Admit it: "Wireless Internet in every home" is a very attractive slogan. It
sounds great when your ISP, which was still selling dial-up access 5 years ago,
rolls out a big WiFi infrastructure across the whole city (or at least its
center) in just a few days. A fool's dream come true: now you can enjoy a fast
Internet connection while sitting in McDonald's and mopping up another McFresh.
But when you look closer you realize it can't be that simple, because the
information security of the ISP (and, consequently, of all its customers) leaves
a lot to be desired. So as not to make unsubstantiated claims, I offer you a
case study: an informal audit of a newly born wireless network. Who knows, maybe
you will find it credible, having had a bitter experience with your own provider.
Let's agree in advance: to observe etiquette and not embarrass my ISP, I will
not name specific sites or brands. Moreover, the law was not violated: the audit
was made using only my own, honestly purchased accounts. The purpose of this
article is not to tarnish the company's honor but to show the general weak
points of a WiFi infrastructure, points that can certainly be found in the WiFi
networks of the largest providers.
First disappointment
So, back to marketing. Imagine a large Russian million-plus city that has become
plastered with advertising slogans like "Wireless, fast and convenient Internet
access", "Enjoy the Web in your favorite cafe", etc. When your city offers such
an opportunity, you want to take it up immediately. After all, you must agree
that it's convenient to sit in some cafe with your faithful laptop friend and
sort out some urgent matters over ICQ.
But after a series of disconnects I felt the first disappointment. And not even
because the connection is weak, but because no re-authorization was required
when reconnecting (even after 10 minutes).
What the hell is that? It means I pay for Internet access and the ISP doesn't
even care about my security (in theory, my session is available to anyone else
once I break the connection and leave the place!). After that "surprise" I
decided to sniff the network a bit to check my assumptions.
I didn't sniff the long list of cafe visitors' notebooks connected to the same
wireless ISP, as I'm a girl who abides by the law. Instead, I invited a friend
with a laptop :). He bought me a cup of coffee and started imitating frantic
Internet activity (he launched ICQ, logged into a social network, checked his
mail, etc.).
Sniff and ... strangle!
Not to waste time, I launched Wireshark and started monitoring the perimeter.
Among all the packets I immediately saw the SSL "handshake" with the provider's
website...
By the way, do you know how connection authentication is done? First, the client
connects to an insecure WEP/WPA access point. When he opens the browser and
enters any website, he is redirected to the ISP login page. There he enters his
personal login and password (which are obtained by sending an SMS message to a
specific number), and then, apparently, a rule is created on the router. That
specific rule allows that specific user to get the Internet connection.
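To make the consequence of that scheme concrete, here is a small model of the router-side rule table, written for this article as an added example (it is not the ISP's software, and the field names, the clock and the addresses are constructed). The weak variant keeps a rule keyed only on (MAC, IP) with no expiry, which is the behaviour observed above; the hardened variant expires idle rules and revokes them when the access point reports that the station has left.

```python
"""Model of a captive-portal authorization table (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    mac: str
    ip: str
    account: str
    last_seen: float  # seconds on a constructed clock


@dataclass
class CaptivePortal:
    idle_timeout: Optional[float] = None  # None = rules never expire (the weak setup)
    revoke_on_disassoc: bool = False      # False = AP disassociation is ignored (weak)
    rules: dict = field(default_factory=dict)

    def login(self, mac, ip, account, now):
        """Called by the portal after the SMS-delivered password checks out:
        the router rule is keyed on nothing more than the client's MAC and IP."""
        self.rules[(mac.lower(), ip)] = Rule(mac.lower(), ip, account, now)

    def logout(self, mac, ip):
        """The explicit 'Log out' the ISP asks users to perform."""
        self.rules.pop((mac.lower(), ip), None)

    def station_disassociated(self, mac):
        """AP event: the client's radio left the network."""
        if self.revoke_on_disassoc:
            for key in [k for k in self.rules if k[0] == mac.lower()]:
                del self.rules[key]

    def is_allowed(self, mac, ip, now):
        """Router check for a packet from (mac, ip) at time `now`."""
        rule = self.rules.get((mac.lower(), ip))
        if rule is None:
            return False
        if self.idle_timeout is not None and now - rule.last_seen > self.idle_timeout:
            del self.rules[(mac.lower(), ip)]   # idle too long: force re-authorization
            return False
        rule.last_seen = now
        return True


def scenario(portal):
    """A user logs in, leaves without logging out, and 10 minutes later a
    station presenting the same MAC/IP shows up. Returns
    (user_allowed_while_present, same_addresses_allowed_10_min_later)."""
    mac, ip = "aa:bb:cc:dd:ee:ff", "10.0.0.42"   # constructed addresses
    portal.login(mac, ip, "user@example", now=0)
    present_ok = portal.is_allowed(mac, ip, now=30)
    portal.station_disassociated(mac)            # the laptop lid closes
    later_ok = portal.is_allowed(mac, ip, now=30 + 600)
    return present_ok, later_ok


if __name__ == "__main__":
    print("weak    :", scenario(CaptivePortal()))
    print("hardened:", scenario(CaptivePortal(idle_timeout=300, revoke_on_disassoc=True)))
```

Either mitigation alone closes the 10-minute window in this model; in practice a short idle timeout is the one the operator controls without depending on the access point reporting disassociation reliably.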
So, after the SSL-encrypted authentication had passed, I saw an absolutely
unencrypted password and e-mail for the VKontakte social network, some slightly
XORed ICQ passwords (which can easily be decoded with Ufasoft Sniffer or
InterCepter), and also a few indecent porn site links (my friend is not a shy
one... :). I say nothing about the other network clients (I filtered them out by
IP address so as not to violate the law).
But as they say, if you want something badly you can (and should!) bend the
rules a little (just to broaden your horizons :). Spoofing is easy if you know
all the IP and MAC addresses of the users on the perimeter (they can be learned
by analyzing ARP messages).
The ISP website states that you should "Log out" on the authorization website
before disconnecting from the network; otherwise your account remains available
for connection for some time after you close the connection. That is just what
we need, because not every user will bother with that :).
So we substitute the MAC address of our wireless adapter with the neighbor's
MAC, using a nice MAC address changing utility called "MACChange" (you can also
do it manually; it's a matter of taste). Do not forget to assign his IP too. Now
try to connect to the network. Lo and behold! It turns out the ISP allows static
addressing as well as DHCP. So you can enjoy the pleasures of wireless Internet
absolutely for free! Or rather, at someone else's expense!
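From the operator's side, the cloning just described leaves traces only while the legitimate station is still around: the same MAC then appears associated at two access points, or the same IP is claimed by two MACs. The detector below is an added example, not from the article or any vendor; its one-record-per-line log format (time, event, mac, ip, ap) is constructed for the example, as are all addresses. Real controllers and arpwatch-style tools have their own formats, but the state tracking is the same.

```python
"""Network-side detection of MAC/IP cloning (added example, constructed log format)."""
import re

# Constructed format: "<time> <assoc|disassoc|arp> mac=<mac> [ip=<ip>] [ap=<ap>]"
LINE = re.compile(
    r"^(?P<t>\d+) (?P<event>assoc|disassoc|arp) mac=(?P<mac>[0-9a-f:]{17})"
    r"(?: ip=(?P<ip>[\d.]+))?(?: ap=(?P<ap>\S+))?$"
)

# Constructed sample: aa:bb:... is a legitimate user on ap-cafe-1. At t=300 a
# second radio on ap-cafe-2 claims the same MAC and then the same IP; at t=350
# another station claims 11:22:...'s IP with its own MAC; at t=500/510 the
# 11:22:... station legitimately roams (disassoc, then assoc elsewhere).
SAMPLE_LOG = """\
100 assoc mac=aa:bb:cc:dd:ee:ff ap=ap-cafe-1
101 arp mac=aa:bb:cc:dd:ee:ff ip=10.0.0.42
102 assoc mac=11:22:33:44:55:66 ap=ap-cafe-1
103 arp mac=11:22:33:44:55:66 ip=10.0.0.43
300 assoc mac=aa:bb:cc:dd:ee:ff ap=ap-cafe-2
301 arp mac=aa:bb:cc:dd:ee:ff ip=10.0.0.42
350 arp mac=de:ad:be:ef:00:01 ip=10.0.0.43
420 arp mac=11:22:33:44:55:66 ip=10.0.0.43
500 disassoc mac=11:22:33:44:55:66 ap=ap-cafe-1
510 assoc mac=11:22:33:44:55:66 ap=ap-cafe-2
"""


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["t"] = int(rec["t"])
            yield rec


def detect(log):
    """Return a sorted list of (time, alert, mac) tuples.

    duplicate-mac-two-aps:    a MAC associates at a second AP while still
                              associated at the first (one radio cannot do that).
    ip-claimed-by-second-mac: an IP already seen with one MAC is claimed by another.
    """
    alerts = []
    assoc_ap = {}   # mac -> AP it is currently associated to
    ip_owner = {}   # ip  -> first MAC seen claiming it
    for rec in parse(log):
        mac, ev = rec["mac"], rec["event"]
        if ev == "assoc":
            if mac in assoc_ap and assoc_ap[mac] != rec["ap"]:
                alerts.append((rec["t"], "duplicate-mac-two-aps", mac))
            assoc_ap[mac] = rec["ap"]
        elif ev == "disassoc":
            assoc_ap.pop(mac, None)          # a later assoc elsewhere is a normal roam
        elif ev == "arp":
            owner = ip_owner.setdefault(rec["ip"], mac)
            if owner != mac:
                alerts.append((rec["t"], "ip-claimed-by-second-mac", mac))
    return sorted(alerts)


if __name__ == "__main__":
    for t, alert, mac in detect(SAMPLE_LOG):
        print(f"t={t} {alert} {mac}")
```

Two caveats a practitioner should keep in mind. First, if the legitimate user has already gone home, a clone of both MAC and IP on the same access point produces no conflict at all, which is exactly why the session expiry from the previous section matters more than any detector. Second, on a real network the IP-owner table should be fed from DHCP lease records rather than first-seen ARP, otherwise a normal lease reassignment looks like a conflict.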
And what if...?
Well, now that we have violated the law anyway, let's deepen and broaden our
experience for the sake of the experiment. What else can we do to show all the
weak points of this wireless network? A fake access point MitM attack comes to
mind, but it can't be set up within the cafe. For that we need several
components: a web server, an access point and a laptop for tests.
So I had to go back home, dig through the dusty shelves for an old DIR-300 and
configure it as a DHCP server. I also set the access point's SSID to be the same
as the operator's.
As a web server I chose the compact and convenient "Small HTTP Server". Many
words have been said about that software; I like it for its convenient interface
and pretty wide functionality despite its very small size.
Set up the web server and DNS server so that when the user tries to open any web
page he is directed to an HTML page that looks like the ISP website's login page.
Now create a PHP script that will save everything entered in the form to a
separate .txt file.
<?php
// Takes the login and password from the fake form's GET parameters and writes
// them, with a small separator, to a text file on the server.
$filename = 'S:\home\localhost\www\info.txt';
$a = $_GET['login'];
$b = $_GET['password'];
$somecontent = " -- Login - \n".$a." --Password - \n".$b." -- \n";
if (is_writable($filename)) {
    // 'r+' opens for reading and writing positioned at the start of the file,
    // so each new entry is written over the beginning of the previous one.
    if (!$handle = fopen($filename, 'r+')) {
        echo " Cannot open the file ($filename)";
        exit;
    }
    if (!fwrite($handle, $somecontent)) {
        echo " Unable to write to the ($filename) file ";
        exit;
    } else {
        echo " ";
    }
    echo "Written ($somecontent) to the ($filename) file";
    fclose($handle);
} else {
    echo "File $filename is not writable ";
}
?>
The fake is ready. Now let's run it!
MitM in action
The plan for stealing wireless network login details is as follows. The user
turns on the Wi-Fi adapter and tries to connect to the wireless network. In the
list of available networks he sees the fake access point with the same SSID as
the ISP's. The system lists it first because its signal is stronger than the
operator's. The user connects to your fake access point, opens the browser and
lands on the fake login page, whose interface is similar to the ISP's login
interface. Suspecting nothing, the user enters his login details in the
appropriate fields. Finally, when he clicks the "Enter" button, he triggers the
PHP script, which stores everything he typed to a text file on your server. The
user is left with no Internet connection (and, of course, without his login and
password 🙂 - editor's note).
To keep an eye on the details, let's log in to the fake access point ourselves.
Fill in the login details and press "Enter". Nothing happens. That is how it
looks to a regular user. Meanwhile, our script has already done its dirty little
business and the login details are stored on the server. Now open the txt file
and look at its contents. Voila! Here is the data we typed, and there's a
surprise: someone has already connected to our fake access point, and now there
are a couple of real logins and passwords that can be used to log into the ISP's
real wireless network. Even SSL authorization does not prevent the theft of login
details in such a case.
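The two things that make this work, a second BSSID broadcasting the operator's SSID with a stronger signal and a login page that is not the operator's HTTPS site, are also the two things a defender can check. The code below is an added example, not from the article, the ISP or any WIDS product; the SSID, the BSSID inventory, the beacon observations and the portal hostname are all constructed. `rogue_report` is the wireless-IDS side (compare what is on the air with what the operator deployed), and `portal_looks_legit` is the check a client should make before typing a password.

```python
"""Evil-twin detection and a client-side portal check (added example, constructed data)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

ISP_SSID = "CityWiFi"  # constructed placeholder for the operator's SSID

# Constructed inventory: BSSIDs the operator actually deployed, by location.
KNOWN_BSSIDS = {
    "00:11:22:aa:00:01": "cafe-1",
    "00:11:22:aa:00:02": "cafe-1",
    "00:11:22:aa:01:07": "cafe-2",
}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    rssi_dbm: int
    privacy: bool  # True if the beacon advertises WEP/WPA, False if open


# Constructed beacons as a sensor in cafe-1 might see them: two real APs and a
# third BSSID broadcasting the same SSID, louder than both (the consumer router
# on the next table), plus an unrelated home network.
OBSERVED = [
    Beacon(ISP_SSID, "00:11:22:aa:00:01", 1, -67, False),
    Beacon(ISP_SSID, "00:11:22:aa:00:02", 6, -72, False),
    Beacon(ISP_SSID, "c0:ff:ee:12:34:56", 11, -41, False),
    Beacon("HomeNet", "c0:ff:ee:12:34:57", 11, -43, True),
]


def rogue_report(beacons, known=KNOWN_BSSIDS, ssid=ISP_SSID):
    """For every BSSID that advertises the operator's SSID but is not in the
    inventory, return (bssid, rssi_dbm, outranks_legit), strongest first.
    outranks_legit is True when it beats every legitimate AP in range, which
    is exactly when clients will auto-join it before the real network."""
    legit = [b.rssi_dbm for b in beacons if b.ssid == ssid and b.bssid.lower() in known]
    best_legit = max(legit) if legit else None
    report = []
    for b in sorted(beacons, key=lambda b: -b.rssi_dbm):
        if b.ssid == ssid and b.bssid.lower() not in known:
            outranks = best_legit is None or b.rssi_dbm > best_legit
            report.append((b.bssid, b.rssi_dbm, outranks))
    return report


def portal_looks_legit(url, expected_host):
    """Client-side check before entering credentials: the login page must be
    served over HTTPS from the operator's hostname. A plain-HTTP page, as the
    fake portal above is, fails immediately."""
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "") == expected_host.lower()


if __name__ == "__main__":
    for bssid, rssi, outranks in rogue_report(OBSERVED):
        print(f"rogue {bssid} at {rssi} dBm, outranks legitimate APs: {outranks}")
    print(portal_looks_legit("https://login.isp.example/portal", "login.isp.example"))
```

The URL check only means something together with the browser's certificate validation: a fake access point that also runs the DNS server can answer for the operator's hostname, so a certificate warning on the portal page has to be treated as the attack rather than clicked through.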
The patient is more alive than dead
What can I say? The worst thing is that more than half of the wireless networks
in the country work according to a similar authentication scheme (I know of at
least four big million-plus cities). And no one can guarantee the legitimacy of
the users. Service owners almost never warn their customers about the
vulnerability of their data and the risk of their personal information being
stolen. They are all eager to increase their profits while neglecting all
security measures. Providing a higher security level would reduce the data rate
and complicate the setup of customer equipment.
So finally, some good advice to all of you, guys: pay attention to which access
point you connect to, and do not send any important information over unprotected
networks (or use a VPN connection), because it can lead to fatal consequences.
Warning
Warning! This information is presented strictly for educational purposes!
Neither the author nor the editors are responsible for any actions you might
undertake!