Tools                                                          hakin9 2/2007

Aimject

System: Linux/BSD/Windows
License: GNU General Public License (GPL)
Purpose: Perform MITM attacks against AIM clients
Homepage: http://jon.oberheide.org/projects/aimject/
Author: Jon Oberheide

Aimject facilitates man-in-the-middle attacks against AOL Instant Messenger's OSCAR protocol via a simple GTK interface.

Quick start. Instant messaging and real-time network communication are becoming increasingly prevalent in both the personal and professional arenas of the global computer community. While recent events have brought IM privacy to the attention of the mass media, security in most systems has not been properly addressed. Given the growing reliance on IM communication for a wide variety of purposes, focused investigation of potential security attacks is long overdue.

Aimject is a tool that demonstrates the ease of executing these attacks against existing IM protocols, specifically the popular AOL Instant Messaging (AIM) service, which uses the OSCAR protocol. By performing a hybrid network/application-layer man-in-the-middle (MITM) attack, Aimject can manipulate communication flow and gain authority over several aspects of the AIM service.

The major features of Aimject include message viewing, muting, and injection. The message viewing component decodes all intercepted AIM communications and organizes them into browsable conversations. Message muting allows selective blocking of communication to and/or from AIM users at conversation-level granularity. Last, but not least, Aimject allows bidirectional injection of arbitrary messages into conversations. All of these features are accessible via a simple, intuitive GTK interface that even an inexperienced user would have no problem using.

Other useful features. Aimject provides integrated ARP and DNS spoofing, which allows the MITM attack and the interception of AIM connections to be completely automated without relying on any external utilities. The ARP spoofing component broadcasts ARP replies to the network, advertising the host running Aimject as the gateway. This causes hosts on the local network to send their traffic through the Aimject host instead of directly to the gateway, which sets up the DNS attack. The DNS spoofing component then listens for DNS A record queries for login.oscar.aol.com traversing the Aimject host and sends spoofed replies containing its own IP address.

When a client logs in to AIM, several connections are established. The first connection contacts login.oscar.aol.com and authenticates the client's credentials. The OSCAR login server then returns the address of the next server that the client must connect to in order to use AIM services. Because of this unique login sequence, Aimject must intercept the first connection, then dissect and manipulate the server's response in order to redirect the client's subsequent connection to Aimject. Aimject also tracks subtleties such as font style and screenname formatting. Given the ease of use and public availability of Aimject, it would be unwise to unconditionally trust any communication from the AIM service.

While Aimject is currently specific to AIM, it would be trivial to extend it to other IM protocols that share the same inherent vulnerabilities. Existing solutions such as SSL-enabled IM services and off-the-record (OTR) messaging can provide end-to-end security and mutual authentication, but unfortunately they are not widely deployed. Hopefully tools such as Aimject will raise awareness of current security issues and spur the adoption of alternative secure instant messaging solutions.

Disadvantages. Use of this software may be in violation of local, federal, and/or international laws. Please be aware of the legal ramifications and use Aimject responsibly on authorized networks.
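The two spoofing steps described under Other useful features leave characteristic traces on the wire: an ARP reply that binds the gateway's IP address to a foreign MAC, and a DNS A record answer for login.oscar.aol.com that points at a host on the local network rather than at AOL's login servers. The following Python is an added example for the defender's side, written for this page and not part of Aimject or the magazine article; it runs that detection logic over constructed ARP and DNS records. The gateway IP and MAC, the LAN prefix, the trusted resolver and all sample addresses are assumed values, and 192.0.2.10 is a documentation-range stand-in for a public login server address.

```python
"""Detect the gateway impersonation and login-server redirection indicators
described in the Aimject review, over constructed sample records.
Added example; not part of Aimject. All addresses below are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a sensor would record it (constructed format)."""
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class DnsAnswer:
    """One DNS A record answer: queried name, returned address, responder IP."""
    qname: str
    answer_ip: str
    responder_ip: str


# Assumed network facts; a real deployment would take these from inventory.
KNOWN_GATEWAY_IP = "192.168.1.1"
KNOWN_GATEWAY_MAC = "aa:bb:cc:00:00:01"
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_RESOLVER_IP = "192.168.1.1"
WATCHED_NAMES = {"login.oscar.aol.com"}


def arp_alerts(replies, gateway_ip=KNOWN_GATEWAY_IP, gateway_mac=KNOWN_GATEWAY_MAC):
    """Flag replies that bind the gateway IP to a MAC other than the known one.

    A host advertising itself as the gateway produces exactly this: a reply
    whose sender IP is the gateway's but whose sender MAC is its own.
    """
    alerts = []
    for r in replies:
        if r.sender_ip == gateway_ip and r.sender_mac.lower() != gateway_mac.lower():
            alerts.append(
                f"ARP: {r.sender_mac} claims gateway {gateway_ip} "
                f"(expected {gateway_mac})"
            )
    return alerts


def dns_alerts(answers, local_net=LOCAL_NET, resolver_ip=TRUSTED_RESOLVER_IP,
               watched=WATCHED_NAMES):
    """Flag A record answers for watched names that resolve into the local
    network (a public login service never lives there) or that did not come
    from the trusted resolver."""
    alerts = []
    for a in answers:
        name = a.qname.rstrip(".").lower()   # normalise trailing dot and case
        if name not in watched:
            continue
        reasons = []
        if ipaddress.ip_address(a.answer_ip) in local_net:
            reasons.append(f"answer is inside the local network {local_net}")
        if a.responder_ip != resolver_ip:
            reasons.append(f"response from unexpected source {a.responder_ip}")
        if reasons:
            alerts.append(f"DNS: {name} -> {a.answer_ip} ({'; '.join(reasons)})")
    return alerts


# Constructed sample records: an honest gateway reply, an impersonation from
# a LAN host, that host's own reply; an honest AIM answer, a spoofed answer
# pointing at the LAN host, and an answer for an unwatched name.
SAMPLE_ARP = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:42"),   # foreign MAC claims the gateway
    ArpReply("192.168.1.57", "de:ad:be:ef:00:42"),  # the same host's real address
]
SAMPLE_DNS = [
    DnsAnswer("login.oscar.aol.com", "192.0.2.10", "192.168.1.1"),      # plausible answer
    DnsAnswer("login.oscar.aol.com.", "192.168.1.57", "192.168.1.57"),  # spoofed: LAN host
    DnsAnswer("example.com", "192.168.1.57", "192.168.1.57"),           # not watched
]


def run_detection(arp=SAMPLE_ARP, dns=SAMPLE_DNS):
    """Return all alerts for the given records, grouped by indicator."""
    return {"arp": arp_alerts(arp), "dns": dns_alerts(dns)}


if __name__ == "__main__":
    for kind, found in run_detection().items():
        for line in found:
            print(kind, line)
```

Either indicator on its own is worth an alert; seeing both in the same window, with the ARP claimant's MAC owning the address that login.oscar.aol.com now resolves to, is the full sequence the review describes, and the two MAC-to-IP bindings in the sample ARP records show how a sensor can tie the spoofed DNS answer back to the impersonating host.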