Run a Man-in-the-Middle attack on a WiFi hotspot

Fraida Fund
06 March 2016 on education, security, wireless, 802.11

This experiment shows how an attacker can use a simple man-in-the-middle attack to capture and view traffic that is transmitted through a WiFi hotspot.

It should take about 60-120 minutes to run this experiment, but you will need to have reserved that time in advance. This experiment uses wireless resources (specifically, the "outdoor" testbed on ORBIT, or the WITest testbed), and you can only use wireless resources on GENI during a reservation.

To reproduce this experiment on GENI, you will need an account on the GENI Portal, and you will need to have joined a project. You should have already uploaded your SSH keys to the portal. The project lead of the project you belong to must have enabled wireless for the project. Finally, you must have reserved time on either the outdoor testbed at ORBIT or the WITest testbed, and you must run this experiment during your reserved time. (Alternatively, you can use "sb4" testbed at ORBIT, with some modifications to the instructions.)

This experiment shows how a malicious attacker can act as a "man in the middle" to capture traffic on a WiFi hotspot, including potentially sensitive material such as login credentials and private web browsing.

A man in the middle (MITM) attack is one where the attacker (in our example, Mallory) secretly captures and relays communication between two parties who believe they are directly communicating with each other (in our example, Alice and Bob.)

When data is sent over a WiFi network using WPA-PSK or WPA2-PSK security, it is encrypted at Layer 2 with per-client, per-session keys, and may be decrypted only by its destination. Other clients on the same access point can capture the traffic, but can't necessarily decrypt it - to decrypt the traffic, a malicious attacker would have had to either capture the initial handshake between client and AP (when the keys were set up), or force the client to disconnect and reconnect, and capture the new handshake between client and AP.

The attack we're going to try involves a different approach, using a technique known as ARP spoofing or ARP poisoning.

In this experiment, Alice and Bob are connected to a WiFi hotspot, and wish to communicate with one another. Under normal circumstances, they will use ARP requests and replies to find out the physical address (MAC address) to which to direct their traffic. In our experiment, however, the attacker (Mallory) will send gratuitous ARP messages to Alice, giving its own MAC address as the physical address for Bob and similar ARP messages to Bob, giving its own MAC address as the physical address for Alice. Then, when Alice and Bob communicate, they will unwittingly treat Mallory as the destination for all of their traffic, and send their entire communication through her. (Mallory will forward the traffic, so that neither side is aware that she is intercepting it.)

For example, suppose the four nodes have the following MAC addresses:

A packet from Alice to Bob will be transmitted over the air four times, with different addresses in the Layer 2 header each time.

First, it will be sent with Alice's MAC address as the source and transmitter address, Mallory's MAC address as the destination address (since Alice believes this to be Bob's MAC address), and the AP's MAC address as the receiver address (since all traffic goes through the AP when operating in infrastructure mode):

Receiver address: 00:15:6d:85:e0:c9

Then the AP will forward the packet to Mallory, with its own MAC address as the transmitter address, Alice's MAC address as the source address, and Mallory's MAC address as the receiver address and the destination address:

Receiver address: 00:60:b3:25:c0:37

As far as the AP is aware (from the Layer 2 headers), Mallory is the final destination for this packet, so the AP will use Mallory's key to encrypt the packet and she will be able to decrypt it and see its contents.

Then, Mallory will forward the packet to Bob. The next copy of this packet on the air will have Mallory's MAC address as the source and transmitter address, Bob's MAC address as the destination address, and the AP's MAC address as the receiver address:

Receiver address: 00:15:6d:85:e0:c9

Finally, the AP will retransmit the packet with Bob's MAC address as the receiver and destination address, Mallory's MAC address as the source address, and its own MAC address as the transmitter address:

Receiver address: 00:15:6d:85:e0:c6
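
From a defender's side, the ARP poisoning described in this article appears as an IP address moving to a new MAC address and as one MAC address answering for several IP addresses. The Python code below is an added example, not part of the original experiment: it parses raw ARP bodies and flags both conditions. Mallory's and Bob's MAC addresses are the ones quoted in the article; Alice's MAC address, all IP addresses, and the function names are assumptions made for this example.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP body (28 bytes)

def build_arp(op, smac, sip, tmac, tip):
    """Pack an ARP body; used here only to construct the sample input."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, raw(smac),
                       socket.inet_aton(sip), raw(tmac), socket.inet_aton(tip))

def parse_arp(body):
    """Return (sender MAC, sender IP), or None if not Ethernet/IPv4 ARP."""
    if len(body) < 28 or struct.unpack("!HHBB", body[:6]) != (1, 0x0800, 6, 4):
        return None
    sha, spa = struct.unpack("!6s4s", body[8:18])
    return sha.hex(":"), socket.inet_ntoa(spa)

def detect_spoofing(bodies):
    """Alert when an IP moves to a new MAC or one MAC claims several IPs."""
    ip_to_mac, mac_to_ips, alerts = {}, {}, []
    for body in bodies:
        parsed = parse_arp(body)
        if parsed is None:
            continue
        smac, sip = parsed
        old = ip_to_mac.get(sip)
        if old is not None and old != smac:
            alerts.append(("rebind", sip, old, smac))
        ip_to_mac[sip] = smac
        claimed = mac_to_ips.setdefault(smac, set())
        if claimed and sip not in claimed:
            alerts.append(("multi-ip", smac, sorted(claimed | {sip})))
        claimed.add(sip)
    return alerts

# Mallory's and Bob's MACs are the ones quoted in the article; Alice's MAC
# and all IP addresses are constructed for this example.
ALICE, BOB, MALLORY = "02:00:00:00:00:a1", "00:15:6d:85:e0:c6", "00:60:b3:25:c0:37"
ALICE_IP, BOB_IP, MALLORY_IP = "192.168.0.3", "192.168.0.4", "192.168.0.5"
SAMPLE = [
    build_arp(2, ALICE, ALICE_IP, BOB, BOB_IP),          # genuine reply
    build_arp(2, BOB, BOB_IP, ALICE, ALICE_IP),          # genuine reply
    build_arp(2, MALLORY, MALLORY_IP, ALICE, ALICE_IP),  # genuine reply
    build_arp(2, MALLORY, BOB_IP, ALICE, ALICE_IP),      # forged: Bob's IP at Mallory's MAC
    build_arp(2, MALLORY, ALICE_IP, BOB, BOB_IP),        # forged: Alice's IP at Mallory's MAC
]
if __name__ == "__main__":
    print(*detect_spoofing(SAMPLE), sep="\n")
```

A DHCP reassignment or a router doing proxy ARP can produce the same alerts, so a real deployment would allow-list known devices.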