Man-in-the-Middle Attacks
The basic concept of man-in-the-middle (MiM) attacks was
introduced in Chapter 4.
In this section, we discuss the details of how exactly an attacker could
establish a man-in-the-middle attack against your wireless network. There are
two different methods to establish a man-in-the-middle attack in a wireless
network. The first is using management frames and is specific to wireless
networking, and the second is ARP spoofing, which is also a problem for wired
networks.
Management Frames
Because the management frames lack any integrity protection,
establishing a man-in-the-middle with IEEE 802.11-based networks is easy
(there's even a hacker tool that will do it for you, described in Chapter 16). MiMs can be
established regardless of any protections (WPA, RSN, VPN, and so on) that you
might be using but do not necessarily pose a threat if the security protocol is
strong. MiM attacks are possible because there are no integrity guarantees
provided at the link layer (layer 2), and MAC addresses are easily forged.
The attack begins (assuming that the target STA is already
associated to an AP) by the attacker issuing a Deauthentication message to the
target STA. This causes the STA to drop its association with its current AP and
look to reassociate with another (possibly the old) AP. At the same time, the
attacker establishes a malicious AP with the same ESSID and MAC address as an AP
within range of the attacker but on a different channel than the valid AP. The
target STA associates with the attacker's fake AP because it is denied service
at the valid AP by the attacker's forged Deauthentication messages. Once the STA
has associated with the bogus AP, the bogus AP immediately associates with the
valid AP and begins forwarding all traffic so authentication (if used as in WPA
or RSN) completes. This process is shown in Figure 15.6. The attacker now has complete control over
the traffic stream between the STA and its valid AP. If encryption is not used,
then the attacker can modify packets before forwarding. If encryption is used,
packets can be denied or delayed. They can also be modified to assist in other
attacks, as we'll see later in this chapter.

ARP Spoofing
ARP spoofing has been a plague on wired networks for some time;
and while there are some limited countermeasures available to prevent and
identify ARP attacks, an ARP attack can still succeed more often than not. ARP
identifies the MAC address for a given IP address. A client or STA wanting to
communicate with a specific IP address issues an ARP-Request as a broadcast
packet on the LAN asking to learn the MAC address of the given IP address.
Because ARP packets do not have any integrity protection, anyone (even attackers
with access to the LAN) can respond with incorrect or malicious information,
effectively poisoning the ARP cache of the requestor. Thus, from that point
until the cache entry times out, the client uses an improper MAC address for the
given IP address, causing all traffic to go to the attacker rather than the real
recipient.
There is an important distinction between using management
frames (as described in the previous section) and using ARP spoofing for
establishing MiM attacks. With ARP spoofing, the attacker must have access to
the link layer, whereas using management frames does not have this requirement.
If encryption is being used, the attacker must first break the encryption (or be
able to forge packets) before he can perform a successful ARP spoofing attack.
With WEP-based networks, breaking the encryption, as we have seen, is a small
problem. But with WPA- or RSN-based networks, this is a significant (and
hopefully impossible) hurdle.
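Both techniques leave an observable footprint on the defender's side: a burst of Deauthentication frames aimed at one STA (the management-frame attack) and one IP address being claimed by more than one MAC address in ARP replies (cache poisoning). The following detector is an added example, not code from the book; it runs over a constructed sample of observed records rather than live captures, and the addresses, timestamps and thresholds are assumed values.

```python
# Added example (not from the book): flag the two MiM precursors described
# above over a constructed sample of observed records.
from collections import defaultdict

# Constructed sample: (timestamp_seconds, kind, fields).
#   kind "deauth"    -> fields = (bssid, target_sta)
#   kind "arp_reply" -> fields = (ip, mac)
SAMPLE = [
    (0.0, "deauth", ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01")),
    (0.1, "deauth", ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01")),
    (0.2, "deauth", ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01")),
    (0.3, "deauth", ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01")),
    (5.0, "arp_reply", ("192.168.1.1", "00:11:22:33:44:55")),
    (5.5, "arp_reply", ("192.168.1.1", "de:ad:be:ef:00:01")),   # same IP, new MAC
    (6.0, "arp_reply", ("192.168.1.10", "aa:bb:cc:dd:ee:01")),
]

def find_deauth_floods(records, window=1.0, threshold=3):
    """Return the (bssid, sta) pairs that saw more than `threshold`
    Deauthentication frames inside any sliding window of `window` seconds.
    A legitimate AP rarely deauthenticates the same STA repeatedly."""
    times = defaultdict(list)
    for ts, kind, fields in records:
        if kind == "deauth":
            times[fields].append(ts)
    flagged = set()
    for pair, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide window forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(pair)
                break
    return flagged

def find_arp_conflicts(records):
    """Return {ip: {macs}} for every IP claimed by more than one MAC in the
    ARP replies seen. This is the signature of cache poisoning, though a
    genuinely reassigned address produces the same pattern and needs triage."""
    seen = defaultdict(set)
    for _, kind, fields in records:
        if kind == "arp_reply":
            ip, mac = fields
            seen[ip].add(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

if __name__ == "__main__":
    print(find_deauth_floods(SAMPLE))
    print(find_arp_conflicts(SAMPLE))
```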