After I rooted my HTC Incredible I started doing searches in the market for interesting things. I found some neat wireless utilities, I found a file manager that lets you browse SMB fileshares on the lan (NEAT.), I found a packetsniffer, and some more interesting tools.

The light came on over my head when I realized “Wait, a packet sniffer AND a wireless access point? .. can .. I sniff.. the wifi with this?!”. As it turns out the answer is yes – it takes some fenagling, and if you do it in the wrong order one application stomps the other (I’ve already written the author of the packet capture application about this but have not gotten a response yet).

Here is a quick walkthrough on how to turn an HTC Incredible into a rogue wireless access point:

1. Root the phone. This can be done by visiting http://unrevoked.com/recovery/, downloading the app, and running it.
2. Once the phone is rooted, go to the market, and install the wifi tether application: Be aware though, that with the HTC incredible there are additional steps to get this application to work (see their wiki page: http://code.google.com/p/android-wifi-tether/)

   

3. Install the packet capture application. This also will need additional steps after the installation. (http://sites.google.com/site/androidarts/packet-sniffer)
4. Once you have the packet sniffer installed, configure it to log to a file instead of a sql database. I wasn’t able to find the actual database this thing logs to, but the text file appears right at the root of the sdcard. It looks just like the ‘live’ output though, which I don’t think is a proper format. It doesn’t log raw traffic at all.
5. Don’t start the sniffer or wifi tether yet – they must be configured beforehand.
6. Go back to wifi-tether and configure the SSID. Name it something which will attract people in search of free wifi. Linksys. Dlink. Netgear. 2WIRE858. The SSID of a target network, perhaps. Again, do not turn on tethering here yet.
7. Open up the packet sniffer again, and go to the ‘wifi capture’ section, then enable the capture, and if you’d like, enable logging packets to the screen.
8. Hit the phones ‘home’ button to exit without stopping the packet capture tool, and re-open the wifi tethering tool. Once in the tethering tool, enable tethering.
9. Hit home again, and go re open the packet capture tool. If anybody connects, wifi tether will tell you in the status bar at the top of the display, and you will start seeing arp traffic and dhcp traffic scroll in the live feed window as you would with any other packet sniffer.
   

There are several caveats to this though:

1. This tool appears to not capture raw packets. You can do this from a terminal using TCPdump if you feel so inclined – the packet capture tool installation instructions have you install a new version of tcpdump. You should be able to use this to capture raw traffic and not just clear text
2. Packet capture has to be running before wifi tether – if you try to do it the other way around wifi tether will hang and you’ll have to kill it.
3. This will also capture all the traffic from your phone to the internet, so if you’re trying to do a bunch of stuff on your phone while running a rogue access point, it will  muddy your results.

This has been a fairly simple howto – you creative types will easily be able to find more interesting things to do with this.

My wishlist after figuring this out? – An app that acts like airodump – I want to see clients probing for networks so that I can “give them what they want”. I also want this packet capture tool to log raw data, not just plaintext stuff.  Now that this is possible, I wish for tools like drifnet, dsniff, and others of that sort to become available on the android platform. The objective here would be to use this during a pen test as a tool to capture data, then bring it back to the labs for analysis.

Before we begin, however, I want to re-emphasize that it is VERY EASY to protect yourself against this sort of attack. Facebook supports HTTPS, so when you browse facebook (or twitter for that matter) or if you have it bookmarked – please make sure you’re using HTTPS:// rather than HTTP:// in the URL at the very least, if not using a VPN solution for further encryption. Also, if the ‘victim’ logs out of facebook, the attackers session becomes invalid – so it’s a good practice to actually log out of facebook and log back in again rather than using the ‘remember me’ checkbox.

Facebook like many sites operates using authentication cookies. Their auth cookies contain a variety of information, but for our purposes this is irrelevant. Here is a sanitized cookie for reference:

Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc; lsd=Xesut; lxe=greg.evans%40****************; c_user=100001230367821; lo=wl9fcGXMhPfoT4bAhKFP3Q; lxs=1; sct=1276721745; xs=a615cfe596448194d6e2a8d062a90e4e

You can see the ‘lxe’ field is the login. We haven’t done any further research into what the various other fields mean, but using facebook without any kind of security you’re both leaking the email address used for your login and the session cookie.

First thing you’ll want to do is fire up your favorite packet capture application. For this example we’ve used Wireshark:

Next, set the filter in the top left to ” http.cookie contains “datr” “. This should show you only packets captured which contain the cookie we’re looking for. You can see that in this screenshot we’ve already captured a cookie.

Once you’ve found a suitable cookie, you can copy it into the buffer by right clicking on the cookie line, and clicking Copy -> Bytes (Printable Text Only)

Next you’ll want to open up firefox. You’ll need both greasemonkey and the cookieinjector script.

Simply browse to facebook – make sure you are not logged in:

Hit ALT-C to bring up the cookie injector dialog box:

Then paste in the cookie!

Hit refresh and – VIOLA! you’re now logged in as your victim! Now this doesn’t give you access to their credentials, this is about the equivalent to walking up to their workstation while they’re away from their desk and using facebook.

Neat huh? Pretty easy too. I smiled big when we demo’ed the attack in our lab – its old, sure, but being successful is always a good feeling!

P.S: This isnt REALLY Gregory Evans account. We setup this account because .. well.. the name was available! We thought it was in good taste as the No #1 hacker’s twitter feed got hacked the other day, his site is riddled with XSS exploits, and his book is copypasta from a variety of certification exam prep books. Thanks to Nick and mckt for the work and tootilage, respectively. No noobs were harmed in the making of this film.

This is the charted battery usage over approximately 3 days. I learned very quickly that when you go to meetups and parties and pass around a brand new phone that very few people have everybody wants to try the same stuff on it over and over again – so the thing gets quite a workout and gets handed back to you with %20 battery left.

I’m using this app to monitor the battery and produce the data for the graph. So far it works out well – except when its not running it simply doesn’t record data, so the datapoints on the bottom of the chart make the graph look a little interesting. I’ve numbered some interesting behavior on the chart:

1. I recorded the Lost Abbey brewery tour for ~25 minutes. It consumed approximately %25 of the battery life
2. It took 3 hours and 45 minutes to charge from roughly %35 battery life to full.
3. in 40 minutes of usage I went from %80 battery to roughly %35
4. Leaving the phone overnight to cycle the battery
5. Disregard – You can see at the bottom of the chart the time jumps from ~09oo hours to ~1800 hours in one step.
6. I’d argue ‘standard’ daily usage
7. a good solid charge via my macbook
8. more standard usage

First impressions: This thing is *FAST*. I mean *FAST*. Clocked at 1ghz its very impressive. My G1 would chug and choke when opening the gallery as it tried to thumbnail all the pictures. I suspect the built-in 8 gig storage may have something to do with its I/O performance as I’m guessing the onboard flash is going to behave more quickly than an sdcard. One of the first things I love thinking about is ‘can this thing run nmap/metasploit/JtR/aircrack/etc’. As far as its ability to do that – I have every confidence that the thing could take the pepsi challenge should it arise – however I’ve almost immediately noticed I have to charge this thing 2x a day if I want to use it in any lengthy amount of time. I havent actually had it DIE on me yet, but it’ll get down to %20 or so battery before I start fiddling trying to find the charger.

Its fast, and very very capable. The camera beats the pants off the G1 camera hands down and this is a very appreciated breath of fresh air after having my G1. Only drawback is that it really does consume a lot of juice. I read in the forums that some users have been able to use batteries from other phones in the incredible successfully and extend their battery lives that way.

Interested in hacking the thing? We still don’t have root on it. What does having root mean? Tethering, overclocking, the possibility of all the wonderful linux-based tools we’re used to (nmap, metasploit, etc) and more.

Here are the forums if you want to throw your hat in the ring to get root and help the community expand the functionality of this phone.

The easier it gets to write code(scripting, really), the sloppier it gets and the more insecure it gets.

We can see this because of the prevalence of sql injection, cross site scripting and error handling in the ever expanding catalog of new sites appearing on the internet.

I cite this from personal experience. As of late people seem to care more and more for ‘how pretty it is’ and less about what actually happens behind the scenes.  I’m reminded of the 90s when video games were stuck in 256 color 320×240, with bleeps and bloops for sound – if you didn’t have a good story people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music, and gameplay is all phoned-in.

These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine noticed something – the android foursquare application communicates unencrypted, using apache’s ‘basic’ authentication.

For those of you who aren’t sure what that means, here’s the breakdown:

The most basic form of authentication apache uses is called ‘basic auth’. All it does is take your credentials and encode them using base64 – the same encoding used for email attachments. Encoding is not encryption. You can decode this in seconds. There are even apps that will do it for you if they see a base64 encoded string.

@quine asked me to do a packetsniff on my phone, so I plugged my G1 into my notebook, fired up adb and got a shell on my phone. Tcpdump -s 65535 -A -l -nnnvvv  showed me this

11:18:35.553924 IP (tos 0×0, ttl 64, id 54010, offset 0, flags [DF], proto TCP (6), length 286) 25.97.11.256.39819 > 174.129.33.12.80: P, cksum 0xc5e2 (correct), 1:247(246) ack 1 win 2920

E…??@.@.r..a.?.!….PDH?.????P..h??..GET /v1/user?mayor=0&badges=0&geolat=31.123456&geolong=-110.123456&geohacc=5000.0 HTTP/1.1

User-Agent: com.joelapenna.foursquared 2010011401

Host: api.foursquare.com

Connection: Keep-Alive

Authorization: Basic T2hUaGlua1lvdXJlOkNsZXZlckRvbnRjaGEK

UHHH.. that ‘Authorization: Basic’ line there are my credentials. Right along there with my GPS coordinates! They’re sent with nearly every request. In the clear! Wow – I’m never using my phone on unencrypted wifi again.

To decode base64 one must merely copy/paste the encoded string into any one of a handful of different decoders. We used this command line on osx:

echo ‘<base64 string>’ | openssl enc -base64 -d

There are applications that exist now, like dsniff, which will deobfuscate the credentials when they’re seen on the lan or over the air. This is pretty bad. There’s no other way to put it. Thanks to @jennyjenjen for meeting up with me to test it on the iphone, which uses the same API, and is just as vulnerable.

My suggestion: If you’re going to use foursquare on your mobile device, make sure you’re not using open coffeeshop wifi spots, and you’re using your carriers 3g/cdma/gsm/etc internet connection. This will protect you from the potential of people sniffing credentials on your lan. Or, have a look at zipline!

With the information that I know now (12:40am, 12/18):

The host which contained the landing page was hosted with bluehost. This tells us a few things

• They didn’t have the infrastructure to do packet captures, or credential theft. Bluehost does shared hosting.
• Any attempt to do so would have thrown TONS of SSL errors, and very likely DDoS’ed the server hosting the landing page. (Twitter had HUNDREDS of servers, these guys had 1.). All of your twitter apps would have thrown errors, or flat out stopped working.
• Twitters security infrastructure was left untouched, and was not a target of the attack.

I’ve been watching twitter scroll with sensationalism and panic, people yelling “OH GOD TWITTER GOT HACKED EVERYONE CHANGE YOUR PASSWORDS NOW”.

Please – don’t do that.

Its going to make everyones job harder who have to work on this situation, it incites panic and causes people to prematurely flip out and do things they probably shouldn’t do.

I’ve had to deal with this in the past – people throwing their arms in the air and screaming about passwords being compromised when they in fact weren’t. It did not end well.

Please – think before you hit send.

From the beginning I got their “Business class” cable. It was 150/month for what I needed. The cablemodem would randomly drop its signal leaving me with no connection and customers that were down. It still does it. With no explanation from Time Warner.

The contract I signed with them was for 1 year. Within that year, they were contractually obligated to an SLA and some other things, and during that year it was pretty easy to get them on the phone, and get them to respond to issues I’ve had with their (terrible) service. Once that contract ran out, however – suddenly it was like pulling teeth to get my ‘accounts manager’ on the phone. When I did track down the guy he told me that it was someone elses job now and to go deal with them – but they were nowhere to be found either.

It’s now been just a tick over four years I’ve had this line with Time Warner. I should also explain that running a business out of my home, I had two accounts on the same physical line – a home television account (which I’ve cancelled) and the business internet account. The sad part is that apparently they have no system to keep track of these things and the installers really could care less because they’re practically anonymous.

A few months ago I cancelled my cable and took the leap to watching what I’d normally watch on TV, on sites like hulu. This saved me over 100/mo. I’ll describe what I did

• Paid my final bill (which was in excess of $200), bringing my balance to 0.
• Called Time Warner, Cancelled my cable. They told me that as long as I had the cable box, the billing would continue.
• I returned the cable box 3 days later.
• A month goes by
• I get another bill from time warner for 90 dollars.
• I call asking about the bill, wondering what it was, and the following conversation transpired:

I’m sorry sir, you still had basic cable, thats what the bill was for.

I don’t understand. Why did I still have basic cable?

I don’t know, sir. Its just what the system shows.

Does your system show that I called and cancelled my cable?

Yes, it does

So why didn’t you guys cancel my cable?

Sir, you could have plugged your tv into the wall and gotten basic cable, that’s why you were charged.

Why would I do that if I EXPLICITLY called to cancel my cable?

I don’t know sir, thats just what my system shows.

Isn’t basic cable something like 12 dollars a month?

Something like that, yes.

So how on earth could I amount a 90 dollar bill in a month with only basic cable, AFTER I’ve asked you to cancel my cable?

I don’t know sir, you’ll have to talk to someone else about it.

• Now I’m getting BOTH bills from Time Warner *AND* the collection company they’ve hocked me out to. The last time I sent someone to collections (yes, I’m a business owner too, and I’ve had to deal with people who don’t pay) the procedure was to take the money the collections people give you and let them keep what they collect from the victim. Time Warner wants me to pay them *AND* the collection agency? This is completely absurd and completely not acceptable.

The best part is that when I cancelled my television account with Time Warner they sent a truck out to disconnect the line – the same line I use for my business internet. This brought me down for a day and I was furious – I called them and again, they had pretty much nothing to say. I’ll be running this one up the flagpole, recording all my conversations with them and posting everything. I’m looking forward to posting audio of their representatives basically telling me “We’re bending you over the sink for 90 dollars, and we dont know why”.

EDIT: Also, I’ve been noticing that to their consumer market they’re offering ’24 megabit gaming service’. They have failed to explain why consumers that pay 20/mo can get nearly twice the bandwidth a business account can get, and adamantly refuse that its possible to do what their own ads are saying. I get these in the mail, you see. Against my will. I get ads from a company I already have products from, advertising to me WHAT I ALREADY OWN.

I was late to hear – by a day. Thats 10 years in internet time, we all know. If you’re not in InfoSec you probably didn’t hear. Maybe you heard somewhere, irc, twitter, other bits of the intarnets that Kevin Mitnick got hacked. Everyone chuckled. As it turns out a whole bunch of people got compromised. People I know personally who I consider friends. Rob Fuller, Dan Kaminsky, the Hak5 group and a handful of others, including Kevin Mitnick.

Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) is the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).

The textfile the group distributed was called zf05.txt and after skimming it’s abundantly clear that wordpress played a huge part in these folks getting rooted. Almost every example was sort of an ‘all in one’ server that was used for ‘whatever’. Its also become clear that jam packing one server with a bunch of services makes it more vulnerable to compromise. Ever heard of KISS? “Keep it simple, stupid”. It’s used very commonly among engineers, computer people – you name it. Anyone that has to build things or design things. The minute you start adding complexity for no reason the proverbial altimeter begins its decline.

People who fake tech exacerbate things. There are groups that call themselves “tech” when in reality they are simply PR or Marketing. The problem here is that they advertise themselves as “technical solutions” to their clients – so the problem cascades – lots of sites/apps that go online with very very poor security which ultimately get compromised. The Web 2.0 craze has hypnotized people into putting almost everything they think and do ‘behind the scenes’. They let “someone else” worry about it. Guys, If YOU aren’t going to worry about the safety of your own data, NO ONE ELSE WILL. Some ruby programmers I’ve met are incapable of manually issuing a sql query. Others are incapable of interacting with sql unless they have phpmyadmin. These folks generate a requirement to artificially make systems more complex and less secure entirely to suit their evergrowing hatred of looking things up themselves or actually learning anything about the technology they use every day. The easiest way to think about it is this: Think of some people. Now think of these people all owning cars. Think of these people now requiring something as simple as an oil change, a tire change, or a simple tune up. Now think of these people taking their cars to a shop to get work done – for whatever reason: maybe they lack the tools, maybe their HOA doesn’t allow them to perform work on their cars on the grounds (those HOA people desperately need to be stabbed in the lungs, by the way) or maybe they just don’t know how. Now lets imagine these people have the work done, and are talking to the mechanics as they are preparing the invoice behind the counter. The mechanic begins to explain how their oil was changed, and these people abjectly refuse to learn or understand how this works even from a top-level non-technical aspect – they plug their ears and yell “NO! NO! AAALALALALA!! NOT LISTENING NO NOOOO! ALLALAAAAAA!”.

These people strongly support a fancy new term. “Cloud Computing”. Cloud computing will make this worse for everyone.

Let me jump away for a moment. I’d like to point out a fact. The attackers that distributed zf05.txt made a valid point – a point I’ve tried to make to peers, friends and clients alike – If your site/data are on shared hosting and you consider them secure that may mitigate some amount of risk. But if the other people hosting their data are vulnerable and your data is on the same system, you’re still vulnerable.

Now we have some ingredients – lets make a stew. Lets take these bits of information and put them all together and let it simmer.

• Non technical people whos requirements and behavior are insecure and promote systems being rooted
• Systems with lots of various services running on them
• A new trend of mashing these systems together to form giant systems that do the same thing, ending up being bigger and more powerful
• Commonly used software being exploited within a week of a patch.

Mix in a bowl with a wisk until creamy. Add a teaspoon of extra virgin olive oil to a cast-iron skillet. Add a bit of freshly cracked pepper to the oil and some freshly pressed/minced garlic. Let simmer until the pepper and garlic begin to bubble, then pour the mixture from the bowl into the skillet and add a squeeze of fresh key lime if you wish. Cook until firm or golden brown, flip once, then serve! Let stand for 10 minutes to cool. What do you get? What does it smell like? (Well if people actually taste of chicken then that may make one hell of a breakfast omlette). We dont know. Here’s why we don’t know:

• “Business people” like the idea of getting rid of systems administrators and IT overhead
• “Cloud Computing” does not have a security model yet
• There are no standards – this stuff is too new
• Far too many people are comfortable being hacked, and say “oh there’s nothing important on that sit/box”

.. Really, guys? You don’t use that same wordpress password everywhere? For your bank, for gmail, for your car insurance or your mobile provider to login? If a blackhat gets that password you’re really okay with it? If thats the case, I’d like you to kindly leave the internet, never to return. Please – do us all a favor, for the people that like keeping their privates private and their secrets secret, go away.

So we’re going to take all of these insecurities, vulnerabilities and holes – package them up with non-technical people demanding insecure practices so that they don’t have to learn or think and we’re going to replicate this ad nauseum and store the results in one gigantic computer grid system? Awesome. Maybe I should trade in my whitehat for a black one – since thats obviously where all the focus, media, fear and money are going to be. Or maybe I’ll just make my white hat bigger – perhaps people will come to their senses and listen to fact and reason. Perhaps not. I guess we’ll see.

I’m not the only one, either…

http://darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=218102139&cid=RSSfeed – Black Hat hackers mouths are beginning to water.

http://www.sensepost.com/blog/3706.html – open the ppt, this was the defcon17 “clobbering the cloud” talk. they pwned amazon ec2.

http://evilpacket.net/ – see the ‘theft of a rackspace cloud api key’. These guys got root on the rackspace/mosso cloud (you’re not supposed to be able to get a shell on rackspace’s cloud).

So you tell me, guys – what’s it going to be?

message ends

Aten: How much of your life does Etech consume?

Brady: it consumes… I start working 10 months in advance. In some ways 14 months in advance. 10 months is the theme for the following year, its my first conference of the year, so it gets my attention. I’d like to have as many worthwhile things as possible crammed into into that time – the conference is only four days. Every facet of the conference has to be interesting. There is tech/art in the halls, events in the evenings. Its broad.

Aten: What is your background?

Brady: I have an engineering degree, worked in management, integrations – then did a friends music startup kind of like pandora which was then bought by bought by MS, done some music, worked at a google news competitor, then ended up in search as a project manager. Did evangelism/blogging sort of half product, half watching the outside world. I talked to O’Reilly and after some negotiations I ended up coming aboard.

Aten: Have you seen etech grow or shrink in the last 5 years?

Brady: Etech went up and down. This year is a down year because of the economy. We’re doing well but its a down year. When I was there in 2005 as a softie it was doing well, back in the beginning of web2.0. All the web people were coming to the con, but now that Web 2.0 can’t be considered ‘emerging technology’ anymore we’re seeing less of that crowd.

Aten: Why the move to San Jose?

Brady: Its all about venue. Moscone stomped our San Diego dates. The secret to a good conference is all about the venue. Unfortunately this year we had to end up moving our dates around due to conflicts with other conferences and we ended up in San Jose.

Aten: What sort of telemetry do you hope to gain by RFID’ing everyone up at this Etech?

Brady: I just want to see how people interact with the technology. I think that RFID .. people being able to play with it will expose them to a bit of new technology, and add a bit of joy to interacting with other people. We have this one project called pulse that’s going to be placed around Etech and people can walk up and swipe and we can get a heat map of activity around the conf, similiar people to you will get a path.. I think that will work out well.

Aten: Are you takine a cue from defcon in providing badge material that is hackable?

Brady: You can write to the tags – but these arent actually how you’ll get admittance to the conf. This is paralell to the conf badge. This is the firs ttime we’re doing it – let see what happens!

Aten: Do the prevailing winds bring the scent of more hacking?

Brady: We’re adding a room for hacking. MAKE is going to be there with tables and soldering irons, So people can do on-site … anything they want. They’ll be RFID readers for purchase, so people can build projects there!

If you do a little sleuthing, there are tons of discount codes available to get discounts on attendance for ETech! This will be my third ETech and I look forward to seeing old friends and making new ones. Come find me, I’ll buy you a beer!