Interpreting Android penetration artifact DroidSheep to view ARP spoofing attacks

Interpreting Android penetration artifact DroidSheep to view ARP spoofing attacks

About DroidSheep
 

DroidSheepIt is a security testing tool on the Android platform and can be used for security testing such as web session hijacking. It can listen to HTTP packets transmitted wirelessly and extract the session ID.

About ARP spoofing attacks

Address Resolution Protocol (ARP) is an Address Resolution Protocol that converts an IP Address into a physical Address. LAN communication uses MAC addresses as the house number. We use ARP to attack hosts.

Test Environment

Mx4 (detector)

android-d92b72c70cc30a44   192.168.0.3  38:bc:1a:b8:97:98

 

Xiaomi (attacker)
 

android-7469d8f8181f48dd    192.168.0.4  c4:6a:b7:ff:90:36

Gateway

C:\Users\iruo>arp-aInterface:192.168.0.5 --- 0x3  Internet Address      Physical Address      Type  192.168.0.1           c0-a0-bb-ba-90-ae     dynamic

ARP spoofing attack test

Enable DroidSheep spoofing and hijack sessions

 

Wireshark packet capture
 

The attacker sends an arp spoofing packet, 192.168.0.1 at 90: 36, and gateway spoofing. This is because the victim (LAPTOP) will modify its arp cache when receiving the arp packet.

Log on to Baidu

Therefore, using public WiFI is still very dangerous. Maybe you have modified your Weibo profile picture by listening to a song while drinking coffee.

Defense
 

 

1. Android mobile phone firewall droidsheep guard. When an attack is detected, a prompt box is displayed and wifi is disabled.

 

2. software such as computer client 360 arpfirewall
 

3. Use a VPN Tunnel

4. vro binds the MAC address

Continue analysis

Session management defects include fixed Session Fixation, Cookie spoofing, and Hijacka Session hijacking. Which method does DroidSheep use? Next we will continue the analysis.

1. session hijacking

 

Developers often forget the complexity and randomness of integration when developing their own session IDs. These factors are required for security. When a user logs on, the Session generates a Session ID, which is stored in a field of the client Cookie. We can register many accounts and see the regular use of brute force cracking sessions. In Wengoat, J-Baah is used to predict the WEAKID value. Of course, this is done under the condition that the Cookie is simple and regular, and it is almost impossible to deal with complicated cookies.

14499-140539097039114500-1405390970##1##14501-1405390970500

2. Cookie Spoofing

By using the remember me function, the cookie information is saved locally. You do not need to enter a password after passing cookie authentication. However, if a cookie is intercepted, attackers can bypass password verification for attacks. Generally, XSS cross-site attacks are used to obtain the cookie.

3. Fixed sessions

The server uses the unique Session ID of each user to confirm its validity. If the user has logged on and does not have to re-verify the authorization, when he logs on to the application system again, his Session ID is still considered legal. In some programs

The Session ID is passed in the GET-REQUEST. This is the starting point of the attack.

 

An attacker can use a selected Session ID to send a hyperlink to the victim. For example, there is a prepared email, which looks like an official email from the application administrator.If the victim clicks this link and the victim logs on to the system with the ID specified by the attacker, the attacker can directly access the page with the same ID as the victim without authorization.

Webgoat case Column

1. Add a spoofing Link

<span class="tag"><a<span class="pln"> <span class="atn">href<span class="pun">=<span class="atv">http://192.168.19.128/WebGoat/attack?Screen=16&menu=1700<span class="pln">&<span class="atn">SID<span class="pun">=<span class="atv">ruo<span class="pln"> <span class="tag">><span class="pln"> Goat HillsFinancial<span class="tag"></a>

2. The victim clicks the link to log in.

 

Jane/tarzan

3. Session theft

http://192.168.19.128/WebGoat/attack?Screen=16&menu=1700&SID=NOVALIDSESSION

Replace with & SID = ruo

PHP demo
 

Set php. ini to accept the value of PHPSESSID passed in by get.

session.use_only_cookies= 0，session.use_trans_sid= 1

 

Or Add code

ini_set'session.use_trans_sid',0);

Set the session page and create session_id

Fixation.php<span class="pun"><?<span class="pln">php  session_start<span class="pun">();<span class="pln">  $_SESSION<span class="pun">[&#<span class="lit">039<span class="pun">;<span class="pln">username<span class="pun">&#<span class="lit">039<span class="pun">;]<span class="pln"> <span class="pun">=<span class="pln"> <span class="pun">&#<span class="lit">039<span class="pun">;<span class="pln">ruo<span class="pun">&#<span class="lit">039<span class="pun">;;<span class="pun">?>

To view the $ _ SESSION value, attackers cannot view the username value without PHPSESSID.

Show.php<span class="pun"><?<span class="pln">php  session_start<span class="pun">();<span class="pln">  <span class="kwd">if<span class="pln"> <span class="pun">(<span class="pln">isset<span class="pun">(<span class="pln">$_SESSION<span class="pun">[&#<span class="lit">039<span class="pun">;<span class="pln">username<span class="pun">&#<span class="lit">039<span class="pun">;]))<span class="pln">  <span class="pun">{<span class="pln">    echo $_SESSION<span class="pun">[&#<span class="lit">039<span class="pun">;<span class="pln">username<span class="pun">&#<span class="lit">039<span class="pun">;];<span class="pln">  <span class="pun">}<span class="pun">?>

1. spoofing links sent by attackers

<span class="tag"><a<span class="pln"> <span class="atn">href<span class="pun">=<span class="atv">http://www.ruos.org/Fixation.php?PHPSESSID=1234<span class="tag">></a>

After the victim accesses the link, set PHPSESSID to 1234.

 

2. Attackers can use this PHPSESSID to access the page to restore the created session.

http://www.bkjia.com/show.php? PHPSESSID=1234

Return to DroidSheep, and we will send the intercepted information by email (Export via email ).

After firebug's attempt to delete the cookie, we found that BDUSS is the authentication field, and we added the intercepted cookie to refresh and then logged on.
 

[Cookie: domain: baidu. compath:/BDUSS = VjZ0RiWjQ2aE1QbFkzM ----------------------- I am a mosaic ~ DFRzP3RUZD;]

 

 

ARP spoofing is a mature attack method for LAN. For example, common cyber law enforcement officers and 360 of software such as roommate speed limiting are mostly based on spoofing.

However, this can also change the diversity of spoofing methods. After simple spoofing is implemented, the user name and password will be intercepted using the data forwarded by sniffer. You need to perform NAT forwarding without notice, form a man-in-the-middle attack.

ARP spoofing has many network packets, which are unstable and easy to be backtracked. In this case, you can use DNS to inject viruses.