Transcript Introduction

A Proof of MITM Vulnerability in
Public WLANs Guarded by
Captive Portal
Speaker : Po-Kang Chen
Advisor : Quincy Wu
Date : 2010/06/13
Outline
Introduction
Motivation
Related Work
Authentication of Public WLAN
Implementation & Experiment result
Conclusion






2
Introduction

The Internet has become more important and wireless
network is more convenient. A lot of public areas begin
to provide the Wireless LAN for users, it is called Public
WLAN (PWLAN).

PWLANs are usually provided by Wireless Internet
Service Providers (WISPs) which manage the payment
mechanism of PWLANs.

The users can sign a contract with the WISP or buy the
pre-paid cards for using PWLAN.
3
Introduction

Nowadays it is easy to find PWLAN service in a coffee
shop or a fast food restaurant, people enjoy this
convenience to access Internet in these public places.

According the TWNIC reports the sample survey on
January 2010, the frequency of using the Internet service
in public areas which becomes higher.
4
Figure 1. 2010年1月台灣網路使用調查報告 (單位：相對次數)
5
http://www.twnic.net.tw/download/200307/200307index.shtml
Outline
Introduction
Motivation
Related Work
Authentication of Public WLAN
Implementation & Experiment result
Conclusion






6
Motivation

As more people are utilizing the PWLANs, the security
of PWLANs is more important than the past.

Traditionally, we rely WEP or WPA-PSK to protect our
WLAN. The vulnerability of WEP and WPA-PSK has been
pointed out.

The malicious user uses the readily available tools to
perform Caffe Latte Attack which can crack the WEP or
WPA-PSK secret keys within a tea break time.
7
Motivation
Therefore, most PWLANs now use a new secure
mechanism, called Captive Portal.
The Captive Portal uses a webpage to authenticate users.
It was widely accepted by WISPs as a useful mechanism to
ensure that all users must be authenticated before
accessing Internet via the WLAN.



8
Figure 2. Login webpage
Motivation
Although a new standard IEEE 802.1X is proposed to
replace the Captive Portal, the 802.1X standard is more
complicated than Captive Portal, so 802.1X is not widely
deployed in PWLANs.
We shall show that for PWLANs which are guarded by
Captive Portal will be vulnerable to Man-In-The-Middle
attacks, so that unauthenticated users can access Internet
via the PWLANs.


9
Outline






Introduction
Motivation
Related Work
Authentication of Public WLAN
Implementation & Experiment result
Conclusion
10
ARP

ARP (Address Resolution Protocol)

To convert IP address to MAC address in order to
communicate in Ethernet communications

Broadcast ARP Request message to ask for the MAC address
associated with the destination IP address

The host sends a unicast ARP Reply message to sender with
the IP-MAC address pairing

It update the ARP cache after receiving ARP Reply
11
ARP Spoof

The malicious user sends ARP Reply with fake IP-MAC
pairing, in an attempt to spoof the ARP cache of other
hosts on the network.

ARP Spoof can perform Man-In-The-Middle (MITM)
attacks or Denial of Service (DoS) attacks.
12
MITM

Before the network does not occur the MITM attack, the
hosts has correct MAC address for both, they
communicates with each other directly.

After the network occur the MITM attack, the dynamic
IP-MAC pairing will be modified in ARP cache for both
hosts. The attacker can receive the packet from one side
host and forward it to other host.

The MITM often use to sniff the sensitive information in
network.
13
MITM
14
Figure 3. MITM attack
Outline






Introduction
Motivation
Related Work
Captive Portal in Public WLANs
Implementation & Experiment result
Conclusion
15
Captive Portal

The Captive Portal deploys the authentication
architecture which has the Access Controller, Web
Application Server and RADIUS server.

If the unauthenticated users tries to access the Internet,
the Access Controller responds the packet with HTTP
status code 302 to redirect the users.

The user must be authenticated with a correct
username/password provided by the WISPs.
16
17
Figure 4. PWLANs architecture
18
Figure 5. Captive Portal process
Outline






Introduction
Motivation
Related Work
Authentication of Public WLAN
Implementation & Experiment result
Conclusion
19
Implementation
Figure 6. MITM in Captive Portal (1/2)
20
Victim packets
Attacker packets
21
Figure 7. MITM in Captive Portal (2/2)
Implementation
Data
TCP/UDP/ICMP
IP
ETHERNET
22
TCP/UDP : checksum
IP : source IP address
& checksum
Figure 8. To modify of masquerade packet
Experiment & Result
Eee PC 701
(victim)
Lenovo X200
(attacker)
Remote FTP
server
CPU
Intel Celeron M
processor 900MHz
Intel Core2 Duo
CPU P8600
2.40GHz
Intel Pentium Dual
CPU E2200
2.20GHz
Memory
512MB
4GB
2GB
Operating System
Windows XP 32-bit
Windows 7 32-bit
Ubuntu 9.10
TCP buffer size
(bytes)
65,535
65,535
65,535
23
Table 1. Implementation spec.
24
Figure 9. Implementation environment
Figure 10. Download 10MB files
25
Figure 11. Download 20MB files
Experiment & Result
File size
26
Average Download Speed (Kbps)
Performance
without relay
with relay
10MB
241.55
234.06
97%
20MB
243.34
235.72
97%
Table 2. Experiment result
Outline






Introduction
Motivation
Related Work
Authentication of Public WLAN
Implementation & Experiment result
Conclusion
27
Conclusion


We demonstrate how ARP Spoof can be used to launch
MTIM attack in PWLANs, the unauthenticated users can
access Internet via the PWLANs.
We advise the WISPs can deploy the network devices
that support the intrusion detection feature, or re-design
the PWLANs architecture and authenticate users by
802.1X.
28