Be careful what you broadcast...


Dr. Z
21-03-2008, 17:35
...if you are using a wifi connection in a public place (or anywhere, really)

I have been trying out this tool called WifiZoo which is like a kind of Wireshark for wireless but with a bit of a cool twist. Instead of showing you a long list of packets which you would have to walk through to get a handle on what is going on, this tracks connections and basically presents you with a categorical breakdown of useful stuff.

For example, you sit down in your hotel lobby and use their wireless LAN to check your GMail account. GMail tracks who you are and your authenticated status using cookies. You log in over SSL, so there is no chance of a MITM seeing your password, but Google then issues you a cookie which says "yes, I am logged in" which has a limited expiration time. The rest of your session is then in plaintext, but without the cookie you can't get into the GMail site... WifiZoo tracks HTTP sessions and grabs any cookies set. With a click of the mouse, it injects that cookie into its own built-in proxy server and presents me with the page that only you should be able to see. Clever, huh?

It's not limited to cookies and stuff though, oh no! It can track POP3 auth details, MSN conversations, FTP data, SMTP data and that's just out of the box - if you know Python you could code it to track whatever you wanted.

When combined with a tool called KISMET it will channel-hop too, so you can track multiple APs at once to see which is the "best" one to pay more attention to, or in multi-AP configurations you can keep track of multiple users which might not be on the same AP.

Here is a screenshot:

http://www.statichiss.co.uk/wifizoo.png
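The cookie weakness described in the post above, looked at from the defender's side: an added example (not code from the thread or from WifiZoo) that audits Set-Cookie headers for the Secure/HttpOnly flags and scans request-log lines for session cookies sent over plain HTTP. The cookie names, hosts and log lines are constructed.

```python
import re

# Session cookies that authenticate a user; these names are assumed examples.
SESSION_COOKIES = {"SID", "sessionid"}


def audit_set_cookie(header: str) -> list:
    """Report attribute problems on a Set-Cookie header that would let a
    session cookie be replayed from a request sniffed off the air."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    problems = []
    if name in SESSION_COOKIES:
        if "secure" not in attrs:
            # Without Secure the browser sends it on plain-HTTP requests too.
            problems.append("missing Secure")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
    return problems


# Constructed request-log format: '<scheme>://<host><path> Cookie: a=1; b=2'
LOG_LINE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/\s]+)\S*\s+Cookie:\s*(?P<cookies>.*)$"
)


def cleartext_session_cookies(log_lines) -> list:
    """Return (host, cookie name) for every session cookie that travelled
    over plain HTTP, i.e. what a passive sniffer on the WLAN would capture."""
    leaks = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m or m.group("scheme") != "http":
            continue
        for pair in m.group("cookies").split(";"):
            cname = pair.split("=", 1)[0].strip()
            if cname in SESSION_COOKIES:
                leaks.append((m.group("host"), cname))
    return leaks


# Constructed sample: the login happens over SSL, then the inbox is fetched
# over plain HTTP and the same session cookie goes out in the clear.
SAMPLE_LOG = [
    "https://mail.example.invalid/login Cookie: PREF=lang=en",
    "http://mail.example.invalid/inbox Cookie: SID=abc123; PREF=lang=en",
    "https://mail.example.invalid/settings Cookie: SID=abc123",
]
```

Run `cleartext_session_cookies(SAMPLE_LOG)` to see the one plain-HTTP request that leaks the session cookie; `audit_set_cookie` on the header that issued it shows the missing Secure flag that makes that leak possible.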

Feek
22-03-2008, 01:29
Ouch!

Garp
22-03-2008, 08:58
ssh tunnel from my N810 through to my server, then using mail clients like mutt on it keeps my sensitive data encrypted all the time..thankfully :)

you got me curious though.. *goes off in hunt of software*

Desmo
22-03-2008, 10:45
I had a little play with BacktrackII a little while ago but didn't have a clue what was going on ;D

Will
22-03-2008, 11:10
I had a little play with BacktrackII a little while ago but didn't have a clue what was going on ;D

Yeah - I've installed all sorts of apps on my linux laptop - do I know what's going on? Do I ****! ;D

Desmo
22-03-2008, 15:40
I'm just downloading Ubuntu so I can cock things up some more :D

Desmo
22-03-2008, 19:02
Was going to have a play with wifizoo but can't seem to get it working :/
I'm a nix noob!

Desmo
22-03-2008, 19:07
Think I'm doing this right....

james@james-laptop:~$ python /home/james/wifizoo/wifizoo.py -i eth1
WifiZoo v1.3, complains to Hernan Ochoa (hernan@gmail.com)
using interface eth1
Launching Web Interface..
WifiZoo Web GUI Serving HTTP on 127.0.0.1 port 8000 ...
WifiZoo HTTP Proxy on 127.0.0.1 port 8080 ...
Waiting...
Traceback (most recent call last):
  File "/home/james/wifizoo/wifizoo.py", line 121, in <module>
    p = sniff(filter=None, iface=conf.iface, count=1)
  File "/home/james/wifizoo/scapy.py", line 11815, in sniff
    s = L2socket(type=ETH_P_ALL, *arg, **karg)
  File "/home/james/wifizoo/scapy.py", line 10133, in __init__
    self.ins = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(type))
  File "/usr/lib/python2.5/socket.py", line 154, in __init__
    _sock = _realsocket(family, type, proto)
socket.error: (1, 'Operation not permitted')

...but I'm getting this socket error at the end.

Dr. Z
22-03-2008, 22:29
What card do you have? You also need to be running Kismet in the background at the same time, as well as being root (tack a sudo onto the front of both this and kismet - kismet automatically priv-drops anyways but as wifizoo is only passive you shouldn't be too much at risk :))

ssh tunnel from my N810 through to my server, then using mail clients like mutt on it keeps my sensitive data encrypted all the time..thankfully

you got me curious though.. *goes off in hunt of software*

but if I can see all your packets, what's to stop me MITMing you? (RSA fingerprints aside)

In any case, SSH is still vulnerable to offline brute-force attacks so I could, theoretically obtain your username and password if I caught your handshake :p

Garp
23-03-2008, 11:21
What card do you have? You also need to be running Kismet in the background at the same time, as well as being root (tack a sudo onto the front of both this and kismet - kismet automatically priv-drops anyways but as wifizoo is only passive you shouldn't be too much at risk :))



but if I can see all your packets, what's to stop me MITMing you? (RSA fingerprints aside)

In any case, SSH is still vulnerable to offline brute-force attacks so I could, theoretically obtain your username and password if I caught your handshake :p

good luck trying to get them from a passphrase-protected SSH key. ;) still mitm could be used to disrupt things a bit. last year's hacker conference had some bloke who used mitm style hacks with snort to replace all images on pages people were viewing with goatse

Nutcase
23-03-2008, 12:43
good luck trying to get them from a passphrase-protected SSH key. ;) still mitm could be used to disrupt things a bit. last year's hacker conference had some bloke who used mitm style hacks with snort to replace all images on pages people were viewing with goatse

Should I be concerned that the only term in there I understood was "goatse"? :o

LeperousDust
23-03-2008, 17:36
Yeah this all sounds possible, but unless in a sensitive environment, pretty useless. It's a good toy, and a party trick, but you still need to be in the right place at the right time listening to the right people. At home with WPA/WPA2 enabled I still feel safe because there are too many other hot spots around me to have to worry about the odd person who knows enough about this to "spy" on me. I'm maybe more careful when out and about, but I very rarely use my wi-fi in cafes or motorway service stations anyways. Which again are in my eyes pretty safe. A "hacker" would have to be sitting round all day, in the hope of stumbling upon something significant...

Dr. Z
23-03-2008, 18:53
My point wasn't about your home access points, which whilst they aren't secure outright if you aren't doing things right, the chances of someone targeting you are slim.

However, my point is extremely pertinent in McDonalds/services/hotel wifi access points - they are, by and large, completely vulnerable to attack. Anyone that believes that this stuff isn't good enough to complete a proper attack against a public access point like those is naive. In a hotel for example you have people using wifi all the time and in a motorway services you have even more people coming and going - and as it is paid for you have credit card details being broadcast left, right and centre as well as other (largely unencrypted) traffic.

Rich pickings IMO :)

divine
23-03-2008, 19:14
I'm confused as to what this enables.

So basically, were I to take a laptop and connect somewhere and you were nearby with this software, you could see everything that was coming and going to my laptop?

LeperousDust
23-03-2008, 21:01
I've never had to divulge credit card info with t-mob hotspots... Best they get really after trouble, through the t-mob hotspot thing (some kinda vpn) and https connections is probably my gmail password, which is obviously a good starting point and yes I'd rather nobody else knew that, but it's not "easy" and a lot of work to find out you haven't really divulged much (no passwords on my gmail at all and I rotate passwords too). I agree if you get the right stupid business man with a business account it's probably worth it. But you don't know who you're watching... If there are 30+ people in a cafe how can you keep on top of all the possible traffic and know that it's even worth the while? Plus trying to fiddle around and crack ssl/vpn stuff? Although I understand everyone doesn't use this (:p).

Garp
23-03-2008, 21:12
I'm confused as to what this enables.

So basically, were I to take a laptop and connect somewhere and you were nearby with this software, you could see everything that was coming and going to my laptop?

Basically.. it's always been the danger with wireless networks, possible to hijack under the right circumstances. Better encryption methods like WPA2 help a lot, but very few 'public' hot spots bother with these.

Will
23-03-2008, 21:44
That's why I always use my mobile connection (3G) to do any bank orders in public places - I know this is not flawless either, but it's probably a little safer. I've almost given up on wireless now, it's ok as a convenience but networking is so much more efficient with a nice piece of copper or optical cable :D

Dr. Z
23-03-2008, 22:33
I've never had to divulge credit card info with t-mob hotspots... Best they get really after trouble, through the t-mob hotspot thing (some kinda vpn) and https connections is probably my gmail password, which is obviously a good starting point and yes I'd rather nobody else knew that, but it's not "easy" and a lot of work to find out you haven't really divulged much (no passwords on my gmail at all and I rotate passwords too). I agree if you get the right stupid business man with a business account it's probably worth it. But you don't know who you're watching... If there are 30+ people in a cafe how can you keep on top of all the possible traffic and know that it's even worth the while? Plus trying to fiddle around and crack ssl/vpn stuff? Although I understand everyone doesn't use this (:p).

Some APs don't require you to pay, some do, that's all. HTTPS is vulnerable to Man In The Middle attacks and the software to do that is freely available and relatively easy to use. I could theoretically stroll into a wireless hotspot and with relative ease I could have every packet being sent through my laptop on its way to the real internet, being filtered for usernames/passwords and other useful stuff. It doesn't even need to be in real time either, you can log all of the packets you see and run an analysis of them later.

SSL and VPN stuff is a PITA (VPN much more than SSL) but you have to remember that in a MITM attack, I don't see encrypted stuff, I see plaintext. Sadly for users, the fact that many people simply click "ok" at the first sign of an internet explorer or firefox popup window means that the only (flimsy) protection you have from "me" is just ignored.

As for the GMail thing, I don't actually get your password (unless I MITM'd the start of your session, which is HTTPS) but your cookie - which is in many ways better than a password - I simply open up a browser and I am you, just like that. All the password rotation in the world can't protect you from that!

I am not the kind of person to actually put this into practice maliciously and I suppose I am more of a geek than most when it comes to things like this but honestly, it took me less than a day to get to grips with the requisite tools when I first came across them and they have got significantly easier to use since then! Some of the logic of how exactly to go about certain things is still a bit past me, I need to do more reading but any vaguely knowledgeable person with a laptop could teach themselves this in a week and scam hundreds of people.

If it wasn't too difficult/complicated/whatever to design, build and implement devices to scan cards as they are pushed into ATMs, what makes you think this is any less significant a threat?

I'm confused as to what this enables.

So basically, were I to take a laptop and connect somewhere and you were nearby with this software, you could see everything that was coming and going to my laptop?

In essence, yes. If it's a public access point it's even worse because they don't encrypt anything (so I wouldn't have to "identify" myself by joining the LAN). I don't particularly want to post a screenshot but I was mucking about before with my own WLAN and I noticed something was happening that shouldn't have been. Anyways, it turns out that someone around here is running a completely insecure (not even WEP) AP and I was able to see half of their traffic (obviously their wireless device didn't have the transmit power to get its packets to me, but if I moved closer I would be able to see all their traffic!)

LeperousDust
23-03-2008, 23:09
But surely the cookie is useless unless you use it there and then? As you say you don't need to look at stuff in real time (in fact there's too much crap to do so surely? especially at a spot that is busy enough to warrant a decent attack). If you find something of interest from me later on how would having a cookie then (that's probably expired?) help? As you say some you pay at, and that makes sense, but I suppose I'm different, I'd NEVER give out my CC over a public spot to pay for the access hence why I use t-mob :) I know for some stupid people out there (who are warned anyways) this is bad news, but for most half savvy people surely this isn't a "big" problem, due to the vast amount of packets you'd have to be sniffing etc... I'm rambling now but I hope you get me?

Dr. Z
24-03-2008, 00:06
A GMail cookie is but one specific example of how wireless users are vulnerable, and yes that particular example has to be used pretty quickly. Others like people's bank details or credit card details are a lot more useful after the fact.

A lot of people put WAY too much trust in seeing that padlock at the bottom of their screens. A savvy hacker could MITM the initial SSL login page and people would trust that whilst they pay for their access they are safe. Wrong! Even a FREE access point could be vulnerable to that - you bowl up, ARP poison the entire network and present users with a genuine-looking and secure portal page asking for payment for access. You wouldn't need anything spectacular to pull that off, in fact it's INCREDIBLY easy to do!

We could be here forever talking about the numerous ways that you could exploit the inherent insecurity of wireless networks and that wasn't the point of this thread - it was to give a tip-of-the-iceberg look at just what is possible in the world of wireless.

99% of people with computers aren't like "us" - they are stupid general public with no idea, and that's what you have to bear in mind!