Search This Blog

Monday, April 28, 2008

Smart Sniffing on Windows Mobile

Peace be upon you

how are you Guys? sorry for the long absence, today I am getting a very "Evil" thing, actually I will not use it in evil, I will just demonstrate how this thing works and how it can be harmful, What I am talking about is something I named "Smart Sniffing",

What does "Smart Sniffing" means?
It means when the "Hacker" or "Intruder" sniff s/he will not sniff everything, why s/he would do that, for many reason, in our case, the Intruder will need to have just a few pieces of information, not all of it, let us have more details, our sample will be on windows mobile.

First of all you will need to have some tools to start in this operation,
  1. WinPCap for Windows CE.
  2. Windows mobile device to start your development and tests.
  3. Hotmail account.
Let us see what we have now, WinPcap is a free library that is use to capture network packets, well now you have all what is going in and out, for Windows CE version it is little tough but it is not impossible, then you will start watching what is going on, packets going out and packets coming in, now after you have accomplish your first step, let us move to the next step.

You will start looking in the packets for anything related to the password and user name, in the requests that go out from the device to certain server, there is Post requests, that what you are going to rip, if this trick didn't work for many reason on of them, the site uses some kind of SSL (Secure Socket Layer) so you can do something better than ripping the User name and password, you can rip the Session ID, there is too many ways to get what you want, after you have done with this step, the intruder notification step comes.

After you have done extracting the data you want from the packets and it is ready to be used by the Intruder, it will be sent simply and smooth by many ways, it can be sent through SMS, why I said that because may be the user uses some kind of "Firewall" and it will be easily to detect the what the application trying to send,of course the user will know that mobile sent SMS from the bill but the issue here is that the intruder get the piece of information as fast as possible, you can try to dig more and send what you want in sneaky way, like forcing the Internet Explorer to send it as encoded Query String.

What I have just said may seem to be evil but it is just Proof of concept that what ever "Smart Guys"say about mobile and its security, you have to be careful for the application you install on your device, also you have to be careful and try to notice everything on your screen, because there is always eye on you, may be you can't see it but be sure that this eye exist,all you have to do just be careful and try to keep your data as much as you can.

I have seen that before that some kind of Trojan was installed in X company PCs, the Trojan was working like virus, it wasn't detected by the anti-virus, the Trojan was so simple it was just graping the file names and send it to some e-mail Address, of course the Administrator was useless he didn't do anything to protect his company, anyways, don't rely that someone will protect you from any kind of attacks, also rememebr you may ask the wrong person for help so you have to do "Security" related things by your self.

Message to Developers, as you can see nothing is protected by default you have to protect your client as much as you can, it is your client, it is the reason of you raising, so try to keep your client safe, even after your death your work should be protected as much as possible, so you have to read about Encryption, Secure Systems, have certificate, learn the penetration test requirement and do it your self, read about secure code, ... etc
this topic is endless, all you have to do is just sake and be honest because such thing is really need very deep honesty, I am saying that because some how I am client and I hope to be protected.

I forgot to put some links :)
writing secure code
Secure Socket Layer
MSDN Writing Secure Code
WinPcap for Windows CE


I am sorry for the long post, may be I am over reacting but in the matter of fact and as I can see everything a round us is threated and we should be careful, that's all what I meant by this post, I put the idea, it is very simple but it can be used, also similar ideas used to have PC before and for sure there is people working on it now, as long as there is evil we should take care of our selves,

Thanks for your time.

BR
Ahmed Essam

10 comments:

Anonymous said...

the idea is interesting but it could be more interesting if packet sniffing was used to sniff the wireless network traffic instead the of the same device
simply because if all what you wanted is to access a password protected account and u had access to the device you could simply just install a keylogger instead of the hassle of using packet sniffing
plus the damage will be more dangerous, imagine a guy stepping into a company with a unprotected wifi network and sniffs everything and log it on his pocket pc and leaves
and by the way, you don't need to sniff specific packets, you can just sniff them all and filter them later, ethereal can do that for you

Unknown said...

You could just download Airscanner's sniffer have this power in about two minutes :) Included are filtering options that allow you to focus on the 'important' stuff...

Ahmed Essam said...

Peace be upon you

Fady:
Look the Key logger is consumed idea, plus the target is different, the target here is to summarize the information and have what is useful to the intruder, some times key logger doesn't give accurate information also the Pocket PC as all about styles and user may not use the keyboard, because most of the sites do many things to help the user like having shortcuts for the written words, plus there is always "Auto Complete" running on the Pocket PC, so the Key logger is totally unsuitable for this case.

Seth: Airscanner is like packet sniffer but on your device which is useless in most of the cases, it is only useful in certain cases 'for self usage', what I am talking about is deep more than that, it is like having similar application on victim device and have just summary of what is going on, summary which enable you to hack into device user accounts on web or enterprise application that is related to business secrets.

I hope that you got my point

BR
Ahmed Essam

Anonymous said...

seems like u didn't fully understand my comment, please read it again, i wasn't saying that keylogging is better

Ahmed Essam said...

I read what you have wrote fady, anyone can pick packets from the air so what is the big deal, even with simple encryption it may take hours to crack the password using "AirCrack" and stuff like that, it will only work if you have 100% free of encryption Wi-Fi spots, which is not everywhere, in some cases you will never be able to get the what in the air.

Also in some cases you will not be able to reach to some spots, u can only get what you can see, what I am talking about here is something on the device that gives you information about the user who is using now, which means u can have at the moment control on the things which he uses, + the target is not sniffing everything going on the air, you just want specific piece of information from that use not tons of NEED to analysis data.

thanks for your comments.





Seth: "I am sorry I miss understand the AirScanner Sniffer"

Anonymous said...

analyzing the sniffed data isn't hard as u think
most modern packet sniffers now have filters that are more than efficient, one of them is the one seth mentioned

if you mean deceiving a user to install a software that contains your packet sniffer i.e a trojan, then in the end you will need the foul to run the trojan
so if you manage to find that foul, mostly you will have better and easier ways to obtain his passwords than installing a full blown packet sniffer on his device

in the end, i think using a packet sniffer to sniff the network traffic of a single device that it's installed on is obsolete, simply because if you can install a packet sniffer on the victim's device, then you can install anything else, one of my suggestions was a key logger or any software that captures the user input and store it

Ahmed Essam said...

Most of guys install "UNSIGNED" application which means you can put what ever you want on it, most of users do n't even know what does Signed application means, so the Fools who will run the Trojan are every where, most of spy where doesn't installed on the user saying "Hi Mr.User we are hacking your mobile, please accept me to do my job, OH by the way I will work what ever it takes, have a nice day"

things never goes that way, you can simple go to any forum, download any application, attach your stuff to it, and put it pack with new name, "Application XYZ free and cracked" once it is installed you can do what every you want to do, Most of mobile malware do so,

What I meant here, which no one gets until now, you need to have some kind of key to get into simple place, this trick will help you to do so, this is for the evil side,
for the good side, what I meant is to take care and keep track with your clients, for example, manage your web application to handle user logins in safe way, make your own session ID generator stuff like that,

I never meant to hack someone and theft him until he get broke, all I mean that most of mobile application that I have seen doesn't apply many security issues fixes, good cracker can reach to many things that you would not ever imagine,

Packet Sniffing is Ok and great, but it will never gives you what it is needed to have someone with the richness that this trick provides.

I hope that you get my point, what you are talking about is different style of hacking, at the end this depends on the hacker :D and how they would use all of this stuff

also I forgot to mention that there is so many ways to secure the wireless network, + it is some time hard to break the keys of the wireless packets.

may be if you are lucky, you manage to hack it.

Thanks for your time

BR
Ahmed Essam

Anonymous said...

wither you are going to put the "Hi Mr. User ..." message or not, in the end u will need a fool to run it

bottom line is i think this technique is obsolete, use any sort of user input capture instead, it won't just give u the session ids and cookies it will give u the password in plain text, which is the "important" stuff ;)

Ahmed Essam said...

Peace be upon you

Hi Guys, I have downloaded and tried the Airscanner Sniffer, as I expected it doesn't scan anything going in the air, as far as I know there is hardware capabilities that must be in the Wireless chip, which is not exist in normal laptop built-in Wi-Fi modules, so the idea of Airscanner is not valid anymore, there is solutions but I am not sure if it is working for mobile or not, may be there is versions for something like AirPCap.

Thanks for you contributions :)

BR
Ahmed Essam

Anonymous said...

hello brother ahmed,

how are you? i hope that you are doing fine and everything is going well.

My name is Mehmet and I tried to e-mail you about a problem I have and it is rather confidential.

Is it possible if I could somehow get your e-mail so I could e-mail you?

I will be coming back to you tomorrow if it possible.

My kindest regards brother.

Mehmet