Getting Paid For Others’ Work

As I was turning to signal my waitress for the bill, I noticed that aside the couple at the corner, everybody else was hooked to their laptops. Time has changed and now people sit in cafes for wireless internet, a play list on shuffle and some good cappuccino. Even though we are all mixing business with pleasure, we are just like the next guy: we eat, we Google, we Facebook.

But I’m not here to talk about aroma, I’m here to explain how you can get money for somebody else’s work.

Tap the airwaves and play a role of a man-in-the-middle. When you’re right in the center of things, imagine doing these:

  • Grep and replace adsense code blocks with your own pub-id. You will get paid, and not the owner of the website.
  • Shove 1×1 px iframes to Amazon with your affiliation tag. These will store a cookie on the victim’s browser with your tag. Even if she buys a book a week later, you will still get your hard-earned pay.
  • Replace facebook ads with affiliation blocks.
  • Proxy DNS lookups, and if dns resolve fails, show ads instead.

So how is it done? Quite simple, wlan is merely ethernet network over airwaves. It deals with the same concepts, IPs, MACs and ARPs. Whenever a program wishes to connect to a remote box (outside your netmask,) it will route the requests via the gateway. This gateway is the wireless router you laptop is connected to. Computers inside the local area network communicate in ethernet protocol, so when my laptop sends an IP packet to the gateway, it wraps it up with an ethernet header. ARP is a protocol used to associate IP addresses with MAC addresses.

The brunette next to the magazine stand is using her laptop. Since we are both connected to the same gateway, we are on the same subnet. Using a nifty tool called arping, I can send an arp announce (also named “Gratuitous ARP“) to her computer, forcing it to associate the gateway IP address with my laptop mac address. So whenever she browses the internet, my computer will receive all the packets.

I have no idea what’s her IP address, and it doesn’t really matter. I can just broadcast an ARP announcement and update all arp caches in this subnet. Consider the following command line:
C:\>arping -i “\Device\NPF_{031C071A-8ED1-4AD9-8FD6-A930D4FA15F9}” -v -S -s 00-1b-77-53-f7-2f -B

This will broadcast (-B) an arp announcement of the address (-S) (gw) with the mac address (-s) of my laptop. Use Wireshark to find out the interface name (-i) of your wireless adapter. If you are targeting a single computer, replace -B with the ip address of the victim.

Note that broadcasting to the entire subnet will also damage your own arp cache table. To re-associate with the real mac address, clean entry with ‘arp -d’.

Unlike other approaches for man-in-the-middle attack, this one keeps you hidden. Unless you make it obvious, people won’t suspect. After all, it hijacks an existing router, does not require reconnecting and I am pretty sure nobody keeps record of their arp table.

Remember, just don’t be a jerk.