Man in the Middle
Paul Box, Beatrice Wilds, Will Lefevers

Post on 20-Dec-2015


Page 1: Man in the Middle

Paul Box, Beatrice Wilds, Will Lefevers

Page 2: Project Goal

Demonstrate a Man in the Middle attack on a wireless network

Page 3: Agenda

What is Wireless?
How can we make it secure?
Man in the Middle
Demo
Can we ever be truly secure?
Conclusions

Page 4: What is wireless

More or less it is a radio signal that carries a digital signal.

Diagram: Sender (Router) to Receiver

Page 5: Securing Wireless Networks

The basic security used for a WLAN was originally Wired Equivalent Privacy (WEP), but this was shown to provide minimal security due to serious weaknesses. The alternate Wi-Fi Protected Access (WPA) security protocol was later created to address these problems. The second generation of the WPA security protocol (WPA2) is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance. Software solutions such as SSL, SSH, and various types of software encryption have become the preferred methods of securing wireless information transmission. (Wikipedia, 2005)

Page 6: Project Description

Configure a wireless network
Perform a Man-in-the-Middle (MITM) attack over a wireless network

MITM is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. (Wikipedia)

Page 7: Test bed Description

1 D-Link DI-624 802.11b/g Router
2 Laptops
Victim Laptop – Windows XP
Auditing Laptop – Fedora Core 4

Page 8: Connecting to the Router

First we plugged the router in and plugged a laptop into it, and the laptop acquired a network address and gateway.

We then went to the D-Link web site, looked up the DI-624 user manual, and looked up the default username and password.

This also confirmed the gateway IP address.

Page 9: D-Link Manual

Page 10: Log in to the Router Admin

Using IE we connected to the gateway and entered the default username and password.

Page 11: WEP Configuration

Changed the SSID, changed the default username and password used to log in, and enabled WEP with one key.

Channel 6 was used instead of 11 because the router's firmware only allowed channel 6.

Page 12: Setting up wireless receiver

WEP enabled with key 1

Page 13: Securing Our Wireless Network

We are then able to see and connect to the network we have configured.

Page 14: WPA Configuration

WPA-PSK password with broadcast turned off

Page 15: MAC Filtering

Turned on MAC filtering, cloned the known computer and allowed only it.

Page 16: Hijacking Wireless AP

We could easily get into a default-configured gateway, shut down wireless and make the clients connect to us instead.

Or we could block their MAC or de-auth them and make them authenticate to us.

But can we make it so they don’t even notice any change at all?

Page 17: Man in the Middle: Hacker Tools

Wellenreiter: displays a list of available APs; gives SSIDs, MAC addresses and encryption
Ettercap: filter and MITM attacks
HostAP drivers
WLan-NG tools
Laptop with wireless receiver

Page 18: Man in the Middle: How It Works

The MitM poisons the ARP cache of the victim and the server/gateway/switch.

So the victim computer then thinks the hacker's ARP (hardware) address is the gateway’s.

The gateway thinks the hacker’s ARP (hardware) address is the victim computer’s.

All data is redirected through the listening system.
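The ARP poisoning described on this slide, seen from the defender's side, as an added example that is not part of the original deck: a detector that replays constructed ARP replies and flags the two symptoms of the attack (a known IP suddenly mapping to a new MAC, and one MAC answering for both the gateway and the victim). All addresses and the optional `trusted` table are made up.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.

Added example, not from the slides. In the attack on page 18 the
attacker answers ARP for the gateway's IP (and the victim's IP) with
its own MAC, so the victim and gateway caches both point at the
attacker.  A sniffer on the LAN sees those replies, and two simple
checks catch them.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # "I am this IP ..."
    sender_mac: str  # "... at this hardware address"


# Constructed sample traffic (made-up addresses): 00:aa... is the real
# gateway, 00:bb... the victim, 00:cc... a third host that later answers
# for both of them, exactly the pattern the slide describes.
SAMPLE_REPLIES = [
    ArpReply("192.168.0.1", "00:aa:aa:aa:aa:01"),
    ArpReply("192.168.0.100", "00:bb:bb:bb:bb:02"),
    ArpReply("192.168.0.1", "00:cc:cc:cc:cc:03"),    # gateway IP "moved"
    ArpReply("192.168.0.100", "00:cc:cc:cc:cc:03"),  # same MAC claims victim
]


def detect_arp_poisoning(replies, trusted=None):
    """Return a list of alert strings for suspicious ARP replies.

    trusted: optional {ip: mac} static table (e.g. the gateway's real MAC
    copied from the router's admin page, as the team did on page 10).
    A reply contradicting it is flagged even if it is the first reply
    seen for that IP.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = ip_to_mac.get(r.sender_ip)
        if known is not None and known != mac:   # check 1: IP changed MAC
            alerts.append(f"MAC change for {r.sender_ip}: {known} -> {mac}")
        ip_to_mac[r.sender_ip] = mac
        mac_to_ips[mac].add(r.sender_ip)
        if len(mac_to_ips[mac]) > 1:             # check 2: one MAC, many IPs
            alerts.append(f"{mac} claims multiple IPs: {sorted(mac_to_ips[mac])}")
    return alerts
```

Check 1 also fires when a gateway is legitimately replaced, so pair it with the static `trusted` table rather than treating every alert as an attack.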

Page 19: Man in the Middle: Basic Attacks

Read all clear text information passed between the hosts (i.e., browser requests, usernames/passwords)
Log/trap all data packets
Packet injection

(all these attacks can be performed through traffic dumps and setting your NIC to promiscuous mode)

Page 20: Man in the Middle: Advanced Attacks

Traffic Blocking: web page denied (404 error) even though the page works fine
Filters: listen for any signature and change it
Break Encryption: crypto rollbacks and de-authorization, e.g. PPTP/CHAPv2 -> CHAPv1 -> clear text

Page 21: Why does it work on Wireless

Wireless routers are also switches. Most of the time the wired and wireless sides are bridged, making them act like one network.

802.11 signals are broadcast, so they're essentially working like a hub.

Client devices are supposed to filter out anything not addressed to them, but they don't *have* to.

Page 22:

Page 23: Similar Attacks

HostAP can be used to create a rogue access point that clients will authenticate with, much like ARP poisoning, but it's more obvious to admins.

Other MitM attacks can use HostAP to deauthenticate a client and force it to re-authenticate with themselves on a different channel.

Page 24: Protections

SSL connections *may* prevent you from connecting through the MitM.
Read certificates carefully (https pass-through) before connecting.
File-encrypt (pae or other encrypted files) any file you don't want intercepted.
Tunnel into a trusted endpoint: IPSEC, SSH tunnels, VPN.
WEP won't work at all because the hacker can tumble your data and find the key. With the key, all traffic can be decrypted on-the-fly, as if it's clear text.

Page 25: Conclusions

Lessons Learned: never assume you are the only one that sees your traffic.

Defense Suggestions: encrypt, encrypt, encrypt, both the connection and the data being passed. WEP and WPA will help but are not infallible.

Page 26: