Man-in-the-Middle Attack

Introduction

The vast majority of modern wireless networks operate over the IEEE 802.11 protocol suite, most commonly known as Wi-Fi. This technology usually requires the presence of the wireless access point (AP) to which the wireless clients connect. Alternatively, wireless devices can communicate with each other over the ad-hoc connection. Given the intangible nature of the wireless media, the security issues in 802.11 networks could be more severe compared to the wired telecommunication setup. The Wi-Fi networks are especially susceptible to the man-in-the-middle attacks. According to Pfleeger and Pfleeger (2011), such attacks imply the interception of the data exchange between two legitimate parties (p. 487). Upon intercepting the traffic, the intruder might filter or modify the data before sending it further. This paper explores the most widely used “man-in-the-middle” intrusion techniques.

Man-in-the-Middle Attack

The ARP poisoning is a popular hackers’ approach intended at intercepting the data packets. The network nodes exchange the ARP (Address Resolution Protocol) requests and responses in order to determine the MAC (Media Access Control) addresses associated with the IP addresses. In case of the ARP poisoning, the attacker modifies the MAC address within the fake ARP response so that the IP address points to a different computer (Ciampa, 2011, p. 101). Assuming that the attacker is a wireless node, there is a possibility to intercept the variety of the traffic types. In order to intercept the data exchange between two wired nodes, the attacker would send an ARP reply to Host A, substituting the MAC address of a legitimate Host B. If Host A does not accept unsolicited ARP replies, it could be tricked into an ARP discovery by the ICMP echo request. In both cases, the attack will result in all traffic from Host A to Host B going first to the impostor node. The same scenario applies for the traffic interception between a wireless and wired nodes. Even in case of a genuine ARP request, the victim node can be slow with the reply, in which case the attacker’s ARP response will be accepted. In order to intercept the traffic between two wireless nodes operating in an ad-hoc mode, the attacker can send a fake session termination command to one of them. Then he will use the ARP poisoning to impersonate the node that went off the air. Another scenario for the ad-hoc connection envisages sending the revised traffic via different network path, much like the source routing exploit in wired networks (Pfleeger and Pfleeger, 2011, p. 491).

The variation of the man-in-the-middle is a replay attack, during which the intruder captures 802.11 packets and retransmits them with possible modifications (Fette et. al, 2007, p. 274). Such an attack can be launched using a fake AP positioned between a wireless node and a legitimate AP. The attacker can set up a software-based wireless access point (SoftAP) to capture the traffic. It can be achieved using a new Microsoft Windows 7 function “Hosted Network”, which emulates multiple virtual wireless NICs using a single physical wireless card (Ciampa, 2011, p. 325). Once the SoftAP is set up, the attacker would make sure that its signal is stronger than that of a legitimate AP. The roaming mechanism will force the attacked wireless node to switch to the rogue AP automatically.

Conclusion

The ARP poisoning and the fake AP are the main hacker’s approaches for the man-in-the-middle attack in a wireless environment. Other techniques, such as DNS spoofing and source routing could be used when the attacker has an access to the wired part of the network infrastructure. The only security measure that can prevent the ARP poisoning is the MAC addresses’ filtering on the AP level. The fake APs threat could be diminished applying an enhanced WPA2 encryption protocol instead of the weak WEP mechanism.