Everyone knows that public Wi-Fi is insecure, but few people realise just how insecure. Most assume that as long as they do not sign in to QQ or log on to a website account they are fine; simply reading the news or a novel should carry no risk.
It is true that a news page carries no sensitive account information. Even when it is transmitted in plain text, all an attacker can sniff is which news you have read, which is hardly valuable.
But passive sniffing is just waiting by the tree stump for a rabbit to run into it. Since we can take the initiative and control the traffic, why settle for such a weak approach?
--------------------------------------------------
In the previous article, "Transforming a laptop into a wireless router: a small test of cell phone packet capture", we discussed how to intercept Wi-Fi traffic and mount a wider range of attacks.
Today we use an old technique to build a clever prototype of a "time machine": it lets our script run in the future, unconstrained by time and place. That is enough to make people swear!
(Full image: http://images.cnitblog.com/blog/273626/201306/26213334-97186026e3b948db928704244c6cb830.png)
The principle is actually very simple; I believe the figure makes it clear.
1. Once someone connects to the AP we set up, his fate is in our hands!
2 ~ 5. Whenever he visits any website, our web proxy can insert script code into the page. This is not ordinary advertising code, of course, but references to the common script libraries used by each major website.
6 ~ 7. Everything is under our control, and we do not return the real script library files. Preloading so many files at once would waste bandwidth anyway; we return only a small "stub file" that loads the real file at run time. We can also add extra script to this stub. Because these script libraries usually have a long cache time, the file will always be read from the local cache unless the user clears it!
8 ~ 12. Even after the user leaves the public place, the common script files remain infected and cached. Whenever he later visits a website we pre-infected, the script is awakened across time and space!
Seen this way, once step 1 is achieved, almost every subsequent step follows naturally!
However, not all users are novices. Plenty of experienced users will not lightly connect to a public Wi-Fi network that has no password. In fact, many restaurants and coffee shops protect their Wi-Fi with a shared, publicly known password.
In that case we need an AP with higher transmit power, with its SSID and password set exactly the same as the coffee shop's. Under the Wi-Fi connection policy, among hotspots with the same name the one with the better signal is preferred, and if the password also matches, clients connect to our AP without any trouble. Our hotspot then acts like a magnet, drawing in every new user, and we have full control over them ~~~
But this is not the final difficulty. Finding the longest-cached script resources of each website is the top priority.
In fact, cache time alone is far from enough: many files are cached for a long time but are also updated frequently. The most common case is a script URL carrying a timestamp or hash value. The URL changes every two or three days yet declares a long cache time, which is obviously of no use. We therefore need both the cache time and the last-modified time to measure a resource's stability.
To search for highly stable resources across many websites conveniently, we use PhantomJS for automated analysis. PhantomJS is a headless WebKit browser: it simulates website visits while saving us a lot of system resources.
By listening for the page.onResourceReceived event we can obtain the response data of every resource request. As mentioned above, the cache time is a necessary condition and the modification time is a sufficient one: an old last-modified time shows that the resource rarely changes, so it can be used with confidence!
First we filter out resources whose cache time is very short, since resources that expire soon are of no use. Then we sort by last-modified time, and finally select a few of the most stable resources for each site.
The code is simple (sniffer.js):
var min_stable_day = 2,     // a resource must be unmodified for at least this many days
    min_cache_day = 7,      // and cacheable for at least this many days
    max_item = 2,           // resources kept per site
    path_url = 'url.txt',
    path_save = '../../asset/list.txt';

var webpage = require('webpage'),
    fs = require('fs');

var site = [], site_res = {}, used = {};

//
// load the list of websites to analyse
//
(fs.read(path_url) + '').split('\n').forEach(function(line) {
    line = line.trim();
    if (!line || line.substr(0, 1) == '#') {
        return;
    }
    site.push(line);
});

function go(url) {
    var page = webpage.create(),
        result = site_res[url] || (site_res[url] = []);

    function ms2day(tick) {
        return ~~(tick / (24 * 3600 * 1000));
    }

    page.onResourceReceived = function(response) {
        if (response.url in used) {
            return;
        }
        used[response.url] = true;

        // scripts only
        if (!/\.js$|\.js\?/i.test(response.url)) {
            return;
        }

        var last, now, exp;
        var i, headers = response.headers;

        for (i = headers.length - 1; i >= 0; --i) {
            var header = headers[i];
            switch (header.name.toLowerCase()) {
            case 'date':
                now = new Date(header.value);
                break;
            case 'expires':
                exp = new Date(header.value);
                break;
            case 'last-modified':
                last = new Date(header.value);
                break;
            }
        }

        if (!exp || !last) return;
        if (!now) now = new Date();

        var dayStable = ms2day(now - last);   // days since last modification
        var dayCached = ms2day(exp - now);    // days of cache remaining

        if (dayStable < min_stable_day || dayCached < min_cache_day) {
            return;
        }

        result.push({
            url: response.url,
            cache: dayCached,
            stable: dayStable
        });
    };

    function cb(status) {
        if (tid != -1) {
            clearTimeout(tid);
            page.close();
        }

        //
        // sort and display
        //
        if (result.length > 0) {
            result.sort(function(a, b) {
                return a.stable - b.stable;
            });
            if (result.length > max_item) {
                result.length = max_item;
            }

            console.log('==', url, '=====================');
            for (var i = 0; i < result.length; i++) {
                var res = result[i];
                console.log('-' + res.stable + ' / +' + res.cache + '\t\t' + res.url);
            }
            console.log('');
        }

        //
        // breadth-first merge: one resource from each site per round
        //
        if (++done == site.length) {
            var loop, merge = [];
            do {
                loop = false;
                for (var k in site_res) {
                    var e = site_res[k].pop();
                    if (e) {
                        loop = true;
                        merge.push(e.url.split('//')[1]);
                    }
                }
            } while (loop);

            fs.write(path_save, merge.join('\n'), 'w');
            console.log('DONE!');
            phantom.exit();
        }
    }

    // give each page at most 60 seconds to load
    var tid = setTimeout(function() {
        page.close();
        tid = -1;
        cb();
    }, 60 * 1000);

    page.open('http://' + url, cb);
}

var done = 0;

// start the sites two seconds apart
function start() {
    for (var i = 0; i < site.length; i++) {
        setTimeout(function(url) {
            go(url);
        }, 2000 * i, site[i]);
    }
}

start();
We test it against several commonly used websites (url.txt):
www.hao123.com
www.taobao.com
www.renren.com
www.kaixin001.com
www.baidu.com
www.baidu.com/s?wd=ss
tieba.baidu.com
map.baidu.com
weibo.com
www.sina.com.cn
www.mop.com
www.tianya.cn
bbs.tianya.cn
www.youku.com
user.qzone.qq.com
qzone.qq.com
www.163.com
mail.163.com
www.126.com
www.sohu.com
In the returned data (-N means N days since last modification, +N means N days of cache remaining), the time since modification is far shorter than the cache time for most resources, but there are still a few usable ones.
$ phantomjs sniffer.js
== www.hao123.com =====================
-5 / +360		http://s0.hao123img.com/v3/Mr/T0/gh/sn/61/6/hao123.js
-92 / +360		http://s0.hao123img.com/res/js/track.js?380890

== www.taobao.com =====================
-6 / +3650		http://a.tbcdn.cn/s/kissy/gallery/??search-suggest/1.0/index-min.js,search-suggest/1.0/plugin/history-min.js,search-suggest/1.0/plugin/local-query-min.js,search-suggest/1.0/plugin/storage-min.js,search-suggest/1.0/plugin/tab-min.js,search-suggest/1.0/plugin/telephone-min.js?t=20130606190449
-6 / +3650		http://a.tbcdn.cn/s/kissy/1.3.0/??node-min.js,dom/base-min.js,event/dom/base-min.js,event/base-min.js,event/dom/focusin-min.js,anim-min.js,event/custom-min.js,switchable-min.js,cookie-min.js,ajax-min.js,json-min.js,rich-base-min.js,base-min.js,combobox-min.js,component/base-min.js,menu-min.js,component/extension-min.js,xtemplate/facade-min.js,xtemplate/runtime-min.js,xtemplate/compiler-min.js?t=20130606190449

== www.kaixin001.com =====================
-14 / +365		http://s.kaixin001.com.cn/js/apps/reg/ARegister-00100c612.js
-80 / +365		http://s.kaixin001.com.cn/js/core/media/MediaBox-0002a9159.js

== www.baidu.com =====================
-5 / +3650		http://s1.bdstatic.com/r/www/cache/static/user/js/u_75caac89.js
-5 / +3650		http://s1.bdstatic.com/r/www/cache/static/global/js/home_f949edf5.js

== www.baidu.com/s?wd=ss =====================
-5 / +3650		http://s1.bdstatic.com/r/www/cache/static/global/js/common_7fd3f7db.js

== www.renren.com =====================
-7 / +365		http://s.xnimg.cn/a56656/n/core/base-all2.js
-88 / +365		http://s.xnimg.cn/a53726/n/apps/login/login-v6.js

== tieba.baidu.com =====================
-4 / +30		http://tb1.bdstatic.com/tb/static-spage/component/feed_data/feed_data_c51ac7ba.js
-8 / +30		http://tb1.bdstatic.com/tb/static-common/js/tb_ui_ac13f64f.js

== map.baidu.com =====================
-7 / +365		http://webmap1.map.bdimg.com/init_0gj0re.js
-8 / +365		http://webmap2.map.bdimg.com/main_hntng4.js

== weibo.com =====================
-9 / +15		http://js.t.sinajs.cn/t5/register/js/page/login/index.js?version=201306141810
-30 / +15		http://js1.t.sinajs.cn/t4/apps/publicity/static/wbad.js?version=201306141810

== www.sina.com.cn =====================
-141 / +223		http://i2.sinaimg.cn/jslib/modules2/sina/util/1.0.5/util.js
-169 / +203		http://i2.sinaimg.cn/jslib/modules2/seajs/1.3.0/sea.js

== www.mop.com =====================
-365 / +300		http://mopimg.cn/tj/dcq.js
-427 / +300		http://mopimg.cn/dc/tj.js

== www.tianya.cn =====================
-38 / +29		http://static.tianyaui.com/global/ty/TY.js

== bbs.tianya.cn =====================
-7 / +29		http://static.tianyaui.com/global/lite/js/lite-all.js?v=201306070836
-15 / +25		http://static.tianyaui.com/global/lite/js/bbs/bbs.js?v=201306070836

== user.qzone.qq.com =====================
-31 / +7		http://imgcache.qq.com/ptlogin/ver/10031/js/h_login_11.js?max_age=604800&ptui_identifier=000D29EE4BA374D65D39E3C1BB890C8E500256813D2C4E549471141C

== www.163.com =====================
-32 / +90		http://img2.126.net/ntesrich/auto/indexU/dlbox-index-v1.0.1-130506.js
-51 / +90		http://img2.126.net/ntesrich/auto/indexU/fcbox-index-v1.0.0-130422.js

== www.sohu.com =====================
-42 / +90		http://js.sohu.com/pv/pvclick1211071116.js
-42 / +90		http://js.sohu.com/pv/spv1209061800.js

DONE!
Good. With this data we can put the plan into practice!
The next article will show how to build it with Node.js.