You need an SSL certificate.


*Necessary obvious disclaimer: all the following was 100% on my own local network...

Recently I set out to find just how easy it was to read someone's password from the usual web protocol, HTTP, on one of the most popular blogging platforms - WordPress.

The theory is simple: a website served over HTTPS (which is what the SSL certificate is for) encrypts its data in the browser before sending it to the server, while a plain-HTTP website sends it as-is - leaving anything you type into a web form open to be read by any entity in between your browser and the server. Strictly speaking, you don't need a certificate from a trusted authority to get the encryption - a self-signed one and the HTTPS protocol will do (ignoring the browser warnings, of course).

In this case, the entity in between the browser and the server was my computer on the local wifi (LAN) network.


How easy was it?

Ridiculously simple. For WordPress we find the following login form data (the POST body sent to wp-login.php) after playing with the aircrack-ng tools:
... log=admin&pwd=PASSWORD&wp-submit= ...


How was this done - script kiddie style?

This was done using the aircrack-ng suite of wireless security testing tools.

Simply use one computer for attacking, and your phone or second computer as the target: 

1. Run airodump-ng mon0 from the attacking computer (I'll assume you know how to put your wireless card into monitor mode, save the dump to a file - if not, read the man pages)
2. Wait long enough for a handshake (reboot your test computer or use aireplay-ng deauth)
3. Log in to a normal WordPress site on your target computer
4. Run the airodump-ng log through airdecap-ng and search through the output. For example, search for "wp-login.php"
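As an added example (not part of the original post), here is a small Python audit script that does step 4 in a more disciplined way. It assumes the decrypted traffic from airdecap-ng has been exported as plain-text HTTP requests (for instance with Wireshark's "Follow TCP stream"), walks those requests, and reports which hosts and paths received credential fields in a plain-HTTP form POST - without ever printing the password value, so a site owner can use it to list which of their logins go out in the clear. The sample capture is constructed, and the set of credential field names is my assumption; "log" and "pwd" are the WordPress wp-login.php fields seen above.

```python
"""Audit a text dump of decrypted HTTP traffic for credentials sent in the clear.

Added example, not from the original post. It assumes the airdecap-ng output
has been exported as plain-text HTTP requests (e.g. Wireshark "Follow TCP
stream" for each connection). The capture below is constructed, not real.
"""
import re
from urllib.parse import parse_qs

# Form field names treated as credentials. "log" and "pwd" are the
# WordPress wp-login.php fields seen in the post; the rest are common
# generic names (an assumption - extend for the frameworks you run).
CREDENTIAL_FIELDS = {"log", "pwd", "user", "username", "pass", "password", "passwd"}

# Start of an HTTP/1.x request in the dump (CRLF already normalised to LF).
REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$", re.MULTILINE)


def parse_requests(stream_text):
    """Split a text dump into (method, path, headers, body) tuples.

    Each request runs from its request line to the next request line.
    Header names are lower-cased; the body is cut at Content-Length when
    that header is present so trailing stream noise is not parsed as form data.
    """
    text = stream_text.replace("\r\n", "\n")
    starts = list(REQUEST_LINE.finditer(text))
    requests = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        head, _, body = text[m.start():end].partition("\n\n")
        headers = {}
        for line in head.split("\n")[1:]:          # skip the request line
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        length = headers.get("content-length", "")
        if length.isdigit():
            body = body[:int(length)]
        requests.append((m.group(1), m.group(2), headers, body.strip()))
    return requests


def find_cleartext_credentials(stream_text):
    """Return one finding per form POST that carried a credential field.

    Only the host, path and the *names* of the offending fields are
    reported; the values (i.e. the password itself) are deliberately dropped.
    """
    findings = []
    for method, path, headers, body in parse_requests(stream_text):
        if method != "POST":
            continue
        if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
            continue
        fields = parse_qs(body, keep_blank_values=True)
        leaked = sorted(name for name in fields if name.lower() in CREDENTIAL_FIELDS)
        if leaked:
            findings.append({"host": headers.get("host", "?"),
                             "path": path, "fields": leaked})
    return findings


# Constructed sample: a page load, a WordPress login over plain HTTP,
# and an unrelated form POST that must not be flagged.
SAMPLE_CAPTURE = (
    "GET /wp-login.php HTTP/1.1\r\n"
    "Host: blog.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
    "POST /wp-login.php HTTP/1.1\r\n"
    "Host: blog.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 66\r\n"
    "\r\n"
    "log=admin&pwd=PASSWORD&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F\r\n"
    "POST /search HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "q=widgets&page=2\r\n"
)

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"http://{f['host']}{f['path']} sends {', '.join(f['fields'])} in clear text")
```

Run it against your own exported capture and every line it prints is a site that needs HTTPS. For a WordPress site you run yourself, the matching fix on the server side (besides getting the certificate) is `define('FORCE_SSL_ADMIN', true);` in wp-config.php, which makes WordPress refuse to serve the login and admin pages over plain HTTP.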


What does this mean?

Anyone in between your computer and your server can (generally) read your password if your website is not using HTTPS.

Of course, the chances of somebody sniffing your home network are slim to none; however, if you take into account:

1. How often you log into websites each day
2. The route your data takes from A to B - running 'traceroute' will often show 10 - 20 hops (your data may pass through a dozen countries & 20+ servers)
3. Local and remote malware (at any of the above locations)
4. Malicious employees / countries / governments at any of the above locations...
5. Do you reuse the same password in multiple locations?

All of a sudden the risk looks a little larger.


I'll test more web frameworks soon and give a more detailed report. In the meantime, get an SSL certificate.


Sunday, January 24, 2016
