Read: How to hack Facebook account: Facebook profile hacking by PHP session hijacking
Read: How to hack Facebook account 2: using LCG for Facebook profile hacking
Read: How to hack Facebook account 3: applying Cross-Protocol Scripting to attack victim’s network
In the final part of Samy’s talk “How I Met Your Girlfriend”, he determines his target’s location.
Alright, well, who cares, it’s a MAC address – like, what’s the big deal? So briefly, what is a MAC address? Basically, every network device on your network has a MAC address – kinda like an IP address – it’s in hardware, you can’t change it unless you’re spoofing it, and it’s how everything communicates with each other on your LAN.
So why the MAC address? Why do we want to acquire it? What’s so interesting about it? I’ll take you through the steps. Just Bing it: open your browser, type ‘www.bing.com’ in your URL bar. When the search box comes up, type in ‘Google’ and hit Enter. So why Google? Oh yeah, because they know everything, really. So, some of you may be familiar with the ‘Google Street View’ service.
So what you see on the image is the Street View car. Some of you may have seen it; some of you, well, lots of you probably know what it is. It’s the car, it’s the one guy who drives around America taking pictures, drives on every single street. Now, we understand that Street View is really cool. You can go onto ‘Google Maps’ and you can see all the different streets, the people flashing the cameras, marriage proposals – all sorts of awesome stuff. What you may have not known is that they are collecting data. Now, recently there’s this big thing about Google collecting unencrypted Wi-Fi data. Well, this has nothing to do with that. And soon they won’t have any of that Wi-Fi data, which they’ve already deleted in a lot of places.
They are still collecting other Wi-Fi data. So what are they collecting? Well, as they are driving around, not only are they taking pictures, not only are they mapping GPS coordinates, but they are also looking at just Wi-Fi packets in general: not the data portion – they are looking at the headers.
Now, what’s interesting about the headers? They contain MAC addresses, the hardware MAC address of your router – the same MAC address that we acquired just with the XSS. Alright, so why is that interesting? Well, with Wi-Fi you can detect strength. As they are driving down, they are actually detecting my network at home. They’re driving on the street and say “Oh, I detected a network, it’s about 10 out of a 100 strength-wise. It must be close”. Driving a little further, taking the pictures – “Oh, it’s stronger now, it’s 50 out of a 100”. Gets to its maximum, say, 85 out of a 100, and then it starts to basically go down. Well, they’ve just triangulated my position.
Not only are they actually going on that street, but they are going on every other street around it, and now they get even more accurate data. They may see it actually goes up to strength 95 on the street parallel to mine. Now they know that I am actually closer to that street than I am to the other one that was at 85 strength. They are literally triangulating your network. It doesn’t matter if you are encrypted, it doesn’t matter if you are using WEP, WPA, WPA2. The packets are flying and the MAC address is in there unencrypted.
So how is this interesting? You know, we can’t really access it, they visit our malicious website, but we don’t want them to see that, and they are not gonna click it. Well, Firefox is making an HTTPS connection to Google and asking them for this information. Why don’t we make that connection? I can write a program on the backend, so when you visit my website, I use XSS to acquire your MAC address, and then I send it back to my little program running in the background. It’s not running on your browser anymore. I then connect to Google. I send your MAC address in this POST request, and it sends back your location, your coordinates. Now, just to understand how accurate this is: this is an actual router I’ve exploited, and I knew the address beforehand, because Anna was there. So, I went over there, and I did a ‘Google Maps’ request. And I said “Take these coordinates and drive me to the location, the address.” The image shows how far it was. Driving directions – 30 feet. Router was 30 feet away. Seriously, that’s what it said – 30 feet. That’s how accurate the coordinates are. It’s on that router that I was exploiting.
I think Mark Zuckerberg said it best: “Privacy is dead”. Thank you!
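The two facts Samy leans on above are that the router’s MAC address (the BSSID) sits in the plaintext 802.11 header, outside whatever WEP/WPA/WPA2 protects, and that a car logging its GPS position and the signal strength as it drives past can turn those readings into a position for that BSSID. The following is an added example written for this post, not code from the talk or from any Google service: it parses the BSSID out of a constructed data frame whose Protected Frame bit is set, then runs a weighted-centroid estimate over constructed drive-by readings that follow the talk’s numbers (10, 50, 85 on one street, a 95 peak on the parallel one). The MAC addresses, the local metre grid and the strength values are all made up here for illustration.

```python
"""Added example, not code from Samy's talk or from the original post.
Models (1) the BSSID living in the unencrypted 802.11 MAC header and
(2) a drive-by survey estimating that BSSID's position from strength
readings. Frames, coordinates and strengths are constructed."""
import struct
from collections import defaultdict

# 802.11 Frame Control flag bits (second byte of the 2-byte field)
TO_DS = 0x01
FROM_DS = 0x02
PROTECTED = 0x40  # "Protected Frame": payload is encrypted, the header never is


def make_frame(bssid: bytes, station: bytes, payload: bytes, protected: bool = True) -> bytes:
    """Build a minimal AP-to-station data frame (FromDS=1); constructed for this example."""
    fc_byte0 = 0x08  # type=Data (bits 2-3 = 10), subtype=0
    fc_byte1 = FROM_DS | (PROTECTED if protected else 0)
    header = bytes([fc_byte0, fc_byte1]) + b"\x00\x00"  # Frame Control + Duration
    # FromDS=1 layout: Address1 = destination station, Address2 = BSSID,
    # Address3 = source (the AP itself here), then Sequence Control
    header += station + bssid + bssid + b"\x00\x00"
    return header + payload  # payload would be ciphertext on a real WPA2 link


def bssid_from_frame(frame: bytes) -> tuple[str, bool]:
    """Return (BSSID as text, protected flag) from the fixed MAC header.
    Only the first 22 bytes are read, and those are never encrypted."""
    _fc0, fc1, _dur, a1, a2, a3 = struct.unpack("<BB2s6s6s6s", frame[:22])
    to_ds, from_ds = bool(fc1 & TO_DS), bool(fc1 & FROM_DS)
    if to_ds and from_ds:
        raise ValueError("four-address (WDS) frame carries no BSSID field")
    bssid = a1 if to_ds else (a2 if from_ds else a3)
    return ":".join(f"{b:02x}" for b in bssid), bool(fc1 & PROTECTED)


def estimate_position(readings):
    """Weighted centroid of (x, y, strength) readings on a local metre grid.
    Weights grow as strength**2 so the strongest passes dominate: the
    'it peaks here, so it must be close' reasoning from the talk."""
    total = sum(s * s for _, _, s in readings)
    if total == 0:
        raise ValueError("no signal in readings")
    x = sum(px * s * s for px, _, s in readings) / total
    y = sum(py * s * s for _, py, s in readings) / total
    return x, y


def locate_from_survey(records):
    """Group (frame, x, y, strength) survey records by the BSSID read from each
    header, then estimate every network's position. Returns {bssid: (x, y)}."""
    by_bssid = defaultdict(list)
    for frame, px, py, strength in records:
        bssid, _protected = bssid_from_frame(frame)
        by_bssid[bssid].append((px, py, strength))
    return {b: estimate_position(r) for b, r in by_bssid.items()}


# Constructed survey: street A runs along y=0, the parallel street B along y=60.
# Strengths (0-100) follow the talk: 10 -> 50 -> 85 peak on A, 95 peak on B.
HOME_BSSID = bytes.fromhex("02aabbccddee")      # constructed, locally administered MAC
STATION = bytes.fromhex("021122334455")         # constructed client MAC
SURVEY = ([(x, 0, s) for x, s in zip((0, 20, 40, 60, 80), (10, 50, 85, 50, 10))]
          + [(x, 60, s) for x, s in zip((0, 20, 40, 60, 80), (15, 60, 95, 60, 15))])
RECORDS = [(make_frame(HOME_BSSID, STATION, b"\xde\xad" * 8), x, y, s) for x, y, s in SURVEY]


if __name__ == "__main__":
    bssid, protected = bssid_from_frame(RECORDS[0][0])
    print(f"BSSID {bssid} read from the header; payload protected: {protected}")
    x, y = locate_from_survey(RECORDS)[bssid]
    print(f"estimated position: x={x:.1f} m, y={y:.1f} m (street A at y=0, B at y=60)")
```

The estimate lands on x=40 m, the peak on both streets, and at about y=34 m, closer to street B (the 95 peak) than to street A (the 85 peak), which is the refinement Samy describes when the car covers the parallel street. Nothing in the WPA2 setting changes this: the Protected Frame bit is set on every constructed frame and the BSSID is still read straight out of the header. The only knob on the owner’s side is what the access point transmits, which is why Google later offered an opt-out from its Wi-Fi location database by appending “_nomap” to the SSID.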
1 – XSS (Cross-site scripting) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users.
2 – WPA (Wi-Fi Protected Access) is a security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless computer networks.
3 – CSRF (Cross-site request forgery) is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.