A Proof of MITM Vulnerability in Public WLANs Guarded by Captive Portal
Authors: Wei-Lin Chen, Po-Kang Chen, Quincy Wu
Outline
Introduction
Motivation
Related Works
Authentication of Public WLAN
Implementation & Experiment result
Conclusion
Introduction
Many public areas now provide wireless LAN access for users; such a network is called a Public WLAN (PWLAN).
PWLANs are usually provided by Wireless Internet Service Providers (WISPs), which manage the payment mechanism of the PWLANs.
Nowadays it is easy to find PWLAN service in a coffee shop or a fast food restaurant, and people enjoy the convenience of accessing the Internet in these public places.
According to the TWNIC (Taiwan Network Information Center) sample survey of January 2010, the frequency of using Internet services in public areas is becoming higher.
Figure 1. January 2010 Taiwan Internet usage frequency report
http://www.twnic.net.tw/download/200307/200307index.shtml
Motivation
More and more people are utilizing PWLANs.
Traditionally, we rely on WEP or WPA-PSK to protect our WLAN.
Readily available tools can crack the WEP or WPA-PSK secret keys.
Therefore, most PWLANs now use a new security mechanism, called Captive Portal.
It has been widely accepted by WISPs.
Figure 2. Login webpage
A new standard, IEEE 802.1X, has been proposed to replace the Captive Portal.
But the 802.1X standard is more complicated than Captive Portal, so 802.1X is not widely deployed in PWLANs.
We shall show that PWLANs guarded by a Captive Portal are vulnerable to Man-In-The-Middle attacks, so that unauthenticated users can access the Internet via the PWLANs.
Related Work
ARP (Address Resolution Protocol)
ARP converts an IP address to a MAC address so that hosts can communicate over Ethernet.
The sender broadcasts an ARP Request message to ask for the MAC address associated with the destination IP address.
The host owning that IP address sends a unicast ARP Reply message to the sender with the IP-MAC address pairing.
The sender updates its ARP cache after receiving the ARP Reply.
ARP Spoof
The malicious user sends ARP Replies with fake IP-MAC pairings, in an attempt to poison the ARP cache of other hosts on the network.
ARP Spoofing can be used to perform Man-In-The-Middle (MITM) attacks or Denial of Service (DoS) attacks.
MITM
Before the MITM attack occurs, both hosts hold each other's correct MAC address and communicate with each other directly.
After the MITM attack occurs, the dynamic IP-MAC pairing in the ARP cache of both hosts has been modified. The attacker receives packets from one host and forwards them to the other.
Figure 3. MITM attack
Authentication of Public WLAN
Figure 4. PWLANs architecture
Figure 5. Captive Portal process
Implementation & Experiment result
Implementation
Figure 6. MITM in Captive Portal (1/2)
Figure 7. MITM in Captive Portal (2/2) (legend: victim packets, attacker packets)
Figure 8. Modifying the masqueraded packet
Packet layers: Ethernet / IP / TCP/UDP/ICMP / Data
Fields modified: IP layer: source IP address & checksum; TCP/UDP layer: checksum
Experiment Result
Table 1. Implementation spec.
                         Eee PC 701 (victim)                 Lenovo X200 (attacker)              Remote FTP server
CPU                      Intel Celeron M processor 900MHz    Intel Core2 Duo CPU P8600 2.40GHz   Intel Pentium Dual CPU E2200 2.20GHz
Memory                   512MB                               4GB                                 2GB
Operating System         Windows XP 32-bit                   Windows 7 32-bit                    Ubuntu 9.10
TCP buffer size (bytes)  65,535                              65,535                              65,535
Figure 9. Implementation environment
Figure 10. Download 10MB files
Figure 11. Download 20MB files
Experiment & Result
Table 2. Experiment result
File size   Average Download Speed (Kbps)            Performance
            without relay      with relay
10MB        241.55             234.06                97%
20MB        243.34             235.72                97%
Conclusion
We have shown how ARP Spoofing can be used to launch a MITM attack in PWLANs, so that unauthenticated users can access the Internet via the PWLANs.
We advise that WISPs deploy network devices that support intrusion detection, or re-design the PWLAN architecture and authenticate users by 802.1X.
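The intrusion-detection countermeasure recommended above, as an added example that is not part of the original presentation: a small Python detector that watches ARP Reply records for the two symptoms of the ARP-spoof MITM described in the Related Work slides (an IP whose MAC suddenly changes, and one MAC answering for several IPs). The ARP records and all addresses are constructed and hypothetical.

```python
from collections import defaultdict

# Constructed sample of ARP Reply records as (sender_ip, sender_mac).
# Gateway, victim and third-station addresses are hypothetical.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # gateway announces itself
    ("192.168.1.50", "aa:aa:aa:aa:aa:50"),  # victim announces itself
    ("192.168.1.1",  "cc:cc:cc:cc:cc:99"),  # a third station claims the gateway's IP
    ("192.168.1.50", "cc:cc:cc:cc:cc:99"),  # the same station claims the victim's IP
    ("192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # genuine gateway reply again
]


def detect_arp_spoof(replies, trusted=None):
    """Return alert strings for ARP Replies that look like cache poisoning.

    replies: iterable of (sender_ip, sender_mac) taken from ARP Reply frames.
    trusted: optional static IP->MAC bindings (for example the gateway) that
             must never change; otherwise the first pairing seen is trusted.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac  # first sighting: remember the pairing
        elif known != mac:
            # Rule 1: an IP we already know is now answered by a different MAC.
            alerts.append(f"ip-mac change: {ip} was {known}, now claimed by {mac}")
        # Rule 2: one MAC answering for several IPs is the signature of a relay
        # that impersonates both ends of a conversation (Figure 3).
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"one mac for many ips: {mac} -> {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_ARP_REPLIES):
        print(line)
```

Rule 1 also fires on benign events such as a DHCP lease moving to another client, so in practice the gateway binding goes in `trusted` and other changes are correlated with DHCP logs before raising an alarm.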