Modified Man-in-the-Middle Attack
Team Iota
Elizabeth Bartels
Russell Brick
Catherine Caterson
Marcos Hernandez
Ryan Moore
Kevin O’Connor
Josh Shtatman
Table of Contents
Disclaimer and Implications ........ Page 3
Hardware and Software Used ......... Page 4
Performing the Attack .............. Page 5
Sources ............................ Page 9
Disclaimer and Implications
This document and its companion video were produced for a class project; do not attempt this on your own, as it could result in severe consequences. The Wi-Fi Pineapple, a modified Fonera router, is a tool designed to aid penetration testers in vulnerability assessments for which permission has been granted. No one other than the members of our group was involved in or affected by this demonstration.
Depending on the circumstances, you could face:
- Fines
- Incarceration
- A private lawsuit
- Being banned from ISPs or email providers
- Difficulty finding employment if convicted
- Being fired from your current job
Laws you could potentially be breaking include, but are not limited to:
- Invasion of privacy laws
- Identity theft laws
- Theft of trade secrets (if obtaining information from a business machine)
- Economic Espionage Act (if you obtain corporate or government information and try to pass it to a foreign entity)
- State laws (each state has its own laws dealing with computer-related crimes)
- Computer Fraud and Abuse Act
Hardware and Software Used
We used several tools to complete this project. Below is a brief description of each.
BackTrack Linux - The software we use runs on Linux, and this is the distribution we used.
Aircrack-ng - A suite of Linux wireless-auditing tools, used here to carry out the deauthentication attack. Specifically we use airmon-ng (to put the wireless card into monitor mode) and aireplay-ng (to inject frames).
Jasager - A web front end for the Karma attack that runs on the OpenWrt firmware of our portable router. Karma answers clients' probe requests for any SSID, so a client searching for one of its remembered networks believes it has found that network and associates with us. Once the client is on our network, a man-in-the-middle attack is possible.
Wireshark - A packet-capture program. It allows us to monitor, capture, and log the traffic of clients that have connected to the Pineapple.
Fonera router - The Fon router has a wireless radio and an Ethernet interface, allowing two networks to be bridged. Clients connect to us over the wireless interface while the Ethernet interface provides the upstream path to the Internet, making us the middle-man.
Hak5 Pineapple device - The device used to create our fake access point: a prefabricated Fonera router running OpenWrt, Karma, and Jasager.
gtk-recordMyDesktop - A desktop-recording application for Linux.
iMovie - A video-editing application for Mac OS, used to create the document's companion walkthrough video.
Performing the Attack
Jasager Setup
This section outlines how to set up the Pineapple network-penetration device: how to configure the modified Fon router running the OpenWrt firmware, how to use the Jasager interface, and how to make new clients searching for wireless access connect to our network.
Take your Fon-powered Wi-Fi Pineapple or other Fonera router running Jasager.
1. Connect power to the Pineapple using either a wall outlet or a battery pack.
2. Using an Ethernet cable, connect the Pineapple to your machine's NIC.
3. Open Internet Explorer, Firefox, Google Chrome, or any other GUI-based browser. You can also connect using a text-based browser; however, this guide only covers the GUI interface.
4. In your browser's address bar type 192.168.1.1. This connects you to X-Wrt, the end-user graphical extension for OpenWrt (the open-source firmware powering the Fon router).
5. You will be prompted for login information; by default the username is "admin" and the password is "pineapplesareyummy". Change this default before using the device anywhere but on the bench, since anyone who can reach the management interface can reconfigure it.
Figure 1: Login Prompt for X-Wrt
6. By default wireless functionality on the router is disabled. Enable it by going to the "Network" tab.
7. Select the sub-tab "Wireless".
8. Enable the wireless radio by selecting the "On" option on the "Radio" line under the first heading, "Wireless Adapter wifi0 Configuration".
Figure 2: Enabling the wireless radio
9. Increase "Tx Power" to 11 dBm. This raises the output power to the wireless antenna, so the Pineapple's signal reaches further and appears stronger to nearby clients, which helps it be chosen over a weaker legitimate access point advertising the same name.
10. Create an ESSID; we used "PineappleWiFi". This is only the name advertised in the Pineapple's own beacons; Karma will additionally answer for whatever SSID a client asks about.
11. Set "Encryption Type" to "Disabled". Karma impersonates open networks: most clients will only complete the connection for remembered networks that were themselves open, and a client whose saved profile expects WPA will typically refuse an open network of the same name.
12. Select the "Save Changes" button at the bottom right of the page.
13. Select "Apply Changes" at the bottom of the page and wait for the device to apply the settings.
14. In your browser's address bar type 192.168.1.1:1471 to reach the Jasager interface.
15. Log in to Jasager using your Pineapple's username and password.
a. By default the username is "admin" and the password "pineapplesareyummy".
16. By default Karma, the back-end program powering Jasager's functionality, is turned off. Enable it by selecting the "Change" button next to the line labeled "Karma is currently: On/Off".
17. Jasager will now answer the probe requests that nearby computers send out when looking for their remembered wireless networks, claiming to be whichever network was asked for. On the victim's end it appears as if they are connected to one of their preferred networks.
18. Under the "Connected Clients" section of the Jasager interface page you will see all devices connected to the Pineapple.
Figure 3: Example of Connected Devices on Jasager
19. Choose a device and, under the "Commands" column, select "Portscanner" from the dropdown list. Hit the "Execute" button.
a. This runs a port scan of the client and displays the results in the log window, located in the bottom right quadrant.
In the top right quadrant of the Jasager interface, "Status/Main Controls", you can select SSIDs to exclude from Jasager's attack list. This creates safe networks that will not be mimicked; it is useful for keeping yourself on your own network. From the "Commands" column of the "Connected Clients" quadrant, select "Add to SSID list", which automatically adds the SSID the client connected through to the SSID whitelist.
You can also enable MAC filtering by selecting the "Change" button on the line reading "MAC address filtering is currently: On/Off". Below that you can add specific MAC addresses to the whitelist, or select a connected client from the "Commands" column and execute the "Kick MAC" command.
Both methods whitelist a specific machine, keeping it from being attacked; use them to protect machines that are not in scope for the test.
20. At this point clients connected to the Pineapple are on the same local network as your machine. This allows packet sniffers such as Wireshark to be run, as well as exploit frameworks such as Metasploit and other penetration-testing tools.
Disconnecting Devices Currently Connected to a Network
The section above captures new clients seeking wireless network access; it does not force clients already connected to a network onto ours. This section outlines how to use packet injection to send deauthentication frames to clients. These frames disconnect the client from the network it is currently connected to, forcing it to reconnect. As the client probes for its preferred networks, the Jasager application answers as whichever one it asks for, pulling it onto the Pineapple.
1. Boot BackTrack Linux 4 R2.
2. Start the WICD-Curses interface to look for local wireless access points: Start -> Software -> Networking -> WICD-Curses.
3. You should now see a list of access points in the area as well as some clients connected to them. Each access point is identified by its MAC address in the column labeled "BSSID"; take note of the wireless channel the device is operating on (1, 6, and 11 are the most common in the 2.4 GHz band).
4. Place your wireless card into monitor mode on the access point's channel using airmon-ng (wlan0 stands for your card's name for the rest of the tutorial):
a. Type "airmon-ng start wlan0 <channel>", where <channel> is the channel of the access point you are deauthenticating clients from. airmon-ng prints the name of the monitor interface it created.
5. Begin injecting deauthentication frames:
a. Type "aireplay-ng -0 30 -a XX:XX:XX:XX:XX:XX [-c YY:YY:YY:YY:YY:YY] interface"
i. -0 indicates a deauthentication attack.
ii. 30 is the number of deauthentication bursts to send; this can be any number (0 sends them continuously until you stop the tool).
iii. -a followed by XX:XX:XX... is the MAC address of the access point you are deauthenticating devices from, found in the BSSID column above.
iv. You may add -c YY:YY:YY... (without the brackets) to deauthenticate a specific client, useful for targeting a single machine. Leave it out to deauthenticate all connected clients; without -c the frames are sent to the broadcast address.
v. interface is the name of the monitor interface you are using for the attack. It may be ath0 or mon0 but varies with the card; it is listed in the output of airmon-ng. The card must be on the access point's channel or the injected frames will never reach the clients.
6. Either all clients associated with the access point or the targeted machine should now be disconnected from their current network.
7. The clients will attempt to reconnect to their preferred networks by sending out probe requests, which ask "is preferred network 1 here?" The Pineapple running Jasager answers "yes, I am preferred network 1" with a probe response, and the client associates with it.
8. You can confirm a client's connection by going back to the Jasager interface and checking under the "Connected Clients" section.
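Steps 16 and 17 of the Jasager setup describe Karma answering probe requests for any SSID, and the section just finished describes the deauthentication burst that precedes it. Both leave a recognisable signature in a monitor-mode capture, which is how a defender spots this attack. The following Python example is added here and is not part of the original project or of Jasager or Aircrack-ng; the MAC addresses, SSIDs and frames in it are constructed for the example, not captured. It parses the 24-byte 802.11 management-frame header plus the body fields it needs, then flags one BSSID that sends probe responses for several different SSIDs (the Karma fingerprint) and one source address that emits a burst of deauthentication frames (the aireplay-ng -0 fingerprint).

```python
"""Parse 802.11 management frames and flag two signatures of the attack in
this tutorial: a Karma-style access point (one BSSID answering probe requests
for many different SSIDs) and a deauthentication flood from one source.
All frames below are constructed inline for the example; none are captures."""
import struct
from collections import Counter, defaultdict

SUBTYPES = {4: "probe-req", 5: "probe-resp", 8: "beacon", 12: "deauth"}
BCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ssid_ie(ies: bytes):
    """Walk the tagged information elements; return the SSID (tag 0) or None."""
    i = 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        value = ies[i + 2:i + 2 + length]
        if len(value) < length:        # truncated element: stop, do not guess
            return None
        if tag == 0:
            return value.decode("utf-8", "replace")
        i += 2 + length
    return None


def parse_mgmt(frame: bytes):
    """Decode the MAC header of a management frame plus the body fields these
    detections need. Returns None for non-management or too-short frames."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]                     # frame control: version | type | subtype
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0:                     # 0 = management
        return None
    rec = {"subtype": SUBTYPES.get(subtype, f"mgmt-{subtype}"),
           "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
           "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if subtype == 12:                  # deauthentication: 2-byte reason code
        if len(body) < 2:
            return None
        rec["reason"] = struct.unpack("<H", body[:2])[0]
    elif subtype == 4:                 # probe request: IEs start immediately
        rec["ssid"] = parse_ssid_ie(body)
    elif subtype in (5, 8):            # probe response/beacon: 12 fixed bytes first
        rec["ssid"] = parse_ssid_ie(body[12:])
    return rec


def find_karma_aps(records, min_ssids=3):
    """Karma answers every probe request, so one BSSID claims to be many networks."""
    seen = defaultdict(set)
    for r in records:
        if r["subtype"] == "probe-resp" and r.get("ssid"):
            seen[r["bssid"]].add(r["ssid"])
    return {b: sorted(s) for b, s in seen.items() if len(s) >= min_ssids}


def find_deauth_floods(records, threshold=10):
    """Count deauthentication frames per source address in this capture window."""
    counts = Counter(r["src"] for r in records if r["subtype"] == "deauth")
    return {src: n for src, n in counts.items() if n >= threshold}


# --- constructed sample traffic (hypothetical addresses, not a real capture) --
def build_mgmt(subtype, dst, src, bssid, body):
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    return header + body


def ssid_ie(ssid):
    raw = ssid.encode()
    return bytes([0, len(raw)]) + raw


def probe_resp(ap, client, ssid):
    return build_mgmt(5, client, ap, ap, bytes(12) + ssid_ie(ssid))


def deauth(ap, client, reason=7):      # reason 7: class 3 frame from non-associated STA
    return build_mgmt(12, client, ap, ap, struct.pack("<H", reason))


LEGIT_AP = bytes.fromhex("001122334455")   # hypothetical home router
KARMA_AP = bytes.fromhex("00c0ca000001")   # hypothetical Pineapple
LAPTOP, PHONE = bytes.fromhex("0a0000000001"), bytes.fromhex("0a0000000002")

SAMPLE_FRAMES = (
    [build_mgmt(8, BCAST, LEGIT_AP, LEGIT_AP, bytes(12) + ssid_ie("HomeWifi")),
     probe_resp(LEGIT_AP, LAPTOP, "HomeWifi")]
    + [probe_resp(KARMA_AP, LAPTOP, s) for s in ("HomeWifi", "CoffeeShop")]
    + [probe_resp(KARMA_AP, PHONE, "AirportFree")]
    + [deauth(LEGIT_AP, LAPTOP) for _ in range(30)]   # spoofed burst, like -0 30
)


def analyse(frames=SAMPLE_FRAMES):
    records = [r for r in map(parse_mgmt, frames) if r]
    return find_karma_aps(records), find_deauth_floods(records)


if __name__ == "__main__":
    karma, floods = analyse()
    print("Karma-like APs:", karma)
    print("Deauth floods:", floods)
```

Run it directly to print both findings, or pass parse_mgmt the raw frames from a monitor-mode capture in place of SAMPLE_FRAMES. The thresholds (three SSIDs, ten deauths) are illustrative and should be tuned to the environment: a legitimate access point hosting several virtual SSIDs answers for more than one name, and a handful of deauthentication frames per minute is normal on a busy network.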
Sources
"Deauthentication [Aircrack-ng]." Aircrack-ng. N.p., n.d. Web. 7 Feb. 2011. <http://www.aircrack-ng.org/doku.php?id=deauthentication>.
Gardner, Jason. "Computer Hacking and Unauthorized Access Laws." NCSL Home. NCSL, May 2009. Web. 13 Apr. 2011. <http://www.ncsl.org/default.aspx?tabid=13494>.
IEEE Standard for Information Technology: Telecommunications and Information Exchange between Systems; Local and Metropolitan Area Networks; Specific Requirements. New York, N.Y.: Institute of Electrical and Electronics Engineers, 2003. Print.
Kitchen, Darren, and Shannon Morse. "Hak5 - Episode 705 - Airport WiFi Challenge and your Ultra Software Picks." Hak5 - Technolust since 2005. Revision 3 Networks, 17 Mar. 2010. Web. 5 Feb. 2011. <http://www.hak5.org/episodes/episode-705>.
"Main Page - BackTrack Linux." BackTrack Linux - Penetration Testing Distribution. BackTrack Linux Team, n.d. Web. 5 Feb. 2011. <http://www.backtrack-linux.org/wiki/index.php/Main_Page>.
"Main Page - FON Wiki Beta." FON Wiki Beta. N.p., n.d. Web. 7 Feb. 2011. <http://wiki.fon.com/wiki/Main_Page>.
McBride, Thea. "What Trouble Can Computer Hacking Get You Into?" eHow. Web. 13 Apr. 2011. <http://www.ehow.com/facts_5965604_trouble-can-computer-hacking-into_.html>.
Wood, Robin. "Jasager | Karma on the Fon - Installation." DigiNinja. N.p., n.d. Web. 7 Feb. 2011. <http://www.digininja.org/jasager/installation.php>.
"Wireshark · Documentation." Wireshark · Go deep. N.p., n.d. Web. 7 Feb. 2011. <http://www.wireshark.org/doc/>.