Reasons for the formation of traffic hijacking

Source: Internet
Author: User
Tags: wpa2, hack

Traffic hijacking, an old attack that had been quiet for a while, has recently stirred up an uproar again. Many well-known router brands have been found to have security flaws, drawing coverage from domestic media. As long as the user has not changed the default password, merely opening a web page, or even a forum post, can get the router's configuration secretly modified. Overnight, the Internet seemed to become precarious.

Explanation of the formation of traffic hijacking

The attacks are still the same old attacks, and the reports are still the same boilerplate reminders from pundits, so everyone has grown numb. People have long been used to the various hijacks carried out by carriers and the frequent pop-up ads, and feel helpless about them. Since nobody has seen any loss in all these years, they turn a blind eye.

In fact, being hijacked only by a carrier is the lucky case. Compared with hackers hiding in the dark, carriers are public enterprises that still have to obey the law; advertising hijacks have no integrity, but they do have a bottom line. Moreover, letting you see the ads is itself a reminder that the current network is at risk of hijacking and that you should stay alert. Conversely, when everything seems calm without exception, a huge spy may be lurking in the network, waiting for you to take the bait, and that is no mere advertisement: it is after your money and your accounts!

Will I be hijacked?

Many people hold a mistaken view: only people with weak security awareness get compromised. As long as I install all kinds of professional firewalls, apply system patches promptly and use very complex passwords everywhere, hijacking will never be my turn.

It is true that security-conscious people are not easily compromised, but that holds only for traditional viruses and Trojans. In the face of traffic hijacking, almost everyone is equal. Network security differs from traditional system security: a network is a combination of many pieces of hardware, and the weakest-link effect is especially pronounced. Even with a god-like system, once you run into a pig-like device your security level drops instantly. Cheap routers are becoming more and more popular, and they carry all kinds of online-transaction traffic; can you use them with peace of mind?

Even if you believe that your system and devices are absolutely reliable, can you rest easy? In fact, problems with the devices themselves are not the main issue; the question is whether there is a defect in the bigger picture. There is, and it is the most important part of all: the network environment.

If a hacker is lurking in the network environment, even someone with professional skills will find it hard to escape. The enemy is in the dark while you are in the light, and a moment's inattention drops you into the trap.

Of course, flies do not bite a seamless egg. What pitfalls have opened cracks in your network environment? Too many to count; there have been countless attacks over the years, and you can even devise one yourself to fit the actual circumstances.

Let us now recall the hijacking cases of the past.

Ancient times: hub sniffing, MAC spoofing, MAC flooding, ARP attacks, DHCP phishing, DNS hijacking, CDN intrusion

Medieval: router weak passwords, router CSRF, PPPoE phishing, honeypot proxies

Industrial age: WiFi weak passwords, WiFi fake hotspots, WiFi forced disconnection, WLAN base-station phishing

Hub sniffing

Hubs have all but disappeared; even a decade ago few people used them. As an early network device, a hub's only function was to broadcast packets: whatever arrived on one interface was sent out on every interface. Never mind the pitifully small bandwidth; the forwarding rule alone is unreasonable. Anyone can receive the data of the entire network segment, and you can imagine what that means for privacy.


The sniffer became the top weapon of that era. Once a filter was configured, it did not take long to capture all kinds of plaintext data, and the user had no countermeasure at all.

Precautions: if you are still using one, throw it away.

The only remaining use for this device is bypass sniffing: its broadcast behaviour makes it easy to analyse the communication of other devices, for example capturing a set-top box's packets without affecting its normal communication.

MAC spoofing

The advent of the switch gradually eliminated the hub. A switch binds MAC addresses to interfaces, so a packet is ultimately delivered to only one terminal. In theory, then, configuring the MAC address of each interface in advance is safe.


Very few people do that, however; mostly out of laziness they use the device's default mode, automatic learning. When a packet arrives on an interface, the switch associates the packet's source address with that interface.

This kind of learning is not intelligent, even too rigid: any hearsay is taken as truth. Since it is trivial for a user to send a frame with a custom source MAC address, the switch is an easy object to fool. By forging a source address, one can associate that address with one's own interface and receive the victim's traffic.


However, as soon as the victim sends a packet, the binding is restored to normal. So whoever sends more frequently wins the right to receive for that MAC address. If the gateway's address is forged, the switch mistakenly believes the gateway cable is plugged into the attacker's interface, and all outbound traffic in the network segment instantly flows to him.

Of course, unless the attacker has another outbound channel through which to proxy the stolen data, the traffic is not relayed on to the real gateway he has defeated, and the hijacked users cannot reach the Internet. So the harm of this technique is limited, but its destructive power is strong: it can knock the whole segment offline in an instant.

Precautions: networks with fixed machines should bind MAC addresses to interfaces wherever possible. Most Internet cafés appear to bind MAC and interface, which greatly strengthens link-layer security. At the same time, partition separate subnets as much as possible to avoid overly large broadcast domains.

At university I saw thousands of machines with no VLAN division; a single short-circuit cable could take down the entire network.

MAC flooding

The forwarding difference between hub and switch was described above. If a switch sees a destination MAC address it has not yet learned, where does it send the packet? To avoid losing it, it can only broadcast to all interfaces.


If the switch's learning function can be disabled, it degrades into a hub. Because switch hardware is limited, it cannot hold an unlimited number of address-table entries. If someone keeps sending frames with non-repeating forged source addresses, the switch's table soon fills up and even overwrites the legitimately learned entries; users' packets can then no longer be forwarded correctly and are broadcast to all interfaces.


Precautions: again, bind MAC addresses to interfaces. Once bound, an interface only accepts a fixed source address and the forgery naturally fails. Better switches also have policies that prevent an interface from being associated with too many MAC addresses.

I once tried this at home, to capture the Internet traffic of users in my residential compound. But the forged frames were sent too fast, about 15 million packets per second, and worse, the destination address was wrong and they went to the metropolitan area network's access server, so the staff cut off the whole network for half a day ... So one has to pick a VLAN and use a real address as the target MAC, so as not to generate a huge data storm.
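Both the MAC spoofing and the MAC flooding sections above describe behaviour that shows up clearly in a switch's address-learning events: one MAC address bouncing between interfaces, and one interface sourcing far more addresses than a single host ever would. The following is an added example, not code from the original article: it runs the two checks over a constructed stream of (port, source MAC) learning events. The thresholds, the port numbers and the addresses are all assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed sample of a switch's MAC-learning events as (port, source MAC).
# Port 1 is where the gateway normally lives; port 3 keeps "stealing" its
# address; port 4 sprays 300 distinct source addresses (the flooding case).
LEARN_EVENTS = [
    (1, "00:11:22:33:44:01"),   # gateway learned on port 1
    (2, "00:11:22:33:44:02"),
    (3, "00:11:22:33:44:03"),
    (3, "00:11:22:33:44:01"),   # gateway MAC suddenly appears on port 3
    (1, "00:11:22:33:44:01"),   # gateway answers, binding moves back
    (3, "00:11:22:33:44:01"),   # ... and is taken again
    (1, "00:11:22:33:44:01"),
    (3, "00:11:22:33:44:01"),
] + [(4, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}") for i in range(300)]

FLAP_THRESHOLD = 3       # port changes for one MAC before we alert (assumption)
MAX_MACS_PER_PORT = 8    # port-security style limit for an access port (assumption)


def analyse(events, flap_threshold=FLAP_THRESHOLD, max_macs=MAX_MACS_PER_PORT):
    """Return (flapping, flooding).

    flapping: {mac: number of times it moved between ports}, for MACs that moved
              at least flap_threshold times (the spoofing tug-of-war).
    flooding: {port: distinct MAC count}, for ports exceeding max_macs
              (the table-exhaustion attack)."""
    last_port = {}
    moves = defaultdict(int)
    macs_per_port = defaultdict(set)
    for port, mac in events:
        macs_per_port[port].add(mac)
        if mac in last_port and last_port[mac] != port:
            moves[mac] += 1
        last_port[mac] = port
    flapping = {mac: n for mac, n in moves.items() if n >= flap_threshold}
    flooding = {p: len(s) for p, s in macs_per_port.items() if len(s) > max_macs}
    return flapping, flooding


if __name__ == "__main__":
    flapping, flooding = analyse(LEARN_EVENTS)
    for mac, n in flapping.items():
        print(f"MAC {mac} moved between ports {n} times: possible spoofing")
    for port, count in flooding.items():
        print(f"port {port} sourced {count} distinct MACs: possible flooding")
```

On a real switch the same two signals are what "sticky" MAC binding and a per-port address limit enforce automatically; the script is only useful where such features are absent and the learning table or its syslog messages can be exported.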

ARP attacks

Nearly everyone has heard of this attack until their ears grew calluses; even people who know nothing about computers install an ARP firewall, so you can imagine how harmful it is.

Simply put, ARP broadcasts a query for the MAC address corresponding to an IP, and the host owning that IP answers. Knowing the MAC address for the IP, the two can communicate at the link layer (which can only address by MAC). If someone answers first with a fake reply, the fake reply wins: the IP resolves to the wrong address and all communication is hijacked.


Early systems actually had a more serious bug: if an ARP reply was sent directly to a user, the system accepted it and stored the record even though it had never asked. This cache poisoning raised the hijacking success rate to a whole new level.


Precautions: this attack is so rampant that most routers can defend against ARP attacks. Client-side ARP firewalls are also numerous and seem to be standard in security software. The operating system also supports forced binding of IP to MAC, which can be used if necessary.

Many tutorials use Wireshark for demonstrations, but there is actually a very handy program called Iris, which lets you modify a packet and send it again; with it the principles of the various attacks are easy to understand. It has not been updated in years, though, and does not support 64-bit.
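The two weaknesses described above, a forged reply racing the genuine one and a reply accepted without any request, are exactly what a client-side ARP monitor looks for. Below is an added example, not code from the original article: it replays a constructed ARP capture and raises an alert for replies that answer no outstanding request and for an IP whose MAC differs from the recorded or statically bound one. The addresses and the frame sequence are constructed; the dataclass fields stand in for the ARP header fields of the same names.

```python
from dataclasses import dataclass

ZERO_MAC = "00:00:00:00:00:00"
# Constructed static binding, the kind the article suggests enforcing by hand.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"


@dataclass(frozen=True)
class ArpFrame:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


# Constructed capture: a normal exchange, one forged reply for the gateway's
# IP that nobody asked for, then another normal exchange.
CAPTURE = [
    ArpFrame("request", "192.168.1.20", "00:11:22:33:44:20", GATEWAY_IP, ZERO_MAC),
    ArpFrame("reply", GATEWAY_IP, GATEWAY_MAC, "192.168.1.20", "00:11:22:33:44:20"),
    ArpFrame("reply", GATEWAY_IP, "de:ad:be:ef:00:01", "192.168.1.20", "00:11:22:33:44:20"),
    ArpFrame("request", "192.168.1.21", "00:11:22:33:44:21", "192.168.1.30", ZERO_MAC),
    ArpFrame("reply", "192.168.1.30", "00:11:22:33:44:30", "192.168.1.21", "00:11:22:33:44:21"),
]


def analyse_arp(frames, static_bindings=None):
    """Return alert strings for two signals:
    - an unsolicited reply, i.e. one that answers no outstanding request
      (the cache-poisoning case the article describes);
    - an IP whose MAC differs from the previously recorded or statically
      bound one (the race between genuine and forged replies)."""
    known = dict(static_bindings or {})
    pending = set()      # IPs asked about and not yet answered
    alerts = []
    for f in frames:
        if f.op == "request":
            pending.add(f.target_ip)
            continue
        if f.sender_ip in pending:
            pending.discard(f.sender_ip)
        else:
            alerts.append(f"unsolicited reply: {f.sender_ip} is-at {f.sender_mac}")
        # Keep the first (or statically bound) MAC; never let a later reply overwrite it.
        recorded = known.setdefault(f.sender_ip, f.sender_mac)
        if recorded != f.sender_mac:
            alerts.append(f"{f.sender_ip} changed from {recorded} to {f.sender_mac}")
    return alerts


if __name__ == "__main__":
    for alert in analyse_arp(CAPTURE, {GATEWAY_IP: GATEWAY_MAC}):
        print(alert)
```

Both checks are heuristics: hosts legitimately re-announce their address with gratuitous ARP after an interface comes up, so a monitor in production should whitelist that pattern or only alert when the MAC also changes.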

DHCP phishing

In reality not everyone knows how to configure network parameters, or for convenience lets the system configure them automatically. The DHCP service was born for this purpose.

Without an IP address, gateway, DNS and so on, the network is unusable, so these must first be obtained from DHCP. But without an IP address, how does one communicate? Obviously only by sending to the broadcast address (255.255.255.255) while temporarily using an invalid source address (0.0.0.0). (At the link layer a MAC address is enough for communication; the IP address belongs to the network layer, but DHCP uses UDP for some special needs.)

Because the request is broadcast, every user on the intranet can hear it. If there is more than one DHCP server, each replies separately and the user takes the first reply. The rules are that simple; the user has no choice.

If a hacker also runs a DHCP service on the intranet, the reply the user receives may well be the hacker's, and the user's network configuration is then entirely at his mercy; avoiding hijacking becomes difficult.

Precautions: if you are on a wired connection, it is best to configure manually. Administrators, of course, should strictly control who may send DHCP replies, allowing only specific switch interfaces to send them.

Any protocol that follows this question/answer pattern faces the risk of impersonation. Many principles are similar.

DNS hijacking

Just as ARP resolves an IP to a MAC address, DNS resolves a domain name to an IP address. As a network-layer service facing a far wider range of users, its risk is naturally much greater: once compromised, every user suffers. The major network accidents of recent years are all related to DNS.

Once a DNS service is controlled by hackers, every domain resolution initiated by users is secretly manipulated. A normal website resolves to the IP of the hacker's server, where an HTTP proxy has been opened in advance; users hardly notice any flaw while browsing, while the hacker obtains all the traffic and the account information of every website passes through unobstructed.

Because of their importance, DNS servers usually have a high level of protection and their systems are not easy to break into. But reality is not always so ideal: some DNS software has design flaws that let hackers control where certain domain names point. The most notorious of these is DNS cache poisoning.

You may have noticed that the chain domain name -> IP -> MAC -> interface gains one more link whenever a dynamic lookup is involved, and the risk naturally increases. Flexibility and security never come together.

Precautions: manually configuring some authoritative DNS servers, for example 8.8.8.8 and 4.4.4.4, is more reliable.

DNS hijacking on the public Internet is rare, but DNS hijacking of home routers is rampant. The router vulnerability reported at the start of this article was ultimately exploited by modifying the DNS address.
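Since the router's DNS setting is the value that gets silently changed, the practical defence is to snapshot the router's configuration once it is set up and periodically compare it, with special attention to every resolver field. The following is an added example, not code from the original article: it parses two constructed key=value dumps (a baseline and a later export), reports every changed key, and flags resolver settings that point anywhere other than the resolvers the owner chose. The dump format, the key names and the expected-resolver list are assumptions; real routers export their settings differently.

```python
import ipaddress
import re

# The resolvers the owner configured by hand (constructed for this example).
EXPECTED_DNS = {"8.8.8.8", "8.8.4.4"}

# Baseline saved right after setup, and a later export of the same settings.
# Both are constructed; 203.0.113.53 is a documentation-range address standing
# in for an attacker-controlled resolver.
BASELINE_DUMP = """\
wan_proto=pppoe
wan_dns1=8.8.8.8
wan_dns2=8.8.4.4
lan_ipaddr=192.168.1.1
lan_dhcp_dns=192.168.1.1
"""

CURRENT_DUMP = """\
wan_proto=pppoe
wan_dns1=8.8.8.8
wan_dns2=203.0.113.53
lan_ipaddr=192.168.1.1
lan_dhcp_dns=203.0.113.53
"""


def parse_dump(text):
    """Parse key=value lines into a dict, ignoring blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def diff_config(baseline, current):
    """Keys whose value changed, appeared or disappeared since the baseline."""
    changes = {}
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            changes[key] = (baseline.get(key), current.get(key))
    return changes


def check_dns(cfg, expected=EXPECTED_DNS):
    """Flag resolver settings that point anywhere other than the expected servers."""
    findings = []
    lan_ip = cfg.get("lan_ipaddr", "")
    dns_keys = sorted(k for k in cfg if re.fullmatch(r"wan_dns\d", k))
    for key in dns_keys + ["lan_dhcp_dns"]:
        value = cfg.get(key)
        if value is None:
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"{key}: unparseable address {value!r}")
            continue
        # The resolver handed out by DHCP may legitimately be the router itself.
        if key == "lan_dhcp_dns" and value == lan_ip:
            continue
        if value not in expected:
            findings.append(f"{key}: {value} is not an expected resolver")
    return findings


def audit(baseline_text, current_text):
    baseline, current = parse_dump(baseline_text), parse_dump(current_text)
    return diff_config(baseline, current), check_dns(current)


if __name__ == "__main__":
    changes, findings = audit(BASELINE_DUMP, CURRENT_DUMP)
    for key, (old, new) in changes.items():
        print(f"changed: {key}: {old!r} -> {new!r}")
    for finding in findings:
        print("finding:", finding)
```

The diff catches any tampering, DNS or otherwise, while the resolver check catches the specific case even when no baseline was saved; run both after every firmware update, since the baseline must then be re-taken.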

CDN intrusion

Everyone knows a CDN speeds things up, but many are unclear about the principle. In fact, a CDN is itself a kind of DNS hijacking, only a benign one.

Unlike a hacker forcing DNS to resolve a domain name to his own phishing IP, a CDN has DNS cooperate actively, resolving the domain to a nearby server. That server also runs an HTTP proxy, so the user does not feel the CDN is there.

A CDN is not as greedy as a hacker, however; rather than hijacking all of the user's traffic, it only "hijacks" access to static resources. For resources that have been fetched before, the CDN serves them directly from its local cache, which greatly improves speed.

But wherever there is a cache there is an opportunity. Once a CDN server is compromised, the cached files on its disk are in jeopardy: web pages get scripts injected, executables get infected, and a large wave of zombies follows.

Precautions: if you feel your carrier is unreliable, switch to a third-party DNS without acceleration, so that you may not be resolved to the CDN server at all.

Many CDNs are careless: to save traffic they do not follow the rules, keep serving content past its cache time, and even ignore everything after the question mark in the URL, leaving programmers endlessly frustrated when updating resources.

Router weak passwords

As computer prices fell again and again and everyone was about to buy a second machine, the router market took off.

But because configuration is cumbersome and the user experience poor, quite a few users still do not understand how to configure a router. 192.168.1.1 and admin/admin are almost constants for domestic routers. Many times I have entered the router back end of an Internet café or library with this method, which requires no technique at all.

If someone plays a prank with your routing or throttles others' speed, you should thank him for his kindness; that is not serious. If he changes the router's DNS, that is quite serious! Public DNS hijacks generally do not last long, but a router's DNS hijack may go unnoticed for years.

In fact, some security-conscious users also use the default password. The reason is simple: today's routers have two thresholds, the WiFi connection password and the management password. Many people set a complex WiFi password and relax: if you cannot even get onto my network, how could you get into the back end?

I used to think this way too, but something always felt wrong: what if another computer or phone in the house is infected and automatically tries weak passwords to break into the router's back end? Once the gate is occupied, strong walls are useless.

Beyond modifying the DNS configuration, hackers have a more horrifying option: upgrading the router's firmware, replacing it with a seemingly identical firmware that has a malicious program embedded. This is not yet popular, but once it is, large numbers of routers will become Pandora's boxes.

Precautions: do not underestimate the router password; it is in fact more important than all your account passwords combined.

If you do not change the default password, even God cannot bless you ~

Router CSRF

Back to the start of this article: why do so many routers have this vulnerability? Perhaps the router developers overestimated users, assuming that the vast majority had changed the default password, so that CSRF could hardly be exploited.

In fact, the security awareness of domestic netizens is far below what they imagine. Add to that what was just said: setting only the WiFi password and ignoring the admin password lets a malicious program sneak into the router's back end.

I did not expect that such a virus would actually appear, and incredibly as a web version!

The CSRF flaw makes a virus or Trojan unnecessary. The user merely visits a web page, or even a forum post, and the browser automatically sends a request to the router that modifies its configuration.

Because the web interfaces of domestic routers are so poorly made, login is basically done with the unsafe and ugly HTTP 401 prompt. This kind of login is passed automatically just by putting "username:password@" in the URL, and there is not even a hint when login fails.

Precautions: guard the router password carefully and periodically check whether the configuration has been tampered with.

Reading the source of a router's pages reveals they are simply miserable, in the style of the IE5 era. Router chips are bought in and the kernel is open source, so does the so-called "independent research and development" amount to those few pages?
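The root cause the section describes is that the router accepts a configuration change on the strength of the Authorization header alone, which the browser attaches for it. As an added example, not code from the original article or from any router vendor, the following contrasts that weak authorization routine with the checks a hardened router web interface would add: state changes only over POST, a same-origin Origin/Referer, and a per-session anti-CSRF token that a foreign page cannot read. Requests are modelled as plain dicts with lower-cased header names; the router host comes from the article, while the request contents are constructed.

```python
import base64
import hmac
import secrets
from urllib.parse import urlsplit

# The router's own address, as given in the article.
ROUTER_HOST = "192.168.1.1"
# The default credential the article cites, encoded as the browser sends it in
# the Authorization header after a 401 challenge or a "user:password@" URL.
BASIC_ADMIN = "Basic " + base64.b64encode(b"admin:admin").decode()


def weak_authorize(request):
    """The pattern the article criticises: only HTTP basic auth is checked.
    Because the browser attaches the header itself, a request triggered by a
    third-party page looks identical to the owner's own click."""
    return request.get("authorization") == BASIC_ADMIN


def hardened_authorize(request, session_token):
    """Same credential check plus the controls that defeat cross-site requests."""
    if not weak_authorize(request):
        return False, "not authenticated"
    if request.get("method", "GET") != "POST":
        return False, "configuration changes must use POST"
    origin = request.get("origin") or request.get("referer")
    if not origin or urlsplit(origin).hostname != ROUTER_HOST:
        return False, "cross-site origin"
    token = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, session_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def new_session_token():
    """Unpredictable per-session token, embedded only in the router's own forms."""
    return secrets.token_urlsafe(32)


# Constructed requests as the router would see them.
TOKEN = new_session_token()
FORGED_GET = {                 # caused by a URL embedded in a foreign page
    "method": "GET", "authorization": BASIC_ADMIN,
    "referer": "http://forum.example/post/123",
    "form": {"wan_dns1": "203.0.113.53"},
}
FORGED_POST = {                # auto-submitted form on a foreign page
    "method": "POST", "authorization": BASIC_ADMIN,
    "origin": "http://forum.example",
    "form": {"wan_dns1": "203.0.113.53", "csrf_token": "guess"},
}
OWNER_POST = {                 # submitted from the router's own page
    "method": "POST", "authorization": BASIC_ADMIN,
    "origin": f"http://{ROUTER_HOST}",
    "form": {"wan_dns1": "8.8.8.8", "csrf_token": TOKEN},
}

if __name__ == "__main__":
    for name, req in [("forged GET", FORGED_GET), ("forged POST", FORGED_POST), ("owner POST", OWNER_POST)]:
        print(f"{name}: weak={weak_authorize(req)} hardened={hardened_authorize(req, TOKEN)}")
```

Note that the weak routine accepts all three requests, since each carries the default credential; only the hardened one distinguishes the owner's click from the forged ones. Changing the default password stops the forged requests too, but the token check is what protects users who never do.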

PPPoE phishing

Enough complaining about routers; next we discuss things that even an advanced router cannot avoid.

Apart from some large companies or schools with fixed-line access, individuals and small organisations rarely use such tycoon-level packages; they can only dial up honestly, whether with Telecom or with Netcom's various broadband offerings.

Many people misunderstand dialing as establishing a physical signal, as if there were no point-to-point link without it. If that were so, how would the account password get through while dialing? Clearly not. In fact the link to the terminal is open the whole time; without dialing you simply cannot obtain an IP, gateway, session and other parameters. Even if you force packets to the gateway, and it can receive them, it ignores them because there is no authenticated session, so naturally you cannot access the Internet.

PPPoE is a word people often see when dialing. Point-to-Point Protocol over Ethernet, as the name says, is a point-to-point protocol: the user sends account and password to the terminal (BRAS) for authentication and receives an Internet IP, gateway address, session and so on. And the protocol runs over Ethernet; even where the line is not Ethernet, a way must be found to encapsulate the data in it.

Traditional ADSL reaches the Internet over the telephone line, so a "modem" is needed to turn Ethernet data into a telephone signal, which is finally carried through the telecom switch. This equipment keeps each household independent, so the telephone signal cannot be tapped.

However, the various broadband services that rose later are not necessarily so. Many so-called "gigabit to the building, 100 Mbps to the home" offerings build n residential-compound LANs and merge them into a large metropolitan area network (MAN). The so-called "100 Mbps" is nothing more than the network cable into your home being plugged into a 100 Mbps switch downstairs.

Netcom users know that the 100 Mbps bandwidth is not that fast, and in some southern areas it is as slow as a snail. But downloads can easily soar to several megabytes per second. This is where the LAN comes into play: if many people nearby watch the same video, the peer-to-peer network shares the traffic directly, greatly reducing the pressure on the node.

However, an entire compound turned into one LAN is terribly insecure. Sometimes the VLANs are even partitioned unreasonably, so that multiple compounds become one intranet. If someone turns on a DHCP service, other users can simply plug in and get online without even dialing. A free lunch falling from the sky? If you dare to eat it, you may fall into a hacker's trap.

Of course, few people plug the cable directly into a computer nowadays; the router basically dials automatically. But the protocol is the same, PPPoE, a very insecure protocol.

Like DHCP, PPPoE broadcasts to discover which terminals are available, which means every user on the intranet of the whole area can receive it, while the discovery packet bubbles upward until it reaches the metropolitan terminal, which then begins to respond.

If someone in the compound privately runs a PPPoE terminal service, it obviously gets to respond first. While the genuine response is still on its way through the streets, the user and the hacker have already begun negotiating authentication.

But perhaps you will say the victim has to dial to take the bait, and with routers nowadays nobody disconnects for ages. For the impatient there is a very simple method: make everyone drop the line.

As mentioned, a short-circuit cable can trigger a broadcast storm, but that is too violent and may even trigger abnormal-traffic alarms. A simpler and more effective method is MAC spoofing: by constantly forging the terminal server's MAC address, the packets of all the compound's users can be sucked over.

PPPoE is a tunnelling method that encapsulates all data beneath its own layer, so capturing a user's packet yields the session ID in the PPPoE header. Impersonating the terminal, one then sends a "disconnect" instruction to the user, who obediently goes offline. In this way the whole compound can be made to re-dial within minutes, and the phishing is quick.

Worse, PPPoE transmits the user name and password in plaintext most of the time, so the user's authentication account can be obtained as well.

The university dormitory building I complained about earlier, with over 1000 machines and no VLAN division: I wrote a simple PPPoE simulator there and could easily capture the Internet accounts of the whole network. (It also supported one-click dialing for everyone and a collective-disconnect prank function ~)

Precautions: because PPPoE's security relies heavily on the physical layer, try not to install Ethernet-based broadband access. Administrators, of course, should strictly restrict PPPoE discovery replies, just as with DHCP, allowing them to appear only on specific interfaces. A BRAS server cannot be inside the compound, so allowing reply packets only from the switch's WAN port makes phishing much harder.

PPPoE has a more serious bug: the session ID is only 2 bytes, so there are at most 65536 possibilities. Construct a "disconnect" request beforehand and then iterate through the session IDs in order, and all users of a terminal server can be taken offline. With all terminal server addresses collected in advance, one could knock an entire city offline.

This bug should have been fixed by now; binding the <session ID, user MAC, compound VLAN ID> relationship suffices. And that a small script could take down the network of several counties and cities shows that terminal deployment should not be too centralised.
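The DHCP phishing section and the PPPoE precautions above prescribe the same control: server-side replies (DHCP OFFER/ACK, PPPoE PADO/PADS) may only enter from the uplink interface, because the client otherwise accepts whichever reply arrives first. The following is an added example, not code from the original article: it models that snooping-style filter over a constructed sequence of frames from both protocols and shows which server the client ends up with, with and without the filter. Port names, addresses and the frame order are constructed; the message names are the real DHCP and PPPoE discovery-stage message types.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ingress_port: str   # switch port the frame arrived on
    proto: str          # "dhcp" or "pppoe"
    msg: str            # DHCP: DISCOVER/OFFER/REQUEST/ACK; PPPoE: PADI/PADO/PADR/PADS
    src_mac: str


# Messages only a server sends. A legitimate DHCP server or BRAS is never
# behind an access port, so these are only acceptable from trusted ports.
SERVER_MESSAGES = {
    "dhcp": {"OFFER", "ACK", "NAK"},
    "pppoe": {"PADO", "PADS"},
}

# Constructed: the single port facing the real DHCP server / BRAS.
UPLINK_PORTS = {"Gi0/24"}

# Constructed capture: the rogue hosts on Gi0/7 and Gi0/9 are closer than the
# real servers, so their replies arrive first.
CAPTURE = [
    Frame("Gi0/5", "dhcp", "DISCOVER", "00:11:22:33:44:05"),
    Frame("Gi0/7", "dhcp", "OFFER", "de:ad:be:ef:00:07"),
    Frame("Gi0/24", "dhcp", "OFFER", "00:11:22:33:44:fe"),
    Frame("Gi0/5", "pppoe", "PADI", "00:11:22:33:44:05"),
    Frame("Gi0/9", "pppoe", "PADO", "de:ad:be:ef:00:09"),
    Frame("Gi0/24", "pppoe", "PADO", "00:11:22:33:44:ff"),
]


def filter_replies(frames, trusted_ports):
    """Drop server-side messages that arrive on untrusted ports.
    Returns (forwarded frames, [(dropped frame, reason), ...])."""
    forwarded, dropped = [], []
    for f in frames:
        if f.msg in SERVER_MESSAGES.get(f.proto, ()) and f.ingress_port not in trusted_ports:
            dropped.append((f, f"{f.proto} {f.msg} from untrusted port {f.ingress_port}"))
        else:
            forwarded.append(f)
    return forwarded, dropped


def client_choice(frames, proto, trusted_ports=None):
    """Which server the client ends up talking to: the first reply wins, as the
    article describes. With trusted_ports set, the switch filter runs first."""
    if trusted_ports is not None:
        frames, _ = filter_replies(frames, trusted_ports)
    for f in frames:
        if f.proto == proto and f.msg in SERVER_MESSAGES[proto]:
            return f.src_mac
    return None


if __name__ == "__main__":
    for proto in ("dhcp", "pppoe"):
        print(f"{proto}: unfiltered -> {client_choice(CAPTURE, proto)}, "
              f"filtered -> {client_choice(CAPTURE, proto, UPLINK_PORTS)}")
    for frame, reason in filter_replies(CAPTURE, UPLINK_PORTS)[1]:
        print("dropped:", reason, "src", frame.src_mac)
```

Managed switches implement this as DHCP snooping (with trusted ports) and, for PPPoE, as PPPoE Intermediate Agent or a plain filter on the discovery EtherType; the dropped-frame log is also the cleanest evidence that someone in the segment is running a rogue server.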

Honeypot proxies

For well-known reasons, demand for proxies in a certain country remains high. Whether black or white, transparent or highly anonymous, as long as it gets out it is good.

A VPN requires a user name, password and various authentication, so hijacking it midway is almost impossible. Hackers exploit people's naivety and turn their eyes to the proxies themselves. It is true that encrypted data is hard to hijack midway, but the service end still has to restore the real content. A moment's carelessness, connecting to a free VPN, may put you aboard the hacker's pirate ship.

Compared with an HTTP proxy, which affects only part of the functionality, a VPN pushes the entire system's traffic through it. All the applications are unaware and keep sending important data out, which is eventually hijacked by the hacker.

Precautions: do not be tempted by small gains and use proxies offered under the guise of "free". There is no free lunch.

Many honeypot proxies may not be run by hackers, but you understand.

WiFi weak passwords

When the Internet extended to mobile devices, the network cable became the biggest nuisance, and wireless gradually entered people's view. Today, because wireless is cheap and convenient, almost all devices use it. Nothing is tied down any more: people can go online at any time, which was unimaginable in the past, and hackers can launch attacks anytime and anywhere, which was the dream of the past.

But however the Internet changes, Ethernet is always its core. With ADSL, as just said, the carrier is the telephone line but the demodulated result is still Ethernet data. WiFi is the same: however the radio waves propagate, only standard Ethernet packets can be restored and routed in the end.

A wireless network is the same as an invisible giant hub: without any physical medium, everyone nearby can listen to the signal, and professional equipment can capture it from even farther away. Without strong encryption encapsulating the data, there is no privacy at all.

After several encryption schemes were broken, WPA2 is now the standard encryption for wireless networks. Trying weak passwords one by one through the traditional connection prompt would be hopelessly inefficient.

Unlike dialing, WiFi users first need to "associate" with the hotspot to establish the physical channel. Like PPPoE, WiFi can communicate before authentication, in plaintext, but here only the authentication packets are plaintext and the real password obviously does not appear in them. The purposes are, after all, completely different: WiFi encrypts all traffic afterwards, whereas dialing only decides whether you may access the Internet.

These handshake packets are easily captured with traditional sniffing tools. Although the password is not in them, the data related to key initialisation is. With a professional WPA2 cracking tool plus a rich password dictionary, a significant portion of wireless networks can be cracked in acceptable time.

For many people the wireless password is their first and only line of defence. Once connected, one can usually walk straight into the router's back end and then control all of their intranet traffic.

Precautions: the simplest and most effective method is to add some special symbols to your password.

If someone flashes a firmware onto his router that automatically cracks other wireless networks, automatically enters their back ends after cracking and automatically upgrades them to its own firmware ... an avalanche of router Trojans would break out.

WiFi hotspot phishing

The above briefly covered cracking the wireless password. But how is an intrusion launched when the password is already known?

Such occasions are very common: in shopping malls, restaurants, hotels and so on, even if the wireless network has a password, it can generally be found on the wall or on a card, in a semi-public state. Or the neighbour's wireless password has been cracked but the router's back end cannot be entered; how to continue?

Today's increasingly intelligent wireless devices can already defend against primitive intrusions such as MAC spoofing and ARP attacks, so a more advanced and covert way is needed that bypasses the network devices and launches a point-to-point attack directly.

Users of the wireless network in a large company or shopping mall will notice that the network is everywhere in the building, with a full signal even from the first floor to the fifth, whereas at home the signal drops sharply across a partition wall. Is it an especially powerful hotspot? Yet outside the building it cannot be received. Look up and you will find many dish-like things stuck to the ceiling of each floor. Yes, it is these devices, distributed throughout the building, that cover the whole floor with wireless and leave few dead spots.

But with so many hotspots there are few in the search list. Because they all have the same hotspot name (SSID), the client typically merges same-named hotspots into one. When connecting, the system chooses the one with the best signal; if these hotspots authenticate the same way, it does not matter which.

It is not hard to see what can be done with this: it is natural ground for phishing! Open a fake hotspot with the same name, and as long as its signal overwhelms the others, the nearby fish are duly caught.

Hardly any client has a defence at this point, whether in a mall, a coffee shop or even a big company. The reason is simple: the problem lies neither in the devices nor in the deployment, and it cannot be blamed on the user. It is a weakness of the whole protocol stack.

The only material needed for this attack is a high-power hotspot, to overwhelm the normal ones and become the signal source the user "trusts most".

In fact, every hotspot constantly broadcasts a packet called a Beacon containing the hotspot name and other information. After the user's network card collects and analyses these, it knows what hotspots are nearby and how strong each signal is. The signal strength (RSSI) of a high-power hotspot is naturally higher when the user receives it.

Of course, too strong a signal source may arouse the vigilance of monitoring, and one is also placed in heavy radiation. A directional antenna works better if only one sector needs to be covered.

But transmitting power alone is not enough. Even if the Beacon can be pushed dozens of kilometres away so the whole city sees your hotspot name, the connecting devices cannot transmit back with such a strong signal. Without a highly sensitive receiving system, the strong signal is just wishful thinking.

Precautions: this hijack is often hard to defend against because it is an underlying flaw. In theory, hotspots are usually fixed, so the 3D coordinates of each hotspot can be recorded in advance and its location monitored via WiFi positioning; if a hotspot's signal appears to come from somewhere other than its recorded place, it is probably a fake signal from a phishing hotspot.

In reality, though, tracking so many devices at once is not easy. Only if all wireless devices came with the ability to monitor nearby hotspots could a lot of tracking cost be saved.
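The precaution above, recording where each legitimate hotspot is and watching for a same-named signal that comes from somewhere else, can be approximated without full WiFi positioning by keeping an inventory of the BSSIDs that are allowed to advertise each SSID and noting which fixed sensor should hear each one loudest. The following is an added example, not code from the original article: it runs that check over a constructed beacon capture from two sensors and also marks a new radio whose signal is far stronger than any legitimate AP, the tell-tale of the high-power hotspot the section describes. The inventory, sensor names, addresses and RSSI values are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address of the transmitting radio
    channel: int
    rssi: int       # signal strength in dBm as seen by the sensor
    sensor: str     # fixed monitoring point that captured the frame


# Constructed inventory of legitimate APs: for each SSID, the allowed BSSIDs and
# the sensor that should hear each one loudest (a coarse stand-in for the
# recorded location the article proposes).
INVENTORY = {
    "Corp-WiFi": {
        "a0:00:00:00:00:01": "floor1",
        "a0:00:00:00:00:02": "floor2",
    },
}

# Constructed captures from two sensors.
CAPTURE = [
    Beacon("Corp-WiFi", "a0:00:00:00:00:01", 1, -45, "floor1"),
    Beacon("Corp-WiFi", "a0:00:00:00:00:01", 1, -72, "floor2"),
    Beacon("Corp-WiFi", "a0:00:00:00:00:02", 6, -48, "floor2"),
    Beacon("Corp-WiFi", "a0:00:00:00:00:02", 6, -30, "floor1"),   # known BSSID, wrong place
    Beacon("Corp-WiFi", "de:ad:be:ef:00:01", 1, -10, "floor1"),   # unknown radio, very loud
    Beacon("Neighbour", "b0:00:00:00:00:09", 11, -80, "floor1"),  # not one of our SSIDs
]


def strongest_per_bssid(beacons):
    """Keep, for each radio, the observation with the highest RSSI."""
    best = {}
    for b in beacons:
        if b.bssid not in best or b.rssi > best[b.bssid].rssi:
            best[b.bssid] = b
    return best


def detect_rogue(beacons, inventory, power_margin=15):
    """Alert on radios advertising one of our SSIDs that are not in the
    inventory, or that are heard loudest somewhere they should not be."""
    alerts = []
    best = strongest_per_bssid(beacons)
    legit_rssi = [b.rssi for b in best.values()
                  if b.ssid in inventory and b.bssid in inventory[b.ssid]]
    loudest_legit = max(legit_rssi) if legit_rssi else -100
    for bssid, b in sorted(best.items()):
        known = inventory.get(b.ssid)
        if known is None:
            continue                      # someone else's network
        if bssid not in known:
            note = (" (far stronger than any legitimate AP)"
                    if b.rssi - loudest_legit >= power_margin else "")
            alerts.append(f"unknown BSSID {bssid} advertising {b.ssid} on ch {b.channel}, "
                          f"{b.rssi} dBm at {b.sensor}{note}")
        elif known[bssid] != b.sensor:
            alerts.append(f"{bssid} heard loudest at {b.sensor}, expected {known[bssid]}: "
                          "moved or spoofed")
    return alerts


if __name__ == "__main__":
    for alert in detect_rogue(CAPTURE, INVENTORY):
        print(alert)
```

The second alert (a known BSSID in the wrong place) matters because a fake hotspot may copy a real BSSID as well as the SSID; the sensor-based location check still catches it, whereas an inventory of BSSIDs alone would not.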

In high-security settings, "access authentication" is used instead: after connecting, a user name and password are required before access is granted.

After the user successfully connects to WiFi and the network status changes, some systems request a specific URL, and if the response is an HTTP 302 they automatically pop up the redirected page. The purpose is to make opening web-based access convenient; this is why CMCC, for example, automatically pops up a login page. iPhone, iPad and WP support it; the latest version of macOS will not execute scripts in the pop-up page. This leftover feature should be very good for serving ads ~

WiFi forced disconnection

Have to say another drawback of WiFi--be offline. Like PPPoE active or passive disconnect dial when there is a logoff package, WiFi is the same.

Previously mentioned, traversing the session ID of PPPoE, impersonating all users to issue a logout request, you can disconnect the entire city network. WiFi also has a similar flaw, but just the reverse: Impersonate a hotspot, to all users broadcast the cancellation package, so all the users attached to the hotspot are offline.

However, the WiFi is only the offline authentication is cancelled, users and hotspots are still related. The user then re-initiates the authentication, thus giving the hacker a chance to get the handshake data.

If the broadcast keeps going, the user cannot get online at all and the screen keeps flashing "connected... / disconnected". The victim may try restarting the router, find that the problem persists on every device, conclude that the router is broken, and then try restoring the factory settings. At that moment the danger has arrived!

Given the style of domestic routers, the factory WiFi has no password and the admin backend is basically a weak password. So there is a very short security window in which this device can be entered and its network taken over! With a script prepared in advance that connects and brute-forces the backend as soon as an open hotspot appears, it can even be done in one go. The victim has only just reset the router and has not yet got back to the computer, and it is already hijacked; no surprise there...

Of course, to stop him from getting into the router and setting a password, you must immediately hide the SSID so that the Beacon is no longer sent and nobody can see the device; it can then only be reached via the BSSID (the router's MAC address). But the victim will wonder why the freshly reset router cannot be seen. So a phishing hotspot has to be set up in advance whose name matches the now-hidden SSID, luring the victim into your honeypot.

In this honeypot, open a site that looks like the router's page (you can simply reverse-proxy his real router page) to stall the user, so that you have enough time to operate the hidden real device. You can even replace his firmware!

Of course, some devices don't let you update the firmware so easily; you need to enter a number printed on the router, or press a physical button to start. Then the honeypot site has to play its part: draw a text box on the page prompting him to enter the number on the router, or simply ask him to press the button. Because the router backend looks so professional, few people question its authority, and almost everyone follows along step by step.

In fact, your honeypot stays online the whole time, and the victim will certainly configure the WiFi password and the admin password there, along with the PPPoE account. So all of his internet secrets are under your control! Even if you never touch his router it doesn't matter; you can get in at any time in the future.

Precautions: Do not casually restore a router's factory settings. When it is really necessary, be careful and get rid of the default password as soon as possible. Even with no hacker nearby, some infected device may connect and brute-force the backend.
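The forced-disconnection symptom above (everyone flashing between connected and disconnected) is visible on the air as a burst of deauthentication frames. As an added example, not from the original article, here is a sliding-window detector run over a constructed monitor-mode log; the line format `<epoch> <subtype> <bssid> <dst>` and the sample frames are assumptions.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_frame(line):
    """Parse one constructed log line: '<epoch> <subtype> <bssid> <dst>'."""
    ts, subtype, bssid, dst = line.split()
    return float(ts), subtype.lower(), bssid.lower(), dst.lower()


def deauth_flood_alerts(lines, window_s=1.0, threshold=10):
    """Alert once per BSSID that sends >= threshold deauth/disassoc frames within window_s.

    A single deauth is normal (idle timeout, roaming). A real AP almost never
    deauthenticates everyone at once, so the broadcast count is reported too.
    """
    recent = defaultdict(deque)   # bssid -> (timestamp, dst) of recent deauth frames
    alerted = set()
    alerts = []
    for line in lines:
        ts, subtype, bssid, dst = parse_frame(line)
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[bssid]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:   # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            broadcast = sum(1 for _, d in q if d == BROADCAST)
            alerts.append({"bssid": bssid, "start": q[0][0],
                           "count": len(q), "broadcast": broadcast})
    return alerts


# Constructed sample: normal traffic with one legitimate deauth from the real AP,
# then twelve broadcast deauths within 0.11 s using a second BSSID.
SAMPLE_LOG = (
    ["1396000000.00 beacon 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff",
     "1396000000.50 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:01"]
    + [f"1396000010.{i:02d} deauth 66:77:88:99:aa:bb ff:ff:ff:ff:ff:ff" for i in range(12)]
)
```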

Does this count as a trick? With a little psychology or social engineering, a loophole that was not very serious to begin with can be magnified many times over.

WLAN Base Station Phishing

The hotspot phishing described above can only be carried out under specific conditions. Hijacking KFC's customers only works near the KFC, and invading a home router only works near that home. This greatly limits the scope of the attack and loses the flexibility of wireless networks entirely.

However, there is one network you can receive wherever you go. Turn on your phone and hotspots like CMCC are always there, like ghosts. Today the WLAN business is everywhere, almost nationwide. It supports higher frequency bands and is backwards compatible with WiFi, with devices all over the city trying to build a wireless metropolitan area network. The only regret is that it is paid, and the signal is mediocre, far less practical than 3G.

Sometimes we do not connect to these hotspots ourselves, yet the system connects automatically. The reason is simple: at some point you gave in to the itch and connected. The system saves any hotspot you have used and reconnects automatically whenever it reappears. In fact, quite a few people have connected to these hotspots at some point.

Needless to say, you would want to run hotspot phishing here too. And since users are basically connecting over WiFi, no special WLAN equipment is needed. Use the high-power hotspot from before, name it CMCC, put it on the balcony facing the street, and a bunch of users will connect. If virtual APs are supported, use all the names like CMCC-AUTO and ChinaNet as well, and even more visitors will come.

As mentioned above, many devices automatically pop up a web page after connecting to WiFi, and with this feature phishing is even easier. To save data, most phone systems prefer WiFi whenever WiFi and 3G are both available, so the user's traffic flows unknowingly to the hacker.

In fact, the whole phishing package can be integrated into Android. Use the phone's own hotspot to attract nearby users, and send the captured traffic out through your own 3G network as a proxy. With the powerful forwarding mechanism of the Linux kernel, all of the user's traffic can easily be controlled. Don't laugh at the people in the street playing with their phones; they might be hijacking you.

However, in some places, such as on the subway, the 3G signal is very poor and it is hard to forward the data received by the hotspot, so you can only phish, not hijack. Can this stand-alone mode still achieve an intrusion? The next article will describe how to carry out offline phishing.

Precautions: Turn WiFi off when it is not in use, so that it does not automatically connect to unsafe hotspots. Saved connections that have gone unused for a long time are best deleted.

An Android hotspot supports only 10 users by default; open a hotspot called CMCC in the street and you will find it fills up instantly. So a notebook is still the better kit, with a few good wireless cards, and it is better hidden too. High-power antennas are great fun, but don't overdo it, or one day someone might come round to "check the water meter" ~

End

That is all for now; these are just a few examples that have been tried before. In truth, the internal tricks of the system are too many to count. But however they vary, the final use of traffic hijacking is almost identical: what can be done with it? How great is the ultimate harm? Wait for the next instalment.

Reproduced from: http://netsecurity.51cto.com/art/201404/435699_all.htm
