So recently we’ve introduced you to Reaver, which shows that even WPA/WPA2-encrypted networks with strong passwords aren’t safe. Personally, I’m using a fairly expensive router (Linksys E3000) which I’ve configured manually; however, to my knowledge, WPS cannot be disabled on any Linksys router at this time.
The WPS vulnerability in WPA/WPA2, together with WEP being easily crackable even without WPS, means that most Wi-Fi networks can in fact be infiltrated by unwanted users. This raises another important question: what can an attacker actually do once inside your network?
comaX has written a very good script for sniffing passwords which includes sslstripping the network (simply put, this makes HTTPS sites like Facebook arrive as plain HTTP, allowing you to sniff the password unencrypted) and ARP cache poisoning (rerouting all traffic through your own computer, putting you in the middle as a man-in-the-middle). We’ve already covered this script in a previous post.
A small issue I’ve encountered when doing MITM attacks is that the running sessions (here we talk specifically of Facebook sessions) are sometimes not terminated, which is essential since you need your victim to type in their password to be able to sniff it.
Here is what I do when using automated MITM attacks to jump straight into the target’s ongoing Facebook session without them ever typing the password:
First of all, start Wireshark. If you’re using Backtrack it is already included, so just open a terminal window and type:
wireshark &
Select your interface that is connected to the network and start sniffing:
You should now see packets coming in. You can keep Wireshark listening as long as you like, but many packets will flood the window, so it’s useful to learn how to apply filters. For this specific task you will want to set the filter to show only HTTP traffic, and perhaps only traffic to and from the target:
The Facebook cookie will be inside an HTTP packet that has POST or GET in the Info field and looks something like this:
POST /ajax/growth/…/ HTTP/1.1
GET /ajax/presence/…/ HTTP/1.1
Here I’ve sniffed one of these packets from my own login:
If you find a packet that looks like this, select it, right-click and select “Follow TCP Stream”:
Here we can see the cookie:
Restart Firefox and open up the Cookie Manager (the icon will be in the upper right corner)
Browse to your Facebook cookie
Now you will just have to change the values in your cookie to match the cookie you sniffed:
Make sure you filled in the values correctly (without the semi-colon). Next, open up www.facebook.com and you will be logged in to the account!
The hacker now has access to your Facebook account until you logout or the cookie expires.
The beauty of this little hack is that it is not limited to Facebook sessions; it can be useful in many situations when you’re sniffing traffic (not only MITM attacks). Similar methods to the ones described here can be used on virtually any site that uses cookies to manage user sessions!
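Whether a session cookie can be picked up this way comes down to a few response headers: a cookie without the Secure flag is sent over plain HTTP, and a site without HSTS lets an sslstrip-style downgrade happen in the first place. The audit below is an added example for site owners, not code from the original post; the HTTP responses it checks are constructed samples, and the list of “looks like a session cookie” name hints is an assumption.

```python
# Added example: audit Set-Cookie / HSTS headers of an HTTP response for the
# weaknesses that make cookie sniffing over plain HTTP possible.
# The header lists below are constructed samples, not captured traffic.
from dataclasses import dataclass, field

# Assumed name fragments that suggest a cookie carries session state.
SESSION_HINTS = ("sess", "sid", "auth", "token", "c_user", "xs")


@dataclass
class CookieFinding:
    name: str
    problems: list = field(default_factory=list)


def parse_set_cookie(line: str):
    """Split 'Set-Cookie: name=value; Attr; Attr=val' into (name, {attr: val})."""
    body = line.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers):
    """Return one finding per weak session cookie, plus one if HSTS is missing."""
    findings = []
    hsts = any(h.lower().startswith("strict-transport-security:") for h in headers)
    for h in headers:
        if not h.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(h)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # not session-related, e.g. a locale preference
        f = CookieFinding(name)
        if "secure" not in attrs:
            f.problems.append("no Secure flag: sent over plain HTTP, visible to a sniffer")
        if "httponly" not in attrs:
            f.problems.append("no HttpOnly flag: readable by page scripts")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            f.problems.append("no SameSite=Lax/Strict")
        if f.problems:
            findings.append(f)
    if not hsts:
        findings.append(CookieFinding("(site)", ["no Strict-Transport-Security: HTTPS can be stripped to HTTP"]))
    return findings


# Constructed sample responses: a weak one and its hardened counterpart.
WEAK = ["HTTP/1.1 200 OK",
        "Set-Cookie: c_user=123456; path=/; domain=.example.com",
        "Set-Cookie: xs=abc; path=/",
        "Set-Cookie: locale=en_US; path=/"]
HARDENED = ["HTTP/1.1 200 OK",
            "Strict-Transport-Security: max-age=31536000; includeSubDomains",
            "Set-Cookie: c_user=123456; Path=/; Secure; HttpOnly; SameSite=Lax",
            "Set-Cookie: xs=abc; Path=/; Secure; HttpOnly; SameSite=Lax"]
```

Running `audit_headers(WEAK)` reports both session cookies and the missing HSTS header, while `audit_headers(HARDENED)` returns no findings.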
—————————————————————————————————-
Enjoy your cookies!
Numbers