fun and profit with Wlan traffic modifications
Posted by: Malkav
Date: January 09, 2008 01:12PM

i was doing a little cleaning in my bookmarks when i stumbled upon airpwn (http://airpwn.sourceforge.net/), which is able to exchange data in surrounding wlan traffic with your own.

the creators used it to goatse everyone at defcon (i would have chosen more sensitive subjects than sex hungry nerds, like you know, anybody else), but the fact that you can basically inject *anything* led me to the following questions.

as i know pretty much nothing about javascript beside the basic coding, i decided to get those-who-know ®©™ (you) on the matter. let's say somebody is surfin' like hell on the interweb, and that, by pure chance, a computer with airpwn happens to insert into the pages he's visiting, could it get XHR to a distant host while not breaking the sandbox/samedomain rule?

Re: fun and profit with Wlan traffic modifications
Posted by: rsnake
Date: January 09, 2008 06:00PM

Sorta - you are still bound to the same origin policy, however there are some tricks.

If someone goes to www.abc.com but I'm really after some sensitive info on www.xyz.com, then instead of letting them see www.abc.com, I can show them something else and deliver www.abc.com with an iframe pointing to www.xyz.com. Now, I own www.xyz.com because I'm a MITM, and now I can inject my own JS on that site.

The beauty here is that lots of people think "Wow - SSL, I'm safe." Well, that's only true if you're already in an SSL session. Because most people go to http before their browser is redirected to https, and because I am a man in the middle, I don't have to let them redirect. That's less useful than it sounds because cookies don't work from protocol to protocol, but it's great for MITM phishing. Remember too, you can also take over their https service if you aren't afraid of giving them a little warning message. Most people ignore it anyway.

I should also point out that Dave Maynor and Rob Thomas and I have been working on this concept for some time regarding ferrit. They are doing most of the work - I'm just the coach on the sideline telling them how cool it would be to beef up airpwn for this purpose. No ETA on the version that would do this, but I haven't talked to them in a while about this (since Blackhat actually).

- RSnake
Gotta love it. http://ha.ckers.org
Edited 2 time(s). Last edit at 01/10/2008 11:23AM by rsnake.
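The "I don't have to let them redirect" part of the answer above is something a defender can look for in proxy or flow logs: a host that normally answers a plain http:// request with a redirect to https:// suddenly serves a 200 over http to one client. The script below is an added example, not code from the thread or from airpwn; the hostnames, the log format and the EXPECTED_HTTPS baseline are constructed assumptions.

```python
"""Flag sessions where an expected http -> https redirect never arrived.

Constructed log format (one record per line):
    client host scheme status location   ("-" = no Location header)
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

@dataclass
class Flow:
    client: str
    host: str
    scheme: str
    status: int
    location: str  # value of the Location header, "" if absent

# Hosts observed in a clean baseline to always redirect http -> https.
# Hypothetical names: replace with the hosts you actually baseline.
EXPECTED_HTTPS = {"www.xyz.example", "login.abc.example"}

def parse_flows(log: str) -> Iterator[Flow]:
    """Parse the constructed whitespace-separated log format above."""
    for line in log.splitlines():
        if not line.strip():
            continue
        client, host, scheme, status, loc = line.split()
        yield Flow(client, host, scheme, int(status), "" if loc == "-" else loc)

def is_https_redirect(f: Flow) -> bool:
    """True if the response is a 3xx pointing at an https:// URL."""
    return 300 <= f.status < 400 and f.location.lower().startswith("https://")

def find_stripped_redirects(flows) -> List[Tuple[str, str]]:
    """Return (client, host) pairs that got plain-http content (a 200, or a
    redirect that does not go to https) from a host expected to redirect."""
    hits = []
    for f in flows:
        if f.host not in EXPECTED_HTTPS or f.scheme != "http":
            continue  # only the initial http:// leg of a baselined host matters
        if f.status == 200 or (300 <= f.status < 400 and not is_https_redirect(f)):
            hits.append((f.client, f.host))
    return hits

# Constructed sample traffic: 10.0.0.5 gets the normal redirect, while
# 10.0.0.9 receives a 200 over http from a host that should have redirected.
SAMPLE_LOG = """\
10.0.0.5 www.xyz.example http 301 https://www.xyz.example/
10.0.0.5 www.xyz.example https 200 -
10.0.0.9 www.xyz.example http 200 -
10.0.0.9 www.other.example http 200 -
"""

if __name__ == "__main__":
    for client, host in find_stripped_redirects(parse_flows(SAMPLE_LOG)):
        print(f"possible stripped redirect: {client} -> {host}")
```

A hit only says the redirect did not happen as usual; a server-side change can produce the same signal, so treat it as a lead to confirm against the client's next requests, not as proof of injection.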

Re: fun and profit with Wlan traffic modifications
Posted by: Sixpounder
Date: January 30, 2008 02:45PM

Yes, sort of. You can actually try the combination ARP and DNS spoofing+netsed+iptables packet matching on WiFi networks.

o____o
