WiFi traffic hijacking-any page can be poisoned!

WiFi traffic hijacking-any page can be poisoned!
Everyone knows that Wi-Fi in public places is very poor, but it is not clear how poor it is. Most people think that it will be okay if they do not go to QQ or log on to the website account. There should be no relationship between reading news novels or anything.

Indeed, the news page does not contain any sensitive account information. Even if the data is transmitted in plain text, Hacker can only sniff the news and valuable information you have read.

However, it seems too passive to sniff the rabbit. Since we can take the initiative to control the traffic, why use this weak method?

--------------------------------------------------

In the previous article "transforming a laptop into a wireless router-a small test of cell phone packet capture", we talked about how to intercept Wi-Fi traffic and launch a wider range of attacks.

Today, we use an old technology to create a clever time-machine prototype, so that our scripts can run in the future. Even if we only read a few novel webpages today, we can release our code when we open other websites in the next few days or even weeks.

The intrusion is no longer limited by time and space, and thus can be cursed for a long time!

　　

　　

(Full graph link: http://www.bkjia.com/uploads/allimg/140916/0402413092-0.png)

　　

The principle is actually very simple. I believe you will understand it after reading the figure.

1. When someone connects to the AP we created, his fate is in our hands!

2 ~ 5. When he accesses any website, our Web proxy can insert a script code in it. Of course, this is not the code of the general advertisement, but the script file used by the major websites.

6 ~ 7. Everything is under our control. We are not returning real script library files. In fact, it is a waste of bandwidth to pre-load so many files at a time ~We only return a small "pile file" so that he can load the real file when opening the webpage in the future. In addition, we can add additional scripts in this "pile file". Because these script libraries usually have a long cache time, as long as the user clears the cache, always read this file from the local cache!

8 ~ 12. Even if the user leaves the public place, common script files have been infected and cached. As long as you log on to our pre-infected website one day, the script will be awakened through time and space!

From this point of view, as long as the implementation of step 1, almost all of the subsequent steps are logical!

　　

However, not all users are white-haired users. There are still many high-performance users who will not easily connect to public wifi without a password. In fact, many restaurants and coffee shops use public passwords for wifi.

In this case, we need an AP with a higher power, and set the SSID and password exactly the same as that of the coffee --According to the wifi connection policy, the same hotspot names will give priority to better signal selection.. If the password is the same, they can smoothly connect to our AP. As a result, our hot spots are like the Touchstone, attracting all new users, so we can take full control of them ~~~

　　

However, this is not the final difficulty. Finding the longest cached script resources for each website is the top priority.

In fact, the cache time alone is far from enough --Many files have been cached for a long time, but they are updated frequently.. The most common is the Script URL with a timestamp or hash value. They change one URL for almost three or two days, but there is a long cache time, which is obviously not desirable. Therefore, we needCache TimeAndLast modification timeTo measure itsStability.

To facilitate searching for highly stable resources from various websites, we use PhantomJS for automated analysis. PhantomJS is a Webkit browser without an interface. It simulates Website access and saves us a lot of system resources.

We can listen to the page. onResourceReceived event to obtain the response data of all resource requests. As mentioned earlier, the cache time is a necessary condition and the modification time is a sufficient condition. The modification time indicates that the resource does not change frequently. You can use it with confidence!

First, we can filter out the resources that cache very short, and the resources that expire soon will not be useful. Then, they are sorted by the last modification time, and finally several resources with optimal stability are selected for each site.

Code implementation is simple:

Https://raw.github.com/EtherDream/closurether/master/tool/cache-sniffer/sniffer.js

We will test several commonly used websites (url.txt ):

 

www.hao123.comwww.taobao.comwww.renren.comwww.kaixin001.comwww.baidu.comwww.baidu.com/s?wd=sstieba.baidu.commap.baidu.comweibo.comwww.sina.com.cnwww.mop.comwww.tianya.cnbbs.tianya.cnwww.youku.comuser.qzone.qq.comqzone.qq.comwww.163.commail.163.comwww.126.comwww.sohu.com

 

Based on the returned data (-not modified for several days/+ cached for several days), each site has many script files that have not been modified for a long time.

E:\NodeJS\closurether\tool\cache-sniffer>phantomjs sniffer.js == www.hao123.com ====================-2 / +360        http://s0.hao123img.com/res/js/track.js?381633 == www.taobao.com ====================-497 / +3650        http://a.tbcdn.cn/apps/med/other/p4p/p4p_show_link.js?rd=20120305.js-229 / +3650        http://a.tbcdn.cn/apps/matrix-mission/feedback/feedback.js-178 / +3650        http://a.tbcdn.cn/s/kissy/gallery/??offline/1.0/index-min.js?t=20130701201313 == www.renren.com ====================-631 / +365        http://s.xnimg.cn/a12023/jspro/beacon.js-491 / +365        http://s.xnimg.cn/n/apps/photo/modules/seed/photoSeed.js?r=1373879537560-454 / +365        http://s.xnimg.cn/a36267/js/register/register-xn6207-v6.js == www.kaixin001.com ====================-737 / +365        http://s.kaixin001.com.cn/js/core/ScrollObserver-000179b73.js-732 / +365        http://s.kaixin001.com.cn/js/core/Geometry-0001de487.js-715 / +365        http://s.kaixin001.com.cn/js/core/cookie/Cookie-0001f6c85.js == tieba.baidu.com ====================-40 / +30        http://static.tieba.baidu.com/tb/pms/wpo.pda.js?v=2.8-20 / +3600        http://img.baidu.com/hunter/tiebamonkey.min.20130625.js-18 / +30        http://tb1.bdstatic.com/tb/static-common/js/tb_ui_ac13f64f.js == weibo.com ====================-40 / +15        http://js.t.sinajs.cn/t5/register/js/page/login/index.js?version=201307151712 == map.baidu.com ====================-238 / +3600        http://img.baidu.com/hunter/map.js?st=-15902-53 / +365        http://webmap1.map.bdimg.com/monitor/pdc_jfjmuk.js-5 / +365        http://webmap1.map.bdimg.com/initmap_gn34ay.js == www.tianya.cn ====================-12 / +30        http://static.tianyaui.com/global/ty/TY.js == user.qzone.qq.com ====================-7 / +7        http://imgcache.qq.com/ptlogin/ver/10034/js/h_login_11.js?max_age=604800&ptui_identifier=000E0133918D62675822E216CC1D89FE3A9C1A8B432218E564A3DD6F0B == www.163.com ====================-716 / +7        http://l.bst.126.net/rsc/js/jquery-1.6.2.min.js-297 / +90        http://img2.126.net/ntesrich/auto/adbox/adbox-v1.1.2-120705.js-83 / +90        http://img2.126.net/ntesrich/auto/indexU/fcbox-index-v1.0.0-130422.js == www.sohu.com ====================-42 / +90        http://js.sohu.com/pv/pvclick1211071116.js-42 / +90        http://js.sohu.com/pv/spv1209061800.js == www.mop.com ====================-969 / +299        http://mopimg.cn/openjs/jquery-1.4.4.min.js-458 / +299        http://mopimg.cn/dc/tj.js-396 / +299        http://mopimg.cn/tj/dcq.js == bbs.tianya.cn ====================-301 / +30        http://static.tianyaui.com/global/ty/stat/stat_20080313.js?_=1373879558250-38 / +30        http://static.tianyaui.com/global/lite/js/lite-all.js?v=201306250800-27 / +30        http://static.tianyaui.com/global/lite/js/bbs/bbs.js?v=201306250800 DONE!

Good. With this data, we can implement our plan!

The next article will introduce how to use NodeJS to build this plan.