On 5/7/07, Matthew R. Dempsky <[EMAIL PROTECTED]> wrote:
Suppose I set up a wireless network and use authpf to restrict access
to some resource (e.g., Internet access) to registered users. It
seems there's a fairly simple man-in-the-middle attack:

An attacker sets up a system with two wireless NICs: one associated to
my network and another configured as an access point pretending to be
an access point for my network. He runs a DHCP server on the AP
interface and NATs traffic to my network. (I can imagine a
sufficiently clever bridge setup that would be even harder to detect,
but I don't know for certain if it could work.)

A legitimate user (e.g., a university student) sits down somewhere in
range of the fake AP but outside of range of any legit APs (in a part
of campus not yet with wifi access, or where the signal is low, or
where the attacker has unplugged the APs), and connects his laptop to
my network via the attacker's fake network. The user ssh's to
authpf.mydomain.com, but his connection is NAT'd via the attacker's
system, and so my gateway now assumes all traffic from the attacker's
IP belongs to the duped user.

Is there anything I'm forgetting that makes this attack infeasible?

SSH makes provisions for detection/prevention of MITM attacks by
cryptographically verifying host identities. Assuming you use SSHv2
and the client verifies that the fingerprint of the server's public key
is accurate, the identity of the destination system can be assured.
DS
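The reply above rests on the client actually checking the server's host key against a pinned value. The following is an added example, not code from this thread or from OpenSSH: it reproduces the two pieces of that check in plain Python, computing the fingerprint of a host key blob the way OpenSSH does (hash of the wire-format public key, shown both as the modern SHA256 form and the legacy MD5 hex form), and making the accept/refuse decision against a known_hosts entry. The hostname authpf.mydomain.com comes from the thread; the key is an ssh-ed25519 key with constructed placeholder bytes (the fingerprint rule is the same for any key type, ed25519 is just the simplest to encode). The check detects a gateway whose key differs from the pinned one, i.e. an attacker answering the SSH connection himself; a NAT box that merely forwards the session to the real authpf host presents the real key and is not detected by this step, which is why the client's "unknown"/"mismatch" outcomes matter.

```python
import base64
import hashlib

# Constructed sample: 32 placeholder key bytes standing in for the real
# authpf gateway's ed25519 public key. Not a real server's key.
ED25519_KEY_BYTES = bytes([0x01] * 32)


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (RFC 4251: uint32 big-endian length + data)."""
    return len(data).to_bytes(4, "big") + data


def ed25519_blob(key_bytes: bytes) -> bytes:
    """Wire-format public key blob for ssh-ed25519 (RFC 8709): string "ssh-ed25519", string key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH's current fingerprint format: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy format that 2007-era clients displayed: colon-separated hex of MD5(blob)
    (newer OpenSSH prints it with 'ssh-keygen -E md5', prefixed 'MD5:')."""
    digest = hashlib.md5(blob).digest()
    return "MD5:" + ":".join(f"{b:02x}" for b in digest)


# Constructed known_hosts content pinning the gateway's key, built from the placeholder key.
KNOWN_HOSTS = (
    "authpf.mydomain.com ssh-ed25519 "
    + base64.b64encode(ed25519_blob(ED25519_KEY_BYTES)).decode()
    + "\n"
)


def parse_known_hosts(text: str) -> dict:
    """Map hostname -> (key type, key blob) from known_hosts lines with plain (unhashed) host names."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, b64 = line.split()[:3]
        blob = base64.b64decode(b64)
        for host in hosts.split(","):
            pinned[host] = (keytype, blob)
    return pinned


def verify_host_key(pinned: dict, host: str, keytype: str, blob: bytes) -> str:
    """Mirror the client's decision on the key the server presented:
    'ok'       - matches the pinned key, proceed;
    'unknown'  - no pin for this host (StrictHostKeyChecking=yes refuses here;
                 'ask' shows the fingerprint for the user to compare);
    'mismatch' - a different key for a pinned host, which OpenSSH refuses loudly."""
    entry = pinned.get(host)
    if entry is None:
        return "unknown"
    if entry == (keytype, blob):
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    pinned = parse_known_hosts(KNOWN_HOSTS)
    real = ed25519_blob(ED25519_KEY_BYTES)
    other = ed25519_blob(bytes([0x02] * 32))  # constructed: a key that is not the gateway's
    print("gateway fingerprint:", fingerprint_sha256(real), fingerprint_md5(real))
    print("real key      ->", verify_host_key(pinned, "authpf.mydomain.com", "ssh-ed25519", real))
    print("different key ->", verify_host_key(pinned, "authpf.mydomain.com", "ssh-ed25519", other))
    print("unpinned host ->", verify_host_key(pinned, "other.example", "ssh-ed25519", real))
```

For an authpf deployment the practical consequence is that the gateway's fingerprint has to reach users out of band (printed on the registration page, or the known_hosts line pushed to managed machines), and clients should run with StrictHostKeyChecking set so that the "unknown" case refuses rather than silently accepting whatever key is offered.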