A Proof of MITM Vulnerability in Public WLANs Guarded by Captive Portal Author: Wei-Lin Chen Po-Kang Chen Quincy Wu
Outline � Introduction � Motivation � Related Works � Authentication of Public WLAN � Implementation & Experiment result � Conclusion 2
Introduction � A lot of public areas begin to provide the Wireless LAN for users, it is called Public WLAN (PWLAN). � PWLANs are usually provided by Wireless Internet Service Providers (WISPs) which manage the payment mechanism of PWLANs. 3
Introduction � Nowadays it is easy to find PWLAN service in a coffee shop or a fast food restaurant, people enjoy this convenience to access Internet in these public places. � According the TWNIC (Taiwan Network Information Center) reports the sample survey on January 2010, the frequency of using the Internet service in public areas which becomes higher. 4
Figure 1. January 2010 Taiwan Internet using frequency report 5 http://www.twnic.net.tw/download/200307/200307index.shtml
Motivtion 6
Motivation � More and more people are utilizing the PWLANs. � Traditionally, we rely WEP or WPA-PSK to protect our WLAN. � Readily available tools to crack the WEP or WPA-PSK secret keys . 7
Motivation � Therefore, most PWLANs now use a new secure mechanism, called Captive Portal. � It was widely accepted by WISPs. 8
Motivation Figure 2. Login webpage 9
Motivation � A new standard IEEE 802.1X is proposed to replace the Captive Portal. � But the 802.1X standard is more complicated than Captive Portal, so 802.1X is not widely deployed in PWLANs. � We shall show that for PWLANs which are guarded by Captive Portal will be vulnerable to Man-In-The-Middle attacks, so that unauthenticated users can access Internet via the PWLANs. 10
Related Work 11
ARP (Address Resolution Protocol) � ARP To convert IP address to MAC address in order to communicate in Ethernet communications 12
ARP (Address Resolution Protocol) � Broadcast ARP Request message to ask for the MAC address associated with the destination IP address � The host sends a unicast ARP Reply message to sender with the IP-MAC address pairing � Update the ARP cache after receiving ARP Reply 13
ARP Spoof � The malicious user sends ARP Reply with fake IP-MAC pairing, in an attempt to spoof the ARP cache of other hosts on the network. � ARP Spoof can perform Man-In-The-Middle (MITM) attacks or Denial of Service (DoS) attacks. 14
MITM � Before the network does not occur the MITM attack, the hosts has correct MAC address for both, they communicates with each other directly. � After the network occur the MITM attack, the dynamic IP-MAC pairing will be modified in ARP cache for both hosts. The attacker can receive the packet from one side host and forward it to other host. 15
MITM Figure 3. MITM attack 16
Authentication of Public WLAN 17
Figure 4. PWLANs architecture 18
Figure 5. Captive Portal process 19
Implementation & Experiment result 20
Implementation Figure 6. MITM in Captive Portal (1/2) 21
Victim packets Attacker packets 22 Figure 7. MITM in Captive Portal (2/2)
Implementation Data TCP/UDP : checksum TCP/UDP/ICMP IP IP : source IP address & checksum ETHERNET Figure 8. To modify of masquerade packet 23
Experiment Result Eee PC 701 Lenovo X200 Remote FTP (victim) (attacker) server CPU Intel Celeron M Intel Core2 Intel Pentium processor Duo CPU Dual CPU 900MHz P8600 E2200 2.40GHz 2.20GHz Memory 512MB 4GB 2GB Operating Windows XP Windows 7 32- Ubuntu 9.10 System 32-bit bit TCP buffer 65,535 65,535 65,535 size (bytes) Table 1. Implementation spec. 24
Figure 9. Implementation environment 25
Figure 10. Download 10MB files 26 Figure 11. Download 20MB files
Experiment & Result File size Average Download Speed Performance (Kbps) without relay with relay 10MB 241.55 234.06 97% 20MB 243.34 235.72 97% Table 2. Experiment result 27
Conclusion 28
Conclusion � We knew how ARP Spoof can be used to launch MTIM attack in PWLANs, the unauthenticated users can access Internet via the PWLANs. � We advise the WISPs can deploy the network devices that support the intrusion detection feature, or re-design the PWLANs architecture and authenticate users by 802.1X. 29
Thank you for your listening 30
Recommend
More recommend