This week I finished up the section of the course regarding basic network hacking. I learned some more about man-in-the-middle attacks, and got started with Wireshark to start actually analysing the data packets flowing through the network. Combined with attacks to make users use HTTP instead of HTTPS, that made target data (including usernames and passwords) totally readable and even searchable.
The obvious next step was “honeypot” attacks, creating a fake wi-fi access point using mana-toolkit. Combined with methods I learned earlier, this would make every user’s data transmitting through my fake network openly visible. Once again I am struck by how easy all of this is, with freely available easy-to-use software and a cheap USB wi-fi device. I am right next to a luxury marina and I have excellent mobile internet; it would be trivial to set up a fake hotspot to appear to be set up by the town for foreign visitors, and then ultimately read the visiting yacht owners’ data.
Having covered attacks and basic fake access point creation, I learned about preventing these sorts of attacks, for example by using Wireshark to look for unusual network activity and using XArp to detect ARP poisoning. It was interesting to get a better look at more good reasons why the sysadmins of an organisation with a medium-sized or larger pool of devices face challenges protecting all their devices – hardly convenient to make the ARP tables static for hundreds of devices at once without good scripting and a good deployment system.
I have noted before that people and organisations in general seem to have a more lax view of data security than I would be comfortable with, but here at the system level, it feels a little more disturbing. Perhaps I’m missing something, but I would think standard mass-market OSes like Windows, Ubuntu, Android, and such ought to have built-in tools for monitoring network safety and at least natively allow pop-up messages to show that your router appears to have changed its MAC address or that there are duplicates in the ARP table? Microsoft regularly gets a lot of criticism for its update services, but how can their multi-GB updates not include simple utilities for guarding against MITM attacks?
By coincidence I’m looking into appropriate hardware for better internet connections on my boat, like a powerful active wi-fi range extender combined with mobile internet connections bridged into a router with failover. If I’m going to be setting up a powered wi-fi antenna on the masthead, perhaps I should look at getting one with AP and Monitor mode capability…