Hacking Wifi and Man-in-the-Middle attacks

OSI Model Review

Open Systems Interconnection (OSI) model of network communication. This model consists of 7 nested layers. For the sake of our discussion on security, however, the 4-layer Internet Protocol suite model is a good starting point:

Layer Data Structure Information of Interest Protection
Application   Application data including session cookies, document content (HTML, images, etc) n/a
Transport TCP Segment HTTP request methods (e.g., GET/POST) including the URL of sites visited. Application layer data n/a
Network IP Packet IP header including IP address, IP packet contents including higher layer data Packet contents encrypted/authenticated with transport layer security (TLS) if communicating over HTTPS. Unencrypted over HTTP.
Link Frames Frame header including MAC address, frame contents including higher layer data. Frame contents exposed in a wired LAN but physically isolated across network segments by switches/routers. In a wireless (WiFi) setting frame contents are encrypted/authenticated with wireless protected access (WPA) or related security protocols.


Access from the Hacker’s Perspective

Consider a scenario in which someone in a car outside your house or business is trying to eavesdrop on your wireless network traffic.

  • Baseline: As a baseline, any attacker can sniff data link layer frames, and as such can:
    • See the existence of the wireless access point (AP) and any hosts communicating with it
    • See the MAC addresses of devices communicating of the network
    • See amount and frequency of data being exchanged between the AP and the device
    • See the signal strength and potentially location of devices
  • Barrier 1: Overcome WiFi encryption. If the hacker is able to overcome wifi data link layer encryption (through the methods described below) they could:
    • See the IP addresses and associated domain-names of any sites visited (whether HTTP or HTTPS)
    • See the amount and frequency of data being exchanged between a particular website and the device
    • See and modify any data (including passwords, cookies) served over HTTP
  • Barrier 2: Overcome TLS encryption. If the hacker is able to overcome TLS encryption, either through a direct cryptographic attack (see e.g., the SE 4472 course notes) or through some indirect method (e.g., XSS or other code injection attack), the hacker would be able to:
    • See and modify any data

Overcoming Wifi Encryption

  • Monitor mode
    • Grab packets of any WiFi network, even if you’re not associated with it
  • Promiscuous mode
    • Grab all packets on Wifi and Ethernet, even if they’re not destined for your MAC address
  • Option 1: Passive sniffing + Decryption: For this attack to be successful, the hacker must around to sniff the 4-way handshake when the target device joins the network, which is used to generate WPA2 pairwise transient key (PTK), which in turn is used to encrypt/authenticate all traffic between a host and the access point. The attacker can potentially induce a 4-way handshake by forcing the device to deauthenticate from the AP.

  • Option 2: AP Association + Man-in-the-middle: For this attack to be successful, the hacker attacker must already be associated with the AP, but does not need to observe a 4-way handshake. In this strategy, the attacker will use ARP spoofing at the link layer to:
    1. Trick the target device into thinking the hacker’s computer is the AP
    2. Trick the AP into thinking the hacker’s computer is the target device

The address resolution protocol (ARP) is a base link-layer protocol allowing devices to associate physical (MAC) addresses with network (IP) addresses. The idea is that the attacker will send out a flood of ARP frames ostensibly “informing” the target computer what the MAC address of the AP is. Instead of giving the real MAC address of the AP, the hacker gives their own MAC address. Now the target computer will broadcast frames intended for the AP, but with the hacker’s MAC address. Now the AP will ignore them (since they’re addressed to another device). The attacker repeats this with the AP as well, and a two-way MITM is established. Both parties will then send their respective frames to the hackers computer, allowing the traffic to be read.

Passive Packet Capture

In order to sniff the traffic of another computer on the same wifi network as you, you need to capture the 4-way handshake when their device associates with the router. To do this you must configure your device to capture wifi traffic.

Gather Information About Target AP

$ airmon-ng start wlan0

Suppose this initializes the monitor interface wlan0mon. Now gather info about the access point using:

$ airodump-ng wlan0mon

This will tell you what the target router’s MAC address and channel are, as well as the MAC address of any hosts connected to it. Once you have this information, you can begin a packet capture:

$ airodump-ng -c <AP chan> --bssid <AP MAC> -w file wlan0mon  

Once a 4-way handshake is detected, you will see

[ WPA handshake: <MAC address>

appear in the top right of the terminal display. Now continue to collect packets. When you’re finished you will have to decrypt the packet capture. If you already know the password, you can use the airdecap-ng decryption utility:

$ airdecap-ng -p <password> -e <ESSID> <capture file>

If it is successful, you will see:

Number of decrypted WPA  packets       <some number greater than 0>

If you do not know the password, you will have to try your hand at cracking it. If you suspect the password is short, you can get away with using aircrack-ng with a generic wordlist like:

$ aircrack-ng -w <path to dictionary> file.cap

Otherwise you may need to use something more dedicated like john.

Force the 4-way Handshake

It might take a long time to observe a 4-way handshake. One possibility is to instead force deauthentication of devices on the network, so that they will reauthetnicate (and emit the handshake). While running the packet capture process outlined above, in another terminal you can try to force a deauthenticaiton:

aireplay-ng -0 <number of dauths to send> -a <AP MAC> -c <Client MAC> wlan0mon

Wait for a few minute for the device to re-authenticate (until you see the WPA handshake confirmation).

Active Packet Capture with MitM

MitM on an Associated Network

In this scenario you are already associated (i.e., authenticated) with an AP (e.g., your home wifi router) and are targeting another device on the same network.

Ettercap

You can use Ettercap to implement a MITM attack via ARP spoofing. Capture and save the packets to a capture file using tcpdump (see the Packet Capture section below). But first we run

$ ettercap -G

to launch ettercap. Then we select Sniff -> Unified Sniffing -> wlan0. Then we scan the network to find the AP and target IP addresses by running Hosts -> Scan for hosts and add the relevant IPs to the Target1 and Target2 slots. Then we select Mitm -> ARP Poisoning -> Sniff remote connection. You can see a demonstration here. You can now now capture all the packets running between the target and the AP. Word of caution: Ettercap cannot decrypt TLS connections, and if you configure it to try to inject its own certificate, it will give a warning to the user in most browsers when they visit HTTPS sites.

SSL Strip

We can’t decrypt HTTPS websites, but what we can do as a man-in-the-middle is to strip off the TLS layer using a tool like sslstrip. Here’s a video explaining the idea. In short, the idea is that the man-in-the-middle receives an HTTPS request for a website. It then establishes its own connection with the site, and proceeds to return the results to the user over HTTP (instead of HTTPS). From the website’s perspective, nothing is wrong, even for example if the website uses strict rules about always encrypting. The outcome of the attack only depends on the client’s behaviour. If the user explicitly types, for example:

https://website.com

The its browser is expecting a TLS-enabled response and will issue a warning when it doesn’t get one. But what many users actually type in their address is:

website.com

letting the server redirect them to an HTTPS connection. This is where sslstrip can really work its magic. There is a new effort by Chrome and other major browsers to offer what’s called an HSTS whitelist, which is a list of websites included in the browser that have indicated that they will never serve their websites over HTTP. Examples include facebook.com, google.com, github.com, etc. Your browser will issue a warning if you are being attack by sslstrip and try to visit one of these sites. Many other sensitive sites, like bank websites, are not yet on these whitelists.

Other Options for Man-in-the-Middle Attacks

In this scenario you are unable to associate (i.e., authenticate) to the target AP (or just don’t want to), there are some alternatives for conducting Wifi based MitM attacks by creating your own AP:

  • Option 1: Create an open-access rogue i.e., malicious/fake AP. This is the infamous Free Public Wifi AP you sometimes see in your network list at hotels/airports, etc.
  • Create an evil twin AP, i.e., a clone of a legit AP to trick people into connecting to it by booting them off of their network, and then boosting your signal strength so your evil twin will be chosen during the reconnect.

Packet Capture

Once Ettercap has successfully MitM’d the target machine, we can use the tcpdump utility to perform a packet catpure:

$ tcpdump -i wlan0 -n -w file.cap

Analyzing the Packet Capture

There are many great tools for analyzing packet capture (i.e., pcap) files, including Wireshark, tshark, and the dsniff suite of tools.

Extracting visited URLs with urlsnarf

One interesting tool in dsniff is urlsnarf which can extract a list of URLS:

$ urlsnarf -p file.cap >> urls.cap

This might take some time. When urlsnarf is finished you can view the output file urls.cap, but the entries are pretty cluttered, for example:

10.0.1.60 - - [07/Feb/2016:12:10:40 -0500] "GET http://www.prevention.com/sites/all/themes/zeus_base/images/subscribe-btn.png HTTP/1.1" - - "http://www.prevention.com/sites/prevention.com/files/css/css_KEPnFh9zKdQwQa86AFEUGfXYpvqW0KUwMFnZY5VoCkQ.css" "Mozilla/5.0

You can see it include the IP address, the date/time, the user agent, etc. We can clean this up to produce a concise list of URLs as follows:

$ cat urls.cap | cut -f2 -d'"' | cut -f2 -d' ' | uniq | sort >> urls.out

This command breaks down as follows:

  1. Use cut to split each line into fields delimited by a quote using -d'"' and only keep the second field with -f2 which is the portion containing the HTTP method (GET/POST and URL)
  2. Use cut to split each line into fields delimited by a space using -d' ' and only keep the second field, i.e. the part containing the URL
  3. Use uniq to remove duplicates
  4. Use sort to sort the list
  5. Use >> to output to file
Extracting image files with driftnet

You can also extract and save any image files from the capture using the driftnet image extraction tool:

$ mkdir cap-images/
$ driftnet -f file.cap -d cap-images -a
Extracting DNS requests with tshark

Although we were able to capture

tshark

tshark -r file.cap -T fields -e ip.src -e dns.qry.name -Y "dns.flags.response eq 0 and dns.qry.name" | sort | uniq | cut -f2 >> domains.out

Tools

Mitm tools:

  • Ettercap: A tool for facilitating man-in-the-middle attacks
  • sslstrip: A tool for downgrading HTTPS connections to HTTP

Wifi Cracking Tools

General tools for cracking WPA2-PSK, Wi-Fi Protected Setup (WPS), and Wired Equivalent Privacy (WEP):

Additional Resources