Attack Detection In Wlan Computer Science Essay

Published: November 9, 2015 Words: 2217

Wireless Local Area Networks (WLANs) are increasingly deployed on university campuses, in private institutional networks and elsewhere, and their security standards have changed repeatedly over time. One of the most damaging attacks on a WLAN is the Man-in-the-Middle (MITM) attack. A newer way of mounting it is the Stealth Man-in-the-Middle (SMITM) attack, which uses ARP poisoning: it exploits WPA2 group key management and modifies the address structure of an ARP response frame so that the forged frame never passes through the AP. A Wireless Intrusion Detection System (WIDS) was proposed in the paper "Detection of Stealth Man-In-The-Middle Attack in Wireless LAN". That scheme works correctly only when the attacker is static and within the range of a single sensor node for the duration of the attack. In this paper we modify the WIDS and enhance its performance.

Keywords

WLAN, Man-in-the-middle attack, ARP Poisoning, Hole-196

1. Introduction

IEEE 802.11 based WLANs are in widespread use today because of their ease of deployment and maintenance and their low cost to end users [1]. IEEE 802.11 can be deployed in two ways, infrastructure mode and ad hoc mode. In an ad hoc network the clients maintain connections among themselves and no Access Point is involved. In infrastructure mode the Access Points (APs) are connected to a distribution system (DS), and the APs provide network access to end users. In this paper the infrastructure mode of WLANs is considered.

The main reason for the constant changes in WLAN standards is security. A WLAN has inherent security weaknesses because of the broadcast nature of its medium: every frame sent over the air can be captured by any station within communication range. Several security standards exist for WLANs, such as Wired Equivalent Privacy (WEP) [2] and Wi-Fi Protected Access (WPA and WPA2) [3]; the latest is WPA2 [4 - 6]. WPA2 derives two keys between an end station and its AP, the Pairwise Transient Key (PTK) and the Group Temporal Key (GTK). The PTK is used to encrypt and decrypt unicast frames, whereas the GTK is used for broadcast and multicast frames. The GTK is shared by every station associated with the AP, so any authenticated station can encrypt a frame with it; this is the basis of the Hole 196 vulnerability used later in this paper.

A conventional MITM attack [7] is shown in Figure 1. In this attack, when the AP sends an ARP probe message, the attacker forges an ARP reply to the AP, posing as the gateway [8]. WPA2 networks are also vulnerable to the SMITM attack [9][10], which is based on stealth ARP poisoning. In SMITM the attacker does not reply to the AP at all. Instead it places itself between two victim clients and forwards all packets from one victim to the other; one of the victims can be an end user and the other the actual network gateway. The SMITM attack is shown in Figure 2. In a conventional MITM attack the forged ARP frames pass through the AP, are visible on the wired side and can be detected by a wired tool. In SMITM the forged frames go directly from the attacker to the victim over the air, are never forwarded by the AP, and therefore cannot be detected with a wired tool.


Figure 1 Conventional Man-in-the-middle attack


Figure 2 Stealth MITM attack

The SMITM attack exploits the circular shift vulnerability of the WLAN frame structure. The WLAN frame structure and its circular shift vulnerability are briefly described below. A WLAN frame consists of the following basic components [1]:-

MAC header: comprises the Frame Control, Duration, Address and Sequence Control fields and, for QoS data frames, the QoS Control field.

Frame body of variable length

A Frame Check Sequence (FCS), which contains a 32-bit cyclic redundancy check (CRC).

Figure 3 shows the general format of the MAC header of a WLAN frame. Four kinds of MAC address appear in it: the source address (SA), the destination address (DA), the receiver address (RA, the station in the BSS that is to receive the frame) and the transmitter address (TA, the station that transmitted the frame inside the BSS). The BSSID is a unique identifier that distinguishes one BSS from another. Which address occupies each of the four address fields depends on the ToDS and FromDS bits of the Frame Control field, as follows:-

Address 1 is always the receiver address, i.e. the address of the station in the BSS that is the immediate recipient of the frame. If ToDS is 1 this is the address of the AP; if ToDS is 0 it is the address of an end station.

Address 2 is always the transmitter address, i.e. the address of the station in the BSS that transmitted the frame. If FromDS is 1 this is the address of the AP; if FromDS is 0 it is the address of an end station.

Address 3 depends on both bits. If ToDS and FromDS are both 0 it is the BSSID; if FromDS is 1 and ToDS is 0 it is the original source address; if ToDS is 1 and FromDS is 0 it is the original destination address; if both are 1 it is the destination address.

Address 4 is used only for transmission between one AP and another, when both ToDS and FromDS are 1; it then carries the original source address.


Figure 3 MAC Frame Structure of WLAN


Table 1 MAC Header Addresses

The address fields together with the ToDS and FromDS bits are shown in Table 1. Traffic in a BSS from the AP to a station is called downlink traffic; traffic from a station to the AP is called uplink traffic. The circular shift vulnerability rests on the fact that a right circular shift over the pair (ToDS, FromDS) and over the triple (Address 1, Address 2, Address 3) changes the direction of the frame while preserving its logical addresses. For example, an uplink frame has ToDS = 1, FromDS = 0, Address 1 = BSSID, Address 2 = SA and Address 3 = DA. A right circular shift turns the bits into ToDS = 0, FromDS = 1 and the addresses into Address 1 = DA, Address 2 = BSSID, Address 3 = SA, which is exactly the layout of a downlink frame carrying the same SA, DA and BSSID. The frame thus appears to the receiving station to have been transmitted by the AP. This vulnerability can be used to launch an SMITM attack with the following steps:-

The attacker prepares a forged ARP frame.

The attacker performs the right circular shift, changing the frame direction from uplink to downlink so that the frame appears to come from the AP.

Exploiting Hole 196, the attacker encrypts the frame with the GTK, which every station in the BSS holds, so the victim accepts it as a legitimate group-addressed frame.

The attacker transmits the ARP frame directly to the victim.

The victim updates its ARP cache from the received frame, and the cache is poisoned.
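The following Python is an added example, not code from the paper. It reads the four 802.11 address fields according to the ToDS/FromDS bits (Table 1), applies the right circular shift that the attack steps above describe to an uplink frame, and shows that the result is a downlink frame with the same SA, DA and BSSID which passes the only header-level check a receiving station can make. It also builds and parses the ARP reply payload that the forged frame carries. The MAC and IP addresses are constructed for illustration.

```python
# Added example (not the paper's own code): how the four 802.11 address fields
# are read according to ToDS/FromDS, and the right circular shift the SMITM
# attack applies to turn an uplink frame into a downlink frame.
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Dot11Header:
    to_ds: int
    from_ds: int
    addr1: str                   # receiver address (RA)
    addr2: str                   # transmitter address (TA)
    addr3: str                   # SA, DA or BSSID depending on direction
    addr4: Optional[str] = None  # only present when ToDS = FromDS = 1


def direction(h: Dot11Header) -> str:
    if h.to_ds == 0 and h.from_ds == 0:
        return "ibss"        # station to station, no AP involved
    if h.to_ds == 1 and h.from_ds == 0:
        return "uplink"      # station -> AP
    if h.to_ds == 0 and h.from_ds == 1:
        return "downlink"    # AP -> station
    return "wds"             # AP -> AP


def resolve_addresses(h: Dot11Header) -> Dict[str, Optional[str]]:
    """Return the logical source, destination and BSSID (the mapping of Table 1)."""
    d = direction(h)
    if d == "ibss":
        return {"DA": h.addr1, "SA": h.addr2, "BSSID": h.addr3}
    if d == "uplink":        # Addr1 = BSSID, Addr2 = SA, Addr3 = DA
        return {"DA": h.addr3, "SA": h.addr2, "BSSID": h.addr1}
    if d == "downlink":      # Addr1 = DA, Addr2 = BSSID, Addr3 = SA
        return {"DA": h.addr1, "SA": h.addr3, "BSSID": h.addr2}
    return {"DA": h.addr3, "SA": h.addr4, "BSSID": None}   # Addr4 carries the SA


def right_circular_shift(h: Dot11Header) -> Dot11Header:
    """Rotate (ToDS, FromDS) and (Addr1, Addr2, Addr3) one position to the right.

    An uplink frame (1, 0, BSSID, SA, DA) becomes (0, 1, DA, BSSID, SA), which is
    exactly the downlink layout for the same SA, DA and BSSID.
    """
    return Dot11Header(to_ds=h.from_ds, from_ds=h.to_ds,
                       addr1=h.addr3, addr2=h.addr1, addr3=h.addr2, addr4=h.addr4)


def looks_like_ap_transmission(h: Dot11Header, bssid: str) -> bool:
    """The only header-level check a receiving station can make: FromDS set and
    the transmitter field equal to the BSSID. The shifted frame passes it."""
    return direction(h) == "downlink" and h.addr2 == bssid


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """ARP reply (opcode 2) as carried in the frame body after the LLC/SNAP header."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + _mac(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + _mac(target_mac) + ipaddress.IPv4Address(target_ip).packed)


def parse_arp(payload: bytes) -> Dict[str, object]:
    """Return the fields a sensor node needs (ARP_SIP / ARP_SMAC of Table 2)."""
    _, _, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    assert (hlen, plen) == (6, 4), "only Ethernet/IPv4 ARP is handled here"
    smac, sip = payload[8:14], payload[14:18]
    return {"op": op,
            "ARP_SMAC": ":".join(f"{b:02x}" for b in smac),
            "ARP_SIP": str(ipaddress.IPv4Address(sip))}


# Constructed addresses for illustration (assumptions, not from the paper)
BSSID = "aa:bb:cc:00:00:01"
ATTACKER = "aa:bb:cc:00:00:66"
VICTIM = "aa:bb:cc:00:00:10"

if __name__ == "__main__":
    up = Dot11Header(1, 0, BSSID, ATTACKER, VICTIM)   # a frame the attacker, a station, may send
    down = right_circular_shift(up)                    # the frame the victim receives
    print(direction(up), resolve_addresses(up))
    print(direction(down), resolve_addresses(down), looks_like_ap_transmission(down, BSSID))
    print(parse_arp(build_arp_reply(ATTACKER, "10.0.0.1", VICTIM, "10.0.0.20")))
```

The point the example makes is that after the shift nothing in the header distinguishes the forged frame from a genuine AP transmission, and once it is encrypted with the GTK the victim's decryption succeeds as well; this is why the WIDS below verifies IP-MAC bindings with the AP instead of inspecting frame headers.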

A wireless intrusion detection system (WIDS) was proposed in [our]. The WIDS detects SMITM and similar MITM attacks. Sensor nodes able to overhear the transmissions between APs and stations are placed in each BSS, and each sensor node runs the WIDS. By analysing the frames overheard at the sensors, the WIDS detects possible attacks. That WIDS works correctly only when the attacker is static and within the range of a single sensor for the whole attack period.

2. Proposed Methodology

A sensor node capable of hearing all transmissions is placed in the BSS and runs the WIDS. The WIDS maintains four tables, namely PTab, VTab, OTab and BLTab, and the AP maintains AP_PTab. The tables are described as follows:-

VTab (Verification Table): Consists of verified IP-MAC pairs in the BSS.

PTab (Probing Table): Each entry has three fields. The first is a nonce used to match an incoming probe response to the probe request that caused it. The second is the IP address and the third the MAC address for which the probe request has been sent.

OTab (Other Probing Table): Holds an IP-MAC pair for which another pair with the same IP but a different MAC has already been probed by this WIDS node and the response has not yet been received.

BLTab (Blocked Table): Holds IP-MAC pairs that have been detected as possible attacks or for which the AP has given a negative response.

AP_PTab (Access Point Probing Table): Each entry has five fields. The first is a sub-table listing, for each probe request received for this IP-MAC pair, the ID of the sensor node that sent it. The second is the IP address and the third the MAC address of the node being verified by the AP. The fourth is the time at which the probe request was received. The fifth is a flag set to 1 when a positive reply for the IP-MAC pair has been received and 0 otherwise.

3. Working of WIDS

The WIDS uses six algorithms. The symbols used in the algorithms and in the overall system are listed in Table 2. A negative probe reply indicates that an IP-MAC pair is not genuine; a positive reply indicates that it is genuine.

Short form          Meaning
ARP_SIP             Source IP of the ARP request/response captured at the sensor node
ARP_SMAC            Source MAC of the ARP request/response captured at the sensor node
PRsn1               Random nonce received with a probe response
PRsIP               IP address received with a probe response
PRsMAC              MAC address received with a probe response
PRqn1               Random nonce received with a probe request
PRqIP               IP address received with a probe request
PRqMAC              MAC address received with a probe request
PIPi                IP in the i-th entry of PTab
PMACi               MAC in the i-th entry of PTab
VIPi                IP in the i-th entry of VTab
VMACi               MAC in the i-th entry of VTab
BLIPi               IP in the i-th entry of BLTab
BLMACi              MAC in the i-th entry of BLTab
OIPi                IP in the i-th entry of OTab
OMACi               MAC in the i-th entry of OTab
N                   Total number of entries
Vcount              Counter value for VTab
Blcount             Counter value for BLTab
ARP_RIP             IP received in an ARP reply to the AP
ARP_RMAC            MAC received in an ARP reply to the AP
Time_Differencei    Current time minus the fourth field of the i-th AP_PTab entry
Waiting_Threshold   Time for which the AP waits for an ARP reply after sending an ARP request
IP_AP               IP address of the AP
MAC_AP              MAC address of the AP

Table 2 Variables in Algorithms

On capturing an ARP request or response, Algorithm 1 (Attack Detector) first checks whether the ARP_SIP-ARP_SMAC pair is already in PTab, to avoid re-probing a pair whose verification is pending. If the pair is present it does nothing. If ARP_SIP is present in PTab with a different MAC, the new ARP_SIP-ARP_SMAC pair is stored in OTab until the pending probe has been answered. Otherwise the pair is looked up in BLTab. If the pair is found there, the attacker is retrying the attack on the same victim. If only ARP_SMAC is found in BLTab, the same attacker is now targeting other victims; in this case Algorithm 3 (Check SMITM) is called, which looks in BLTab and VTab for other entries with this MAC and raises an alarm if any are found.

If the pair is not in BLTab, it is looked up in VTab. If the pair is found in VTab, Algorithm 3 (Check SMITM) is called and an alarm is raised accordingly. If only ARP_SIP is found in VTab, bound to a different MAC, an IP spoofing alarm is raised. If neither is found, Algorithm 2 (Verifier) is called: it generates a nonce n1, sends a probe request for the ARP_SIP-ARP_SMAC pair to the AP together with n1, and records (n1, ARP_SIP, ARP_SMAC) in PTab.

The AP executes Algorithm 5 (AP Probe Handler) on receipt of a probe request from a sensor node, and the sensor executes Algorithm 4 (Probe Response Handler) when it overhears the AP's probe response. On receiving a probe request, if PRqIP and PRqMAC both belong to the AP itself, the AP sends a positive probe reply. If PRqIP belongs to the AP but PRqMAC does not, the AP sends a negative probe response. If neither belongs to the AP, the AP sends an ARP request for PRqIP and waits for replies; the replies are handled by Algorithm 6 (AP Probe Responder). There are five possible cases:-

Both the victim and the attacker reply to the ARP request.

Only the victim replies, and its MAC is not the probed MAC.

Neither the victim nor the attacker replies to the ARP request.

The attacker prevents the victim from replying and then replies itself.

Only the victim replies and there is no attacker.

In cases 1, 2 and 3 the probed IP-MAC pair is not genuine and the AP's reply is negative; in cases 4 and 5 the reply is positive (the AP cannot tell case 4 from case 5, so case 4 is caught by Algorithm 1 at the sensor). In cases 1 and 2 the AP sends a negative reply immediately, since they are clearly attacks. In case 3 the AP doubles Waiting_Threshold and resends the ARP request, to allow for heavy traffic. In cases 4 and 5, on receiving the ARP reply the AP checks whether the row in AP_PTab corresponding to (PRqn1, PRqIP, PRqMAC) is older than Waiting_Threshold, and only then answers positively. Waiting out the full window covers the situation where an attacker replies first and the genuine station replies after it; a second reply within the window turns the outcome into case 1.
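The AP-side decision described above, as an added example that is not the paper's own code: classify_arp_replies implements the five-case judgement of Algorithm 6 over the replies collected during the full waiting window, and ap_probe_handler implements the Algorithm 5 checks around it, including the doubling of Waiting_Threshold when nothing answers. The send_arp_request callback, the addresses and the reply timings are constructed for the example; the retry limit after which a silent pair is reported negative is an assumption of this example, since the text only says the threshold is doubled.

```python
# Added example (not the paper's own code): the AP side of the probe, i.e. the
# decision logic of Algorithm 5 (AP Probe Handler) and Algorithm 6 (AP Probe
# Responder) over the five reply cases, driven by constructed ARP replies.
from dataclasses import dataclass
from typing import Callable, List, Tuple

Reply = Tuple[str, float]   # (answering MAC, seconds after the ARP request was sent)


@dataclass
class ProbeOutcome:
    verdict: str              # "positive", "negative" or "retry"
    reason: str
    waiting_threshold: float  # window to use for the next attempt


def classify_arp_replies(probe_mac: str, replies: List[Reply],
                         waiting_threshold: float) -> ProbeOutcome:
    """Algorithm 6: judge an IP-MAC pair from the replies seen in the full window.

    The AP waits out the whole Waiting_Threshold (the AP_PTab row must be older
    than the threshold) instead of answering on the first reply, so a genuine
    station answering after an attacker's early reply still makes the verdict
    negative (case 1).
    """
    seen = {mac for mac, t in replies if t <= waiting_threshold}
    if len(seen) >= 2:
        return ProbeOutcome("negative", "case 1: two stations answered for the same IP",
                            waiting_threshold)
    if len(seen) == 1 and probe_mac not in seen:
        return ProbeOutcome("negative", "case 2: a station other than the probed MAC answered",
                            waiting_threshold)
    if not seen:
        return ProbeOutcome("retry", "case 3: no reply in the window; double Waiting_Threshold",
                            2 * waiting_threshold)
    # Cases 4 and 5 look identical here (only the probed MAC answered). Case 4 is
    # left to Algorithm 1 at the sensor, which knows the attacker MAC from BLTab.
    return ProbeOutcome("positive", "case 4/5: only the probed MAC answered in the full window",
                        waiting_threshold)


def ap_probe_handler(probe_ip: str, probe_mac: str, ap_ip: str, ap_mac: str,
                     send_arp_request: Callable[[str], List[Reply]],
                     waiting_threshold: float = 1.0, max_retries: int = 3) -> ProbeOutcome:
    """Algorithm 5: answer a sensor's probe request for (probe_ip, probe_mac).

    send_arp_request(ip) stands in for the AP broadcasting "who has ip?" and
    returns every reply heard, each with its arrival time.
    """
    if probe_ip == ap_ip:
        if probe_mac == ap_mac:
            return ProbeOutcome("positive", "pair is the AP itself", waiting_threshold)
        return ProbeOutcome("negative", "AP's IP claimed with a foreign MAC", waiting_threshold)
    outcome = ProbeOutcome("retry", "not yet probed", waiting_threshold)
    for _ in range(max_retries + 1):
        outcome = classify_arp_replies(probe_mac, send_arp_request(probe_ip),
                                       outcome.waiting_threshold)
        if outcome.verdict != "retry":
            return outcome
    # Assumption of this example: a pair that never answers cannot be verified
    # and is reported negative; the text only specifies the doubling.
    return ProbeOutcome("negative", "no reply after %d retries" % max_retries,
                        outcome.waiting_threshold)


# Constructed scenario (assumption, not from the paper): the probed station is
# slow and answers 1.5 s after the request, so the first 1.0 s window is empty.
AP_IP, AP_MAC = "10.0.0.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.20", "aa:bb:cc:00:00:10"
ATTACKER_MAC = "aa:bb:cc:00:00:66"


def slow_victim_medium(ip: str) -> List[Reply]:
    return [(VICTIM_MAC, 1.5)] if ip == VICTIM_IP else []


if __name__ == "__main__":
    print(ap_probe_handler(VICTIM_IP, VICTIM_MAC, AP_IP, AP_MAC, slow_victim_medium))
    print(classify_arp_replies(VICTIM_MAC, [(ATTACKER_MAC, 0.1), (VICTIM_MAC, 0.8)], 1.0))
```

The second call in the usage shows why the AP must not answer on the first reply: the attacker answers at 0.1 s, the genuine station at 0.8 s, and only a verdict taken after the full window sees both and reports case 1.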

At the sensor node, Algorithm 4 (Probe Response Handler) receives the probe response from the AP, matches it to its PTab entry by the nonce, and checks whether the reply is positive or negative. For a positive reply the PRsIP-PRsMAC pair is entered in VTab. For a negative reply the sensor calls Algorithm 3 (Check SMITM): if an SMITM attack is detected an SMITM alarm is raised, otherwise an IP spoofing alarm is raised, and the PRsIP-PRsMAC pair is entered in BLTab. The sensor then checks OTab for entries with IP PRsIP; for each such deferred pair it calls Algorithm 2 (Verifier) and deletes the entry from OTab. This cycle is repeated for every ARP packet captured at the sensor node.
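The sensor-side tables and the decisions of Algorithms 1 to 4, as an added example that is not the paper's own code. The class keeps VTab, PTab, OTab and BLTab, returns the probe requests it would send and the alarms it would raise, and matches probe responses to PTab by nonce. Where the text is ambiguous about what happens to a deferred OTab pair, the example follows the sentence above and calls the Verifier. The addresses in the usage are constructed; the "blocked pair reappeared" alarm name is this example's label for the attacker-retries-the-same-victim case.

```python
# Added example (not the paper's own code): sensor-side WIDS tables and the
# decisions of Algorithm 1 (Attack Detector), 2 (Verifier), 3 (Check SMITM)
# and 4 (Probe Response Handler), driven by constructed ARP observations.
import secrets
from typing import Dict, List, Optional, Set, Tuple

Pair = Tuple[str, str]   # (IP, MAC)


class SensorWIDS:
    def __init__(self) -> None:
        self.vtab: Set[Pair] = set()        # verified IP-MAC pairs
        self.ptab: Dict[str, Pair] = {}     # nonce -> pair whose probe is pending
        self.otab: Set[Pair] = set()        # pairs deferred: same IP already under probe
        self.bltab: Set[Pair] = set()       # pairs rejected by the AP or flagged
        self.alarms: List[Tuple[str, Pair]] = []

    # Algorithm 3: does this MAC already appear bound to a different IP?
    def check_smitm(self, ip: str, mac: str) -> bool:
        return any(m == mac and i != ip for i, m in self.vtab | self.bltab)

    # Algorithm 2: probe the AP for the pair and remember the nonce in PTab
    def verifier(self, ip: str, mac: str) -> dict:
        nonce = secrets.token_hex(8)
        self.ptab[nonce] = (ip, mac)
        return {"type": "probe_request", "nonce": nonce, "ip": ip, "mac": mac}

    # Algorithm 1: run for every ARP request/reply overheard (ARP_SIP, ARP_SMAC)
    def on_arp(self, sip: str, smac: str) -> Optional[dict]:
        pair = (sip, smac)
        if pair in self.ptab.values():
            return None                       # already being probed; do not re-probe
        if any(i == sip for i, _ in self.ptab.values()):
            self.otab.add(pair)               # same IP, other MAC: wait for the pending probe
            return None
        if pair in self.bltab:
            return self._alarm("blocked pair reappeared (attack retried on same victim)", pair)
        if any(m == smac for _, m in self.bltab) and self.check_smitm(sip, smac):
            return self._alarm("SMITM", pair)  # a blocked MAC now claims another IP
        if pair in self.vtab:
            return self._alarm("SMITM", pair) if self.check_smitm(sip, smac) else None
        if any(i == sip for i, _ in self.vtab):
            return self._alarm("IP spoofing", pair)  # verified IP seen with a new MAC
        return self.verifier(sip, smac)

    # Algorithm 4: a probe response from the AP, matched to PTab by its nonce
    def on_probe_response(self, nonce: str, ip: str, mac: str, positive: bool) -> List[dict]:
        probed = self.ptab.pop(nonce, None)
        if probed != (ip, mac):
            # Unknown nonce or pair mismatch: not an answer to a probe this sensor
            # sent, so ignore it. Caveat: the nonce is the sensor's only protection
            # against a forged or replayed probe response.
            return []
        actions: List[dict] = []
        if positive:
            self.vtab.add((ip, mac))
        else:
            kind = "SMITM" if self.check_smitm(ip, mac) else "IP spoofing"
            actions.append(self._alarm(kind, (ip, mac)))
            self.bltab.add((ip, mac))
        for deferred in sorted(p for p in self.otab if p[0] == ip):
            self.otab.discard(deferred)
            actions.append(self.verifier(*deferred))   # now probe the deferred pair
        return actions

    def _alarm(self, kind: str, pair: Pair) -> dict:
        self.alarms.append((kind, pair))
        return {"type": "alarm", "kind": kind, "ip": pair[0], "mac": pair[1]}


if __name__ == "__main__":
    # Constructed addresses (assumptions): the attacker's MAC claims the gateway IP
    w = SensorWIDS()
    gw, gw_mac, attacker = "10.0.0.1", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:66"
    req = w.on_arp(gw, gw_mac)                       # first sighting: probe the AP
    w.on_arp(gw, attacker)                           # deferred to OTab meanwhile
    print(w.on_probe_response(req["nonce"], gw, gw_mac, True))   # verified, then re-probe
    print(w.alarms, w.vtab, w.otab, w.bltab)
```

Nothing in the sensor's own tables can verify a pair; every verdict comes from the AP's ARP check, which is why a forged or replayed probe response is the weak point and the nonce match in on_probe_response is the check a deployment should not drop.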

4. Results

There are three possible cases, depending on the positions of the attacker, the victims and the sensor nodes:-

Both the attacker and the victim are static and within the range of the same sensor node.

The attacker is static and within one sensor's range, while the victims are within the range of different sensor nodes.

The attacker is mobile. It performs the ARP poisoning attack on victim one within the range of one sensor node, then moves into another sensor's range and performs the ARP poisoning attack on victim two.

The WIDS works only when the attacker is static, i.e. within the range of a single sensor node throughout the attack (cases 1 and 2). When the attacker is mobile (case 3), the two sensors must synchronise their tables for the attack to be detected.