
Clarification Needed On Wireless Mitm



First I would like to say hey to everyone on my first post. Quick question that I hope someone can help clarify for me.

I have used Ettercap and a single wireless NIC many times to demo a MITM attack for coworkers or fellow students.

For some reason I keep going back and forth on the exact path of the packets in a configuration of one AP and 2 wireless clients, one being the attacker. No rogue AP involved here; as I said, the attack PC has one wireless NIC and is running Ettercap just as you would in a wired switched environment.

Question: once you have successfully ARP poisoned the wireless client and the AP, does the wireless client then communicate directly with the attacker, or do the packets still have to go through the AP? In my head, your hub and spoke pattern, the AP being the hub and the two clients being the spokes, now would look like you are the hub and the wireless client victim and the AP are the spokes.

So, the way I see it, you need to have a good wireless connection not only with the AP when using this type of attack, but also with the client. Does this sound correct? I do this in a lab environment so this is never an issue, but I have this question come up every once in a while and would like to answer it correctly. No luck finding a diagram of this with wireless clients. Thanks for the help.


Guest leg3nd

Basically the ARP poisoning attack is giving out false information saying that you're the router, so what happens is the packets will flow to you, then you will forward them on to the router, who will then forward it to the correct destination. This is why in Linux you must enable IPv4 forwarding (echo "1" > /proc/sys/net/ipv4/ip_forward). If you run a route -n on a Linux box while being attacked, you can see it in action. ;)

As with all electronics really, yes, the connection will only run as fast as the slowest component; if you have a bad connection to the wireless AP then you're going to bottleneck everything that's going through you.

The diagram is really just a tool to explain it. If you're ARP poisoning them it goes: VICTIM > ATTACKER MACHINE > ROUTER > INET

While normally it SHOULD go: VICTIM > ROUTER > INET

Hence the term "man in the middle". Hope this clears things up for you. :)

Edited by leg3nd

What leg3nd explained to you so far is correct; whether you are on a wired or wireless network, it won't really matter.

If you are the attacker, or the man in the middle, all traffic coming from the victim computer will pass straight through your computer and then be forwarded on to the real gateway.

So you are now officially the default gateway for the victim; the victim does not know the attack took place, as it all happens transparently in the background.

The best way to mitigate this attack is to set the default gateway MAC address on your computer statically, and to deploy ArpON on your computer.

Edited by Infiltrator
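The two replies above describe the same mechanism from two sides: leg3nd's VICTIM > ATTACKER MACHINE > ROUTER path exists because the victim's ARP cache now maps the gateway IP to the attacker's MAC, and Infiltrator's mitigation (a static gateway entry) works because a pinned entry is never rewritten by an incoming reply. The following added example, written for this thread and not code from either poster or from Ettercap or ArpON, shows both in one small ARP monitor: it parses raw Ethernet/IPv4 ARP bodies, tracks IP-to-MAC bindings, and raises an alert when a reply rewrites a learned binding or contradicts a pinned one. All MAC and IP addresses, and the capture itself, are constructed for the demo; a real monitor would feed `observe()` from a raw socket or pcap instead.

```python
"""ARP-poisoning detector for the one-AP, two-client scenario in this thread.

Constructed sample data only: no real capture, no real hosts.
"""
import struct

# Ethernet/IPv4 ARP body: htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
ARP = struct.Struct("!HHBBH6s4s6s4s")
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a 28-byte ARP body (no Ethernet header); used to construct the sample below."""
    return ARP.pack(1, 0x0800, 6, 4, op,
                    mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(body: bytes):
    """Parse an Ethernet/IPv4 ARP body into a dict, or return None if it is not one."""
    if len(body) < ARP.size:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(body)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Track IP->MAC bindings seen in ARP replies and flag the rewrites a poisoner needs."""

    def __init__(self, pinned: dict):
        self.pinned = dict(pinned)   # admin-supplied static bindings, like `arp -s <ip> <mac>`
        self.learned = {}            # ip -> first MAC seen claiming it
        self.alerts = []

    def observe(self, body: bytes) -> None:
        pkt = parse_arp(body)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return  # only replies carry an "IP is-at MAC" claim that updates a cache
        ip, mac = pkt["spa"], pkt["sha"]
        if ip in self.pinned and self.pinned[ip] != mac:
            # a static entry would ignore this reply; a monitor should still report it
            self.alerts.append(f"pinned {ip} is {self.pinned[ip]}, reply claims {mac}")
        elif ip in self.learned and self.learned[ip] != mac:
            self.alerts.append(f"{ip} moved from {self.learned[ip]} to {mac}")
        self.learned.setdefault(ip, mac)  # keep the first binding so flip-flops keep alerting


# Constructed addresses for the demo (hypothetical, not from any real network).
ROUTER = "00:11:22:33:44:01"
VICTIM = "00:11:22:33:44:50"
ATTACKER = "00:11:22:33:44:99"
GATEWAY_IP, VICTIM_IP = "192.168.1.1", "192.168.1.50"

SAMPLE_CAPTURE = [
    build_arp(ARP_REPLY, ROUTER, GATEWAY_IP, VICTIM, VICTIM_IP),    # router answers victim
    build_arp(ARP_REPLY, VICTIM, VICTIM_IP, ROUTER, GATEWAY_IP),    # victim answers router
    build_arp(ARP_REPLY, ATTACKER, GATEWAY_IP, VICTIM, VICTIM_IP),  # poison: "gateway is-at attacker"
    build_arp(ARP_REPLY, ATTACKER, VICTIM_IP, ROUTER, GATEWAY_IP),  # poison: "victim is-at attacker"
]


def run_demo(pin_gateway: bool = True) -> list:
    """Replay the constructed capture and return the alerts raised."""
    watch = ArpWatch({GATEWAY_IP: ROUTER} if pin_gateway else {})
    for body in SAMPLE_CAPTURE:
        watch.observe(body)
    return watch.alerts


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT:", line)
```

With the gateway pinned, the first poison reply is reported as a contradiction of the static entry and the second as the victim's binding moving to the attacker's MAC; without the pin, the gateway binding simply "moves", which is exactly the rewrite that puts the attacker between the victim and the router. Pinning protects only the host that holds the static entry, so the router-side poison is still the thing to watch for.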

Actually, it does matter to some extent depending on the hardware involved. Some wireless routers have a feature called AP Isolation, where they separate the nodes from wireless and wired clients so they can't speak to or see each other on layer 2. This can cause MITM attacks to not work when enabled, since it essentially breaks the bridging in the router, so MAC addresses on the wireless side can't speak to other wireless devices nor the wired side at layer 2. It also prevents broadcasts from forwarding. At least that is what I have read in some places.

A normal MITM requires each node to have access and association with the router. From there, the attacker spoofs his MAC to the client as the router, and spoofs his MAC as the client to the router. If AP Isolation is involved, you only flow through the router, by which the router will know who everyone is speaking with and will filter the MITM. If however AP Isolation is off, then the MITM should work as usual, which is the same on wired and wireless networks, although on wired networks, when the router does an ARP update, it tends to hose the network up, whereas on wireless it seems to work more often than on physically switched networks.


Guest leg3nd

Some wireless routers have a feature called AP Isolation

Ah yea, what a great feature. I see more and more open APs implementing this now.

One solution would be to whip out my Pineapple and deauth them into the ground and onto my layer 2 network. :D

I was working on a project like this a few weeks ago; I ended up porting an Ubuntu image over to my Droid 1 and throwing some BackTrack tools and Fluxbox on it. Its functionality involves a lot of what Echelon was asking, requiring a good wireless connection to not lag out everyone.

Kind of a nice little inconspicuous sniffer though for pentests. Tape it under a desk by the router for 5-6 hours, then SSH into it and grab the logs. :ph34r:


Edited by leg3nd