Monday, April 14, 2014

Man-in-the-Middle Attacks, Wireless MITM, Gorvam saddar



Man-in-the-Middle Attacks
A man-in-the-middle (MITM) attack refers to the situation where an attacker on host X inserts X into all communications between hosts B and C, and neither B nor C is aware of the presence of X.  All messages sent by B do reach C, but via X, and vice versa.  The attacker can merely observe the communication or modify it before sending it on.  A MITM attack can break connections that are otherwise secure; at the TCP level, SSH and VPN connections, for example, are prone to this attack.
8.1 Wireless MITM
Assume that station B was authenticated with C, a legitimate AP.  Attacker X is a laptop with two wireless cards.  Through one card, he will present X as an AP.  Attacker X sends Deauthentication frames to B using C's MAC address as the source, and the BSSID he has collected.  B gets deauthenticated, begins a scan for an AP, and may find X on a channel different from C's.  There is a race condition between X and C.  If B associates with X, the MITM attack has succeeded.  X will re-transmit the frames it receives from B to C, and the frames it receives from C to B, after suitable modifications.
The package of tools called AirJack (http://802.11ninja.net/airjack/) includes a program called monkey_jack that automates the MITM attack.  This is programmed well so that the odds of it winning in the race condition mentioned above are improved.
8.2 ARP Poisoning
ARP cache poisoning is an old problem in wired networks, and wired networks have deployed mitigating techniques.  However, the technique becomes effective again in the presence of APs that are connected to a switch/hub along with other wired clients.
ARP is used to determine the MAC address of a device whose IP address is known. The translation is performed with a table look-up.   The ARP cache accumulates as the host continues to network.  If the ARP cache does not have an entry for an IP address, the outgoing IP packet is queued, and an ARP Request packet that effectively requests “If your IP address matches this target IP address, then please let me know what your Ethernet address is” is broadcast. The host with the target IP is expected to respond with an ARP Reply, which contains the MAC address of the host.  Once the table is updated because of receiving this response, all the queued IP packets can now be sent. The entries in the table expire after a set time in order to account for possible hardware address changes for the same IP address. This change may have happened, e.g., due to the NIC being replaced. 
Unfortunately, ARP provides no way to verify that a response comes from a valid host, or even that a response corresponds to a request the host actually sent. ARP poisoning is an attack technique exploiting this lack of verification.  It corrupts the ARP cache that the OS maintains with wrong MAC addresses for some IP addresses. An attacker accomplishes this by sending an ARP Reply packet that is deliberately constructed with a “wrong” MAC address.  ARP is a stateless protocol.  Thus, a machine receiving an ARP Reply cannot determine whether the response is due to a request it sent or not.
ARP poisoning is one of the techniques that enables the man-in-the-middle attack. An attacker on machine X inserts himself between two hosts B and C by (i) poisoning B so that C’s IP address is associated with X’s MAC address, (ii) poisoning C so that B’s address is associated with X’s MAC address, and (iii) relaying the packets X receives.
The ARP poison attack is applicable to all hosts in a subnet. Most APs act as transparent MAC layer bridges, and so all stations associated with them are vulnerable. If an access point is connected directly to a hub or a switch without an intervening router/firewall, then all hosts connected to that hub or switch are susceptible also. Note that recent devices aimed at the home consumer market combine a network switch with perhaps four or five ports, an AP, a router and a DSL/cable modem connecting to the Internet at large.  Internally, the AP is connected to the switch.  As a result, an attacker on a wireless station can become a MITM between two wired hosts, one wired and one wireless host, or two wireless hosts.
The tool called Ettercap (http://ettercap.sourceforge.net) is capable of performing ARP poisoning.
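The stateless behaviour described above (a host accepts any ARP Reply, solicited or not, and overwrites its cache) is what the attack exploits. The following is an added example, not code from the article or from any tool it names: a small stateful ARP monitor that accepts a Reply only when a matching Request is pending and reports an IP whose MAC binding changes, which is the signature of poisoning. The packets, addresses and host names are constructed for the example.

```python
"""Stateful ARP reply checker (added example, not part of the original article)."""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    cache: dict = field(default_factory=dict)    # ip -> mac, as the OS would keep it
    pending: set = field(default_factory=set)    # ips this host has asked about
    alerts: list = field(default_factory=list)

    def observe(self, pkt: ArpPacket) -> None:
        if pkt.op == "request":
            # The monitored host sent a Request; remember which IP it asked for.
            self.pending.add(pkt.target_ip)
            return
        ip, mac = pkt.sender_ip, pkt.sender_mac
        if ip not in self.pending:
            # Unsolicited Reply: plain ARP would accept it; we flag it instead.
            self.alerts.append(f"unsolicited ARP reply for {ip} from {mac}")
        old = self.cache.get(ip)
        if old is not None and old != mac:
            # The binding for a known IP is changing: possible poisoning.
            self.alerts.append(f"MAC change for {ip}: {old} -> {mac}")
        if ip in self.pending:
            # Only a solicited Reply is allowed to update the cache.
            self.pending.discard(ip)
            self.cache[ip] = mac


def run_sample() -> tuple:
    """Constructed scenario: host B (10.0.0.2) resolves C (10.0.0.3) normally,
    then attacker X sends an unsolicited Reply claiming C's IP with X's MAC."""
    mon = ArpMonitor()
    traffic = [
        ArpPacket("request", "10.0.0.2", "00:11:22:33:44:b2", "10.0.0.3"),
        ArpPacket("reply", "10.0.0.3", "00:11:22:33:44:c3", "10.0.0.2"),   # genuine C
        ArpPacket("reply", "10.0.0.3", "00:11:22:33:44:ee", "10.0.0.2"),   # X poisoning B
    ]
    for pkt in traffic:
        mon.observe(pkt)
    return mon.cache, mon.alerts


if __name__ == "__main__":
    cache, alerts = run_sample()
    print("cache:", cache)
    for a in alerts:
        print("ALERT:", a)
```

With plain ARP the third packet would silently replace C's MAC in the cache; here the cache keeps C's genuine MAC and two alerts are raised.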
8.3 Session Hijacking
Session hijacking occurs in the context of a “user”, whether human or computer.  The user has an on-going connection with a server.  Hijacking is said to occur when an attacker causes the user to lose his connection, and the attacker assumes his identity and privileges for a period.
An attacker temporarily disables the user’s system, say by a DoS attack or a buffer overflow exploit.  The attacker then takes the identity of the user.  The attacker now has all the access that the user has.  When he is done, he stops the DoS attack and lets the user resume.  The user may not detect the interruption if the disruption lasts no more than a couple of seconds.  Such hijacking can be achieved by using a forged-Disassociation DoS attack.
Corporate wireless networks are often set up so that the user is directed to an authentication server when his station attempts a connection with an AP.  After the authentication, the attacker employs the session hijacking described above using spoofed MAC addresses.
9. War Driving
Equipped with wireless devices and related tools, and driving around in a vehicle or parking at interesting places with a goal of discovering easy-to-get-into wireless networks is known as war driving.  War-drivers (http://www.wardrive.net/) define war driving as “The benign act of locating and logging wireless access points while in motion.”  This benign act is of course useful to the attackers.
9.1 War chalking
War chalking is the practice of marking sidewalks and walls with special symbols to indicate that wireless access is nearby, so that others do not need to go through the trouble of the same discovery.  A search on www.google.com with the key words “war driving maps” will produce a large number of hits.  Yahoo! Maps can show "Wi-fi Hotspots" near an address you give.
Figure 3: War Chalking Symbols
9.2 Typical Equipment
The typical war driving equipment consists of a laptop computer system or a PDA with a wireless card, a GPS, and a high-gain antenna.   Typical choice of an operating system is Linux or FreeBSD where open source sniffers (e.g., Kismet) and WEP crackers (e.g., AirSnort) are available.  Similar tools (e.g., NetStumbler) that run on Windows are available.
War drivers need to be within the range of an AP or station located on the target network.   The range depends on the transmit output power of the AP and the card, and the gain of the antenna.  Ordinary access point antennae transmit their signals in all directions.  Often, these signals reach beyond the physical boundaries of the intended work area, perhaps to adjacent buildings, floors, and parking lots. With the typical 30mW wireless cards intended for laptops, the range is about 300 feet, but as of 2004 there are wireless cards for laptops on the market that have 200mW. Directional high-gain antennae and an RF amplifier can dramatically extend the range.
Figure 4: War Drivers' Equipment
10. Wireless Security Best Practices
This section describes best practices in mitigating the problems described above.
10.1 Location of the APs
APs should be topologically located outside the perimeter firewalls.  The wireless network segments should be treated with the same suspicion as that for the public Internet.  Additionally, it is important to use directional antennae and physically locate them in such a way that the radio-coverage volume is within the control of the corporation or home.
10.2 Proper Configuration
Statistics collected by www.worldwidewardrive.org show a distressingly large percentage of APs left configured with the defaults.
Before a wireless device is connected to the rest of the existing network, proper configuration of the wireless device is necessary.  The APs come with a default SSID, such as “Default SSID”, “WLAN”, “Wireless”, “Compaq”, “intel”, and “linksys”. The default passwords for the administrator accounts that configure the AP via a web browser or SNMP are well known for all manufacturers.  A proper configuration should change these to difficult to predict values.
Note that the SSID serves as a simple handle, not as a password, for a wireless network.  Unless the default SSID on the AP and stations is changed, SSID broadcasts are disabled, MAC address filtering is enabled, and WEP is enabled, an attacker can use the wireless LAN resources without even sniffing.
The configuration via web browsing (HTTP) is provided by a simplistic web server built into an AP.  Often this configuration interface is provided via both wired connections and wireless connections.  The web server embedded in a typical AP does not contain secure HTTP, so the password that the administrator submits to the AP can be sniffed.  Web based configuration via wireless connections should be disabled.
WEP is disabled in some organizations because the throughput is then higher.  Enabling WEP encryption forces an attacker intending to crack WEP to sniff a large number of frames.  The more bits in the key, the more frames must be collected. Physical presence in the radio range of the equipment for long periods increases the odds of the attacker's equipment being detected.  WEP should be enabled.
The IEEE 802.11 does not describe an automated way of distributing the shared-secret keys.  In large installations, the manual distribution of keys every time they are changed is expensive. Nevertheless, the WEP encryption keys should be changed periodically.
10.3 Secure Protocols
If the WEP is disabled, or after the WEP is cracked, the attacker can capture all TCP/IP packets by radio-silent sniffing for later analyses.  All the wired network attacks are possible. There are real-time tools that analyze and interpret the TCP/IP data as they arrive.
All protocols that send passwords and data in the clear must be avoided.  This includes the rlogin family, telnet, and POP3.  Instead one should use SSH and VPN.
In general, when a wireless segment is involved, one should use end-to-end encryption at the application level in addition to enabling WEP.
10.4 Wireless IDS
A wireless intrusion detection system (WIDS) is often a self-contained computer system with specialized hardware and software to detect anomalous behavior.  The underlying software techniques are the same hacking techniques described above.  The special wireless hardware is more capable than the commodity wireless card, including the RF monitor mode, detection of interference, and keeping track of signal-to-noise ratios.  It also includes GPS equipment so that rogue clients and APs can be located.  A WIDS includes one or more listening devices that collect MAC addresses, SSIDs, features enabled on the stations, transmit speeds, current channel, encryption status, beacon interval, etc.  Its computing engine will be powerful enough that it can dissect frames and WEP-decrypt into IP and TCP components.  These can be fed into TCP/IP related intrusion detection systems.
Unknown MAC addresses are detected by maintaining a registry of MAC addresses of known stations and APs.  Frequently, a WIDS can detect spoofed known MAC addresses because the attacker could not control the firmware of the wireless card to insert the appropriate sequence numbers into the frame.
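The sequence-number check mentioned above works because the 802.11 sequence-control field carries a 12-bit counter that the card's firmware increments by one per frame (wrapping at 4096); frames injected under a spoofed source address come from a different counter and so appear as jumps or reversals in the stream for that MAC. The following is an added example, not code from the article or from any WIDS product: a check a sensor could run per source MAC. The tolerance thresholds and the sample frames are assumptions constructed for the example.

```python
"""Sequence-number check for spoofed 802.11 source MACs (added example)."""
from dataclasses import dataclass

SEQ_MOD = 4096          # 12-bit sequence number wraps here
MAX_FORWARD_GAP = 64    # assumed tolerance for frames the sensor missed
MAX_BACKWARD_GAP = 8    # assumed tolerance for retransmissions / reordering


@dataclass
class Frame:
    src_mac: str
    seq: int            # 12-bit sequence number from the sequence-control field


def seq_delta(prev: int, cur: int) -> int:
    """Signed distance from prev to cur on the 12-bit ring, e.g. 4095 -> 0 is +1."""
    d = (cur - prev) % SEQ_MOD
    return d - SEQ_MOD if d > SEQ_MOD // 2 else d


def find_spoofing(frames) -> list:
    """Return (mac, expected_prev_seq, observed_seq) for each frame whose
    sequence number does not continue the counter last seen for that MAC."""
    last = {}
    alerts = []
    for f in frames:
        prev = last.get(f.src_mac)
        if prev is not None:
            d = seq_delta(prev, f.seq)
            if d > MAX_FORWARD_GAP or d < -MAX_BACKWARD_GAP:
                alerts.append((f.src_mac, prev, f.seq))
                continue      # keep tracking the genuine counter, not the intruder's
        last[f.src_mac] = f.seq
    return alerts


def run_sample() -> list:
    """Constructed capture: AP C emits seq 100..103; two frames carrying C's MAC
    but a foreign counter (2510, 2511) are interleaved; station B wraps 4094 -> 1."""
    ap, sta = "00:11:22:33:44:c3", "00:11:22:33:44:b2"
    frames = [Frame(ap, 100), Frame(ap, 101), Frame(sta, 4094), Frame(ap, 102),
              Frame(ap, 2510), Frame(sta, 4095), Frame(ap, 2511), Frame(sta, 0),
              Frame(ap, 103), Frame(sta, 1)]
    return find_spoofing(frames)


if __name__ == "__main__":
    for mac, prev, seq in run_sample():
        print(f"possible spoof of {mac}: last genuine seq {prev}, saw {seq}")
```

The wrap-around on station B produces no alert, while the two foreign-counter frames under the AP's MAC are both flagged against the AP's last genuine sequence number.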
10.5 Wireless Auditing
Periodically, every wireless network should be audited.  Several audit firms provide this service for a fee.  A security audit begins with a well-established security policy.  A policy for wireless networks should include a description of the geographical volume of coverage.  The main goal of an audit is to verify that there are no violations of the policy.  To this end, the typical auditor employs the tools and techniques of an attacker.
10.6 Newer Standards and Protocols
Many improvements in wireless network technology are proposed through proprietary channels (e.g., Cisco Lightweight Extensible Authentication Protocol) as well as through the IEEE.  The new IEEE 802.11i (ratified in June 2004) enhances the current 802.11 standard to provide improvements in security.  These include Port Based Access Control for authentication, Temporal Key Integrity Protocol for dynamic changing of encryption keys, and Wireless Robust Authentication Protocol.  An interim solution proposed by vendors, Wi-Fi Protected Access (WPA), a subset of 802.11i, is only now becoming available in some products.  Time will tell if these can withstand future attacks.
10.7 Software Tools
Below we describe a collection of cost-free tools that can be used both as attack tools and as audit tools.
  • AirJack (http://802.11ninja.net/airjack/) is a collection of wireless card drivers and related programs.  It includes a program called monkey_jack that automates the MITM attack.  Wlan_jack is a DoS tool that accepts a target source and BSSID to send continuous deauthenticate frames to a single client or an entire network (broadcast address). Essid_jack sends a disassociate frame to a target client in order to force the client to reassociate with the network, thereby giving up the network SSID.
  • AirSnort (www.airsnort.shmoo.com) can break WEP by passively monitoring transmissions and computing the encryption key when enough packets have been gathered.
  • Ethereal (www.ethereal.com) is a LAN analyzer, including wireless.  One can interactively browse the capture data, viewing summary and detail information for all observed wireless traffic.
  • FakeAP (ww.blackalchemy.to/project/fakeap) can generate thousands of counterfeit 802.11b access points.
  • HostAP (www.hostap.epitest.fi) converts a station that is based on Intersil's Prism2/2.5/3 chipset to function as an access point.
  • Kismet (www.kismetwireless.net) is a wireless sniffer and monitor.  It passively monitors wireless traffic and dissects frames to identify SSIDs, MAC addresses, channels and connection speeds.
  • Netstumbler (www.netstumbler.com) is a wireless access point identifier running on Windows.  It listens for SSIDs and sends beacons as probes searching for access points.
  • Prismstumbler (prismstumbler.sourceforge.net/) can find wireless networks.  It constantly switches channels and monitors frames received.
  • The Hacker’s Choice organization (www.thc.org) has a LEAP Cracker Tool suite that contains tools to break Cisco LEAP.  It also has tools for spoofing authentication challenge packets from an AP. Its WarDrive is a tool for mapping a city for wireless networks with a GPS device.
  • StumbVerter (www.sonar-security.com/sv.html) is a tool that reads NetStumbler's collected data files and presents street maps showing the logged WAPs as icons, whose color and shape indicate WEP mode and signal strength.
  • Wellenreiter (http://www.wellenreiter.net/) is a WLAN discovery tool.  It uses brute force to identify low-traffic access points while hiding the real MAC address of the card it uses.  It is integrated with GPS.
  • WEPcrack (www.wepcrack.sourceforge.net) cracks 802.11 WEP encryption keys using weaknesses of RC4 key scheduling.

11. Conclusion
This article is an introduction to the techniques an attacker would use on wireless networks.  Regardless of the protocols, wireless networks will remain potentially insecure because an attacker can listen in without gaining physical access.  In addition, the protocol designs were security-naïve.  We have pointed out several existing tools that implement attack techniques that exploit the weaknesses in the protocol designs.  The integration of wireless networks into existing networks also has been carelessly done.  We pointed out several best practices that can mitigate the insecurities.
GLOSSARY
AP: Access Point.  Any entity that has station functionality and provides access to the distribution services, via the wireless medium for associated stations.
Association Table: The Association table is within an AP and controls the routing of all packets between the Access Point and the wireless devices in a WLAN.
Basic Service Set:  BSS is a collection, or set, of stations that are logically associated with each other and controlled by a single AP. Together, they operate as a fully connected wireless network.
Basic Service Set Identifier (BSSID): A 48-bit identifier used by all stations in a Basic Service Set as part of the frame header.
Beacon: A wireless LAN frame broadcast by access points that signals their availability.
Evil Twin Attack: An unauthorized AP whose goal is to masquerade as an existing legitimate/authorized AP is called an Evil Twin.  The evil twin AP is designed and located so that client stations receive stronger signals from it.  Legitimate users are lured into the evil twin, and unknowingly give away user IDs and passwords.
Independent BSS: An IBSS is usually an ad-hoc network. In an IBSS, all of the stations are responsible for sending beacons.
IDS: Intrusion detection system.
MITM: Man in the middle.  See Section 8.
Service Set Identifier (SSID): All APs and stations within the same wireless network use an identifier that is up to 32-bytes long.
Social Engineering: Social engineering is a term, coined in jest, that refers to all non-technical methods of collecting information about a person so that the passwords the person may use can be predicted.  The methods of collection range from dumpster diving and analyzing publicly available information to making phone calls impersonating others.
STA: A wireless station.
WEP: Wired Equivalent Privacy (WEP) is a shared-secret key encryption system used to encrypt packets transmitted between a station and an AP.
Cross References
The following is a list of other articles in the handbook related to wireless networks.  Article numbers are as in the Handbook TOC.
26. Radio Frequency and Wireless Communications Security
27. Propagation Characteristics of Wireless Channels
43. Wireless Local Area Networks
44. Security Issues in Wireless Sensor Networks
46. Mobile IP (Internet Protocol)
48. TCP (Transmission Control Protocol) over Wireless Links
50. Wireless Internet
56. PKI (Public Key Infrastructure)
67. Wireless Application Protocol (WAP)
68. Wireless Networks Standards and Protocol (802.11)
74. Wireless Information Warfare
142. Hacking Techniques in Wireless Networks (mine)
150. Wireless Threats and Attacks
151. WEP (Wired Equivalent Privacy) Security
152. Wireless Security
153. Cracking WEP (Wired Equivalent Privacy)