Interpreting the Android pentest tool DroidSheep: watching an ARP spoofing attack
About DroidSheep
DroidSheep is a security testing tool for the Android platform, used for tests such as web session hijacking. It sniffs HTTP traffic on the wireless network and extracts the session IDs (cookies) it finds.
About ARP spoofing attacks
Address Resolution Protocol (ARP) maps an IP address to a physical (MAC) address. On a LAN, frames are delivered by MAC address, much as mail is delivered by house number. ARP replies are not authenticated, and that is what we exploit: an attacker can answer for the gateway's IP address with its own MAC and have the victim's traffic sent to itself.
Test Environment
Mx4 (detector)
android-d92b72c70cc30a44 192.168.0.3 38:bc:1a:b8:97:98
Xiaomi (attacker)
android-7469d8f8181f48dd 192.168.0.4 c4:6a:b7:ff:90:36
Gateway (as seen in the ARP cache of the victim laptop, 192.168.0.5)
C:\Users\iruo>arp -a
Interface: 192.168.0.5 --- 0x3
  Internet Address      Physical Address      Type
  192.168.0.1           c0-a0-bb-ba-90-ae     dynamic
ARP spoofing attack test
Enable spoofing in DroidSheep and hijack the session
Wireshark packet capture
The attacker sends forged ARP replies claiming that 192.168.0.1 (the gateway) is at c4:6a:b7:ff:90:36, its own MAC, i.e. it impersonates the gateway. This works because the victim (the laptop, 192.168.0.5) updates its ARP cache as soon as it receives the reply, so from then on everything it sends to the gateway goes to the attacker's phone instead.
Log on to Baidu
So public Wi-Fi is still dangerous: while you sit in a café listening to a song over a coffee, someone may already have changed your Weibo profile picture using your hijacked session.
Defense
1. On an Android phone, the DroidSheep Guard firewall app: when an attack is detected it shows a warning and disables Wi-Fi.
2. On a PC, an ARP firewall such as 360's.
3. Use a VPN tunnel, so that even a hijacked link carries only encrypted traffic and the session cookie never appears in the clear.
4. Bind the gateway's IP and MAC address statically on the router and on the hosts, so a forged reply cannot overwrite the cache entry.
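The check behind defence 1 (watch the ARP table and alert when the gateway's MAC changes) is written out below in Python as an added example for this page; it is not DroidSheep Guard's code. It parses raw Ethernet/ARP frames, seeds a static binding for the gateway from the test environment above, and alerts when any other MAC claims 192.168.0.1. The sample frames are constructed inline; the laptop's MAC is not given on the page and is an assumption.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Addresses from the test environment on this page.
GATEWAY_IP, GATEWAY_MAC = "192.168.0.1", "c0:a0:bb:ba:90:ae"
VICTIM_IP = "192.168.0.5"
ATTACKER_MAC = "c4:6a:b7:ff:90:36"
VICTIM_MAC = "00:11:22:33:44:55"   # the page does not give the laptop's MAC; assumed


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(frame) < 42:                                  # 14-byte Ethernet + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    body = frame[14:42]
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(opcode, _mac_str(body[8:14]), _ip_str(body[14:18]),
                     _mac_str(body[18:24]), _ip_str(body[24:28]))


def build_arp_frame(opcode: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Build a raw ARP frame; used here only to construct sample traffic offline."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


class ArpSpoofDetector:
    """IP->MAC table seeded with static bindings; alerts when a bound IP is claimed by a
    different MAC. Requests are checked as well as replies, because many stacks update an
    existing cache entry from the sender fields of either."""

    def __init__(self, bindings: Dict[str, str]):
        self.table = dict(bindings)
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        pkt = parse_arp_frame(frame)
        if pkt is None or pkt.opcode not in (ARP_REQUEST, ARP_REPLY):
            return None
        known = self.table.get(pkt.sender_ip)
        if known is None:
            self.table[pkt.sender_ip] = pkt.sender_mac      # first sighting: learn it
            return None
        if known != pkt.sender_mac:
            alert = f"ARP spoofing: {pkt.sender_ip} claimed by {pkt.sender_mac}, bound to {known}"
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample traffic: a genuine gateway reply, the forged reply from the page
# (attacker's MAC answering for 192.168.0.1), and a runt non-ARP frame.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_frame(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    b"\x00" * 14,
]


def run_detector(frames: List[bytes] = SAMPLE_FRAMES) -> List[str]:
    det = ArpSpoofDetector({GATEWAY_IP: GATEWAY_MAC})
    return [a for a in (det.observe(f) for f in frames) if a]


if __name__ == "__main__":
    for alert in run_detector():
        print(alert)
```

On a real host the frames would come from a raw socket or a pcap file rather than the constructed list. Defence 4 closes the same hole from the other side: a static ARP entry refuses the cache update instead of detecting it afterwards.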
Continue analysis
Session management defects include session fixation, cookie spoofing and session hijacking. Which of these does DroidSheep exploit? We continue the analysis below.
1. Session hijacking
Developers who write their own session IDs often forget that the ID must be both long and unpredictable, and both properties are required for security. When a user logs in, the server generates a session ID and stores it in a field of the client-side cookie. By registering a number of accounts and comparing the IDs issued, we can look for a pattern and then brute-force other users' sessions. In WebGoat, J-Baah is used to predict the WEAKID value. Of course this only works when the cookie is simple and regular; with a properly random cookie it is practically impossible.
Three consecutive WEAKID values captured this way (the middle one is partly masked):
14499-1405390970391
14500-1405390970##1##
14501-1405390970500
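The prediction the WEAKID values above invite is spelled out in the following Python script, an added example that is not part of the original page or of WebGoat. A WEAKID cookie is <counter>-<millisecond timestamp>; a counter missing from our own logins means someone else logged in between them, and that user's timestamp must lie between the neighbouring ones, so the search space is tiny. The two neighbouring cookies are the values captured on the page; the victim's cookie (counter 14500, masked on the page) and the third sample are constructed, and the validity oracle is a set lookup standing in for the HTTP request the real lesson makes.

```python
import re
from typing import Callable, Iterator, List, Optional, Tuple

WEAKID_RE = re.compile(r"^(\d+)-(\d+)$")   # <counter>-<millisecond timestamp>
WeakId = Tuple[int, int]


def parse_weakid(cookie: str) -> WeakId:
    m = WEAKID_RE.match(cookie)
    if not m:
        raise ValueError(f"not a WEAKID cookie: {cookie!r}")
    return int(m.group(1)), int(m.group(2))


def find_gaps(cookies: List[str]) -> List[Tuple[WeakId, WeakId]]:
    """Sort our own cookies by counter and return the neighbours around each missing
    counter; a missing counter is another user's login."""
    ids = sorted(parse_weakid(c) for c in cookies)
    return [(a, b) for a, b in zip(ids, ids[1:]) if b[0] - a[0] > 1]


def candidates(before: WeakId, after: WeakId) -> Iterator[str]:
    """Every cookie a gap could hold: each missing counter combined with every
    timestamp between the two neighbours (inclusive)."""
    (c1, t1), (c2, t2) = before, after
    for counter in range(c1 + 1, c2):
        for ts in range(t1, t2 + 1):
            yield f"{counter}-{ts}"


def brute_force(cookies: List[str], is_live: Callable[[str], bool]) -> Optional[str]:
    """Try each candidate against an oracle. In the lesson the oracle is a request sent
    with the candidate cookie; here it is any function returning True for a live session."""
    for before, after in find_gaps(cookies):
        for cand in candidates(before, after):
            if is_live(cand):
                return cand
    return None


# Neighbours from the page; the victim's cookie and the third sample are constructed.
OUR_COOKIES = ["14499-1405390970391", "14501-1405390970500", "14502-1405390970612"]
VICTIM_COOKIE = "14500-1405390970425"   # assumed value for the masked cookie


def demo() -> Optional[str]:
    live_sessions = {VICTIM_COOKIE}         # stands in for the server's session table
    return brute_force(OUR_COOKIES, live_sessions.__contains__)


if __name__ == "__main__":
    gap = find_gaps(OUR_COOKIES)[0]
    print("gap:", gap, "candidates:", sum(1 for _ in candidates(*gap)))
    print("recovered:", demo())
```

With 109 ms between the neighbours there are 110 candidates, a trivial number of requests; a 128-bit random ID would have no gap to exploit at all.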
2. Cookie Spoofing
With a "remember me" function the cookie is stored locally and, once the cookie has been checked, the user no longer has to enter a password. If that cookie is intercepted, an attacker can present it and bypass password verification entirely. The cookie is usually obtained through an XSS (cross-site scripting) attack.
3. Session fixation
The server relies on each user's unique session ID to decide whether a request is valid. If a user has logged in and is not required to re-authenticate, the same session ID is still accepted when he returns to the application. In some programs the session ID is passed in a GET request, and that is the starting point of the attack.
An attacker picks a session ID and sends the victim a hyperlink containing it, for example in a prepared e-mail that looks like an official message from the application's administrator. If the victim clicks the link and logs in to the system under the attacker-chosen ID, the attacker can access the application with that same ID, as the victim, without any authorization of his own.
WebGoat case
1. Add a spoofed link
<a href="http://192.168.19.128/WebGoat/attack?Screen=16&menu=1700&SID=ruo">Goat Hills Financial</a>
2. The victim clicks the link and logs in.
Jane/tarzan
3. Session theft
http://192.168.19.128/WebGoat/attack?Screen=16&menu=1700&SID=NOVALIDSESSION
Replace SID=NOVALIDSESSION with SID=ruo, the ID fixed in step 1, and the attacker is inside the victim's session.
PHP demo
Set php.ini to accept a PHPSESSID value passed in the GET request:
session.use_only_cookies = 0
session.use_trans_sid = 1
Or set the same options in code, before session_start() is called:
ini_set('session.use_only_cookies', 0); ini_set('session.use_trans_sid', 1);
Create the session page, which starts the session and stores a value in it:
Fixation.php
<?php session_start(); $_SESSION['username'] = 'ruo'; ?>
And a page that shows the $_SESSION value; without the right PHPSESSID an attacker cannot see the username:
show.php
<?php session_start(); if (isset($_SESSION['username'])) { echo $_SESSION['username']; } ?>
1. The attacker sends a spoofed link
<a href="http://www.ruos.org/Fixation.php?PHPSESSID=1234"></a>
When the victim opens the link, his session ID is set to 1234 and the session is created under that ID.
2. The attacker then presents the same PHPSESSID and picks up the session that was created:
http://www.bkjia.com/show.php?PHPSESSID=1234
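The WebGoat and PHP demos above are the same flaw: the server adopts a session ID the client chose and keeps it across login. The Python model below, an added example that is neither the page's PHP code nor WebGoat's, reproduces the vulnerable behaviour and the two fixes PHP offers for it, session.use_strict_mode=1 (refuse IDs the server never issued) and session_regenerate_id(true) after a successful login. The credentials jane/tarzan are the lesson's; the session store and password check are a constructed toy.

```python
import secrets
from typing import Dict, Optional

USERS = {"jane": "tarzan"}   # WebGoat lesson credentials; toy password check


class SessionStore:
    """Tiny model of server-side sessions with PHP-like session_start() semantics.

    accept_client_id=True mirrors session.use_only_cookies=0 without strict mode: any ID
    the client presents is adopted, even one the server never issued.
    regenerate_on_login=True mirrors session_regenerate_id(true) after login.
    """

    def __init__(self, accept_client_id: bool, regenerate_on_login: bool):
        self.accept_client_id = accept_client_id
        self.regenerate_on_login = regenerate_on_login
        self.sessions: Dict[str, dict] = {}

    def session_start(self, presented_id: Optional[str]) -> str:
        """Return the session ID the server will use for this request."""
        if presented_id and (self.accept_client_id or presented_id in self.sessions):
            sid = presented_id
        else:
            sid = secrets.token_hex(16)          # server-chosen and unpredictable
        self.sessions.setdefault(sid, {})
        return sid

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate; returns the session ID the client should use from now on."""
        if USERS.get(username) != password:
            return sid
        if self.regenerate_on_login:
            data = self.sessions.pop(sid)        # the old, possibly fixed, ID dies here
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["username"] = username
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("username")


def fixation_attack(store: SessionStore) -> Optional[str]:
    """Replay the page's scenario: the attacker fixes ID 1234 through a link, the victim
    logs in, then the attacker presents 1234 and asks who he is."""
    fixed_id = "1234"
    victim_sid = store.session_start(fixed_id)      # victim follows the link
    store.login(victim_sid, "jane", "tarzan")       # victim authenticates
    attacker_sid = store.session_start(fixed_id)    # attacker uses the same ID
    return store.whoami(attacker_sid)


def vulnerable() -> Optional[str]:
    return fixation_attack(SessionStore(accept_client_id=True, regenerate_on_login=False))


def regenerate_only() -> Optional[str]:
    return fixation_attack(SessionStore(accept_client_id=True, regenerate_on_login=True))


def hardened() -> Optional[str]:
    return fixation_attack(SessionStore(accept_client_id=False, regenerate_on_login=True))


if __name__ == "__main__":
    print("vulnerable:", vulnerable())
    print("regenerate on login:", regenerate_only())
    print("strict mode + regenerate:", hardened())
```

Either fix alone defeats the attack, and real deployments should use both: strict mode stops the server from honouring a never-issued ID, and regenerating on login means that even an ID the attacker obtained some other way is worthless once the victim authenticates. In PHP that is session.use_only_cookies=1, session.use_strict_mode=1 and session_regenerate_id(true) right after the password check.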
Back to DroidSheep: we send ourselves the intercepted data by e-mail (Export via email).
By deleting the cookies one at a time in Firebug we found that BDUSS is the authentication field; adding the intercepted BDUSS cookie to our own browser and refreshing logged us in as the victim.
Cookie: domain=baidu.com; path=/; BDUSS=VjZ0RiWjQ2aE1QbFkzM...(value masked)...DFRzP3RUZD
ARP spoofing is a mature LAN attack technique. Familiar tools such as Network Law Enforcement Officer and 360's roommate speed-limiting feature are mostly built on it.
The spoofing itself can be varied. Once the basic spoof is in place, the attacker forwards the victim's traffic onward (IP forwarding or NAT) so that the victim notices nothing, then sniffs the forwarded data to intercept usernames and passwords: a full man-in-the-middle attack.
ARP spoofing generates a lot of packets, is unstable and is easy to trace back; in that case DNS spoofing can be used instead to redirect the victim and inject malware.