Flash Cookies: The Silent Privacy Killer

There are hundreds of applications out there from spyware cleaners to built-in browser features that eliminate cookies on the spot, and even let you set cookie policies on your computer regarding what can be stored in your machine, and for how long.

I’m assuming that if you’re here reading this post, you already know all of the dangers of cookies on your computer. In all honesty, I don’t seriously believe that they’re the most dangerous form of movement or web tracking, but they can definitely be used to monitor more movements than a person should feel comfortable with.

What if there was a type of cookie that could:

  • Stay on your computer for an unlimited amount of time
  • Store 100 kb of data by default, with an unlimited max
  • Couldn’t be deleted by your browser
  • Send previous visit information and history, by default, without your permission

Okay… That’s a pretty scary cookie. As it is right now, the cookies we’re so deadly afraid of can store a maximum of 4 kb of information, are managed by your browser, and by default have reasonable limits and restrictions.

This type of cookie exists on 98% of global computers, across all operating systems. It’s the Macromedia Flash Player.

The Macromedia Flash Player maintains proprietary cookies called Local Shared Objects or LSO’s. LSO’s are capable of storing 100 kb’s of information for an indefinite amount of time by default. When you clear your browser history in Internet Explorer, Firefox or Opera on Windows, Linux, or OS X, LSO’s are not cleared from Macromedia’s local repository.

In fact, all the information in those cookies will remain indefinitely until they’re removed by the issuing website, or by you via a cumbersome and ridiculous process.

Unfortunately, I haven’t even explained the worst of it.

There’s no easy way to tell what sites are using flash cookies to track your movements. There’s no list, and there doesn’t have to be a flash GUI or visible application for flash cookies to be present. In fact, most websites using flash for user tracking don’t create GUI’s, toolbars, or applications that you can actually see in your browser while browsing the site.

Many times a tiny flash module, 2 kb in size or less is loaded into your browser on every page visit in the same way a gif, jpg or other image is. The whole purpose of this tiny, invisible flash module might be to simply record the page request, and your username or other session variables.

Alright, so now you’re sufficiently convinced that this is creepy stuff. Let’s talk about how to get rid of it?

Lame as it might be, the Flash Player has no ability to delete cookies. And as I’ve already said, your browser can’t help you out. It doesn’t even know these cookies exist! Most of the privacy settings for Macromedia Flash have to be accessed via a flash application on Macromedia’s website called the Adobe Flash Player Settings Manager.

If you want to access the Settings Manager, you can do so here. In fact, open it up now and let’s take a look.

If you’ve clicked the link above, then you’re looking at the Flash Player Settings Manager, and a list of all the sites currently storing information in flash cookies on your computer.

Looking at my list, I see over 100 websites that have been accessing the same cookie for the last year (the last time I formatted my computer). Some of them are storing only 1 kb of information, some are storing the full 100 kb’s. On my own computer, I see that my bank is storing flash information despite the fact that there isn’t a single flash application visible when I log in to check my balance. I see Youtube, CNN, Microsoft, Rotten Tomatoes and a ton more!

To delete all the Flash Cookies currently being stored on your machine:

  1. Go to the Settings Manager (Website Storage Settings)
  2. Go to the far-right tab
  3. Click “Delete all sites”

To prevent websites from storing any more information on your computer:

  1. Go to Settings Manager
  2. Click the Second Tab from the left (Global Storage Settings)
  3. Set the Storage Settings slider to None
  4. Uncheck “Allow Third Party Flash Content to store data on your computer”

There are several other “privacy” settings on the other tabs, but don’t be persuaded. Most of those privacy settings have to do with whether or not websites can access your microphone and webcam. There isn’t a single cookie option on any of the privacy tabs on the Settings Manager.
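Because the Settings Manager only shows what Flash itself reports, it helps to be able to look at the LSO files on disk directly. The script below is an added example, not part of the original post: it walks the Flash Player’s #SharedObjects folder, validates each .sol file by its header, totals the storage per site, flags sites over the 100 kb default described above, and can delete one site’s LSO’s. The storage paths, the folder layout (one random folder, then one folder per site) and the .sol header bytes are assumptions from the Flash Player’s usual on-disk layout; the sample tree it builds is constructed data.

```python
"""Enumerate Flash Player Local Shared Objects (.sol files) on disk.

Assumed #SharedObjects locations (not from the post):
  Windows: %APPDATA%\\Macromedia\\Flash Player\\#SharedObjects
  Linux:   ~/.macromedia/Flash_Player/#SharedObjects
  macOS:   ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects
Inside it: <random folder>/<site domain>/<name>.sol
"""
import os
import struct
import tempfile
from collections import defaultdict

SOL_MAGIC = b"TCSO"          # assumed: bytes 6..9 of every .sol file
DEFAULT_LIMIT = 100 * 1024   # the 100 kb per-site default the post describes


def default_lso_roots():
    """Candidate #SharedObjects directories for this machine (assumed paths)."""
    home = os.path.expanduser("~")
    return [
        os.path.join(os.environ.get("APPDATA", ""), "Macromedia", "Flash Player", "#SharedObjects"),
        os.path.join(home, ".macromedia", "Flash_Player", "#SharedObjects"),
        os.path.join(home, "Library", "Preferences", "Macromedia", "Flash Player", "#SharedObjects"),
    ]


def is_sol_file(path):
    """True if the file starts with 0x00BF, a 4-byte length, then 'TCSO'."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(10)
    except OSError:
        return False
    return len(header) == 10 and header[:2] == b"\x00\xbf" and header[6:10] == SOL_MAGIC


def scan_lso(root):
    """Return {site: {"files": n, "bytes": total}} for validated .sol files under root."""
    report = defaultdict(lambda: {"files": 0, "bytes": 0})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.endswith(".sol") or not is_sol_file(path):
                continue   # decoys and non-LSO files are not counted
            parts = os.path.relpath(path, root).split(os.sep)
            site = parts[1] if len(parts) > 2 else parts[0]   # skip the random folder
            report[site]["files"] += 1
            report[site]["bytes"] += os.path.getsize(path)
    return dict(report)


def over_limit(report, limit=DEFAULT_LIMIT):
    """Sites whose stored LSO data exceeds limit bytes."""
    return sorted(s for s, v in report.items() if v["bytes"] > limit)


def delete_lso(root, site):
    """Delete every validated .sol file stored for one site; returns the count removed."""
    removed = 0
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != site:
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".sol") and is_sol_file(path):
                os.remove(path)
                removed += 1
    return removed


def make_sol_bytes(name, payload):
    """Constructed minimal .sol image: header, name record, AMF version, payload."""
    body = SOL_MAGIC + b"\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(name))
    body += name.encode() + b"\x00\x00\x00\x00" + payload
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body


def build_sample_tree(base):
    """Constructed sample: one small site, one site over 100 kb, and a bogus decoy."""
    rnd = os.path.join(base, "A1B2C3D4")
    samples = {"news.example": [("session", 3000)],
               "tracker.example": [("visits", 70000), ("history", 60000)]}
    for site, sols in samples.items():
        os.makedirs(os.path.join(rnd, site), exist_ok=True)
        for name, size in sols:
            with open(os.path.join(rnd, site, name + ".sol"), "wb") as fh:
                fh.write(make_sol_bytes(name, b"\x00" * size))
    with open(os.path.join(rnd, "news.example", "bogus.sol"), "wb") as fh:
        fh.write(b"not a shared object")   # wrong header, must be ignored


def demo():
    """Scan the constructed tree, then delete the over-limit site and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        before = scan_lso(tmp)
        flagged = over_limit(before)
        removed = delete_lso(tmp, "tracker.example")
        after = scan_lso(tmp)
    return before, flagged, removed, after


if __name__ == "__main__":
    for root in (r for r in default_lso_roots() if os.path.isdir(r)):
        for site, v in sorted(scan_lso(root).items()):
            print(f"{site:40s} {v['files']:3d} file(s) {v['bytes'] / 1024:7.1f} kb")
    print("constructed demo, sites over limit:", demo()[1])
```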

Macromedia, as a global leader in browser technology (a 98% computer market share), has a responsibility to make Privacy Options easily accessible from within the Player application itself. They also have a responsibility to set reasonable default limitations. It’s ridiculous that they would enable websites to store cookies indefinitely, and in such large sizes.

Is Macromedia intentionally allowing websites to abuse privacy? You tell me.

Anonymous, disposable e-mail address, now with rss feeds!

It seems like everywhere I turn there is someone wanting an e-mail address. Some websites require registration (thanks, bugmenot!), others just require ‘verification’. These vultures seem to stop at nothing to get your personal information!

It used to be quite easy to simply give them a phony or fake email address. After all, what’s the harm in giving someone some random nothingness that is meaningless to you? Unfortunately, it appears they’ve wised up to the act. Now they want to send us ‘verification’ links or registration confirmations to click on before they’ll activate your account or let you in to various parts of the site. For the longest time, that meant giving them a real email address. Sure, you could go through all the trouble of signing up for a couple of spam accounts that don’t matter to you. But that’s so troublesome! More passwords to remember, another site to have to login to just to get a quick piece of information you’ll never use again.

Luckily there’s Makemetheking.com. Want to browse the Wall Street Journal but need to activate your account before they’ll let you read the news? No problem! Give them a fake address @makemetheking.com (you make it up), and then go get your message from Makemetheking.com. Of course it’s free. No passwords, no waiting, and no reason to ever check that mailbox again.

As a bonus feature, you can add mailboxes to your rss feeds. If you’re waiting for an email and don’t feel like checking every 5 minutes, add it to your feed list and let rss do all the work.

Firefox Caching: Get latest page every time

Internet Explorer has a fantastic Web Cache option in Tools > Internet Options > Browsing History > Settings called “Check for newer versions of stored pages:”. This option lets you override Internet Explorer’s smart caching option.

This is useful when you’re visiting websites that frequently have changing, dynamic data, but their meta tags or HTTP Content headers don’t tell your browser to get a new copy of the page every time. All you have to do is switch the setting to “Every time I visit the webpage“.

Lo and behold, Firefox actually has an equivalent setting that allows the browser to check for newer versions of the page each and every time. It’s called browser.cache.check_doc_frequency and it can be found in the about:config menu of Firefox. Who knows why it’s not in any of the GUI settings for Firefox. They must be crazy.

To access it, simply enter this into your URL location box in Firefox:

about:config

Then find browser.cache.check_doc_frequency and change it to 1. This will force Firefox to check for a newer version of the page you’re viewing, regardless of the server’s instructions or Firefox’s default settings.

This is useful because by default Firefox is set to 3, which means that it will always use an old, cached version of the web page unless the server specifically indicates a newer one is available. You never know if you’re getting the right stuff.

For reference, valid values for browser.cache.check_doc_frequency are:

0 - Check for a new version of a page once per session (a session starts when the first application window opens and ends when the last application window closes).

1 - Check for a new version every time a page is loaded.

2 - Never check for a new version - always load the page from cache.

3 - Check for a new version when the page is out of date. (Default)

Viewing Unencrypted Wifi Traffic in 5 Minutes or Less

Everyone knows that unencrypted wireless traffic can be viewed by anyone, and your data can easily be compromised. But how often have you disregarded unsecured wifi, and used it anyway? You know, when you’re at that local Starbucks or other coffee shop, or when you’re staying in that cheap motel, or even a nicer hotel.

I’m sure you’ve told yourself “Well yes, I’m sure it is easy to view unencrypted traffic, but it probably takes a little work!”. You’ve reassured yourself, and talked yourself into using an unencrypted connection under the guise that surely no one will go through the work of listening, regardless of how “easy” it is.

This tutorial will show you, in detail, how to view unencrypted Wifi (Wireless) 802.11 G (Or a & b) traffic using a simple linux-based security suite titled BackTrack 3. You don’t even need linux! A free, downloadable CD ISO image will do all the work for you! The steps outlined here have been tested for clarity in a controlled, legal home networking environment, and work great.

Viewing Unencrypted Wifi in 5 minutes or less:

Alright, you got me. You really can view unencrypted traffic in 5 minutes or less, but you’ll need to do some prep first.

What you need:

  1. A Computer (laptop) with a CD-ROM Drive and a wireless adapter (Preferably not USB)
  2. The ability to burn ISO images to CD or DVD
  3. A copy of BackTrack 3 Security Suite from Remote-exploit.org

Brief Background:

BackTrack 3 is a legal and mostly open-source security suite designed by security experts in the computer and software industry. Its creation is intended as both an educational tool, and as a toolbox for network administrators who wish to secure a private or corporate network, or to test a ‘secured’ network. When searching for it, you’ll often see it titled as BackTrack3 or Backtrack 3. 3 is the version number, and will change with time.

Unencrypted wireless technology is so dangerous because packets are broadcast in a digital, 010101 format in the open air without any form of encryption. Any device capable of sniffing radio traffic can read your datagrams, and view your traffic including IM’s, passwords, URL’s, and other HTTP GET and POST content.

Step 1 - Get BT3 and Burn the Image:

Download Backtrack 3 from Remote-exploit.org. You’ll need to download the bt3-final.iso image. You can also use the USB version, bt3final_usb.iso which includes some extra tools, but we won’t be using them here.

Burn the ISO image to a CD or DVD. You won’t need to make any changes. I won’t go into specifics of how to burn an ISO here. If you don’t have the vaguest idea how to do this, then it’s highly likely that “cracking WEP” is definitely not for you. However, for those of you who think you can figure it out on your own, I have used CDBurnerXP. It’s open-source and simple to use, so that’s good.

Alternatively, you can image a thumbdrive with the ISO. That’ll be MUCH faster than the optical drive at any rate.

Step 2 - Boot BackTrack 3:

Throw the Backtrack 3 disc into your laptop or desktop (I haven’t tested this on a desktop, but I’m sure the steps are the same), set your BIOS to boot from your optical drive, and BOOT! You’ll get a prompt asking how to boot into Backtrack 3. You should boot using the KDE method. If you have weird display issues, you can try the VESA boot method. At any rate, one of these should work. Once you’ve become an elite hackmaster, and have memorized this process, you can use the command console.

Step 3 - Find your Adapter Name:

Open a linux command console (the little black monitor icon next to the KDE icon, where the Start menu would be) and type:

iwconfig

This will tell you what wireless adapter to use, usually eth0 or ath1. Something like that.

Step 4 - Open up Wireshark and View data!:

Yep. You’re already done. In fact, if you already knew your adapter name, and already had this disc burned, you’d be capturing unencrypted wireless traffic in less than 5 minutes.

Navigate to the KDE Icon (again, where the start menu would be). KDE > BackTrack > Privilege Escalation > Sniffers > WireShark

Navigate to Capture > Interfaces…

Select the Start button next to your adapter.

Wireshark will immediately begin capturing data packets through your wireless radio, from any network within range. Both encrypted and unencrypted packets will be captured. For this reason I recommend you filter your results in Wireshark by TCP or UDP traffic.

You can view clear text instant messages (MSN Messenger sends in clear text), emails over POP or SMTP that aren’t encrypted, and almost all web traffic that isn’t going over an SSL socket.

It’s really that easy. There is NOTHING to it! In fact, I bet a lot of those hotels have a creepy IT guy that set up his laptop in the basement to record ALL the traffic pushed through the hotel network, just to get his jollies.

Think of this the next time you think no one is watching. It’s far too easy to view unencrypted traffic, and well worth the time for people with less than honorable intentions. Don’t fall for the trap. If it’s not secured, it’s not for you.

Next step? Cracking WEP.

Cracking WEP with BackTrack 3 - Step by Step instructions

This tutorial will show you, in explanatory detail, how to Break or crack WEP encryption using a simple linux-based security suite titled BackTrack 3. You don’t even need linux! A free, downloadable CD ISO image will do all the work for you! The steps outlined here have been tested for clarity in a controlled, legal home networking environment, and work great.

What you need:

  1. A Computer (laptop) with a CD-ROM Drive and a wireless adapter (Preferably not USB)
  2. The ability to burn ISO images to CD or DVD
  3. A copy of BackTrack 3 Security Suite from Remote-exploit.org

Brief Background:

BackTrack 3 is a legal and mostly open-source security suite designed by security experts in the computer and software industry. Its creation is intended as both an educational tool, and as a toolbox for network administrators who wish to secure a private or corporate network, or to test a ‘secured’ network. When searching for it, you’ll often see it titled as BackTrack3 or Backtrack 3. 3 is the version number, and will change with time.

As I’m sure you’re now well aware, WEP is a first generation wireless encryption technology that was used to provide basic security to users utilizing 802.11 wireless on their portable computers or devices. It was soon found to be extremely vulnerable to hacking attempts, and has since been replaced by the much more robust WPA technologies.

Common Shortcut terminology (Important):

Throughout this post, I’ll be referring to ID’s, names, and addresses unique to your configuration. Look for these in italics and replace them with values you’ve collected throughout the tutorial. Although I will always show the # in front of the values, never include it in the actual command.

  • #SSID - Target SSID (ex: linksys)
  • #BSSID - Target BSSID (ex: 2D:3F:33:45:56:53)
  • #Channel - Target Channel (ex: 8)
  • #adapter - Your adapter (ex: ath0 or eth1)

Step 1 - Get BT3 and Burn the Image:

Download Backtrack 3 from Remote-exploit.org. You’ll need to download the bt3-final.iso image. You can also use the USB version, bt3final_usb.iso which includes some extra tools, but we won’t be using them here.

Burn the ISO image to a CD or DVD. You won’t need to make any changes. I won’t go into specifics of how to burn an ISO here. If you don’t have the vaguest idea how to do this, then it’s highly likely that “cracking WEP” is definitely not for you. However, for those of you who think you can figure it out on your own, I have used CDBurnerXP. It’s open-source and simple to use, so that’s good.

Alternatively, you can image a thumbdrive with the ISO. That’ll be MUCH faster than the optical drive at any rate.

Step 2 - Boot BackTrack 3:

Throw the Backtrack 3 disc into your laptop or desktop (I haven’t tested this on a desktop, but I’m sure the steps are the same), set your BIOS to boot from your optical drive, and BOOT! You’ll get a prompt asking how to boot into Backtrack 3. You should boot using the KDE method. If you have weird display issues, you can try the VESA boot method. At any rate, one of these should work. Once you’ve become an elite hackmaster, and have memorized this process, you can use the command console.

Step 3 - Obtain your target:

Now is where we get to the fun part. We need to know which router, or Access Point, we intend on attacking.

First we’re going to use KISMET. Kismet is a graphical 802.11 locator. It will show detailed information about all the wireless networks and devices that are being picked up by your wireless adapter.

To use kismet, head to your KDE Menu (Where a Windows Startmenu would be). Then navigate to:

Backtrack 3 > Radio Network Analysis > 80211 > Analyser > Kismet

Wireless Networks will begin to appear in Kismet as it begins to gather and analyze radio packets. These are all the wireless networks in your neighborhood or general area. You can see there is a wealth of information here. From this point, we’ll need to use the keyboard, so get rid of your mouse.

We need to sort our data, so while in the kismet window, hit the “s” key and then “w” for WEP. This will sort all of the wireless networks by their WEP encryption. You’ll see everything is reordered and sorted via the ‘w’ column.

Once you’ve determined your target, you can use your keyboard arrow keys to navigate to your target, and hit enter. You’ll need some of the information on the new screen. You can write it down, or you can use kedit by going to IDE > Editors > Kedit. This works like Windows Notepad, so you can cut and paste at your leisure.

You’ll need the following information:

  • SSID
  • BSSID
  • Channel

The SSID is essentially the friendly wireless name you see all the time. The BSSID is the MAC address, or unique hardware address, of the AP or router.

Exit Kismet with “CNTRL-Q”. Note the Capital Q.

Step 4 - Get system ready to record:

Now the fun part. We need to get your computer ready to record all the radio packets you want to capture, so you can analyze them later. Down by the KDE start menu, you’ll see a little Black Monitor which will bring up a command console. We’ll be using these a lot, so just remember where it is.

Launch a new command window and enter the following:

airmon-ng

This will tell us how many adapters we have running. Stop everything that is running:

airmon-ng stop #adapter

Repeat the above command for every adapter listed from the airmon-ng command.

Now we have no running adapters, or virtual adapters. Essentially, anything Kismet started to capture radio packets has been turned off. On some laptops the above steps were absolutely essential, on other laptops, not so much.

Start your adapter, capture only the channel that your target AP is broadcast on. We got this information above:

airmon-ng start #adapter #channel

Run airmon-ng one more time to see what your new adapter is named. You’ll want to keep this in mind as your adapter from here on out.

Step 5 - Recording packets:

We’re going to be gathering radio packets from your target router (AP) but we haven’t started recording them yet. Obviously if we don’t record, we won’t be able to analyze them, so let’s start recording them now:

airodump-ng #adapter -w /hackme --channel #channel --ivs

We’ve now begun recording all data packets on your channel and started writing them to a hackme file located in the linux root, or /. For those of you really curious, the --ivs tells it to record only authentication data packets, which is the heart of WEP exploitation.

Leave this recording in this console window. It will remain open for the remainder of this insane adventure.

Step 6 - AP association:

Now that we’re recording data, we need to do kind of a handshake with your target WEP router. You see, when WEP computers and routers talk to one another, they initiate their conversation with a little handshake or hello. This comes before authentication ever happens. If you try to do some authentication (step 7) without this hello, your target AP will simply ignore the authentication, because, like most people, there’s no sense in talking to some jerk who won’t even say hello.

To associate your laptop with your access point, run the following command:

aireplay-ng -1 0 -e #SSID -a #bssid #adapter

This is absolutely critical. Your return should try a couple of authentication requests, and then return “Association successful :-)”. If it does not, you’re not going to be able to do packet injection (step 7). If you don’t get a friendly return, you can try this:

aireplay-ng --test

If you get a return indicating that Packet Injection should be possible, try another AP. You can also try getting physically closer to your target. Association and injection are difficult from distances, and may not work at all. I won’t go into deep troubleshooting of association at this point.

If for some terrible reason, your computer is not capable of association, don’t fret. You won’t be able to do packet injection though, which means the process of collecting packets will take MUCH longer. Skip steps 7 & 8 if you can’t associate, but be advised it will likely take you hours if not days to collect enough packets to crack WEP. That’s why injection is so useful.

Once you’ve associated successfully, continue on to the next step!

Step 7 - Packet Injection:

In step 6, we said hello to the AP. The target AP or router is now aware of us. It knows we exist, and won’t be surprised when we try to shake hands and authenticate with the network (Send a WEP key, authenticate, and get online to surf the web). This is where a major exploit becomes possible.

With every IVS packet we receive (the packets sent from the AP when we try to authenticate) we come closer to cracking WEP. The best way to get hundreds of thousands of packets is to repeatedly try to authenticate with the AP or router. This process is known as packet injection. We’re injecting authentication packets repeatedly into the target AP, and forcing it to send us data back telling us “OMG! You’re sending me the wrong AUTH DATA! NOOB!”. What’s funny about it is that with every “wrong WEP Key. Try again!” message it sends, we’re getting closer to the packets needed to mathematically break down WEP and help ourselves to the target AP.

To begin injection, do this (You can reuse the window created in step 6 if Authentication was successful):

aireplay-ng -3 -b #bssid #adapter

This will send thousands of fake authentication requests. This process doesn’t end, and will continue to send until you’ve manually stopped it using CNTRL-C or close the window. Keep in mind, there is no reason to stop it until we’ve received the WEP key.

You’ll see your IVS packet count going higher and higher, likely incredibly quickly. Meaning, hundreds every few minutes.

After you’ve collected between 300,000 (300k) and 500,000 (500k) IVS data packets, you can move on to the next step.

If you’re not collecting IVS packets, you can open a new command console and rerun step 6 while step 7 is still running in another window. If you do this, you’ll notice that your ARP packet count begins to go up with every connection attempt in the other window.

If you can’t collect IVS packets, you’ll never get a WEP key. If your IVS count isn’t going up, your whole process is hosed. Figure out where the kink is, and try again.

Step 8 - Breaking the WEP key:

Okay, you’ve made it! You’ve collected at least 300k IVS keys. If you haven’t, but you have at least 100, you can try this step anyway. It’ll be fun.

Now that we have all this recorded IVS packet information, we can crack the WEP key in a matter of moments. Run this command:

aircrack-ng -s /hackme-01.ivs

Now select the number that corresponds to your target Access Point, or ssid. The screen will flash with a bunch of crazy, matrix looking numbers, and in 5 seconds or less will actually give you your broken WEP key.

If it doesn’t return a WEP key practically immediately, just exit (CNTRL-C) and wait a few more minutes. Eventually, you’ll have enough IVS packets to break the WEP key in literally just a few seconds.

Congratulations! You’re done!

I was one of the poor saps who couldn’t associate, or do packet injection. Do I still have a chance?

Yes! IVS packets are the whole key to successfully using aircrack to break a WEP key. If your attempts at packet injection have failed, or you can’t associate (which forces injection to fail by default) then obviously, it becomes much harder to crack WEP. But you can still do it. Just record (Step 5) IVS information until you’ve built up enough packets by watching OTHER computers connecting to the AP. The more legitimate devices connecting to the AP, the better chance you have at getting enough IVS data without waiting for a lifetime. If your AP has 2 or 3 laptops connecting to it every few hours, you can leave your computer capturing IVS information for a couple of days, and still break the WEP key using Step 8.

Why can’t I crack WEP in Windows? I’ve looked everywhere, and there just isn’t a tutorial!

You can thank most Windows hardware vendors for that. The ability to snoop IVS packets comes from a wireless card’s ability to enter promiscuous mode, monitor mode, or rfmon mode. This allows a wireless card to capture all data packets, headers and all. Unfortunately, most Windows drivers, with the exception of a few custom hardware solutions (AirPcap), don’t allow you to put your wireless card into this kind of mode. It’s not necessarily intentional. The likely explanation is that they simply didn’t realize Windows users would like this functionality. Heaven forbid someone desire to use Windows hardware for something other than it was intended for.

So the linux community, like in many situations, simply wrote custom drivers to work with hardware, and put it into promiscuous mode. No one has yet done this with Windows.

There are some, very limited wireless cards out there that will go into rfmon mode without much effort, but my friend, I have to tell you, you probably don’t have one of those cards.

So for now, just continue to boot off of BackTrack 3 and have it do all the work for you!
