Thursday, February 2, 2012

Learn how to Sniff Wireless Passwords with Pirni (Man in the Middle Attack)

The thing about the iPod Touch and the iPhone is that they are great portable hacking devices. To the naked eye the iPod Touch/iPhone looks like nothing more than an ordinary MP3 player or cellphone, but that appearance understates its full potential. Once your iPod Touch/iPhone is jailbroken you have access to the whole file system, which means applications generally associated with laptop/desktop hacking can be ported to and used on the device. This opens up a whole lot of possibilities for network sniffing, port scanning and much more! In this tutorial we are going to take a look at one of these programs, called Pirni.

What is Pirni?

Pirni is an application that was ported to the iPod Touch/iPhone to be used as a native network sniffer. Pirni is so useful because it gets past a limitation of the iPod Touch's/iPhone's wifi hardware: it cannot be put into promiscuous mode (a mode that allows a network device to intercept and read every packet that arrives, in its entirety). To get past this limitation Pirni comes with an ARP spoofer that routes all the network traffic through your iPod Touch/iPhone, records it to a dump file and then uses packet forwarding to send it on to its normal recipient (i.e. the router). In simpler terms, all the traffic on a specific network comes through your iPod Touch/iPhone before it reaches the router. This means that if you sniff the network long enough, another user connected to the network could enter an unencrypted password, and you could then retrieve that password by looking through your dump file.
[Image: Pirni graph]
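The ARP spoofing described above has a visible footprint on the network: the gateway's IP address suddenly resolves to a different MAC, and one MAC starts answering for several IPs. The following detector is an added example written for this post, not part of the original tutorial or of Pirni; it works over ARP replies you have already decoded (the ArpReply type and all addresses are constructed placeholders), and shows what a host or a monitoring sensor can watch for.

```python
"""ARP spoofing detector over a list of observed ARP replies.

Added example, not part of the original tutorial or of Pirni. The ARP
replies below are constructed by hand and all addresses are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # the IP the sender claims to own
    sender_mac: str  # the MAC it asks everyone to use for that IP


def detect_arp_spoof(replies: List[ArpReply], gateway_ip: str) -> List[str]:
    """Return one alert string per symptom found, in order of discovery.

    Symptom 1: an IP's MAC changes after it was first learned. For the
    gateway IP this is the signature of the MITM described above, so it is
    rated CRITICAL; for any other host it is a WARNING.
    Symptom 2: a single MAC announces itself as the owner of several IPs,
    which is what a host poisoning both sides of a conversation looks like.
    """
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[str] = []
    seen: Set[str] = set()  # dedupe repeated identical alerts

    for r in replies:
        known = ip_to_mac.get(r.sender_ip)
        if known is None:
            ip_to_mac[r.sender_ip] = r.sender_mac
        elif known != r.sender_mac:
            level = "CRITICAL" if r.sender_ip == gateway_ip else "WARNING"
            msg = f"{level}: {r.sender_ip} moved from {known} to {r.sender_mac}"
            if msg not in seen:
                seen.add(msg)
                alerts.append(msg)
        mac_to_ips[r.sender_mac].add(r.sender_ip)

    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(f"WARNING: {mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


# Constructed sample: a normal gateway and one client, then a third MAC
# claiming first the gateway's IP and then the client's IP.
GATEWAY_IP = "192.168.1.1"
BENIGN = [
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply("192.168.1.20", "aa:aa:aa:aa:aa:20"),
]
POISONED = BENIGN + [
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:99"),
    ArpReply("192.168.1.20", "aa:aa:aa:aa:aa:99"),
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:99"),  # poison is usually re-sent
]

if __name__ == "__main__":
    for line in detect_arp_spoof(POISONED, GATEWAY_IP):
        print(line)
```

A legitimate MAC change does happen (a replaced router, a DHCP lease handed to a new device), so treat the gateway alert as something to verify against the router's real MAC rather than as proof by itself; a static ARP entry for the gateway on the client is the simplest mitigation for this particular attack.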

Using Pirni

Pirni does not have a GUI (Graphical User Interface); it requires a program called Terminal to run and be used. Terminal is basically an application that allows you to give your iPod Touch/iPhone simple commands. Below I am going to go through the steps of installing and using Pirni…

**Note: this is a technical tutorial and is not recommended for users new to computers. Please also note that this tutorial is for educational purposes only. It is illegal to sniff a wireless network that is not your own. Use and follow this tutorial at your own risk.

Step 1) - The first thing you need to do is install a program called Mobile Terminal on your iPod Touch/iPhone. This program is available through Cydia, so open up Cydia and type terminal into the search tab. Once you find Mobile Terminal in your search results, install it on your iPod Touch/iPhone.


Step 2) - Once you have installed Terminal, the next application to install is Pirni. Type pirni into the search tab and, once it appears in your search results, click it and install it on your iPod Touch/iPhone. Once Pirni is installed you have everything you need to begin sniffing wireless networks.


Step 3) - Before you launch Terminal and begin sniffing you will need a few pieces of information about your wireless network: the network's IP address and the router's IP address. You can find this information by launching Settings, tapping Wifi, then tapping the arrow next to your wireless network's name. Once you find the information you are looking for, the IP Address and the Router IP Address, write it down on a piece of paper so you remember it.


Step 4) - Now that you have the required information you are ready to begin sniffing with Pirni. The first thing you need to do is open Terminal, so find Terminal on your springboard and tap it to launch it. **Note: Terminal sometimes takes a few tries to actually load. If you tap the Terminal application and it opens and closes, simply tap it again until it fully launches. Once you have Terminal up and running you need to log in as the root user to gain full access to your iPod Touch/iPhone. Type in the following commands; note that they are case sensitive, so copy them exactly as shown…
su
alpine
(alpine is the default root password; if you have not changed your password, use alpine.)


Once you have gained root access continue to step 5…
Step 5) - Once you are logged in as the root user you can begin using Pirni. To start Pirni you need to enter one line of options, replacing the example addresses with your network-specific information.
-s: Specifies the IP address you want to spoof; this is where the Router IP Address goes.
-d: Specifies the target you want to perform the MITM on; this is where the IP Address of your network goes.
-f: Specifies a Berkeley Packet Filter so that Pirni only collects interesting packets. This is very useful if you want to capture only specific traffic, such as FTP, SMTP or HTTP. If no -f option is supplied, all packets are captured.
-o: Specifies the dump file where all the collected packets end up. This is the pcap dump format, which most traffic analyzers can handle.

iphone4s:~ root# more get.sh
pirni -s 192.168.1.1 -o log.pcap
pirni -s 192.168.1.1 -d 192.168.1.189 -f "tcp dst port 80" -o log.pcap
pirni -i en1 -s 192.168.1.1 -d 255.255.255.0 -o log.pcap

iphone4s:~ root# 

Once you enter the commands Pirni will start and begin collecting packets. A packet is a formatted unit of data carried by a packet-mode computer network; for example, every web page you receive arrives as a series of packets, and every e-mail you send leaves as a series of packets. Pirni collects these packets and records them into a readable dump file that can be analyzed later on your computer. For Pirni to collect something interesting you are going to need to visit a website that does not use an SSL-encrypted connection. Leave your iPod Touch or iPhone alone collecting packets, go to a website that doesn't use an SSL-encrypted connection and log in to it. An example of this kind of website is Hawkee.com, which does not use an SSL-encrypted connection while handling logins. If you want to test Pirni to see whether you can capture a password, register an account with Hawkee.com and log in to it while you are sniffing your network. Once you are done sniffing, drag your finger across the screen in a diagonal direction; this stops Pirni correctly. **Note: it is important to close Pirni this way to avoid errors while analyzing your dump file later on.
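The -o option above writes the classic pcap format, and the note about stopping Pirni cleanly is about that file: a capture that is killed mid-write commonly ends in a half-written record, which is what analyzers choke on. The reader/writer below is an added example for this post, not code from the original tutorial or from Pirni; it builds a small pcap from constructed placeholder frames, parses it, and reports whether the file ends in a truncated record while still returning every record that survived.

```python
"""Minimal reader/writer for the classic pcap dump format Pirni writes with -o.

Added example, not part of the original tutorial or of Pirni. The frames are
constructed byte strings, not a real capture; the timestamps are arbitrary.
"""
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution classic pcap
LINKTYPE_ETHERNET = 1
GLOBAL_FMT = "IHHiIII"           # magic, ver major, ver minor, tz, sigfigs, snaplen, linktype
RECORD_FMT = "IIII"              # ts_sec, ts_usec, incl_len (bytes saved), orig_len (on wire)


def build_pcap(frames: List[bytes], snaplen: int = 65535) -> bytes:
    """Write a little-endian pcap file with one record per frame."""
    out = bytearray(struct.pack("<" + GLOBAL_FMT, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<" + RECORD_FMT, 1328140800 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def parse_pcap(data: bytes) -> Tuple[List[bytes], bool]:
    """Return (frames, truncated).

    truncated is True when the file ends in the middle of a record, which is
    what a capture that was killed instead of closed cleanly tends to look
    like. Good records before the damage are still returned, so the caller
    can decide whether to trust the partial capture.
    """
    ghdr_size = struct.calcsize(GLOBAL_FMT)
    if len(data) < ghdr_size:
        raise ValueError("shorter than a pcap global header")
    # Byte order is whatever makes the magic read correctly.
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        order = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        order = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    _, major, minor, _, _, snaplen, _linktype = struct.unpack_from(order + GLOBAL_FMT, data, 0)
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")

    rhdr_size = struct.calcsize(RECORD_FMT)
    frames: List[bytes] = []
    offset = ghdr_size
    truncated = False
    while offset < len(data):
        if offset + rhdr_size > len(data):
            truncated = True                 # partial record header
            break
        _, _, incl_len, _ = struct.unpack_from(order + RECORD_FMT, data, offset)
        offset += rhdr_size
        if incl_len > snaplen or offset + incl_len > len(data):
            truncated = True                 # partial packet body (or corrupt length)
            break
        frames.append(data[offset:offset + incl_len])
        offset += incl_len
    return frames, truncated


# Constructed sample frames (placeholders, not real Ethernet frames).
SAMPLE_FRAMES = [b"frame-one", b"frame-two-is-longer", b"f3"]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    print(parse_pcap(SAMPLE_PCAP))
    print(parse_pcap(SAMPLE_PCAP[:-5]))  # chopped like an unclean shutdown
```

Because the record headers carry their own lengths, a damaged file can still be salvaged up to the last complete record; if a real analyzer refuses a dump, trimming it at the offset where this parser stops is usually enough to open it.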

Analyzing your Dump File

Now that you have sniffed the packets on your network you have to analyze the dump file created by Pirni. To do this you need to get the dump file off your iPod Touch/iPhone using a program called WinSCP, which gives you access to the files on the device. To use it you will need two things: OpenSSH installed on your iPod Touch/iPhone and WinSCP installed on your computer…
Step 1) - Install OpenSSH on your iPod Touch/iPhone by going into Cydia and typing openssh into the search panel. Once you see OpenSSH in the search results, click it and install it. Once OpenSSH has been installed, exit Cydia and continue to step 2…


Step 2) - The next thing you need to do is install a program called WinSCP on your computer. This program lets you take files off your iPod Touch/iPhone through an easy-to-use GUI (Graphical User Interface).

Download WinSCP Here

Once WinSCP has downloaded to your computer, install it by following the installer's steps…
Step 3) - Once WinSCP has finished installing, double-click winscp.exe to launch the program. You will be presented with a window like the one depicted below…
Once you have WinSCP up and running you need to enter some information into it. The first thing to enter is the Host name, which is the IP address shown in Settings on your iPod Touch/iPhone (the address you wrote down earlier, under Settings > Wifi > your network's name). The next thing to enter is the Username, which is always root. The last piece of information is the password; the default, if you haven't changed it, is alpine. If you have changed your password, enter your current password in the password field.
Once you have entered the required information, click the Login button. The first time you log in it can take a while to load; be patient, it can take up to five minutes. The first time you log in you will also get a warning message; simply hit OK. When you have successfully logged in, click the / button in the top right-hand corner of the screen…
Once you click the / button (the root directory shortcut), click the User directory as shown below. This is where Pirni saves all your dump files…
Once you are inside the User directory you should see your log file. Drag the log file to your Desktop and then exit WinSCP; you are done using it. WinSCP is useful whenever you need to access your iPod Touch/iPhone's internal file structure, so now that you know how to use it you can use it any time you want.
Step 4) - Now that your log file has been transferred to your computer, you need to download an application that will analyze the dump file, called Wireshark.

Download Wireshark Here

With Wireshark downloaded to your computer, double-click the setup.exe and install it. When it asks whether you want to install WinPcap, click No, because you will not need that functionality while analyzing your dump file.
Step 5) - Now that Wireshark is installed, double-click the Wireshark icon on your Desktop to start the program. Once the program is up and running you need to open your log file: click the Open button in the middle of the screen and then locate your log file, which should be on your Desktop.
Once you locate your dump file and load it into Wireshark you will see a screen with a bunch of packets displayed. These are all the packets you captured while you were sniffing your network. If you have never seen packets before, all of this information will mean nothing to you and seem confusing. If you research packets a little online they become a lot more interesting; if you are new to this whole thing, though, the search tool will be your friend. Click the magnifying glass at the top of the screen and it will bring up a search window.
When the search window comes up you will be presented with three options: Display Filter, Hex Value and String. Click the String option, type password into the search field and click the Find button. The search tool is a great way to find interesting information in your dump file: it quickly scans through all your packets and finds a match for what you are searching for, which definitely beats looking through hundreds of packets until you find something interesting. You can simply type in keywords that would be of interest to you, like password, username, login or email, and it will try to find a match. **Note: not all dump files will contain interesting information like passwords, usernames etc… It all depends on what the users connected to the network you are sniffing are doing.
Once you click the Find button you will be taken to the packet that contains the password string, or whatever string you typed into the search field. If you look at what is highlighted you can see that you have successfully found the username and password of your Hawkee.com account. If this was performed on an unknown network you would have sniffed a password that you could then do what you want with. Wireshark is a very powerful tool for analyzing packets; if you go to its website you can learn a lot about packets and other analysis techniques not discussed in this tutorial.
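Searching the dump for the string "password" works because the login form above posts its fields over plain HTTP. The same observation is the basis of an audit you can run over your own traffic: flag every request that carries credentials in the clear and fix those endpoints (TLS, or HSTS so the browser never falls back). The script below is an added example for this post, not part of the original tutorial or of Pirni or Wireshark; it takes reassembled TCP payloads (the flows and hostnames are constructed placeholders) and reports the host, path and credential field names involved, deliberately without extracting the values.

```python
"""Flag HTTP requests that carry login credentials in the clear.

Added example, not part of the original tutorial. It reports which endpoints
accept cleartext credentials (host, path, field names) without extracting
the values, which is what you need to decide where TLS is missing. The
request payloads are constructed; the hostnames are placeholders.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "pin"}


def find_cleartext_logins(payloads: List[Tuple[int, bytes]]) -> List[Dict[str, str]]:
    """payloads: (destination port, reassembled TCP payload) pairs.

    Anything that does not parse as an HTTP request (TLS records, binary
    protocols) is skipped, so the function can be pointed at every flow.
    """
    findings: List[Dict[str, str]] = []
    for port, payload in payloads:
        head, sep, body = payload.partition(b"\r\n\r\n")
        if not sep:
            continue  # no HTTP header block: TLS or something else
        lines = head.decode("latin-1").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue  # not an HTTP request line
        method, target = parts[0].upper(), parts[1]
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, colon, value = line.partition(":")
            if colon:
                headers[name.strip().lower()] = value.strip()

        reasons: List[str] = []
        if headers.get("authorization", "").lower().startswith("basic "):
            reasons.append("HTTP Basic authorization header")  # base64 only, not encryption
        ctype = headers.get("content-type", "")
        if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
            fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
            hits = sorted(f for f in fields if f.lower() in CREDENTIAL_FIELDS)
            if hits:
                reasons.append("form fields: " + ", ".join(hits))
        if reasons:
            findings.append({
                "host": headers.get("host", "?"),
                "port": str(port),
                "path": target,
                "issue": "; ".join(reasons),
            })
    return findings


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: forum.example\r\n\r\n"),
    (80, b"POST /login HTTP/1.1\r\nHost: forum.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 36\r\n\r\n"
         b"username=alice&password=example-only"),
    (8080, b"GET /admin/ HTTP/1.1\r\nHost: router.example\r\n"
           b"Authorization: Basic ZGVtbzpkZW1v\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello fragment: opaque, skipped
]

if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_FLOWS):
        print(f"{f['host']}:{f['port']}{f['path']} -> {f['issue']}")
```

Feeding it real flows requires reassembling TCP streams first (Wireshark's Follow TCP Stream does this by hand); the point of the field-name check is that a login over HTTPS never reaches this parser at all, so every finding is an endpoint that still needs TLS.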
As you can see, your iPod Touch or iPhone can be transformed into a powerful password sniffing device. With Pirni you can have a powerful password sniffing program hidden within your iPod Touch/iPhone. You can have your morning coffee at Starbucks while sniffing its wireless network without anyone knowing or suspecting a thing. There are many other useful hacking programs for the iPod Touch/iPhone, and I will write more tutorials for programs like ngrep and tcpdump in the future if there is enough interest. As always, if you require any help with this tutorial please feel free to post your questions/comments in the comments section below.
