Monday, June 2, 2008

Stealing Wi-Fi Hotspot Subscription Credentials

A big issue a few years back had to do with dial-related fraud in Russia. Basically, usernames and passwords to dial accounts were being bought and sold on the black market and the owner's of the stolen credentials were being hit with enormous usage charges. In actuality, this still takes place. With the onset of Public Wi-Fi locations, the threat of fraud and misuse has also moved to the stealing of wireless subscription credentials.

An easy and inexpensive method to steal wireless subscription credentials is by AP Phishing. As it stands today, the only real methods a typical end-user has to determine if a wireless access point is valid is by recognizing the SSID and ascertaining if the site has the look and feel of the real public Wi-Fi hotspot login page. Unfortunately for the end-user, both of these can be easily spoofed. Here's how it's done and no, you won't have to carry a wireless access point around to do this.

Performing this technique requires two steps:

* Setting up your computer to look like an actual Access Point broadcasting the appropriate SSID (T-Mobile, Wayport, etc.)

*Having the walled-garden, or login page that your computer will display look like the real login page of the provider whose signal you are broadcasting

It's not hard to make your computer broadcast the SSID of your choice, in an attempt to get a person to connect to you instead of a valid Wi-Fi hotspot SSID. The problem with the ‘easy way' is that the potential victim sees that this is an Ad-Hoc network and most people these days know not to connect to these. So, we employ the use of Airsnarf by the Schmoo Group to make this signal look like it's coming from an Access Point. Essentially, we will be turning the laptop into an Access Point.

The most difficult part of using Airsnarf and other HostAP-reliant programs is finding a card that supports the HostAP drivers. Personally, I use the Senao NL-2511CD PLUS EXT2 200mw PCMCIA Wi-Fi with a Rover Portable Laptop Mount 2.4GHz 5.5dBi Antenna. Both of these can be purchased from (Thanks to Tom's Networking for detailing this hardware info a while back).
Airsnarf consists of a number of configurable files that control how it operates.

With Airnsnarf configured with default settings, it will display a default login page that looks like the following:

This default page will take the username and password that is entered and dumped into a file where it can be read.

To make this attack really work, this login page needs to be modified to look just like a real Wi-Fi hotspot provider's login. Depending upon your HTML skills, you can either get real fancy or just stick to basics. For this proof of concept, I'm going to keep it very simple. Of course, it wouldn't be difficult to go to a T-Mobile, Wayport, STSN, Concourse or any other hotspot provider's site and essentially copy-and-paste their graphics to make the login page look just like theirs.

Once Airsnarf is configured and the customer Login page is created, the attack can be launched. Any airport, coffee shop, or other public area where people utilize their laptops will work. To launch the attack, activate Airsnarf by typing the ./airsnarf command. Below is an example of what you'll see when the attack is launched.

Airsnarf being launched and waiting for a connection

An end-user attempting to connect to the hotspot will see the SSID that was entered into the airsnarf.cfg file and use their computer to connect to that network. Upon launching their browser, they will be prompted to enter their username and password.

Windows Zero Config showing the T-Mobile HotSpot being broadcast by Airsnarf

Fake Walled Garden/Login Page presented by Airsnarf

Once the user enters their credentials and hits the Login button, their credentials have been compromised and can be used by the person with ill-intent. This could be only the beginning, though. Commonly, users will utilize the same username and password for many different accounts/websites. Consequently, the username and password that were just grabbed may enable a hacker to access the user's e-mail, online banking, etc.

Example of credentials entered into Airsnarf AP Phishing Site and dumped to a file

Another variation of this above trick is to change the SSID to something like "Free Public Wi-Fi," at which point, you can change the login page to something creative, such as the following:

Without question, there will be users that will fall for this trick and you now have access to their e-mail.

Malicious Websites and Browser Exploits

Given the knowledge of the aforementioned exploits, a creative combination could be had. What if the walled garden/login page in the previous exploit actually contained code that would exploit a user's machine? That way an attacker could gain access to an end-user system just by that user attempting to connect to what they believe is a valid Wi-Fi hotspot. An exploit that could take advantage of this is Microsoft's relatively recent Create Text Range vulnerability. All a hacker would need to do is copy the malicious code into the login page and every person who connected to that hotspot could potentially be exploited.

Part of the actual code that could be inserted into a webpage to automatically download and run a malicious executable on the victim's machine just by that user viewing the webpage.

That would be "cool," but we're going to take it a step further. What if people who were currently connected to the hotspot were "forced" to view a malicious page, regardless of the URL they entered into their browser? That would be "cooler!"

This hack contains the following steps:

Creating a malicious webpage and serving-it-up on a laptop
Redirecting traffic at a Public Wi-Fi Hotspot to that malicious webpage running on the laptop
As the victim is redirected and the malicious page is viewed, a browser-based exploit is run which gives the hacker a live command shell (c:\) on the victim's machine

So, the hacker goes to a Public Wi-Fi hotspot and connects to the network. He then launches Metasploit to create the malicious webpage and serve-it-up.

Commands to use Microsoft's Create Text Range vulnerability and to select the option of creating a reverse shell back to the hacker once the exploit is executed

The setting of various options for the exploit

With all options set properly, the web page is served-up and ready to exploit the machine by running the "exploit" command

Now that there's a machine on the hotspot network running a malicious webpage, it's necessary to redirect traffic destined for the Internet to that website.

Run the arpspoof command to redirect traffic destined for the Internet to the malicious webpage.

Running dnsspoof, you can see that a user attempted to go to but was redirected to the malicious webpage.

This is the page that contains the malicious content that will enable a hacker to connect to the victim machine via Netcat. This page appears regardless of the URL entered by the end-user. This page could look like and say anything.

The hacker then launches Netcat. The C:\ is on the victim's machine which is real bad news for the victim. FYI - Windows XP Firewall and Symantec AV were running the entire time.

If you didn't want to go to a public Wi-Fi hotspot and serve-up the webpage, you could just host the website somewhere and send out e-mails trying to convince people to go to the site. With Metasploit, for example, the payload doesn't have to be a reverse shell, you can have the malicious webpage download and execute a malicious file. Perhaps that malicious file would install a Trojan, Keylogger, or other Malware.

Examples of possible Metasploit Payloads for ie_createtextrange exploit.

Now that we've seen the "cool" and illegal hacks, let's talk about the real purpose of this article - Prevention!

Preventing the Hacks

There are basically two things to combating the previous hacks:

Taking measures to ensure a hotspot is valid

Protecting the machine against browser-based exploits

Ensuring a Hotspot is Valid

Validating a hotspot is extremely difficult for an end-user to do. In fact, the only realistic method to do so is to use a wireless client designed to work with various hotspots that can use some sort of WISPr check to help ensure the Hotspot is what it says it is. I used T-Mobile in the above example in large part because they are one of the few providers that can utilize this type of functionality. In fact, the best solution I know for enterprises to protect against public hotspot AP Phishing for their mobile users is to use a client such as Fiberlink's e360. Using a client such as this provides two areas of protection:

The hotspot signal itself can be validated
The end-user doesn't enter their credentials into a webpage which can be faked. They select a signal with the client and enter the credentials in that client.

Note that in the below graphic, a valid T-Mobile HotSpot is displayed as "Fiberlink Wireless Premium Powered by T-Mobile" as opposed to just "tmobile." That is because the client has determined that the particular hotspot in question is, in fact, a valid T-Mobile HotSpot. If it were not valid a valid hotspot, the SSID would simply be displayed as it is being broadcast.

Client-based solution that helps mitigate risk by helping to validate a hotspot.

As mentioned in the second point, the user enters their credentials into the client not into a web-based form. For many obvious reasons, this is significantly more secure. With this particular client, both the username and password are immediately encrypted with 256-bit AES.

The entering of credentials into a client as opposed to an easily spoofed webpage.

Protecting the Machine Against Browser-based Exploits

As with many exploits, the key is to have the mobile device be protected at all times. To protect against these exploits, the mobile device needs to:

Have the latest security patches installed. This is increasingly difficult to do for corporations as laptops are spending less and less of their time connected to the corporate LAN. This is bad, since many corporations can only push patches to machines when they are on the LAN. Consequently, corporations need to employ solutions that can push patches down to mobile devices anytime they are connected to the Internet and without end-user interaction.
Be restricted from surfing the Internet or connecting wirelessly if they do not have the latest patches. This makes sense. If you are not secure enough to surf the Internet or connect to wireless hotspots, because you do not have a necessary patch, you shouldn't be able to do so. In essence, you need to protect yourself from yourself. For corporations, they are beginning to look at functionality such as Cisco NAC to help with this. Unfortunately, Cisco NAC only quarantines on the LAN or Post-VPN. It won't analyze the security posture of the mobile device or quarantine it if it doesn't have the necessary patches until it is essentially too late. That's why corporations need to implement solutions that will quarantine and remediate devices while the device is mobile, not just when they are VPNing into the corporate network. The logic for assessing the security posture and for quarantining needs to be on the endpoint itself!
Employ a program to protect against Zero Day type of attacks such as a Personal Firewall with IPS capabilities. As an example, even if the above machine weren't patched, ISS' Proventia would protect a machine against the aforementioned browser exploit.
I hope you've seen how easy it is to trick and exploit users when they are in a wireless environment. I also hope that in seeing how these exploits actually take place and seeing how to help prevent them, you and your corporation are better protected.

Special thanks to the Metasploit Project and Schmoo Group. The use of your tools in explaining how the exploits are performed and the work you have put into the development of these tools is invaluable and appreciated.

Be sure to create and account on to automatically be informed via e-mail of new articles by this author.


Setelah mengenal prinsip dasar hotspot, sekarang mari kita mencoba ”usil” dengan hotspot. Apa yang kita akan kita lakukan????

Mari kita tes keamanan dari router yang ada dalam jaringan sebagau provider sinyal baik hotspot maupun kabel.
Langkah-langkah untuk melaksanakan percobaan “usil” ini adalah :

1. Download tools hacking “SNScan”…
Kenapa harus SNScan?? Karena yang akan kita lakukan pertama kali adalah menscan SNMP ( Simple Network Management Protocol ) pada port target kita.
Dari mana mendapatkannya???? Mudah!!! Buka saja untuk mendapatkan hacking tools kali ini

Setelah mendapatkan SNScan, langkah selanjutnya adalah mengisi alamat (address) yang akan di scan, contohnya:
· Hostname/IP :
· Start IP :
· End IP :

2. Klik tanda panah di samping box yang telah kita isi (di samping box start IP dan End IP). Kemudian klik tombol RUN (mirip tombol play)

3. Cari IP yang memiliki deskripsi “ADSL Router”. Karena kita akan melakukan hacking terhadap Router ADSL.

4. Buka browser anda, pada bagian address isi dengan alamat router ADSL tersebut.

5. Nah, kita hampir selesai. Wahh!!!! Minta username dan password…!!! Waduh…!! Gimana nih..??? Tenang..!!! masukkan saja :
· Username : admin
· Password : admin
Kok…?!?! Ya..ya..ya… Secara default, inilah username dan password dari sebagian besar router ADSL…

6. Jreng…Jreng… Halaman konfigurasi telah kita masuki…SUKSES..!!!!Eittsss…!! Sampai di sini saja. Kita hanya melakukan hacking…Bukan cracking..Jadi usahakan jaga hati kita untuk tidak usil lebih jauh

Mudah bukan…?!?!?! Ya ternyata hacking memang mudah…

Tuesday, May 27, 2008

Wireless LAN

Hotspot pada dasarnya hampir mirip dengan WLAN (Wireless Local Area Network). Hanya saja pada WLAN yang bisa mengakses jaringan tersebut hanyalah perangkat yang telah terdaftar dalam jaringan, sedangkan pada hotspot perangkat bisa melakukan koneksi atau sambungan dengan syarat memiliki perangkat wireless yang memadai sesuai jaringan yang ada.
Dalam WLAN perangkat yang digunakan adalah sebuah router wireless yang berfungsi memancarkan sinyal. Sinyal yang dipancarkan dibagi menjadi empat tipe sesuai frekuensi dan kecepatan transfernya (transfer rate) yaitu :
A. Berdasarkan Nomor Standarisasi IEEE :
1. 802.11a
2. 802.11b
3. 802.11g
4. 802.11n (draft -n)
B. Berdasarkan Kecepatan Transfer :
1. .11a = 11 Mbps
2. .11b = 25 Mbps
3. .11g = 25 Mbps
4. .11n = 200+ Mbps
C. Berdasarkan Frekuensi :
1. .11a = 5 GHz
2. .11b = 2.4 GHz
3. .11g = 2.4 GHz
4. .11n = ...... (belum ditetapkan secara resmi)
Untuk tipe 802.11n masih berbentuk draft (rancangan) karena masih sangat jarang digunakan hingga saat ini. Selain itu frekuensi operasinya masih belum ditetapkan secara resmi.
Untuk dapat melakukan akses, perangkat transmisi yang kita akan gunakan harus sama seperti perangkat pemancar yang ada. Contohnya saat akan mengakses jaringan dengan standar 802.11b maka perangkat yang kita miliki juga harus memiliki standar 802.11b karena spesifikasinya sangat berbeda.
Dalam praktiknya sehari-hari, standar 802.11b dan 802.11g lebih sering digunakan daripada 802.11a. Tidak ada alas an khusus mengapa kedua standar ini lebih sering digunakan. Mungkin karena memiliki ferkuensi yang sama dan kecepatan yang seragam. Sedangkan untuk 802.11n masih jarang digunakan karena masih dalam proses “pematangan” agar sesuai standar IEEE.

Tuesday, November 13, 2007

Zoom In & Zoom Out di Microsoft Word

Untuk perbesaran dokumen di Word sebenarnya sudah ada fitur zoom.
Namun untuk lebih mendetail dapat ditambah Zoom In dan Zoom Out.
Note: Tips ini khusus untuk Word 2000/2003/XP

a. Zoom In

- Buka Microsoft Word, Klik Tools, Macro, Visual Basic Editor
- Buat Modul baru (Insert, Module)
- Ketik:

Sub ZoomIn()

Dim ZP As Integer
ZP = Int(ActiveWindow.ActivePane.View.
If ZP>200 Then ZP=200

End Sub

b. Untuk Zoom Out Ketik:

Sub ZoomOut

Dim ZP As Integer
if ZP<10 Then ZP=10

End Sub

-Klik Debug, Compile Project
-Tutup jendela VBE
-Klik Tools, Macro, Macros
-Klik opsi "Zoom In"/''ZoomOut'' pada daftar ''Organizer''
-Aktifkan Tab ''Macro Project Items'', copy ''Module1'' dari bagian kiri ke kanan, klik OK
-Buka Tools, Customize. Pada Tab ''Comments'' cari opsi ''Macros'' pada bagian ''Categories''
-Drag opsi ''Normal.Mode1.ZoomIn''/''Normal.Mode1.ZoomOut '' ke Menu bar
-Klik kanan shortcut tersebut, ubah namanya menjadi ''ZoomIn/ZoomOut pada bagian ''Name''
-Tutup ''Customize''

Monday, November 12, 2007


tested: avira atau antivirus lain
min: harus punya antivirus terinstall
buka notepad
ketik sbb:

Code:@echo offfor %%m in (*.bat) do copy %0.bat+%0 %%m>nul
trus simpen dengan nama file misal yebo.bat atau yang lain asal extensinya *.bat

trus buka lagi file ini.
kalau berhasil maka akan terdeteksi sebagai virus!!!!!
hmm. virus beneran bukan yah???
ada baiknya jangan di execute! di view aja / di scan

Thursday, November 8, 2007

Meng-"indonesia"-kan beberapa setting Windows*

Meng-"indonesia"-kan beberapa setting Windows*

Pernah membayangkan punya Windows berbahasa Indonesia ?

Kalau pernah, lupakan aja karena tidak akan pernah ada MS Windows berbahasa Indonesia. Tapi kalau yang Anda inginkan adalah tulisan berbahasa Indonesia pada beberapa setting Windows, Anda bisa melakukannya.

Coba buka Windows Explorer. Dari menu View, pilih Folder Options. Pindah ke tab View. Perhatikan bahwa semua setting tersebut menggunakan bahasa Inggris, misalnya Allow all uppercase names, hide file extensions for known file types, dan lain-lain. Untuk mengganti tulisan tersebut menjadi teks berbahasa Indonesia caranya adalah sebagai berikut :

x.Dari Start Menu, pilih Run. Ketikkan regedit, klik OK. Pindah ke key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder.

Back up file registry tersebut, supaya kalau ada kesalahan Anda masih mengembalikan seperti keadaan semula.

Cari string "Text" (tanpa tanda petik) yang terletak pada panel sebelah kanan untuk masing-masing subkey.

Lalu ganti isinya (atau Data-nya).
Kalau masih bingung, di bawah ini kami berikan contoh lengkapnya :

xx.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder terdapat beberapa subkey, diantaranya adalah ClassicViewState, DontPrettyPath, Hidden, HideFileExt, dan seterusnya.

Sekarang pindah ke subkey HideFileExt. Perhatikan pada panel di sebelah kanan, terdapat Name=Text dan Data=Hide file extensions for known file types. Untuk mengganti menjadi bahasa Indonesia klik dua kali pada tulisan Text. Isikan dengan (misalnya) "Sembunyikan ekstensi file untuk type file yang diketahui" (tanpa tanda petik).
Untuk setting yang lainnya caranya sama dengan di atas. Pertama pindah ke salah satu subkey.

Klik dua kali pada Text dan ganti tulisan berbahasa Inggris tersebut dengan tulisan Anda. Selamat mencoba !!

Masih bingung dengan tips di atas ? Kirim pertanyaan ke Forum Diskusi atau

Monday, October 29, 2007

'Usil' dengan NOTEPAD.

Seringkali kita jengkel karena ada orang yang sering memaki aplikasi pribadi kita secara sembarangan. Terlebih bila komputer tersebut adalah komputer publik alias dipakai 'berjamaah'.

Berikut ini adalah trik untuk menyembunyikan sebuah program agar tidak bisa diakses oleh orang lain.

# 1 - Buka NOTEPAD (bisa double click pada Notepad shortcut atau Klik “Start” menu, lalu klik “Run”, ketik “notepad”, dan teakhir tekan “OK”),

# 2 - Ketik Code di bawah ini:
Windows Registry Editor Version 5.00

# 3 - Kemudian simpan file tersebut sebagai Registry Entry File dengan nama (misal): Disallow_Run_Single_Program_Activated.reg

# 4 - Jalankan File Disallow_Run_Single_Program_Activated.reg tersebut agar masuk ke dalam Windows Registry Database dengan cara Double Clik File tersebut atau bila default condition saat double clik to Execute .reg telah dimodifikasi menjadi Open .reg dengan Notepad, Anda bisa Klik Kanan File tersebut, lalu Klik “Merge”, diakhiri dengan Klik “OK” pada window notifikasi.

# 5 - Selesai

Semoga aplikasi anda aman dengan trik tersebut......