Comments on: WiFi Ownage

By: pdp

pdp — Wed, 25 Feb 2009 10:10:57 +0000

you are right! I guess the intention was to write something that runs without too much configuration.

By: lljkrieg

lljkrieg — Tue, 24 Feb 2009 12:59:19 +0000

DNS hijacking is certainly an interesting and potentially catastrophic issue for internet users but why reinvent the wheel to exploit the results?

It is possible for an attacker controlled DNS server that supports wildcards, such as bind, to force all domains to resolve to the attacker’s web server. The web server can then proxy the real hostname and inject data into the stream, or load phishing pages for specific sites (sites which don’t allow proxies perhaps?), or launch malware, etc.

This way user HTTP requests can easily be logged and a simple script on the web server could immediately change the payload without having to worry about DNS lease length.

By: CoffeeAddict » 3 keer kloppen…

CoffeeAddict » 3 keer kloppen… — Wed, 09 Jul 2008 08:48:30 +0000

[...] Door het “nieuwe” en gapende gat in UPnP kan een slimme hacker op je router de DNS instellingen wijzigingen om naar haar eigen DNS te wijzen die mijn.postbank.nl resolved naar een perfecte look-a-like op de eigen server van onze vriendelijke hacker. De rest van de DNS requests worden keurig netjes uitbesteed zodat google ook echt google is. (Meer info hier) [...]

By: rezn

rezn — Mon, 11 Feb 2008 16:14:53 +0000

This code may be helpful in further exploring malicious DNS server creation:

http://www.dnspython.org/

By: fazed

fazed — Mon, 11 Feb 2008 01:21:36 +0000

@squid:
what is meant is that I went through both being a script kiddie and as I learned more a blackhat.

thanks for the comments everyone

@Adrian:
I was thinking about creating a more complex script which can also redirect different entered urls to different IP’s/vHost’s and let any that are not listed in this “host” file go to the correct location but this script is just a PoC.

By: Kecoak Elektronik Indonesia » Blog Archive » DNS, the betrayer!

Kecoak Elektronik Indonesia » Blog Archive » DNS, the betrayer! — Sun, 10 Feb 2008 17:23:15 +0000

[...] juga jika melihat tulisan fazed di blog GNUCITIZEN berikut ini, memainkan informasi DNS untuk menguasai WIFI connection (yeah…yeah…wifi-ownage, [...]

By: Sid

Sid — Fri, 08 Feb 2008 07:46:21 +0000

@Christopher: traffic injection attacks on WiFi work like a charm on WEP networks too, as long as you know the key. Not a big requirement after all ;)

I could have Wifitap work on a WDS link as well, with an ugly hack I’m not really proud of.

Getting back to the script, this attack is very like airpwn. This tool, demonstrated at Defcon 2004, catches HTTP requests for pictures and injects arbitrary replies. Very handy when you have… Let’s say… A JPEG or PNG buffer overflow on browser :) You can also reply “GET /” requests with a 301 or 302 that will redirect browser anywhere you want, like a metasploit loaded with whatever client side exploit you may like.

Check http://sid.rstack.org/pres/060.....reless.pdf slides 33 to 47.

By: pdp

pdp — Fri, 08 Feb 2008 07:29:45 +0000

sqid, it should have been blackhat script kiddie (no slash). And yes it makes a perfect sense. Blackhat can be used as a noun or adjective. Cheers.

By: Christopher Haney

Christopher Haney — Fri, 08 Feb 2008 03:28:48 +0000

Would this attack also work is you simply used (for example) a WRT54G with DD-WRT as a repeater and simply acted as a second access point to the WEP free AP?

By: sqid

sqid — Fri, 08 Feb 2008 01:26:14 +0000

“Sam started as a blackhat/script kiddie but soon he has learned a life lesson when he broke into a big football(soccer) leagues site. Sam did not serve any sentence but he had to pay a hefty fine. This is how he turned into a whitehat…”

You make it sounds like Gnucitizen is similar to Alcoholics Anonymous for blackhats. Also, by grouping blackhat and script-kiddie together, you make it sound like they are related to another, when, in fact, they are not. Could you give me some good reasoning on that?

By: Adrian Pastor

Adrian Pastor — Thu, 07 Feb 2008 21:14:03 +0000

@Sid – sounds interesting!.

By: Sid

Sid — Thu, 07 Feb 2008 15:48:50 +0000

I wrote 3 scripts in the same spirit aside of Wifitap that can be foudn in the same tarball:

wifiping.py is just a PoC that answers ping requests on the fly
wifiarp.py that poisons ARP requests on the fly
wifidns.py that roughly does the same as yours

Everything based on Scapy.

By: Adrian Pastor

Adrian Pastor — Thu, 07 Feb 2008 13:42:49 +0000

The script works like a charm, just tested it. The idea is that any domain names resolve to one IP address chosen by the attacker.

It’d also be useful to write a variation of the tool that only makes certain domain names resolve to the evil IP address, and simply query a public DNS server for all other IPs. For instance, maybe the attacker is only interested in poisoning http://www.trustedbank.foo and wants all other domain names to resolve to legitimate IP addresses.

By: Adrian Pastor

Adrian Pastor — Thu, 07 Feb 2008 13:30:27 +0000

That’s a quite handy script, I will play around with it later on today!