Friday, December 28, 2007

Stealing Cookies with WifiZoo

The purpose of this blog post is to demonstrate the sort of thing an attacker could do just by listening to your traffic on a wireless network.

In the example below I will set my wireless card to capture cookies from a valid session between a victim and a website. The attacker is then able to easily connect to the website using the captured cookie and will automatically be logged in as the victim.

I have tested this on a number of websites including Google Mail; however, I will demonstrate it using a connection to a web forum called Binary Revolution. Please note that this is not possible because of a fault in the websites; it is possible because the traffic is unencrypted. That said, I could perform the same attack on a wired network using ARP cache poisoning.


Tools

  • Kismet
  • WifiZoo
  • Firefox

The Attack

1. Using Kismet I find my target network and force it to lock onto just that channel.




2. I now use the command below to bring up my wireless interface.

ifconfig wlan0 up


3. I start WifiZoo, point my Firefox proxy settings to 127.0.0.1 port 8080, and point my browser to the WifiZoo config page at http://127.0.0.1:8000




4. I now connect my LAN interface to the network, bring it up and get an IP address.

ifconfig eth0 up
dhclient eth0


5. On the victim PC which is using a wireless connection I browse to an interesting site and log in.




6. Back on my evil attacker laptop I look at the cookies page in the WifiZoo webpage and see what cookies I have collected so far.



I select a cookie, click on it and I'm taken straight into the website using the victim's credentials.



It really is that simple. So next time you're on a public network, think about what you are doing.


Conclusion

Be careful on public networks, and use encryption (SSL and SSH) and VPNs where possible.
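
On the website side, the same exposure can be checked from the response headers. The following is an added example, not part of the original post or of WifiZoo: it audits Set-Cookie headers for the Secure attribute, which stops a browser sending the cookie over unencrypted HTTP. The sample headers are constructed, and the name hints used to guess which cookies carry a session are an assumption.

```python
"""Audit Set-Cookie headers for attributes that keep a session cookie
off unencrypted links. Added example; all header values are constructed."""

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "auth=def456; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

# Assumption: cookie names containing these fragments carry a login session.
SESSION_HINTS = ("sess", "auth", "token", "sid")


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit(headers, hints=SESSION_HINTS):
    """Return a list of (severity, cookie name, problem) findings."""
    findings = []
    hdrs = [(k.lower(), v) for k, v in headers]  # header names are case-insensitive
    for key, value in hdrs:
        if key != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        sensitive = any(h in name.lower() for h in hints)
        if "secure" not in attrs:
            # Without Secure the browser attaches the cookie to plain-HTTP
            # requests, where anyone listening on the network can read it.
            sev = "HIGH" if sensitive else "LOW"
            findings.append((sev, name, "no Secure: sent over plain HTTP"))
        if sensitive and "httponly" not in attrs:
            findings.append(("MEDIUM", name, "no HttpOnly: readable by scripts"))
    if not any(k == "strict-transport-security" for k, _ in hdrs):
        findings.append(("MEDIUM", "-", "no HSTS: browser may still use plain HTTP"))
    return findings


if __name__ == "__main__":
    for sev, name, msg in audit(SAMPLE_HEADERS):
        print(f"{sev:6} {name:12} {msg}")
```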


Tools used in this blog post were from the BackTrack3 security distro.

1 comment:

matt said...

This is a great post.. though I've never been able to get WifiZoo to work. I think it has something to do with it not being compatible with the new version of Scapy.

I should revisit it, though, and see if I can make it work.. it's definitely something that I need to have in my arsenal.