[SATLUG] Deli owner wishes to set up own hotspot cheaply

Samuel Leon leon36 at gmail.com
Tue Sep 4 14:40:41 CDT 2007


On 9/2/07, Aaron Hackney <aaron at aaronhackney.com> wrote:
>
> Samuel Leon wrote:
> >
> >
> > Bruce Dubbs wrote:
> >> Samuel Leon wrote:
> >>
> >>
> >>> Speaking of security, I have a question.  Are there any
> >>> applications/tools available to help prevent people from running ARP
> >>> spoofing attacks inside a wireless lan?  I find that this is a common
> >>> method for gathering user names and passwords.  There are many simple
> >>> GUI apps out there that make this style of attack/packet sniffing very
> >>> easy to carry out.  There used to be a video on a website of a guy
> >>> running ettercap and sniffing out user names and passwords from various
> >>> SSL protected webmail sites.
> >>
> >> I don't know how sniffing at the Link level is any different from the
> >> Network level.  If you can read the frames, you can read the packets.
> >> The only difference is the data link header and trailer which has no
> >> security info.
> Exactly. Framing encapsulation happens after packet encapsulation. So a
> frame contains the packet info along with all of the upper layer data.
> >>
> >> The comment about sniffing names/passwords over SSL just doesn't ring
> >> true.  The encryption is done before the packet is encapsulated.  The
> >> listener would have to be able to crack the encryption to get any useful
> >> info.
> >>
> >>   -- Bruce
> >>
> >
> > Not sure I follow your link level vs network level comment.  Maybe I
> > will have to pull out my ccna book...
> >
> > As far as the SSL sniffing, the encryption is not really cracked.  A
> > fake certificate is sent to the victim.  From the ettercap man page:
> >
> > "SSL MITM ATTACK
> >       While performing the SSL mitm attack, ettercap substitutes the
> >       real ssl certificate with its own. The fake certificate is created
> >       on the fly and all the fields are filled according to the real cert
> >       presented by the server. Only the issuer is modified and signed with
> >       the private key contained in the etter.sll.crt file. If you want to
> >       use a different private key you have to regenerate this file"
> >
>
> > I haven't figured out how to do it yet though.
> >
> > Sam
> >
> Interesting. I was wondering how they did that.
>
> This doesn't apply to ssl but there are also some interesting attacks
> with secured APs. ie: sending a disconnect message to the client, when
> the client attempts to reconnect they reconnect to your box spoofing the
> AP. You get the user's sign in credentials then disconnect again and let
> them reconnect to the real AP.

Yeah, there is some nasty stuff out there.  I have always wondered exactly how
secure ISP networks like roadrunner are also...

Sam
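The ARP spoofing question quoted earlier in this thread (tools to catch someone poisoning the gateway mapping on a shared LAN) has a fairly simple defensive answer: keep a table of which MAC answered for which IP and raise an alert when the answer changes, with extra weight on the gateway. That is what arpwatch does in production. The monitor below is an added example written for this archive page, not code from the SATLUG thread or from ettercap/arpwatch. The input lines are constructed here in the style of tcpdump's ARP output; on a real host you would pipe a live capture into it instead.

```python
"""ARP-reply monitor: flags an IP address that changes MAC, and a MAC that
claims more than one IP, the two visible symptoms of a gateway-spoofing MITM.

Added example for the SATLUG thread on ARP spoofing; not from the original
posts. Input is a constructed capture in tcpdump's ARP reply format.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Matches "<timestamp> ARP, Reply <ip> is-at <mac>" as tcpdump prints it.
# Requests ("ARP, Request who-has ...") are deliberately ignored.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

# Constructed sample capture: a real gateway (00:11:22:...) and a client
# (aa:bb:cc:...) are seen first; then de:ad:be:ef:00:01 answers for both.
SAMPLE_CAPTURE = """\
14:40:41.000001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
14:40:42.000002 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:01, length 28
14:40:43.000003 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
14:40:44.000004 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
14:40:45.000005 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01, length 28
"""


def parse_arp_reply(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (timestamp, ip, mac) for an ARP reply line, else None."""
    m = ARP_REPLY_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("mac").lower()


class ArpMonitor:
    """Baseline the first MAC seen for each IP and alert on deviations."""

    def __init__(self, gateway_ip: str) -> None:
        self.gateway_ip = gateway_ip
        self.ip_to_mac: Dict[str, str] = {}            # first-seen binding
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
        self.alerts: List[str] = []

    def observe(self, ts: str, ip: str, mac: str) -> List[str]:
        """Record one reply; return any alerts it triggered."""
        new: List[str] = []

        # Check 1: an IP we already know now answers from a different MAC.
        known = self.ip_to_mac.get(ip)
        if known is None:
            self.ip_to_mac[ip] = mac
        elif known != mac:
            # The gateway being re-mapped is the classic MITM setup.
            sev = "CRITICAL" if ip == self.gateway_ip else "WARNING"
            new.append(f"{sev} {ts}: {ip} moved from {known} to {mac}")

        # Check 2: one MAC claiming several IPs (spoofing both ends of a
        # conversation).  Fire only when the set of claimed IPs grows.
        before = len(self.mac_to_ips[mac])
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1 and len(self.mac_to_ips[mac]) > before:
            new.append(f"WARNING {ts}: {mac} now claims "
                       f"{sorted(self.mac_to_ips[mac])}")

        self.alerts.extend(new)
        return new


def scan(lines: List[str], gateway_ip: str) -> List[str]:
    """Run the monitor over capture lines and return all alerts in order."""
    mon = ArpMonitor(gateway_ip)
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed:
            mon.observe(*parsed)
    return mon.alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_CAPTURE.splitlines(), "192.168.1.1"):
        print(alert)
```

The baseline is the first binding seen, so the monitor must start on a clean network; a poisoned table at startup would be trusted. Detection alone does not stop the attack: a static ARP entry for the gateway on each host, or Dynamic ARP Inspection on a managed switch, is what actually blocks it, and this kind of monitor is there to tell you when something is trying.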