Someone Else's Wireless
So there you are, computer at the ready, but your internet isn't working. Maybe it's not connected yet, maybe you don't want to pay for your own connection. Whatever the reason, you have noticed that there are one or more Wireless Access Points available that offer to connect you up for nothing. The temptation is huge...
Is it a honeypot?
After reading my pages, you must be concerned that your data traffic could fall into the hands of someone like me, or even worse! How can you ensure that the Network you're about to connect to is merely misconfigured?
One of the hallmarks of the misconfigured networks is that whoever set it up just went with the default settings for everything. Which means they probably didn't change the router passwords. To find out (in Windows), connect to the network, open a command prompt, and type "ipconfig /all" (without the "). This will give you an IP address for the gateway. Now open a web browser, and type this address into the bar on the top. Now you should get a login page or window. Try the various defaults such as admin/admin or admin/no password. There are sites on the internet that will give lists of defaults, and of course the router's manufacturer often has an instruction manual available with the defaults in it. If you can get into the router's administration pages, it is unlikely that you're being monitored by the owner of the internet connection.
One thing to look out for, though, is the connection status -- if you can get to the internet but the status page says "disconnected", there's something fishy going on. This is what you would have seen here, since the router you'd be logging into wasn't actually the real router connecting you.
Go back to the command prompt, and type "tracert google.com" or any other website of your choosing. What you ought to see here is the ISP's IP address at the second hop. If the ISP is at the third or fourth hop, and before that are local IPs, you are not in a normal domestic setup. In order to perform monitoring, another computer has to sit in between there somewhere, and likely you're going through it.
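The hop check above, written out as a small script you can paste tracert output into. This is an added example, not part of the original page: it counts how many private-range addresses (RFC 1918 and link-local) come before the first public hop and flags anything beyond the single home router you'd expect; the two trace outputs are constructed samples, not real traces. It applies the page's "second hop" rule of thumb, so an ISP that uses private addressing on its own internal hops will show up as suspicious too and needs a second look rather than panic.

```python
import re
import ipaddress

# Ranges that should only appear inside a local network (RFC 1918 + link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# A tracert hop line: hop number first, then (somewhere) a dotted-quad address.
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def parse_hops(output):
    """Return [(hop_number, ip_or_None), ...] from pasted tracert output."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
        elif re.match(r"^\s*\d+\s+\*", line):   # 'Request timed out.' hop
            hops.append((int(line.split()[0]), None))
    return hops

def local_hops_before_isp(hops):
    """IPs of the consecutive local-range hops before the first public one."""
    local = []
    for _, ip in hops:
        if ip is None:
            continue             # timed-out hop: tells us nothing either way
        if not is_local(ip):
            break                # first public address: this should be the ISP
        local.append(ip)
    return local

def verdict(output):
    # A normal domestic setup has exactly one local hop (your router) before the ISP.
    return "normal" if len(local_hops_before_isp(parse_hops(output))) <= 1 else "suspicious"

# Constructed sample traces (not real output): a plain home router, then a trace
# that passes through two more private-range boxes before reaching the ISP.
SAMPLE_NORMAL = """Tracing route to example.com [203.0.113.10]
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    14 ms    13 ms    15 ms  203.0.113.1
  3    15 ms    14 ms    15 ms  203.0.113.10
"""
SAMPLE_SUSPECT = """Tracing route to example.com [203.0.113.10]
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     2 ms     1 ms     2 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4     3 ms     2 ms     3 ms  192.168.0.1
  5    14 ms    13 ms    15 ms  203.0.113.1
"""

if __name__ == "__main__":
    for name, out in (("normal", SAMPLE_NORMAL), ("suspect", SAMPLE_SUSPECT)):
        print(name, verdict(out), local_hops_before_isp(parse_hops(out)))
```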
Hell is other people
Even if all the signs say that the Wireless is merely badly set up, this does not mean that nobody can see you. There may be other people connected to the network. There may even be people sniffing the network without being connected to it. Personally I can't figure out how to do this with a Windows computer, but with Lunix it is trivial with the wireless card in "monitor" mode.
This means if you log in to anything and the login is not encrypted, you've given away your password. Maybe that is the same password you are using for other services too.
Hotmail, for instance, encrypts your login (but not the email you are going to be looking at in a second, or the conversation you're wanting to have using MSN Messenger). There are many servers out there that let you log in without encryption, so if you use the same password for everything, the sniffer only needs to see that password unencrypted once to be able to get into everything else too.
SSL Certificates
Does anybody even understand all this security stuff? Imagine you want to log in to your bank's website. Suddenly you get a warning saying the certificate is not valid. Now what is that all about?
If all is well, the certificate received by your browser is already installed, and no warning is given. The bank pays a great deal of money to have a valid certificate, and this certificate will be used to do end-to-end encryption of the traffic between you and them. If I am sitting in between, pretending to be your bank, trying to get your details, my certificate isn't going to be valid. This is why the warning comes up.
Having experimented a little with the "Woman in the Middle" attack, I can tell you that far too many people go ahead and install the fake certificate anyway. After you've done that, you don't even get any warnings anymore. But to the attacker all your traffic with the bank is no longer garble, but perfectly good and legible web pages.
DNS
Don't think that just because it says "https://ibank.barclays.co.uk/olb/j/LoginMember.do" in your address bar, that's who you are connected to. When you're on someone else's network, all your DNS are belong to them!
One way of getting round this is by setting your own DNS server IP in the properties of your Wireless Network Connection. OpenDNS is a good source of DNS. But redirecting all DNS queries, whichever server they're addressed to, to the honeypot's own resolver is easily done, and you wouldn't especially notice it happening.
Moral of the Story
You can never be certain that you're not being observed, but there are some indications. Even if the Wireless Access Point belongs to you, but it's not encrypted, you can't be sure that there isn't some rogue watching all you do.
Get your own internet. Only use it wired. If you must use it wirelessly, use WPA2 encryption.
Some interesting questions from readers
1. Can anyone log into wireless internet without being seen?
The answer is no, you cannot log in without being seen. What you can do without being seen is passive sniffing, but in that case you're not actually associated or "logged in."
Quick how-to: get your laptop equipped with a Lunix operating system. I always use Fedora but most people enjoy Ubuntu better. Depends on what you're used to, I suppose. Ensure that you have a wireless card that supports Lunix's "monitor" mode. Optional: install something like the airodump suite, if you want to try your hand at WEP cracking & such.
Place the wireless card into monitor mode: iwconfig ethx mode monitor where ethx is the name of your wireless interface, and bring the interface up with ifconfig ethx up. (Not ifup, if you have scripts associated with that.)
Start sniffing: tcpdump -i ethx -w filename -C 20 -s 0 where filename is the name of the file to write the capture to. "-C" will write a manageable 20MB in the file before starting on a new one, and the -s 0 option ensures the entire packet is captured.
Wait forever and a day. Watch your hard drive being consumed. You will only obtain data from open wireless access points in this way. If you want any other, you will have to obtain the key. If they haven't given you the key, it means they don't want you on their network. Ethics.
When you're done, you can use Wireshark to open the capture file. Apply the filter "tcp or udp" to ignore all the 802.11 stuff. Now you can see what they get up to on this wireless network. There's a variety of programs you can send the capture file to that will do all sorts of amazing things, like automatically pick out passwords and reconstruct visited websites.
Alternatively, get a life. I hear they're reduced at Tesco's now.
2. How to connect to someone's computer through their router
Their firewall should stop you. If they haven't got one, try connecting through SMB. Or VNC. Or RDP.
Scan the target computer for backdoor ports left by viruses. There's bound to be some sort of service accessible. Getting the passwords is another matter.