Man-in-the-middle (MITM) attack refers to the situation where an attacker on host X inserts X between all communications between hosts B and C, and neither B nor C is aware of the presence of X. All messages sent by B do reach C but via X, and vice versa. The attacker can merely observe the communication or modify it before sending it out. An MITM attack can break connections that are otherwise secure. At the TCP level, SSH and VPN, e.g., are prone to this attack.

Wireless MITM

Assume that station B was authenticated with C, a legitimate AP. Attacker X is a laptop with two wireless cards. Through one card, he will present X as an AP. Attacker X sends Deauthentication frames to B using the C’s MAC address as the source, and the BSSID he has collected. B gets deauthenticated and begins a scan for an AP and may find X on a channel different from C. There is a race condition between X and C. If B associates with X, the MITM attack succeeded. X will re-transmit the frames it receives from B to C, and the frames it receives from C to B after suitable modifications.

The package of tools called AirJack (http://802.11ninja.net/airjack/) includes a program called monkey_jack that automates the MITM attack. This is programmed well so that the odds of it winning in the race condition mentioned above are improved.

ARP Poisoning

ARP cache poisoning is an old problem in wired networks. Wired networks have deployed mitigating techniques. But, the ARP poisoning technique is re-enabled in the presence of APs that are connected to a switch/hub along with other wired clients.

ARP is used to determine the MAC address of a device whose IP address is known. The translation is performed with a table look-up. The ARP cache accumulates as the host continues to network. If the ARP cache does not have an entry for an IP address, the outgoing IP packet is queued, and an ARP Request packet that effectively requests “If your IP address matches this target IP address, then please let me know what your Ethernet address is” is broadcast. The host with the target IP is expected to respond with an ARP Reply, which contains the MAC address of the host. Once the table is updated because of receiving this response, all the queued IP packets can now be sent. The entries in the table expire after a set time in order to account for possible hardware address changes for the same IP address. This change may have happened, e.g., due to the NIC being replaced.

Unfortunately, the ARP does not provide for any verification that the responses are from valid hosts or that it is receiving a spurious response as if it has sent an ARP Request. ARP poisoning is an attack technique exploiting this lack of verification. It corrupts the ARP cache that the OS maintains with wrong MAC addresses for some IP addresses. An attacker accomplishes this by sending an ARP Reply packet that is deliberately constructed with a “wrong” MAC address. The ARP is a stateless protocol. Thus, a machine receiving an ARP Reply cannot determine if the response is due to a request it sent or not.

ARP poisoning is one of the techniques that enables the man-in-the-middle attack. An attacker on machine X inserts himself between two hosts B and C by (i) poisoning B so that C’s IP address is associated with X’s MAC address, (ii) poisoning C so that B’s address is associated with X’s MAC address, and (iii) relaying the packets X receives.

The ARP poison attack is applicable to all hosts in a subnet. Most APs act as transparent MAC layer bridges, and so all stations associated with it are vulnerable. If an access point is connected directly to a hub or a switch without an intervening router/firewall, then all hosts connected to that hub or switch are susceptible also. Note that recent devices aimed at the home consumer market combine a network switch with may be four or five ports, an AP, a router and a DSL/cable modem connecting to the Internet at large. Internally, the AP is connected to the switch. As a result, an attacker on a wireless station can become a MITM between two wired hosts, one wired one wireless, or both wireless hosts.

The tool called Ettercap ((http://ettercap.sourceforge.net) is capable of performing ARP poisoning.

Session Hijacking

Session hijacking occurs in the context of a “user”, whether human or computer. The user has an on-going connection with a server. Hijacking is said to occur when an attacker causes the user to lose his connection, and the attacker assumes his identity and privileges for a period.

An attacker disables temporarily the user’s system, say by a DoS attack or a buffer overflow exploit. The attacker then takes the identity of the user. The attacker now has all the access that the user has. When he is done, he stops the DoS attack, and lets the user resume. The user may not detect the interruption if the disruption lasts no more than a couple of seconds. Such hijacking can be achieved by using forged Disassociation DoS attack.

Corporate wireless networks are often set up so that the user is directed to an authentication server when his station attempts a connection with an AP. After the authentication, the attacker employs the session hijacking described above using spoofed MAC addresses.