Playing back wireless traffic

[Farmikol0t]

I don't understand why it's possible to play back captured wireless traffic and get access to any web mail account. There seems to be some kind of fundamental flaw at work here.

[nihil]

The flaw is probably the users not changing default passwords, not using strong passwords and not using strong encryption.

[westin]

Nihil, as usual, has hit this right on the head... the flaw is not necessarily in the technology... it is in the way people use the technology... Routers, by default ship without encryption enabled... and most people never bother to switch it on. So it is trivial for an unauthorized user to sniff the wireless traffic and capture all kinds of information.

[Aardpsymon]

well, aren't a lot of logins encrypted at the browser these days anyway?

I know for sure my i-banking login is sent encrypted, reasonably sure my yahoo account is although I haven't used it in ages and I don't care about my hotmail, its mostly spam.

Something a lot of people forget with wireless. Even IF they break the WEP/WPA or whatever you use, most sites use 128bit encryption anyway. So all really sensetive data ends up double encrypted.

[slarty]

If the web mail account uses HTTPS, you're safe.

Otherwise, you're probably at risk.

Open wifi networks are easy to intercept from some distance away - this makes them very risky. If you're using an open wifi network (for some reason) you should be mindful of this and not log on to any non-HTTPS site which requires a password etc.

Unfortunately some sites (possibly including AO) may use cookies to remember who you are - if you even *visit* such a site over HTTP on an open wifi connection, your account may be compromised.

Slarty

[westin]

AO is not encrypted... this is something I have never understood... the password is sent in plaintext...

[Farmikol0t]

It's a playback of wireless traffic which provides access to any web mail account, and it appears to work even if the account password or hash is protected by SSL. I don't think it is an MITM attack since the traffic is pulled out of the air.

Seems like a fundamental flaw in web authentication. I can't see how this could be though. Very confused.

[nihil]

Either you are making unreasonable assumptions, or you will need to provide much more detail........... like how the hell do you know:

1. It is a playback of wireless traffic
2. It doesn't matter if you are encrypted
3. The traffic is pulled out of the air

Huh?

So far you have described nothing that couldn't be explained by a simple keylogger

[Farmikol0t]

I guess because I saw it done.

What I saw was that the traffic was pulled out of the air using Kismet under the Backtrack Live CD booted on a laptop. The .dump file was saved to USB. The same laptop was then booted into Windows XP and a Windows program was run against the traffic, first to convert it from 802.11 to a .pcap file, and the same Windows program then provided full access to every account accessed via 802.11.

There was no keylogger involved. There was no access at all to the machines that originally accessed the accounts.

I am really now completely mystified by this whole thing. The password hashes under the accessed accounts are encrypted via SSL.

[Aardpsymon]

it sounds a lot like what they are doing here is replaying the traffic from a successful login like listening in to a spoken password. You hear it, you reproduce it. However given what I know of authentication protocols, surely the time stamp would be off. Also, good protocols have a random number and session ID assigned to them and those would be wrong indicating that it was a recording of a previous handshake not a new, live, one.

Where did you see this?