Culver City (CA) - We’ve all heard about the pitfalls of unencrypted wireless connections, but yet thousands of people still obliviously surf the web and check emails on vulnerable Wi-Fi networks and public hotspots. A couple of months ago we wrote about the ‘Point and Click’ Gmail hacking techniques demonstrated at the Blackhat and Defcon computer security conventions, but for many people simply reading about a hack isn’t enough. In this article and accompanying video, we’ll teach you have to perform the same attack and you’ll probably be very surprised at how easy it can be done.
Before we get into the rest of the article, we want to thank Robert Graham, founder and CEO of Errata Security, for showing us the “sidejacking” attack at this year’s BlackHat computer security convention. His sidejacking term referred to the way his two programs, “Ferret” and “Hamster”, are used in sniffing and replaying cookies. The freely downloadable programs don’t directly attack passwords or computers to access webpages and emails, rather they compromise the wireless network itself. You can read Graham’s sidejacking blog post here.
As with any hacking tutorial, some people will undoubtedly say we are facilitating illegal activity, but we think the benefit gained from this article will far outweigh any malicious use. The vast majority of people know that open wireless networks are dangerous, but no one has ever given them an “in your face” demonstration. It’s quite a sobering experience to see how easily your search terms and Google emails can be capture and we hope this article will spur businesses and home owners to secure their networks.
Also, these types of attacks on wireless networks have been going on for years because there have been automated sniffer tools available. Graham’s ferret and hamster tool basically do the same thing, but in a much more user friendly way.
Of course, our wonderful lawyers would like us to say that attacking someone else's laptop, without their permission,would be illegal. Therefore in this tutorial, you'll be sniffing traffic from a "victim" laptop that either you or a consenting friend or coworker own.
The victim laptop will connect to the wireless network and surf the web like usual. The attacker will first need to scan for available networks with Kismet and then set his capture card to the same wi-fi channel as the target network. For the purposes of the tutorial, we are assuming that the attacker doesn’t know any information about the wireless network.
Then we launch ferret program from the command line which will start sniffing for cookies that are transmitted over the network. Hamster is started next which translates the cookie information into something your browser can understand. Hamster also serves as an internal proxy server.
Next we start up Firefox, set up our proxy server addresses/ports and go to the http://hamster/ page. If everything goes well, there should be IP addresses in the right pane and we can easily get a list of visited websites by clicking the vicitm’s address.
Essentially, ferret sniffs the traffic, hamster translates the traffic and Firefox views the traffic.
While the sidejacking attack is very simple, you should still have basic knowledge of wireless networks. You will be setting up a wireless router and that means entering in an SSID, channel number and possibly other information.
You should also have basic Windows command line knowledge like changing directories, listing directory contents and typing in commands. Don’t worry about typing in the wrong commands because you can see the exact spelling and syntax in the photo gallery pictures.
Since you’ll be hacking wireless networks, a wireless router or access to an open wireless hotspot will obviously be needed. You’ll also need two latops, one as the attacking or hacker computer and one as the “victim” laptop.
For this tutorial, we used the Airpcap USB capture stick to sniff wireless traffic. The stick works great with the ferret and hamster tools and was the device used by Robert Graham himself at Blackhat and Defcon. You can still do the attack if you have a wireless card that supports promiscuous mode sniffing.
Your hacking laptop will also need some other way of getting out to the Internet. Wireless interfaces generally cannot sniff traffic and surf the net at the same time. We used a Sprint EVDO card to access the Internet.
• Attacking laptop – Windows 2000,XP or Vista
• Victim laptop – Can be any OS including Linux and Macs. Will be logging into the wireless network and surfing the internet
• Airpcap USB capture device – Specifically we used the AirPcap Tx, but any of the AirPcap USB sticks or cards will work.
• EVDO card or some other way of getting to the Internet on the hacking machine
The ferret and hamster programs don’t require a lengthy install and are simply unzipped into a folder of your choice. Put both programs in the same folder.
• Airpcap drivers – if you are using the Cacetech Airpcap card
• Kismet – Not really required, but you need some way of scanning for wireless channels. When you buy the Airpcap card, a specially configured Kismet is included on the install CD.
• Ferret – Downloaded from Robert’s Graham’s Errata Security blog
• Hamster – Downloaded from Robert’s Graham’s Errata Security blog
Read on the next page: Hacking Gmail, step by step
Step One – Setting Up the wireless network
You can skip this step if you already have access to an open wireless network.
Configure your wireless router for channel 6 and no encryption. Verify the configuration by having the victim laptop connect to the network and surf a few webpages.
Step Two – Attacker scans for available wireless networks
Using the attacking laptop, insert the Airpcap card and start the Airpcap control panel. Set the capture type to “802.11 + Radio”. Run Kismet and you should see wireless networks. Hit “s” to sort the list and then remember the wireless network’s name and channel number.
If the victim laptop is surfing some webpages during the Kismet scan, the attacker should see the Packets counter next to the wireless network name steadily increase.
Step Three – Set up Airpcap for sniffing
Close out Kismet and go back to the Airpcap control panel. Change the Channel to the target network’s wi-fi channel – in our case it’s channel 6. Change the capture type to “802.11 Only”.
Warning – If you forget to change the capture type to 802.11 Only then ferret will not run properly.
Step Four – Launching ferret.exe
Start up your command line (Start/Run/cmd) and navigate to the folder where you’ve placed ferret and hamster. Type “ferret –W” to verify that your Airpcap card is recognized (mostly likely it will be interface number one). Start ferret by typing “ferret –i 1”. You can also type “start ferret –I 1” to automatically run the program in another window.
If you picked the right network, you should see tons of traffic streaming across the command line window.
Step Five – Launching hamster.exe
While keeping ferret open, either go back to the command line window or launch another window. Navigate back to the folder where you’ve placed ferret and hamster and type “hamster”. You can also type “start hamster” to run the program in another window.
Step Six – Verify ferret and hamster are capturing cookies
You should see a hamster.txt file now in the folder. This is where the sniffed cookies are stored and you can even double click the file to view the contents. The file is not deleted when ferret or hamster are stopped, so you can copy the file to another folder for further examination.
Step Seven – Setup and start Firefox
Navigate to the Mozilla Firefox folder and type “set MOZ_NO_REMOTE=1” and then “start firefox.exe –p”. This will bring up Firefox in profile mode and allow you to make an alternate profile.
Step Eight – Set up proxy server within Firefox
Within Firefox, go to Tools/Options/Advanced/Network and then the Settings button. Click on “Manual proxy configuration” and enter a HTTP Proxy address of 127.0.0.1 and Port 3128.
Step Nine – Fun begins, http://hamster/
Type http://hamster/ in your address bar and you should see a lists of IP addresses in the right pane. These are all the computers that ferret and hamster have scanned. You may also see computer names along with email addresses next to the IP address.
Clicking on an IP address will bring up a list of websites that the victim has surfed. You can verify this by going to popular webpages like MySpace, Slashdot and others on the victim laptop. You should see those URLs appear on the attacking laptop.
Warning: You will need to hit F5 to refresh the page because Hamster does not automatically update the IP addresses or URL information.
Step Ten – Gmail hack
On the victim laptop, log into your Gmail account. Notice that by default the Google entry page is protected, but the traffic turns to clear text after logging in.
Go to the attacking laptop, and hit F5 to refresh the Hamster webpage. Click on the victim IP address and you should see the URL http://mail.google.com/mail/ in the left pane. Click that and you have now accessed the victim’s account.
For Gmail, you can protect yourself against the sidejacking attack by running a script that forces SSL encryption or by simply by change http to https after logging into the Gmail account.
What else can you do?
We’ve discovered that the ferret and hamster tools are very good at accessing account pages on a variety of services (just so long as the pages are unencrypted). Google search terms along with auction searches (like eBay) are also easily discovered. We even found that the attack will sniff out flight search information from popular travel websites like Orbitz.
So how do you protect yourself against this attack? The first and probably most important thing is to use a protected wireless network. If you are logging into a public wireless hotspot, see if there is an option to turn on encryption. Be advised though that the attacker can still sniff your traffic, if he/she breaks the WEP or WPA key.
While testing out the attack, we were amazed at how many people name their computers with their own first and last names. People (more accurately IT departments) also like to name their computers by brand names like Dell laptop or Sony Vaio. These are all bad ideas because the Hamster page will pick those names and addresses up after only a few seconds of scanning. Granted you can easily figure out the maker of the computer by parsing out the MAC address, but why give hackers extra ammunition.
For Gmail users, you can install a Firefox script that will force Gmail to always use SSL encryption. You can download one of those scripts here.