Man in the Middle
- Paul Box
- Beatrice Wilds
- Will Lefevers
2. Project Goal
- Demonstrate a Man in the Middle attack on a wireless network
3. Agenda
- What is Wireless?
- How can we make it secure?
- Man in the Middle
- Demo
- Can we ever be truly secure?
- Conclusions
4. What is Wireless?
- More or less, it is a radio signal that carries a digital signal
[Figure: Sender (Router) -> Receiver]
5. Securing Wireless Networks
- "The basic security used for a WLAN was originally Wired Equivalent Privacy (WEP), but this was shown to provide minimal security due to serious weaknesses. The alternate Wi-Fi Protected Access (WPA) security protocol was later created to address these problems. The second generation of the WPA security protocol (WPA2) is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance. Software solutions such as SSL, SSH, and various types of software encryption have become the preferred methods of securing wireless information transmission." - Wikipedia, 2005
6. Project Description
- Configure a wireless network
- Perform a Man-in-the-Middle (MITM) attack over a wireless network
- MITM is "an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised." (Wikipedia)
7. Test Bed Description
- 1 D-Link DI-624 802.11b/g Router
- 2 Laptops
  - Victim laptop: Windows XP
  - Auditing laptop: Fedora Core 4
8. Connecting to the Router
First we plugged the router in and plugged a laptop into it. After acquiring a network address and gateway, we then went to the D-Link web site, looked up the DI-624 user manual, and looked up the default username and password. This also confirmed the gateway IP address.
9. D-Link Manual
10. Log in to the Router Admin
Using IE we connected to the gateway and entered the default username and password.
11. WEP Configuration
Changed the SSID, changed the default username and password used to log in, and enabled WEP with one key. Channel 6 was used instead of 11 because the router was firmware-routed to number 6 only.
12. Setting Up the Wireless Receiver
WEP enabled with key 1.
13. Securing Our Wireless Network
We are then able to see and connect to the network we have configured.
14. WPA Configuration
WPA-PSK password with broadcast turned off.
15. MAC Filtering
Turned on MAC filtering, cloned the known computer, and allowed only it.
16. Hijacking a Wireless AP
- We could easily get into a default-configured gateway, shut down wireless, and make the clients connect to us instead.
- Or we could block their MAC or de-auth them and make them authenticate to us.
- But can we make it so they don't even notice any change at all?
17. Man in the Middle: Hacker Tools
- Wellenreiter
  - Displays a list of available APs
  - Gives SSIDs, MAC addresses and encryption
- Ettercap
  - Filters and MITM attacks
- HostAP drivers
- WLan-NG tools
- Laptop with wireless receiver
18. Man in the Middle: How It Works
- The MitM poisons the ARP cache of the victim and of the server/gateway/switch.
- So the victim computer then thinks the hacker's MAC address (as advertised in ARP) is the gateway's.
- The gateway thinks the hacker's MAC address is the victim computer's.
- All data is redirected through the listening system.
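The symptom the slide above describes is visible on the wire from the defender's side: after poisoning, the attacker's MAC answers ARP for both the gateway's IP and the victim's IP, and the gateway's IP-to-MAC mapping changes from what it was. The following detector is an added example written for this page (not part of the presentation or the tools it lists, and unrelated to Ettercap). It parses tcpdump-style ARP reply lines, which here are a constructed sample rather than a real capture, and raises an alert whenever an IP's advertised MAC changes or one MAC starts claiming more than one IP. The optional `known_gateway_mac` baseline is an assumption of this example: with it, the very first spoofed reply for the gateway is flagged even if the legitimate reply was never observed.

```python
import re
from collections import defaultdict

# Constructed sample log in tcpdump "arp" output style (not a real capture).
# The legitimate gateway (192.168.0.1) and victim (192.168.0.50) answer first;
# then a third MAC starts answering for BOTH addresses, the pattern described above.
SAMPLE_ARP_LOG = """\
12:00:01.000000 ARP, Reply 192.168.0.1 is-at 00:0d:88:aa:bb:cc, length 28
12:00:02.000000 ARP, Reply 192.168.0.50 is-at 00:11:22:33:44:55, length 28
12:00:03.000000 ARP, Request who-has 192.168.0.1 tell 192.168.0.50, length 28
12:00:05.000000 ARP, Reply 192.168.0.1 is-at 00:16:6f:de:ad:01, length 28
12:00:06.000000 ARP, Reply 192.168.0.50 is-at 00:16:6f:de:ad:01, length 28
12:00:07.000000 ARP, Reply 192.168.0.1 is-at 00:16:6f:de:ad:01, length 28
"""

# Only ARP *replies* carry the "is-at" binding that poisons a cache; requests are ignored.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(log_text):
    """Return (timestamp, ip, mac) tuples for each ARP reply line; other lines are skipped."""
    replies = []
    for line in log_text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def detect_arp_spoofing(replies, gateway_ip, known_gateway_mac=None):
    """Flag the two symptoms of ARP cache poisoning:
    - an IP whose advertised MAC changes (most serious when it is the gateway),
    - one MAC answering for more than one IP (attacker impersonating both ends).
    known_gateway_mac, if given, seeds the table with a trusted baseline
    (an assumption of this example; in practice it would come from inventory).
    """
    alerts = []
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    if known_gateway_mac:
        baseline = known_gateway_mac.lower()
        ip_to_mac[gateway_ip] = baseline
        mac_to_ips[baseline].add(gateway_ip)

    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({
                "ts": ts, "type": "ip_mac_changed", "ip": ip,
                "old_mac": previous, "new_mac": mac,
                "gateway": ip == gateway_ip,
            })
        ip_to_mac[ip] = mac

        # Alert only when the set of IPs this MAC claims actually grows past one,
        # so repeated replies do not spam the same finding.
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and len(mac_to_ips[mac]) > before:
            alerts.append({
                "ts": ts, "type": "mac_claims_many_ips", "mac": mac,
                "ips": sorted(mac_to_ips[mac]),
                "gateway": gateway_ip in mac_to_ips[mac],
            })
    return alerts


def run_sample():
    """Run the detector over the constructed log with 192.168.0.1 as the gateway."""
    return detect_arp_spoofing(parse_arp_replies(SAMPLE_ARP_LOG), gateway_ip="192.168.0.1")


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample this yields three alerts: the gateway's MAC changing at 12:00:05, the victim's MAC changing at 12:00:06, and the same MAC claiming both IPs. On a real network, legitimate MAC changes do happen (a replaced router, DHCP handing an address to a new host), so the "one MAC for two IPs, one of them the gateway" alert is the stronger signal; the seeded gateway baseline is what lets a monitor catch the attack even if it starts after the monitor does.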
19. Man in the Middle: Basic Attacks
- Read all clear-text information passed between the hosts (i.e., browser requests, usernames/passwords)
- Log/trap all data packets
- Packet injection
- (All these attacks can be performed through traffic dumps and setting your NIC to promiscuous mode)
20. Man in the Middle: Advanced Attacks
- Traffic blocking
  - Web page denied with a 404 error even though the page works fine
- Filters
  - Listen for any signature and change it
- Break encryption
  - Crypto rollbacks and de-authorization
  - PPTP/CHAPv2 -> CHAPv1 -> clear text
21. Why Does It Work on Wireless?
- Wireless routers are also switches. Most of the time the wired and wireless sides are bridged, making them act like one network.
- 802.11 signals are broadcast, so they're essentially working like a hub.
- Client devices are supposed to filter out anything not addressed to them, but they don't have to.
22. DEMO!!!
23. Similar Attacks
- HostAP can be used to create a rogue access point that clients will authenticate with, much like ARP poisoning, but it's more obvious to admins.
- Other MitM attacks can use HostAP to deauthenticate a client and force it to re-authenticate with themselves on a different channel.
24. Protections
- SSL connections may prevent you from connecting through the MitM.
- Read certificates carefully (https pass-through) before connecting.
- File-encrypt (pae or other encrypted files) any file you don't want intercepted.
- Tunnel into a trusted endpoint
  - IPSEC, SSH tunnels, VPN
- WEP won't work at all, because the hacker can tumble your data and find the key. With the key, all traffic can be decrypted on-the-fly, as if it's clear text.
25. Conclusions
- Lessons learned
  - Never assume you are the only one that sees your traffic
- Defense suggestions
  - Encrypt, encrypt, encrypt
  - Both the connection and the data being passed
  - WEP and WPA will help, but they are not infallible
26. Questions