-----Original Message-----
From: will***********************************
Sent: Wednesday, October 26, 2005 12:19 PM
To: Wilds, Beatrice
Cc: Paul Box
Subject: RE: Project Website

 

Yes and no... which is to say, it doesn't have to be that complicated.

Chow wants us to demonstrate a MitM attack across a wireless network... in class. What we're breaking is less an issue, and here's why:

1) Once we have the software to do it in a cleartext WAP, we've proven that it can be done.
2) Once we've got WEP to break (not that hard...) we just implement the same attack and allow it to tear apart WEP (there are tons of tools for this).
3) MitM has been proven against many systems, including ssh and https. We can either prove, or provide secondhand research to show, that it can be done.

MitM on Ethernet:

1) Poison the ARP caches of the server/gateway and the client/victim. Tell each one that your MAC address is linked to their IPs. Route all packets from the victim to you, then to the server. Victim requests data, you request from the server, victim thinks it comes from the server.
2) Read victim's traffic. Since it all passes through you, you can pcap or tcpdump most of it into readable files/logs.
3) Sift the traffic for interesting things (passwords, handshakes, certificates) and optionally use them to spoof the end user, allowing you access to their sites (think about the client-side certificate demo... you present their cert.)
4) Proxy their secure connections. Present the server's cert to the client, present your cert to the server. Filter all data. (https)

How it would work on Wireless:

1) Track the WAP's channel and learn its MAC address, SSID, etc.
2) Listen for clients to connect to the WAP. Echo bad data to the WAP to make it look like the client's misauthenticating or set up wrong. Complete the handshake with the client while spoofing the SSID/MAC/etc. Client thinks you're the WAP and handshakes with you. Now establish your own session with the real WAP using the client's credentials (all the way down to the IV if using WEP).
3) You're now the MitM, and since 802.11 works a lot like the old token ring, hosts are going to ignore packets that are not destined for them. Suck up passwords and spoof connections just like you're on a wired LAN.

Tools worth considering (linux):

Wired:
Ethereal
Ettercap <-- check this shit out.

Wireless:
Airsnort
Wepcrack

Immediate goals:

1) Get an academic understanding of how MitM works, then how 802.11 works.
2) Pick a testbed and build it.
3) Crack/MitM a cleartext WAP.
4) Crack/MitM a WEP WAP (man, that's confusing...)
5) Consider harder methods to try.
6) Write it up and demo it in class.

...and you thought I had dropped off the face of the earth...

Will :D

((have coffee, will travel))
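The two attack paths the message outlines (ARP-cache poisoning on Ethernet, and a spoofed access point on 802.11) each leave a footprint a monitor on the network can see. The following is an added example, not code from the e-mail or from any of the tools it names, written from the defender's side: it takes a constructed list of ARP replies and a constructed list of beacon frames (the record formats, addresses and the `KNOWN_APS` inventory are all assumptions for illustration) and raises an alert when an IP's MAC binding changes, when one MAC claims both ends of a conversation, or when a known SSID is beaconed by a BSSID that is not in the inventory.

```python
"""Defender-side checks for the two MitM paths described in the message:
ARP-cache poisoning on a wired LAN and an impersonated WAP on 802.11.
Added example; record layouts and all sample data are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed ARP replies as (timestamp, sender_ip, sender_mac).
# Poisoning both ends looks like: a known IP suddenly claimed by a new MAC,
# and that one MAC claiming the gateway's and the client's IP at once.
ARP_REPLIES: List[Tuple[float, str, str]] = [
    (1.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),   # gateway, legitimate
    (1.5, "10.0.0.20", "bb:bb:bb:bb:bb:20"),  # client, legitimate
    (2.0, "10.0.0.1", "cc:cc:cc:cc:cc:99"),   # gateway IP now claimed by another MAC
    (2.1, "10.0.0.20", "cc:cc:cc:cc:cc:99"),  # same MAC also claims the client's IP
]


def detect_arp_poisoning(replies: List[Tuple[float, str, str]]) -> List[str]:
    """Return alerts for (a) an IP whose MAC differs from the first binding
    seen and (b) a single MAC claiming more than one IP on the segment."""
    first_seen: Dict[str, str] = {}
    ips_per_mac: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[str] = []
    for ts, ip, mac in replies:
        ips_per_mac[mac].add(ip)
        if ip not in first_seen:
            first_seen[ip] = mac
        elif first_seen[ip] != mac:
            alerts.append(f"{ts}: {ip} moved from {first_seen[ip]} to {mac}")
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {sorted(ips)}")
    return alerts


# Constructed inventory of legitimate access points: SSID -> set of BSSIDs.
KNOWN_APS: Dict[str, Set[str]] = {"CorpNet": {"00:11:22:33:44:55"}}

# Constructed beacon observations as (ssid, bssid, channel).
BEACONS: List[Tuple[str, str, int]] = [
    ("CorpNet", "00:11:22:33:44:55", 6),     # the real WAP
    ("CorpNet", "de:ad:be:ef:00:01", 11),    # same SSID, unknown BSSID: impersonation candidate
    ("Guest", "00:11:22:33:44:66", 1),       # SSID not in inventory; not an impersonation of a known one
]


def detect_rogue_aps(beacons: List[Tuple[str, str, int]],
                     known: Dict[str, Set[str]]) -> List[str]:
    """Alert when a BSSID outside the inventory advertises a known SSID,
    which is what a spoofed WAP looks like to a passive listener."""
    alerts: List[str] = []
    for ssid, bssid, channel in beacons:
        if ssid in known and bssid not in known[ssid]:
            alerts.append(f"SSID {ssid!r} beaconed by unknown BSSID {bssid} on channel {channel}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(ARP_REPLIES) + detect_rogue_aps(BEACONS, KNOWN_APS):
        print("ALERT:", line)
```

The ARP check keys on the first binding seen, so in practice it should be seeded from a known-good table (DHCP leases, switch CAM tables) rather than from whatever happens to arrive first; the beacon check only flags impersonation of SSIDs you own, so an unrelated "Guest" network is deliberately ignored.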