Wifi insecurity via HTTP, Sniff, URL playback

[DNR]

------------ Rant/NFOrmative POST by DNR aka covert1 --------------------
copyright pissed away, the internet is insecure anyways..
------------


Foundstone Cookie Digger + SBC/ATTwifi CC login experiment

Whut?: to demonstrate insecure wifi/cabled communications. This can also be assembled via a packet sniffer that can replay URLs.

By:DNR/covert1 4/22/06

CC data is used in this experiment, and has been changed to protect the owner of the card.

Don't bother trying to replay the data, modifications made to disable them.

BTW, the #$%& post doublespaced the cookie data, it is easier to read in singlespace as thats the way its displayed in sniffers.
-------------

I fire up _Foundstone Cookie Digger v1.0_, and put in the URL of the site I want to go to-

a wifi pay connex website. I expect to find personal data exposed in PLAINTEXT HTTP
transmissions. You'll see why MAC address spoofing could be important. What was disappointing was this is a HTTPS server..
-------------

By Visiting the SBC/ATT wifi paysite,the webserver makes a GET request. This obtains my MAC

address of my wifi card and my IP. It can query on browser version, MS user/workgroup, and even machine type.

https://secure.sbc.com/ccform.adp?Proxy ... rnHost=nmd%

2ecaribou517%2eshelbmi%2ewayport%2enet&MacAddr=00%3a90%3a4B%3aF1%3aF9%3a75&IpAddr=192%

2e168%2e0%2e3&NduMacAddr=00%3a0D%3aED%3aE7%3a2A%

3aB6&NduPort=1&PortType=Wireless&PortDesc=AP1&UseCount=&PaymentMethod=CreditCard&ChargeAmou

nt=&Style=SBC&vsgpId=93ca659e%2d0694%2d11d9%2d953e%

2d00801e11e3aa&pVersion=2&ValidationHash=9d20de09a0175362fda9c67eff19e6e6&origDest=&ProxyHo

st=&ts=1145721953

Note:
You can read between the html coding to identify the numbers:
You can see the MAC address

>My machine's current mac and IP>

Description : Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
Phys Address: 00:90:4B:F1:F9:75
192.168.0.3

The server is also identifying the wifi access point I am likely to be using.
nmd.caribuo517.shelby.mi, if the Feds wanted to trace me, all they would have to do is come

to this Caribuo Coffee shop in Shelby, mi. This is an example of a third party host.

---------

The visitor will input their CC data and by clicking "Submit" The data input into the

webpage is sent over the network - a POST to the webserver..

<<_name and CC data_ changed of course for those criminal minded>>


Webpage POST

Cardholder=micheal+muller&CardNumber=5423256222312590&CardType=MasterCard&ExpirationMonth=0

9&ExpirationYear=2004&Cv=173&NumberOfDays=1&TaxRate=0.0&NmdId=6362&ReturnHost=d.caribou517.

shelbmi.wayport.net&MacAddr=00%3A90%3A4B%3AF1%3AF9%3A75&IpAddr=192.168.0.3&NduMacAddr=00%

3A0D%3AED%3AE7%3A2A%

3AB6&NduPort=1&PortType=Wireless&PortDesc=AP1&UseCount=1&PaymentMethod=CreditCard&ChargeAmo

unt=&Style=SBC&vsgpId=93ca659e-0694-11d9-953e-

00801e11e3aa&pVersion=2&ValidationHash=43a7b1c58ae4abc861680b043693eb&origDest=&ProxyHost=&

ts=1145721360


NOTE:
you have all the data you need to _'re-use'_ this CC number, name, exp.date, even the CCV2

number.<<again don't bother, the CC data has been changed dumbass>>

The POST data also includes the host, my MAC, my IP, and refers to a ID, a cookie planted

on my box. A 'TraceRoute' if you will,down to the location of the wifi access point

(shelby) and right to my laptop.

If data is sent in plaintext, rather than scrambled in cyphertext, it exposes the NFOmation

to anyone in the path of the user and server. No matter if you are sniffing the airwaves at

a wifi AP, or sitting on a desktop on a network segment.

------------------



Customer clicks "I agree" to TOS, webpage POST

NmdId=6362&ReturnHost=nmd.caribou517.shelbmi.wayport.net&MacAddr=00%3A90%3A4B%3AF1%3AF9%

3A75&IpAddr=192.168.0.3&NduMacAddr=00%3A0D%3AED%3AE7%3A2A%

3AB6&NduPort=1&PortType=Wireless&PortDesc=AP1&UseCount=1&PaymentMethod=CreditCard&ChargeAmo

unt=&Style=SBC&vsgpId=93ca659e-0694-11d9-953e-

00801e11e3aa&pVersion=2&ValidationHash=43a7b19c58ae4abc86d1680b043693eb&origDest=&ProxyHost

=&ts=1145722003&TaxRate=0.0&AVSStreet=&Cv=177&CurrencySymbol=%24&TimePeriod=2-

hour+block&ConnectionPeriod=2-

hour&CardType=MasterCard&ExpirationYear=2004AVSZip=&CurrencyCode=U.S.&CurrencyCodeOutput=%

28U.S.%

29&TotalAmount=3.95&Email=&Cardholder=micheal+muller&TotalTax=0.0&AmountToCharge=3.95&Expir

ationMonth=09&Price=3.95&CardNumber=5423256222312590&Country=&NumberOfDays=1&AUP=&WSIALD=&x

=344&y=9

NOTE:
Missing the expr. year and CCV #, but you still see the CC number and owner in plaintext.
Again my personal NFO exposed in Plaintext on the network.

--------------

_________The Implications of this Experiment_

With a MAC and IP, you can spoof a logged-in user, old school Session Hijacking applies

here. DoS the user and the server may never know who is who..

With PACKET SNIFFING, URL recorders (sorta like a keylogger), you can see the data that is

being transmitted, in the air as wifi RF, or on a network segment.Some are cyphertext and

might be crackable, some are Plaintext, english and a bit of HTML is the only requirement.

Criminal acts committed on networks-
Possession of the machine with the MAC address used in a crime is almost prima facie

evidence, sorta like holding a gun - the grooves in the barrel will match you back to the

crime.. But if MAC address insecurity can be proven, the Prosecutor/Legal System may not be

able to rely on a MAC address as undeniable proof..Sorta like swapping barrels on the guns,

lol.



Feel Free to discuss this with me.

DNR
Any Errors on this page is not my fault, so shut the hell up.


Data dump;ignore


Index : 3
Description : Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
Type : 6
Mtu : 1500
Speed (bps) : 11000000
Phys Address: 00:90:4B:F1:F9:75

Gateway : 192.168.0.3

[bad_brain]

um,now for real: is this SBC/ATT wifi paysite completely nuts?!
transmitting sensitive CC data in cleartext would me keep away from using this site at all! establishing the https protocol takes only a couple of minutes, this is more than ridiculous. all you would have to do is scanning for networks and once connected (we all know how easy this is, encrypted or not) sniffing the packets in promiscuous mode....cracking the validation md5 hash...and voila: all data you need for criminal activity of any kind (CC fraud, connection hijacking for example)!

do you have information about the APs of this provider, I mean, do they have own ones?
nmap -v -sS -sV -O -P0 -p0-65535 would be real interesting then, maybe you can provide a scan log (but safety first of course ) ...
if the security of these APs is as strong as the site´s one (strong like a wet paperbag in this case ) it may be even possible to harvest sensitive data of users.

real sweet post mate...

[DNR]

B_B,

I ran a few tests on this network this am, Sitting in the parking lot of a Chili's, in my Olds Intrigue. Drinking my 4xexpresso, watching traffic increase as the day wakes...I am pressed for time, so this post may be incomplete.

The short answer is the AP is likely a CISCO AP, controlled by ROmpager and working with AOLserver to manage it. The long answer? Continue below, a vomit of digital obsession.....


Some stuff here I printed as courtesy to the n00bs,read in the <<< >>>

By:DNR

+++++++++++++++++++++++++++++++++++++++

<<Netstat to verify my assigned IP and whom I am connected to for online wifi>>>

netstat -n
192.168.0.3:1075 68.248.45.189:80

192.168.0.3 = my assigned IP

68.248.45.189:80 =
Server: AOLserver/4.0.10
URL=http://www.wayport.net/">

<<<Verify that AOLserver/4.0.10 is a valid OS or faked banner>>>
<<<Checked; it's real check it out here: http://aolserver.com/ >>>

<<<lets see whats running the connection >>>>>>>>

Connections report. Created at 4/23/2006 3:59:53 PM
----------------------------------------------------------------------------------------------------
| Protocol | Local Address Port | Remote Address Port | Status | Process:PID
----------------------------------------------------------------------------------------------------

TCP 192.168.0.3 :1075 68.248.45.189 :80 ESTABLISHED svchost.exe:1100

<<<<svchost, of course, it can run some RAS stuff>>>


+++++++++++++++++++++++++++++++++++++++

<<<IP Block run on the computer I am connected to, to determine who owns the equipment>>>
<<<NFO like where the HQ <<server farm>>> is located is nice too - Plano,Texas (TX)>>>


04/23/06 11:29:39 IP block 68.248.45.189
Trying 68.248.45.189 at ARIN
Trying 68.248.45 at ARIN

OrgName: SBC Internet Services
OrgID: SIS-80
Address: 2701 W 15th St PMB 236
City: Plano
StateProv: TX
PostalCode: 75075
Country: US

NetRange: 68.248.0.0 - 68.255.255.255

++++++++++++++++++++++++++++++++++++++

Next run a traceroute to see what machines are in the path of your internet connex



04/23/06 15:55:38 Fast traceroute www.dell.com
Trace www.dell.com (143.166.83.230) ...
1 192.168.0.3 1ms 1ms 1ms TTL: 0 (No rDNS)
2 68.248.45.185 1ms 1ms 2ms TTL: 0 (No rDNS)
3 68.248.45.254 15ms 13ms 14ms TTL: 0 (adsl-68-248-45-254.dsl.sfldmi.ameritech.net ok)
4 67.38.70.242 15ms 13ms 15ms TTL: 0 (dist1-vlan60.sfldmi.ameritech.net ok)
5 151.164.43.59 13ms 14ms 14ms TTL: 0 (bb1-g10-0.sfldmi.sbcglobal.net ok)
6 151.164.43.193 15ms 14ms 13ms TTL: 0 (bb2-p8-0.sfldmi.sbcglobal.net ok)
7 151.164.43.195 19ms 19ms 21ms TTL: 0 (core2-p7-0.crchil.sbcglobal.net ok)
8 151.164.191.198 31ms 31ms 30ms TTL: 0 (core1-p4-0.crkcmo.sbcglobal.net ok)
9 151.164.241.78 33ms 31ms 31ms TTL: 0 (core2-p8-0.crkcmo.sbcglobal.net ok)
10 151.164.240.109 39ms 40ms 42ms TTL: 0 (core2-p3-0.crdltx.sbcglobal.net ok)
11 151.164.242.97 40ms 39ms 39ms TTL: 0 (core1-p1-0.crdltx.sbcglobal.net ok)
12 151.164.40.38 39ms 40ms 41ms TTL: 0 (bb1-p2-0.rcsntx.sbcglobal.net ok)
13 151.164.191.236 47ms 48ms 46ms TTL: 0 (bb2-p4-0.austtx.sbcglobal.net ok)
14 151.164.191.197 45ms 47ms 47ms TTL: 0 (ded3-g7-3-0.austtx.sbcglobal.net ok)
15 70.252.25.110 45ms 48ms 47ms TTL: 0 (Dell-USA-1121452.cust-rtr.swbell.net ok)
16 10.180.74.10 49ms 48ms 51ms TTL: 0 (No rDNS)
17 10.180.82.90 47ms 48ms 47ms TTL: 0 (No rDNS)
18 143.166.72.22 48ms 48ms 55ms TTL: 0 (auspc1fwecom102e2-outside.us.dell.com ok)
19 143.166.83.230 48ms 46ms 49ms TTL:238 (www.dell.com ok)



<<<<<<<<I picked anyURL/IP for the tracert, all thats really important are the first few IPs. >>>>>
<<<< #1 is my machine's IP >>>
<<<<Following the tracert, you can see the ATT/SBC network carried my packet all the way to Austin, Texas before handing it off to Dell's Network (www.dell.com)>>>
<<<68.248.45.254 (adsl-68-248-45-254.dsl.sfldmi.ameritech.net ok) could be the actual 'internet connection' the AP (wifi access point),dsl=direct subscriber line>>>

<<<<The thing that is suprising, the machine that I connect to is not listed 68.248.45.189 >>>

++++++++++++++++++++++

Port scan of the machine I connect to

//edited ports closed //


Address : 68.248.45.189
Name : not resolved

Port 139 (netbios-ssn) ... Ok ! Send data. Wait incoming data .. no data.
Port 80 (http-www) ... Ok ! Send data. Wait incoming data ..
Server: AOLserver/4.0.10
Port 22 (ssh) ... Ok ! Send data. Wait incoming data .. data received.
SSH-2.0-OpenSSH_3.7.1p2
3 (of 36) open port(s) detected

<<<Three ports indicate they are open, but the smart sysadmin has removed/disabled daemon banners, except for SSH port 22>>

Since I need to figure out what is IP 68.248.45.185? So I'll port scan it too

Address : 68.248.45.185

Port 80 (http-www) ... Ok ! Send data. Wait incoming data .. no data. Connection closed by remote host.
04/23/06 16:48:20 Browsing http://68.248.45.185/
Fetching http://68.248.45.185/ ...
HEAD / HTTP/1.1Host: 68.248.45.185Connection: closeReferer: www.suckbutt.comUser-Agent: Mozilla/4.x (TuringOS; Turing

Machine; 0.0)HTTP/1.1 200 OKContent-Type: text/xmlCache-Control: no-cacheExpires: Thu, 26 Oct 1995 00:00:00 GMTContent-

Length: 3911Server: Allegro-Software-RomPager/4.03Connection: close

Port 23 (telnet) ... Ok ! Send data. Wait incoming data .. data received.
name:
2 (of 36) open port(s) detected

<<< No banner for telnet but we got one on port 80, it leaks the OS Allegro-Software-RomPager/4.03 >>>
<<<So I search for NFO on RomPAger...>>>>>
http://www.allegrosoft.com/
http://www.allegrosoft.com/rpproduct.html
http://www.allegrosoft.com/managing.html

Rompager is a utility to control a device, remotely.

++++++++++++++++++++++++++

You asked about Nmap, and it did not return much results as far as port scans and OS fingerprinting as I did with several

tools.

I am tired. more on this later, perhaps someone can point out important details or a direction for me to go..

DNR

++++++++++++++++++++++

[bad_brain]

<<<<The thing that is suprising, the machine that I connect to is not listed 68.248.45.189 >>>

ah,I see what you mean....that´s pretty strange...

hmm...well,it´s pretty late at night here too now, but the first thing that came to my mind was: maybe a bastion network architecture?
I mean, your box has a private network IP, the private area would only supply the authentification to be connected with the public area (internet) then....
I have to think about this again when I had some sleep....later...