Friday, May 31, 2013

iStupid: Setup & Basic Usage

iStupid, indiscreet SSID tool (for the) unknown PNL (Preferred Network List) (on) iOS devices, is a Python-based tool for Linux that allows deleting Wi-Fi network entries from the hidden PNL of iOS mobile devices. For more details see the original iStupid blog post; the tool can be downloaded, as usual, from Taddong's lab.

Setup & Requirements
iStupid runs directly on some of the most popular security Linux distributions, such as Kali Linux, BackTrack Linux (BT5R3), or MobiSec (v1.1) [0]. If you are interested in running iStupid on a different Linux system, the two main requirements are Python 2.7.x and Scapy. The next two commands allow you to easily check the Python and Scapy versions (e.g. on Kali):
# python -V
Python 2.7.3
# dpkg -l | grep -i scapy
ii  python-scapy    2.2.0-1    all    Packet generator/sniffer and network scanner/discovery


Before running iStupid you need to put your Wi-Fi network interface or card in monitor mode. You can use the well-known "airmon-ng start wlan0" command (from the aircrack-ng suite), or preferably use the following Linux commands, adjusting your network interface names accordingly (e.g. phy11, wlan0, and mon0):


Usage

To run iStupid (as root or using "sudo") you simply need to provide the SSID (or network name) of the Wi-Fi network to impersonate (through the "-s" option) and the local monitor mode Wi-Fi network interface (e.g. mon0):


In the example above, iStupid will advertise a Wi-Fi network called "Taddong" as available, allowing you to delete it from iOS mobile devices. The default security type used for the network is OPEN, very common for public Wi-Fi networks and hotspots. However, the Wi-Fi network security type can be easily changed by specifying one of the different security options: OPEN (--open), WEP (--wep), WPA-Personal (--wpa), WPA2-Personal (--wpa2), WPA-Enterprise (--wpa-enterprise), or WPA2-Enterprise (--wpa2-enterprise). Example for a WPA2-Personal (or PSK) network:


Therefore, the first requirement for removing a Wi-Fi network from an iOS mobile device is to know at least the name of the Wi-Fi network you connected to in the past, which was saved inside the hidden PNL. As a recommended practice, every time you connect to a new network you could take a screenshot of the Wi-Fi screen on iOS (by pressing both the Power and Home buttons simultaneously) in order to easily remember the network name:


The second requirement is to know the Wi-Fi network security type. A very common scenario for end users is to remember the SSID they connected to and (at most) whether it was an open or a secure network. Unfortunately, if it was a secure network, iOS does not help the user to differentiate between the multiple security types, as all of them are represented by a lock (see the image above).

For this reason, iStupid implements the "--loop" option. When used, iStupid will loop through the different security types, spending by default 30 seconds on each of them. This amount of time allows iOS to re-scan for new networks and identify the new security type, allowing you to manually remove the associated entry from the hidden PNL:


If you don't know the security type, this basic iStupid usage requires you to manually check whether the network can be removed from the iOS mobile device (through the blue arrow button available at the right of the network name and the "Forget this network" option) every time the security type changes in the iStupid output. Once you see a new security type printed by iStupid (between curly braces), go to the iOS device, wait until it re-scans for networks (indicated by the spinning wheel at the right of the "Choose a Network..." label), and try to remove the network from the hidden PNL:
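The second requirement above (knowing which of the six security types a network uses) and the "--loop" walk through those types both come down to what an access point advertises in its beacon frames: the privacy bit in the capability field, a vendor-specific WPA element, or an RSN (WPA2) element whose AKM suite distinguishes PSK from 802.1X. The following Python 3 parser is an added example written for this page; it is not part of iStupid or the original post. It classifies raw 802.11 beacon frames into the same six labels the post uses, so you can check from a capture taken on your own monitor-mode interface (e.g. via Scapy or a pcap) what a network, or iStupid itself, is currently advertising. It assumes each frame is a bytes object starting at the 802.11 MAC header with no radiotap header; build_beacon() constructs in-memory sample frames for testing only and transmits nothing.

```python
import struct

IE_SSID = 0
IE_RSN = 48                  # RSN information element (WPA2)
IE_VENDOR = 221              # vendor-specific element (WPA1 lives here)
OUI_WPA = b"\x00\x50\xf2"    # Microsoft OUI carried by the WPA1 element
OUI_RSN = b"\x00\x0f\xac"    # IEEE 802.11 OUI carried by the RSN element
CAP_ESS = 0x0001
CAP_PRIVACY = 0x0010         # capability "privacy" bit: WEP when no WPA/RSN element
AKM_8021X, AKM_PSK = 1, 2    # AKM suite types shared by WPA1 and RSN


def parse_ies(data):
    """Split the tagged-parameter area into (element_id, value) pairs."""
    ies, pos = [], 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) < length:
            break            # truncated element: stop instead of misparsing
        ies.append((eid, value))
        pos += 2 + length
    return ies


def akm_types(body, oui):
    """Collect AKM suite types from a WPA/RSN body that follows the version field.

    body = group cipher(4) + pairwise count(2) + pairwise(4*n) + AKM count(2) + AKM(4*m)
    """
    if len(body) < 6:
        return set()
    pos = 6 + 4 * struct.unpack_from("<H", body, 4)[0]     # skip pairwise suites
    if len(body) < pos + 2:
        return set()
    akm_count = struct.unpack_from("<H", body, pos)[0]
    pos, found = pos + 2, set()
    for _ in range(akm_count):
        suite = body[pos:pos + 4]
        if len(suite) < 4:
            break
        if suite[:3] == oui:
            found.add(suite[3])
        pos += 4
    return found


def classify_beacon(frame):
    """Return (ssid, security) for one raw beacon frame."""
    if len(frame) < 36:
        raise ValueError("frame too short to be a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc & 0x0c) != 0 or ((fc >> 4) & 0x0f) != 8:       # management / beacon
        raise ValueError("not a beacon frame")
    capability = struct.unpack_from("<H", frame, 34)[0]    # after timestamp + interval
    ssid, rsn, wpa = None, None, None
    for eid, value in parse_ies(frame[36:]):
        if eid == IE_SSID and ssid is None:
            ssid = value.decode("utf-8", "replace")
        elif eid == IE_RSN:
            rsn = value
        elif eid == IE_VENDOR and value[:4] == OUI_WPA + b"\x01":
            wpa = value[4:]          # strip OUI + type; version field comes next
    for label, element, oui in (("WPA2", rsn, OUI_RSN), ("WPA", wpa, OUI_WPA)):
        if element is not None and len(element) >= 2:
            akms = akm_types(element[2:], oui)
            if AKM_PSK in akms:
                return ssid, label + "-Personal"
            if AKM_8021X in akms:
                return ssid, label + "-Enterprise"
            return ssid, label + "-Unknown"    # AKM not modelled here (e.g. SAE)
    if capability & CAP_PRIVACY:
        return ssid, "WEP"
    return ssid, "OPEN"


def observed_security(frames):
    """Map each SSID to the set of security types seen across a list of beacons."""
    seen = {}
    for frame in frames:
        ssid, security = classify_beacon(frame)
        seen.setdefault(ssid, set()).add(security)
    return seen


def build_beacon(ssid, security):
    """Constructed sample beacon (test input only; nothing is transmitted)."""
    privacy = 0 if security == "OPEN" else CAP_PRIVACY
    bssid = b"\x02\x00\x00\x00\x00\x01"                  # locally administered sample MAC
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, CAP_ESS | privacy)
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    akm = AKM_PSK if security.endswith("Personal") else AKM_8021X
    one = struct.pack("<H", 1)
    if security.startswith("WPA2"):
        body = one + OUI_RSN + b"\x04" + one + OUI_RSN + b"\x04" + one + OUI_RSN + bytes([akm])
        ies += bytes([IE_RSN, len(body)]) + body
    elif security.startswith("WPA"):
        body = (OUI_WPA + b"\x01" + one + OUI_WPA + b"\x02" + one + OUI_WPA + b"\x02"
                + one + OUI_WPA + bytes([akm]))
        ies += bytes([IE_VENDOR, len(body)]) + body
    return header + fixed + ies
```

Feeding observed_security() the beacons captured while iStupid cycles with "--loop" gives, per SSID, the set of security types that were actually advertised; feeding it a capture of the real network answers the second requirement directly, which saves stepping through the types by hand. The parser stops at the first truncated element and labels AKMs it does not model as "-Unknown" rather than guessing.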


The loop interval, that is, the amount of time iStupid spends on every security type, can be changed through the "-l" (or "--loop_interval") option. The next blog post in this series will demonstrate iStupid's advanced usage through some additional command line switches (check the help with "iStupid -h"), like the one that tries to automatically identify the security type of the original Wi-Fi network.

Shameless plug

I will be teaching the 6-day SANS SEC575 training, "SEC575: Mobile Device Security and Ethical Hacking", in Tokyo (October 21-26, 2013) and London (November 18-23, 2013).

[0] MobiSec v1.1 by default uses Python 2.6.5 and will complain about not having the "argparse" module. You need to update it to Python 2.7.x in order for iStupid to work.
