Wireless session hijacking is the act of usurping the connection between the victim’s system and the wireless access point, commonly known as a MiTM, ‘man-in-the-middle’ (or ‘monkey-in-the-middle’), attack. In this post we will look at a few of the most widely used session hijacking tools for wireless. This list is by no means complete, but is based on some of my favourites.
AirJack is a suite of tools that performs wireless session hijacking. It does this by combining the functionality of three tools:
- WLAN-jack – creates a wireless DoS by sending de-authentication frames to a target system or to a broadcast address, while spoofing the MAC address of the access point with the goal of knocking the wireless client(s) off the network.
- ESSID-jack – discovers the ESSID by sending de-authentication frames to all clients on the network, then sniffing for association frames when the legitimate clients attempt to re-connect and pulling the ESSID from these frames.
- Monkey-jack – ‘man-in-the-middle’ tool that implements the session hijacking. It works as follows:
- Sends wireless de-authentication frames with a spoofed MAC address of the access point to knock legitimate clients off the network.
- Sniffs the wireless network for association frames that clients will send when re-establishing connectivity with the wireless access point. The ESSID is included in these frames.
- Using the sniffed ESSID information, Monkey-jack injects a response to the victim and poses as the access point by spoofing the ESSID and MAC address of the legitimate access point on a different channel (at least 5 channels away).
- The victim associates with the attacker’s system that is running Monkey-jack.
- The attacker’s system then associates with the legitimate access point, posing as the client using the client’s MAC address.
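The two stages of that sequence that a monitor-mode sensor can actually observe are the de-authentication burst and an access point advertising the real ESSID from the wrong place. The script below is an added example (not AirJack or Monkey-jack code) that runs both checks over constructed 802.11 management frame summaries; the `CorpWiFi` inventory, the BSSIDs, the 1-second/10-frame flood threshold and the `MgmtFrame` record layout are all assumptions. The channel rule is there because the tool clones the legitimate AP’s MAC address, so a BSSID allow-list on its own would not notice the clone.

```python
"""Defender-side checks for the AirJack/Monkey-jack sequence described above.

Added example, not AirJack code. It runs over constructed 802.11 management
frame summaries (the kind a monitor-mode capture would yield) and flags the
two observable stages: the de-authentication flood and the impersonated
access point advertising the real ESSID from the wrong BSSID or channel.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class MgmtFrame:
    ts: float                    # capture time, seconds
    subtype: str                 # "deauth", "beacon" or "probe_resp"
    bssid: str                   # transmitter / BSSID address
    dst: str                     # receiver address
    ssid: Optional[str] = None   # ESSID carried by beacons / probe responses
    channel: Optional[int] = None


# Hypothetical inventory of the APs you actually operate.
AUTHORIZED_APS: Dict[str, Dict] = {
    "CorpWiFi": {"bssid": "00:11:22:33:44:55", "channel": 6},
}


def detect_deauth_flood(frames: List[MgmtFrame], window: float = 1.0,
                        threshold: int = 10) -> List[str]:
    """Alert once per BSSID that emits >= threshold deauth frames inside any
    sliding window of `window` seconds. A handful of deauths is normal; a
    burst, especially to the broadcast address, matches WLAN-jack behaviour."""
    alerts: List[str] = []
    recent: Dict[str, deque] = defaultdict(deque)
    flagged = set()
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype != "deauth":
            continue
        q = recent[f.bssid]
        q.append(f.ts)
        while q and f.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and f.bssid not in flagged:
            flagged.add(f.bssid)
            target = "broadcast" if f.dst == BROADCAST else f.dst
            alerts.append(f"deauth flood from {f.bssid}: {len(q)} frames "
                          f"in {window}s to {target}")
    return alerts


def detect_evil_twin(frames: List[MgmtFrame]) -> List[str]:
    """Flag beacons/probe responses that advertise one of our ESSIDs from an
    unknown BSSID, or from the right BSSID on the wrong channel. The second
    rule matters because Monkey-jack clones the real AP's MAC, so a BSSID
    allow-list alone would miss it."""
    alerts: List[str] = []
    seen = set()
    for f in frames:
        if f.subtype not in ("beacon", "probe_resp") or f.ssid not in AUTHORIZED_APS:
            continue
        key = (f.ssid, f.bssid, f.channel)
        if key in seen:
            continue
        seen.add(key)
        expected = AUTHORIZED_APS[f.ssid]
        if f.bssid != expected["bssid"]:
            alerts.append(f"unknown BSSID {f.bssid} advertising {f.ssid!r} on ch {f.channel}")
        elif f.channel != expected["channel"]:
            alerts.append(f"{f.ssid!r} from {f.bssid} on ch {f.channel}, "
                          f"expected ch {expected['channel']}")
    return alerts


def analyze(frames: List[MgmtFrame]) -> Dict[str, List[str]]:
    """Run both detectors and return their alerts keyed by detector name."""
    return {"deauth_flood": detect_deauth_flood(frames),
            "evil_twin": detect_evil_twin(frames)}


# Constructed capture: 12 spoofed deauths in under half a second, the real
# beacon, a cloned-MAC beacon five channels away, and an unknown-MAC clone.
AP = "00:11:22:33:44:55"
SAMPLE_FRAMES = [MgmtFrame(i * 0.04, "deauth", AP, BROADCAST) for i in range(12)] + [
    MgmtFrame(1.0, "beacon", AP, BROADCAST, "CorpWiFi", 6),
    MgmtFrame(1.2, "beacon", AP, BROADCAST, "CorpWiFi", 11),
    MgmtFrame(1.3, "probe_resp", "66:77:88:99:aa:bb", "aa:bb:cc:dd:ee:ff", "CorpWiFi", 1),
    MgmtFrame(1.4, "beacon", "11:22:33:44:55:66", BROADCAST, "NeighbourNet", 1),
]

if __name__ == "__main__":
    for kind, msgs in analyze(SAMPLE_FRAMES).items():
        for m in msgs:
            print(f"[{kind}] {m}")
```

On the constructed capture this reports one deauth flood (12 frames to broadcast from the AP’s address) and two evil-twin alerts: the cloned MAC on channel 11 and the unknown BSSID on channel 1. In a real deployment the frame summaries would come from a monitor-mode capture and the inventory from your AP controller; the thresholds need tuning to the environment, since some controllers legitimately send deauths for load balancing.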
Some operating systems (Windows Vista, Windows 7) will not send these directed probe requests (probes naming a specific SSID) unless beacons for that SSID are detected. Windows XP does send them, but can be patched so that it prevents this information leakage in the same way as Windows Vista and Windows 7. Any wireless client that does send these probes is susceptible to access point impersonation.
- Karma running on an attacker’s machine sets the wireless card in monitor mode, watching for probe packets.
- When a probe is detected, Karma changes the wireless card to master mode and sends a response with the ESSID it discovered in the probe request and spoofs the MAC address of the access point it’s impersonating.
- The client and Karma authenticate and associate (using no encryption).
- When the client sends a DHCP request, Karma responds with a configuration that sends all traffic to the attacker system running Karma.
- When the client runs an application that Karma supports, Karma responds to the request, allowing the attacker to deliver exploits, harvest account information, etc. The supported services are:
- DHCP – services client DHCP requests, handing out an IP address, netmask, default gateway (the Karma system’s IP) and DNS server (the Karma system’s IP).
- DNS – The DNS service resolves all requests for hostnames back to the system running Karma.
- HTTP – Karma will masquerade as every known web server, and serve up web page(s) of the attacker’s choice, including exploits.
- FTP – Karma will masquerade as every known FTP server and will harvest account credentials, storing them in a file.
- POP3 – Acting as a POP3 server, Karma will log all usernames and passwords sent by the client over the Post Office Protocol (POP).
- SMB – Karma will act as Windows file shares or print shares, collecting the client’s challenge/response transactions for later cracking.
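The Karma steps above leave two signatures a sensor or a client can check for: one responder answering probe requests for many unrelated ESSIDs, and a network the client knows as encrypted being offered open (Karma associates clients with no encryption, so the Privacy capability bit in its responses is clear). The script below is an added example, not Karma code; the `ProbeResponse` record layout, the saved-profile table, the BSSIDs and the five-SSID threshold are assumptions, and the probe responses are constructed.

```python
"""Client/sensor-side checks for the Karma behaviour described above.

Added example, not Karma code. It works over constructed probe-response
summaries and applies two rules: an AP that answers probe requests for many
unrelated ESSIDs is behaving like Karma, and an ESSID that the client knows
as an encrypted network but is suddenly offered open (Privacy bit clear) is
an impersonation attempt, since Karma associates clients without encryption.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProbeResponse:
    ts: float
    bssid: str      # responder's BSSID
    ssid: str       # ESSID echoed back from the client's probe request
    privacy: bool   # 802.11 capability "Privacy" bit: True = encryption advertised


# Hypothetical saved network profiles on the client, keyed by ESSID.
SAVED_PROFILES: Dict[str, str] = {
    "HomeNet": "WPA2",
    "CorpWiFi": "WPA2-Enterprise",
    "CoffeeShop": "open",
}


def find_karma_like_aps(responses: List[ProbeResponse],
                        min_ssids: int = 5) -> Dict[str, List[str]]:
    """Return {bssid: [ssids]} for responders that claimed >= min_ssids distinct
    ESSIDs. A real AP answers only for the network(s) it actually serves."""
    ssids_by_bssid: Dict[str, set] = defaultdict(set)
    for r in responses:
        ssids_by_bssid[r.bssid].add(r.ssid)
    return {b: sorted(s) for b, s in ssids_by_bssid.items() if len(s) >= min_ssids}


def find_security_downgrades(responses: List[ProbeResponse],
                             profiles: Dict[str, str]) -> List[str]:
    """Flag responses offering a profile the client expects to be encrypted
    as an open network. This catches the no-encryption association Karma
    performs; a rogue that advertises WPA2 needs the evil-twin checks instead."""
    alerts: List[str] = []
    seen = set()
    for r in responses:
        expected = profiles.get(r.ssid)
        if expected is None or expected == "open" or r.privacy:
            continue
        if (r.bssid, r.ssid) in seen:
            continue
        seen.add((r.bssid, r.ssid))
        alerts.append(f"{r.bssid} offers {r.ssid!r} open, client expects {expected}")
    return alerts


# Constructed capture: one responder answers every probe the client sends
# (all open); two legitimate APs answer only for their own network.
ROGUE = "de:ad:be:ef:00:01"
SAMPLE_RESPONSES = [
    ProbeResponse(0.1, ROGUE, "HomeNet", False),
    ProbeResponse(0.2, ROGUE, "CorpWiFi", False),
    ProbeResponse(0.3, ROGUE, "CoffeeShop", False),
    ProbeResponse(0.4, ROGUE, "AirportFree", False),
    ProbeResponse(0.5, ROGUE, "Hotel_Guest", False),
    ProbeResponse(0.6, ROGUE, "Library", False),
    ProbeResponse(0.7, ROGUE, "HomeNet", False),          # repeat, must not double-count
    ProbeResponse(0.8, "00:11:22:33:44:55", "CorpWiFi", True),
    ProbeResponse(0.9, "aa:bb:cc:dd:ee:01", "CoffeeShop", False),
]

if __name__ == "__main__":
    for bssid, ssids in find_karma_like_aps(SAMPLE_RESPONSES).items():
        print(f"karma-like responder {bssid}: {', '.join(ssids)}")
    for a in find_security_downgrades(SAMPLE_RESPONSES, SAVED_PROFILES):
        print("downgrade:", a)
```

On the constructed data the rogue responder is reported once with its six claimed ESSIDs, and two downgrades are reported (HomeNet and CorpWiFi offered open); the legitimate open CoffeeShop AP is not flagged. The second rule only covers the open-network case the tool description gives; the operational fix on the client side is the one the text already points to, namely stopping clients from sending directed probes for remembered networks.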