I just had to add a '{' before the $xxx

    I'm just wondering how to add to the hello.txt file each time a new xxx and yyy variable is entered in the text boxes. At the moment hello.txt overwrites the previous entry with the newer ones.

  9. This is something I have been confused about for some time.

    Take a major company. Its employees have john_smith@company.com (for example).

    But what I don't really understand is where the employees login to access their e-mails. How would a person who doesn't work for the company find out?

    I know you can try exchange, mail, webmail (etc) .company.com but if they do not work then what? Of course, the company may use a third party service.

    I am just wondering how you would find out where people login to for example the BBC, or NBC, or CNN, or any major company?

  10. There are lots of public hotspots which charge a fee. One UK example is BT Openzone (http://www.btopenzone.com/) They must cover most of the country.

    What I would be interested to know is how can these hotspots prevent ARPspoofing? They must surely be an attractive target especially at places like airports and train stations.

    Or do the owners of such commercial companies not care? Perhaps nothing can be done?

  11. My knowledge of PHP is basically nonexistent (yes I am embarrassed about this) which is why this script does not work.

    I want to take two variables (variable1 and variable2) submitted by a client and then have the file (hello.txt) saved on the host.

    But nothing saves. If I add some HTML redirect script then it will redirect to that page - but, as mentioned, nothing saves onto the host.

    <?php

    $xxx = ($_POST['variable1']);
    $yyy = ($_POST['variable2']);

    $stuff = $xxx . " -- " . $yyy;

    $filed = @fopen("hello.txt", "a+");
    @fwrite($filed, "$stuff");
    @fclose($filed);

    }
    ?>

    [some HTML redirect code here]

  12. I'd say so, usually internet cafes would have their own portal. But not sure if it would be a "Point Of Sale credit-card system" or one where you have to pay first and then they would supply you with a userID and password.

    I need to be more clear. I didn't mean an internet cafe, just a regular cafe or restaurant where you can pay with a credit or debit card via a terminal.

    I'm just wondering what else a WPA2 could be for if not the point of sale terminal.

  13. We know that the Jasager pretends to be the unencrypted SSID that the client is trying to connect to.

    But - what I am wondering - is why would the client connect to the Jasager when the client will no doubt receive a response from the genuine AP.

    In other words: what factors are important in ensuring that the client connects to the Jasager rather than its real AP? (I am assuming we have an unencrypted network).

    Would not the power of the Jasager be less than a (perhaps nearer) real AP for example?

  14. Quite often when I am in a cafe or restaurant and I look at the available wireless networks on my BlackBerry there will be something like: NAME_OF_CAFE which will be a WPA(2) Personal.

    Since I doubt this is for the cafe staff to have fun with am I correct to assume that it will be the Point Of Sale credit-card system?

    Thanks.

  15. Well, I imagine you could look in Wireshark to see who is flooding ARP packets on the network. This person would be impersonating the router and end devices that would normally answer the ARP reply. If you know the router's MAC but see messages saying "tell x.x.x.x who has x.x.x.x" constantly, and the MAC saying this is always the same but not the router or any known workstation, that is your culprit.

    When a normal ARP goes out, a workstation tries to reach a specific IP. If it doesn't know the MAC address, it sends a broadcast ARP, which hits every station on the LAN, forwarded by the router to all end devices. The end device will reply with its IP and MAC and the router will send this back to the requester. If however only 1 device is answering for everyone, then that device is more than likely the ARP spoofer; since each device will answer for itself, someone else answering for everyone is the spoofer.

    You can run "arp -a" in Windows to see what is in your own table. If the gateway listed has a different MAC address than what the router is supposed to have, that is the spoofing attacker's MAC address. For this reason alone, I add static ARP entries on my desktop machine, so nothing can spoof it. You can do the same thing on all workstations, *nix or Windows based. For Windows Vista and later, you have to use the NETSH command. In XP, 2000 and 2003, you use the arp -s command.

    Thanks for the information. So let's say that the sysadmin says: "I see that 192.168.1.100 at MAC address 00:21:34:8C:7A:DD is pretending to be the router. I know he is somewhere in the building but I can see 50 people using their laptops."

    How could the sysadmin find the person?
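The two indicators described in the reply above (the gateway IP resolving to a MAC other than the router's real one, and one MAC "answering for everyone") and the `arp -a` listing from post 7, including its `<incomplete>` entry, can be checked mechanically. The script below is an added example, not from the thread; it parses Linux-style `arp -a` output and flags both indicators. The tables, the router MAC and the poisoner's MAC are constructed, modelled on the listing in post 7 and the hypothetical attacker MAC in the question above.

```python
"""Checks for ARP-cache poisoning over `arp -a` output. Added example, not from
the thread; sample tables are constructed and modelled on the thread's listing."""
import re
from collections import defaultdict

# Linux `arp -a` line: "host (ip) at mac [ether] on iface". The mac field reads
# "<incomplete>" when no ARP reply has arrived for that IP (host gone, or still waiting).
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>\S+)(?: \[ether\])? on (?P<iface>\S+)$"
)

def parse_arp_a(text):
    """Return one dict per entry; 'mac' is None for <incomplete> entries."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing "#comment" annotations
        m = ARP_LINE.match(line)
        if not m:
            continue                              # unknown format: skip, do not guess
        mac = m.group("mac").lower()
        entries.append({"host": m.group("host"), "ip": m.group("ip"),
                        "mac": None if mac == "<incomplete>" else mac,
                        "iface": m.group("iface")})
    return entries

def find_spoofing(entries, gateway_ip, known_gateway_mac=None):
    """Flag both poisoning indicators. known_gateway_mac is the router's real MAC,
    recorded out of band (router label, or a baseline taken on a clean network)."""
    by_mac = defaultdict(list)
    incomplete, gateway_mac = [], None
    for e in entries:
        if e["mac"] is None:
            incomplete.append(e["ip"])
            continue
        by_mac[e["mac"]].append(e["ip"])
        if e["ip"] == gateway_ip:
            gateway_mac = e["mac"]
    # one MAC bound to several IPs: somebody is answering for hosts that are not theirs
    duplicates = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    # gateway IP now maps to a MAC that is not the router's
    mismatch = (known_gateway_mac is not None and gateway_mac is not None
                and gateway_mac != known_gateway_mac.lower())
    suspects = set(duplicates)
    if mismatch:
        suspects.add(gateway_mac)
    return {"gateway_mac": gateway_mac, "gateway_mismatch": mismatch,
            "duplicate_macs": duplicates, "incomplete": incomplete,
            "suspect_macs": sorted(suspects)}

def group_by_oui(entries):
    """Group MACs by their first three octets (the vendor OUI). Near-identical MACs
    such as 00:14:0d:22:18:xx share an OUI, which says 'same vendor', not 'same
    device' or 'wired'; it is a hint for the question in post 7, not proof."""
    groups = defaultdict(list)
    for e in entries:
        if e["mac"]:
            groups[e["mac"][:8]].append(e["mac"])
    return dict(groups)

# Constructed: a clean table, modelled on the listing in post 7.
CLEAN_TABLE = """\
? (192.168.5.206) at 76:ca:34:bb:13:52 [ether] on wlan0
? (192.168.3.239) at <incomplete> on wlan0
nameofcompany.com (192.168.4.1) at 00:12:11:44:13:f1 [ether] on wlan0  # gateway
? (192.168.4.29) at 00:14:0d:22:18:ec [ether] on wlan0
? (192.168.4.25) at 00:14:0d:22:18:01 [ether] on wlan0
"""
# Constructed: the same network as seen by a victim after a poisoner claims the
# gateway and three client addresses with its own MAC.
POISONED_TABLE = """\
? (192.168.5.206) at 76:ca:34:bb:13:52 [ether] on wlan0
nameofcompany.com (192.168.4.1) at 00:21:34:8c:7a:dd [ether] on wlan0
? (192.168.4.29) at 00:21:34:8c:7a:dd [ether] on wlan0
? (192.168.4.25) at 00:21:34:8c:7a:dd [ether] on wlan0
? (192.168.4.100) at 00:21:34:8c:7a:dd [ether] on wlan0
"""
ROUTER_MAC = "00:12:11:44:13:f1"   # known-good value recorded before the incident

if __name__ == "__main__":
    for name, table in (("clean", CLEAN_TABLE), ("poisoned", POISONED_TABLE)):
        print(name, find_spoofing(parse_arp_a(table), "192.168.4.1", ROUTER_MAC))
```

Run it against a table taken on a victim or admin host, not on the poisoner's own machine: as the reply in post 4 says, the attacker's cache still holds the genuine MACs, so it shows nothing unusual. A baseline matters for the duplicate check too, because a router that legitimately owns several addresses on one interface will trip it; the thread's static-entry advice (`arp -s` on XP/2000/2003, `netsh` on Vista and later) is what stops a poisoned mapping from taking effect on the host once a suspect MAC is identified.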

  16. Anyone who has ever used Kismet will know that there are a lot of "cloaked" or <ssid 0> networks out there. Some are open, some have WEP, and some WPA.

    Using a tool like Kismon (http://www.salecker.org/software/kismon/en) one can put the MACs in order so it becomes obvious that <ssid 0> is actually affiliated with nameofcompany_guest since the MACs are so similar.

    Is it possible to find out what the name of the <ssid 0> is since (I assume) it is impossible to even think about connecting without the name?

    Thanks.

  17. It's possible, but not easily unless the numnuts doing the deauths was sitting in the vicinity. If it were someone outside the building and not sitting right near the victims, you would need some tools to triangulate the source, such as spectrum analyzers and a way to map the MAC address, like Kismet and a GPS - http://wirelessdefence.org/Contents/Kismet%20Wireless%20Mapping.htm

    http://searchsecurity.techtarget.com/feature/Hunting-for-rogue-wireless-devices

    Thanks for the links - the SearchSecurity one looks most interesting. However, it seems to be referring to "rogue APs". If you were using Jasager or similar then indeed you would be a rogue AP.

    But what if you were a client just sending out arpspoofing packets and not trying to be an AP?

  18. Imagine that Alex is sitting in a cafe or library or train and is ARPspoofing or transmitting any kind of "negative" packets (such as deauthentication packets).

    If the network administrator noticed that the MAC of the router has changed or that clients were being deauthenticated from the AP then could he successfully trace the source of the packets? And, if so, how?

    Thanks - I have been curious about this for a while!

  19. Hello,

    It is clear there are a number of limitations to Jasager (such as clients that require encryption will never receive an IP from the Pineapple).

    Even with clients that are searching for "open" networks it seems that a number of factors need to work in order to have any success.

    I have a very simple question:

    Is the Jasager a Proof Of Concept or is it something that people reading this have actually had real-world success with? For example: clients connect to the Jasager (assuming they are connected to their desired network) and people enter their webmail login details?

    Thanks.

  20. Thanks guys - I understand a bit more now.

    I see the point about how distance is not relevant since - as long as you are on the LAN - you are broadcasting the message that you are the router to all clients.

    Let's take a "hypothetical".

    Alex is the ARPspoofer and is in a cafe where he can see Bob and Carly surfing the Net. He has already ARPspoofed and is using SSL Strip. He can see both logging in to various webmails and suchlike but for some reason he is only getting the SSL login details for Bob.

    He knows there is only one router IP in that building so it cannot be that Carly is on a different subnet.

    What could be happening? The only thing that I can think of is that this is not an ARPspoofing issue but a SSL Strip issue and for some reason SSL Strip does not properly work (perhaps because too much traffic is going through Alex's machine considering he is broadcasting the ARPspoof).

    Might there be other causes why Carly's logins are not recorded?
