Echelon Posted April 6, 2011
First I would like to say hey to everyone on my first post. Quick question that I hope someone can help clarify for me. I have used Ettercap and a single wireless NIC many times to demo a MITM attack for coworkers or fellow students. For some reason I keep going back and forth on the exact path of the packets in a configuration of one AP and 2 wireless clients, one being the attacker. No rogue AP involved here; as I said, the attack PC has one wireless NIC and is running Ettercap just as you would in a wired switched environment. Question: once you have successfully ARP poisoned the wireless client and the AP, does the wireless client then communicate directly with the attacker, or do the packets still have to go through the AP? In my head, your hub and spoke pattern, the AP being the hub and the two clients being the spokes, now would look like you are the hub and the wireless client victim and the AP are the spokes. So, the way I see it, you need to have a good wireless connection not only with the AP when using this type of attack, but also with the client. Does this sound correct? I do this in a lab environment so this is never an issue, but I have this question come up every once in a while and would like to answer it correctly. No luck finding a diagram of this with wireless clients. Thanks for the help.
Guest leg3nd Posted April 8, 2011 (edited)
Basically the ARP poisoning attack is giving out false information saying that you're the router, so what happens is the packets will flow to you, then you will forward them on to the router, who will then forward it to the correct destination. This is why in Linux you must enable IPv4 forwarding (echo "1" > /proc/sys/net/ipv4/ip_forward). If you run a route -n on a Linux box while being attacked, you can see it in action. ;) As with all electronics really, yes the connection will only run as fast as the slowest component; if you have a bad connection to the wireless AP then you're going to bottleneck everything that's going through you. The diagram is really just a tool to explain it; if you're ARP poisoning them it goes: VICTIM > ATTACKER MACHINE > ROUTER > INET While normally it SHOULD go: VICTIM > ROUTER > INET Hence the term "man in the middle". Hope this clears things up for you. :)
Edited April 8, 2011 by leg3nd
Infiltrator Posted April 9, 2011 (edited)
What leg3nd explained to you so far is correct; whether you are on a wired or wireless network, it won't really matter. If you are the attacker or the man in the middle, all traffic coming from the victim computer will pass straight through your computer and then be forwarded on to the real gateway. So you are now officially the default gateway for the victim; the victim does not know the attack took place, as it all happens transparently in the background. The best way to mitigate this attack is to set the default gateway MAC address on your computer statically, and deploy ArpON on your computer.
Edited April 9, 2011 by Infiltrator
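As an added example (not from this thread, and not ArpON's code), here is a passive check in the spirit of Infiltrator's mitigation: it keeps a static IP-to-MAC binding for the gateway, flags ARP replies that contradict it or that change a previously learned binding, and also flags one MAC claiming both the gateway and a client address, which is the footprint of the VICTIM > ATTACKER > ROUTER path leg3nd describes. The sample replies and all MAC addresses are constructed for the example.

```python
from collections import defaultdict

# Static binding for the gateway, the control Infiltrator suggests (constructed values).
GATEWAY_IP = "192.168.1.1"
KNOWN_BINDINGS = {GATEWAY_IP: "aa:bb:cc:00:00:01"}

# Constructed ARP replies as a passive sniffer on the same segment would see them:
# (sender IP, sender MAC, target IP, target MAC). Replies 3 and 4 show a third MAC
# claiming first the gateway's address and then the client's address.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01", "192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.20", "aa:bb:cc:00:00:20", "192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("192.168.1.1",  "aa:bb:cc:00:00:99", "192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.20", "aa:bb:cc:00:00:99", "192.168.1.1",  "aa:bb:cc:00:00:01"),
]


def detect_arp_spoofing(replies, known_bindings):
    """Return a list of (kind, detail) alerts for suspicious ARP replies.

    kinds: 'static-violation' (reply contradicts a configured binding),
           'binding-change'   (reply contradicts the first binding we learned),
           'mac-claims-many'  (one MAC now answers for more than one IP).
    """
    alerts = []
    learned = {ip: mac.lower() for ip, mac in known_bindings.items()}  # ip -> mac
    ips_per_mac = defaultdict(set)                                      # mac -> {ip}
    for sender_ip, sender_mac, _target_ip, _target_mac in replies:
        sender_mac = sender_mac.lower()
        if sender_ip in known_bindings and known_bindings[sender_ip].lower() != sender_mac:
            alerts.append(("static-violation",
                           f"{sender_ip} claimed by {sender_mac}, expected {known_bindings[sender_ip]}"))
        elif sender_ip in learned and learned[sender_ip] != sender_mac:
            alerts.append(("binding-change",
                           f"{sender_ip} was {learned[sender_ip]}, now {sender_mac}"))
        learned.setdefault(sender_ip, sender_mac)  # keep the first binding seen
        ips_per_mac[sender_mac].add(sender_ip)
        if len(ips_per_mac[sender_mac]) > 1:
            alerts.append(("mac-claims-many",
                           f"{sender_mac} -> {sorted(ips_per_mac[sender_mac])}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect_arp_spoofing(SAMPLE_ARP_REPLIES, KNOWN_BINDINGS):
        print(f"[{kind}] {detail}")
```

The first two sample replies produce no alerts; the last two produce one alert of each kind.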
digip Posted April 9, 2011
Actually it does matter to some extent, depending on the hardware involved. Some wireless routers have a feature called AP Isolation, where they separate the nodes from wireless and wired clients, so they can't speak to or see each other on layer 2. This can cause MITM attacks to not work when enabled, since it essentially breaks the bridging in the router so MAC addresses on the wireless side can't speak to other wireless devices nor the wired side at layer 2. It also prevents broadcasts from forwarding. At least that is what I have read in some places. A normal MITM requires each node to have access and association with the router. From there, the attacker spoofs his MAC to the client as the router, and spoofs his MAC as the client to the router. If AP Isolation is involved, you only flow through the router, by which the router will know who everyone is speaking with and will filter the MITM. If however AP Isolation is off, then the MITM should work as usual, which is the same on wired and wireless networks, although on wired networks, when the router does an ARP update, it tends to hose the network up, whereas on wireless it seems to work more often than on physically switched networks.
Guest leg3nd Posted April 9, 2011 (edited)
> Some wireless routers have a feature called AP Isolation
Ah yeah, what a great feature. I see more and more open APs implementing this now. One solution would be to whip out my pineapple and deauth them into the ground and onto my layer 2 network. :D I was working on a project like this a few weeks ago; I ended up porting a Ubuntu image over to my Droid 1 and throwing some BackTrack tools and Fluxbox on it. Its functionality involves a lot of what Echelon was asking, requiring a good wireless connection to not lag out everyone. Kinda a nice little inconspicuous sniffer though for pentests. Tape it under a desk by the router for 5-6 hours, then SSH into it and grab the logs. http://info-s3curity.com/blogg/?p=110
Edited April 9, 2011 by leg3nd