XCREDS - Xfinity WiFi Honeypot

Hello, 0x00sec!

Before discussing my project, I want to introduce myself a little; if you’re more interested in xcreds, feel free to skip to the bottom.

Introduction

I’ve been reading 0x00sec for a while, but have held off from creating an account until I had something interesting to share. I used to be an active member of Null-Byte until its leader, OccupyTheWeb, left a little while back. You can find my account here: https://creator.wonderhowto.com/codesynced/. After that community broke up, I took a break from computer security for a while to work on other computer science topics (mainly making, instead of breaking). However, now I’m back with a new project I’ve spent the last few days on—xcreds.

XCREDS

Xfinity has been rolling out free WiFi hotspots for their subscribers, which run not only at coffee shops and airports but side by side with home networks on their new router/modem combos. To use them, one must first sign in with their Comcast email address and password. As more and more Comcast users upgrade to these new routers, Xfinity WiFi hotspots seem to be everywhere… which poses the question: how dangerous is it to have such widespread use of these free WiFi networks?

I’m sure all of you here are aware of the possible MiTM attacks that can be used on open networks, but putting that aside, how easy is it to steal Xfinity credentials now that these networks are so common? Spoiler alert… the answer is really easy.

Background

At first, I wondered how a previously signed-in device could automatically use a new Xfinity hotspot without manually signing in first. My first thought was that the device was signing in by sending the proper credentials to the router… which would make stealing them extremely easy and wouldn’t even require user interaction. However, Comcast was a little smarter than that when setting this system up and instead seems to be recording the MAC address of the devices that have signed in through their servers. That way, when a returning user connects to a new hotspot, the router can simply check if that device’s MAC address is listed on their servers. So instead I set out to replicate their sign-in process to harvest credentials, which may not be as quick and stealthy, but it is almost as effective.

How it works

Simply put: xcreds first sets up a fake access point, then runs a webserver hosting modified HTML from Xfinity’s WiFi login page. All requests are directed to this page until the user has signed in, upon which the user can then browse the internet. Meanwhile, their login credentials have been recorded.

EDIT: Here are some screenshots.

On the attacker machine:

On the victim machine:
(I’ll have to upload this later, I’m only allowed one image due to being a new user)

Installation

*This program is intended for Kali Linux

You can download my project from GitHub here: https://github.com/spec-sec/xcreds

Once you unzip it to a folder, run the installer [installer.sh]. This installs the following prerequisites if you don’t already have them:

  • hostapd
  • dnsmasq
  • web.py [Python module]

After it completes, run the main program file [xcreds.py] with Python in a terminal window. Credentials are displayed on-screen (in the webserver window) and stored in creds.log.

Bonus

After a victim connects and signs in, it’s easy to run other attacks since you own the network. One quick example is urlsnarf, which will show you the websites your victims are visiting. If you want me to implement any of these kinds of attacks as features in xcreds, I’d be happy to do so.

Sincerely,
~ spec [formerly Code]

P.S. This is only version 1.0, so I would greatly appreciate any critique or recommendations for improvements on this program.
Also, I’m hoping some of you will recognize me (looking at you, Phoenix750!)

15 Likes
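
A client-side check for the setup described under "How it works", as an added example that is not part of the original post or of xcreds: it scores one captive-portal observation for signs of a cloned sign-in page. The hostnames, addresses and `expected_host` value are constructed, and it is an assumption that the redirection shows up as rewritten DNS answers and a plain-HTTP page.

```python
import ipaddress
from urllib.parse import urlsplit

def assess_portal(dns_answers, portal_url, expected_host):
    """Return warning labels for one captive-portal observation.

    dns_answers   -- {hostname: ip} as resolved while joined to the network
    portal_url    -- URL the browser was redirected to for sign-in
    expected_host -- hostname of the provider's real sign-in page (caller supplies it)
    """
    findings = []
    ips = set(dns_answers.values())
    # Unrelated names collapsing onto one local address means DNS is being rewritten.
    if len(dns_answers) >= 2 and len(ips) == 1:
        if ipaddress.ip_address(next(iter(ips))).is_private:
            findings.append("dns-wildcard-to-private-ip")
    url = urlsplit(portal_url)
    # Credentials typed into a non-TLS page cannot be tied to any identity.
    if url.scheme != "https":
        findings.append("login-form-not-https")
    host = (url.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        findings.append("portal-host-is-ip-literal")
    except ValueError:
        # Exact match only: a look-alike suffix or prefix must not pass.
        if host != expected_host.lower():
            findings.append("portal-host-mismatch")
    return findings

# Constructed observations (not captured from any real network).
SUSPECT = {
    "dns_answers": {"example.com": "10.0.0.1", "example.org": "10.0.0.1",
                    "example.net": "10.0.0.1"},
    "portal_url": "http://10.0.0.1/login",
    "expected_host": "login.provider.example",
}
NORMAL = {
    "dns_answers": {"example.com": "192.0.2.10", "example.org": "198.51.100.7"},
    "portal_url": "https://login.provider.example/signin",
    "expected_host": "login.provider.example",
}

if __name__ == "__main__":
    for name, obs in (("suspect", SUSPECT), ("normal", NORMAL)):
        print(name, assess_portal(**obs))
```

Legitimate captive portals also rewrite DNS before sign-in, so the first label is only a signal; the HTTPS and exact-hostname checks carry the weight.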

Nice work.

And just to quote your README:

Disclaimer

This project is for demonstration purposes ONLY. I am not responsible for any usage outside of the law.

Glad you chose to write this here. Join us on IRC.

4 Likes