MITM Cheat Sheet

We tried to put together all known MITM attacks and methods of protection against these attacks. Here is also contains tools for carrying out MITM attacks, some interesting attack cases and some tricks associated with them.

Note: Almost all attack tools, described here, doesn’t have any sniffer inside. It only provides attack. Tools for sniffing here: Data sniffing.

A cheat sheet for pentesters and defensive teams about Man In The Middle attacks.

Don’t forget to check out the cheet sheat we prepared to use in wifi attacks in our previous article.

Table of Contents

• L2
  • Arp spoofing
  • STP(RSTP, PVSTP, MSTP) spoofing
  • NDP spoofing ⏳
  • VLAN hopping
• L3k
  • SLAAC Attack
  • Hijacking HSRP (VRRP, CARP) ⏳
  • Dynamic routing protocol spoofing (BGP) ⏳
  • RIPv2 Routing Table Poisoning
  • OSPF Routing Table Poisoning ⏳
  • EIGRP Routing Table Poisoning
  • ICMP Redirect
• L4+
  • NetBIOS (LLMNR) spoofing
  • DHCP spoofing
  • Rogue DHCP (DHCPv6)
• Wireless
  • Karma attacks (Wi-Fi)
  • Rogue BTS (GSM) ⏳
• Attack technics ⏳
  • Data sniffing ⏳
  • Injections in data ⏳
    • Malicious JS in HTML ⏳
    • HTA ⏳
  • Data modification ⏳
    • Wsus ⏳
    • DNS hijacking ⏳
• Hacker notes
  • Difference between CPU (or why most of that attack imposible from your notebook)
• SSLStrip, SSLStrip+, HSTS

L2

Arp spoofing

Сomplexity: Low
Relevance: High
Description:
Address Resolution Protocol (ARP) designed for resolving IP addresses to MAC addresses. All network devices that need to communicate in the network use broadcast ARP queries to find out other machines’ MAC addresses.

Almost all arp spoofing tools use a gratuitous arp response. A Gratuitous ARP reply is a reply to without a ARP request.

Despite the effectiveness of gratuitous ARP, it is particularly insecure because it can be used to assure the remote host that the MAC address of a system on the same network has changed and to specify which address is used now.The typical example of arp spoofing attack

Also there is a chance of successful attack in another way. When you will monitor the arp activity in the network segment and suddenly notice the victim’s arp request, you can try send the arp reply to victim faster than addressee of that request. Some vendors can accept this trick.

Attack tools:

• bettercap -T 10.10.10.10 -X --httpd --proxy-https --proxy
  The old version of the tool is simpler, but there is also a new fashionable one written in Go. Note: Bettercap have excelent sniffer inside.
• arpspoof -i eth0 -t 10.10.10.10
• Intercepter-NG (Now it could be installed at Linux)

Attack detection

• arpwatch
  The program monitors all ARP activity on the selected interfaces. When it notices an anomalies, such as a change in the MAC address while saving the IP address, or vice versa, it reports this to the syslog.
• XArp
  Arpwatch for Windows
• remarp Arpwatch via SNMP

Attack prevention

• Manual ARP tables.
  It has limitation because it will cause difficulties in network scalability. And for wireless network this is a challenge and almost like impossible.
• Patching.
  Utilities such as Anticap and Antidote can play a vital role in preventing ARP spoofing where Anticap prevent updating the ARP cache with different MAC with the existing ARP cache which actually prevent the ARP spoofing but it violates the ARP protocol specification which indeed a problem where on the other hand Antidote prevents the ARP poisoning slightly different way. It analyzes the newly received ARP reply with the existing cache. If the new cache differs with the previous then it look for the MAC address if it still alive. If it found the previous cache MAC address alive, rejects the new one and it adds the attacker MAC address in the list of banned MAC address to prevent further attempts from the ARP poisoning on the same target computer.
• Creating a VLAN on the switch.
  A VLAN is created on the switch that contains only the switch itself and a specific network device.
• Creating encrypted connections.
  This method is also suitable for public networks, because all traffic is encrypted and it is impossible to intercept any user data.
• DAI.
  Dynamic ARP inspection in cisco systems helps prevent the man-in-the-middle attacks by not relaying invalid or gratuitous ARP replies out to other ports in the same VLAN. Dynamic ARP inspection intercepts all ARP requests and all replies on the untrusted ports. Each intercepted packet is verified for valid IP-to-MAC bindings via DHCP snooping. Denied ARP packets are either dropped or logged by the switch for auditing so ARP poisoning attacks are stopped. Incoming ARP packets on the trusted ports are not inspected.

STP(RSTP, PVSTP, MSTP) spoofing

Сomplexity: High
Relevance: Moderate
Description:
The spanning tree protocol is designed to detect and prevent loops in the network if there are redundant paths between the switches.

Anyone who can emulate a device with a (lower) root switch identifier (by connecting a new virtual device with a lower priority or using the STP packet generation tool) can partially or completely intercept the virtual network traffic. Typically, an attacker does not have a physical connection with two switches, so the described attack method is hardly possible. However, in wireless networks, the situation is changing, since the cable connection (socket in the office) and the wireless connection (access point) can end on different switches.

Attack tools
Caution: Often this type of attack leads to a denial of service.

• yersinia –G Yersinia has a graphical interface and an interactive console, you need to select network interfaces and launch a MITM attack.
  The graphical interface does not work stably, so you can use the interactive interface: yersinia –I.
• ettercap
  One more tool for Linux. You need to select the interfaces, then tap “stp mangier” plugin and start it.

Defence technics

• Disabling STP on access ports (to stop recieve BDPU from users), enable port security on all user ports, and restricting physical access to network equipment.
• configuration tools that protect STP (Cisco).

NDP spoofing

Сomplexity: Moderate
Relevance: Close to None
Description:
Attack tools
Defence technics

VLAN hopping

Сomplexity: Moderate
Relevance: None
Description:
A virtual LAN (Local Area Network) is a logical subnetwork that can group together a collection of devices from different physical LANs. Larger business computer networks often set up VLANs to re-partition their network for improved traffic management.

VLANs work by applying tags to network frames and handling these tags in networking systems – creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks.

VLAN hopping is a common name for attacks that involve access to the VLAN, which was initially (before the attack) unavailable to the attacker.It could be performed in two ways:

The Exploit-db doc
The Guide with illustrations and video
VLAN hopping full guide
In-depth article

Attack tools

• yersinia –G Yersinia has a graphical interface and an interactive console, you need to select network interfaces and launch a MITM attack.
  The graphical interface does not work stably, so you can use the interactive interface: yersinia –I.
• Scapy
  Scapy is a Python program that enables the user to send, sniff and dissect and forge network packets. It can be used to create the specially crafted frames needed for processing this attack.
• dtp-spoof.py -i eth0 sends a DTP Trunk packet out eth0 using eth0’s mac address DTP-spoof is a security tool to test the Dynamic Trunking Protocol (DTP) configuration of switches. If the target switch is configured to negotiate the port mode, you can potentially set the target switch’s port to Trunk mode, thereby gaining access to additional VLANs.
  Defence technics

1. The primary VLAN Hopping attack (using DTP)
   It can only be performed when interfaces are set to negotiate a trunk. To prevent the VLAN hopping from being exploited, we can do the below mitigations:
   • Ensure that ports are not set to negotiate trunks automatically by disabling DTP
   • Do not configure any access points with either of the following modes: “dynamic desirable”, “dynamic auto”, or “trunk”.
   • Shutdown all interfaces that are not currently in use.
2. Double Tagging
   To prevent a Double Tagging attack, keep the native VLAN of all trunk ports different from user VLANs.

L3

SLAAC Attack

Complexity: Low
Relevance: High
Description
SLAAC – Stateless Address AutoConfiguration. SLAAC os the one of ways of host network configuration, like DHCPv4. SLAAC provides an IPv6 host prefix value, prefix length and default gateway link-local address without DHCPv6-server which keeps state of the provided addresses (thats why it’s called stateless). The SLAAC process is performed during SLAAC-only and SLAAC+DHCPv6 Stateless configuration.

The main problem of this process is that the attacker can craft the rogue RA to give the hosts his own configuration (e.g., to become a default router on the link). All the hosts, which have IPv6 enabled, are potentially vulnerable to SLAAC attacks. Especially in cases, when IPv6 is enabled is OS by default but organization hasn’t deployed IPv6 in any form.

Another threat in RA comes from the ability to send DNS configuration over RA, so that attacker can spoof it, too: RFC 6106 – IPv6 Router Advertisement Options for DNS Configuration.

Attack Tools

• suddensix
  It’s a script which presets tools used by the security researcher Alec Waters in his post about SLAAC attack. The script is a little bit outdated and working well on Ubuntu 12.04 LTS. It is better to create separated VM for it.
• EvilFOCA
  Amazing tool for windows for IPv6 MITM attacks. A C#-written tool with GUI which allows IPv6 attacks, including SLAAC attack, fake DHCPv6 and even SLAAC DoS which means announcing fake routes in multiple RAs on link.
• THC-IPv6
  A written in C IPv6 attack toolkit which, among many other options, allows to perform attacks with RAs.

Defence technics
The simpliest way to mitigate SLAAC-attacks is to just disable IPv6 on all hosts in the network. But this solution is only suitable for networks where IPv6 stack is not in use and was enabled just due to misconfiguration.Vendors implementation10 basic ideas to solve the problem

Related Monitoring Tools
There are some tools, which can be helpful in rogue RA detection and monitoring:

• NDPMon
  Allows to choose the following configure options before compilation:--enable-mac-resolv
  Determine the vendor by OUI in MAC-address.
  --enable-countermeasures
  Functionality of response to attacks (no described to which ones and how).
  --enable-syslogfilter
  Save syslog to /var/log/ndpmon.lo .
  --enable-lnfq
  Use libnetfilter_queue instead of PCAP (have some requirements to be installed and ip6tables rules).
  --enable-webinterface
  Post html reports (some web server required as nginx/apache).
• Ramond
  Allows to add MAC-address white list of determined legitimate routers, prefix used for 6to4, and unknown prefixes. Based on this configuration the tool monitors RA traffic to find rogue ones.
• 6MoN
  Allows to monitor network state, watching the DAD process and NS messages. DAD stands for Duplicate Address Discovery and it determines if there is and address duplication conflict on the network. NS stands for Neighbor Solicitation(ICMPv6 type 135) and is used to determine a neighbor on the link.

Related RFCs
RFC 6104 – Rogue IPv6 Router Advertisement Problem Statement
RFC 6105 – IPv6 Router Advertisement Guard
RFC 3736 – Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6
RFC 4862 – IPv6 Stateless Address Autoconfiguration (SLAAC)
RFC 7113 – Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
RFC 8021 – Generation of IPv6 Atomic Fragments Considered Harmful

Other useful related links
Windows machines compromised by default configuration flaw in IPv6
Why You Must Use ICMPv6 Router Advertisements

Hijacking HSRP (VRRP, CARP)

Сomplexity: High
Relevance: High
Description:
Attack tools Scapy is the easiest way to create PoC and hijack active node status:

#!/usr/bin/env python
from scapy.all import *

if __name__ == "__main__":
    ip = IP(src="10.0.0.100", dst="224.0.0.2")
    udp = UDP(sport=1985, dport=1985)
    hsrp = HSRP(group=1, priority=150, virtualIP="10.0.0.1", auth="cisco")
    send(ip/udp/hsrp, iface="eth1", inter=3, loop=1)

#!/usr/bin/env python
from scapy.all import *

if __name__ == "__main__":
    ip = IP(src="10.0.0.100", dst="224.0.0.2")
    udp = UDP()
    vrrp = VRRP(vrid=1, priority=150, addrlist=["10.0.0.7", "10.0.0.8"], ipcount=2, auth1='cisco')
    send(ip/udp/vrrp, iface="eth1", inter=3, loop=1)

Defence technics

Dynamic routing protocol spoofing (BGP)

Сomplexity: High
Relevance: High
Conditions:
Description:
Attack tools
https://gitlab.com/fredericopissarra/t50
Defence technics

RIPv2 Routing Table Poisoning

Сomplexity: Medium
Relevance: Medium
Conditions:
RIP implemented;
RIPv1 in use;
RIPv2 authentication disabled.
Description:
There are 3 versions of RIP:

• RIPv1: the first version, described in RFC 1058;
• RIPv2: the improved mainly by adding authentication mechanism version, described in RFC 2453;
• RIPv3 or RIPng (next generation): supports IPv6, described in RFC 2080.

The most widely implemented protocol is RIPv2. RIPv1 is not secure at all, as it doesn’t support message authentication. There is a good write up on exploiting RIPv1 by injecting a fake route.

As specified in RFC 2453, RIPv2 router must exchange routing information every 30 seconds. The idea of attack is to send fake RIP Response messages, which contain the route an attacker needs to inject. Though, there is a special multicast for RIPv2 routers – 224.0.0.9, responses, sent as unicast can be accepted, too. This, for example may harden the detection of the attack, comparing to the case of multicast fake routing propagation. There is a good short write up on exploting RIPv2 network with no RIPv2 authentication with Scapy usage example.

Attack tools

• t50 – a multi-protocol tool for injecting traffic and for network penetration testing. Among many other protocols, it supports RIP.

Defence technics
If router is not configured to authenticate RIPv2 messages, it will accept RIPv1 and RIPv2 unauthenticated messages. The most secure configuration in this way is to set up RIPv2 authentication so that router should not be accepting RIPv1 and v2 unauthenticated messages and so making an unauthenticated router unable to inject a route. This mechanism is described in RFC 2082 – RIP-2 MD5 Authentication, but, it describes the usage of MD5, which is acknowledged to be a weak hashing function. The better one, which means the use of SHA-1 is described in RFC 4822 – RIPv2 Cryptographic Authentication.

Unfortunately, RIPv2 supports only Plain-text and MD5 Authentication. The first one is useless in case of sniffing the network, MD5 Auth is better in case of a passive attacker, intercepting packets, as it doesn’t transfer password in plain text.
The Configuration of RIPv2 Authentication guide describes how to set this feature on Cisco devices.
The guide for setting MD5 authentication for Mikrotik is present here. The guide for setting MD5 authentification on Juniper devices is present here.

Also, passive-interface feature should be used on the access interfaces, which communicate to end devices.
Mikrotik’s documentation on setting passive interface feature.
Cisco’s documentation on setting passive interface feature.
Juniper’s documentation on setting passive-interface feature.

Related RFCs:
RFC 1388 – RIP Version 2 Carrying Additional Information
RFC 4822 – RIPv2 Cryptographic Authentication
RFC 2453 – RIP Version 2
RFC 2080 – RIPng for IPv6.

OSPF Routing Table Poisoning

Сomplexity: High
Relevance: High
Conditions:
Description:
Attack tools
Defence technics

EIGRP Routing Table Poisoning

Complexity: Medium
Relevance: Medium
Conditions: EIGRP protocol implemented on the network; no EIGRP messages authentication set up
Description:
EIGRP stands for Enhanced Interior Gateway Routing Protocol. It is a proprietary Cisco’s distance vector routing protocol, relying on Diffused Update Algorithm – DUAL. The main purpose of this protocol is to dynamically update the routing table and propagate the routes to other routers.
The main security issue is possible in case of spoofing data in Update message, e.g. to inject a non-legitimate route. In this case the router’s routing table gets changed to make it pass the traffic through the device, controlled by the attacker and so the MitM attack is present.

Attack tools

• Eigrp Tools
  A perl script which allows to craft EIGRP packets and send them on network. It even allows set the K1-K4 metrics, all the flags and fields of EIGRP packet. The script requires libnet-rawip-perl and libnetpacket-perl packets to be installed. Some examples of usage:./eigrp.pl --sniff --iface eth0
  perform a sniff on eth0 interface
  ./eigrp.pl --file2ip update.dat --source 192.168.7.8
  replay the traffic from file
  ./eigrp.pl --update --external --as 65534 --source 192.168.7.8
  send and Update message
• EIGRP Security Tool
  A python script, which allows to craft and send different EIGRP packets. The problem is that attempts to launch the script were unsuccessful due to lack of scapy_eigrp module which wasn’t found. Also authors didn’t write any documentation for the tool even in the research description.
• t50 – a multi-protocol tool for injecting traffic and for network penetration testing. Among many other protocols, it supports EIGRP traffic manipulating.

Defence techniques
To protect a network from untrusted route propagations, EIGRP provides a mechanism for authenticating router updates. It uses MD5-keyed digest to sign each packet to prevent unauthorized devices from sending updates to the network. It protects legitimate routers from non-legitimate router updates and from router spoofing. The key is just a defined string, which must be set on other devices which are meant to be legitimate. The detailed guide on EIGRP MD5 Authentication setup can be found here.

Unfortunately, MD5 is acknowledged to be a weak hashing algorithm due to hash collisions. Cisco devices also support hmac-sha-256 EIGRP Updates Authentification. The hash collision attack on SHA-256 is much more complex than for MD5. The guide to EIGRP HMAC-SHA-256 Authentication can be found here.

The stub EIGRP routing area can be set up as it let’s determine the types of routes the stub router should receive queries or not. More information on EIGRP Stub Routing can be found here.

Another best practice to reduce unwanted traffic in a network is to set up passive interfaces. passive-interface feature should be set on access interfaces, which communicate not to network devices, but to end devices. The instruction on setting passive-interface on EIGRP and explaination on how it works is presented in Cisco’s documentation page.

ICMP Redirect

Сomplexity: Medium
Relevance: Medium
Description:
One of the purposes of the ICMP Protocol is to dynamically change the routing table of the end network systems. Dynamic remote management routing was originally conceived to prevent possible send a message to a non-optimal route, as well as to increase fault tolerance of the Network as a whole. It was assumed that the network segment can be connected to the Internet through several routers (not through one as it usually happens). In this case, we can address the external network through any of the nearest routers. For example, to some_host.site the shortest route passes through the “router A” and to the another.site – through the “router B”.

If one of the routers fails, communication with the outside world is possible through another router. As the “ICMP Redirest attack”, we change the route to some site (DNS Name) in the routing table of node A (victim) so that the traffic from node A to some site goes through hacker PC

Conditions of success:

• The IP address of the new router must be on the same subnet as the attacked host itself.
• A new route cannot be added for an IP address that is on the same subnet as the host itself.
• OS must support and process ICMP redirect packets. By default ICMP redirect enabled in Windows (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect)
  and in some Linux distros (cat /proc/sys/net/ipv4/conf/all/accept_redirects)

Attack tools

• Responder (example)
• Hping3 (example)
• Mitmf
• Bettercap (documentation)

Defence technics

• Disable icmp redirect (example)

L4+

NetBIOS (LLMNR) spoofing

Сomplexity: Low
Relevance: High
Description:
If a windows client cannot resolve a hostname using DNS, it will use the Link-Local Multicast Name Resolution (LLMNR) protocol to ask neighbouring computers. LLMNR can be used to resolve both IPv4 and IPv6 addresses.

If this fails, NetBios Name Service (NBNS) will be used. NBNS is a similar protocol to LLMNR that serves the same purpose. The main difference between the two is NBNS works over IPv4 only.

The problem of this pretty cool thing is that when LLMNR or NBNS are used to resolve a request, any host on the network who knows the IP of the host being asked about can reply. Even if a host replies to one of these requests with incorrect information, it will still be regarded as legitimate.

The attacker may request NTLM authentication from the victim, which will cause the victim’s device to send an NTLM hash, which can then be used for brute force attack.Also there is a chance to perform WPAD spoofing.

How Microsoft Windows’s name resolution services work and how they can be abused

Attack tools

• Responder
  It can answer LLMNR and NBNS queries giving its own IP address as the destination for any hostname requested. Responder has support for poisoning WPAD requests and serving a valid wpad.dat PAC file.

• Mitm6
  mitm6 is a pentesting tool which is designed for WPAD spoofing and credential relaying.
• Inveigh
  Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. Import-Module .\Inveigh.psd1 Invoke-Inveigh -NBNS Y -mDNS Y -FileOutput Y -ConsoleOutput Y -SMB Y
• Metasploit modules
  auxiliary/spoof/llmnr/llmnr_response,
  auxiliary/spoof/nbns/nbns_response

Defence technics

• Disable LLMNR and NBNS. You can do it using GPO
  (how to do it here)
• Create DNS entry with “WPAD” that points to the corporate proxy server. So the attacker won’t be able to manipulate the traffic.
• Disable “Autodetect Proxy Settings”

DHCP spoofing

Сomplexity: Moderate
Relevance: Moderate
Description:
The purpose of this attack is to use the attacker’s host or device as the default gateway and to force clients to use a false Domain Name Service (DNS) and a Windows Internet name service (WINS server) configured by the attacker. The attacker’s task is to configure a fake DHCP server on the network to provide DHCP addresses to clients and exhausted the pool of IP addresses from other legitimate DHCP servers (DHCP Starvation attack).

Conditions of success:

• The client receives an IP address from a Rogue DHCP server faster than from a legitimate DHCP server.
• The legitimate server has exhausted the pool of addresses to be issued (DHCP Starvation attack).

DHCP Starvation attack:

• The attacker requests an IP address from the DHCP server and receives it
• The MAC address of the attacker changes and it requests the next, different IP address, masked as a new client
• These actions are repeated until the entire pool of IP addresses on the server is exhausted.

Attack tools for DHCP starvation

• DHCPig
• nmap to find DHCP server (nmap -n --script=broadcast-dhcp-discover)
• metasploit modules (example)
• use scapy for DHCP starvation attack (example)

Attack tools for DHCP spoofing

• yersinia
• Ettercap

Defence technics

• Enable DHCP snooping

This is a L2 switch function designed to protect against DHCP attacks. For example, a DHCP spoofing attack or DHCP starvation attack.

On Cisco Switches:

• Switch(config)#ip dhcp snooping vlan 10 – enable DHCP snooping for vlan10
• Switch(config)# interface fa 0/1 – go to the settings of the specific interface
• Switch(config-if)#ip dhcp snooping trust – setting up trusted ports on the interface (by default all ports are unreliable, the DHCP server should not be connected to them).
• Switch(config)#ip dhcp-server 10.84.168.253 – Specify the address of the trusted DHCP server, which is accessible through the trusted port.

Important. By default, after enabling DHCP snooping, the switch is enabled to check for MAC address matching. The switch checks whether the MAC address in the DHCP request matches the client’s MAC address. If they do not match, the switch discards the packet.

• How DHCP works
• DHCP wireshark sample

Rogue DHCP (DHCPv6)

Сomplexity: Low
Relevance: High
Description:
The Ipv6 client sends a Solicit message to the All_DHCP_Relay_Agents_and_Servers address to find available DHCP servers. Any server that can meet the client’s requirements responds with an Advertise message. The client then chooses one of the servers and sends a Request message to the server asking for confirmed assignment of addresses and other configuration information.The server responds with a Reply message that contains the confirmed addresses and configuration.

This schema looks simular to DHCPv4 so the main goal for the attacker is to use fake DHCPv6 server to redirect victims traffic to himself.

The attacker can catch client DHCP solicit message and can actually reply, pretending that he is the DHCPv6 server and assign credentials (such as the DNS address) to be used by victim.

Attack tools

• mitm6
• some scapy python scripts (example)
• snarf

Defence technics

• In cisco devices enable dhcpv6 guard policy (example)
• disable Ipv6 if you don’t use it

Wireless

Karma attacks (Wi-Fi)

Сomplexity: Low
Relevance: High
Description:
The KARMA attack uses the peculiarities of the clients who send requests to determine which wireless networks are nearby.

The Wi-Fi Access Point periodically sends a beacon request indicating the network SSID that identifies the Wi-Fi network. When a client receives a beacon frame with an SSID that it remembers, it can be associated with the wireless network. Vulnerable client devices broadcast a “preferred network list” (PNL), which contains the SSIDs of access points to which they have previously connected and are willing to automatically reconnect without user intervention. These broadcasts may be received by any WiFi access point in range. The KARMA attack consists in an access point receiving this list and then giving itself an SSID from the PNL, thus becoming an evil twin of an access point already trusted by the client.

As a result, the client connects to a different network than the one the user expects. And now the attacker can perform MITM or other attacks on the client system.

However, nowadays, most modern network managers have taken countermeasures against the KARMA attack by switching to passive scanning; instead of arbitrarily sending probe request frames, network managers now wait to receive a beacon frame with a familiar ESSID before associating with a wireless network. While this countermeasure has hampered the effectiveness of the KARMA attack, the second feature exploited by KARMA, the Auto-Connect flag that enables the stations to automatically join previously connected networks, was left intact in almost every modern Operating System.

An attacker that can guess the SSID in the victim device’s Preferred Network List, will be able to broadcast the corresponding beacon frame and have that device automatically associate with an attacker-controlled access point. In a more sophisticated version of the attack, the adversary may use a “dictionary” of common SSIDs, that the victim has likely connected to in the past.

How does a KARMA attack work?

Attack tools

• Wifiphisher
  The Rogue Access Point Framework
• hostapd-mana
  Hostapd-mana is a featureful rogue wifi access point tool. It can be used for a myriad of purposes from tracking and deanonymising devices (aka Snoopy), gathering corporate credentials from devices attempting EAP (aka WPE) or attracting as many devices as possible to connect to perform MitM attacks.
• WIFI PINEAPPLE
  The rogue access point and WiFi pentest toolkit.
  How to reinforce the MK5 Karma attack with the Dogma PineAP module here.
• FruityWIFI
  FruityWiFi is an open source tool to audit wireless networks. It allows the user to deploy advanced attacks by directly using the web interface or by sending messages to it.
  Initialy the application was created to be used with the Raspberry-Pi, but it can be installed on any Debian based system.

Defence technics

• Pay attention to the Wi-Fi networks that your device connects to
• Don’t use open wifi in public areas, or use it very sparingly
• Creating encrypted connections (VPN, etc.)

Attack technics

Data sniffing

Attack tools:

• wireshark
• net-creds

Hacker notes

Difference between technology stack (or why most of that attack imposible from your notebook)

Network equipment has the same general-purpose CPUs. MIPS or ARM for basic SOHO routers, multicore x86 in more serious boxes. It’s the NIC with multiple hardware queues and special methods of NIC<->software communication (explicit ring–buffering, heavy use of DMA) that make a difference.

So you can’t just connect to the network and turn on the spoofing, it can put the network down right away. Your small notebook network adapter simply cannot cope with a large data stream and will start to drop them. You need to choose the optimal number of hosts that you can spoof at the same time(~<4).

Attack device

Possible candidate: MikroTik hAP AC

SSLStrip, SSLStrip+, HSTS

SSLStrip is a technique that replaces a secure (HTTPS) connection with an open (HTTP) connection. This attack is also known as HTTP-downgrading

It intercepted HTTP traffic and whenever it spotted redirects or links to sites using HTTPS, it would transparently strip them away.

Instead of the victim connecting directly to a website; the victim connected to the attacker, and the attacker initiated the connection back to the website. The interceptor made the encrypted connection to back to the web server in HTTPS, and served the traffic back to the site visitor unencrypted

But it doesn’t work anymore with the advent of HSTS. More precisely, it doesn’t work where HSTS is enabled.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks (SSL stripping). It allows web servers to declare that web browsers should interact with it using only secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS works by the server responding with a special header called Strict-Transport-Security which contains a response telling the client that whenever they reconnect to the site, they must use HTTPS. This response contains a “max-age” field which defines how long this rule should last for since it was last seen.

Also It has includeSubDomains (optional). If this optional parameter is specified, this rule applies to all of the site’s subdomains as well.

But not everyone sets up HSTS the same way.

That’s how SSLstrip++ came about.

It’s a tool that transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links.

One of the shortcomings of HSTS is the fact that it requires a previous connection to know to always connect securely to a particular site. When the visitor first connects to the website, they won’t have received the HSTS rule that tells them to always use HTTPS. Only on subsequent connections will the visitor’s browser be aware of the HSTS rule that requires them to connect over HTTPS.

HSTS Preload Lists are one potential solution to help with these issues, they effectively work by hardcoding a list of websites that need to be connected to using HTTPS-only.

Inside the source code of Google Chrome, there is a file which contains a hardcoded file listing the HSTS properties for all domains in the Preload List. Each entry is formatted in JSON.

Attack tools

• sslstrip
  sslstrip is a MITM tool that implements Moxie Marlinspike’s SSL stripping attacks.
• sslstrip2

Defence technics

For developers – The 6-Step “Happy Path” to HTTPS