Man in the Middle, Is your wireless connection secure


Man in the Middle
Paul Box
Beatrice Wilds
Will Lefevers
Project Goal
- Demonstrate a Man in the Middle attack on a wireless network
Agenda
- What is wireless?
- How can we make it secure?
- Man in the Middle
- Demo
- Can we ever be truly secure?
- Conclusions
What is wireless
- More or less, it is a radio signal that carries a digital signal between a sender (the router) and a receiver (the client).
Securing Wireless Networks
- The basic security used for a WLAN was originally Wired Equivalent Privacy (WEP), but this was shown to provide minimal security due to serious weaknesses. The alternate Wi-Fi Protected Access (WPA) security protocol was later created to address these problems. The second generation of the WPA security protocol (WPA2) is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance. Software solutions such as SSL, SSH, and various types of software encryption have become the preferred methods of securing wireless information transmission.
  (Wikipedia, 2005)
Project Description
- Configure a wireless network
- Perform a Man-in-the-Middle (MITM) attack over a wireless network
- MITM is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. (Wikipedia)
Test bed Description
- 1 D-Link DI-624 802.11b/g router
- 2 laptops
  - Victim laptop: Windows XP
  - Auditing laptop: Fedora Core 4
Connecting to the Router
We first plugged the router in and connected a laptop to it by cable; the laptop then acquired a network address and gateway from the router.
We then went to the D-Link web site, looked up the DI-624 user manual and found the default username and password.
This also confirmed the gateway IP address.
D-Link Manual
Log in to The Router Admin
Using IE we connected to the gateway and entered the default username and password.
WEP Configuration
Changed the SSID, changed the default username and password used to log in, and enabled WEP with one key.
Channel 6 was used instead of 11 because the router's firmware only allowed channel 6.
Setting up wireless receiver
WEP enabled with key 1
Securing Our Wireless Network
We are then able to see and connect to the network we have configured.
WPA Configuration
WPA-PSK passphrase set, with SSID broadcast turned off.
MAC Filtering
Turned on MAC filtering, copied the known computer's MAC address into the filter, and allowed only that address.
Hijacking Wireless AP
- We could easily get into a default-configured gateway, shut down its wireless and make the clients connect to us instead.
- Or we could block their MAC address, or de-auth them, and make them authenticate to us.
- But can we make it so they don't even notice any change at all?
Man in the Middle
Hacker Tools
- Wellenreiter
  - Displays a list of available APs
  - Gives SSIDs, MAC addresses and encryption
- Ettercap
  - Filters and MITM attacks
- HostAP drivers
- WLAN-NG tools
- Laptop with wireless receiver
MAN IN THE MIDDLE
How It Works
- The MitM poisons the ARP cache of the victim and of the server/gateway/switch.
- The victim computer then maps the gateway's IP address to the hacker's MAC address.
- The gateway maps the victim's IP address to the hacker's MAC address.
- All data is redirected through the listening system, which forwards it on so neither side notices.
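The poisoning step above, worked through in code as an added example (this is not the slides' or Ettercap's code): one function builds the forged ARP reply the attacker sends ("the gateway's IP is at my MAC"), a parser reads it back, and a detector watches a constructed capture of ARP replies and flags any IP whose MAC binding changes. All MAC and IP addresses are made-up lab values.

```python
"""ARP cache poisoning: forged reply plus a binding-change detector.

Added example; addresses below are constructed, not from the slide deck.
Frames are built as raw bytes (Ethernet II + ARP) so this runs offline.
"""
import struct

# Constructed lab addresses (assumptions for the example).
GATEWAY_IP = "192.168.0.1"
VICTIM_IP = "192.168.0.100"
GATEWAY_MAC = "00:11:22:33:44:55"
VICTIM_MAC = "00:aa:bb:cc:dd:ee"
ATTACKER_MAC = "de:ad:be:ef:00:01"

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + ARP reply (42 bytes).

    A poisoning reply lies in the sender fields: sender_ip is the gateway's
    address but sender_mac is the attacker's, so the target caches that pair.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, 6, 4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if this is not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return op, mac_str(frame[22:28]), ip_str(frame[28:32])


def detect_poisoning(frames):
    """Track IP->MAC bindings seen in ARP replies; report every binding that changes.

    Returns a list of (ip, original_mac, new_mac). The first binding seen is
    kept, so a later conflicting reply is reported rather than accepted.
    """
    table = {}
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if ip in table and table[ip] != mac:
            alerts.append((ip, table[ip], mac))
        table.setdefault(ip, mac)
    return alerts


def sample_capture():
    """Constructed capture: two honest replies, then the two poisoning replies."""
    return [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # gateway -> victim
        build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),    # victim -> gateway
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # poison the victim
        build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # poison the gateway
    ]


if __name__ == "__main__":
    for ip, old, new in detect_poisoning(sample_capture()):
        print(f"ARP binding for {ip} changed: {old} -> {new}")
```

The detector is the same check arpwatch-style tools perform; the forwarding that keeps both sides talking (the part Ettercap does for you) is deliberately left out, since the point here is what the poisoned caches contain.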
MAN IN THE MIDDLE
Basic Attacks
- Read all clear-text information passed between the hosts (i.e., browser requests, usernames/passwords)
- Log/trap all data packets
- Packet injection
(all these attacks can be performed through traffic dumps and setting your NIC to promiscuous mode)
MAN IN THE MIDDLE
Advanced Attacks
- Traffic blocking
  - Web page denied: the victim sees a 404 error even though the page works fine
- Filters
  - Listen for any signature in the traffic and change it in transit
- Break encryption
  - Crypto rollbacks (downgrades) and de-authorization
  - PPTP/CHAPv2 -> CHAPv1 -> clear text
Why does it work on Wireless
- Wireless routers are also switches. Most of the time the wired and wireless sides are bridged, making them act like one network.
- 802.11 signals are broadcast, so the wireless side is essentially working like a hub.
- Client devices are supposed to filter out anything not addressed to them, but they don't *have* to.
Similar Attacks
- HostAP can be used to create a rogue access point that clients will authenticate with, much like ARP poisoning, but it's more obvious to admins.
- Other MitM attacks can use HostAP to deauthenticate a client and force it to reauthenticate with the attacker on a different channel.
Protections
- SSL connections *may* prevent you from connecting through the MitM.
  - Read certificates carefully before connecting (an https pass-through MitM has to present its own certificate).
- File-encrypt (pae or other encrypted files) any file you don't want intercepted.
- Tunnel into a trusted endpoint
  - IPsec, SSH tunnels, VPN
- WEP won't help at all because the hacker can tumble your captured data and find the key. With the key, all traffic can be decrypted on the fly, as if it were clear text.
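Why WEP fails so badly, as an added example (not the slides' code): WEP seeds RC4 with a 24-bit IV prepended to the shared key and sends the IV in the clear, so with only 2^24 IVs the same keystream recurs quickly. Two frames under one IV let an attacker XOR the ciphertexts to get the XOR of the plaintexts, and a known plaintext then reveals the other frame with no key at all. The 40-bit key, the IVs and the frame contents below are constructed; the key-recovery attack the slide refers to (FMS/PTW) is a separate statistical attack on the same IV||key construction, not shown here.

```python
"""WEP IV reuse: keystream reuse lets an attacker decrypt without the key.

Added example; key, IVs and frame contents are constructed, not from the deck.
The CRC-32 ICV trailer of real WEP frames is omitted; it does not affect this.
"""


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte IV in the clear, then RC4(IV || key) XOR plaintext."""
    keystream = rc4(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: read the IV off the frame and undo the XOR."""
    return wep_encrypt(shared_key, frame[:3], frame[3:])[3:]


def find_iv_reuse(frames):
    """Group captured frames by IV; return {iv: [ciphertext, ...]} for IVs seen more than once."""
    seen = {}
    for frame in frames:
        seen.setdefault(frame[:3], []).append(frame[3:])
    return {iv: cts for iv, cts in seen.items() if len(cts) > 1}


def recover_with_known_plaintext(ct_known, pt_known, ct_target):
    """Same keystream K: C1 ^ C2 = (P1 ^ K) ^ (P2 ^ K) = P1 ^ P2, so P2 = C1 ^ C2 ^ P1.

    Only the overlapping length is recoverable.
    """
    n = min(len(ct_known), len(pt_known), len(ct_target))
    return bytes(a ^ b ^ c for a, b, c in zip(ct_known[:n], pt_known[:n], ct_target[:n]))


# Constructed capture: a made-up 40-bit "key 1" and three frames, two sharing IV 000001.
SHARED_KEY = bytes.fromhex("0123456789")
KNOWN_PT = b"GET / HTTP/1.0\r\nHost: example.test\r\n"   # predictable request the attacker knows
SECRET_PT = b"POST /login user=alice&pass=hunter2"        # the frame the attacker wants


def sample_frames():
    return [
        wep_encrypt(SHARED_KEY, b"\x00\x00\x01", KNOWN_PT),
        wep_encrypt(SHARED_KEY, b"\x00\x00\x02", b"ping"),
        wep_encrypt(SHARED_KEY, b"\x00\x00\x01", SECRET_PT),
    ]


def attack(frames):
    """Attacker's view: never touches SHARED_KEY, only the captured frames and KNOWN_PT."""
    reused = find_iv_reuse(frames)
    ct_known, ct_target = reused[b"\x00\x00\x01"]
    return recover_with_known_plaintext(ct_known, KNOWN_PT, ct_target)


if __name__ == "__main__":
    print(attack(sample_frames()))
```

On a busy network the birthday bound puts the first IV collision after only a few thousand frames, which is why "tumbling" captured traffic works: the attacker is not breaking RC4, just waiting for the protocol to reuse it.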
Conclusions
- Lessons learned
  - Never assume you are the only one that sees your traffic
- Defense suggestions
  - Encrypt, encrypt, encrypt: both the connection and the data being passed
  - WEP and WPA will help but are not infallible