“Man In The Middle” (MITM) attack on a Wi-Fi network

Many have already heard of such an attack as the “man in the middle,” or, in another way, the MiTM attack . However, the theory is dead without practice. Therefore, in the article I would like to talk about how I implemented this attack on a wireless network. It turned out, however, primitive, but oh well.

Source network


There is a regular router that distributes the Internet to its customers, forming a wireless Wi-Fi network.

I act as an attacker who, like everyone else, is an ordinary client with an ordinary PC. On my machine, the operating system is Windows 7. Also, I have installed a network sniffer (network traffic analyzer) WireShark (shark) .

Additionally, the method I propose makes sense if it is possible to connect to the router’s “web muzzle”, or as an alternative, if it is possible to force the router to temporarily shut down, fail and reboot (see DDos attack on the router).

So, my goal: To organize a “wiretap” of traffic from clients on the network. To do this, "stand in the middle."

The tasks are divided into four steps:
1. Preparation of the double of this access point.
2. Permission to access the Internet on the created wireless network interface.
3. Rebooting the router as an administrator, or DDOS attack on the router.
4. At the time of sagging of this router, use a double.

First step. You must prepare an access point. To do this, use the netsh program built into Windows.

In my case, the SSID of the real access point is Rostelecom_16 and, since I am a client of the network, I know the password to the real access point. We create an access point with the same name and the same password:

netsh wlan set hostednetwork mode = allow ssid = "Rostelecom_16" key = "password of this AP" keyUsage = persistent

A new wireless interface will appear in network connections.



We are not in a hurry to launch this connection!

Note: if nothing appears in network connections, restarting the Wi-Fi adapter will help.

Second step. We make the Internet from Rostelecom_16 common to the created (but not yet launched!) Connection:



The third step. As I already noted, in my case there is the possibility of administering the router. By the way, it is no secret that one of the most common vulnerabilities is passwords and default settings. For routers by default, login and pass: admin are most often set.

In the settings of the router always have a button to "reset" . We will use it to temporarily reset all customers.



Fourth step.When the reset begins (at this very moment!), You need to activate the access point of the double.

Command: netsh wlan start hostednetwork

To make sure that “you are in the middle” , we look at our customers with the command: netsh wlan show hostednetwork



All! What happened It is easy to guess that we took advantage of the downtime moment and made the substitution of the real server, moving the real server to the background. During the reset (reboot) of the router, it disappears from the field of view, therefore, at the beginning of the reset, all clients disconnected from the network, but when they found the same SSID (our double), they immediately picked up, it would seem, back. But in fact, to the server is a double, which also distributes the Internet, so ordinary users will not even notice this substitution, what can we say about ordinary users when wireless devices do not notice the substitution. Personally, this is strange to me.

In the end, in order to finally achieve our goal, we launch the so-called WireShark shark program and listen to traffic from customers.

Good luck

Also popular now: