A wi-fi man-in-the-middle attack that cannot be ignored

Source: Internet
Author: User
Tags: dns spoofing

Man-in-the-middle attack Concept

The concept of a man-in-the-middle attack was first defined in cryptography, so it is nothing new. The principle of a man-in-the-middle attack can be illustrated as follows:


Following the usual convention in cryptography, we call the parties Alice, Bob, and Eve. Alice wants to communicate with Bob, but she does not expect the communication link to be deliberately intercepted by the attacker Eve. Eve impersonates Bob towards Alice and impersonates Alice towards Bob, so each of them believes they have established a link directly with the other; Alice and Bob are completely unaware of this, that is, Eve is transparent to both of them. In this way, Eve can read and store the data Alice sends to Bob and then relay it to Bob, and do exactly the same with the data Bob sends to Alice. The consequences are obvious.

Reasons why Wi-Fi is vulnerable to man-in-the-middle attacks

From the concept above, you can see that two technical conditions must be met to carry out a man-in-the-middle attack. First, the data traffic between the two parties that should be communicating with each other must be forwarded or relayed through the attacker; we call this traffic redirection. Second, once the traffic has been diverted, the attacker must not arouse suspicion on either side of the communication; this is called identity disguise.
In a wired network environment, traffic redirection is not easy: ARP spoofing is needed on a LAN and DNS spoofing on a wide area network, and both are comparatively easy to defend against and to detect.
In a Wi-Fi environment, you will find that these two conditions are very easy to meet. The attacker only needs to use the same SSID as the valid access point (and, if the network is encrypted, the same authentication/encryption algorithms and the same pre-shared key), and to make the forged access point's signal at the victim stronger than that of the valid access point. The attacker connects to the valid access point as a client and relays the traffic between the victim and the valid access point. The data can then be read in plain text, or more advanced attacks can be carried out on top of this position.

Low-cost Wi-Fi man-in-the-middle attack practices

1. OPEN Wi-Fi
On Linux (with two wireless network cards), hostapd and dhcpd are used to build the forged access point. The attacker first connects wireless interface 1 to the valid access point, then configures hostapd with the same SSID as the valid access point and puts wireless interface 2 into access point mode. When the attacker is close to the victim, the victim's device will automatically connect to the attacker's access point if it sees that this access point has the stronger signal. The attacker forwards data between the victim and the legitimate access point and uses Wireshark to dump it in plain text; Wireshark's byte search function can be used to filter out user names, passwords and cookies transmitted in plain text.

2. WPA2-PSK (CCMP + AES) encrypted Wi-Fi
You can still use hostapd and dhcpd on Linux (two wireless adapters) to build the forged access point, but Windows offers a more convenient way: on Windows (single wireless adapter), the netsh wlan command can be used to build it. The attacker first connects to the valid access point, then uses the netsh wlan command to configure an SSID and pre-shared key identical to those of the valid access point and enables this virtual wireless access point. When the attacker is close to the victim, the victim's device will automatically connect to the attacker's access point if it sees that this access point has the stronger signal. While forwarding data between the victim and the legitimate access point, the attacker can still use Wireshark to dump it in plain text; on Windows, however, the more convenient Cain & Abel software can also be used, which directly lists the user names/passwords transmitted in plain text and the captured cookies.

3. HTTPS listeners
On Linux (with two wireless network cards), hostapd and dhcpd are used to build the forged access point. The attacker first connects wireless interface 1 to the valid access point, then configures hostapd with the same SSID as the valid access point. For encrypted Wi-Fi, the authentication/encryption mode and the pre-shared key must also be configured to match the valid access point. Wireless interface 2 is then put into access point mode. When the attacker is close to the victim, the victim's device will automatically connect to the attacker's access point if it sees that this access point has the stronger signal. The attacker forwards data between the victim and the legitimate access point and uses sslsniff to mount a man-in-the-middle attack on the HTTPS traffic. The HTTPS data is dumped in plain text, so user names and passwords can be searched for in the logs and the HTTP content can be parsed.
It should be noted that HTTPS can be attacked this way only because of insufficient security awareness on the user's part or insufficient security considerations in the user's terminal software. The attacker cannot forge a valid digital certificate: the forged certificate uses a different public/private key pair and is generally self-signed. A secure browser will warn the user that the peer's digital certificate is untrusted, but the user usually clicks Continue, because otherwise the site cannot be accessed; in this case the user's business need outweighs the security considerations. The browser software on some smart mobile terminals has even weaker security considerations: if no security warning is shown at all, the communication simply continues, and users face an even more severe threat.
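As an added example (not part of the original article), here is a defender-side check for the evil-twin pattern shared by the three scenarios above: a beacon that advertises one of our own SSIDs from a BSSID not in the inventory, with a different security configuration than expected, or with a stronger signal than the legitimate radio. The inventory and the scan records are constructed; in practice the records would come from a wireless scanner in the same shape.

```python
"""Flag evil-twin candidates in Wi-Fi scan results (added example)."""

# Constructed inventory of authorized access points: SSID -> set of BSSIDs.
AUTHORIZED = {
    "CorpGuest": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "CorpSecure": {"00:11:22:33:44:10"},
}
# Constructed expected security configuration per SSID.
EXPECTED_SECURITY = {"CorpGuest": "OPEN", "CorpSecure": "WPA2-PSK/CCMP"}

# Constructed scan results: (ssid, bssid, security, rssi_dbm).
SCAN = [
    ("CorpGuest", "00:11:22:33:44:01", "OPEN", -62),
    ("CorpGuest", "de:ad:be:ef:00:01", "OPEN", -38),            # unknown radio, louder than ours
    ("CorpSecure", "00:11:22:33:44:10", "WPA2-PSK/CCMP", -70),
    ("CorpSecure", "de:ad:be:ef:00:02", "WPA2-PSK/CCMP", -41),  # same SSID and PSK settings, unknown BSSID
    ("CorpSecure", "de:ad:be:ef:00:03", "OPEN", -45),           # same SSID, encryption stripped
    ("CafeWifi", "aa:bb:cc:dd:ee:ff", "OPEN", -80),             # not our network, ignored
]


def find_rogue_aps(scan, authorized=AUTHORIZED, expected=EXPECTED_SECURITY):
    """Return (bssid, ssid, reason) for each beacon that uses one of our SSIDs
    but does not match the inventory. Scan order is preserved."""
    # Strongest signal seen from an authorized radio, per SSID. Used to note
    # when an unknown radio would win the client's automatic selection.
    best_auth = {}
    for ssid, bssid, _sec, rssi in scan:
        if bssid in authorized.get(ssid, ()):
            best_auth[ssid] = max(best_auth.get(ssid, rssi), rssi)

    findings = []
    for ssid, bssid, sec, rssi in scan:
        if ssid not in authorized or bssid in authorized[ssid]:
            continue  # foreign SSID, or a radio we operate ourselves
        if sec != expected[ssid]:
            reason = "security-mismatch"          # e.g. OPEN twin of a WPA2 network
        elif ssid in best_auth and rssi > best_auth[ssid]:
            reason = "unknown-bssid-stronger-signal"  # the evil-twin precondition
        else:
            reason = "unknown-bssid"
        findings.append((bssid, ssid, reason))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(SCAN):
        print(f"{ssid:<11} {bssid}  {reason}")
```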

Security Protection Solution

Because Wi-Fi itself offers no further security mechanisms, Wi-Fi service providers should consider running VPN encryption on top of Wi-Fi. In this way, even if a user connects to a forged access point, the data is protected from eavesdropping.

Considering maturity and wide applicability, L2TP over IPsec VPN is a good choice. Terminal platforms such as Windows, Mac, iOS and Android all support an L2TP over IPsec VPN client by default, so no additional client software needs to be installed. At the same time, the L2TP over IPsec VPN server function is widely supported by firewall vendors, which gives Wi-Fi service providers more options.
