Trying (and failing) to hack the Wall of Sheep (2022)

Summary

The Wall of Sheep is a popular exhibit at DEF CON. Participants run packet sniffers on an insecure Wi-Fi network and try to catch people logging into unencrypted websites and other services. If they see that happening, they post the person’s username and password on a giant display. It looks something like:

That’s an excellent reminder to be careful when you’re connected to an unknown network, and not to send your login credentials out in the open. From the first time I saw it, though, I had to wonder: is the wall itself hackable? Could I make it look like this instead?

The idea kept bouncing around the back of my mind until I added it to my to-do list so I could stop thinking about it. I had to at least try it.

Assumptions

I know nothing about the Wall of Sheep’s internal workings. That’s deliberate. I wanted to test this for the fun of it, and part of the challenge was to see how far I could get without any knowledge of it. I had to make a few assumptions:

- If you’re connected to the right Wi-Fi network and submit credentials in plaintext, they’ll be shown on the wall.
- The process of getting captured credentials on the wall is automated.
- The wall is rendered by a web browser.
- The wall’s software has been around for a while and wasn’t written to be particularly secure. After all, it’s on the attacking end, right?
- No one’s tried this before, so no one’s fixed it before.

Choosing the attack

If the above assumptions are true, the obvious attack vector is Cross Site Scripting (XSS). The method is to create a snippet of JavaScript and then trick the Wall of Sheep into displaying — and executing — it. This should work:

    <script type="text/javascript">alert("I was here.");</script>

But how do I get that onto the board? The password field is usually censored, such as hunter2 being masked to hunt***. That would destroy the payload, so that wouldn’t work. Is there a way to make a DNS hostname that renders correctly? Eh, maybe, but crafting that sounds like work.
(Note to self:...
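
The defensive counterpart to the XSS idea above, as an added example that is not from the original post or from the Wall of Sheep's software (whose internals the post says are unknown): a hypothetical renderer that masks the password and HTML-escapes every captured field before building a table row. The function names, row layout and sample captures are constructed for illustration.

```javascript
// Added example: hypothetical renderer for a captured-credentials board.
// Not the Wall of Sheep's code; names and layout are assumptions.

// Encode the five characters that matter in HTML text and attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Mask a password the way the post describes (hunter2 -> hunt***):
// keep at most the first four characters, replace the rest with '*'.
function maskPassword(password, visible = 4) {
  const chars = Array.from(String(password)); // iterate by code point, not UTF-16 unit
  const shown = chars.slice(0, visible).join("");
  return shown + "*".repeat(Math.max(chars.length - visible, 0));
}

// Sniffed traffic is attacker-controlled input: every field is escaped at
// output time, including the masked password, since masking alone still
// leaves the first characters intact.
function renderRow(capture) {
  const cells = [
    capture.username,
    maskPassword(capture.password),
    capture.host,
    capture.protocol,
  ].map((field) => `<td>${escapeHtml(field)}</td>`);
  return `<tr>${cells.join("")}</tr>`;
}

// Constructed sample captures, not real data.
const SAMPLE_CAPTURES = [
  { username: "alice", password: "hunter2", host: "mail.example.test", protocol: "pop3" },
  {
    username: '<script type="text/javascript">alert("I was here.");</script>',
    password: "<b>x",
    host: "example.test",
    protocol: "http",
  },
];

function renderBoard(captures) {
  return `<table>${captures.map(renderRow).join("")}</table>`;
}

console.log(renderBoard(SAMPLE_CAPTURES));
```

Escaping happens at render time rather than at capture time, so the stored values stay exactly as sniffed and any other consumer of them can apply the encoding its own output context needs.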

First seen: 2025-04-18 03:15

Last seen: 2025-04-18 11:16