AdSense

Monday, October 17, 2016

WI-FI PT / 4 - ATTACKS MAN-IN-THE-MIDDLE / 4.2 - Eavesdropping with MITM attacks


4.2 - Wireless Eavesdropping with MITM attack

- The first step in this attack, as usual, is the attacker creating a virtual monitoring interface mon0 attached to the physical interface wlan0.

- Then, a fake AP called "mitm" is created using airbase-ng, broadcasting its beacon frames everywhere in the channel 6:



- After running airbase-ng there is a new interface called at0 (tap interface), that could be considered as the wire-side interface of the virtual fake AP. In contrast with mon0, that would be the wireless side interface:



The next step consists of establishing a bridge called "puente" between at0 and the physical Ethernet interface eth0:



- Interfaces eth0 and at0 are added to the bridge "puente":



Both interfaces are turned on:



Verifying that the bridge "puente" has been correctly created:



- The bridge "puente" is assigned an static IP 192.168.0.50 (also it could be do dynamically with DHCP):



A very important step is to prepare the attacker "kali "for being able to route and forward packets, turning IP Forwarding on:



At this moment of the attack, let's consider that the victim "roch" connects to the fake AP "mitm":




airbase-ng immediately detects that "roch" (28:C6:8E:63:15:6B) has connected to "mitm":



- One interesting aspect of the connection is that the victim "roch"automatically gets a dynamic IP, because at the wired-side the legitimate AP is running the DHCP service. So, as the victim connects to the network (through the fake AP), it is also considered a host of the network with the right of being assigned an IP and DNS services:



- Now, the victim "roch" can ping the default gateway of the network 192.168.0.1:



- Also, the victim "roch" has got access to the Internet pinging Google's public DNS 8.8.8.8:



- Because the attacker "kali" is located in the middle of the victim and the legitimate AP, he is able to sniff, see and analyze all the traffic sent and received by "roch". Let's see what happens when the victim "roch" decides to connect to www.ual.es:



- "kali" runs Wireshark, which allows the "Follow TCP stream" option to see all packets from a single TCP stream displaying them in order:



- Applying that option, the filter "tcp.stream eq 18" is generated automatically. Then, the whole conversation between the victim "roch" and "www.ual.es" is available for the attacker "kali" to be analyzed and eavesdropped.

- At next screenshot, "roch" (192.168.0.15) and "www.ual.es" (193.147.117.18) establish a TCP and HTTP session, what is being captured by the attacker "kali":


- It can be checked that 193.147.117.18 corresponds to www.ual.es:



- Also with whois: