Posted by Parks, Raymond on Nov 17, 2003; 6:42pm
URL: http://friam.383.s1.nabble.com/cmu-wifi-map-tp518922p518934.html

Keith Hunter wrote:
> Wow! If you can now tell me which dot is me I am going to get very
> afraid...
Well, now you've challenged me.

First, I need access to the web-server (and backend database) so I
can find all the dots. Since the web-page was created with Fireworks MX
and Dreamweaver MX it was probably created on a Windows box (there's
also a Mac version of this software). I'm at work, so the proxies
prevent me from determining the type of web-server, but let's say for
argument that if the developer uses Windows, the web-server is also
Windows. If the admin hasn't kept up their patches, they should still
be vulnerable to the FrontPage Extensions exploit, which gives me
remote access as the web-server user. I can probably obtain everything
I need to know as the web-server user, but I can always get system/root
access via a local privilege escalation.

Next, I need access to the Wireless Andrew network so I can sniff
your traffic. Since Wireless Andrew is open, I just need to war-drive
the campus to pick up traffic. If I need to do this remotely, I could
place a few sniffers around the campus that report back to me via their
own wireless connection to a wired access point. Since the Apple
AirPort Base Station is banned from campus, I suspect that I could use
one either to power my sniffer wireless network or even to divert
traffic and analyze it for user authentication information. I think
that gaining direct access to Wireless Andrew should be doable [1].

With knowledge of the user accesses and nodes of Wireless Andrew from
the web-server, I should be able to match traffic to dots. Scanning the
traffic for simple identifiers such as your email address or name should
make it possible to find you.

If I can divert your traffic through an Apple AirPort Base Station, I
should be able to not only track you but to become you, stealing your
virtual identity.

To summarize - first get access to the dot database, next sniff
traffic for user identification, then associate the two. There's a host
of alternative attacks as well as alternate attack steps. For instance,
an alternate attack might involve gaining direct access to the NetMon
systems via MySQL, Apache, or mod_perl vulnerabilities and then monitoring
you directly. Since the network admins can monitor you, I just need to
become a network admin.

1. Wireless Andrew's security model requires that a user authenticate
via AuthBridge (which passes the authentication on to NetReg). The
on-line documentation is not clear on what is required to register a
system, but there is no mention of security features such as one-time
password generators. So, I think some social engineering to gain a
user's authentication information would allow registration of rogue
systems in that user's name.

The on-line documentation of Wireless Andrew, AuthBridge, and NetReg
was very useful in understanding how to perform this attack.
--
Ray Parks
[hidden email]
IDART Project Lead
IORTA Department
http://www.sandia.gov/idart
Voice: 505-844-4024
Fax: 505-844-9641
Pager: 800-690-5288
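The post's scenario hinges on a rogue access point (the banned AirPort Base Station) diverting traffic on an open campus network. The defender's counterpart is to keep an inventory of authorized access points and triage periodic beacon scans against it. The script below is an added example written for this page; it is not code from the original post, nor from CMU's Wireless Andrew, AuthBridge or NetReg. The inventory, the sensor scan records and the banned-vendor OUI prefix are all constructed placeholder values, and the sensor names and finding labels are assumptions.

```python
"""Rogue access-point triage over wireless beacon scan records.

Added example, not from the original post. Assumes a defender keeps an
inventory of authorized access points (BSSID -> SSID, channel) and that
campus sensors periodically report the beacons they hear. All data below
is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

@dataclass(frozen=True)
class ScanRecord:
    sensor: str    # which sensor heard the beacon
    bssid: str     # access point MAC address, colon-separated hex
    ssid: str      # advertised network name
    channel: int
    rssi: int      # received signal strength in dBm

CAMPUS_SSID = "Wireless Andrew"

# Authorized inventory: BSSID -> (SSID, channel). Constructed values.
AUTHORIZED: Dict[str, tuple] = {
    "00:11:22:aa:bb:01": (CAMPUS_SSID, 1),
    "00:11:22:aa:bb:02": (CAMPUS_SSID, 6),
    "00:11:22:aa:bb:03": (CAMPUS_SSID, 11),
}

# OUI prefixes (first three octets) of AP vendors not permitted on campus.
# Hypothetical placeholder, not a real vendor assignment.
BANNED_OUIS = {"00:aa:bb"}

def oui(bssid: str) -> str:
    """First three octets of a MAC address, normalised to lower case."""
    return bssid.lower()[:8]

def classify(rec: ScanRecord) -> Optional[str]:
    """Return a finding label for one scan record, or None if it is expected.

    Order matters: a BSSID we own is checked against its inventory entry;
    an unknown BSSID advertising the campus SSID is an evil twin regardless
    of vendor; only then do we fall back to vendor and generic checks.
    """
    known = AUTHORIZED.get(rec.bssid.lower())
    if known is not None:
        ssid, channel = known
        if rec.ssid != ssid:
            return "inventory_ap_wrong_ssid"
        if rec.channel != channel:
            return "inventory_ap_wrong_channel"
        return None
    if rec.ssid == CAMPUS_SSID:
        return "evil_twin"
    if oui(rec.bssid) in BANNED_OUIS:
        return "banned_vendor_ap"
    return "unknown_ap"

def triage(records: Iterable[ScanRecord]) -> Dict[str, List[str]]:
    """Group findings by label; each entry reads 'bssid@sensor(rssi dBm)'."""
    findings: Dict[str, List[str]] = {}
    for rec in records:
        label = classify(rec)
        if label is None:
            continue
        findings.setdefault(label, []).append(
            f"{rec.bssid}@{rec.sensor}({rec.rssi} dBm)")
    return findings

def strongest_sensor(records: Iterable[ScanRecord], bssid: str) -> Optional[str]:
    """Sensor that heard the given BSSID loudest; a first step in locating it."""
    best: Optional[ScanRecord] = None
    for rec in records:
        if rec.bssid.lower() == bssid.lower() and (best is None or rec.rssi > best.rssi):
            best = rec
    return best.sensor if best else None

# Constructed scan results from three hypothetical sensors.
SAMPLE_SCAN = [
    ScanRecord("sensor-1", "00:11:22:aa:bb:01", CAMPUS_SSID, 1, -45),   # expected
    ScanRecord("sensor-1", "00:11:22:aa:bb:02", CAMPUS_SSID, 6, -60),   # expected
    ScanRecord("sensor-2", "00:aa:bb:cc:dd:ee", CAMPUS_SSID, 6, -40),   # evil twin
    ScanRecord("sensor-2", "00:aa:bb:00:00:01", "linksys", 11, -70),    # banned vendor
    ScanRecord("sensor-3", "02:de:ad:be:ef:01", "home-net", 3, -80),    # unknown AP
    ScanRecord("sensor-3", "00:11:22:aa:bb:03", CAMPUS_SSID, 6, -55),   # wrong channel
    ScanRecord("sensor-1", "00:aa:bb:cc:dd:ee", CAMPUS_SSID, 6, -75),   # evil twin, weaker
]

if __name__ == "__main__":
    for label, hits in sorted(triage(SAMPLE_SCAN).items()):
        print(f"{label}: {', '.join(hits)}")
    print("evil twin nearest:", strongest_sensor(SAMPLE_SCAN, "00:aa:bb:cc:dd:ee"))
```

The evil-twin check runs before the vendor check on purpose: an unauthorized radio advertising the campus SSID is the finding that matters most, whatever hardware it is, and the per-sensor signal strength gives a starting point for physically locating it.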