{"id":139,"date":"2015-04-02T01:05:36","date_gmt":"2015-04-02T05:05:36","guid":{"rendered":"https:\/\/www.ccrossan.com\/?p=139"},"modified":"2015-04-17T19:53:52","modified_gmt":"2015-04-17T23:53:52","slug":"april-fools-day-2015-whats-in-pandoras-box","status":"publish","type":"post","link":"https:\/\/crossan007.dev\/blog\/fun\/april-fools-day-2015-whats-in-pandoras-box\/","title":{"rendered":"April Fools Day 2015 – What’s in Pandora’s Box"},"content":{"rendered":"\n
Tweet<\/a><\/div>\n

The Idea<\/h1>\n

So, I’ve seen the\u00a0Upside-Down-Ternet<\/a>\u00a0many times, and I began thinking…How can I leverage this idea on one of my wife’s favorite websites – Pandora.<\/p>\n

She listens to Pandora for a good part of the day from our home internet connection… Perfect! I can set up a transparent http proxy, and manipulate requests for Pandora as they come through.<\/p>\n

Now, what should I play? \u00a0 This <\/a>of course. And may more things. \u00a0And maybe\u00a0What does the spleen do?<\/a><\/p>\n

The Implementation<\/h1>\n

Determining an “attack vector”<\/h2>\n

I fired up Chrome’s developer tools while listening to a pandora stream, and was quite pleasantly surprised: the audio is transferred over HTTP (correct – no encryption), in MP3 format. (And I discovered a little too late that the Pandora ONE Player will play audio\/mp3 streams, while the free pandora player will only play audio\/mp4 streams – This is important later on!) \u00a0How easy this will be! \u00a0All I’ll need to do is watch for the \u00a0specially crafted URL requesting resources from http:\/\/audio-*.pandora.com\/ (and *.p-cdn.com) access and respond accordingly – In this case, with an mp3 pre-staged on my intercepting server.<\/p>\n

<\/h2>\n

Base Environment<\/h2>\n

My “host”\u00a0in this scenario is a VM running on Hyper-V on my Windows 8.1 Desktop. \u00a0The VM is running Ubuntu 14 as a guest OS, and has \u00a02 cores with 256 MB ram, and one network adapter.<\/p>\n

Phase 1: Configuring Squid3 & iptables<\/h2>\n

Squid3 <\/a>is a proxy server that supports something called “transparent mode.” \u00a0In conjunction with iptables<\/a>, squid can be a very effective content filter<\/a>, caching proxy, or the perfect tool to carry out an April fools prank.<\/p>\n

In this scenario, we’ll be setting up our linux machine to “Masquerade” as the machines that will be passing traffic\u00a0to (through) it. In much the same manner as\u00a0how your existing home router works: You have one public IP address<\/a>,\u00a0and all of the requests from computers within your network (using private IP addresses<\/a>) \u00a0appear to come from that one public IP. This is called NAT<\/a>.<\/p>\n

Since this linux machine will facilitate the transfer of all traffic from the “victim” machines to the internet, It’s in the perfect location to identify (and manipulate) Pandora requests.<\/p>\n

OK, OK, enough theory, let’s get some code<\/p>\n

Iptables<\/h3>\n
    \n
  1. Enable ip_forwarding (this is temporary, and will go away after a reboot of the \u00a0“host” machine)\n
    echo 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward<\/pre>\n<\/li>\n
  2. Configure iptables to pass traffic (Never configure it this way if you’re actually building an edge device. \u00a0Since all of my devices – both “host” and “victim” machines are on the same physical network, I took some liberties with security)\n
    iptables -F\r\niptables -t nat -F\r\niptables -P INPUT ACCEPT\r\niptables -P OUTPUT ACCEPT\r\niptables -P FORWARD ACCEPT<\/pre>\n<\/li>\n
  3. Next, we need to tell iptables to “masquerade,” or that is to “NAT” the traffic that comes from the local subnet, and is destined for the internet.\n
    iptables -t nat -A POSTROUTING -s 172.16.9.0\/24 -j MASQUERADE<\/pre>\n<\/li>\n
  4. Great, but what about our prank? \u00a0 Let’s explicitly redirect traffic destined for the IP segment owned by Pandora (you can find this using whois)\n
    iptables -t nat -A PREROUTING -d 208.85.40.0\/21 -p tcp --dport 80 -j DNAT --to-destination 172.16.9.155:3128<\/pre>\n<\/li>\n<\/ol>\n
    Squid3<\/h3>\n
      \n
    1. First, install squid using your favorite packaging tooapt-get install squid3<\/li>\n
    2. Configure Squid. \u00a0I’ve taken the liberty of trimming down the config file as thin as possible for this scenario. \u00a05 lines!\n
      redirect_program \/home\/administrator\/pandora.pl\r\nhttp_access allow all\r\nhttp_port 3128 transparent\r\nstrip_query_terms off\r\ncoredump_dir \/var\/spool\/squid3<\/pre>\n<\/li>\n
    3. Next, we need to write the redirect_program. \u00a0Having not actually read the Squid3 documentation, and surmising based on operation – This is loaded at the time the Squid3 service is started, and continually runs in the background. \u00a0Squid3 then passes URLs from clients into the script through the pipeline. \u00a0The script then passes a URL back to Squid3. \u00a0In this circumstance, we use some regex to identify all requests for a Pandora song (http:\/\/audio.*?pandora\\.com<\/em> and\u00a0http:\/\/.*\\.p-cdn\\.com<\/em>)\n
      #!\/usr\/bin\/perl\r\nuse strict;\r\n$| = 1;\r\nwhile (&lt;&gt;) {\r\nmy @elems = split;\r\nmy $url = $elems[0];\r\nif ($url =~ m#^http:\/\/audio.*?pandora\\.com#i) {\r\n$url = "http:\/\/172.16.9.155\/test.mp4";\r\nprint "$url\\n";\r\n}\r\nif ($url =~ m#^http:\/\/.*\\.p-cdn\\.com#i) {\r\n$url = "http:\/\/172.16.9.155\/test.mp4";\r\nprint "$url\\n";\r\n}\r\nelse{\r\nprint "$url\\n";\r\n}\r\n}<\/pre>\n<\/li>\n
    4. Restart Squid3\n
      service squid3 restart<\/pre>\n<\/li>\n<\/ol>\n
      Apache2<\/h3>\n
      Since we’re actually replacing the song in Pandora with a “payload” track, we need some way of hosting this audio. \u00a0Additionally, we need the host to respond with the “payload” track for any and all incoming requests<\/i>. \u00a0Queue: Apache mod_rewrite.<\/p>\n
        \n
      1. Edit the\u00a0 \/etc\/apache2\/sites-enabled\/000-default.conf file, and add these three lines. \u00a0This causes any inbound HTTP requests to return the test.mp4 file (with the correct MIME association, so as not to break “free” Pandora)\n
        RewriteEngine on\r\nRewriteRule .* \/test.mp4\r\nAddType audio\/mp4 .mp4<\/pre>\n<\/li>\n
      2. Place the test.mp4 file at \/var\/www\/html<\/li>\n<\/ol>\n
        Phase 1.5: Test Proof of Concept<\/h2>\n
          \n
        1. Set a host on the LAN to use the afforementioned box as a default gateway.<\/li>\n
        2. Launch Pandora<\/li>\n
        3. Validate that only the payload song\u00a0will play.<\/li>\n<\/ol>\n
          Phase 2: Deploy to LAN<\/h2>\n
          I have a standard FiOS router as my default gateway, and the device does not give total control over the DHCP server settings. \u00a0Of particular interest here is the option routers\u00a0<\/em>parameter. \u00a0This allows the DHCP server to dictate to the clients\u00a0what IP address they should use as a default gateway<\/em>. \u00a0Obviously if this prank is going to affect more than my sandbox, I need the other devices on the LAN to pass all of their traffic through the “host”<\/p>\n
          Configure isc-dhcp-server<\/h3>\n
            \n
          1. Install isc-dhcp-server using your favorite package manager\n
            apt-get install isc-dhcp-server<\/pre>\n<\/li>\n
          2. modify the lines below in the \/etc\/dhcp\/dhcpd.conf<\/em> file. \u00a0Define some hosts if you’d like to exclude them from the prank. \u00a0All hosts with a\u00a0host<\/em>\u00a0block will be issued an IP in the\u00a0deny unknown clients<\/em>\u00a0pool: \u00a0this is not; however, what determines their gateway, but rather the\u00a0options routers<\/em> clause in the\u00a0 host\u00a0<\/em> block. \u00a0 One very important thing here is to set the lease time rather low. \u00a0I don’t want this prank to cause some random device to get an IP and hold onto it for the default of 8 days. Bumblebee happens to be my desktop:\n
            option domain-name "ccrossan.com";\r\noption domain-name-servers 172.16.9.1,8.8.8.8,8.8.4.4;default-lease-time 100;\r\nmax-lease-time 100;\r\n\r\nhost bumblebee\r\n{\r\nhardware ethernet 00:24:8C:93:7C:EE;\r\nfixed-address 172.16.9.100;\r\noption routers 172.16.9.1;\r\n}subnet 172.16.9.0 netmask 255.255.255.0\r\n{\r\noption routers 172.16.9.155;\r\n\r\npool {\r\ndeny unknown clients;\r\nrange 172.16.9.100 172.16.9.150;\r\noption routers 172.16.9.1;\r\n}\r\npool\r\n{\r\nallow unknown clients;\r\nrange 172.16.9.200 172.16.9.250;\r\noption routers 172.16.9.155;\r\n}<\/pre>\n<\/li>\n
          3. Re-start the DHCP\u00a0server<\/li>\n
          4. Disable DHCP on the FiOS router.<\/li>\n
          5. Watch hilarity ensue as users launch Pandora in their browsers only to hear your specially selected track!<\/li>\n<\/ol>\n
            Thanks for reading. \u00a0If you stuck with it this far, you’re a trooper.<\/p>\n
            Please leave any comments or suggestions you may have below!<\/p>\n","protected":false},"excerpt":{"rendered":"
            The Idea So, I’ve seen the\u00a0Upside-Down-Ternet\u00a0many times, and I began thinking…How can I leverage this idea on one of my wife’s favorite websites – Pandora. She listens to Pandora for a good part of the day from our home internet connection… Perfect! I can set up a transparent http proxy, and manipulate requests for Pandora … Continue reading April Fools Day 2015 – What’s in Pandora’s Box<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[62],"tags":[63,68,25,69,64,66,65,67,70],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\t\n