[SATLUG] Deli owner wishes to set up own hotspot cheaply
Aaron Hackney
aaron at aaronhackney.com
Sun Sep 2 08:32:08 CDT 2007
Samuel Leon wrote:
>
>
> Bruce Dubbs wrote:
>> Samuel Leon wrote:
>>
>>
>>> Speaking of security, I have a question. Are there any
>>> applications/tools available to help prevent people from running ARP
>>> spoofing attacks inside a wireless lan? I find that this is a common
>>> method for gathering user names and passwords. There are many simple
>>> GUI apps out there that make these style of attacks/packet sniffing
>>> very easy to carry out. There used to be a video on a website of a guy
>>> running ettercap and sniffing out user names and passwords from various
>>> SSL protected webmail sites.
>>
>> I don't know how sniffing at the Link level is any different from the
>> Network level. If you can read the frames, you can read the packets.
>> The only difference is the data link header and trailer which has no
>> security info.
Exactly. Framing encapsulation happens after packet encapsulation. So a
frame contains the packet info along with all of the upper layer data.
>>
>> The comment about sniffing names/passwords over SSL just doesn't ring
>> true. The encryption is done before the packet is encapsulated. The
>> listener would have to be able to crack the encryption to get any useful
>> info.
>>
>> -- Bruce
>>
>
> Not sure I follow your link level vs network level comment. Maybe I
> will have to pull out my ccna book...
>
> As far as the SSL sniffing, the encryption is not really cracked. A
> fake certificate is sent to the victim. From the ettercap man page:
>
> "SSL MITM ATTACK
> While performing the SSL mitm attack, ettercap substitutes the real ssl
> certificate with its own. The fake certificate is created on the fly
> and all the fields are filled according to the real cert presented by
> the server. Only the issuer is modified and signed with the private key
> contained in the etter.sll.crt file. If you want to use a different
> private key you have to regenerate this file"
>
Interesting. I was wondering how they did that.
This doesn't apply to SSL, but there are also some interesting attacks
on secured APs, i.e. sending a disconnect message to the client; when
the client attempts to reconnect, it reconnects to your box, which is
spoofing the AP. You get the user's sign-in credentials, then disconnect
again and let them reconnect to the real AP.
> I haven't figured out how to do it yet though.
>
> Sam
>
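Sam's question at the top of the thread was whether any tool can help catch ARP spoofing on a LAN. The usual defensive answer is passive monitoring in the style of arpwatch: record which MAC answers for each IP and raise an alert when the answer changes, when one MAC starts answering for several IPs (the gateway and a client at once is the classic sign of a man-in-the-middle box), or when a host floods the segment with gratuitous replies. The following detector is an added example written for this page, not code from the thread or from arpwatch; the ARP reply records it processes are constructed, and the gateway address, thresholds and alert wording are assumptions chosen for the demo.

```python
"""Arpwatch-style ARP spoof detector over a constructed stream of ARP replies.

Added example for illustration; not code from the SATLUG thread or from arpwatch.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import DefaultDict, Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply (as a sniffer on the segment would see it)."""
    ts: float            # capture time in seconds
    sender_ip: str       # IP the sender claims to own
    sender_mac: str      # hardware address the sender wants bound to that IP
    gratuitous: bool = False  # reply that answered no request (unsolicited)


class ArpWatcher:
    """Keeps an IP->MAC table and emits (kind, message) alerts on suspicious changes."""

    def __init__(self, gateway_ip: str, flood_threshold: int = 5, window: float = 10.0):
        self.gateway_ip = gateway_ip              # assumed router address for the demo
        self.flood_threshold = flood_threshold    # unsolicited replies per MAC per window
        self.window = window                      # seconds
        self.table: Dict[str, str] = {}           # ip -> last MAC seen answering for it
        self.ips_per_mac: DefaultDict[str, Set[str]] = defaultdict(set)
        self.grat_times: DefaultDict[str, List[float]] = defaultdict(list)
        self.alerts: List[Tuple[str, str]] = []

    def observe(self, r: ArpReply) -> List[Tuple[str, str]]:
        new: List[Tuple[str, str]] = []

        # 1. Binding change: the same IP is now answered by a different MAC.
        #    Also fires on legitimate DHCP reassignments, so treat it as a signal,
        #    not proof; a change on the gateway address deserves immediate attention.
        known = self.table.get(r.sender_ip)
        if known is not None and known != r.sender_mac:
            tag = "GATEWAY " if r.sender_ip == self.gateway_ip else ""
            new.append(("changed",
                        f"{tag}changed ethernet address: {r.sender_ip} {known} -> {r.sender_mac}"))
        self.table[r.sender_ip] = r.sender_mac

        # 2. One MAC claiming several IPs: typical of a host poisoning both ends of a
        #    conversation (router or multi-homed box can trigger this legitimately).
        owned = self.ips_per_mac[r.sender_mac]
        if owned and r.sender_ip not in owned:
            new.append(("multi_ip",
                        f"{r.sender_mac} now claims {r.sender_ip} in addition to {sorted(owned)}"))
        owned.add(r.sender_ip)

        # 3. Gratuitous-reply flood from one MAC inside the sliding window.
        if r.gratuitous:
            times = self.grat_times[r.sender_mac]
            times[:] = [t for t in times if t >= r.ts - self.window]
            times.append(r.ts)
            if len(times) == self.flood_threshold:   # alert once when the threshold is crossed
                new.append(("flood",
                            f"{r.sender_mac} sent {len(times)} unsolicited ARP replies "
                            f"in {self.window:.0f}s"))

        self.alerts.extend(new)
        return new


# Constructed capture: a router, a client, and a third host that first registers
# normally and then starts answering for both the router and the client.
GW, CLIENT, THIRD = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", GW),
    ArpReply(1.0, "192.168.1.10", CLIENT),
    ArpReply(2.0, "192.168.1.20", THIRD),
    ArpReply(3.0, "192.168.1.1", THIRD, gratuitous=True),    # gateway rebinds to THIRD
    ArpReply(3.5, "192.168.1.10", THIRD, gratuitous=True),   # client rebinds to THIRD
    ArpReply(4.0, "192.168.1.1", THIRD, gratuitous=True),    # repeated refreshes
    ArpReply(4.2, "192.168.1.1", THIRD, gratuitous=True),
    ArpReply(4.4, "192.168.1.1", THIRD, gratuitous=True),    # 5th unsolicited reply
    ArpReply(4.6, "192.168.1.1", THIRD, gratuitous=True),
]


def run_demo() -> ArpWatcher:
    """Feed the constructed capture through the watcher and return it for inspection."""
    w = ArpWatcher(gateway_ip="192.168.1.1")
    for reply in SAMPLE_REPLIES:
        w.observe(reply)
    return w


if __name__ == "__main__":
    for kind, msg in run_demo().alerts:
        print(f"[{kind}] {msg}")
```

On a real segment the `ArpReply` records would come from a packet capture (arpwatch itself listens with libpcap); the detection logic is the same. The "changed" alert is the noisy one, so pairing it with the multi-IP and flood signals, and with a static entry or switch-side protection for the gateway address, is what keeps the alerts actionable.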