4.2 - Wireless Eavesdropping with MITM attack
- The first step in this attack, as usual, is the attacker creating a virtual monitoring interface mon0 attached to the physical interface wlan0.
- Then, a fake AP called "mitm" is created using airbase-ng, broadcasting its beacon frames on channel 6:
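The beacon frames the fake AP broadcasts on channel 6 are also what gives it away. The following is an added example (not code from the original write-up) of the check a wireless IDS applies to them: every observed (BSSID, SSID, channel) is compared with an inventory of authorised access points, and anything that is not in the inventory, or that reuses an inventoried SSID from an unknown radio, is flagged. The inventory entries and the BSSIDs are constructed placeholders; only the SSID "mitm" and channel 6 come from the write-up.

```python
"""Rogue access-point detection from beacon observations.

Added example, not part of the original write-up. Each observed
(BSSID, SSID, channel) is compared with an inventory of authorised APs.
All BSSIDs and the inventory are constructed placeholders; only the SSID
"mitm" on channel 6 is taken from the write-up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str     # MAC address the AP transmits its beacons from
    ssid: str
    channel: int


def normalise_mac(mac):
    """Lower-case, trimmed form so scanners that differ in case still match."""
    return mac.strip().lower()


# Constructed inventory: BSSID -> (SSID, channel) of every authorised AP.
AUTHORISED = {
    "00:11:22:33:44:55": ("lab-net", 1),
}

# Constructed observations, as a scanner would collect them over time.
OBSERVED = [
    Beacon("00:11:22:33:44:55", "lab-net", 1),
    Beacon("00:11:22:33:44:55", "lab-net", 1),    # repeated beacon, same AP
    Beacon("AA:BB:CC:DD:EE:FF", "mitm", 6),       # the fake AP from the write-up
    Beacon("aa:bb:cc:dd:ee:01", "lab-net", 6),    # our SSID from a radio we do not own
    Beacon("00:11:22:33:44:55", "lab-net", 11),   # inventoried AP seen on another channel
]


def classify(beacon, authorised):
    """Return a verdict string for one beacon."""
    bssid = normalise_mac(beacon.bssid)
    known_ssids = {ssid for ssid, _ in authorised.values()}
    if bssid in authorised:
        ssid, channel = authorised[bssid]
        if beacon.ssid != ssid:
            return "ssid-mismatch"      # inventoried BSSID announcing a different SSID
        if beacon.channel != channel:
            # The AP may have re-tuned, or someone is cloning its BSSID:
            # worth confirming against the AP itself before dismissing.
            return "channel-mismatch"
        return "authorised"
    if beacon.ssid in known_ssids:
        return "evil-twin"              # known SSID, unknown BSSID
    return "unknown-ap"                 # e.g. "mitm": not in the inventory at all


def rogue_report(observations, authorised):
    """Deduplicate observations and group them by verdict.

    Returns {verdict: sorted list of (bssid, ssid, channel)}.
    """
    report = {}
    for beacon in set(observations):
        verdict = classify(beacon, authorised)
        entry = (normalise_mac(beacon.bssid), beacon.ssid, beacon.channel)
        report.setdefault(verdict, []).append(entry)
    for entries in report.values():
        entries.sort()
    return report


if __name__ == "__main__":
    for verdict, entries in sorted(rogue_report(OBSERVED, AUTHORISED).items()):
        for bssid, ssid, channel in entries:
            print(f"{verdict:17s} {bssid}  ssid={ssid!r}  ch={channel}")
```

Feeding the scanner output of a real deployment into `rogue_report` needs only the inventory to be filled in; the verdicts that matter for this write-up are "unknown-ap" (an SSID such as "mitm" that nobody registered) and "evil-twin" (the legitimate SSID re-announced by a BSSID that is not yours).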
- After running airbase-ng there is a new interface called at0 (a tap interface), which can be considered the wired-side interface of the virtual fake AP, whereas mon0 is its wireless-side interface:
- The next step consists of establishing a bridge called "puente" between at0 and the physical Ethernet interface eth0:
- Interfaces eth0 and at0 are added to the bridge "puente":
- Both interfaces are brought up:
- Verifying that the bridge "puente" has been correctly created:
- The bridge "puente" is assigned a static IP, 192.168.0.50 (it could also be done dynamically with DHCP):
- A very important step is to prepare the attacker "kali" to route and forward packets, turning IP forwarding on:
- At this moment of the attack, let's consider that the victim "roch" connects to the fake AP "mitm":
- airbase-ng immediately detects that "roch" (28:C6:8E:63:15:6B) has connected to "mitm":
- One interesting aspect of the connection is that the victim "roch" automatically gets a dynamic IP, because on the wired side the legitimate AP is running the DHCP service. So, as the victim connects to the network (through the fake AP), it is also considered a host of the network, entitled to be assigned an IP address and DNS servers:
- Now, the victim "roch" can ping the default gateway of the network, 192.168.0.1:
- Also, the victim "roch" has access to the Internet, pinging Google's public DNS 8.8.8.8:
- Because the attacker "kali" is located between the victim and the legitimate AP, he is able to sniff, see and analyze all the traffic sent and received by "roch". Let's see what happens when the victim "roch" decides to connect to www.ual.es:
- "kali" runs Wireshark, whose "Follow TCP stream" option shows all the packets of a single TCP stream, displayed in order:
- Applying that option, the filter "tcp.stream eq 18" is generated automatically. Then, the whole conversation between the victim "roch" and "www.ual.es" is available for the attacker "kali" to analyze and eavesdrop.
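What "Follow TCP stream" reconstructs is the same reassembly a forensic analyst or an IDS performs on a capture: segments are grouped into conversations (numbered in first-seen order, which is where Wireshark's tcp.stream index comes from) and each direction's payload is put back in sequence-number order. The following is an added example, not code from the original write-up: packets are modelled as plain records with only the fields reassembly needs, and the segments are constructed here (only the two IP addresses are taken from the write-up). It also handles the cases a real capture throws at you: an out-of-order segment, a retransmission, and a missing segment, which is reported instead of being silently bridged.

```python
"""Following a TCP stream, as Wireshark's "Follow TCP stream" does.

Added example, not code from the original write-up. Segments are plain
records; the sample capture below is constructed (the two IP addresses come
from the write-up, everything else is made up).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


def stream_key(seg):
    """Direction-independent key: both halves of a conversation map to it."""
    a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
    return (a, b) if a <= b else (b, a)


def index_streams(segments):
    """Number conversations in first-seen order (like the tcp.stream field)
    and group the segments under that number."""
    ids, streams = {}, defaultdict(list)
    for seg in segments:
        key = stream_key(seg)
        ids.setdefault(key, len(ids))
        streams[ids[key]].append(seg)
    return dict(streams)


def follow(segments):
    """Reassemble each direction of one stream by sequence number.

    Out-of-order segments are sorted, already-seen bytes (retransmissions,
    overlaps) are discarded, and a hole is marked rather than guessed.
    Returns {(src, sport, dst, dport): bytes}.
    """
    by_dir = defaultdict(list)
    for seg in segments:
        if seg.payload:                      # pure ACK/FIN carries no data
            by_dir[(seg.src, seg.sport, seg.dst, seg.dport)].append(seg)
    result = {}
    for direction, segs in by_dir.items():
        segs.sort(key=lambda s: s.seq)
        data, expected = bytearray(), segs[0].seq
        for s in segs:
            if s.seq > expected:             # lost segment: say so, don't invent bytes
                data += b"[%d bytes missing]" % (s.seq - expected)
                expected = s.seq
            skip = expected - s.seq          # bytes this segment repeats
            if skip < len(s.payload):
                data += s.payload[skip:]
                expected = s.seq + len(s.payload)
        result[direction] = bytes(data)
    return result


# Constructed capture: a TLS connection first (becomes stream 0), then the
# plaintext HTTP exchange with 193.147.117.18 (becomes stream 1), delivered
# out of order and with one retransmitted segment.
VICTIM, SERVER = ("192.168.0.15", 51234), ("193.147.117.18", 80)
PACKETS = [
    Segment("192.168.0.15", 51200, "8.8.8.8", 443, 1, b"\x16\x03\x01"),
    Segment(*VICTIM, *SERVER, 1016, b"Host: www.ual.es\r\n\r\n"),   # arrives before its predecessor
    Segment(*VICTIM, *SERVER, 1000, b"GET / HTTP/1.1\r\n"),
    Segment(*VICTIM, *SERVER, 1000, b"GET / HTTP/1.1\r\n"),         # retransmission
    Segment(*SERVER, *VICTIM, 5000, b"HTTP/1.1 200 OK\r\nContent-Length: 13\r\n\r\n"),
    Segment(*SERVER, *VICTIM, 5039, b"<html></html>"),
    Segment(*SERVER, *VICTIM, 5052, b""),                           # FIN, no payload
]


def follow_stream(packets, index):
    """Convenience wrapper: reassemble stream number `index` of a capture."""
    return follow(index_streams(packets)[index])


if __name__ == "__main__":
    for direction, data in follow_stream(PACKETS, 1).items():
        print("%s:%d -> %s:%d" % direction)
        print(data.decode("ascii", "replace"))
```

Because the request and response are plain HTTP, the reassembled bytes are the full conversation; the same reassembly applied to the stream numbered 0 here yields only TLS records, which is the practical difference between the two connections from the position of someone sitting on the bridge.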
- In the next screenshot, "roch" (192.168.0.15) and "www.ual.es" (193.147.117.18) establish a TCP and HTTP session, which is being captured by the attacker "kali":
- It can be checked that 193.147.117.18 corresponds to www.ual.es:
- Also with whois: