TG Video: Wirelessly hacking Gmail and more - tutorial
Security
By Humphrey Cheung   
Thursday, October 11, 2007 14:34

Culver City (CA) - We’ve all heard about the pitfalls of unencrypted wireless connections, yet thousands of people still obliviously surf the web and check email on vulnerable Wi-Fi networks and public hotspots.  A couple of months ago we wrote about the ‘Point and Click’ Gmail hacking techniques demonstrated at the Blackhat and Defcon computer security conventions, but for many people simply reading about a hack isn’t enough.  In this article and accompanying video, we’ll teach you how to perform the same attack and you’ll probably be very surprised at how easily it can be done.


Video: Wirelessly hacking Gmail and more (attack in action in Culver City, California)


Before we get into the rest of the article, we want to thank Robert Graham, founder and CEO of Errata Security, for showing us the “sidejacking” attack at this year’s BlackHat computer security convention.  His term “sidejacking” refers to the way his two programs, “Ferret” and “Hamster”, are used to sniff and replay cookies.  The freely downloadable programs don’t directly attack passwords or computers to access webpages and emails; rather, they compromise the wireless network itself.  You can read Graham’s sidejacking blog post here.

As with any hacking tutorial, some people will undoubtedly say we are facilitating illegal activity, but we think the benefit gained from this article will far outweigh any malicious use.  The vast majority of people know that open wireless networks are dangerous, but no one has ever given them an “in your face” demonstration.  It’s quite a sobering experience to see how easily your search terms and Google emails can be captured, and we hope this article will spur businesses and homeowners to secure their networks.

Also, these types of attacks on wireless networks have been going on for years because there have been automated sniffer tools available.  Graham’s ferret and hamster tools basically do the same thing, but in a much more user-friendly way.

Of course, our wonderful lawyers would like us to say that attacking someone else's laptop without their permission would be illegal.  Therefore, in this tutorial, you'll be sniffing traffic from a "victim" laptop that either you or a consenting friend or coworker owns.

Attack Overview

The victim laptop will connect to the wireless network and surf the web as usual.  The attacker will first need to scan for available networks with Kismet and then set his capture card to the same Wi-Fi channel as the target network.  For the purposes of the tutorial, we are assuming that the attacker doesn’t know any information about the wireless network.

Then we launch the ferret program from the command line, which will start sniffing for cookies that are transmitted over the network.  Hamster is started next; it translates the cookie information into something your browser can understand.  Hamster also serves as an internal proxy server.

Next we start up Firefox, set up our proxy server addresses/ports and go to the http://hamster/ page.  If everything goes well, there should be IP addresses in the right pane and we can easily get a list of visited websites by clicking the victim’s address.

Essentially, ferret sniffs the traffic, hamster translates the traffic and Firefox views the traffic.
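
A defender-side check for the exposure described in the overview above, as an added example that is not part of the original article or of Errata Security's tools: because the attack relies on cookies crossing the network in cleartext, this Python code audits a site's Set-Cookie headers for cookies a browser would also send over plain HTTP. The sample response, the cookie names and the function names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for cookies exposed to cleartext sniffing.
# The response text and cookie names below are constructed sample data.

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=constructed-value-1; Path=/; HttpOnly\r\n"
    "Set-Cookie: AUTH=constructed-value-2; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_set_cookies(raw_response):
    """Return [(name, attribute-dict)] for each Set-Cookie header in a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {}
        for part in parts[1:]:                   # attributes such as Path, Secure
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies.append((name, attrs))
    return cookies


def audit(raw_response, fetched_over_https):
    """List cookies that a passive listener on an open network could observe."""
    findings = []
    for name, attrs in parse_set_cookies(raw_response):
        if not fetched_over_https:
            findings.append((name, "set over plain HTTP; visible in transit"))
        elif "secure" not in attrs:
            findings.append((name, "no Secure attribute; browser also sends it over HTTP"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RESPONSE, fetched_over_https=True):
        print(f"{name}: {reason}")
```

Any session cookie this reports should be issued only over HTTPS and carry the Secure attribute, so that it never appears in traffic a sniffer on the same wireless channel can read.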

Knowledge needed

While the sidejacking attack is very simple, you should still have basic knowledge of wireless networks.  You will be setting up a wireless router and that means entering in an SSID, channel number and possibly other information.

You should also have basic Windows command line knowledge like changing directories, listing directory contents and typing in commands.  Don’t worry about typing in the wrong commands because you can see the exact spelling and syntax in the photo gallery pictures.

Equipment needed

Since you’ll be hacking wireless networks, a wireless router or access to an open wireless hotspot will obviously be needed.  You’ll also need two laptops, one as the attacking or hacker computer and one as the “victim” laptop.

For this tutorial, we used the Airpcap USB capture stick to sniff wireless traffic.  The stick works great with the ferret and hamster tools and was the device used by Robert Graham himself at Blackhat and Defcon.  You can still do the attack if you have a wireless card that supports promiscuous mode sniffing.

Your hacking laptop will also need some other way of getting out to the Internet.  Wireless interfaces generally cannot sniff traffic and surf the net at the same time.  We used a Sprint EVDO card to access the Internet.


•    Attacking laptop – Windows 2000, XP or Vista
•    Victim laptop – Can be any OS including Linux and Macs.  Will be logging into the wireless network and surfing the internet
•    Airpcap USB capture device – Specifically we used the AirPcap Tx, but any of the AirPcap USB sticks or cards will work. 
•    EVDO card or some other way of getting to the Internet on the hacking machine

Required software

The ferret and hamster programs don’t require a lengthy install and are simply unzipped into a folder of your choice.  Put both programs in the same folder.

•    Airpcap drivers – if you are using the Cacetech Airpcap card
•    Kismet – Not really required, but you need some way of scanning for wireless channels.  When you buy the Airpcap card, a specially configured Kismet is included on the install CD.
•    Ferret – Downloaded from Robert Graham’s Errata Security blog
•    Hamster – Downloaded from Robert Graham’s Errata Security blog
•    Firefox

 

 

Read on the next page: Hacking Gmail, step by step 

 



 