Monthly Archives: May 2012


MiTM attacks on Open WiFi Hotspots

Since it is so trivial to set up WiFi hotspots as open networks (it keeps the infrastructure simple), a question arises: how can one stay safe from MiTM attacks that take advantage of the inherent trust between the connecting client and the access point? As Vivek Ramachandran says in his WiFi security primer video series, there is no way for the client to authenticate the access point it is connecting to.

If you are a novice in wireless security, the first paragraph might sound like a Selvaraghavan movie, so I'll explain how MiTM attacks are performed on open access points (WiFi hotspots, to be precise).

MiTM is popularly expanded as Man in the Middle attack, or, if you prefer Hak5 Darren's expansion, Monkey in the Middle attack. In an open network, all the data packets as well as the 802.11 (WiFi) management packets travelling through the air around you are unencrypted. Management packets are unencrypted even in WEP and WPA networks, but that is a different story.

A few of the management packets are:

* Beacon Packet
* Probe Request, Response
* Authentication Request, Response
* Association Request, Response
* Disassociation Request, Response
* De Authentication Request, Response

In order to perform a MiTM attack, the attacker must make the clients connected to the original AP connect to him instead. He can achieve this by continuously performing a deauth attack against the access point, disconnecting all legitimate clients from the legitimate AP, and using airbase-ng to set up a fake AP with the same name as the legitimate one, thereby attracting the users towards him. The fake AP's signal strength need not be higher than the legitimate AP's, because the legitimate AP is being hammered by a continuous deauth attack.

Assume that the WiFi hotspot's network looks like this and the network name is freewifi. In the normal case, the client happily connects to the freewifi access point and transfers data.


The attacker may start sending broadcast deauth management packets for the BSSID of freewifi, thereby making all the clients disconnect from the freewifi access point.

Next the attacker sets up his own access point named freewifi, but with a different BSSID, using airbase-ng. Since the attacker's fake AP advertises itself as freewifi, the client goes ahead and connects to it. This is where the client's inherent trust in the AP is exploited.

Now the client is connected to us, believing that we are the freewifi access point, and sends its (unencrypted) data to us; we happily intercept and monitor the data and forward it to the internet through our own uplink, either a 3G phone or a data card. We have the option to tamper with, monitor, or modify the user's data.

Detecting MiTM Attacks:

So now, if we have something on the host (client) computer that verifies the AP's BSSID (MAC address), it would be easy to spot a MiTM attack. You may think: “MAC spoofing is a piece of cake, and what if the attacker launches his duplicate AP with the same BSSID (MAC address) as the legitimate one? The verification mechanism will be rendered useless, right?” My answer is yes, but no. If the attacker changes the BSSID of the fake AP he created using airbase-ng to the same one as the legitimate AP's, he would end up deauthenticating his own fake AP as well, since both would then share the same BSSID. So technically, unless the attacker has a high-gain directional antenna, he would not change the BSSID of his fake AP to match the original AP's.

Now, I plan to follow this up with a Python daemon program which manages a file with a list of APs along with their BSSIDs, so whenever you connect to a network it checks whether you have previously connected to that network. If yes, it checks the BSSID, which will be different in case of a MiTM and the same in case of normal usage.
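The core of the check described above, written as an added example rather than the daemon the post promises: it parses the current association from `iw dev <iface> link` output (assumed to be the tool available; the sample output below is constructed), keeps an SSID-to-BSSID record in a JSON file, and reports a known SSID that shows up with a different BSSID.

```python
"""Record the BSSID seen for each SSID and flag a change on reconnect.

Assumed store layout: {"ssid": "aa:bb:cc:dd:ee:ff"}. Parsing targets the
output of `iw dev <iface> link` (an assumption; adapt for other tools).
"""
import json
import re
from pathlib import Path

# Constructed sample of `iw dev wlan0 link` output, not captured from a real AP.
SAMPLE_IW_LINK = """Connected to 00:11:22:33:44:55 (on wlan0)
\tSSID: freewifi
\tfreq: 2437
\tsignal: -52 dBm
"""

BSSID_RE = re.compile(r"^Connected to ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I | re.M)
SSID_RE = re.compile(r"^\s*SSID: (.+)$", re.M)


def parse_iw_link(output):
    """Return (ssid, bssid) from `iw dev <iface> link` text, or None if not associated."""
    bssid = BSSID_RE.search(output)
    ssid = SSID_RE.search(output)
    if not bssid or not ssid:
        return None
    return ssid.group(1).strip(), bssid.group(1).lower()


def check_ap(known, ssid, bssid):
    """Compare the current AP with the one recorded for this SSID.

    'new'      -> first time this SSID is seen; the caller should record it
    'ok'       -> same BSSID as last time
    'mismatch' -> known SSID served by a different BSSID: possible fake AP
    """
    stored = known.get(ssid)
    if stored is None:
        return "new"
    return "ok" if stored == bssid.lower() else "mismatch"


def load_known(path):
    """Load the SSID->BSSID record, or an empty one if the file does not exist yet."""
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def save_known(path, known):
    Path(path).write_text(json.dumps(known, indent=2))
```

A BSSID match does not prove the AP is genuine (the MAC spoofing caveat above still applies), and a hotspot served by several legitimate APs under one SSID will also trigger a mismatch, so the record should allow more than one BSSID per SSID in that case.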