-
March 8th, 2007, 07:04 PM
#1
Junior Member
Playing back wireless traffic
I don't understand why it's possible to play back captured wireless traffic and get access to any web mail account. There seems to be some kind of fundamental flaw at work here.
-
March 8th, 2007, 11:36 PM
#2
The flaw is probably the users not changing default passwords, not using strong passwords and not using strong encryption.
-
March 9th, 2007, 01:18 AM
#3
Nihil, as usual, has hit this right on the head... the flaw is not necessarily in the technology... it is in the way people use the technology... Routers, by default ship without encryption enabled... and most people never bother to switch it on. So it is trivial for an unauthorized user to sniff the wireless traffic and capture all kinds of information.
\"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"
-HST
-
March 9th, 2007, 10:43 AM
#4
Well, aren't a lot of logins encrypted at the browser these days anyway?
I know for sure my i-banking login is sent encrypted, reasonably sure my yahoo account is although I haven't used it in ages and I don't care about my hotmail, it's mostly spam.
Something a lot of people forget with wireless. Even IF they break the WEP/WPA or whatever you use, most sites use 128bit encryption anyway. So all really sensitive data ends up double encrypted.
If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.
-
March 10th, 2007, 11:09 AM
#5
If the web mail account uses HTTPS, you're safe.
Otherwise, you're probably at risk.
Open wifi networks are easy to intercept from some distance away - this makes them very risky. If you're using an open wifi network (for some reason) you should be mindful of this and not log on to any non-HTTPS site which requires a password etc.
Unfortunately some sites (possibly including AO) may use cookies to remember who you are - if you even *visit* such a site over HTTP on an open wifi connection, your account may be compromised.
Slarty
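The cookie point in the post above is the one practitioners most often get wrong, so here is an added example (not code from the thread or from AO) showing the mechanism: a browser attaches a session cookie to every matching request, over plain HTTP as well as HTTPS, unless the cookie was set with the `Secure` attribute. The login response and the captured request below are constructed for the example; the host, cookie names and values are assumptions.

```python
"""Why an HTTPS login still leaks its session on open wifi.

The server sets the session cookie during an HTTPS login. Unless the cookie
carries `Secure`, the browser will also send it on the first http:// page of
the same site, where anyone sniffing the wireless network can read it.
All HTTP messages here are constructed, not real captures.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed Set-Cookie headers a site might send after an HTTPS login.
WEAK_SET_COOKIE = "sessid=8f2a9c1e; Path=/; HttpOnly"
HARDENED_SET_COOKIE = "sessid=8f2a9c1e; Path=/; HttpOnly; Secure"

# Constructed plaintext request, as a sniffer on an open network would see it.
CAPTURED_REQUEST = (
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"Cookie: sessid=8f2a9c1e; lang=en\r\n"
    b"User-Agent: constructed\r\n"
    b"\r\n"
)


def _browser_would_send(morsel, url: str) -> bool:
    """Approximation of the browser rule that matters here: a cookie marked
    Secure is withheld from plain http:// requests; everything else is sent."""
    scheme = urlparse(url).scheme
    return not (bool(morsel["secure"]) and scheme == "http")


def cookies_sent_to(set_cookie_header: str, url: str) -> list:
    """Names of cookies from one Set-Cookie header that a browser would attach
    to a request for `url`."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return [name for name, m in jar.items() if _browser_would_send(m, url)]


def cookie_from_captured_request(raw: bytes) -> dict:
    """Sniffer side: pull the Cookie header out of a plaintext HTTP request.
    Over HTTPS this header is inside TLS and a sniffer gets nothing."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            jar = SimpleCookie()
            jar.load(value.strip())
            return {n: m.value for n, m in jar.items()}
    return {}


if __name__ == "__main__":
    http_url = "http://mail.example.com/inbox"
    print("weak cookie sent over http:     ", cookies_sent_to(WEAK_SET_COOKIE, http_url))
    print("hardened cookie sent over http: ", cookies_sent_to(HARDENED_SET_COOKIE, http_url))
    print("what the sniffer captured:      ", cookie_from_captured_request(CAPTURED_REQUEST))
```

The check to run against any site you care about is simply: does the login response set the session cookie with `Secure`? If not, one http:// visit (a bookmark, a link in a mail, the site's own front page) hands the session to whoever is listening, regardless of how the login itself was protected.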
-
March 11th, 2007, 06:17 AM
#6
AO is not encrypted... this is something I have never understood... the password is sent in plaintext...
\"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"
-HST
-
March 12th, 2007, 12:20 PM
#7
Junior Member
SSL doesn't seem to matter
It's a playback of wireless traffic which provides access to any web mail account, and it appears to work even if the account password or hash is protected by SSL. I don't think it is an MITM attack since the traffic is pulled out of the air.
Seems like a fundamental flaw in web authentication. I can't see how this could be though. Very confused.
-
March 12th, 2007, 03:54 PM
#8
Either you are making unreasonable assumptions, or you will need to provide much more detail... like how the hell do you know:
1. It is a playback of wireless traffic
2. It doesn't matter if you are encrypted
3. The traffic is pulled out of the air
Huh?
So far you have described nothing that couldn't be explained by a simple keylogger
-
March 12th, 2007, 08:24 PM
#9
Junior Member
saw it done
I guess because I saw it done.
What I saw was that the traffic was pulled out of the air using Kismet under the Backtrack Live CD booted on a laptop. The .dump file was saved to USB. The same laptop was then booted into Windows XP and a Windows program was run against the traffic, first to convert it from 802.11 to a .pcap file, and the same Windows program then provided full access to every account accessed via 802.11.
There was no keylogger involved. There was no access at all to the machines that originally accessed the accounts.
I am really now completely mystified by this whole thing. The password hashes under the accessed accounts are encrypted via SSL.
-
March 13th, 2007, 09:38 AM
#10
It sounds a lot like what they are doing here is replaying the traffic from a successful login, like listening in to a spoken password. You hear it, you reproduce it. However, given what I know of authentication protocols, surely the time stamp would be off. Also, good protocols have a random number and session ID assigned to them and those would be wrong, indicating that it was a recording of a previous handshake, not a new, live one.
Where did you see this?
If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.
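The reasoning in the post above (a fresh random number plus a timestamp makes a recording worthless) is worth seeing in working code. Below is an added example, not from the thread, of a minimal challenge-response login and the replay attempts against it. The protocol, the shared secret, the user name and the clock values are all constructed for the example; a real system would use TLS on top of this and a proper password-based key, not a raw shared secret.

```python
"""Replay resistance from a server nonce and a timestamp.

The server hands out a random single-use nonce; the client proves knowledge
of the shared key by HMACing user|nonce|timestamp. A sniffer who records a
successful exchange cannot reuse it: the nonce is consumed on first use and
the timestamp falls outside the server's window soon after.
"""
import hashlib
import hmac
import os
import time


def _tag(key: bytes, user: str, nonce: str, ts: int) -> str:
    return hmac.new(key, f"{user}|{nonce}|{ts}".encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self, user_keys: dict, window: int = 30):
        self.user_keys = user_keys   # user -> shared secret (constructed)
        self.issued = set()          # nonces handed out and not yet consumed
        self.window = window         # accepted clock skew in seconds

    def challenge(self) -> str:
        """Issue a fresh random nonce for one login attempt."""
        nonce = os.urandom(16).hex()
        self.issued.add(nonce)
        return nonce

    def verify(self, user: str, nonce: str, ts: int, tag: str, now=None) -> bool:
        now = time.time() if now is None else now
        if nonce not in self.issued:              # never issued, or already used
            return False
        if abs(now - ts) > self.window:           # recording played back too late
            return False
        key = self.user_keys.get(user)
        if key is None:
            return False
        if not hmac.compare_digest(_tag(key, user, nonce, ts), tag):
            return False
        self.issued.discard(nonce)                # single use: a replay now fails
        return True


def client_response(user: str, key: bytes, nonce: str, ts: int) -> tuple:
    """What the legitimate client sends back (and what a sniffer records)."""
    return (user, nonce, ts, _tag(key, user, nonce, ts))


def static_token_login(stored_token: str, presented_token: str) -> bool:
    """Contrast: a static session token or password works every time it is
    presented, so a recording of it is as good as the original."""
    return hmac.compare_digest(stored_token, presented_token)


def demo() -> tuple:
    """Returns (first login ok, immediate replay ok, stale replay ok,
    static token replay ok) using a fixed clock for determinism."""
    key = b"constructed-shared-secret"
    srv = Server({"alice": key}, window=30)
    t0 = 1_173_000_000                             # fixed clock, seconds

    recording = client_response("alice", key, srv.challenge(), t0)
    first = srv.verify(*recording, now=t0 + 1)     # live exchange
    replay = srv.verify(*recording, now=t0 + 2)    # same bytes again: nonce consumed

    recording2 = client_response("alice", key, srv.challenge(), t0)
    stale = srv.verify(*recording2, now=t0 + 3600) # played back an hour later

    static_replay = static_token_login("8f2a9c1e", "8f2a9c1e")  # captured token just works
    return first, replay, stale, static_replay


if __name__ == "__main__":
    print(demo())
```

The contrast with `static_token_login` is the whole story of this thread: once a site's session token is a fixed string that the browser resends on every request, nothing in the login handshake matters to a replayer, because the recording they use is the later request that carried the token in the clear.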