[HN Gopher] Operation Luigi: How I hacked my friend without her ...
___________________________________________________________________
Operation Luigi: How I hacked my friend without her noticing (2017)
Author : mfbx9da4
Score : 174 points
Date : 2023-02-01 13:52 UTC (9 hours ago)
(HTM) web link (mango.pdf.zone)
(TXT) w3m dump (mango.pdf.zone)
| spicyramen_ wrote:
| Good one
| vhcr wrote:
| In what world is the author living that "Physically go to the
| same place as her, connect to the same WiFi, and steal her
| browser session" would work?
| Logans_Run wrote:
| Perhaps in the world where you (the red-teamer) set up your
| phone and/or laptop as an unencrypted/open wifi hotspot access
| point and then follow them (the blue-teamer) to their favorite
| coffee spot / burger bar / etc?
|
| If I recall correctly even current phones will connect to open
| wi-fi spots preferentially and/or automatically. Bingo, job
| MITM done! Bonus points for having a tool on the red-teamers'
| laptop that can send wi-fi de-auth packets :)
|
| That would be the first thing I would look into to see if it
| is still do-able today if the problem was 'hmmmmm. Given the
| parameters, how could I MITM the blue-teamer?'
|
| I'm sure that others can come up with even wilder ideas
| involving can-tennas or bird-dogging the blue-teamer into an
| elevator with a 'running useful and interesting stuff' laptop
| in a backpack and wait for the blue-teamers' cell phone to
| start reaching out desperately for a way to remain connected
| (cell tower, wifi, 2G cell signal etc) either of which might
| work
| runnerup wrote:
| With HTTPS a lot of this doesn't work anymore. You generally
| need to install a MITM certificate on the target device so
| that it doesn't say "HEY EVERY WEBSITE YOU VISIT HAS A
| CERTIFICATE ISSUE!" and fail to load unless you find an
| esoteric button/link/series of clicks that lets you load the
| insecure page.
| ospray wrote:
| As a pen tester this ^, controlling the network doesn't
| help for browser stuff. The fastest way is usually
| phishing.
| moffkalast wrote:
| Living back in the ancient world of 2017. I think they still
| had CRTs back then.
| 4gotunameagain wrote:
| presumably part of the challenge was to do it without using
| already known information, as he probably already had her email
| and phone number but still looked for them
| vhcr wrote:
| What I mean is that stealing cookies over Wi-Fi hasn't been a
| thing for a long time because of HTTPS.
| Logans_Run wrote:
| Ah. I see what you mean now. Ignore what I said above but
| will leave it up for context.
| 4gotunameagain wrote:
| ah sorry, didn't understand it correctly. sslstrip used to
| be a thing, is it still? I haven't been in touch with the
| status quo
| [deleted]
| Taywee wrote:
| sslstrip doesn't crack ssl, it MitMs non-ssl HTTP
| responses to switch https to MitM http addresses.
|
| If you start on HTTPS and never access plain HTTP
| resources, it's powerless, otherwise there would be no
| way to be safe on a public network at all.
| cmeacham98 wrote:
| I just typed catb.org (random website I know only serves
| HTTP) into Chrome's address bar and it landed me on the
| HTTP version, no warnings or anything. I assume Firefox
| works the same, but I can't be bothered to disable
| HTTPS-only mode.
|
| sslstrip will still work today on any website that
| doesn't use HSTS. It will work for the first ever visit
| (by that browser) of a website that uses HSTS if they
| aren't on the preload list. A surprising number of
| websites have neither.
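The two comments above (Taywee's point that sslstrip only rewrites plain-HTTP traffic, and cmeacham98's point that HSTS closes that window except on a first visit to a non-preloaded site) can be checked against a small model of how a browser treats the Strict-Transport-Security header. This is an added example, not code from the thread or from sslstrip; the header values in it are constructed, and the preload criteria are the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload).

```python
"""Model how a browser treats a Strict-Transport-Security (HSTS) header.

Added example, not code from the thread. The header values at the bottom
are constructed. Preload criteria follow the hstspreload.org requirements
(max-age of at least one year, includeSubDomains, preload).
"""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse an HSTS header value.

    Returns None when the header is missing or unusable (RFC 6797 makes
    max-age mandatory; a browser ignores the header without it).
    """
    if not header:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None or max_age < 0:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_eligible(policy: Optional[HstsPolicy]) -> bool:
    """True when the policy meets the preload-list submission requirements."""
    return (policy is not None and policy.max_age >= ONE_YEAR
            and policy.include_subdomains and policy.preload)


def http_request_upgraded(policy: Optional[HstsPolicy],
                          first_visit: bool, preloaded: bool) -> bool:
    """Would a plain http:// navigation to the host be rewritten to https://?

    preloaded   - the host ships in the browser's preload list: always upgraded.
    first_visit - the browser has never seen the host's policy: nothing to
                  enforce yet, which is the window an HTTP downgrade relies on.
    otherwise   - upgraded only while a cached policy with max-age > 0 exists.
    """
    if preloaded:
        return True
    if first_visit:
        return False
    return policy is not None and policy.max_age > 0


def assess(header: Optional[str], first_visit: bool = False,
           preloaded: bool = False) -> dict:
    """Summarise one host's exposure for a report."""
    policy = parse_hsts(header)
    upgraded = http_request_upgraded(policy, first_visit, preloaded)
    return {
        "policy": policy,
        "preload_eligible": preload_eligible(policy),
        "http_upgraded": upgraded,
        "downgrade_exposed": not upgraded,
    }


if __name__ == "__main__":
    # Constructed cases, not measurements of any real site.
    cases = [
        ("no HSTS header", None, False, False),
        ("short max-age, revisit", "max-age=300", False, False),
        ("full policy, first visit", "max-age=31536000; includeSubDomains; preload", True, False),
        ("full policy, preloaded", "max-age=31536000; includeSubDomains; preload", True, True),
    ]
    for label, header, first, pre in cases:
        result = assess(header, first, pre)
        print(f"{label:28} upgraded={result['http_upgraded']!s:5} "
              f"preload_eligible={result['preload_eligible']}")
```

The "first visit" case is the one cmeacham98 describes: a correct header does nothing until the browser has cached it, so only preloading removes the gap. A site operator can run assess() over its own response headers to see which hosts are still in that state.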
| Taywee wrote:
| That's assuming the average internet user types a url
| into their address bar instead of using their browser's
| "new tab page" with recent sites (all probably HTTPS) and
| finding non-history pages through a search engine that
| will be HTTPS by default and point mostly to HTTPS
| endpoints.
|
| So yes, you can catch a subset of users who type new urls
| into their address bar, but that's a minority of people a
| minority of the time.
| itsthecourier wrote:
| That's why you should always use AP isolation in your router.
| Protecting yourself from ARP spoofing
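Where AP isolation is not available, the host-side counterpart to the advice above is watching the ARP table for the symptom of poisoning: an IP address (the gateway's especially) whose MAC address suddenly changes, or one MAC answering for several IPs. The detector below is an added example, not code from the thread; the gateway address and the list of observed ARP replies are constructed.

```python
"""Host-side detection of ARP cache poisoning from observed ARP replies.

Added example, not from the thread. AP (client) isolation stops stations on
the same Wi-Fi from reaching each other directly, which is what ARP spoofing
needs; where that is not available, watching for an IP whose MAC suddenly
changes is the usual detection. The replies and gateway address below are
constructed for the example.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed gateway of the constructed LAN

# (time, sender IP, sender MAC) as seen in ARP replies -- constructed
SAMPLE_ARP_REPLIES = [
    ("13:50:00", "192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("13:50:05", "192.168.1.20", "aa:bb:cc:00:00:20"),
    ("13:50:09", "192.168.1.21", "aa:bb:cc:00:00:21"),
    ("13:51:00", "192.168.1.1",  "aa:bb:cc:00:00:21"),  # gateway IP claimed by .21's MAC
    ("13:51:01", "192.168.1.1",  "aa:bb:cc:00:00:21"),  # repeat, should not re-alert
    ("13:51:02", "192.168.1.20", "aa:bb:cc:00:00:21"),  # .20 claimed by the same MAC
]


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP):
    """Return alerts for IP->MAC changes and for one MAC claiming several IPs.

    Severity is 'high' when the gateway's IP is the one being re-mapped,
    since that is what lets a peer sit between the victim and the router.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({
                "ts": ts, "type": "mac_changed", "ip": ip,
                "old_mac": previous, "new_mac": mac,
                "severity": "high" if ip == gateway_ip else "medium",
            })
        ip_to_mac[ip] = mac
        newly_claimed = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if newly_claimed and len(mac_to_ips[mac]) > 1:
            alerts.append({
                "ts": ts, "type": "mac_claims_multiple_ips", "mac": mac,
                "ips": sorted(mac_to_ips[mac]),
                "severity": "high" if gateway_ip in mac_to_ips[mac] else "low",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

A legitimate MAC change (DHCP handing an address to a new device, a replaced NIC) trips the same rule, so in practice the first signal is weighted by whether the gateway is involved and whether the new MAC already owns other addresses, which is what the severity field does here.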
| sublinear wrote:
| Good thing multifactor auth is the norm today?
| moffkalast wrote:
| Passwords feel more like extra usernames these days with 2FA.
|
| Why bother changing them when hashes will be leaked immediately
| by the incompetent idiots at <insert this week's big company
| that had data stolen yet again>.
| sublinear wrote:
| To avoid getting hit by an MFA fatigue attack. Passwords are
| still not obsolete.
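The MFA fatigue attack mentioned above shows up in authentication logs as a burst of push prompts to one user, typically a run of denials ending in an approval. The detector below, an added example rather than code from the thread, raises both signals over a constructed log; the log format, user names and addresses are all made up for the example.

```python
"""Detect MFA push-fatigue patterns in authentication logs.

Added example, not code from the thread. A push-fatigue attack is a burst
of approval prompts sent to one user until one is accepted, so the two
signals below are a burst of prompts per user and an approval that follows
a run of denials. The log format and the lines in SAMPLE_LOG are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
PROMPT_THRESHOLD = 5   # prompts to one user inside WINDOW that raise an alert
DENIAL_THRESHOLD = 3   # denials before an approval that raise an alert

SAMPLE_LOG = """\
2023-02-01T13:50:01Z user=alice event=push_prompt result=denied src=203.0.113.7
2023-02-01T13:50:40Z user=alice event=push_prompt result=denied src=203.0.113.7
2023-02-01T13:51:15Z user=alice event=push_prompt result=denied src=203.0.113.7
2023-02-01T13:52:02Z user=bob event=push_prompt result=approved src=198.51.100.9
2023-02-01T13:52:30Z user=alice event=push_prompt result=denied src=203.0.113.7
2023-02-01T13:53:11Z user=alice event=push_prompt result=denied src=203.0.113.7
2023-02-01T13:53:12Z user=alice event=login result=failed src=203.0.113.7
2023-02-01T13:54:48Z user=alice event=push_prompt result=approved src=203.0.113.7
"""


def parse_line(line):
    """'<ISO timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def detect_push_fatigue(lines):
    """Return (user, alert_type, timestamp) tuples in log order."""
    alerts = []
    recent_prompts = defaultdict(deque)   # user -> prompt times inside WINDOW
    consecutive_denials = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        record = parse_line(line)
        if record.get("event") != "push_prompt":
            continue
        user, ts = record["user"], record["ts"]
        window = recent_prompts[user]
        window.append(ts)
        while ts - window[0] > WINDOW:   # drop prompts older than the window
            window.popleft()
        if len(window) == PROMPT_THRESHOLD:   # fires once as the threshold is crossed
            alerts.append((user, "prompt_burst", ts))
        if record.get("result") == "denied":
            consecutive_denials[user] += 1
        elif record.get("result") == "approved":
            if consecutive_denials[user] >= DENIAL_THRESHOLD:
                alerts.append((user, "approved_after_denials", ts))
            consecutive_denials[user] = 0
    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {user}: {kind}")
```

The second signal is the one worth paging on: a burst alone may be a user fumbling their phone, but an approval after several denials from the same source is the pattern number matching and prompt rate limits are meant to remove.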
| moffkalast wrote:
| I don't think those work with today's code generators,
| since nothing is ever sent to the user. SMS and other types
| of 2FA should hopefully be obsolete soon.
| MSFT_Edging wrote:
| maybe on this forum it is.
|
| I'm sure there's tons of folks who just click "maybe later" and
| forget entirely.
| ChrisArchitect wrote:
| Discussions
|
| _4 years ago_ https://news.ycombinator.com/item?id=18391120
|
| _6 years ago_ https://news.ycombinator.com/item?id=14919845
| jancsika wrote:
| > Set her password to qwerty1
|
| I feel like this may break the rule about not interrupting her
| daily life.
|
| Since the other easy password documented in the article wasn't
| her current one, it is at least possible that she had chosen a
| more difficult password as her current one. Downgrading from her
| current password back to the old easy one makes her vulnerable to
| other attackers-- especially if she did not quickly reset it to
| something other than qwerty1.
|
| If it sounds like I'm nitpicking, just imagine that the game was
| "try to hack my old bitcoin and send it around and back." The
| moment the hacker sends to the "qwerty1" address it's going to
| get immediately eaten by some automated script by one of a
| thousand other hackers.
| chennaiexpress wrote:
| [dead]
| bogwog wrote:
| How does this guy not know his friend's phone number?
| gommm wrote:
| I assume he does but he wanted to simulate how a random person
| who doesn't know his friend could get access to her data.
| [deleted]
| jacquesm wrote:
| previously on HN:
|
| https://news.ycombinator.com/item?id=18391120
|
| And many other submissions besides that one.
|
| For instance
|
| https://news.ycombinator.com/item?id=14919845
| dan-g wrote:
| (2017)
|
| A classic story!
| elonmusk11 wrote:
| [flagged]
| EGreg wrote:
| who cares?
| [deleted]
| Beldin wrote:
| Sweet hesus, installing a keylogger on your own system to steal
| passwords from friends who are trying to help you?
|
| And the content doesn't show any awareness of the issue. Perhaps
| it'd be more clear to that poster if one of those friends
| would've used the keyboard access to type "format c:<enter>".
| throwaway045892 wrote:
| I don't see any mention of keylogging in the blog post, did I
| miss it? Or might you be referring to a comment on another HN
| submission of the same post?
| https://news.ycombinator.com/item?id=14921120
| Beldin wrote:
| Sorry, a comment pointed to a previous thread where I saw
| this comment:
|
| https://news.ycombinator.com/item?id=14921120
|
| I intended to reply to that comment, but clearly failed.
| narimoney wrote:
| on Aug 3, 2017
| jacquesm wrote:
| Agreed.
|
| We'd do similar tricks but only between a small group who all
| knew what they'd signed up for. It definitely helped to make
| you more aware of people trying to get into your accounts. To
| the point where someone would have to add a long list of
| disclaimers on sending an innocent link to their holiday
| pictures if they expected you to view them. And there are still
| some people who can't get me to click any link they send me
| (fool me once, etc).
|
| Even so, to do it to unsuspecting people isn't nice at all and
| essentially a breach of trust, especially using a keylogger.
| Even today I'm not going to use someone else's device to do
| anything requiring a login so some of the paranoia lingers, but
| leave your device out of sight for long enough and it might as
| well be somebody else's.
|
| Samy's little tools always impress me, he gets a ton of mileage
| out of this stuff and it is a really good warning to read his
| posts every now and then to get an idea of what a talented
| individual can achieve.
|
| https://samy.pl/poisontap/
___________________________________________________________________
(page generated 2023-02-01 23:01 UTC)