Keith Hunter wrote:
> Wow! If you can now tell me which dot is me I am going to get very
> afraid...
Well, now you've challenged me.
First, I need access to the web-server (and backend database) so I
can find all the dots. Since the web-page was created with Fireworks MX
and Dreamweaver MX it was probably created on a Windows box (there's
also a Mac version of this software). I'm at work, so the proxies
prevent me from determining the type of web-server, but let's say for
argument that if the developer uses Windows, the web-server is also
Windows. If the admin hasn't kept up their patches, they should still
be vulnerable to the Front-Pages Extensions exploit, which gives me
remote access as the web-server user. I can probably obtain everything
I need to know as the web-server user, but I can always get system/root
access via a local privilege escalation.
Next, I need access to the Wireless Andrew network so I can sniff
your traffic. Since Wireless Andrew is open, I just need to war-drive
the campus to pick up traffic. If I need to do this remotely, I could
place a few sniffers around the campus that report back to me via their
own wireless connection to a wired access point. Since the Apple
AirPort Base Station is banned from campus, I suspect that I could use
one either to power my sniffer wireless network or even to divert
traffic and analyze it for user authentication information. I think
that gaining direct access to Wireless Andrew should be doable [1].
With knowledge of the user accesses and nodes of Wireless Andrew from
the web-server, I should be able to match traffic to dots. Scanning the
traffic for simple identifiers such as your email address or name should
make it possible to find you.
If I can divert your traffic through an Apple AirPort Base Station, I
should be able to not only track you but to become you, stealing your
virtual identity.
To summarize - first get access to the dot database, next sniff
traffic for user identification, then associate the two. There's a host
of alternative attacks as well as alternate attack steps. For instance,
an alternate attack might involve gaining direct access to the NetMon
systems via MySQL, Apache, or mod_perl vulnerabilities and then monitor
you directly. Since the network admins can monitor you, I just need to
become a network admin.
1. Wireless Andrew's security model requires that a user authenticate
via AuthBridge (which passes the authentication on to NetReg). The
on-line documentation is not clear on what is required to register a
system, but there is no mention of security features such as one-time
password generators. So, I think some social engineering to gain a
user's authentication information would allow registration of rogue
systems in that user's name.
The on-line documentation of Wireless Andrew, AuthBridge, and NetReg
were very useful in understanding how to perform this attack.
--
Ray Parks
[hidden email]
IDART Project Lead Voice:505-844-4024
IORTA Department Fax:505-844-9641
http://www.sandia.gov/idart Pager:800-690-5288
Locked
Nov 13, 2003; 6:13pm
