
Performing Man in the Middle Attacks Within a Wireless Local Area Network
This paper was downloaded from TechRxiv (https://www.techrxiv.org).

LICENSE

CC BY-NC-SA 4.0

SUBMISSION DATE / POSTED DATE

21-09-2022 / 28-09-2022

CITATION

Buckle, Reece (2022): Performing Man in the Middle Attacks Within a Wireless Local Area Network. TechRxiv. Preprint. https://doi.org/10.36227/techrxiv.21176347.v1

DOI

10.36227/techrxiv.21176347.v1
Performing Man in the Middle Attacks Within a Wireless Local Area Network
Reece Buckle
Department of Electronics and Computer Science
University of Southampton
Southampton, UK
[email protected]

Abstract—This paper explores the ease of use of standard Kali Linux tools to analyse network activity, and conduct a series of man-in-the-middle attacks within a wireless local area network. These tests primarily include ARP poisoning, deauthentication attacks and finally cloning a rogue access point to carry out further social engineering attacks and web browser control (with BeEF). Lastly this paper explores the usage of VPNs to protect a user’s privacy as it is difficult to prevent packet sniffing and man-in-the-middle attacks outright.

Index Terms—WLAN, Wi-Fi, Rogue Access Points, ARP Poisoning, Deauthentication, Evil Twin Attack, MitM, Packet Sniffing, Nmap, Wireshark, Tcpdump, Ettercap, Wifipumpkin3, Aircrack-ng, BeEF, VPN, PiVPN, OpenVPN, WireGuard

I. INTRODUCTION

Despite the existence of Wi-Fi security protocols, such as WPA2-PSK (Wi-Fi Protected Access 2 with Pre-Shared Key authentication), an adversary can still probe network devices and intercept and sniff traffic within a wireless local area network (WLAN). In a coffee shop style scenario, an adversary could deploy low budget remote access tools to disconnect users from an access point (AP), clone the AP, and trick a user into joining the cloned AP. One such example is the evil twin attack (ETA), which is designed to circumvent WPA2-PSK protection by sniffing the 4-way handshake that occurs during authentication, and using social engineering to capture login details directly. However, even if an adversary cannot gain access into a WLAN, they can still perform man-in-the-middle (MitM) attacks such as ARP cache poisoning to intercept and sniff user traffic. This report investigates the usage of Kali Linux tools to perform network analysis and MitM attacks such as ARP poisoning and ETA. Following this, a VPN server was established to compare its effect on intercepted traffic.

II. SETUP

To perform several MitM attacks, and to analyse and manipulate traffic, the following equipment was used:
• Raspberry Pi 3 Model B+ (Pi VPN server)
• Raspberry Pi 4 Model B (with Kali Linux)
• TurboTenna Wi-Fi Antenna (2200mW, 802.11n), capable of monitor mode, hosting APs and packet injection

Fig. 1. Equipment Used

Both Raspberry Pis were configured with SSH and Xrdp for remote desktop protocol (RDP). This allows deployment and remote access from a computer within the same WLAN. Regarding the VPN server, a static DNS address (with NoIP) was used to enable remote access from any network.

III. PACKET SNIFFING WITH WIRESHARK & TCPDUMP

Traffic intercepted (from ARP spoofing or rogue APs) can be captured and analysed with Tcpdump or Wireshark. Tcpdump is a command line interface (CLI) tool which is suited for remote use over SSH. Packet information can be saved to a pcap file with the following command: ‘tcpdump -w output.pcap -i eth0’, where eth0 is the Ethernet interface the Raspberry Pi is listening on. Wireshark, however, is a graphical tool which is more appropriate when using RDP.

HTTP and Telnet are examples of deprecated non-encrypted protocols in which no privacy is offered and which a MitM can ‘sniff’ easily. HTTP is the original protocol used to transfer web-page data, whereas Telnet is used for remote access, similar to SSH. HTTP websites are denoted with ‘Not secure’ in the web browser as they lack any authentication certificate provided by the web server.

HTTPS (Hypertext Transfer Protocol Secure) is a direct upgrade to HTTP, in which a secure connection to the web server is made with SSL (Secure Sockets Layer) or TLS (Transport Layer Security) [1]. To successfully decrypt HTTPS traffic, an adversary must obtain the certificate key generated during the TLS handshake. However, this is cryptographically infeasible, and generally the information they acquire is trivial in most cases. Alternatively, an adversary could use SSLStrip to downgrade a website from HTTPS to HTTP (e.g., a login page), and then redirect the user to the HTTP version. This can then be used to ‘sniff’ login details in plain-text.
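As an added illustration of what a defender can do with the pcap files that tcpdump writes (example code written for this page, not part of the original paper), the following Python reads a classic pcap, walks the Ethernet, IPv4 and TCP headers, and reports which packets are headed for cleartext services such as HTTP and Telnet as opposed to TLS or SSH ports. The capture is constructed inline so the script runs offline: the 192.168.1.161 and 192.168.1.183 addresses follow the paper's setup, 203.0.113.10 is a documentation address, and checksums are left at zero because the auditor does not verify them. Pointing audit_pcap at the bytes of a real output.pcap gives an inventory of unencrypted protocol use on the network.

```python
import struct
from collections import Counter

# Well-known ports for the protocols the paper contrasts: cleartext ones a MitM
# can read directly versus ones that carry TLS or SSH.
CLEARTEXT_PORTS = {80: "HTTP", 23: "Telnet", 21: "FTP"}
ENCRYPTED_PORTS = {443: "HTTPS", 22: "SSH"}

PCAP_MAGIC = 0xA1B2C3D4       # classic (non-ng) pcap, microsecond timestamps
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _ipv4_packet(src, dst, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame for the constructed sample (checksums zero)."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: one HTTP, one HTTPS, one Telnet and one SSH packet."""
    frames = [
        _ipv4_packet("192.168.1.161", "203.0.113.10", 50000, 80, b"GET / HTTP/1.1\r\n"),
        _ipv4_packet("192.168.1.161", "203.0.113.10", 50001, 443, b"\x16\x03\x01"),
        _ipv4_packet("192.168.1.161", "192.168.1.183", 50002, 23, b"login: "),
        _ipv4_packet("192.168.1.161", "192.168.1.183", 50003, 22, b"SSH-2.0-OpenSSH\r\n"),
    ]
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, LINKTYPE_ETHERNET (1)
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out


def audit_pcap(data):
    """Return (src, dst, dport, label) for every TCP packet in a classic pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    results = []
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[offset:offset + 16])
        pkt = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(pkt) < 14 or struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = pkt[14:]
        if len(ip) < 20 or ip[0] >> 4 != 4:
            continue
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if dport in CLEARTEXT_PORTS:
            label = "CLEARTEXT " + CLEARTEXT_PORTS[dport]
        elif dport in ENCRYPTED_PORTS:
            label = "encrypted " + ENCRYPTED_PORTS[dport]
        else:
            label = "other"
        results.append((src, dst, dport, label))
    return results


def cleartext_summary(data):
    """Count cleartext packets per protocol name, e.g. {'HTTP': 1, 'Telnet': 1}."""
    return Counter(label.split(" ", 1)[1] for _, _, _, label in audit_pcap(data)
                   if label.startswith("CLEARTEXT"))


if __name__ == "__main__":
    for row in audit_pcap(build_sample_pcap()):
        print("%s -> %s:%d  %s" % row)
    print(dict(cleartext_summary(build_sample_pcap())))
```

Port-based classification is a first pass only: a service on a non-standard port, or HTTP carried over a TLS tunnel, will be misfiled, so a production check would also look at the first payload bytes (the 0x16 0x03 TLS record header, or an HTTP method) rather than the port alone.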
IV. ARP CACHE POISONING

Address Resolution Protocol (ARP) is used to map a device’s physical MAC address to its IP address [2]. ARP packets are broadcast to all devices within a network, which instructs them to respond with their MAC address. These mappings are then stored in a device’s ARP cache, which enables the device to communicate with other devices directly (e.g., with the router); this means the device does not need to broadcast its activity to all other devices within a WLAN. However, because a router may assign new IP addresses dynamically (e.g., when restarting), entries in the ARP cache are deleted after 20 minutes [2].

An ARP poisoning attack works by listening for ARP requests and then responding with a ‘spoofed’ MAC address (namely that of another device) [3]. An adversary can then use this to position themselves between the two communicating devices by impersonating the MAC address of each device. Figure 2 demonstrates this attack, which was carried out with Nmap and Ettercap.

B. ARP Poisoning with Ettercap

Ettercap can facilitate a variety of MitM attacks, including ARP poisoning. Regarding Figure 2, Ettercap was used to poison the iPad’s ARP cache, and then spoof the MAC address of the router to re-route traffic through the Raspberry Pi. This was achieved with: ‘ettercap -T -S -i eth0 -M arp:remote /192.168.1.254// /192.168.1.161//’ where:
• -T enables a command line input (not using the GUI)
• -S instructs Ettercap not to use SSL
• -i specifies the network interface (Ethernet)
• -M arp:remote instructs the usage of ARP poisoning
• 192.168.1.254 is the router’s IP address
• 192.168.1.161 is the iPad’s IP address

To sniff this traffic in Wireshark, packet information from the iPad can be filtered with ‘ip.addr == 192.168.1.161’, and chained with ‘&& http’ to present only non-encrypted HTTP packets.

C. ARP Poisoning Mitigations & Prevention

• VPN tunnelling can be used to encrypt all intercepted traffic. This is shown later on with the Pi VPN server.
• Static IP addresses can be assigned to each device such that each ARP mapping has one unique IP address. However, this is more challenging to maintain than using Dynamic Host Configuration Protocol (DHCP).
• ARP spoofing detection tools can be used (e.g., XArp). However, these can often return false positives and usually only detect ARP spoofing (without prevention).
• Secure ARP [5] is a proposed solution which extends the ARP protocol by incorporating an authentication scheme in ARP responses (using public key cryptography). This should prevent an attacker from being able to spoof their MAC address and poison an ARP cache.
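The ‘arp -a’ check the paper relies on can be automated. The following Python is an added example (not the paper's own code) that parses the command's output in both the Linux/BSD and Windows formats, groups IP addresses by MAC and reports any MAC that claims more than one IP, which is the duplicate-entry symptom of a poisoned cache. The sample output is constructed: it shows the router (192.168.1.254) and the Raspberry Pi (192.168.1.183) sharing one hardware address after poisoning, and the MAC addresses themselves are made up.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output (Linux/BSD form) as seen on the victim after the
# attacking Raspberry Pi (192.168.1.183) has answered for the router's IP.
SAMPLE_ARP_A = """\
? (192.168.1.254) at b8:27:eb:aa:bb:cc [ether] on wlan0
? (192.168.1.183) at b8:27:eb:aa:bb:cc [ether] on wlan0
? (192.168.1.20) at 3c:22:fb:11:22:33 [ether] on wlan0
"""

# Matches "(192.168.1.254) at b8:27:eb:..." as well as the Windows form
# "  192.168.1.254    b8-27-eb-aa-bb-cc   dynamic".
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)


def parse_arp_table(text):
    """Return {ip: mac} with every MAC normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table


def find_duplicate_macs(table):
    """Group IPs by MAC; a MAC mapped to several IPs is the poisoning indicator."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(table, gateway_ip, known_gateway_mac):
    """Stronger check: compare the gateway's current MAC with one recorded on a clean day."""
    current = table.get(gateway_ip)
    return current is not None and current == known_gateway_mac.lower().replace("-", ":")


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_A)
    print("duplicates:", find_duplicate_macs(table))
    print("gateway ok:", check_gateway(table, "192.168.1.254", "b8:27:eb:aa:bb:cc"))
```

A host that legitimately owns several IP addresses (a router with more than one address on the link, or a machine running bridged virtual machines) produces the same duplicate pattern, which is the false-positive problem the paper notes for tools such as XArp; comparing the gateway's current MAC with a previously recorded one, as check_gateway does, is the more dependable signal. Note that the attacker's own entry only appears in the cache once the victim has exchanged traffic with it, so an empty duplicate list is not proof of a clean cache.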

Fig. 2. ARP Poisoning Attack (diagram: iPad 192.168.1.161, Router 192.168.1.254, attacking Raspberry Pi 192.168.1.183)

To determine if a device’s ARP cache has been ‘poisoned’, a user can enter ‘arp -a’ in the command line to view the mappings from internet addresses to physical addresses. If there are duplicate MAC addresses (mapped to different IP addresses), then it is likely the device’s cache has been temporarily poisoned.

A. Network Discovery with Nmap

Nmap is a networking tool which can be used to discover the MAC address, IP address, device type and even operating systems of devices which are actively connected to a WLAN. This can be done with: ‘nmap -sn 192.168.1.0/24’, where ‘-sn’ designates a ping scan (and not to port scan the hosts after discovery). This is useful for basic network reconnaissance without attracting too much attention [4]. To save this information to a file, add the following flag: ‘-oN output.txt’.

V. ROGUE ACCESS POINTS

Rogue APs can be designed to replicate free public Wi-Fi APs. These can then be used to capture Wi-Fi traffic, login details and even infect the client’s web browser. In these situations, the rogue AP is acting as a MitM.

A. Evil Twin Attack

An evil twin attack uses social engineering to discover a network password if Wi-Fi security (e.g., WPA2-PSK) cannot be broken [6]. In this example, an attacker can forcefully deauthenticate a connection between a targeted device and an AP so that the user will attempt to reconnect. During this time, the attacker can ‘sniff’ the 4-way handshake that occurs during re-connection, and clone the AP to present a fake ‘twin’ with a phishing page asking for the network password. The attacker can then compare the password given to the hash captured during the 4-way handshake. This ensures the correct password is captured without needing to crack the 4-way handshake [7]. The key difference between a rogue AP and this attack is that a rogue AP may already be connected to the target network, whereas an evil twin is used to obtain entry.
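The two observable signals of the evil twin attack described above, a burst of deauthentication frames followed by a second BSSID beaconing an SSID that already exists, can both be read from raw 802.11 management frames. The following Python is an added example (not from the paper) that decodes the frame-control field in the same way as the Wireshark filter the paper gives for deauthentication frames (type 0, subtype 12), walks beacon tagged parameters for the SSID, and flags three things: transmitters that exceed a deauthentication threshold, deauthentication frames sent without the 802.11w Protected Frame bit, and BSSIDs not on an allow-list that advertise a known SSID. The capture is constructed inline with made-up MAC addresses and the SSID "Cafe-WiFi"; in practice the frames would come from a monitor-mode capture with the radiotap header already stripped.

```python
import struct
from collections import Counter, defaultdict

TYPE_MGMT = 0          # 802.11 frame type: management (wlan.fc.type == 0)
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12    # wlan.fc.type_subtype == 12
FLAG_PROTECTED = 0x40  # "Protected Frame" bit in the second frame-control byte (802.11w)


def _mac(b):
    return ":".join("%02x" % x for x in b)


def _mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_frame(raw):
    """Decode the 24-byte management header plus the body fields this detector needs."""
    if len(raw) < 24:
        return None
    fc0, fc1 = raw[0], raw[1]
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": fc0 >> 4,
        "protected": bool(fc1 & FLAG_PROTECTED),
        "addr1": _mac(raw[4:10]),    # receiver
        "addr2": _mac(raw[10:16]),   # transmitter
        "addr3": _mac(raw[16:22]),   # BSSID for management frames
    }
    body = raw[24:]
    if frame["type"] == TYPE_MGMT and frame["subtype"] == SUBTYPE_DEAUTH and len(body) >= 2:
        frame["reason"] = struct.unpack("<H", body[:2])[0]
    elif frame["type"] == TYPE_MGMT and frame["subtype"] == SUBTYPE_BEACON and len(body) >= 12:
        i = 12  # skip timestamp(8) + beacon interval(2) + capabilities(2)
        while i + 2 <= len(body):
            tag, ln = body[i], body[i + 1]
            if tag == 0:  # SSID element
                frame["ssid"] = body[i + 2:i + 2 + ln].decode("utf-8", "replace")
                break
            i += 2 + ln
    return frame


def analyse(frames, known_bssids, deauth_threshold=10):
    """known_bssids maps SSID -> set of authorised BSSIDs (colon form, any case)."""
    deauth_by_source = Counter()
    unprotected = 0
    seen = defaultdict(set)
    for raw in frames:
        f = parse_frame(raw)
        if f is None or f["type"] != TYPE_MGMT:
            continue
        if f["subtype"] == SUBTYPE_DEAUTH:
            deauth_by_source[f["addr2"]] += 1
            if not f["protected"]:
                unprotected += 1
        elif f["subtype"] == SUBTYPE_BEACON and "ssid" in f:
            seen[f["ssid"]].add(f["addr3"])
    twins = {}
    for ssid, bssids in seen.items():
        if ssid in known_bssids:
            unknown = sorted(bssids - {b.lower() for b in known_bssids[ssid]})
            if unknown:
                twins[ssid] = unknown
    return {
        "deauth_by_source": dict(deauth_by_source),
        "deauth_flood_sources": sorted(s for s, n in deauth_by_source.items() if n >= deauth_threshold),
        "unprotected_deauths": unprotected,
        "possible_evil_twins": twins,
    }


# Constructed sample frames (no radiotap header; all addresses are made up).
def _mgmt_header(subtype, addr1, addr2, addr3, protected=False):
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), FLAG_PROTECTED if protected else 0])
    return fc + b"\x00\x00" + _mac_bytes(addr1) + _mac_bytes(addr2) + _mac_bytes(addr3) + b"\x00\x00"


def build_beacon(bssid, ssid):
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)  # timestamp, interval, capabilities
    ssid_b = ssid.encode()
    return _mgmt_header(SUBTYPE_BEACON, "ff:ff:ff:ff:ff:ff", bssid, bssid) + fixed + bytes([0, len(ssid_b)]) + ssid_b


def build_deauth(client, bssid, reason=7, protected=False):
    return _mgmt_header(SUBTYPE_DEAUTH, client, bssid, bssid, protected) + struct.pack("<H", reason)


def sample_capture():
    """Legitimate AP and a twin both beaconing 'Cafe-WiFi', then 64 deauths spoofed from the real AP."""
    legit, twin, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"
    frames = [build_beacon(legit, "Cafe-WiFi"), build_beacon(twin, "Cafe-WiFi")]
    frames += [build_deauth(client, legit) for _ in range(64)]
    return frames


if __name__ == "__main__":
    print(analyse(sample_capture(), {"Cafe-WiFi": {"00:11:22:33:44:55"}}))
```

Enterprise networks legitimately run many BSSIDs under one SSID, so the allow-list must contain every authorised AP, and the threshold should be tuned to the environment, since an AP that reboots sends a handful of genuine deauthentications. On a network where 802.11w is enabled, any deauthentication frame arriving without the Protected Frame bit is itself a strong indicator, independent of volume.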
B. Evil Twin Attack Detection

[8] proposes a multi-hop detection protocol, WiFiHop, to detect evil twin attacks. WiFiHop works by sending a ‘watermark’ packet sequence through the AP the client is connected to, and then switching to a different channel to detect the transmission of this watermark. If this watermark is then detected through other channels (e.g., between the client and twin AP, and between the evil twin AP and the legitimate AP), then the presence of an evil twin has been detected.

C. Creating a Rogue Access Point

Wifipumpkin3 can be used to scan networks, perform deauthentication attacks and create rogue APs. Wifipumpkin3 also provides support for custom plugins and proxies (such as injecting a BeEF hook). To create a rogue AP with a fake login portal:
1. Set the interface to host the AP - ‘set interface wlan’
2. Assign an SSID - ‘set ssid Free Wi-Fi’
3. Load the captiveflask proxy - ‘set proxy captiveflask’
4. Choose a template type, e.g., ‘set captiveflask.facebook true’
5. Start hosting the AP - ‘start’

Figure 3 presents a deauthentication attack, paired with a rogue AP, using Wifipumpkin3 and Aircrack-ng. Aircrack-ng is used for ‘packet capturing of raw 802.11 frames’ [9], and when paired with the TurboTenna antenna in monitor mode, can detect all Wi-Fi activity within range.

Fig. 3. Deauthentication Attack & Rogue AP (diagram: Access Point, Deauthentication Attack, Rogue AP)

D. Deauthentication Attack

A Wi-Fi deauthentication attack is a denial-of-service attack which exploits Wi-Fi management frames to disconnect a device from an AP. In this example, an adversary can flood disassociation and deauthentication frames to both devices [10]. As management frames are sent before the 4-way connection handshake can occur, these are typically unprotected. To perform the attack:
• Run ‘airmon-ng start wlan1’ to put the wlan1 interface into monitor mode
• Run ‘airodump-ng wlan1’ to scan for nearby APs. Unlike Nmap, this reveals the channel each AP is operating on, the security used (typically WPA2-PSK with a CCMP cipher), and the distance from the AP (denoted by the number of beacon frames received)
• Run ‘aireplay-ng --deauth 0 -c XX:XX:XX:YY:YY:YY -a XX:XX:XX:YY:YY:YY wlan1’ to start the attack, where -c and -a are the MAC addresses of the target client and AP respectively. ‘0’ instructs the attack to run indefinitely

Note that the first 3 sections of a MAC address represent the model of Wi-Fi card, whereas the last 3 sections refer to that unique device; for privacy they are omitted. Using the TurboTenna Wi-Fi antenna, 128 deauth frames were injected and sent to both the AP and iPad directly (64 each). However, very few frames were delivered and a successful deauthentication was not achieved. [9] suggests that this issue may arise from the Wi-Fi technology used (802.11n vs 802.11ac), or the power capability of the antenna. This entire process can be observed in Wireshark with: ‘(wlan.fc.type eq 0) && (wlan.fc.type_subtype eq 12)’ [11].

E. Deauthentication Attack Mitigations

Because deauthentication attacks exploit Wi-Fi management frames (responsible for initiating and closing wireless network connections), [12] introduces Management Frame Protection (MFP) for wireless APs. This amendment to the IEEE 802.11 standard, 802.11w, works by adding encryption to disassociation and deauthentication frames; this prevents an adversary from being able to spoof them in a deauthentication attack. However, this standard is still not present in many legacy devices.

F. Web Browser Control (with BeEF)

BeEF is a browser exploitation framework which can be used to execute HTML or JavaScript within a victim’s web browser, take control, key-log, phish and even escalate privileges. By creating a rogue AP with Wifipumpkin3, an attacker can inject a BeEF hook directly into the victim’s browser whenever they load a web page. This can be done by adding BeEF as a tunnelling proxy: ‘set pumpkinproxy.beef hook url http://Host IP:3000/hook.js’.

VI. CREATING A PI VPN SERVER

A virtual private network (VPN) routes all traffic through ‘an encrypted virtual tunnel’ by establishing a secure connection to the internet, and also disguising the device’s IP address [13]. Figure 4 demonstrates this process with PiVPN, using OpenVPN or WireGuard. Although OpenVPN provides more flexibility as it can utilise TCP and UDP, and all encryption algorithms provided by the OpenSSL library, WireGuard is a newer, faster and more efficient protocol. Installation process:
1. Install PiVPN with ‘curl -L https://install.pivpn.io | bash’
2. Choose a VPN server authority (WireGuard or OpenVPN)
3. Set the device’s IP address to static and disable DHCP so that access to the Pi server remains consistent
4. Set the communication protocol. UDP is recommended as it transmits packets without waiting for a response, which is faster than TCP (albeit with some packet loss)
5. Set the inbound/outbound port number to operate on (1194 for OpenVPN or 51820 for WireGuard)
6. Assign a DNS provider, e.g., Google, which translates domain names to IP addresses
7. Assign a static DNS server address (NoIP) which enables the VPN to be accessed from outside the LAN
8. Set port-forwarding rules for the device’s IP address, inbound & outbound port, and the protocol used (UDP)
9. Use the command ‘pivpn -a’ to generate a key certificate which can then be distributed to clients

Fig. 4. Encrypting Traffic with a Pi VPN Server (diagram labels: No VPN Device, Access Point, Internet, VPN Device, Pi VPN, Encrypted Tunnel, Single Hop, Unencrypted)

A. Evaluation

With OpenVPN or WireGuard, all traffic becomes obfuscated, showing only the OpenVPN/WireGuard protocol and destination/source address in Wireshark. This means an adversary cannot observe the TCP/UDP communication process, handshakes or insecure websites (e.g., HTTP). Regarding performance, the Raspberry Pi 3 offers a maximum throughput of 300Mbps over Ethernet. This means 150Mbps is the theoretical maximum speed when functioning as a VPN server, as packets must enter and leave through the same Ethernet interface. WireGuard performed the strongest with only a 22% speed loss, whereas OpenVPN had a speed loss of 53% (Table I).

TABLE I
A COMPARISON OF VPN PERFORMANCE

            Download Speed   Upload Speed   Ping/Latency
            (Mbps)           (Mbps)         (ms)
No VPN      137.09           29.30          7.99
WireGuard   107.35           29.17          8.48
OpenVPN      64.42           28.97          9.10

VII. CONSIDERATIONS

Regarding the deauthentication attack carried out, it is possible that the Pi 4 was operating with less power than required due to the lack of an official power adapter. This could explain the Wi-Fi antenna’s inability to cause a successful deauthentication attack. However, this is more likely due to technology incompatibilities (e.g., 802.11ac as opposed to 802.11n), or simply because the MFP-IEEE 802.11w standard was implemented in all devices tested.

Regarding the Pi VPN server, although the client’s IP address is masked, traffic is still ‘single hopped’ through a VPN server within the same WLAN. This means the router’s public IP address is visible when analysing traffic remotely. Furthermore, Raspbian’s typical firewall policy is to allow all inbound and outbound packets across all ports (viewable with the command: ‘iptables -L’). To strengthen security, the firewall policy can be configured to block traffic on all ports except the ports used.

VIII. CONCLUSION

WPA2-PSK was identified as the most common security protocol used in access points. However, even with this secure authentication protocol, it is still easy for an adversary to deploy a low power Wi-Fi adapter, in monitor mode, and begin probing network activity in the 2.4 GHz and 5 GHz frequency ranges. An adversary can sniff personal traffic with MitM attacks such as ARP cache poisoning without having to crack WPA2-PSK, or rely on social engineering to create rogue APs. As a solution to this, it is recommended to always use a VPN - especially when connected to a public AP. However, using a VPN does come with a connection speed overhead which can be problematic when connected to an AP with an already low connection speed.

REFERENCES

[1] “What is HTTPS?” Accessed: 30-05-2021. [Online]. Available: https://www.cloudflare.com/en-gb/learning/ssl/what-is-https/
[2] “Address Resolution Protocol,” Accessed: 30-05-2021. [Online]. Available: https://www.ibm.com/docs/en/aix/7.2?topic=protocols-address-resolution-protocol
[3] “Man-in-the-Middle: ARP Cache Poisoning,” Accessed: 30-05-2021. [Online]. Available: https://attack.mitre.org/techniques/T1557/002/
[4] “Nmap - Linux Man Page,” Accessed: 30-05-2021. [Online]. Available: https://linux.die.net/man/1/nmap
[5] D. Bruschi, A. Ornaghi, and E. Rosti, “S-ARP: a secure address resolution protocol,” in 19th Annual Computer Security Applications Conference, 2003. Proceedings. IEEE, 2003, pp. 66–74.
[6] “CAPEC-615: Evil Twin Wi-Fi Attack,” Accessed: 30-05-2021. [Online]. Available: https://capec.mitre.org/data/definitions/615.html
[7] Kody, “Stealing Wi-Fi Passwords with an Evil Twin Attack,” 2019, Accessed: 30-05-2021. [Online]. Available: https://null-byte.wonderhowto.com/how-to/hack-wi-fi-stealing-wi-fi-passwords-with-evil-twin-attack-0183880/
[8] D. Mónica and C. Ribeiro, “WiFiHop: mitigating the evil twin attack through multi-hop detection,” in European Symposium on Research in Computer Security. Springer, 2011, pp. 21–39.
[9] “Airodump-ng Documentation,” Accessed: 30-05-2021. [Online]. Available: https://www.aircrack-ng.org/doku.php?id=airodump-ng
[10] “CAPEC-604: Wi-Fi Jamming,” Accessed: 30-05-2021. [Online]. Available: https://capec.mitre.org/data/definitions/604.html
[11] “Analyzing Deauthentication Packets With Wireshark,” Accessed: 30-05-2021. [Online]. Available: https://www.yeahhub.com/analyzing-deauthentication-packets-wireshark/
[12] “IEEE Standard 802.11w-2009 Specifications Amendment 4: Protected Management Frames,” 2009.
[13] “Kaspersky - What is VPN?” Accessed: 30-05-2021. [Online]. Available: https://www.kaspersky.com/resource-center/definitions/what-is-a-vpn