What Is MITM? – In this Blogs, we will take a look at how we can conduct advanced attacks using what we have learned so far. We will primarily focus on the Man-in-the-Middle (MITM) attack, which requires a certain amount of skill and practice to conduct successfully. Once we have done this, we will use this MITM attack as a base from which to conduct more sophisticated attacks such as eavesdropping and session hijacking.
A Man-in-the-Middle attack
MITM attacks are probably one of the most potent attacks on a WLAN system. There are different configurations that can be used to conduct the attack. We will use the most common one—the attacker is connected to the internet using a wired LAN and is creating a fake access point on his client card. This access point broadcasts an SSID similar to a local hotspot in the vicinity. A user may accidently get connected to this fake access point (or can be forced to via the higher signal strength theory we discussed in the previous chapters) and may continue to believe that he is connected to the legitimate access point.
The attacker can now transparently forward all the user’s traffic over the internet using the bridge he has created between the wired and wireless interfaces.
In the following lab exercise, we will simulate this attack.
Follow these instructions to get started:
- To create the MITM attack setup, we will first create a soft access point called mitm on the hacker laptop using airbase-ng . We run the following command: airbase-ng –essid mitm -c 11 wlan0mon
- It is important to note that airbase-ng , when run, creates an interface at0 (a tap interface). Think of this as the wired-side interface of our software-based access point mitm :
- Let’s now create a bridge on the hacker’s laptop, consisting of the wired ( eth0 ) and wireless interface ( at0 ). The succession of commands used for this is as follows:
brctl addbr mitm-bridge
brctl addif mitm-bridge eth0
brctl addif mitm-bridge at0
ifconfig eth0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
- We can assign an IP address to this bridge and check the connectivity with the gateway. Please note that we can do this using DHCP as well. We can assign an IP address to the bridge interface with the following command:
ifconfig mitm-bridge 192.168.0.199 up We can then try pinging the gateway 192.168.0.1 to ensure that we are
connected to the rest of the network.
- Let’s now turn on IP forwarding in the kernel, so that routing and packet forwarding can happen correctly, using the following command: echo 1 > /proc/sys/net/ipv4/ip_forward
The output of the command is as follows:
- Now let’s connect a wireless client to our access point mitm . It will automatically get an IP address over DHCP (the server running on the wired-side gateway). The client machine in this case receives the IP address 192.168.0.197 . We can ping the wired-side gateway 192.168.0.1 to verify connectivity:
- We can see that the host responds to the ping requests, as shown here:
- We can also verify that the client is connected by looking at the airbase-ng terminal on the hacker’s machine:
- It is interesting to note here that, because all the traffic is being relayed from the wireless interface to the wired-side, we have full control over the traffic. We can verify this by starting Wireshark and sniffing on the at0 interface:
- Let’s now ping the gateway 192.168.0.1 from the client machine. We can see the packets in Wireshark (apply a display filter for ICMP), even though the packets are not destined for us. This is the power of MITM attacks:
We successfully created the setup for a wireless MITM attack. We did this by creating a fake access point and bridging it with our Ethernet interface. This ensured that any wireless client connecting to the fake access point will perceive that it is connected to the internet via the wired LAN.
In the previous exercise, we bridged the wireless interface with a wired one. As we noted earlier, this is one of the possible connection architectures for an MITM. There are other combinations possible as well. An interesting one would be to have two wireless interfaces, one that creates the fake access point and the other interface that is connected to the authorized access point. Both these interfaces are bridged. So, when a wireless client connects to our fake access point, it gets connected to the authorized access point through the attacker’s machine.
Please note that this configuration would require the use of two wireless cards on the attacker’s laptop.
Check whether you can conduct this attack using the in-built card on your laptop along with the external one—bear in mind, you may not have the injection drives required for this activity. This should be a good challenge!
Hope You Love This Blog For More Blogs Please Comment Down And For More Hacking Content Click Here