After I rooted my HTC Incredible I started doing searches in the market for interesting things. I found some neat wireless utilities, I found a file manager that lets you browse SMB fileshares on the lan (NEAT.), I found a packetsniffer, and some more interesting tools.

The light came on over my head when I realized “Wait, a packet sniffer AND a wireless access point? .. can .. I sniff.. the wifi with this?!”. As it turns out the answer is yes – it takes some fenagling, and if you do it in the wrong order one application stomps the other (I’ve already written the author of the packet capture application about this but have not gotten a response yet).

Here is a quick walkthrough on how to turn an HTC Incredible into a rogue wireless access point:

1. Root the phone. This can be done by visiting http://unrevoked.com/recovery/, downloading the app, and running it.
2. Once the phone is rooted, go to the market, and install the wifi tether application: Be aware though, that with the HTC incredible there are additional steps to get this application to work (see their wiki page: http://code.google.com/p/android-wifi-tether/)

   

3. Install the packet capture application. This also will need additional steps after the installation. (http://sites.google.com/site/androidarts/packet-sniffer)
4. Once you have the packet sniffer installed, configure it to log to a file instead of a sql database. I wasn’t able to find the actual database this thing logs to, but the text file appears right at the root of the sdcard. It looks just like the ‘live’ output though, which I don’t think is a proper format. It doesn’t log raw traffic at all.
5. Don’t start the sniffer or wifi tether yet – they must be configured beforehand.
6. Go back to wifi-tether and configure the SSID. Name it something which will attract people in search of free wifi. Linksys. Dlink. Netgear. 2WIRE858. The SSID of a target network, perhaps. Again, do not turn on tethering here yet.
7. Open up the packet sniffer again, and go to the ‘wifi capture’ section, then enable the capture, and if you’d like, enable logging packets to the screen.
8. Hit the phones ‘home’ button to exit without stopping the packet capture tool, and re-open the wifi tethering tool. Once in the tethering tool, enable tethering.
9. Hit home again, and go re open the packet capture tool. If anybody connects, wifi tether will tell you in the status bar at the top of the display, and you will start seeing arp traffic and dhcp traffic scroll in the live feed window as you would with any other packet sniffer.
   

There are several caveats to this though:

1. This tool appears to not capture raw packets. You can do this from a terminal using TCPdump if you feel so inclined – the packet capture tool installation instructions have you install a new version of tcpdump. You should be able to use this to capture raw traffic and not just clear text
2. Packet capture has to be running before wifi tether – if you try to do it the other way around wifi tether will hang and you’ll have to kill it.
3. This will also capture all the traffic from your phone to the internet, so if you’re trying to do a bunch of stuff on your phone while running a rogue access point, it will  muddy your results.

This has been a fairly simple howto – you creative types will easily be able to find more interesting things to do with this.

My wishlist after figuring this out? – An app that acts like airodump – I want to see clients probing for networks so that I can “give them what they want”. I also want this packet capture tool to log raw data, not just plaintext stuff.  Now that this is possible, I wish for tools like drifnet, dsniff, and others of that sort to become available on the android platform. The objective here would be to use this during a pen test as a tool to capture data, then bring it back to the labs for analysis.

Language can be used for a lot more than simply convincing a part time employee to let you have more access than you should somewhere – Language can be used to full on exploit “memory corruption” in the mind. The use of the right language is powerful enough to overwrite peoples memories if even temporarily.

Below I’ve linked some information pertinent to the techniques employed when language is the tool used to achieve things like memory corruption, buffer overflows, execution of arbitrary code – except on people. In particular, pay attention to the cognitive biases – see if you think any of them apply to you

Then combine the cognitive biases with things like NLP anchoring and subliminal suggestion and you quickly end up with a recipe for gaining someones trust, convincing them to give you access somewhere or to something, or telling you secrets – all without having to don a fedex uniform and pretend you’re someone else. You can even have someone give you their phone and car keys – willingly.

Language is a very very powerful tool and put in the hands of information security professionals (or attackers) it becomes even more weaponized.

Apologies for the videos that wont embed – if you click through you can view them on their youtube page.

The easier it gets to write code(scripting, really), the sloppier it gets and the more insecure it gets.

We can see this because of the prevalence of sql injection, cross site scripting and error handling in the ever expanding catalog of new sites appearing on the internet.

I cite this from personal experience. As of late people seem to care more and more for ‘how pretty it is’ and less about what actually happens behind the scenes.  I’m reminded of the 90s when video games were stuck in 256 color 320×240, with bleeps and bloops for sound – if you didn’t have a good story people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music, and gameplay is all phoned-in.

These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine noticed something – the android foursquare application communicates unencrypted, using apache’s ‘basic’ authentication.

For those of you who aren’t sure what that means, here’s the breakdown:

The most basic form of authentication apache uses is called ‘basic auth’. All it does is take your credentials and encode them using base64 – the same encoding used for email attachments. Encoding is not encryption. You can decode this in seconds. There are even apps that will do it for you if they see a base64 encoded string.

@quine asked me to do a packetsniff on my phone, so I plugged my G1 into my notebook, fired up adb and got a shell on my phone. Tcpdump -s 65535 -A -l -nnnvvv  showed me this

11:18:35.553924 IP (tos 0×0, ttl 64, id 54010, offset 0, flags [DF], proto TCP (6), length 286) 25.97.11.256.39819 > 174.129.33.12.80: P, cksum 0xc5e2 (correct), 1:247(246) ack 1 win 2920

E…??@.@.r..a.?.!….PDH?.????P..h??..GET /v1/user?mayor=0&badges=0&geolat=31.123456&geolong=-110.123456&geohacc=5000.0 HTTP/1.1

User-Agent: com.joelapenna.foursquared 2010011401

Host: api.foursquare.com

Connection: Keep-Alive

Authorization: Basic T2hUaGlua1lvdXJlOkNsZXZlckRvbnRjaGEK

UHHH.. that ‘Authorization: Basic’ line there are my credentials. Right along there with my GPS coordinates! They’re sent with nearly every request. In the clear! Wow – I’m never using my phone on unencrypted wifi again.

To decode base64 one must merely copy/paste the encoded string into any one of a handful of different decoders. We used this command line on osx:

echo ‘<base64 string>’ | openssl enc -base64 -d

There are applications that exist now, like dsniff, which will deobfuscate the credentials when they’re seen on the lan or over the air. This is pretty bad. There’s no other way to put it. Thanks to @jennyjenjen for meeting up with me to test it on the iphone, which uses the same API, and is just as vulnerable.

My suggestion: If you’re going to use foursquare on your mobile device, make sure you’re not using open coffeeshop wifi spots, and you’re using your carriers 3g/cdma/gsm/etc internet connection. This will protect you from the potential of people sniffing credentials on your lan. Or, have a look at zipline!

I talk shop a lot. I talk to people who are security concious, I talk to people who aren’t, and I talk to people who think that ‘security’ means evil hackers from russia who are going to steal their credit cards. Think of security this way:

You run a shop. In this shop you sell things. Some things are physical, and some things are purely informational. In this store you run, do you put the combination to your back safe on a post it note on the cash register? Do you leave the keys to the front door out where the customers can get at them? Do you lock the safe and doors when you leave? Are there security cameras? Will you know if something gets stolen, or if someone is shoplifting, or if an employee is embezzling? These concepts are exactly the same, and sometimes when it comes to data, they’re far far more important. Data controls all of our financial transactions, for example. Data controls how we do most of our buisness these days. Who *DOESNT* use data for business transactions, banking information – or keeping secret data secret?

I keep saying to folks who I talk shop with: “Security isn’t what you think it is”. This is a perfect example. Tiny flaws in ones security strategy, or even lack of any security can lead to an attacker (or law enforcement or a private investigator) being able to glean information to further their purposes.

Recently I was asked to “find someone”. There was an individual being abusive and one of the people on the receiving end came to me asking for my help. This abusive individual was hiding their identity by way of a pseudonym, a separate email address, separate blog and other means of distancing their alter ego from their real one.

I had a feeling that the subject was not a technical person, having read through some of the blog posts and articles they wrote. This person had a lot to say and didn’t care about the damage their words did. The subject frequented political blogs and basically dropped bombs on people. One of the things they said one day crossed the line.

My client gave me a few leads: an email address, a couple blog posts.. that was it. Not too much to go on.

I hit google like anybody would have done, and started searching about for any clues that could potentially uproot some juicy info. I ended up finding a twitter feed, and a little while later a wordpress 2.6.5 blog.

I raised an eyebrow. Wow. 2.6.5? TODAY? when 2.8 is out? This person is not detail oriented, and clearly has no idea how significant being that out of date is. This was a pretty big clue. I started perusing around the blog and found outright that this blog was a fresh install, with just a simple theme slapped over it and no actual content.

“Perfect” I thought. “This person is likely to have not even read that ’10 ways to secure wordpress’ blogpost I ran across a while back”

Certainly enough, wp-content/themes was browsable, and so was wp-content/plugins. Fairly slim pickings though, a couple of different themes which didn’t yield any data, akismet and hello.php in the plugins dir.

I clicked hello.php, being not entirely certain what it was for (I’d tried to look up its purpose before but either I don’t remember or I couldn’t find a real valid purpose) and I was presented with a PHP error. It looked something like this:

Fatal error: Call to undefined function add_action() in /home/<subjects twitter nick>/<subjects domain>/wp-content/plugins/hello.php on line 61

Bingo! I immediately recognized the twitter nick as one I’d seen before, and this person was well known for being very, shall we say ‘verbal’ about their political views and had no remorse for their actions. I read a few of this persons blog posts on their personal blog, and compared the writing style to that of the subject I was approached about. The were congruent. Same writing style, same words used etc.

The abusive individual who was trying to hide their identity made a mistake. They thought that directory names on their webhost didnt matter, so they could just use something familiar. I’m sure the username/password combination they used on the blog was the same for a handful of other things they use as well. Either that, or the directory name didn’t even cross their minds – to setup an account somewhere and leave NO TRACE of who they really were. This person was far too concerned with stirring the pot and making trouble to even consider actually thinking twice about how badly they wanted their identity kept a secret. Another big tell was that this persons alter twitter account and their real twitter account didn’t follow eachother, but they followed HUNDREDS of other peripheral people and organizations with the same political alignments and interests. Both identities lived in the same city. It would be a stretch to think that they follow the same few hundred people and have never heard of eachother.

I prepared an email for my client stating what I had found, and where, and citing some examples.

Case closed!

That being the case doing a security101 class in an actual classroom environment where I can have the attendees comfortable and perhaps even have a projector would likely be far far better. Phelan was gracious enough to let me usurp the january installment of refreshsd to give my security101 talk in a more meaningful and more formal environment. Refresh this month is on the 13th – see refreshsd.org for details, or see the meetup group.
Here is my proposed curriculum:

Basic networking
- How do computers talk?
- what is a packet?
- whats IN a packet?

clear text versus encryption (http, ftp, dns)
how websites pass information around
How to tell if the site you’re on is passing your information encrypted or not.
Some network voodoo – watching the stream
-driftnet
-dsniff
-watching dns queries
(the next three may or may not be permitted depending on qualcomms network configuration)
basic man in the middle example
faking ssl certs
changing dns

Hope to see you all there!

All that being said – I like to be clever. I like to use ingenuity to do basically what everyone else does but put a fancy little twist on it. Historically when someone is looking for a job, they will hit some job search sites like monster and dice and then send their resume to people – never knowing if it gets seen with human eyes, or ever gets any attention. Who knows? Does your resume even get read? If it does, how soon? Wouldnt it be nice to see the time correlation between when you sent your resume to someone and when they actually looked at it – or even if they looked at it at all?

I put my resumes in a public place – not publically linked, but I send the url to people directly – that way when someone goes to look at them I have records in my apache logs. For example, one quick grep command gives me these results: (notice I’m only grepping for December 8th and 9th)

grep resumes atenlabs.com.access.log | egrep ’08\/Dec|09\/Dec’ | egrep -i ‘pdf|doc’

75.212.202.71 – - [08/Dec/2008:15:32:51 -0800] “GET /resumes/dan-resume-2008.pdf HTTP/1.1″ 200 112865 “http://www.atenlabs.com/resumes/” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; MS-RTC LM 8)”

75.212.202.71 – - [08/Dec/2008:15:33:42 -0800] “GET /resumes/dan-resume-2008b.pdf HTTP/1.1″ 200 118460 “http://www.atenlabs.com/resumes/” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; MS-RTC LM 8)”

75.212.202.71 – - [08/Dec/2008:15:34:23 -0800] “GET /resumes/dan-resume-2008.pdf HTTP/1.1″ 304 – “http://www.atenlabs.com/resumes/” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; MS-RTC LM 8)”

75.212.202.71 – - [08/Dec/2008:15:35:16 -0800] “GET /resumes/dan-resume-2008-msword.doc HTTP/1.1″ 200 43008 “http://www.atenlabs.com/resumes/” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; MS-RTC LM 8)”

75.212.202.71 – - [08/Dec/2008:15:35:23 -0800] “HEAD /resumes/dan-resume-2008-msword.doc HTTP/1.1″ 200 – “-” “Microsoft Office Existence Discovery”

75.212.202.71 – - [08/Dec/2008:15:36:54 -0800] “GET /resumes/dan-resume-2008b.doc HTTP/1.1″ 200 31232 “http://www.atenlabs.com/resumes/” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; MS-RTC LM 8)”

75.212.202.71 – - [08/Dec/2008:15:36:58 -0800] “HEAD /resumes/dan-resume-2008b.doc HTTP/1.1″ 200 – “-” “Microsoft Office Existence Discovery”

64.128.15.194 – - [08/Dec/2008:18:50:52 -0800] “GET /resumes/dan-resume-2008-msword.doc HTTP/1.1″ 200 43008 “http://www.atenlabs.com/resumes/” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13″

64.128.15.194 – - [08/Dec/2008:19:15:04 -0800] “GET /resumes/dan-resume-2008.pdf HTTP/1.1″ 200 112865 “http://www.atenlabs.com/resumes/” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.1; .NET CLR 3.0.04506.648)”

70.179.4.41 – - [08/Dec/2008:23:24:37 -0800] “GET /resumes/dan-resume-2008.pdf HTTP/1.1″ 200 112865 “http://www.atenlabs.com/resumes/” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)”

70.179.4.41 – - [09/Dec/2008:00:15:28 -0800] “GET /resumes/dan-resume-2008.pdf HTTP/1.1″ 200 112865 “http://www.atenlabs.com/resumes/” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)”

67.202.54.191 – - [09/Dec/2008:04:42:00 -0800] “GET /resumes/dan-resume-2008-business.pdf HTTP/1.0″ 200 2330 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)”

67.202.54.191 – - [09/Dec/2008:04:42:24 -0800] “GET /resumes/dan-resume-2008.pdf HTTP/1.0″ 200 112865 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)

Interesting – I can see the dates and times of when people clicked on things in the /resumes directory. I can see that my resumes are getting crawled – which may or may not be a good thing – and I can see that the same users are viewing both my business resume and my technical resume.

Lets take this a step further..

grep resumes atenlabs.com.access.log | egrep ’08\/Dec|09\/Dec’ | cut -d” ” -f1 | sort -u

204.14.152.106
64.128.15.194
67.202.54.191
70.179.4.41
75.212.202.71
97.113.157.234

Awesome, I can see unique IPs that viewed my resume in the last two days – but .. who are they? We can find this out too:

for i in `grep resumes atenlabs.com.access.log | egrep ’08\/Dec|09\/Dec’ | cut -d” ” -f1 | sort -u`; do host $i; done

Host 106.152.14.204.in-addr.arpa. not found: 3(NXDOMAIN)
194.15.128.64.in-addr.arpa domain name pointer corp1.referentia.com.
191.54.202.67.in-addr.arpa domain name pointer ec2-67-202-54-191.compute-1.amazonaws.com.
41.4.179.70.in-addr.arpa domain name pointer ip70-179-4-41.sd.sd.cox.net.
71.202.212.75.in-addr.arpa domain name pointer 71.sub-75-212-202.myvzw.com.
234.157.113.97.in-addr.arpa domain name pointer 97-113-157-234.tukw.qwest.net.

Even better! I can see that Referentia, a company that had a very attractive posting has viewed my resume. Good! I sent them my resume TODAY (the 9th) and they viewed it today – perhaps this is a clue that my cover page is doing its job nicely! I can also see that some ‘home’ ip addresses have clicked on my resumes, qwest.net, which I don’t think exists in San Diego, and a myvzw address which is a verizon wireless connection (someone on a laptop, perhaps? Or tethered to a phone..). The ec2 amazon connection sort of worries me – why is an amazon ec2 instance touching my resume? Let’s find out some more info..

grep 67.202.54.191 atenlabs.com.access.log

67.202.54.191 – - [08/Dec/2008:04:18:24 -0800] “GET /robots.txt HTTP/1.0″ 200 36 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)”
67.202.54.191 – - [08/Dec/2008:04:18:24 -0800] “GET /resumes/ HTTP/1.0″ 200 1281 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)”
67.202.54.191 – - [08/Dec/2008:20:56:13 -0800] “GET /robots.txt HTTP/1.0″ 200 36 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)”
67.202.54.191 – - [08/Dec/2008:20:56:14 -0800] “GET /resumes/?C=D;O=A HTTP/1.0″ 200 1691 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)”
67.202.54.191 – - [08/Dec/2008:20:56:20 -0800] “GET /resumes/?C=M;O=A HTTP/1.0″ 200 1691 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)”
67.202.54.191 – - [08/Dec/2008:20:56:26 -0800] “GET /resumes/?C=N;O=D HTTP/1.0″ 200 1691 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)”
67.202.54.191 – - [08/Dec/2008:20:57:14 -0800] “GET /resumes/?C=S;O=A HTTP/1.0″ 200 1691 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)”
67.202.54.191 – - [09/Dec/2008:04:42:00 -0800] “GET /resumes/dan-resume-2008-business.pdf HTTP/1.0″ 200 2330 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)”
67.202.54.191 – - [09/Dec/2008:04:42:24 -0800] “GET /resumes/dan-resume-2008.pdf HTTP/1.0″ 200 112865 “-” “ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)”

Well thats worrysome – I have personal information in those resumes and I don’t want them to be spidered and put into some search engine, so I’ve gone ahead and added ‘ia_archiver’ to my robots.txt to disallow alexa from touching my resumes. This means that someone who I’ve given my link to has put it into some system. I’ll have to refine my practices more.

Using this methodology you can do things like create reports to see how many of the people you’ve sent your link out to have actually viewed your resume, how many people ignore it and other bits of information that you otherwise would never be able to see.

I plan on writing a little script that will report back how many unique ips have viewed my resume in “the last 5 minutes”, and how many total views there were total in the last five minute, then use that script to create a cacti graph – My current quandry is how to grep a log for “the last five minutes worth of hits”. Rest assured when I get my head wrapped around it, that graph will be added to http://home.thaumatocracy.com/work

Some of the attendees ended up asking lots of questions so the ‘flow’ I had envisioned sort of went out the window – but I’d much rather have people interested and actively asking me questions: It shows interest. I’d rather have interest then have them all silent while I blather on and on.

We all ended up at my place afterwards and I was giving short demos on MITM dns tomfoolery, rewriting all queries for microsoft.com to linux.com, and doing SSL MITM attacks against hotmail using ettercap. Pretty fun stuff!

I’ll be holding the class again for anybody that missed it the first time and wants to have it again, but I haven’t chosen a date yet.

If you’re interested in a date, please leave a comment! I’d like to hold the class when more people can attend.

Here is a brief list of subjects I intend to touch on:

• Networking and host/laptop/workstation configurations, and tools
• Local Firewalls
• Running Services
• Apps to manage inbound and outbound traffic
• Transmitting data: encrypted versus clear text
• Differences between WPA and WEP
• .. and some live examples!

Hope to see everyone there!