Tuesday, 6 September 2011

Wireless Session Hijacking

Wireless session hijacking is the act usurping the connection between the victim’s system and the wireless access point, typically known as MiTM, ‘man-in-the-middle’ (or ‘monkey-in-the-middle’) attacks.

In this post we will look at a few of the most widely used session hijacking tools for wireless. This list is by no means complete, but is based on some of my favourites.

AirJack is a suite of tools that performs wireless session hijacking. It does this by combining the functionality of three tools:
  • WLAN-jack – creates a wireless DoS by sending de-authentication frames to a target system or to a broadcast address, while spoofing the MAC address of the access point with the goal of knocking the wireless client(s) off the network.
  • ESSID-jack – discovers the ESSID by sending de-authentication frames to all clients on the network, then sniffing for association frames when the legitimate clients attempt to re-connect and pulling the ESSID from these frames.
  • Monkey-jack – ‘man-in-the-middle tool that implements the session hijacking.


Monkey-jack is the tool that combines WLAN-jack and ESSID-jack functionality in order to establish the session hijack. It does this in the following manner:
  • Sends wireless de-authentication frames with a spoofed MAC address of the access point to knock legitimate clients off the network.
  • Sniffs the wireless network for association frames that clients will send when re-establishing connectivity with the wireless access point. The ESSID is included in these frames.
  • Using the sniffed ESSID information, Monkey-jack injects a response to the victim and poses as the access point by spoofing the ESSID and MAC address of the legitimate access point on a different channel (at least 5 channels away).
  • The victim associates with the attacker’s system that is running Monkey-jack.
  • The attacker’s system then associates with the legitimate access point, posing as the client using the client’s MAC address.
Once the associations are completed, all traffic from the client and access point flows through the attacker’s system that is running Monkey-jack. The traffic can now be logged or manipulated in any fashion.

Access Point Impersonation

The majority of wireless clients today use a function named the Preferred Network List (PNL). When a wireless client associates with an access point, it will save the ESSID and MAC address of the wireless access point so that it can automatically connect to it in the future without any user intervention. Most wireless clients will also rotate through the PNL periodically and send probes, typically when booting, resuming from hibernation, or after a signal is lost. Some clients will also cycle through the PNL even when associated with an access point.
Some operating systems (Windows Vista, Windows 7) will not send these probes unless beacons are detected for a given SSID. Windows XP does send these probes, but can be patched so that it prevents information leakage like Windows Vista and Windows 7. If a wireless client does send these probes, it is susceptible to access point impersonation.


Karma is a wireless attack tool that sniffs the wireless network looking for PNL probes so that it can impersonate an access point and attempts to associate with the wireless client. Karma does this in the following manner:
  • Karma running on an attacker’s machine sets the wireless card in monitor mode, watching for probe packets.
  • When a probe is detected, Karma changes the wireless card to master mode and sends a response with the ESSID it discovered in the probe request and spoofs the MAC address of the access point it’s impersonating.
  • The client and Karma authenticate and associate (using no encryption).
  • When the client sends a DHCP request, Karma responds with a configuration that sends all traffic to the attacker system running Karma.
  • When the client runs an application that Karma supports, it will respond to the request, allowing the attacker to deliver exploits, harvest account information, etc.
Karma supports the following services which are built in to the tool:
  • DHCP – services client DHCP requests sending ip address, netmask, default gateway (Karma system IP), and DNS server configuration (Karma system IP).
  • DNS – The DNS service resolves all requests for hostnames back to the system running Karma.
  • HTTP – Karma will masquerade as every known web server, and serve up web page(s) of the attacker’s choice, including exploits.
  • FTP – Karma will masquerade as every known FTP server and will harvest account credentials, storing them in a file
  • POP3 – Acting as a POP3 server, Karma will log all usernames and passwords sent by the client over the Post Office Protocol (POP).
  • SMB – Karma will act as Windows files shares or print shares, collecting the client’s challenge/response transactions for later cracking.

Karma Metasploit Integration

A great feature of some Metasploit versions is its built-in integration of Karma. This is commonly referred to as “Karmetasploit” or “Karmasploit”. This built-in version of Karma has all of Karma’s functionality whilst also being able to be served up from within the Metasploit interface. This provides a simple delivery platform for the transfer and deployment of exploits for client browsers and other various client-side applications.

No comments: