07-22-2006, 06:31 AM | #1 |
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Sniffing the iDS connection
07-22-2006, 06:51 AM | #2 | |
Addict
Posts: 302
Karma: 116
Join Date: May 2006
Device: Iliad, dude!
Quote:
07-22-2006, 06:58 AM | #3 |
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
True, it wouldn't help to fix a dead iLiad (for that we'd probably need to find out how to boot the iRex connected via USB and LAN to some BootP/TFTP server).
But if you capture the iDS connection, you might find out other interesting things. For instance, what data exactly is being transferred to the server. Or, what do the flash file(s) look like? By capturing the flash file(s), one could find out the structure of the flash - and then we could perhaps dissect it and write custom flash files.
08-08-2006, 09:54 AM | #4 |
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
I also posted this elsewhere in this forum, but in case someone is looking for specific information on how to sniff the traffic from your iLiad, here is the info again:
Let's assume:
Then use the following Ettercap command line to log all traffic between your router and the iLiad:
Code:
ettercap -Tq -L /tmp/logfile.log -M arp:remote /192.168.0.1/ /192.168.0.10/
Last edited by TadW; 08-15-2006 at 12:59 PM. Reason: added quiet mode switch -q
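The command above works by ARP-cache poisoning: the sniffing PC tells the iLiad that it is the router and tells the router that it is the iLiad, so both sides send their frames to it. If you want to notice when something like that is happening on your own LAN, the same trick leaves a clear footprint in ARP traffic. The following is an added example written for this thread (it is not code from the posts above or from Ettercap). It assumes the router is 192.168.0.1 and the iLiad is 192.168.0.10, as in the command; the sniffing PC at 192.168.0.20, all MAC addresses and the sequence of ARP replies are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply ("IP x is at MAC y") as seen by a passive listener on the LAN."""
    ts: int          # seconds since capture start (constructed)
    sender_ip: str   # IP address the sender claims to own
    sender_mac: str  # hardware address it wants associated with that IP


def detect_arp_poisoning(replies, watched_ips=frozenset()):
    """Walk ARP replies in order and return a list of alert tuples.

    Two signals are used:
      * "mac-changed": an IP already seen is now announced by a different MAC
        (the cache rewrite that an arp:remote poison causes on both sides).
      * "mac-claims-multiple": one MAC announces more than one IP and at least
        one of them is a watched address (router or target). That is the shape
        of a bidirectional poison: the same MAC claims gateway and victim.
    Alert shapes: ("mac-changed", ip, old_mac, new_mac)
                  ("mac-claims-multiple", mac, (ip, ip, ...))
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in replies:
        previous = ip_to_mac.get(r.sender_ip)
        if previous is not None and previous != r.sender_mac:
            alerts.append(("mac-changed", r.sender_ip, previous, r.sender_mac))
        ip_to_mac[r.sender_ip] = r.sender_mac

        claimed = mac_to_ips[r.sender_mac]
        newly_claimed = r.sender_ip not in claimed   # only alert when the set grows
        claimed.add(r.sender_ip)
        if newly_claimed and len(claimed) > 1 and watched_ips & claimed:
            alerts.append(("mac-claims-multiple", r.sender_mac, tuple(sorted(claimed))))
    return alerts


# Constructed sample capture. Router and iLiad addresses follow the thread; the
# sniffing PC at .20 is an assumption and every MAC address below is made up.
ROUTER, ILIAD, SNIFFER = "192.168.0.1", "192.168.0.10", "192.168.0.20"
SAMPLE_REPLIES = [
    ArpReply(1, ROUTER, "aa:aa:aa:aa:aa:01"),   # ordinary ARP traffic at start
    ArpReply(2, ILIAD, "bb:bb:bb:bb:bb:10"),
    ArpReply(3, SNIFFER, "cc:cc:cc:cc:cc:20"),
    ArpReply(10, ROUTER, "cc:cc:cc:cc:cc:20"),  # sniffer tells the iLiad "the router is me"
    ArpReply(10, ILIAD, "cc:cc:cc:cc:cc:20"),   # ... and tells the router "the iLiad is me"
    ArpReply(11, ROUTER, "cc:cc:cc:cc:cc:20"),  # periodic re-poison, nothing new to report
]


def run_sample():
    """Run the detector over the constructed capture, watching router and iLiad."""
    return detect_arp_poisoning(SAMPLE_REPLIES, frozenset({ROUTER, ILIAD}))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data this reports the router and iLiad entries being taken over by the .20 MAC, and that MAC claiming both watched addresses. A "mac-changed" alert on its own can also come from a DHCP lease moving to another device or a replaced router, so the "mac-claims-multiple" signal is the one worth paging on. On a real LAN you would feed the detector ARP replies from a capture tool instead of the constructed list, and it only sees the segment it is attached to.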
08-08-2006, 12:04 PM | #5 | |
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Then the 2.5 update did the designed update method, running from the script in /old-root (the initial run). This script runs instead of "init" when the machine starts up, and then it chroots and switches into init. The script checks for the presence of files in the update directories and for the raising of a pair of flags somewhere in the hardware.
08-09-2006, 05:04 AM | #6 |
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
SSL MITM Attack of iLiad reader
Requirement: OpenSSL libraries to support SSL and TLS
To sniff an HTTPS connection with Ettercap, we must set up two separate SSL tunnels. Essentially we first ARP poison the iLiad and the gateway (as described earlier), then intercept the iLiad's SSL request, and present it with our own certificate. When the iLiad accepts the certificate, Ettercap establishes an SSL tunnel from the device to itself, masquerading as the iDS server. It then establishes a second SSL tunnel to the real web server, with itself as the SSL client.
08-09-2006, 05:34 AM | #7 |
Groupie
Posts: 197
Karma: 16
Join Date: Apr 2006
Device: irex iliad, uk Kindle gen3
Would the iLiad see the cert as coming from iRex?
The MITM attacks I've seen depended on the victim accepting the certificate without properly checking it. I tried an SSL proxy program but the iLiad wouldn't accept the certificate.
Last edited by deadite66; 08-09-2006 at 06:24 AM.
08-09-2006, 09:51 AM | #8 |
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Yeah, it would see it as coming from iRex. Why don't you test it by sniffing another PC and then running an HTTPS site. You will get a message that the certificate is not valid (because our fake is not signed e.g. by Thawte), but if you look at the details of the certificate, you see it's the one that's originally coming from the server. If you want to make the attack perfectly indistinguishable, you'd have to use a signed certificate.
I don't exactly know how you tried an SSL proxy program on the iLiad.
08-09-2006, 05:31 PM | #9 |
Groupie
Posts: 197
Karma: 16
Join Date: Apr 2006
Device: irex iliad, uk Kindle gen3
Did you get my PM, TadW?
Ettercap only picked up UDP traffic.
08-10-2006, 04:04 AM | #10 |
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
I PMed you back. You must make sure to give Ettercap root privileges, or it won't be able to tune your firewall for the necessary forwarding rules. See point 2 above.
08-10-2006, 04:17 AM | #11 |
Groupie
Posts: 197
Karma: 16
Join Date: Apr 2006
Device: irex iliad, uk Kindle gen3
Arggg, I made some changes but the forums won't let me post them.
"server made a boo boo" error :/ hmm, ok, will have to do it this way. http://ghostpilot.dyndns.org/etterlog.txt
Last edited by deadite66; 08-10-2006 at 04:21 AM.
08-10-2006, 08:02 AM | #12 | |
Fully Converged
Posts: 18,170
Karma: 14021202
Join Date: Oct 2002
Location: Switzerland
Device: Too many to count here.
Quote:
08-10-2006, 08:11 AM | #13 |
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
deadite66, any news?
08-10-2006, 05:37 PM | #14 |
Groupie
Posts: 197
Karma: 16
Join Date: Apr 2006
Device: irex iliad, uk Kindle gen3
Only this http://ghostpilot.dyndns.org/etterlog.txt so far; well, I seem to have sniffed the time sync from the iDS.
08-11-2006, 03:32 AM | #15 |
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
Looks very good to me. Hope the instruction was a bit useful, too.
Now it's getting more interesting to see what's going on when you e.g. update the device. You could easily catch the entire content of the update and save it to an external file.