A Proof of MITM Vulnerability in Public WLANs Guarded by Captive Portal Speaker : Po-Kang Chen Advisor : Quincy Wu Date : 2010/06/13.


1 A Proof of MITM Vulnerability in Public WLANs Guarded by Captive Portal Speaker : Po-Kang Chen Advisor : Quincy Wu Date : 2010/06/13

2 Outline
• Introduction
• Motivation
• Related Work
• Authentication of Public WLAN
• Implementation & Experiment result
• Conclusion

3 Introduction
• The Internet has become more important and wireless networks are more convenient. Many public areas have begun to provide Wireless LAN for users; this is called Public WLAN (PWLAN).
• PWLANs are usually provided by Wireless Internet Service Providers (WISPs), which manage the payment mechanism of PWLANs.
• Users can sign a contract with the WISP or buy pre-paid cards to use the PWLAN.

4 Introduction
• Nowadays it is easy to find PWLAN service in a coffee shop or a fast food restaurant, and people enjoy the convenience of accessing the Internet in these public places.
• According to the TWNIC sample survey report of January 2010, the frequency of using Internet service in public areas has become higher.

5 Figure 1. Taiwan Internet Usage Survey Report, January 2010 (unit: relative frequency) http://www.twnic.net.tw/download/200307/200307index.shtml

6 Outline
• Introduction
• Motivation
• Related Work
• Authentication of Public WLAN
• Implementation & Experiment result
• Conclusion

7 Motivation
• As more people use PWLANs, the security of PWLANs is more important than in the past.
• Traditionally, we rely on WEP or WPA-PSK to protect our WLAN. The vulnerability of WEP and WPA-PSK has been pointed out.
• A malicious user can use readily available tools to perform the Caffe Latte Attack, which can crack the WEP or WPA-PSK secret keys within a tea break.

8 Motivation
• Therefore, most PWLANs now use a new security mechanism, called Captive Portal.
• The Captive Portal uses a webpage to authenticate users.
• It was widely accepted by WISPs as a useful mechanism to ensure that all users are authenticated before accessing the Internet via the WLAN.
Figure 2. Login webpage

9 Motivation
• Although a new standard, IEEE 802.1X, has been proposed to replace the Captive Portal, the 802.1X standard is more complicated than Captive Portal, so 802.1X is not widely deployed in PWLANs.
• We shall show that PWLANs guarded by Captive Portal are vulnerable to Man-In-The-Middle attacks, so that unauthenticated users can access the Internet via the PWLANs.

10 Outline
• Introduction
• Motivation
• Related Work
• Authentication of Public WLAN
• Implementation & Experiment result
• Conclusion

11 ARP
• ARP (Address Resolution Protocol)
• Converts an IP address to a MAC address in order to communicate over Ethernet
• The sender broadcasts an ARP Request message to ask for the MAC address associated with the destination IP address
• The destination host sends a unicast ARP Reply message to the sender with the IP-MAC address pairing
• The sender updates its ARP cache after receiving the ARP Reply

12 ARP Spoof
• The malicious user sends an ARP Reply with a fake IP-MAC pairing, in an attempt to spoof the ARP cache of other hosts on the network.
• ARP Spoof can be used to perform Man-In-The-Middle (MITM) attacks or Denial of Service (DoS) attacks.

13 MITM
• Before a MITM attack occurs, both hosts hold the correct MAC address for each other and communicate with each other directly.
• After a MITM attack occurs, the dynamic IP-MAC pairing in the ARP cache of both hosts has been modified. The attacker can receive a packet from one host and forward it to the other host.
• MITM is often used to sniff sensitive information on the network.

14 MITM
Figure 3. MITM attack

15 Outline
• Introduction
• Motivation
• Related Work
• Captive Portal in Public WLANs
• Implementation & Experiment result
• Conclusion

16 Captive Portal
• The Captive Portal deploys an authentication architecture consisting of the Access Controller, the Web Application Server and the RADIUS server.
• If an unauthenticated user tries to access the Internet, the Access Controller responds to the packet with HTTP status code 302 to redirect the user.
• The user must be authenticated with a correct username/password provided by the WISP.

17 Figure 4. PWLANs architecture

18 Figure 5. Captive Portal process

19 Outline
• Introduction
• Motivation
• Related Work
• Authentication of Public WLAN
• Implementation & Experiment result
• Conclusion

20 Implementation
Figure 6. MITM in Captive Portal (1/2)

21 Figure 7. MITM in Captive Portal (2/2) (legend: victim packets, attacker packets)

22 Implementation
Packet layers: Data | TCP/UDP/ICMP | IP | ETHERNET
Fields to modify:
• TCP/UDP: checksum
• IP: source IP address & checksum
Figure 8. Modification of the masqueraded packet

23 Experiment & Result

| | Eee PC 701 (victim) | Lenovo X200 (attacker) | Remote FTP server |
|---|---|---|---|
| CPU | Intel Celeron M processor 900MHz | Intel Core2 Duo CPU P8600 2.40GHz | Intel Pentium Dual CPU E2200 2.20GHz |
| Memory | 512MB | 4GB | 2GB |
| Operating System | Windows XP 32-bit | Windows 7 32-bit | Ubuntu 9.10 |

TCP buffer size (bytes): 65,535

Table 1. Implementation spec.

24 Figure 9. Implementation environment

25 Figure 10. Download 10MB files
Figure 11. Download 20MB files

26 Experiment & Result

| File size | Average download speed without relay (Kbps) | Average download speed with relay (Kbps) | Performance |
|---|---|---|---|
| 10MB | 241.55 | 234.06 | 97% |
| 20MB | 243.34 | 235.72 | 97% |

Table 2. Experiment result

27 Outline
• Introduction
• Motivation
• Related Work
• Authentication of Public WLAN
• Implementation & Experiment result
• Conclusion

28 Conclusion
• We demonstrate how ARP Spoof can be used to launch a MITM attack in PWLANs, so that unauthenticated users can access the Internet via the PWLANs.
• We advise WISPs to deploy network devices that support the intrusion detection feature, or to re-design the PWLAN architecture and authenticate users by 802.1X.
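
The intrusion detection recommended in the conclusion can start from the ARP behaviour on slides 11 to 13: a host that watches ARP traffic can flag a reply that contradicts an IP-MAC pairing it already learned. The following is an added example, not code from the presentation; the names `ArpWatch`, `parse_arp`, `make_frame` and all addresses are constructed for illustration, and frames are built in memory rather than captured.

```python
import struct

def parse_arp(frame):
    """Return (eth_src, opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return frame[6:12].hex(":"), op, frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

class ArpWatch:
    """Tracks IP-to-MAC bindings learned from ARP and reports inconsistencies."""
    def __init__(self, pinned=None):
        self.table = dict(pinned or {})  # ip -> first-seen or pinned MAC

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        eth_src, _op, sha, spa = parsed
        alerts = []
        if eth_src != sha:  # Ethernet header and ARP payload disagree
            alerts.append(f"src-mismatch {spa}: eth={eth_src} arp={sha}")
        known = self.table.setdefault(spa, sha)
        if known != sha:  # keep the old binding so repeated conflicts keep alerting
            alerts.append(f"binding-change {spa}: {known} -> {sha}")
        return alerts

def make_frame(eth_src, sha, spa, tha, tpa, op=2):
    """Build a constructed ARP frame in memory (op=2 is Reply) for the demo."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(map(int, s.split(".")))
    return (m(tha) + m(eth_src) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + m(sha) + i(spa) + m(tha) + i(tpa))

# Constructed sample addresses, not taken from the presentation.
GW_IP, GW_MAC = "192.168.1.1", "00:11:22:33:44:55"
HOST_IP, HOST_MAC = "192.168.1.10", "00:aa:bb:cc:dd:10"
ROGUE_MAC = "02:00:00:00:00:66"

def demo():
    watch = ArpWatch()
    frames = [
        make_frame(GW_MAC, GW_MAC, GW_IP, HOST_MAC, HOST_IP),        # genuine reply
        make_frame(ROGUE_MAC, ROGUE_MAC, GW_IP, HOST_MAC, HOST_IP),  # conflicting reply
    ]
    return [a for f in frames for a in watch.observe(f)], watch.table

if __name__ == "__main__":
    print(demo())
```

Passing the gateway's known pairing as `pinned` makes the first conflicting reply alert even if the watcher started after the cache was already poisoned.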

