Getting Paid For Others’ Work

As I was turning to signal my waitress for the bill, I noticed that aside the couple at the corner, everybody else was hooked to their laptops. Time has changed and now people sit in cafes for wireless internet, a play list on shuffle and some good cappuccino. Even though we are all mixing business with pleasure, we are just like the next guy: we eat, we Google, we Facebook.

But I’m not here to talk about aroma, I’m here to explain how you can get money for somebody else’s work.

Tap the airwaves and play a role of a man-in-the-middle. When you’re right in the center of things, imagine doing these:

  • Grep and replace adsense code blocks with your own pub-id. You will get paid, and not the owner of the website.
  • Shove 1×1 px iframes to Amazon with your affiliation tag. These will store a cookie on the victim’s browser with your tag. Even if she buys a book a week later, you will still get your hard-earned pay.
  • Replace facebook ads with match.com affiliation blocks.
  • Proxy DNS lookups, and if dns resolve fails, show ads instead.

So how is it done? Quite simple, wlan is merely ethernet network over airwaves. It deals with the same concepts, IPs, MACs and ARPs. Whenever a program wishes to connect to a remote box (outside your netmask,) it will route the requests via the gateway. This gateway is the wireless router you laptop is connected to. Computers inside the local area network communicate in ethernet protocol, so when my laptop sends an IP packet to the gateway, it wraps it up with an ethernet header. ARP is a protocol used to associate IP addresses with MAC addresses.

The brunette next to the magazine stand is using her laptop. Since we are both connected to the same gateway, we are on the same subnet. Using a nifty tool called arping, I can send an arp announce (also named “Gratuitous ARP“) to her computer, forcing it to associate the gateway IP address with my laptop mac address. So whenever she browses the internet, my computer will receive all the packets.

I have no idea what’s her IP address, and it doesn’t really matter. I can just broadcast an ARP announcement and update all arp caches in this subnet. Consider the following command line:
C:\>arping -i “\Device\NPF_{031C071A-8ED1-4AD9-8FD6-A930D4FA15F9}” -v -S 192.168.0.1 -s 00-1b-77-53-f7-2f -B

This will broadcast (-B) an arp announcement of the address (-S) 192.168.0.1 (gw) with the mac address (-s) of my laptop. Use Wireshark to find out the interface name (-i) of your wireless adapter. If you are targeting a single computer, replace -B with the ip address of the victim.

Note that broadcasting to the entire subnet will also damage your own arp cache table. To re-associate with the real mac address, clean entry with ‘arp -d’.

Unlike other approaches for man-in-the-middle attack, this one keeps you hidden. Unless you make it obvious, people won’t suspect. After all, it hijacks an existing router, does not require reconnecting and I am pretty sure nobody keeps record of their arp table.

Remember, just don’t be a jerk.

Share
  • joe bob

    except this is illegal

  • joe bob’s mother

    it’s only illegal if you get caught…

  • billy bob’s cousin

    Which part is illegal? The iframe injection or the arp redirection?

  • http://www.ybo-interactive.com yairb

    As joe bob’s mother said, it’s only illegal if you get caught…
    I wouldn’t do the Adsense hack. Google will find you in 1 second. If your adsense ID suddenly appear in hundreds of random websites, that will raise an alarm.
    I’m not sure what happens when the alarm starts. Maybe they take you to the GCourt and after they find you guilty that put you in the GJail?
    You might get away with it if you’re GBailed, or maybe if you GBribe the right GPeople :)

  • Gungadin

    Wireless – good, but I’m thinking malicious browser plugin. Move the exploit up into the application layer.

  • billy bob’s cousin

    http://diydollars.com/seo/is-blackhat-seo-wrong/

    “Google isn’t God. They aren’t even a law-enforcing or law-creating entity.” “Yet, I often see people discussing violation of Google policies as if it’s actually illegal.”

  • http://securityandthe.net Martin

    @yairb: I’m not sure whether or not this technique itself would actually be illegal. You’re probably breaking a couple of RFC’s, but you’re not breaking anyone’s internet access. If you follow the example of inserting Amazon affiliation tags, the only harm done would be some financial harm to Amazon, not the people using the access point.

  • http://www.megidish.net Gil Megidish

    I don’t know if that’s considered illegal or not. Regardless, it’s surely a tos violation of any such provider. It’s only to give an example of something that hasn’t been talked about before. Surely a technical explanation of arping would be boring :)

  • http://www.sofitsat.net Ifko

    SSH and SSL will not be affected.