A Proof of MITM Vulnerability in Public WLANs Guarded by Captive Portal

Many public areas provide WLAN service for nomadic users so that they can finish their tasks even when they are out of the office. The security of public WLANs is therefore more important than in the past. Nowadays many public WLAN service providers use a Captive Portal to authenticate users. The Captive Portal uses a webpage to request that a user authenticate himself by providing his own username and password. This security mechanism has proved to be simple and effective, because users cannot access the Internet before they are authenticated. However, in this paper we show that public WLANs guarded by a Captive Portal are vulnerable to man-in-the-middle attacks: a hacker can carefully send out spoofing packets and take advantage of the public WLAN to access the Internet without being authenticated. We show the vulnerability by both protocol analysis and a real implementation in C programs.


INTRODUCTION
Because the Internet has become more important and wireless networks are more convenient, many public areas have begun to provide Wireless Local Area Network (WLAN) access for users. Such a network is called a Public WLAN (PWLAN). PWLANs are provided by Wireless Internet Service Providers (WISPs), which manage the payment mechanism of the PWLAN. Users who want to use it can sign a contract with the WISP and buy pre-paid cards. Because it is now easy to find PWLAN service in a coffee shop or a fast food restaurant, many people enjoy this convenience to access the Internet and continue their work in these public places.
As more people use PWLANs, their security becomes more important than in the past. Traditionally, we rely on WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access) to protect a WLAN. However, vulnerabilities in WEP and WPA have been pointed out [1]. If PWLANs keep using these two security mechanisms, they will face big challenges: malicious users can crack the authentication keys and then steal other users' private information. Therefore, most PWLANs now use a newer security mechanism called Captive Portal [2]. The Captive Portal uses a webpage to authenticate users. If an unauthenticated user tries to access the Internet, his/her web browser is redirected to the login page, where the user must authenticate with a correct username/password provided by the WISP. Captive Portal has been widely accepted by WISPs as a useful mechanism to ensure that all users are authenticated before accessing the Internet via the WLAN. As long as the login process is transported over a secure connection such as TLS [3], it is difficult for malicious users to intercept other users' login information. Some recent research [4] shows that Captive Portal is vulnerable, and the IEEE 802.1X standard has been proposed to solve this problem [5]. However, 802.1X is more complicated than Captive Portal, so it is not widely deployed in PWLANs (although it might be a good solution in private WLANs). Another advantage of Captive Portal is that users need not install software on their mobile devices; all they need to do is start a web browser to authenticate themselves. This convenience makes Captive Portal more popular than 802.1X in PWLAN deployments.
The Address Resolution Protocol (ARP) [6] is used by computers to map IP addresses to MAC addresses, and it can be used with any network layer protocol. In a PWLAN, each computer uses ARP to query the MAC address of the destination. Without suitable protection, ARP has a well-known vulnerability: in a local area network a malicious computer can attack the other computers with an ARP Spoof attack, which allows the attacker to capture users' important information. There are methods to protect computers from ARP Spoof, but they usually focus on wired LANs rather than WLANs. In this paper, we demonstrate how ARP Spoof can be used to perform a MITM (Man in the Middle) attack so that unauthenticated users can access the Internet via the PWLAN.

Address Resolution Protocol (ARP)
In current networks we usually use the TCP/IP model (see Fig. 1) to transfer information. In the network, each host has an IP address that designates the source and destination addresses in communication. However, when we send data over Ethernet, the IP address must be converted to a MAC address. In Ethernet communication each frame carries a MAC address, a unique identifier assigned to most network interface cards (NICs). When a host receives a frame, it checks the destination MAC address: if the MAC address is its own, it accepts the frame; if not, it drops it. So we use ARP to map IP addresses to MAC addresses: given the IP address of a host, ARP is used to obtain the host's MAC address so that the frame can be delivered on the network.

Figure 1. TCP/IP model
ARP is a simple protocol that works as follows. First, the host broadcasts an ARP Request message to all the other hosts on the network: "Who has 192.168.0.104? Tell 192.168.0.100". Its purpose is to learn the MAC address of the target host. All the other hosts in the LAN receive the request. The host with the given IP address answers with a unicast ARP Reply message, "192.168.0.104 is at XX:XX:XX:XX:XX:XX". The host that issued the request updates its ARP cache (ARP table) after receiving the reply, caching the IP-MAC pairing locally so that it does not have to send the same request again in the near future. ARP cache entries are set to expire automatically after a period of time. Because the ARP cache has no appropriate checking mechanism, a host that receives an ARP reply simply updates its ARP cache. The attack that exploits this vulnerability is called ARP Spoof.

ARP Spoof
ARP Spoof (also called ARP Poisoning) [7] is a common attack technique. The attacker sends ARP Replies with fake IP-MAC pairings in an attempt to poison the ARP caches of other hosts on the network. A malicious host can make an unsuspecting host update an entry in its ARP cache with an IP-MAC pairing that lets the attacker impersonate another host. The attacker can then capture the data sent by the other host, performing a MITM attack. If the host adds an incorrect IP-MAC pairing to its ARP cache, the victim cannot send packets to the correct host, which results in a Denial of Service (DoS) attack. In this paper, we use a MITM attack to prove the vulnerability of a PWLAN environment guarded by Captive Portal.

Man in the Middle
In this part, we look more deeply into the MITM attack. Before a MITM attack occurs, the situation is as shown in Fig. 2(a): Alice and Bob have the correct MAC address of each other and communicate directly, with no other host in the middle. If Alice and Bob are spoofed by the attacker, the dynamic IP-MAC pairings in their ARP caches are modified. Hence, packet forwarding changes as shown in (b): the attacker receives the packets from Alice and forwards them to Bob, and is able to capture all the traffic sent in both directions. Traditionally, MITM is mostly used for sniffing; here, we use it to masquerade our packets in order to use the PWLAN for free.
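As an added illustration of the ARP Spoof and MITM sections above (not code from the paper or its C implementation), the following Python monitor reads tcpdump-style ARP reply lines and flags the binding changes such an attack produces on the victim side and the duplicate-IP symptom the Access Controller side would see; the capture, MAC addresses and the pinned Access Controller binding are constructed for this example.

```python
import re
from collections import defaultdict

# Matches ARP reply lines as printed by "tcpdump -n arp", e.g.
#   12:00:01.001 ARP, Reply 192.168.0.104 is-at 00:11:22:33:44:55, length 28
ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I)

class ArpSpoofMonitor:
    """Learns IP -> MAC bindings from ARP replies and alerts when a binding changes.
    'pinned' are bindings that must never change, e.g. the PWLAN Access Controller."""

    def __init__(self, pinned=None):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.learned = {}                    # IP -> first MAC that claimed it
        self.macs_per_ip = defaultdict(set)  # IP -> every MAC that has claimed it
        self.alerts = []

    def feed(self, line):
        m = ARP_REPLY.search(line)
        if not m:
            return None                      # ARP requests and non-ARP lines are ignored
        ip, mac = m.group(1), m.group(2).lower()
        self.macs_per_ip[ip].add(mac)
        expected = self.pinned.get(ip) or self.learned.setdefault(ip, mac)
        if mac != expected:
            self.alerts.append(f"{ip}: expected {expected}, reply claims {mac}")
            return self.alerts[-1]
        return None

    def duplicated_ips(self):
        """IPs claimed by more than one MAC (also visible to the Access Controller)."""
        return {ip for ip, macs in self.macs_per_ip.items() if len(macs) > 1}

# Constructed sample capture: host de:ad:be:ef:00:02 answers for both the gateway
# 192.168.0.1 and the authenticated user 192.168.0.102 (the MITM described above).
SAMPLE_CAPTURE = """\
12:00:01.001 ARP, Reply 192.168.0.104 is-at 00:11:22:33:44:55, length 28
12:00:05.000 ARP, Reply 192.168.0.1 is-at aa:bb:cc:00:00:01, length 28
12:00:05.010 ARP, Reply 192.168.0.102 is-at 00:11:22:33:44:77, length 28
12:00:09.000 ARP, Reply 192.168.0.1 is-at de:ad:be:ef:00:02, length 28
12:00:09.100 ARP, Reply 192.168.0.102 is-at de:ad:be:ef:00:02, length 28
"""
PINNED = {"192.168.0.1": "aa:bb:cc:00:00:01"}  # Access Controller's true MAC (assumed)

def scan(capture=SAMPLE_CAPTURE, pinned=None):
    """Run the monitor over a capture; return (alerts, IPs claimed by several MACs)."""
    mon = ArpSpoofMonitor(PINNED if pinned is None else pinned)
    for line in capture.splitlines():
        mon.feed(line)
    return mon.alerts, mon.duplicated_ips()
```

Pinning the gateway binding is the monitor-side equivalent of a static ARP entry for the Access Controller; without it the first reply seen is trusted, so the monitor must start before the attacker does.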

PUBLIC WLAN ARCHITECTURE & SYSTEM EXPERIMENTS
In this section, we describe the Captive Portal technique in detail and then exploit a MITM attack in this environment, which is the purpose of this paper.

Captive Portal
Normally, we select an appropriate authentication method, such as WEP or WPA, to protect wireless networks. But since 2001 several serious weaknesses have been found, so that today a WEP connection can be cracked with readily available tools within the time of a tea break, for example by using Aircrack-ng to perform the Caffe Latte attack [8]. The cracker can obtain the key and use the wireless network. In 2003, WEP was superseded by WPA, which still remains vulnerable to password cracking attacks. Although both are convenient to use, they are insecure in a public environment like a coffee shop or a fast food restaurant. Hence, WISPs choose Captive Portal rather than WEP or WPA to guard a PWLAN.

3.
In this step, the attacker also sends a request for Internet access. The packets are intercepted by the sniffing network card built into the attacker's own laptop, and the attacker then masquerades as the victim's IP address. For example, a packet with the IP address 192.168.0.100 is sent by the attacker and intercepted by himself; it is masqueraded as IP address 192.168.0.102, and the request is then sent to the Access Controller.

Besides the source IP address, in step 3 the attacker must also recalculate the checksums of the IP header and of the TCP/UDP header [11] (see Fig. 6), so that the packets are not treated as corrupted during forwarding.

Figure 6. The fields that must be modified in a masqueraded packet

4.
The Access Controller receives three requests from the attacker: one from 192.168.0.100 and the others from 192.168.0.102. Because the IP address 192.168.0.102 is allowed to access the Internet, the Access Controller responds to the requests from 192.168.0.102, and the response messages include the packets requested by both the attacker and the victim. These responses also reach the attacker. The attacker receives the responses from the Access Controller and uses the port number to check whether a packet belongs to the victim or to himself. If a packet was sent by himself, the attacker accepts it and modifies its IP address from 192.168.0.102 to 192.168.0.100, without forwarding it to the victim. Otherwise, the attacker forwards the packet to the victim.

7.
Finally, the attacker can access the Internet in a public WLAN guarded by Captive Portal.

THE RESULT OF THE EXPERIMENT
A carefully crafted MITM attack in the PWLAN will not let a normal user notice that his/her laptop has been spoofed. In our experiment, we assume the normal user is running FTP to download ten 10MB and 20MB files, and the download speed for each file is calculated. As shown in Table I, the download speed does not change dramatically whether or not the traffic is relayed by the attacker. The results are also shown in Fig. 7 and Fig. 8. This implies that the MITM attack will not seriously affect the download speed, so a normal user will not easily detect that his laptop has been spoofed.

Table I. The download speed of the victim

Figure 7. Download 10MB files

Figure 8. Download 20MB files

5. CONCLUSION
In this paper, we described how ARP Spoof can be used to launch MITM attacks in a PWLAN. Because Captive Portal is convenient, it is widely used in many PWLANs, and the same technique is also used to manage the WLANs on many campuses. We demonstrated that in such a PWLAN environment, Captive Portal is vulnerable to MITM attacks by ARP Spoofing. A WISP can deploy network devices that support an intrusion detection feature, such as the Cisco 5500 series Wireless Controller. Another approach is to re-design the PWLAN architecture and authenticate users by 802.1X. Both are appropriate ways to avoid this vulnerability in the PWLAN, but they are expensive. Until the security of these PWLAN networks is improved, users are advised to use PWLANs with care and should avoid transmitting sensitive information in a PWLAN environment.