Bandwidth Theft in South Africa

Re: Bandwidth Theft in South Africa

Post by Hex_Rated »

Mow wrote:
Do you know how easy it would be to write a script that scans Telkom's IP range, tries to log into any WAN address it finds and collects login info!!!!!!!!!! I could have a thousand accounts in a day or so.

pingsweep, portscan, rape!

j/k

Out of interest, would you theoretically just be cycling through usernames and passwords through brute force (e.g. User 0000001, Pass 000001) or use common passwords? I think there's a list of common account information people use.

Post by Frozenfireside »

Here's a hypothetical situation: tell me what you think.

A hacker, let's call him Tim, goes and gets a network scanner and scans the Telkom IP range for routers.

He finds one and cracks the password, as you left it on admin/administrator/the default password.
He then uses X-pass or something to get the ADSL line password.
Now you can manually define DNS in a router - fantastic. Tim creates his own DNS server with his own machine and uses the Telkom DNS as a reference. Now he can capture all your data, and the victim's internet will be slow but not stopped.

How? Because a packet sniffer can capture all the data as it passes through his network card.
Now all this is going to use a lot of data, so he enters in your own ADSL line into his router.

Now he starts to capture the data. He gets some encrypted data but since he has captured the negotiation process and all the keys/encryption process, he can decrypt the data. Also known as a replay attack.

Fantastic - he now has email addresses, banking details and anything else valuable, and it hasn't even cost him any bandwidth. It costs you twice the bandwidth AND you lose all your money... so you can't pay for the bandwidth anyway.

The end.

Now go and change your default username and password on your router.

:|
Last edited by Frozenfireside on 11 Dec 2008, 09:48, edited 2 times in total.

Post by Kasyx »

Hex_Rated wrote:
Mow wrote:
Do you know how easy it would be to write a script that scans Telkom's IP range, tries to log into any WAN address it finds and collects login info!!!!!!!!!! I could have a thousand accounts in a day or so.

pingsweep, portscan, rape!

j/k

Out of interest, would you theoretically just be cycling through usernames and passwords through brute force (e.g. User 0000001, Pass 000001) or use common passwords? I think there's a list of common account information people use.

Are you talking about the ISP username or router username?

For the router username and password, you could brute force with your own library based on router default usernames and passwords.

As for the ISP username and password, once you are logged into the router, the username is displayed right there for everyone to see, and the password is shown unencrypted in the (usually HTML) source of the page.

Post by Ron2K »

Frozenfireside wrote:
Now you can manually define DNS in a router - fantastic. Tim creates his own DNS server with his own machine and uses the Telkom DNS as a reference. Now he can capture all your data, and the victim's internet will be slow but not stopped.

The only thing that Tim is going to capture will be DNS lookups. Nothing else will be going through Tim, unless he fiddles with the routing tables as well (and I'm not sure how that would work).

Post by Frozenfireside »

"routing tables"

They are easy to modify. You can manually edit them with a text editor.
You can display the current route table to determine whether any changes are required. To see the route table for your computer, at the command prompt type route print.
You just redirect it to the Telkom IP from yours.

Post by Hex_Rated »

Frozenfireside wrote:
"routing tables"
They are easy to modify. You can manually edit them with a text editor.
You can display the current route table to determine whether any changes are required. To see the route table for your computer, at the command prompt type route print.
You just redirect it to the Telkom IP from yours.

So all the data flows through your PC? But wouldn't SSH/HTTPS prevent you from getting banking info? All you'd be able to really steal is the pcformat logins or whatever the guy's downloading. Maybe his WoW account as well.

Post by Frozenfireside »

"But wouldn't SSH/HTTPS prevent you from getting banking info?"

Depending on your ability, yes. Buuuut since you hold the data used to encrypt the transmission of data, you could do a replay attack on that data and it could decrypt it.

You also know the process used to encrypt the data so it's possible to deduce the key.

Post by Anthro »

http://forums.pcformat.co.za/viewtopic.php?f=24&t=21391

"Do you know how easy it would be to write a script that scans Telkom's IP range, tries to log into any WAN address it finds and collects login info!!!!!!!!!! I could have a thousand accounts in a day or so."

... read it and weep ... it happens

Post by Frozenfireside »

It's easy to get the IP range.

http://www.cmyip.com if you are with Telkom. Subnet mask is 255.255.0.0.
It's sometimes different with other companies like Mweb but that's obvious.

Post by Ron2K »

Frozenfireside wrote:
It's easy to get the IP range.

http://www.cmyip.com if you are with Telkom. Subnet mask is 255.255.0.0.
It's sometimes different with other companies like Mweb but that's obvious.

Not necessarily. :wink:

The AfriNIC WHOIS tool will give you a far better idea as to the subnet mask. :wink:

Post by Frozenfireside »

parent: 41.240.0.0 - 41.247.255.255
interesting...

Post by Ron2K »

^^ Point made - in your case, the subnet was 255.248.0.0. :wink:
Kia kaha, Kia māia, Kia manawanui.
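
The mask arithmetic behind the exchange above, as an added example (not code from any poster in this thread): it derives the CIDR prefix and netmask from a WHOIS-style address range, the step needed when turning an allocation into a firewall or log-filter rule. The second range and the observed address are constructed, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of WHOIS-style range lines. The first is the "parent"
# range quoted in the thread; the second is a made-up range in documentation
# address space that does not fit a single CIDR block.
SAMPLE_WHOIS = """\
parent:  41.240.0.0 - 41.247.255.255
inetnum: 192.0.2.16 - 192.0.2.47
"""

RANGE_RE = re.compile(r"^\s*(\w[\w-]*):\s*(\S+)\s*-\s*(\S+)\s*$")


def parse_ranges(text):
    """Return [(label, first, last)] for every 'label: a - b' line."""
    out = []
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue
        first = ipaddress.IPv4Address(m.group(2))
        last = ipaddress.IPv4Address(m.group(3))
        if first > last:
            raise ValueError(f"range is reversed: {line!r}")
        out.append((m.group(1), first, last))
    return out


def range_to_blocks(first, last):
    """Smallest list of (cidr, netmask) that covers first..last exactly."""
    nets = ipaddress.summarize_address_range(first, last)
    return [(str(n), str(n.netmask)) for n in nets]


def assumed_mask_coverage(observed, assumed_mask, first, last):
    """Fraction of first..last that falls inside observed/assumed_mask."""
    guess = ipaddress.IPv4Network(f"{observed}/{assumed_mask}", strict=False)
    lo = max(int(guess.network_address), int(first))
    hi = min(int(guess.broadcast_address), int(last))
    return max(0, hi - lo + 1) / (int(last) - int(first) + 1)


if __name__ == "__main__":
    for label, first, last in parse_ranges(SAMPLE_WHOIS):
        print(label, range_to_blocks(first, last))
    _, first, last = parse_ranges(SAMPLE_WHOIS)[0]
    # 41.243.10.5 is a constructed address inside the parent range.
    print(assumed_mask_coverage("41.243.10.5", "255.255.0.0", first, last))
```

A range that is not aligned to a power-of-two boundary comes back as several blocks, so a single netmask cannot describe it.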

Post by Mow »

OK, so yesterday I went on a bit of a mission updating my slightly dated WPA cracking skills. I felt that the information I provided might not be accurate anymore. So here are my findings.

The anon hacking your WPA/WPA2 has to be running a nix disty. The reason is that no wireless interface on the market has a driver, hacked or otherwise, that supports packet injection properly.

Packet injection is a system whereby the interface sends mass amounts of packets to the AP, assisting in the collection of the 2 million or so IVs required to hack even WEP. So more for WPA. Tried it last night without this and it's still running with nowhere near enough data to run the decryption data on.

What I'm saying here is that the possible number of thieves is reduced by a factor of ... well, tons.

I only had access to a dictionary list for possible passwords and this is fairly quick. Mostly took me less than 5 min to get the pass phrase. Running on a 4 GHz dual.

Now if the above phrase was anything like bob@dsl.0113519400 this would take way too long for a drive-by. I would think that if an attacker were intent on doing this there would be two ways.

Firstly he would need to get a nano ATX machine with a wireless interface and a battery backup and leave it there to collect the IVs for a few days, then grab the IVs from the machine and run the decryption matrix at home. Or he would need a high-end quad-core lappie and hope for the best.

Now let's say that some kid with a lotta cash were to take this up as a hobby. He would need to be a really rich get with a lotta leet nix skills 'cause getting the packet injection to work required recompiling a hacked driver with the correct kernel headers.

It's possible ... to steal accounts this way. But as I said, limit the size of your sell and use more complex pass phrases and you should be fairly safe. I can't see someone putting in this amount of effort for a couple of gigs of bandwidth.

Post by Frozenfireside »

"Now let's say that some kid with a lotta cash were to take this up as a hobby. He would need to be a really rich get with a lotta leet nix skills 'cause getting the packet injection to work required recompiling a hacked driver with the correct kernel headers."

This is where WPA gains an advantage - if he is that rich, why would he be trying to hack you in the first place? He could just buy everything he wants. Also he could buy uncapped internet.

Guys, use WPA with a long password and MAC filtering and SSID broadcasting off and so on.

Post by Mow »

Sorry, but MAC authentication and no broadcast is a waste of your time. Kismet will detect the SSID and any packet sniffer with an interface in monitor mode will show a wireless MAC on the network.

These are delay tactics not security systems.

Edit: but every security measure helps, so go ahead and use what's available to you.

Post by Frozenfireside »

"These are delay tactics not security systems.

Edit: but every security measure helps, so go ahead and use what's available to you."

Yeah, any determined clever hacking can get past these measures but if you make it hard enough, some hackers will just give up. It isn't worth the effort.

Post by Mow »

I'm gonna add to the problem here. I'm writing a script that automates the WPA hack process. For own white-collar use. Gonna release it though. More tools eventually = better security.

Post by Frozenfireside »

oh do share.

Post by w1z4rd911 »

I figured out how this guy got the ISP username and password... I use the wireless at home for the laptops and Xbox. My laptop had a mobo meltdown and I sent it in to get repaired... The username and password was saved in the wireless software profiles. He simply took the details, planted them into his router and went nuts with it. I opened a police case for information theft and identity theft. Worst of all, the inspector investigating has found this person, somewhere in the Cape (I am in Jozi), was downloading some questionable porn and movies to distribute on pirate DVDs. Now this guy is easily traceable if you have the subpoena to get his port address, which is linked to his line, which is traceable as we have monopoly telecoms here, and he has left quite a bit of a digital signature with many other accounts.
Poor oke is going to pay forever as there is quite a hefty fine once the prosecution has taken place but for the loss of business as well that I have experienced as well as jail time.

Post by DeathStrike »

w1z4rd911 wrote:
I figured out how this guy got the ISP username and password... I use the wireless at home for the laptops and Xbox. My laptop had a mobo meltdown and I sent it in to get repaired... The username and password was saved in the wireless software profiles. He simply took the details, planted them into his router and went nuts with it. I opened a police case for information theft and identity theft. Worst of all, the inspector investigating has found this person, somewhere in the Cape (I am in Jozi), was downloading some questionable porn and movies to distribute on pirate DVDs. Now this guy is easily traceable if you have the subpoena to get his port address, which is linked to his line, which is traceable as we have monopoly telecoms here, and he has left quite a bit of a digital signature with many other accounts.
Poor oke is going to pay forever as there is quite a hefty fine once the prosecution has taken place but for the loss of business as well that I have experienced as well as jail time.

That's if the SA justice system rules in your favour.

Post by Mow »

Let us know what happens.

"The username and password was saved in the wireless software profiles"

Your DSL was saved where?

Surely this would have been your WPA keys, not your DSL login info.

Post by w1z4rd911 »

Mow wrote:
Let us know what happens.

"The username and password was saved in the wireless software profiles"

Your DSL was saved where?

Surely this would have been your WPA keys, not your DSL login info.

DSL info was saved in cookies when I was using the modem login page. I still don't know how that happened 'coz I went through every possible cookie that was saved, and I made the fatal mistake of asking Firefox to save login info and somehow it made a cookie. Now I had not done a disk clean-up in a while as the laptop is used purely for business so it doesn't quite get the level of care as the desktops do... My bad caused my heartache and December of no online gaming :(