Summary

Wireless networks are prone to sniffing. Anyone within range of the wireless network can sniff the data passing through it. Capturing the traffic on a wireless network is a passive attack, whereas manipulating the traffic requires an attacker to be in the middle of the communication. There are many ways to perform MITM attacks. In this chapter, we chose to create a virtual access point and, whenever a victim connected to our network, forwarded the traffic to and from the Internet while silently capturing it in the background. These kinds of passive attacks are not easily detectable.

Once a MITM platform is set up, there are endless possibilities to attack the client. We saw how to extract usernames and passwords flowing through plaintext protocols, such as HTTP. Although such an attack is easy to set up, it can lead to a full compromise of the target network. Credential harvesting was also performed by poisoning the DNS of the client and directing it to a website locally hosted on the attacker machine. Even if we are unable to capture the user's credentials directly, we may still be able to hijack the user's session by stealing cookies from the victim. Using stolen cookies, the attacker can access the website and carry out many functions posing as the victim. We also saw how SSL stripping can be effective in degrading the use of HTTPS, forcing the client to use HTTP instead. If successful, this attack can enable the attacker to capture sensitive data that was intended to be sent over a secure channel using HTTPS.
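From the defender's side, the exposure to SSL stripping and cookie capture described above can be checked in a site's own response headers. The following is an added example, not code from the book: it audits a raw header block for a usable HSTS policy and for cookies missing the Secure attribute. The function names and the two sample responses are constructed for illustration.

```python
# Added example: audit raw HTTP response headers for exposure to the
# SSL-stripping and cookie-capture attacks summarised above.

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw response header block."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def hsts_max_age(headers):
    """Return the max-age of the first HSTS header, or 0 if absent or invalid."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    for directive in (values[0].split(";") if values else []):
        key, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return 0

def audit_response(scheme, raw):
    """List findings that leave a client exposed to an on-path attacker."""
    headers = parse_headers(raw)
    findings = []
    if scheme == "http":
        findings.append("plain HTTP: content and credentials readable on-path")
    elif hsts_max_age(headers) == 0:  # browsers ignore HSTS sent over HTTP
        findings.append("no effective HSTS policy: client can be downgraded to HTTP")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie}: no Secure attribute, also sent over HTTP")
    return findings

# Constructed sample responses (not captured traffic).
WEAK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: session=abc123; Path=/\r\n"
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n")

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response("https", raw))
```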

Browser-based attacks are quite commonly used by black hats and white hats alike in order to take advantage of weaknesses in either the browser or the browser add-ons. Exploit kits, where these browser-based attacks are bundled together, typically target outdated plug-ins in the browser, such as Flash, Adobe Acrobat, or Silverlight. We saw how one can use the browser_autopwn module included with the Metasploit framework to deliver these exploits automatically based on the client's web browser.

If you are able to successfully position yourself between the target network or the Internet and the clients that regularly access these networks, you will find that there are many possibilities for capturing sensitive information or targeting the clients themselves.

In the next chapter, we will be looking at the extraction of potentially sensitive information from the traffic that you are able to capture from the target wireless network, including traffic that was captured in an encrypted manner.
