Thursday, 11 September 2014

Wireless Eavesdropping using MITM

In the previous lab, we learned how to create a setup for MITM. Now we will look at how to carry out wireless eavesdropping with this setup.


The whole lab revolves around the principle that all of the victim's traffic is now routed through the attacker's computer. Thus the attacker can eavesdrop on all traffic sent to and from the victim's machine over the wireless link.



Time for action – wireless eavesdropping

Follow these instructions to get started:

  1. Replicate the entire setup from the previous lab and fire up Wireshark. It is interesting to note that even the mitm-bridge interface shows up; it would allow us to peer into the bridge traffic if we wanted to.

  2. Start sniffing on the at0 interface, so that we can monitor all traffic sent and received by the wireless client.

  3. On the wireless client, open up any web page. In my case, the wireless access point is also connected to the LAN, and I will open its management interface using the address http://192.168.0.1

  4. Sign in with my password and enter the management interface.

  5. In Wireshark, we should now be seeing a lot of activity.

  6. Set a filter for HTTP to see only the web traffic.

  7. We can easily locate the HTTP POST request that was used to send the password to the wireless access point.

  8. Next is a magnified look at the preceding packet.

  9. Expanding the HTTP header shows that the password we entered was not sent as plaintext; instead, a hash was sent. If we look at packet no. 64 in the preceding screenshot, we see that a request was made for /md5.js, which makes us suspect that it is an MD5 hash of the password. It is interesting to note that this technique may be prone to a replay attack if a cryptographic salt is not used on a per-session basis when creating the hash. We leave it as an exercise for the reader to find out the details, as this is not part of wireless security and hence beyond the scope of this article.

This shows how easy it is to monitor and eavesdrop on traffic sent by the client during a Man-in-the-Middle attack.
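As an added illustration of the replay point raised in step 9 (this is example code written for this page, not code from the original article or from the access point's md5.js), the following Python model shows why an unsalted client-side hash is replayable and how a per-session nonce closes that gap: the captured md5(password) is accepted again in a later session, whereas a server that issues a fresh single-use nonce and expects an HMAC over it rejects the captured value. The password, the nonce length and the HMAC construction are constructed assumptions, and the scheme only addresses replay of the credential; it is no substitute for TLS on the management interface.

```python
import hashlib
import hmac
import secrets

PASSWORD = "correct horse"  # constructed sample value, not from the article

def unsalted_token(password):
    """What a client-side md5.js typically sends: md5(password), identical in every session."""
    return hashlib.md5(password.encode()).hexdigest()

def verifier_for(password):
    """Password-derived verifier shared by client and server (assumed scheme)."""
    return hashlib.sha256(password.encode()).digest()

def nonce_response(verifier, nonce):
    """Challenge-response value: HMAC keyed on the verifier over the server's nonce."""
    return hmac.new(verifier, nonce.encode(), hashlib.sha256).hexdigest()

class UnsaltedServer:
    """Compares the submitted md5(password) with the stored copy; a captured token never expires."""
    def __init__(self, password):
        self.stored = unsalted_token(password)
    def login(self, token):
        return hmac.compare_digest(token, self.stored)

class NonceServer:
    """Issues a single-use nonce per login attempt and expects nonce_response() for it."""
    def __init__(self, password):
        self.verifier = verifier_for(password)  # only the verifier is stored server-side
        self.issued = set()
    def new_session(self):
        nonce = secrets.token_hex(16)  # 128-bit random nonce, fresh for every attempt
        self.issued.add(nonce)
        return nonce
    def login(self, nonce, token):
        if nonce not in self.issued:
            return False  # unknown or already-spent nonce: replay rejected
        self.issued.discard(nonce)
        return hmac.compare_digest(token, nonce_response(self.verifier, nonce))

def replay_demo():
    """Replays a token captured from one login against a later one; returns both outcomes."""
    plain = UnsaltedServer(PASSWORD)
    captured = unsalted_token(PASSWORD)  # the value an eavesdropper saw in the POST body
    result = {"unsalted_first": plain.login(captured), "unsalted_replay": plain.login(captured)}
    nonced = NonceServer(PASSWORD)
    nonce1 = nonced.new_session()
    captured = nonce_response(verifier_for(PASSWORD), nonce1)
    result["nonce_first"] = nonced.login(nonce1, captured)
    nonce2 = nonced.new_session()  # a later session gets a fresh nonce
    result["nonce_replay"] = nonced.login(nonce2, captured) or nonced.login(nonce1, captured)
    return result
```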


What just happened?

The MITM setup we created now allows us to eavesdrop on the victim's wireless traffic without the victim knowing. This is possible because in an MITM attack all of the traffic is relayed via the attacker's machine. Thus all of the victim's unencrypted traffic is available to the attacker for eavesdropping.

Note: This is illegal and is for educational purposes only. We will not be in any way responsible for any loss or damage that occurs.
