Showing posts with label hamster. Show all posts

Saturday, October 27, 2007

Errata goes to the races...

Today I spent time in the pits of the NASCAR truck series. It was a fun day (there was a minor accident), but the most surprising thing was the wireless access.
There were open WiFi access points all over the pits. From DirecTV to access points used by reporters, it was ripe for credential theft, not to mention people still using unencrypted POP3. Below are some screenshots from my iPhone running Stumbler. These were collected just walking up and down the track. People who do security for a living know about these types of problems, but the general public doesn't, and it's worth remembering that.



We should have a hamster and ferret package for the iPhone available soon.

Sunday, August 05, 2007

SideJacking with Hamster

NOTE: you can download the program at http://www.erratasec.com/sidejacking.zip; make sure to read the instructions.

Others have done a better job blogging on my Hamster/SideJacking stuff than I could, so I'll just link to their sites: [DarkReading] [Brian Krebs] [tgdaily] [George Ou] (George has screenshots).

This isn't really "new" in theory. A man-in-the-middle on public WiFi can do this sort of thing, and stealing cookies via XSS (Cross-Site Scripting) gets the hacker the same result. What makes this interesting is that it's point-and-click easy with a sniffer on WiFi hotspots.

I played around with the "Wall of Sheep" yesterday at DefCon. I was owning more accounts using my tools than everyone else using Dsniff and Ettercap. I spent most of my time hunting for people using HotMail or Yahoo! Mail; I could have gotten a lot more accounts if I had focused just on Gmail instead (the ratio of DefCon attendees using Gmail vs. other online e-mail accounts is something like 20-to-one).

I gave out my tools to a bunch of people personally; I'll be officially posting the tools on Monday afternoon to our website. Also, you can do this manually by using a traditional packet sniffer and a tool like the Edit Cookies add-on for Firefox.

While copying/replaying cookies sounds easy, there are some additional tricks to it that I've found in practice. One trick is that URLs also contain unique identifiers. In order to sidejack a HotMail or Yahoo! Mail connection, you have to know which URL to use. The other is that when starting in the middle of a session, you see the "Cookie:" headers the browser sends to the server, but not the "Set-Cookie:" headers the server sent in the opposite direction. Sometimes things don't work because when I clone cookies sent with the path /aaa/bbb, I won't know that I should also send them with the path /aaa/ccc. I've found that when you gain access to a site but the access is flaky, browsing around the site will eventually get you the correct "Set-Cookie:" from the server, and then everything works correctly.
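The asymmetry described above is the whole story from a defender's side: a "Cookie:" request header carries only name=value pairs, while the Path, Secure and HttpOnly attributes that scope a cookie live only in the server's "Set-Cookie:" header. The following Python audit is an added example, not code from the post or from the Hamster/Ferret tools; it parses a constructed capture of a webmail session (hypothetical host, cookie names SID and lang, and paths are all made up) and reports which cookies were transmitted in the clear, which Set-Cookie responses lack the Secure or HttpOnly attributes, and which cookies were seen in a request before any Set-Cookie revealed their scope. The capture tool is assumed to record the scheme (http or https) alongside each message, since the HTTP text itself does not carry it.

```python
"""Audit a captured HTTP session for cookies exposed to passive sniffing.

Added example (not part of the original post). The capture below is
constructed by hand; the host, paths and cookie names are hypothetical.
"""
from dataclasses import dataclass

# Finding labels used in the report.
ISSUE_CLEAR = "sent in the clear over http"
ISSUE_SCOPE = "scope unknown (no Set-Cookie seen yet)"
ISSUE_SECURE = "missing Secure attribute"
ISSUE_HTTPONLY = "missing HttpOnly attribute"


@dataclass
class SetCookie:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value, or True for flags


def parse_set_cookie(header_value: str) -> SetCookie:
    """Parse one Set-Cookie header value, keeping its scoping attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return SetCookie(name.strip(), value.strip(), attrs)


def parse_cookie_header(header_value: str) -> dict:
    """Parse a Cookie request header: only name=value pairs survive here,
    so Path/Secure/HttpOnly cannot be recovered from this side."""
    cookies = {}
    for pair in header_value.split(";"):
        pair = pair.strip()
        if pair:
            key, _, val = pair.partition("=")
            cookies[key.strip()] = val.strip()
    return cookies


def parse_message(raw: str):
    """Split raw HTTP text into (start_line, [(lower_name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line:
            key, _, val = line.partition(":")
            headers.append((key.strip().lower(), val.strip()))
    return lines[0], headers


def audit_session(messages):
    """Walk (scheme, raw_http) pairs in capture order and return
    (findings, known) where findings is a list of (cookie, issue, start_line)
    and known maps cookie name -> the SetCookie that defined its scope."""
    findings = []
    known = {}
    for scheme, raw in messages:
        start, headers = parse_message(raw)
        is_request = not start.startswith("HTTP/")
        for name, val in headers:
            if is_request and name == "cookie":
                for cname in parse_cookie_header(val):
                    if scheme == "http":
                        findings.append((cname, ISSUE_CLEAR, start))
                    if cname not in known:
                        findings.append((cname, ISSUE_SCOPE, start))
            elif not is_request and name == "set-cookie":
                sc = parse_set_cookie(val)
                known[sc.name] = sc
                if "secure" not in sc.attrs:
                    findings.append((sc.name, ISSUE_SECURE, start))
                if "httponly" not in sc.attrs:
                    findings.append((sc.name, ISSUE_HTTPONLY, start))
    return findings, known


def summarize(findings) -> dict:
    """Collapse findings into cookie name -> sorted list of distinct issues."""
    summary = {}
    for cname, issue, _ in findings:
        summary.setdefault(cname, set()).add(issue)
    return {k: sorted(v) for k, v in summary.items()}


# Constructed capture: a session joined mid-stream, as a sniffer would see it.
CAPTURE = [
    ("http", "GET /mail/inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
             "Cookie: SID=abc123; lang=en\r\n\r\n"),
    ("http", "HTTP/1.1 200 OK\r\nSet-Cookie: SID=abc123; Path=/mail; HttpOnly\r\n"
             "Set-Cookie: lang=en; Path=/\r\nContent-Length: 0\r\n\r\n"),
    ("http", "GET /mail/folder HTTP/1.1\r\nHost: mail.example.test\r\n"
             "Cookie: SID=abc123; lang=en\r\n\r\n"),
    ("https", "GET /mail/settings HTTP/1.1\r\nHost: mail.example.test\r\n"
              "Cookie: SID=abc123; lang=en\r\n\r\n"),
]

if __name__ == "__main__":
    found, scopes = audit_session(CAPTURE)
    for cookie, issues in summarize(found).items():
        print(f"{cookie}: {', '.join(issues)}")
```

Run against the constructed capture, the first request flags both cookies as sent in the clear with unknown scope; the response then reveals that SID is scoped to /mail but lacks Secure, and that lang lacks both Secure and HttpOnly; the https request at the end produces no finding. The fix on the server side is the Secure attribute (so the browser never resends the session cookie over plain http) plus HttpOnly (so the XSS route mentioned above cannot read it); the fix on the client side is to avoid plaintext sessions on open WiFi at all.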