NPR Blog Series Part 2: A Week in the Life

Note: Per our agreement with NPR, Pwnie Express is not disclosing any data collected during the research experiment with Steve Henn, but is focusing its comments on providing education on the techniques used.

In my last post I described how I configured a Pwn Plug R2 to stream Steve Henn’s laptop and iPhone traffic from his home office to my analysis server in Vermont. Steve was acting as a proxy for the average Internet user, whose traffic could be monitored by any malicious intermediary. With our Pwn Plug now acting as a “web surveillance” drop box, we then proceeded with our first order of business: A week in the life of Steve Henn.

Note that our approach here was not to emulate advanced NSA surveillance techniques, such as exploiting SSL protocol weaknesses, delivering malware, or other “active attacks”. Instead, we focused on what the NSA, your ISP, the dude with a Pwn Phone at your local coffee shop, or any number of other intermediaries can discern about an individual by passively monitoring the enormous amount of Internet traffic that’s still transmitted in clear-text (unencrypted) today.

With just a week’s worth of web traffic I was able to assemble a rather thorough personal profile of Mr. Henn. Between Steve’s day-to-day laptop/iPhone web traffic and some additional testing in Pwnie’s lab environment, we were able to capture:

  • Passwords
  • Phone numbers
  • Email addresses
  • Physical location
  • VoIP/SIP phone calls
  • Cell carrier parameters
  • Audio recording from an FTP file transfer
  • Search keywords
  • Personal interests & shopping habits
  • Session keys & cookies
  • Universally-unique session IDs
  • Make, model, & BIOS/firmware versions of laptops, mobile devices, & printers
  • Installed OS/application versions & patch levels (including AV software)
  • Running Windows processes, exe/dll versions, & connected USB devices
  • MAC addresses, internal IPs, & other unique device identifiers
  • Log of all visited domains, websites, & countries
  • Images, photos, software downloads, SSL certificates

In this post I’ll describe the techniques I used to extract this information from raw web traffic. This analysis was completed on a Pwn Plug R2 (via SSH) with the following open-source tools installed: tcpflow, ngrep, tshark, ssldump, p0f, pads, trafshow, tcpxtract, pcregrep, tcpslice, dsniff, xplico, argus, and libplist-utils.

The examples below reference a “CAPFILE” variable, which can be set to your target tcpdump capture file as follows:

$ CAPFILE="June-3.cap"

Extracting clear-text passwords:

$ ngrep -I "$CAPFILE" -W byline -q -t | egrep -i "password=|pass=|secret=|^PASS |^USER "
$ dsniff -p "$CAPFILE"

Extracting phone numbers:

$ tcpflow -r "$CAPFILE" -c -s port 80 | pcregrep -o "[^a-zA-Z0-9](\d{3}).(\d{3}).(\d{4})[^a-zA-Z0-9]" | pcregrep -o "(\d{3})-(\d{3})-(\d{4})|(\d{3})\.(\d{3})\.(\d{4})"

Extracting email addresses:

$ tcpflow -r "$CAPFILE" -c -s | grep -v "\.\." | pcregrep -o '\w+@[a-zA-Z_]+?\.[a-zA-Z]{2,6}'

Extracting clear-text credit card numbers (dashed and undashed forms):

$ ngrep -I "$CAPFILE" -q -t '(\s|^)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}(\s|$)'
$ ngrep -I "$CAPFILE" -q -t '(\s|^)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12}(\s|$)'

Extracting clear-text social security numbers (space-separated and dashed forms):

$ ngrep -I "$CAPFILE" -q -t '(\s|^)([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2]) \d{2} \d{4}(\s|$)'
$ ngrep -I "$CAPFILE" -q -t '(\s|^)([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4}(\s|$)'

Extracting physical location (GPS latitude & longitude) from iPhone Weather app traffic:

$ ngrep -I "$CAPFILE" -W byline -q -t '^(GET|POST|HTTP/)' port 80 | egrep "%2Clatitude%2Clongitude%2C"

Extracting VOIP/SIP call data:

$ ngrep -I "$CAPFILE" -W byline -q -t | grep -v "\.\." | grep SIP

Decoding Apple device plist files to obtain cell carrier parameters:

First, use xplico to carve the plist XML files out of the packet capture:

$ xplico -l -m pcap -f "$CAPFILE"

Then, use plutil to decode the plist XML files into readable strings:

$ plutil -i "xdecode/bag" | strings > iphone_plist_bag.txt
$ plutil -i "xdecode/bag(1)" | strings > iphone_plist_bag1.txt
$ plutil -i "xdecode/getBag%3fix\=1" | strings > iphone_plist_getBag.txt
$ plutil -i "xdecode/version(1)" | strings > iphone-plist-cell-carriers.txt

Carving out & listing audio/video files, images, photos, executable files, SSL certificates, etc:

$ xplico -l -m pcap -f "$CAPFILE"
$ find xdecode/

Extracting keyword strings from HTTP Referer values:

$ ngrep -I "$CAPFILE" -W byline -q -t '^(GET|POST)' port 80 | egrep "^GET |^POST |^Referer: " | egrep -o "[a-z-]*" | egrep "[a-z-]*-[a-z-]*-" | egrep -v "(^-|-$)"

Displaying Microsoft Bing Search keywords:

$ ngrep -I "$CAPFILE" -W byline -q -t '^(GET|POST|HTTP/)' port 80 | egrep "bing.com.search.q="

Displaying Amazon product searches:

$ ngrep -I "$CAPFILE" -W byline -q -t '^(GET|POST|HTTP/)' port 80 | egrep "amazon.com/gp/aw/s/ref=is_box_.k="

Extracting cookies, session IDs, keys, tokens, etc:

$ tcpflow -r "$CAPFILE" -c -s port 80 | grep -v "\.\." | egrep "^Set-Cookie|oauth|UUID|session.id|session.token|Authorization:"
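The pipeline above lists cookies in the clear; the defender's follow-up question is which of them will keep travelling in the clear. An added example (not from the original post) that reads the same tcpflow output and reports each Set-Cookie header missing the Secure or HttpOnly attribute; the HTTP response it runs on is constructed inline, and `cookie_flag_audit` is a name chosen here:

```sh
#!/bin/sh
# Constructed HTTP response as "tcpflow -r CAPFILE -c -s port 80" would print
# it (flow label on the first line; no real capture data). Three cookies are
# set: one HttpOnly-only, one with both flags, one with neither.
SAMPLE_HTTP='203.000.113.010.00080-010.000.000.005.51234: HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly
Set-Cookie: tracker=xyz; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT'

# cookie_flag_audit: reads tcpflow output on stdin and prints, for every
# Set-Cookie header, the cookie name and the protective attributes it lacks.
# A cookie seen on port 80 has already crossed the wire in clear text; one
# without the Secure attribute will be re-sent in the clear on every later
# http:// request, and one without HttpOnly is readable by page scripts.
cookie_flag_audit() {
    awk '
    /Set-Cookie:/ {
        line = $0
        sub(/.*Set-Cookie:[ \t]*/, "", line)
        sub(/[.\r]+$/, "", line)        # tcpflow -s turns the trailing \r into "."
        name = line; sub(/=.*/, "", name)
        attrs = tolower(line)
        lack = ""
        if (attrs !~ /;[ \t]*secure([ \t]*;|[ \t]*$)/)   lack = lack "Secure,"
        if (attrs !~ /;[ \t]*httponly([ \t]*;|[ \t]*$)/) lack = lack "HttpOnly,"
        if (lack != "") { sub(/,$/, "", lack); print name, "missing:", lack }
    }'
}

# On a real capture: tcpflow -r "$CAPFILE" -c -s port 80 | cookie_flag_audit
cookie_flag_audit_sample() {
    printf '%s\n' "$SAMPLE_HTTP" | cookie_flag_audit
}

cookie_flag_audit_sample
```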

Extracting make, model, & BIOS/firmware versions of PCs & mobile devices from Microsoft Windows error reporting, Apple iDevice browser, & Android YP app traffic:

$ ngrep -I "$CAPFILE" -W byline -q -t '^(GET|POST)' port 80 | egrep "^T |^GET |^Host: " | egrep -B2 "watson.microsoft.com.$"
$ ngrep -I "$CAPFILE" -W byline -q -t '^(GET|POST|HTTP/)' port 80 | egrep "X-Device-Info: "
$ ngrep -I "$CAPFILE" -W byline -q -t '^(GET|POST|HTTP/)' port 80 | egrep "macAddress=|device_name=|device_type=|os_version=|dev="

Displaying client OS/applications & versions:

$ ngrep -I "$CAPFILE" -W byline -q -t port 80 | egrep "^User-Agent: "

Extracting running processes, exe/dll versions, & connected USB devices from Microsoft Windows error reporting traffic:

$ ngrep -I "$CAPFILE" -W byline -q -t '^(GET|POST)' port 80 | egrep "^T |^GET |^Host: " | egrep -B2 "watson.microsoft.com.$"

Top 10 domains:

$ tcpdump -nn -r "$CAPFILE" port 53 | egrep " A\? " | awk '{print$8}' | egrep -io "[a-z0-9]*\.[a-z]*\.$" | sort | uniq -ic | sort -nr | head | awk '{print$1,$2}'

Top 10 websites (based on number of HTTP requests):

$ ngrep -I "$CAPFILE" -W byline -q -t '^(GET|POST)' port 80 | grep "^Host:" | sort | uniq -ic | sort -nr | head | awk '{print$1,$3}'

Top 10 referers:

$ ngrep -I "$CAPFILE" -W byline -q -t '^(GET|POST)' port 80 | egrep "^Referer: " | sort | uniq -ic | sort -nr | head | awk '{print$1,$3}'

Top TLDs/countries:

$ tcpdump -nn -r "$CAPFILE" port 53 | egrep " A\? " | awk '{print$8}' | egrep -io "\.[a-z]*\.$" | sort | uniq -ic | sort -nr | awk '{print$1,$2}'

List any weak/vulnerable SSL sessions:

$ ssldump -n -r "$CAPFILE" | grep "cipherSuite" | egrep -i "RC4|MD5|EXP|NULL|_DES|ANON|64" | sort | uniq -c | sort -nr | awk '{print$1,$2,$3}'
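The ssldump pipeline above tells you a weak suite was negotiated but not why it is weak. An added example (not from the original post) that reads the same `ssldump -n -r` output, inspects only the ServerHello cipherSuite line, and tags each hit with the reason (NULL, anonymous, export-grade, RC4, single DES, 3DES 64-bit block, MD5 MAC); the ssldump text is constructed inline and `weak_ssl_audit` is a name chosen here:

```sh
#!/bin/sh
# Constructed ssldump-style output (not a real capture): four ServerHellos,
# two of them negotiating RC4/MD5, one an export-grade DES40 suite.
SAMPLE_SSLDUMP='New TCP connection #1: 10.0.0.5(51234) <-> 203.0.113.10(443)
1 2  0.0300 (0.0290)  S>C  Handshake      ServerHello
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
New TCP connection #2: 10.0.0.5(51235) <-> 203.0.113.11(443)
2 2  0.0310 (0.0300)  S>C  Handshake      ServerHello
        cipherSuite         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        compressionMethod                   NULL
New TCP connection #3: 10.0.0.5(51236) <-> 203.0.113.10(443)
3 2  0.0280 (0.0270)  S>C  Handshake      ServerHello
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
New TCP connection #4: 10.0.0.5(51237) <-> 203.0.113.12(443)
4 2  0.0280 (0.0270)  S>C  Handshake      ServerHello
        cipherSuite         TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        compressionMethod                   NULL'

# weak_ssl_audit: reads "ssldump -n -r CAPFILE" output on stdin and prints
# "count suite reasons" for each negotiated suite that trips a weak-cipher
# marker. Only the cipherSuite line of the ServerHello is inspected, so the
# "compressionMethod NULL" line never produces a false hit.
weak_ssl_audit() {
    awk '
    $1 == "cipherSuite" {
        suite = $2; why = ""
        if (suite ~ /NULL/)          why = why "no-encryption,"
        if (suite ~ /ANON|anon/)     why = why "unauthenticated,"
        if (suite ~ /EXPORT|EXP_/)   why = why "export-grade,"
        if (suite ~ /RC4/)           why = why "rc4,"
        if (suite ~ /_DES_|_DES40/)  why = why "single-des,"
        if (suite ~ /3DES/)          why = why "64bit-block,"
        if (suite ~ /MD5/)           why = why "md5-mac,"
        if (why != "") { sub(/,$/, "", why); seen[suite " " why]++ }
    }
    END { for (k in seen) print seen[k], k }' | sort -nr
}

# Run the audit over the constructed sample; on a real capture use:
#   ssldump -n -r "$CAPFILE" | weak_ssl_audit
weak_ssl_audit_sample() {
    printf '%s\n' "$SAMPLE_SSLDUMP" | weak_ssl_audit
}

weak_ssl_audit_sample
```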
