Skip to main content

Hacker Con WiFi Hijinx: Protecting Yourself On Potentially Hostile Networks

Also, below is an HTML version of the continents, however I may not keep it as up-to-date as a do the above pamphlets.
Contents:
        So, you're at the con and you want to use the open WiFi (802.11a,b,g,n) network to surf the web and communicate with distant friends. All fine and dandy, but keep in mind there are a lot of playful folks sharing the conference's network with you. There will be more sniffers running at a hacker/security conference than at a bloodhound convention. This pamphlet will give you tips to help you be somewhat safer while using your wireless devices on the con’s network and hopefully keep you off of the Wall of Shame (Ask at the con for its location to see if they have one).
Open File Shares
        One of the first things you should be aware of is open file shares. I’m just going to cover Microsoft Windows computers in this section, but similar problems can exist for *nix systems too (check your Samba and NFS configs). While at the con some deviant folks may run a tool like Softperfect’s NetScan to find all open Windows file shares on the local network and see which ones they can read or write to. Less technical attackers may just look in “Network Places” and see what shows up. This could be kind of embarrassing if someone happens to find a little file share on your box that has some oh-so-private pictures (It’s a con for tech geeks, look around you, do you really want to see these people naked?). Another threat is that other computers on the hotspot’s network infected with malware could be looking for a place to spread to and happen to find shares on your laptop with write permissions.
        The quickest way to find out what file shares may be available to outsiders on your Windows box is to go to the run bar, type “compmgmt.msc”, hit enter and check under the “Shared Folders” section to see what’s there (*nix guys check your smb.conf file). If you see any shares without a $ on the end of their names (normally these are just “hidden” admin shares that only system administrators can get to) you may want to check the permissions on them. However, even if you find these shares, they may not be available to everyone. A local firewall may be in place that will block access to them unless the firewall is configured to allow “File and Printer Sharing”. A more thorough way to find out what shares you may have open is to have a friend take his Windows laptop, go to the run bar and type in something along the lines of \\your-computer-name
        Obviously, change the “your-computer-name” to whatever your laptop's name is. You can find your computer’s name by right-clicking on “My Computer”, choosing “Properties” and then selecting the “Computer Name” tab. Your safest bet is to turn off file sharing if you don’t use it. Click Start->Control Panel->Network Connections, then right click on your wireless connection, choose properties and uncheck “File and Printer Sharing for Microsoft Networks” to disable it. For more information on rogue file share visit this URL:
Unneeded Services
        Many of us use our laptops for development, and as such run server software on them for testing purposes. Unfortunately this could mean unneeded services running, such as a local Web or SQL server. You may also have unneeded services running on your box because of file sharing, instant messaging, remote access or gaming software. Whatever the reason, having extra network accessible services available on your laptop adds extra attack surface that someone may exploit. Now, hopefully the services you have running on your machine are fully patched, and there are no known vulnerabilities, but you never know when someone might have a 0 day with your name on it, and it's always a good idea to lessen potential attack vectors where you can. If you are curious what TCP or UDP ports may be open on your laptop, use one of the following commands to find out:
Windows: netstat -b
*nix: lsof -i
Or better yet, download Nmap on another box and do a complete scan of your laptop with the command:
nmap -p T:0-65535,U:0-65535 yourip
If you can't turn off the service, at least make sure it is fully patched and if possible adjust the local firewall rules so that it can only be accessed from the local loopback address.
Patch Before The Con
        Since this pamphlet is being handed out at the con, this piece of advice may come too later. Make sure you patch your system BEFORE you come to the con. Tools like Ettercap and The-Middler can be used to subvert some online update processes to install malware, so it's much better to apply your patches while you are on a trusted network.
Sniffers
        Probably the biggest threat when using open WiFi networks are deviant users running sniffers on the network. Pay special attention to this section if you’re interested in avoiding identity theft where attackers use your credentials to access bank, credit and other sorts of personal accounts. Sniffers (also known as Network Analyzers) are a category of software that can look at network traffic, decode it, and give meaningful information about what kind of data is crossing a network. While sniffers have a lot of legitimate uses they are also useful tools for deviant computer users since they can be used to pull plain text passwords off a network (Basic authentication HTTP, POP3, SMTP, TELNET, FTP, etc), watch instant message conversations (AIM, Yahoo, MSN, etc), read e-mail messages or view web sites that other hotspot users are visiting. A few popular general purpose sniffers are NAI Sniffer (commercial), Wireshark (an Open Source GUI Sniffer for Linux, Windows and other platforms), TCPDump and its Windows version called WinDump. A bigger concern for users on open wireless networks would be special purpose sniffers like Cain, Ettercap and the Dsniff package that allow users to easily parse out passwords from network traffic.
        Since people have a tendency to ignore threats until they have been directly confronted with them, I’m going to explain the background of some of the common attacks. Test these on your own home network if you like, BUT NOT ON SOMEONE ELSE’S! There are a few ways attackers can sniff a wireless network, depending on their hardware. Computers on a wireless LAN act a lot like they are on an Ethernet LAN using hubs. Every computer on the LAN can see the traffic destined to others but normally they just choose to ignore it. (In reality it’s a little more complicated than that, but I want this to be an article and not a book on the intricacies of 802.11 networks) However, if a network card is put into what is known as promiscuous mode, it will not ignore traffic going to other computers and will instead look at it, allowing the user of the computer running the sniffer to see the data traveling to other computers attached to the same access point. Promiscuous mode works on pretty much any wired network card in Windows and Linux (or other Unix like Operating System), but not all wireless cards support it properly (like Intel’s Centrino 802.11g chipset know as IPW2200). If the sniffer’s card does support promiscuous mode it will have to be attached to the wireless networks WAP (Wireless Access Point) to be able to see anything. If the attacker is using *nix or Windows Vista the attacker may be able to use what is known as monitor mode if their card supports it. In monitor mode, the wireless network card listens to the raw packets in the radio waves without ever having to attach to a WAP. The nice thing about monitor mode from the attacker’s perspective is that they leave no logs of their activities since they don’t have to attach to the WAP and don’t have to send any packets on the network. Keep in mind while doing your tests that different wireless hardware works in different ways and there's a lot of flaky WiFi hardware and drivers out there so you may have a hard time getting promiscuous or monitor mode to work correctly on your specific laptop.
Man In The Middle
        A third way to capture others network traffic is to use what is known as ARP poisoning to route traffic through the attacker's laptop, allowing them to see all of the traffic passed as well as giving them a chance to modify it (I’ve seen an Ettercap script that was programmed to replace the images in web page with the image from lemonparty.org. If you don’t know what that is, you're better off not knowing). Tools like Arpspoof, Ettercap and Cain all have ARP poisoning functionality built in. The downside to ARP poisoning from the attacker's perspective is that it’s noisy (Intrusion Detection Systems [IDS] packages, ARPWatch and DecaffeinatID can easily detect it) and has a tendency to screw up a network if it’s not done right or if someone decides to ARP poison the entire network at one time. ARP poisoning’s advantages for the attacker are that it can be done in both Windows and *nix and it allows what is know as a Man-in-the-middle (MITM) attack. A Man-in-the-middle attack is where an attacker gets two or more other network members to send traffic through their computer first, then passes it on to its intended recipients. Man-in-the-middle attacks allow the attacker to “proxy” some protocols that are normally encrypted and secure (like SSL/TLS or SSH) and sniff the connection by pretending to be someone they’re not. Depending on the protocol, the user may get a warning message letting them know that the keys have changed.
        For example, if someone MITMs an SSL connection the user might see a message in their browser something like:
Firefox:

 

Microsoft Internet Explorer:


        Another way you might notice that an ARP poisoning attack is going on would be if the network slows down to a crawl and you have intermittent networking problems. However there is no guarantee that an ARP poisoning attack will noticeably affect a network from a usability stand point. The most sure fire way to detect one is with an IDS in the right location on the network.
        A fourth way an attacker may intercept your wireless traffic is to set up their own laptop as a rogue access point using a tool like Hotspotter or Karma, wait for victims to unwittingly attach to it, and sniff to their little heart’s content. Becoming the proxy for the whole network by exploiting WPAD is also fun.
Giving A Sniffer Congestion
        The best way to defend against sniffers is five fold. First, don’t visit anything important while on a con’s Wi-Fi. This includes your email, financial institutions (credit card company and bank user information pages) or any place where you have to submit confidential information like your social security or credit card numbers. Do your online shopping at home, not at the con.
        Second, when possible only use encrypted protocols (https, SSH, etc) when you are on a public network. For example, if you have to access a web page with confidential information make sure that the URL is preceded by https://. This indicates that the site is using SSL/TLS and that the data being transmitted between you and the server is encrypted (in theory, someone could be pulling a MITM attack as explained before). If you are an SSH user and you get a warning message that the host key has changed, don't connect; someone may be trying to pull off a MITM attack.
        Third, not all protocols support encryption so you may want to look into using a service that allows you to “tunnel” through unsecured networks. Tunneling works by encrypting all of the data you are sending and routing it to an intermediate server (the exit point) on a network you trust (or at least trust more than one at a hacker con) where it is unencrypted and sent on to its intended destination. A few examples of these systems are VPNs, Tor, Hamachi or SSH tunneling (all of which are topics too involved to cover here, but a quick Google search should tell you what you need to know). Using the Tor Browser Bundle (a portable version of the Firefox web browser which can be run off of a USB thumbdrive) is a convenient way to use the Tor encrypted proxy network for those too lazy to set it up on their own Windows based laptop. For those that don’t want to touch an icky Microsoft Windows box try the OpenBSD based Anonym.OS LiveCD. I feel I should also make you aware that while the previously mentioned technologies will protect you from attackers at your local hotspot, deviant computer users at the exit point of the encrypted tunnel may still be able to sniff your data. This is especially true of Tor which was designed for anonymity, not data security (Never login to critical sites over Tor).
        Many folks have access to a VPN at their place of employment which could be one good way to secure their traffic while at the conference. However, you should keep in mind that while the data in the traffic may be encrypted, an attacker could still be watching the tunnel and at least find out who you work for. It's pretty easy when they see an encrypted IPSEC or PPTP tunnel going from a host named “Adrian-Laptop” to a host named “vpn.irongeek.com” what's going on. Personally, my solution is to remote into my home network, and keep my host name generic enough so attackers hopefully don't follow me to my virtual network home. If you run the DD-WRT firmware on your home router you can enable PPTP or IPSEC and connect directly to it.
        A fourth and even better solution than the ones mentioned previously is not to use the local WiFi at all. Tether your laptop to your mobile phone's Internet connection, assuming your data plan does not make that cost prohibitive. CDMA and GSM phone networks are much harder to sniff than WiFi. If you decide to go this route turn off WiFi completely on your laptop to lessen one possible attack vector.
        Finally, use different passwords for different sites. To illustrate why it’s a bad idea to use the same password everywhere, let me give you a little theoretical scenario. Let’s say you use the same password on a web forum as you do on your bank’s web page. If someone sniffs your forum password they may then try to use it on your bank’s website, or maybe see if you use the same password for your email account. I think you get the idea.
        With a little work and knowledge you can stay relatively safe on the open WiFi network at the con. If this article has left you paranoid, or scratching your head like a monkey doing a math problem, ask a geeky friend for help. Enjoy the con.
TOOLS DESCRIBED
Softperfect’s NetScan
http://www.softperfect.com/
Tor/Tor Browser Bundle
http://www.torproject.org/
DD-WRT Router Firmware
http://www.dd-wrt.com/
Text by Irongeek http://irongeek.com, original layout by riscphree, http://riscit.info, tri-fold template by Andrew Ziem and grammar/spelling by Nancy.
Shouts to the Louisville InfoSec, PhreakNIC, Outerz0ne and Notacon conferences.
Feel free to modify this pamphlet for your conference as long as you leave the credit information and links intact.

Version 1.2

Comments

Popular posts from this blog

Как найти реального заливщика

Своего первого реального заливщика, который показал мне как можно скачать деньги в интернет с банковских счетов, я нашел случайно, когда еще трудился в Укртелекоме сменным инженером немного подрабатывая продавая трафик налево, но потом этот человек отошел от дел в связи со слишком уж скользкой ситуацией в данной сфере, и я решил поискать партнера на форумах, разместив рекламу на трёх электронных досках объявлений. Честно говоря поначалу даже был готов сразу закинуть 500 000 гривен в Гарант, но потом призадумался, а стоит ли?


Ко мне начал обращаться народ обращается разных категорий

1. Дебильная школота, которая что-то любит повтирать про свою серьезность и просит закинуть 10 000 USD им на Вебмани в качестве аванса 
2. Реальные мэны, которые льют сразу большую сумму по SWIFT без разговоров про гарантии и прочую шнягу, но после того, как им отдаёшь нал, они сразу пропадают, суть данных действий я так и не понял. зачем пропадать, если всё прошло гладко? 3. Мутные личности, берущие реквизиты …

Black Hat SEO или бот для скликивания контекстной рекламы

На днях мне стало интересно, а каким образом с точки зрения «черных» методов SEO могут быть использованы хакерские программы – например, путем генерации трафика для заинтересованных ресурсов или скликивания контекстной рекламы AdWords или Яндекс.Директ
Понятно, что увеличение числа посетителей на сайте интернет-магазина или компании, занимающейся недвижимостью, вероятнее всего положительно скажется на их доходах. Поэтому разработка подобного типа программ — вполне себе обыденное дело, и появились такие программы уже давно. По большей части таких ботов можно разделить на два класса — это различного рода Adware, которое распространяется вместе с популярными программами, или трояны, которые осуществляют более серьезную модификацию системы.  Win32/Patched.P Давай для начала рассмотрим достаточно экзотический, но от этого не менее интересный способ подмены результатов поиска в популярных поисковых сервисах Яндекс и Google, который был реализован в троянской программе Win32/Patched.P (ESET)…

Новые онлайн-игры с выводом денег

Одним из видов получения стабильного сетевого дохода является заработок в он-лайн играх, с выводом денег через электронные платежные системы, такие как Яндекс.Деньги или Webmoney или через любые другие электронные платёжные системы. Причем, способов заработать на играх в интернете существует несколько, и зарабатывать таким образом можно довольно внушительные суммы.




Как правильно играть на деньги в онлайн играх
1. Играть самому, без каких-либо денежных вложений в игру. Такой способ заработка занимает довольно много времени, а доход приносит весьма скромный. К тому же, в некоторых онлайн играх с выводом средств зарабатывать подобным способом просто невозможно, так как игры с возможностью заработать могут являться инвестиционными проектами (финансовыми онлайн играми), которые требуют обязательных минимальных вложений.


2. Играть самому, вкладывая деньги с банковской карты. Наверное, это самый оптимальный способ заработка реальных денег в онлайн играх. Сумма дохода здесь зависит от того, ско…

Залив на карту без предоплаты по SWIFT или SEPA

В последнее время наблюдается такая ситуация, что нальщиков и дропов на рынке много, а адекватных заливщиков, можно сказать, совсем нет.


Например, один мой хороший знакомый, имеющий свой собственный офшор, работает с заливщиками на условиях партнерства, предоставляя им трафик и взамен получая 20% от поведенных транзакций на свой счет в офшорном банке. Мне он рассказал по большому секрету, как такое ему удается, а начинал он как и все с малого - продажи дебетовых карт и игре на рынке FOREX.

Просто так искать Заливщиков на различных форумах, посвящённых обналу и отмыванию денег - достаточно муторное и нудное занятие, потому как после общения с десятым по счету заливщиком, начинаешь понимать, что просто так на карты и счета никто лить не будет.

Однако моему другу попался один довольно интересный вариант - Заливщик предложил сделать перевод в размере 375 000 EUR по SEPA в день предоставления готового к работе счета и активной системы Multihomed AS.



Остальные предложения были более мутные …

Чем рискуют дропы и нальщики принимая заливы на свои карты

Зам.начальника управления Следственного департамента МВД Павел Сычев рассказал о криминальном бизнесе «нальщиков»
- Глава Банка России Эльвира Набиуллина заявила о снижении объемов теневого оборота в конце 2013 года. Что показывает ваша статистика по выявлению незаконных операций?

- В последние годы объем денежных средств, выведенных в теневой сектор, увеличивался, и криминогенная обстановка ухудшалась. Проблема находится в поле зрения президента -  в декабрьском послании Федеральному Собранию, он призвал избавить нашу финансовую систему от разного рода «отмывочных контор» и так называемых «прачечных». Оперативники уже получили ориентировку на более активное выявление этих преступлений.

По уголовным делам, расследованным МВД только в первом полугодии 2013 года, проходит 145 млрд рублей, обналиченных и незаконно выведенных заграницу. Это неуплаченные налоги, незаконный бизнес, хищения, взятки. Финансовый доход посредников от этих операций составил 8 млрд рублей. Расследовано 89 таких дел …

Как работает банк со своими корреспондентами по SWIFT

Итак, наш банк имеет открытые корреспондентские счета в США (CITIBANK N.A. NEW YORK), в Европе (VTB BANK DEUTSCHLAND AG), в России (Промсвязьбанк Москва и Собинбанк Москва).



Соответственно, все расследования по платежам происходят через эти банки согласно  установленным корреспондентским отношениям с использованием соответствующих форматов SWIFT MT-195/295, MT-196/296, MT-199/299 и MT-192/292

Кроме прямых корреспондентских отношений с банками, нашим банком установлены отношения и с другими финансовыми организациями через процедуру обмена ключами, что даёт возможность использовать SWIFT-форматы МТ-195, МТ-196 и МТ-199 для проведения процедуры расследования по стандартным платежам и платежам с покрытием:

- DEUTSCHE BANK TRUST COMPANY AMERICAS USA
- COMMERZBANK AG Germany
- CITIBANK N.A. London
- CITIBANK N.A. Brussels
- BANQUE DE COMMERCE ET DE PLACEMENTS S.A. Geneva
- NORVIK BANKA JSC  LV
- ABLV BANK AS  LV

В среднем процедура расследования занимает от 3 до 14 дней (если необходимо уточнить дета…