dadaniel | # 1 | 2013-01-31, 23:42 | Report

the n9 as an evil access point #mitm



Prelude: I used it in all these tools for development and privat use, e.g. you shouldn't use it in a coffee-shop, call your hotspot "Free-Wifi" and turn the encryption off :P

The last month I looked for a way to use my n9 as package sniffer and I figured out some usefull stuff ...

... my train of thought was - how can I sniff whatever it's transmitted through my stock wifi-hotspot (joikuspot) ...

... so here's a guideline of what I got working and how it works:

mitm

My device:

Nokia n9, Linux RM 696 2.6.32.54-dfl-161-20121301 open mode, meego Harmattan PR1.3

Pre-dependencies:

I AM WORKING IN OPEN MODE, SO I DONT KNOW IF IT WORKS WITH THE STOCK KERNEL!!!

1. tcpdump + tcpxtract
2. ngrep
3. dsniff [dsniff itself]
4. ssldump?

1. tcpdump + tcpxtract:

tcpdump is a very powerful package analyzer - you can dump nearly all traffic with this tool ...

tcpxtract is a tool to rebuild data from tcpdump-pcap files...

let's install the packages [and dependencies]:

I took the tcpxtract_1.0.1-5_armel package out of the debian repository.

now fire up the wifi hotspot, connect with a client and let the magic begin:

# we are starting tcpdump on interface [-i] wlan0, set the snaplen to 1500 [-s], don't convert addresses to names [-n] and listen only on port 80 [port 80]

open a website on the client ... tcpdump will capture it.

when you think you are finished, kill tcpdump [crtl+c]

now we will convert the captured traffic:

it looks like this.

I LIKE!


2. ngrep

ngrep is a very powerful tool as well - you can analyze traffic live...

I'm going to show you how to filter the traffic by some regular expressions to look for logins:

first install the necessary dependencies and ngrep itself:

here's ngrep_1.45.ds2-9_armel [from debian repository]

now fire up the wifi hotspot, connect with a client and let the magic begin [again ]:

# we are starting ngrep with a regular expression filter, tell it to be quiet [-q], to ignore case [-i], to use interface gprs0 [-d] (i had segment faults when I started it on wlan0 ... from time to time), -l to make the stdout line buffered [-l] (usefull when capturing to a file {2>&1 >ngrep.log}) and filter the traffic by ports [port 80 or port 25 or port 110]

... What it doesn't do is capturing htaccess logins, I use dsniff for it.


3. dsniff

dsniff? - omg, it's awesome! it includes:

dsniff does have some more dependencies than the other tools I described:

I took the libdb4.6_4.6.21-16_armel and libnids1.21_1.23-2_armel from the debian repository.

Here's dsniff_2.4b1+debian-18_armel

whooop! - should be working now

dsniff itself is very simple to use - it has a build-in filter. I used it to sniff the authentication for htaccess logins as well as ftp logins:

# we are starting dsniff with automatic protocol detection [-m], set the snaplen to 1500 [-s] and listen on interface gprs0 [-i] ... again I got segment faults when listening on wlan0.


4. sslstrip?

sslstrip strips down your https connections to http ...

... I found a way to pipe your local connection through sslstrip, but not with the hotspot connected client.

All I did was to modify my APN connection - I activated the http_proxy on 127.0.0.1 and port 10000, and changed a gconf setting (gconftool-2 -t string -s /system/proxy/mode "manual") - deactivate and activate the connection again and fire up sslstrip.

An alternative for testing is to set the http proxy in firefox.

What I figured out was: The Joikuspot doesn't use the APN entry from the phone settings, because I tried to add a second APN with some changed settings and it won't show up in the properties of Joikuspot. - Maybe that's why it doesn't take the proxy settings from the APN ... anyway, I'm still working on a workaround!

Here's sslstrip-0.9 (taken from http://www.thoughtcrime.org/)

... I also got the webmitm/mitmproxy running (fakes SSL-certifications, but as it's not a very efficient and elegant way to work, so I won't explain it)

cheers!

---

Last edited by dadaniel; 2013-01-31 at 23:48.

Arie | # 2 | 2013-02-01, 04:20 | Report

This is an awesome Post... Why are people overlooking it?

dadaniel | # 3 | 2013-02-01, 09:43 | Report

thanks ... maybe because it's not an "app" :P

soryuuha | # 4 | 2013-02-01, 10:21 | Report

packet sniffer tool on n9 whoa :shock:

need to know if this will work on stock kernel :<

dadaniel | # 5 | 2013-02-01, 11:41 | Report

It 'should' work, but I would try it with inception/opensh - these tools don't need any kernel based modules.

Give it a try and tell me about it

cheers

kskoda | # 6 | 2013-03-01, 07:53 | Report

How did you activate proxy?

www.rzr.online.fr | # 7 | 2013-03-01, 08:06 | Report

added dante and sslstrip to shared repo ... dsc link for others are welcome too

---

Last edited by www.rzr.online.fr; 2013-03-01 at 20:47.

coderus | # 8 | 2013-03-01, 08:40 | Report

checked dante-client, not working. configured /etc/dante.conf, started socksify /usr/bin/grob -> process freezed and nothing happened

www.rzr.online.fr | # 9 | 2013-03-01, 20:19 | Report

thx for reporting ,feel free to branch it from obs and fix it

added dsniff among others ...

apt-get install tcpdump tcpxtract ngrep ssldump


Please check everything is there and confirm it is usable

---

Last edited by www.rzr.online.fr; 2013-03-03 at 14:22.