Penetration Testing with Smartphones Part 2: Session Hi-Jacking & ARP Spoofing
In the first part of this series “Penetration Testing with Smartphones Part 1” we covered several network and vulnerability scanning applications that can be run from a smartphone. In this section we will be covering some additional tools for Wi-Fi sniffing, session hi-jacking and ARP spoofing.
Session Hi-Jacking & ARP Spoofing
You may be familiar with Firesheep, the Firefox browser plug-in that allowed you to easily sniff out and hijack Facebook, Twitter and other sessions, and which prompted those networks to implement SSL. Well, there is also an app for that, called DroidSheep, and it works similarly. The application requires a rooted Android phone (see part 1). Once started, the app can run in a few different modes; when it is connected to an open network it uses ARP spoofing to hijack the sessions.
A word of warning: on some networks this tool can slow an entire network and be detected, which occurred a few times on my test network. You can disable ARP spoofing, which will make it undetectable; however, it is not as efficient and will not pick anything up on an encrypted network.
The application provides a “Generic mode” that will display all possible account sessions, not just from known sites like Twitter and Facebook. During my test I was able to pick up sessions on my phone and test accounts from WordPress, Facebook, Twitter and Trimet.org.
Another application that provides a more invasive approach is Network Spoofer, which allows you to use ARP spoofing to actually alter the web traffic being sent to a network or to a specific machine. The application is a hefty download at around 600 MB, as it is actually a Debian image that includes the Squid proxy to modify the data, plus some other tools to modify images and perform other tasks. The application allows you to redirect web traffic to a specific site, flip images, alter queries and perform other harmless attacks that show the network was compromised.
The application works well on an open network; however, on a WPA/WPA2 network it simply cripples or slows the network. Hardware is also an issue: although the application works with most phones, some devices are incompatible. I tested it on a Nexus One and a Galaxy S and both worked.
Network Spoofer also allows you to redirect all network traffic directly to the phone. The packet data can then be logged by a packet-sniffer application such as Shark for Root, which is one of the better apps I found for this task (except for the ads that appear, which interfere with capture). The issue with using ARP spoofing for this, however, is that it can slow or cripple the network.
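The detection the warning above alludes to is straightforward from the defender's side: an ARP-spoofing tool has to keep sending replies that rebind the gateway's (and victims') IP addresses to the attacker's MAC. The following is an added example, not code from this post or from DroidSheep/Network Spoofer, that flags those rebindings in a constructed list of observed ARP replies; the gateway address and sample MACs are assumptions.

```python
"""Flag ARP poisoning from a list of observed ARP replies.

Added example (not from the original post): a small detector that tracks
which MAC address claims each IP and raises an alert when an IP (above all
the gateway) suddenly maps to a different MAC, or when one MAC answers for
many IPs, which is exactly the pattern an ARP-spoofing tool produces.
"""
from collections import defaultdict

# Constructed sample: (timestamp_seconds, sender_ip, sender_mac) taken from
# ARP "is-at" replies seen on the LAN. The gateway IP is an assumption.
GATEWAY_IP = "192.168.1.1"
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # legitimate gateway
    (0.5, "192.168.1.20", "bb:bb:bb:bb:bb:20"),  # a laptop
    (1.0, "192.168.1.30", "bb:bb:bb:bb:bb:30"),  # another host
    (5.0, "192.168.1.1", "cc:cc:cc:cc:cc:99"),   # phone now claims the gateway
    (5.1, "192.168.1.20", "cc:cc:cc:cc:cc:99"),  # and the laptop's IP
    (5.2, "192.168.1.30", "cc:cc:cc:cc:cc:99"),  # and the other host's IP
]


def detect_arp_spoofing(replies, gateway_ip, max_ips_per_mac=2):
    """Return a list of alert strings built from two heuristics:
    1. an IP that was bound to one MAC is later claimed by another
       (a gateway flip is the classic man-in-the-middle symptom);
    2. a single MAC answering for more than max_ips_per_mac IPs."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    flagged_macs = set()  # alert once per over-claiming MAC
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            kind = "GATEWAY" if ip == gateway_ip else "host"
            alerts.append(f"t={ts}: {kind} {ip} moved {prev} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append(f"t={ts}: {mac} now claims {len(mac_to_ips[mac])} IPs")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES, GATEWAY_IP):
        print(line)
```

On a real network the same logic can be fed from a switch's ARP inspection logs or a pcap, and the first "GATEWAY moved" alert is the one worth paging on.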
A better route for packet sniffing is to create a Wi-Fi hotspot on the device itself. A great thing about a rooted Android phone is its ability to act as an ad-hoc Wi-Fi hotspot. Creating an open Wi-Fi hotspot on the device with a name similar to an existing one in the office, or simply one that looks like a guest network (“Acme-Guest”), gives you a great way to intercept a great deal of traffic from users duped into connecting to it.
There are a number of packet-sniffing apps available for Android; the best I have found is Shark for Root, which logs the pcap file to the SD card of your device. There is also a Shark Reader application that allows you to read the pcap files; however, you will probably want to copy the files over to your laptop via FTP etc. and view them in Wireshark or other more robust tools.
I hope you found this post informative and that it helps raise awareness of how smartphones can be used to attack your network. In the next post in this series I will be discussing remote scripting.