Capturing wifi traffic of one station from another

This is more of an embarrassing tale than a real how-to document. But I found this interesting enough that I don’t mind sharing it.

A couple of weeks ago I was tasked to capture wifi traffic from a device which didn’t have any capture software built in and I wondered how one would do it.

I have used sniffing tools on my Mac to passively sniff activity on access points around me. Because I’ve always tested such tools in places with dozens of access points and multiple saturated channels, I always assumed that all wifi stations (laptops) frequently switch channels. I also assumed that APs (access points) which are set up to select channels automatically are designed to switch channels at any time if they find a better (less noisy) frequency to provide service on.

And because of those incorrect assumptions, I concluded that sniffing another wifi station would be a difficult task, because it would be impossible to dynamically change the channel of a second wifi station to follow the first one and correctly sniff all the packets.

After a short discussion with a colleague I found out that most wifi stations don’t really switch APs unless the signal-to-noise ratio gets too bad, and most APs never change channels once they are fully initialized.

In the end, to sniff one device, all I had to do was keep the second device close to the first one and make sure that the second one joins the same channel as the first one. For my tests I used open wifi APs, which were easier to capture/decode. At this point, if your hardware is capable of promiscuous mode and you have the right software for capture, you should be able to put in a filter with the MAC address of the device you want to capture and start the process.

Chrome Frame – How to add command line parameters

Chrome Frame intentionally does its work without getting in the way of the user. This sometimes makes things harder to debug. For example, how can one debug an issue if Chrome Frame doesn’t even launch? Apparently there is a flag for that, but you have to know how to enable it. Here are the steps.

  1. Make sure Chrome Frame is installed.
  2. Startup flags for dumping debug logs can be enabled using a policy called AdditionalLaunchParameters.
  3. If this is just for one desktop, I recommend doing a registry edit (it can be pushed via GPO as well).
  4. Add a REG_SZ value “AdditionalLaunchParameters” at “Software\Policies\Google\Chrome\AdditionalLaunchParameters” (i.e. under the “Software\Policies\Google\Chrome” key) with the value “--enable-logging --v=1” (also documented here and mentioned here) [ Attachment 1 ]
  5. Next kill the IE browser and make sure Chrome is also dead by checking taskmgr.
  6. Restart IE, go to “gcf:about:version” and confirm that the parameters you added show up next to “Command Line:”. If this doesn’t work… skip this step and go to the next step anyway.
  7. Under your “Application Data” folder (it’s inside “Documents and Settings”) search for a file named chrome_debug.log [ it’s usually in “Application Data\Google\Chrome Frame\User Data\IEXPLORE” ]

Chromebooks with Openvpn on EC2

Chromebooks are perfect companions for travel. They are light and secure, and one generally doesn’t have to worry about data theft in case they lose the device. But surfing from hotels and coffee shops is another story. While most sites are on SSL, there are enough websites which are not… and even the ones which support SSL sometimes forget to use SSL for sensitive data. Which is why extensions like “HTTPS Everywhere” are highly recommended.


If I could, I’d pay a few cents for an extra level of privacy when using these public wifi networks. In this post I’ll document how you could quickly set up an OpenVPN server on an EC2 instance to do exactly this for your Chromebook.

Prerequisites 

  1. A working EC2 account
  2. A working key-pair (required to ssh into the EC2 instance)
  3. Chromebook with R23 or later 

Step 1 – Launch an Amazon Linux AMI (I used 32 bit for my setup.. it’s the cheapest). Pick all the default options and pay attention to which “Security Group” you are selecting. It will most probably be called “default”.

Step 2 – Edit the security group used by the instance and make sure UDP port 1194 is added to the “inbound” rules.

Step 3 – SSH into the EC2 instance using your key (you could also use this extension if you have the ‘identity’ file instead of the .pem)

ssh -i my_key.pem ec2-user@ec2-75-101-188-186.compute-1.amazonaws.com

Step 4 – Add a user, set a password and update the server

sudo bash
useradd temp
# --stdin reads the new password from the pipe instead of prompting
echo 'my_password' | passwd --stdin temp
yum -y update

Step 5 – Install/start the OpenVPN server with basic options

# Install
yum -y install openvpn
yum -y install mailx

# Create fresh keys
mkdir -p /etc/openvpn/easy-rsa/
cp /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/
source vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="test-city"
export KEY_ORG="Example Company"
export KEY_EMAIL="royans@example.com"
export KEY_CN=changemenow
export KEY_NAME=changemenow
export KEY_OU=changemenow
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
# build-key-pkcs12 already calls "pkitool --pkcs12", producing keys/hostname.p12
./build-key-pkcs12 hostname
# Send a copy of the CA cert by mail (mailx: -s subject, -a attachment)
mail -s ca.cert -a /etc/openvpn/easy-rsa/keys/ca.crt royans@example.com <<EOF
This is the cert file for this setup. Install this in the authorities tab in the chrome os device from where vpn needs to be initiated.
EOF
# Create a server.conf file
cat > /etc/openvpn/server.conf <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 6
# PAM username/password authentication; clients need not present a certificate
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so login
client-cert-not-required
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
EOF
# Start the service
/etc/init.d/openvpn start

Step 6 – Set up basic source NAT

echo 1 > /proc/sys/net/ipv4/ip_forward
# Address on eth0 (the instance's private IP; EC2 maps it to the public one)
IP=$(ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | cut -d':' -f2)
iptables -F; iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP

Step 7 – Install the cert

• In step 5 we sent ca.crt to the user’s email address. The user should download that cert and install it under the authorities tab of the Chromebook [ chrome://chrome/settings/certificates#cert ]
• There is a known issue that new certs of this type don’t take effect until the user logs out and logs in again
• After logging in again, add the new VPN
  • chrome://chrome/settings/
  • Click on “Add connection”
  • Click on “Add private network”
  • In “Server hostname:” put in the external IP address or the name of your EC2 instance. For example ec2-54-245-135-132.compute-1.amazonaws.com
  • In “Server CA certificate” you should see a new certificate called “changemenow”
  • For Username/Password use the credentials you set up in step 4

Step 8 – Done

• You should be able to test by pinging www.google.com from the crosh terminal

Certificate based authentication

• If your goal is to set up certificate based authentication you will have to do a few extra steps
  • Along with installing ca.crt in the authorities tab, you would also have to install the hostname.p12 certificate you created in “Step 5” onto your Chromebook (look in the keys directory)
  • In the “server.conf” file comment out both of the lines below. Commenting out the first disables PAM based authentication; commenting out the second makes OpenVPN require a client certificate again, which is what enables certificate based authentication.
    • plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so login
    • client-cert-not-required
  • When you specify the client configuration make sure you specify both “Server CA certificate” and “User certificate”.
  • Type something into username to keep the UI satisfied… if you haven’t enabled PAM based authentication it will have no effect on the login process.

Next steps

• Note that this is the simplest OpenVPN setup. There are many ways you can improve on it, which I highly recommend if you plan to keep this instance running for more than a few minutes or hours.
  • You could use client certificates instead of just username/password
  • You should consider tightening the firewall rules on the server
  • If OpenVPN is running as root on the server, please switch it to something less privileged like ‘nobody’.
• You should replace the passwords and names I used as examples above.
• It should be trivial for someone to write a script to do this… if you do, please let me know and I’ll gladly link it from here
• While EC2 instances cost only a few cents per hour… please do remember to shut down when you are done, else you will get an unexpected bill at the end of the month.
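As an added example (not part of the original post), a small shell script that applies the hardening points above to the Step 5 server.conf and checks an existing config for them. It assumes the Step 5 key paths, that the “nobody” user and group exist on the instance (as on Amazon Linux), and the verbosity threshold it flags is the script's own choice.

```sh
#!/bin/sh
# Added example, not from the original post: audit an OpenVPN server.conf for
# the weaknesses listed under "Next steps", and emit a hardened version of the
# Step 5 config. Assumes the Step 5 key paths and that the "nobody" user and
# group exist (they do on Amazon Linux). The verb threshold is this script's own.

# audit_server_conf FILE: print one finding per line; return the number found.
audit_server_conf() {
  findings=0
  if grep -q '^client-cert-not-required' "$1"; then
    echo "client-cert-not-required: a guessed or stolen password alone gets a client in"
    findings=$((findings + 1))
  fi
  if ! grep -q '^user ' "$1" || ! grep -q '^group ' "$1"; then
    echo "no user/group directive: openvpn keeps running as root after startup"
    findings=$((findings + 1))
  fi
  verb=$(awk '$1 == "verb" { print $2 }' "$1")
  if [ -n "$verb" ] && [ "$verb" -gt 4 ]; then
    echo "verb $verb: debug-level logging on a long-running server; use 3"
    findings=$((findings + 1))
  fi
  return $findings
}

# hardened_server_conf: the Step 5 server.conf with the Next-steps fixes applied.
hardened_server_conf() {
  keys=/etc/openvpn/easy-rsa/keys
  cat <<EOF
port 1194
proto udp
dev tun
ca $keys/ca.crt
cert $keys/server.crt
key $keys/server.key
dh $keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
# PAM plugin and client-cert-not-required removed: every client must present a
# certificate signed by ca.crt (the hostname.p12 from Step 5)
# drop root privileges once the tun device and keys are set up
user nobody
group nobody
verb 3
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
EOF
}
```

Write the hardened config with `hardened_server_conf > /etc/openvpn/server.conf`, or point `audit_server_conf` at the file you already have to see which of the three points still apply.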

How software defined radios (SDRs) will change security

Locks were considered very secure until the first lock pickers got their hands on them. Phone systems were secure until John Draper discovered a use for the toy whistle in a Cap’n Crunch pack. In fact even the creators of the internet didn’t think much about security when it was initially designed. It’s the commoditization of technology which sometimes brings about the worst of all security bugs. And I believe the next round of changes is coming very soon.

Until very recently radios were built for a purpose and they rarely did more than what they were supposed to do. Think of them like the early computers which took up a whole room and could only do one type of job per computer. Today’s computers can do all kinds of things and, unlike the older versions, they don’t need to be rewired physically to make them do a new job. Everything is done using software.

Wikipedia does a good job at defining what this is.

A software-defined radio system, or SDR, is a radio communication system where components that have been typically implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system. While the concept of SDR is not new, the rapidly evolving capabilities of digital electronics render practical many processes which used to be only theoretically possible.

A group of individuals figured out that some TV tuner cards can not only be reprogrammed to listen to a wider range of frequencies but can be driven entirely using software, which makes them look like an all-purpose radio receiver. Interestingly that USB tuner costs only about USD 20.

PaulDotCom mentioned SDRs in one of their talks as well, but went further and pointed out that SDRs could also be used to send signals, which makes them significantly more dangerous. One of the worst examples given was that an SDR could be reprogrammed to generate fake transponder signals. They pointed out that modern aircraft listen for transponder signals from other nearby aircraft, and some are programmed to take sudden automatic evasive action when they detect another aircraft close by.

The point is not that terrorists can attack airplanes this way… they could do it today by buying and reprogramming a real transponder. The point is that this technology will become so cheap that anyone would be able to do it with just a computer and a simple SDR transmitter.

I’m not really sure how good transponders are with respect to security.. maybe they have a good secure way of authenticating the transmitter, in which case all is good. But if that’s not happening today, it will change at some point when this technology becomes as easy to disrupt as DNS is today.

Chrome: Fully sandboxed Flash engine protects users

The truth is that not everyone gets updates to Chrome as soon as they are released. And as is usually the case, a lot of holes get discovered only after they are exploited in the field. Google has finally announced a fully sandboxed Flash engine which prevents malicious code running within the Flash component from fully exploiting the system. It should keep you safe from unexpected security threats until an update arrives.

Google says sandboxing is now available for Flash “with this release” of Chrome. The most recent version, Chrome 23, arrived last week, which is when the four-year-old browser received its usual dose of security fixes (14 in total), as well as a new version of Adobe Flash.

Yet the company today wanted to underline that Chrome’s built-in Flash Player on Mac now uses a new plug-in architecture which runs Flash inside a sandbox that’s as strong as Chrome’s native sandbox, and “much more robust than anything else available.” This is great news for Mac users since Flash is so very widely used, and thus is a huge target for cybercriminals pushing malware.

Malware writers love exploiting Flash for the same reasons as they do Java: it’s a cross-platform plugin. Such an attack vector allows them to target more than one operating system, more than one browser, and thus more than one type of user. What Google is doing here is minimizing the chances that its users, namely those using Chrome, will get infected by such threats.

Top security threats from Oracle, Adobe and Apple

Kaspersky Labs came out with its Q3 report and, not surprisingly, Oracle and Adobe have some of the worst holes impacting the largest number of users. What surprised me more was that Apple made it to that list even though Microsoft didn’t explicitly get named. The map below shows the % of users infected.

I also found it interesting that iTunes has a lot of holes. Who would have thunk it.

IT Threat Evolution: Q3 2012 – Securelist

What are software defined radios?

I had never heard of SDRs until today. But now that I know about them, I can understand why some folks are so excited. This is almost like a Swiss army knife for radio hackers.

The HackRF can shift between different frequencies as easily as a computer switches between applications--it can both read and transmit signals from 100 megahertz to 6 gigahertz, including frequencies as low as the range used by FM radio up to the gigahertz frequencies used by Wifi or experimental wireless protocols for cars communicating in traffic. In between those bookends lies everything from police radio to cellular signals from AT&T and Verizon to garage door openers--all signals that HackRF can instantaneously intercept or reproduce.

The point of catching exceptions

Using a try-catch block is a very good way to detect run-time exceptions. But one of my code reviewers recently pointed out that overusing them can be dangerous. It was pointed out to me that I should only catch those exceptions which I understand, and should correctly handle them once they are caught. Catch-all try blocks may generate fewer user-facing errors, but they can hide the more serious issues.

Nothing describes the danger of ignoring exceptions this way better than this post on android-ssl.org [ more details in this paper ].

To evaluate the real threat of such potential vulnerabilities, we have manually mounted MITM attacks against 100 selected apps from that set. This manual audit has revealed widespread and serious vulnerabilities. We have captured credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts. We have successfully manipulated virus signatures downloaded via the automatic update functionality of an anti-virus app to neutralize the protection or even to remove arbitrary apps, including the anti-virus program itself.

To be honest I haven’t seen how these apps implemented this… but based on my Java/Python background I’d say there is a good chance that either a flag was passed to ignore certificate errors, or a try-catch block was implemented to catch and ignore all exceptions (including valid security exceptions).

BEAST and CRIME: How Chrome is impacted

One of the first discussions I noticed around TLS/SSL was in a news report last year.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they’re protected by SSL.

These guys came back again this year with another attack called “CRIME”. A simplified version of how this attack is executed is described here, along with the plan for how Chrome is going to address it.

The problem that CRIME highlights is that sensitive cookie data and an attacker controlled path is compressed together in the same context. Cookie data makes up most of the red, uncompressed bytes in the diagram. If the path contains some cookie data, then the compressed headers will be shorter because zlib will be able to refer back to the path, rather than have to output all the literal bytes of the cookie. If you arrange things so that you can probe the contents of the cookie incrementally, then (assuming that the cookie is base64), you can extract the cookie byte-by-byte by inducing the browser to make requests.

Data URLs and XSS injections

I knew there were ways to embed an image into an HTML page by adding a ‘src’ to the ‘img’ tag which contained the whole base64 encoded image file. What I didn’t know is that there are ways to use similar methods to invoke JavaScript in the context of the current page.

For example, an HTML tag like the following could be used to inject XSS into a page (the base64 payload decodes to a script that alerts the opener document’s body). Most browsers (especially Chrome) do protect against this, but it may be possible to get around some of the security measures.

<a href="data:text/html;base64,PHNjcmlwdD5hbGVydChvcGVuZXIuZG9jdW1lbnQuYm9keS5pbm5lckhUTUwpPC9zY3JpcHQ+">clickme</a>

Read this for a little more background.