A Proof of MITM Vulnerability in Public WLANs Guarded by Captive Portal Speaker : Po-Kang Chen...
-
Upload
harriet-baker -
Category
Documents
-
view
218 -
download
1
Transcript of A Proof of MITM Vulnerability in Public WLANs Guarded by Captive Portal Speaker : Po-Kang Chen...
A Proof of MITM Vulnerability in Public WLANs Guarded by
Captive Portal
Speaker : Po-Kang ChenAdvisor : Quincy WuDate : 2010/06/13
Outline Introduction Motivation Related Work Authentication of Public WLAN Implementation & Experiment result Conclusion
2
Introduction The Internet has become more important and
wireless network is more convenient. A lot of public areas begin to provide the Wireless LAN for users, it is called Public WLAN (PWLAN).
PWLANs are usually provided by Wireless Internet Service Providers (WISPs) which manage the payment mechanism of PWLANs.
The users can sign a contract with the WISP or buy the pre-paid cards for using PWLAN.
3
Introduction Nowadays it is easy to find PWLAN service in a
coffee shop or a fast food restaurant, people enjoy this convenience to access Internet in these public places.
According the TWNIC reports the sample survey on January 2010, the frequency of using the Internet service in public areas which becomes higher.
4
Figure 1. 2010 年 1 月台灣網路使用調查報告 ( 單位:相對次數 )http://www.twnic.net.tw/download/200307/200307index.shtml
5
Outline Introduction Motivation Related Work Authentication of Public WLAN Implementation & Experiment result Conclusion
6
Motivation As more people are utilizing the PWLANs, the
security of PWLANs is more important than the past.
Traditionally, we rely WEP or WPA-PSK to protect our WLAN. The vulnerability of WEP and WPA-PSK has been pointed out.
The malicious user uses the readily available tools to perform Caffe Latte Attack which can crack the WEP or WPA-PSK secret keys within a tea break time.
7
Motivation Therefore, most PWLANs now use a new
secure mechanism, called Captive Portal. The Captive Portal uses a webpage to
authenticate users. It was widely accepted by WISPs as a useful
mechanism to ensure that all users must be authenticated before accessing Internet via the WLAN.
8Figure 2. Login webpage
Motivation Although a new standard IEEE 802.1X is
proposed to replace the Captive Portal, the 802.1X standard is more complicated than Captive Portal, so 802.1X is not widely deployed in PWLANs.
We shall show that for PWLANs which are guarded by Captive Portal will be vulnerable to Man-In-The-Middle attacks, so that unauthenticated users can access Internet via the PWLANs.
9
Outline Introduction Motivation Related Work Authentication of Public WLAN Implementation & Experiment result Conclusion
10
ARP ARP (Address Resolution Protocol)
To convert IP address to MAC address in order to communicate in Ethernet communications
Broadcast ARP Request message to ask for the MAC address associated with the destination IP address
The host sends a unicast ARP Reply message to sender with the IP-MAC address pairing
It update the ARP cache after receiving ARP Reply
11
ARP Spoof The malicious user sends ARP Reply with fake
IP-MAC pairing, in an attempt to spoof the ARP cache of other hosts on the network.
ARP Spoof can perform Man-In-The-Middle (MITM) attacks or Denial of Service (DoS) attacks.
12
MITM Before the network does not occur the MITM
attack, the hosts has correct MAC address for both, they communicates with each other directly.
After the network occur the MITM attack, the dynamic IP-MAC pairing will be modified in ARP cache for both hosts. The attacker can receive the packet from one side host and forward it to other host.
The MITM often use to sniff the sensitive information in network.
13
MITM
14Figure 3. MITM attack
Outline Introduction Motivation Related Work Captive Portal in Public WLANs Implementation & Experiment result Conclusion
15
Captive Portal The Captive Portal deploys the authentication
architecture which has the Access Controller, Web Application Server and RADIUS server.
If the unauthenticated users tries to access the Internet, the Access Controller responds the packet with HTTP status code 302 to redirect the users.
The user must be authenticated with a correct username/password provided by the WISPs.
16
17 Figure 4. PWLANs architecture
18 Figure 5. Captive Portal process
Outline Introduction Motivation Related Work Authentication of Public WLAN Implementation & Experiment
result Conclusion
19
Implementation
20
Figure 6. MITM in Captive Portal (1/2)
21 Figure 7. MITM in Captive Portal (2/2)
Victim packetsAttacker packets
Implementation
Data
TCP/UDP/ICMP
IP
ETHERNET
TCP/UDP : checksum
IP : source IP address & checksum
22Figure 8. To modify of masquerade packet
Experiment & Result
Eee PC 701 (victim)
Lenovo X200 (attacker)
Remote FTP server
CPU Intel Celeron M processor 900MHz
Intel Core2 Duo CPU P8600 2.40GHz
Intel Pentium Dual CPU E2200 2.20GHz
Memory 512MB 4GB 2GB
Operating System
Windows XP 32-bit
Windows 7 32-bit
Ubuntu 9.10
TCP buffer size (bytes)
65,535 65,535 65,535
23Table 1. Implementation spec.
24Figure 9. Implementation environment
25 Figure 11. Download 20MB files
Figure 10. Download 10MB files
Experiment & Result
File size Average Download Speed (Kbps)
Performance
without relay with relay
10MB 241.55 234.06 97%
20MB 243.34 235.72 97%
26Table 2. Experiment result
Outline Introduction Motivation Related Work Authentication of Public WLAN Implementation & Experiment result Conclusion
27
Conclusion We demonstrate how ARP Spoof can be used
to launch MTIM attack in PWLANs, the unauthenticated users can access Internet via the PWLANs.
We advise the WISPs can deploy the network devices that support the intrusion detection feature, or re-design the PWLANs architecture and authenticate users by 802.1X.
28