4.3 - Web session hijacking over wireless with MITM attack
- To demonstrate this practice, let's start up the Apache server on the "kali" machine and have a look at the default page:
- Entering 127.0.1.1 as the URL brings up the Apache default page. It will be useful for comparison with what "roch" gets later when browsing:
- In order to launch the web session hijacking attack, the attacker needs to send fake DNS responses that resolve the names requested by "roch" to "kali"'s own IP address. The dnsspoof command is available for that purpose. As the victim "roch" (192.168.0.15) sends DNS requests (to DNS server 24.159.40.53, provided by the ISP), the attacker records everything at its terminal:
- Now let's see what happens when the victim "roch" tries to connect again to "www.ual.es". Because the session is hijacked by the spoofed DNS responses, "roch" is able to see only what "kali" allows him to see. In this case, that is the default page of the Apache server:
- The victim "roch" sends an HTTP request for "www.ual.es", but it actually receives the default page of "kali"'s Apache server:
- The conclusion of this practice is that the attacker is able to modify data when relaying responses to the victim, who remains unaware of the attack. The dnsspoof tool running on the attacker's laptop sends DNS responses to the victim that carry the attacker's own IP address in place of the original one. The victim accepts these responses and sends HTTP requests to the attacker's IP address on port 80. What the responses contain is up to the attacker, whatever he wants the client to believe: perhaps a masquerade web site imitating the legitimate one so that the victim enters credentials, perhaps spoofed email, ..., or simply removing the victim's ability to connect to the Internet, in which last case it would be considered a Denial of Service attack.
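
The redirection described in this practice leaves two traces a defender can look for in the DNS replies reaching the victim: a public name answered with an address on the victim's own LAN, and two replies with different answers for the same query when the genuine reply also arrives. The following is an added example, not part of the original practice; the /24 netmask, the `.lan`/`.local` suffixes, the function name and all addresses other than 192.168.0.15 are assumptions or constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Assumption: the victim's LAN is a /24 around 192.168.0.15 (the page gives no netmask).
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample: one tuple per DNS A reply seen at the victim, as
# (client, transaction id, query name, first A record). 192.168.0.20 stands in
# for the attacker and 198.51.100.10 for the genuine host; neither is from the page.
SAMPLE = [
    ("192.168.0.15", 0x1A2B, "www.ual.es", "192.168.0.20"),
    ("192.168.0.15", 0x1A2B, "www.ual.es", "198.51.100.10"),
    ("192.168.0.15", 0x3C4D, "example.org", "198.51.100.77"),
    ("192.168.0.15", 0x5E6F, "printer.lan", "192.168.0.9"),
]

def find_spoofing(responses, lan=LAN, local_suffixes=(".lan", ".local")):
    """Return {(client, txid, name): [reasons]} for suspicious DNS replies."""
    answers = defaultdict(list)
    for client, txid, name, addr in responses:
        answers[(client, txid, name.lower().rstrip("."))].append(addr)

    alerts = {}
    for key, addrs in answers.items():
        name, reasons = key[2], []
        # A forged reply that races the real resolver shows up as two replies
        # with different answers for the same transaction.
        if len(set(addrs)) > 1:
            reasons.append("conflicting answers: " + ", ".join(sorted(set(addrs))))
        # A public name resolving to a host on the client's own LAN matches the
        # redirection to a local web server shown in this practice.
        if not name.endswith(local_suffixes):
            local = [a for a in addrs if ipaddress.ip_address(a) in lan]
            if local:
                reasons.append("public name resolved to LAN address: " + ", ".join(local))
        if reasons:
            alerts[key] = reasons
    return alerts

if __name__ == "__main__":
    for (client, txid, name), reasons in find_spoofing(SAMPLE).items():
        print(f"{client} txid={txid:#06x} {name}: {'; '.join(reasons)}")
```

Both checks are heuristics: round-robin DNS or split-horizon names can trigger them, so the suffix list and LAN range need to match the network being monitored.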