Defense: Sidejacking, subversive wireless

Karmetasploit is a fun little toy, and I think I've got it working well -- and then some. The details of that project will be revealed later this week, hopefully. Let's just say that with a La Fonera router and a laptop, I found a way to leverage metasploit (and a few other fun tools) into a very powerful subversive wireless setup.

It's pretty much a running gag. If you see Surbo from i-Hacked in the room (and sometimes even if you don't), you shouldn't bother powering on any of your wireless toys. He almost certainly has an eeePC hiding somewhere ready to rope you into his rogue wireless network and has metasploit armed and ready to steal your session IDs.

Sidejacking happens when you allow a session-id cookie to go across the wire in the clear. A third-party gets the session ID cookie (using metasploit, hamster & ferret, Wifizoo or other tools like them) and then proceeds to import the cookie into their browser, whereupon they have access to the account the session-id belongs to.

Usually, these exploits happen due to sniffing (open Wifi, wired ethernet to a hub, ARP poisoning, Arp table flooding) but the other way they occur is through subversive wireless, I.e. Karma.

In a nutshell, Karma listens for probe requests from wireless clients and immediately begins broadcasting that SSID. It effectively ropes all new wireless clients in who aren't already associated to an existing network. When you combine Karma and Metasploit together, you end up with a rogue Access point that has the following traits:

  • Will associate to any SSID
  • Assigns a default route to the address Metasploit is listening on.
  • Runs a fake DNS server that points all domain names to the Metasploit IP
  • Launches several fake servers to gather passwords, cookies and other authentication information
  • In the case of Karmetasploit, it launches a page with many iframes so it gathers cookies for an entire list of popular sites.
So, when Thunderbird or Outlook try to connect to mail.yourcompany.com, they end up going to Metasploit. And when they hand off your username and password, Metasploit logs it in the database. Same thing goes for your cookies.

While showing a team-mate of mine how easy and devastating these tools are, we started coming up with ways to defend ourselves. Most are pretty obvious.

  • Set your browser to clear the cache, any saved passwords and all cookies every time you close it.
  • Always close all of your browser windows (and thus, get rid of all cookies and passwords) before closing the lid to your laptop or going out and about with your mobile device.
  • If possible, make sure your wireless adapter is not configured to automatically join wireless networks.
  • If you normally connect to an encrypted wireless network, but see one with the same name that's not encrypted, it may (or may not) be a rogue access point.
  • While out-and-about, it may be wise to tunnel sensitive traffic, or just wait until you get to a trusted network in order to conduct your business affairs.
  • Use sites that utilize SSL for everything, and be very, very cautious of tools such as SSLStrip.
Keep in mind a few other things:
  • Anyone can set up an open wireless hotspot and sniff the traffic from it.
  • The ubiquity of WiFi makes rogue hotspots easy to hide. It's not hard to make it look like it belongs to the hotel or coffee shop next door.
  • Some of the most dangerous access points show no sign of being rigged. You can get online, do your stuff, and leave without knowing someone was watching.
I'll post a bit more about my latest adventures from the attack side of things later this week.

blog comments powered by Disqus