[HN Gopher] Operation Luigi: How I hacked my friend without her noticing (2017)

Operation Luigi: How I hacked my friend without her noticing (2017)
Author : mfbx9da4
Score  : 174 points
Date   : 2023-02-01 13:52 UTC (9 hours ago)
(HTM) web link (mango.pdf.zone)
(TXT) w3m dump (mango.pdf.zone)

| spicyramen_ wrote:
| Good one

| vhcr wrote:
| In what world is the author living that "Physically go to the same place
| as her, connect to the same WiFi, and steal her browser session" would
| work?

| | Logans_Run wrote:
| | Perhaps in the world where you (the red-teamer) set up their phone
| | and/or laptop as an unencrypted/open wifi hotspot access point and then
| | follow them (the blue-teamer) to their favorite coffee spot / burger
| | bar / etc?
| |
| | If I recall correctly even current phones will connect to open wi-fi
| | spots preferentially and/or automatically. Bingo, job MITM done! Bonus
| | points for having a tool on the red-teamer's laptop that can send wi-fi
| | de-auth packets :)
| |
| | That would be the first thing I would look into to see if it is still
| | do-able today if the problem was 'hmmmmm. Given the parameters, how
| | could I MITM the blue-teamer?'
| |
| | I'm sure that others can come up with even wilder ideas involving
| | can-tennas or bird-dogging the blue-teamer into an elevator with a
| | 'running useful and interesting stuff' laptop in a backpack and waiting
| | for the blue-teamer's cell phone to start reaching out desperately for
| | a way to remain connected (cell tower, wifi, 2G cell signal etc), either
| | of which might work

| | | runnerup wrote:
| | | With HTTPS a lot of this doesn't work anymore. You generally need to
| | | install a MITM certificate on the target device so that it doesn't
| | | say "HEY EVERY WEBSITE YOU VISIT HAS A CERTIFICATE ISSUE!" and fail to
| | | load unless you find an esoteric button/link/series of clicks that
| | | lets you load the insecure page.
| | | | ospray wrote:
| | | | As a pen tester, this ^. Controlling the network doesn't help for
| | | | browser stuff. The fastest way is usually phishing.

| | moffkalast wrote:
| | Living back in the ancient world of 2017. I think they still had CRTs
| | back then.

| | 4gotunameagain wrote:
| | Presumably part of the challenge was to do it without using already
| | known information, as he probably already had her email and phone
| | number but still looked for them.

| | | vhcr wrote:
| | | What I mean is that stealing cookies over Wi-Fi hasn't been a thing
| | | for a long time because of HTTPS.

| | | | Logans_Run wrote:
| | | | Ah. I see what you mean now. Ignore what I said above, but I will
| | | | leave it up for context.

| | | | 4gotunameagain wrote:
| | | | Ah sorry, didn't understand it correctly. sslstrip used to be a
| | | | thing, is it still? I haven't been in touch with the status quo.

| | | | | [deleted]

| | | | | Taywee wrote:
| | | | | sslstrip doesn't crack SSL; it MitMs non-SSL HTTP responses to
| | | | | switch https to MitM http addresses.
| | | | |
| | | | | If you start on HTTPS and never access plain HTTP resources, it's
| | | | | powerless, otherwise there would be no way to be safe on a public
| | | | | network at all.

| | | | | | cmeacham98 wrote:
| | | | | | I just typed catb.org (random website I know only serves HTTP)
| | | | | | into Chrome's address bar and it landed me on the HTTP version,
| | | | | | no warnings or anything. I assume Firefox works the same, but I
| | | | | | can't be bothered to disable HTTPS-only mode.
| | | | | |
| | | | | | sslstrip will still work today on any website that doesn't use
| | | | | | HSTS. It will work for the first ever visit (by that browser) of
| | | | | | a website that uses HSTS if they aren't on the preload list. A
| | | | | | surprising number of websites have neither.

| | | | | | | Taywee wrote:
| | | | | | | That's assuming the average internet user types a URL into
| | | | | | | their address bar instead of using their browser's "new tab
| | | | | | | page" with recent sites (all probably HTTPS) and finding
| | | | | | | non-history pages through a search engine that will be HTTPS
| | | | | | | by default and point mostly to HTTPS endpoints.
| | | | | | | So yes, you can catch a subset of users who type new URLs
| | | | | | | into their address bar, but that's a minority of people a
| | | | | | | minority of the time.

| itsthecourier wrote:
| That's why you should always use AP isolation in your router, protecting
| yourself from ARP spoofing.

| sublinear wrote:
| Good thing multifactor auth is the norm today?

| | moffkalast wrote:
| | Passwords feel more like extra usernames these days with 2FA.
| |
| | Why bother changing them when hashes will be leaked immediately by the
| | incompetent idiots at <insert this week's big company that had data
| | stolen yet again>?

| | | sublinear wrote:
| | | To avoid getting hit by an MFA fatigue attack. Passwords are still
| | | not obsolete.

| | | | moffkalast wrote:
| | | | I don't think those work with today's code generators, since
| | | | nothing is ever sent to the user. SMS and other types of 2FA should
| | | | hopefully be obsolete soon.

| | MSFT_Edging wrote:
| | Maybe on this forum it is.
| |
| | I'm sure there's tons of folks who just click "maybe later" and forget
| | entirely.

| ChrisArchitect wrote:
| Discussions
|
| _4 years ago_ https://news.ycombinator.com/item?id=18391120
|
| _6 years ago_ https://news.ycombinator.com/item?id=14919845

| jancsika wrote:
| > Set her password to qwerty1
|
| I feel like this may break the rule about not interrupting her daily
| life.
|
| Since the other easy password documented in the article wasn't her
| current one, it is at least possible that she had chosen a more
| difficult password as her current one. Downgrading from her current
| password back to the old easy one makes her vulnerable to other
| attackers -- especially if she did not quickly reset it to something
| other than qwerty1.
|
| If it sounds like I'm nitpicking, just imagine that the game was "try to
| hack my old bitcoin and send it around and back." The moment the hacker
| sends to the "qwerty1" address it's going to get immediately eaten by
| some automated script by one of a thousand other hackers.
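The sslstrip / HSTS exchange in the subthread above (Taywee and cmeacham98), as an added example that is not part of this thread or of the linked post: a small Python model of a downgrade proxy working against a browser that remembers HSTS policy, consults a preload list, and honours the cookie Secure attribute. The hostnames, the preload set, the sample page and the cookie values are all constructed for the example; nothing here touches a real network.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: a page served over plain HTTP whose links point at
# HTTPS origins. All hostnames are invented for this example.
SAMPLE_HTTP_PAGE = (
    '<a href="https://mail.example.test/login">Mail</a>\n'
    '<a href="https://bank.example.test/">Bank</a>\n'
    '<a href="http://news.example.test/">News</a>\n'
)

# Constructed stand-in for the browser's built-in HSTS preload list.
PRELOADED = {"bank.example.test"}


class DowngradeProxy:
    """sslstrip-style attacker on the victim's network path. It sees only
    plaintext; its trick is to rewrite https:// links in plaintext responses
    to http:// so the victim's next request is also plaintext."""

    def __init__(self):
        self.stripped_hosts = set()
        self.captured = []  # (host, Cookie header) pairs seen in plaintext

    def rewrite(self, html):
        def repl(m):
            self.stripped_hosts.add(m.group(1))
            return "http://" + m.group(1)
        return re.sub(r"https://([A-Za-z0-9.-]+)", repl, html)

    def observe_request(self, host, cookie_header):
        if cookie_header:
            self.captured.append((host, cookie_header))


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # Secure attribute: never sent over plain HTTP


@dataclass
class Browser:
    """The two defenses that decide the outcome: remembered HSTS policy
    (plus the preload list) and the cookie Secure attribute."""
    hsts_hosts: set = field(default_factory=set)
    cookies: dict = field(default_factory=dict)  # host -> [Cookie, ...]

    def receive_hsts(self, host, header):
        # Strict-Transport-Security as received over HTTPS; max-age=0 clears it.
        m = re.search(r"max-age=(\d+)", header or "")
        if m and int(m.group(1)) > 0:
            self.hsts_hosts.add(host)
        elif m:
            self.hsts_hosts.discard(host)

    def effective_scheme(self, url):
        # HSTS upgrades http:// inside the browser before anything hits the
        # wire, so a downgrade proxy never sees these requests at all.
        parts = urlsplit(url)
        if parts.scheme == "http" and (
            parts.hostname in self.hsts_hosts or parts.hostname in PRELOADED
        ):
            return "https"
        return parts.scheme

    def cookie_header(self, host, scheme):
        sent = [c for c in self.cookies.get(host, [])
                if scheme == "https" or not c.secure]
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def simulate(browser, proxy, page):
    """Victim loads `page` through the proxy and follows every link.
    Returns {host: scheme actually used on the wire}."""
    outcome = {}
    for url in re.findall(r'href="([^"]+)"', proxy.rewrite(page)):
        host = urlsplit(url).hostname
        scheme = browser.effective_scheme(url)
        outcome[host] = scheme
        if scheme == "http":
            proxy.observe_request(host, browser.cookie_header(host, scheme))
    return outcome


def run_demo():
    """First visit to a mail site that sends no HSTS, then a visit after it
    has started sending it. Returns (first_run, second_run, cookies_seen)."""
    browser, proxy = Browser(), DowngradeProxy()
    # Constructed prior state: a Secure session cookie and a non-Secure
    # preferences cookie on the mail host (a common real-world mix).
    browser.cookies["mail.example.test"] = [
        Cookie("sid", "8f2c9d", secure=True),
        Cookie("prefs", "dark", secure=False),
    ]
    first = simulate(browser, proxy, SAMPLE_HTTP_PAGE)
    browser.receive_hsts("mail.example.test", "max-age=31536000; includeSubDomains")
    second = simulate(browser, proxy, SAMPLE_HTTP_PAGE)
    return first, second, proxy.captured
```

Calling run_demo() shows the three cases the comments describe: the preloaded bank host is upgraded to HTTPS on the very first visit and the proxy sees nothing; the mail host, which has been visited before but never sent HSTS, is downgraded and leaks only the cookie that lacks the Secure attribute; once the mail host has sent HSTS, the browser upgrades it internally and the downgrade stops working. The news host is plain HTTP with no cookies, so there is nothing to capture.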
| chennaiexpress wrote:
| [dead]

| bogwog wrote:
| How does this guy not know his friend's phone number?

| | gommm wrote:
| | I assume he does, but he wanted to simulate how a random person who
| | doesn't know his friend could get access to her data.

| | [deleted]

| jacquesm wrote:
| previously on HN:
|
| https://news.ycombinator.com/item?id=18391120
|
| And many other submissions besides that one.
|
| For instance
|
| https://news.ycombinator.com/item?id=14919845

| dan-g wrote:
| (2017)
|
| A classic story!

| elonmusk11 wrote:
| [flagged]

| | EGreg wrote:
| | who cares?

| | [deleted]

| Beldin wrote:
| Sweet hesus, installing a keylogger on your own system to steal
| passwords from friends who are trying to help you?
|
| And the content doesn't show any awareness of the issue. Perhaps it'd be
| more clear to that poster if one of those friends would've used the
| keyboard access to type "format c:<enter>".

| | throwaway045892 wrote:
| | I don't see any mention of keylogging in the blog post, did I miss it?
| | Or might you be referring to a comment on another HN submission of the
| | same post? https://news.ycombinator.com/item?id=14921120

| | | Beldin wrote:
| | | Sorry, a comment pointed to a previous thread where I saw this
| | | comment:
| | |
| | | https://news.ycombinator.com/item?id=14921120
| | |
| | | I intended to reply to that comment, but clearly failed.

| | | narimoney wrote:
| | | on Aug 3, 2017

| | jacquesm wrote:
| | Agreed.
| |
| | We'd do similar tricks but only between a small group who all knew
| | what they'd signed up for. It definitely helped to make you more aware
| | of people trying to get into your accounts. To the point where someone
| | would have to add a long list of disclaimers on sending an innocent
| | link to their holiday pictures if they expected you to view them. And
| | there are still some people who can't get me to click any link they
| | send me (fool me once, etc).
| |
| | Even so, to do it to unsuspecting people isn't nice at all and is
| | essentially a breach of trust, especially using a keylogger.
| | Even today I'm not going to use someone else's device to do anything
| | requiring a login, so some of the paranoia lingers, but leave your
| | device out of sight for long enough and it might as well be somebody
| | else's.
| |
| | Samy's little tools always impress me; he gets a ton of mileage out of
| | this stuff and it is a really good warning to read his posts every now
| | and then to get an idea of what a talented individual can achieve.
| |
| | https://samy.pl/poisontap/

(page generated 2023-02-01 23:01 UTC)