
I may be misunderstanding something, but wouldn't TCP stream injection be terribly easy on an unencrypted LAN? My University's campus-wide WiFi is unencrypted (bad, I know) and all I have to do is bring up Wireshark and I can see a crapload of TCP sessions and exactly what their current sequence numbers are.

Most people worry about the fact that their data is unencrypted - but imagine no longer being able to trust an HTTP server's response. It would be trivial to inject a response with the correct SEQ and ACK, IP src, dst, ports, etc. in time before the server responds with the valid data, since you're so much closer. Once the client ACKs your fake packets, it's going to cause some trouble, but I can see a small GIF or IM being accepted as legit with no ARP poisoning or anything like that...

The only problem I can think of is that in 802.11 Managed Mode, all packets must be sent to the AP first, so maybe the router would see the fake source IP, notice it is outside of the network and drop it.

1 Answer


It's not just an unencrypted network, it's a shared medium. You can do basically anything, as long as you are faster than the other server. The encryption offers little protection against this.

Managed mode offers no protection, since the frames are trivially spoofed, especially with a second wifi card.

One such project is airpwn, which was revealed to the public in a most hilarious way at a security conference. They injected background images into HTML (yes, in the middle of the stream).

Note that in that other "fully shared medium" that wired ethernet once was (coax rings and hubs), Kevin Mitnick himself used this technique to hijack TCP sessions and gain admin rights.

Joris
  • Yeah, in local networks there is much more trust, but as I understand it WPA creates an encrypted session between each client and the AP, basically creating a "switched" network, in which sniffing SEQ#s would be impossible, right? That project looks incredible, I might have some fun with that... Awesome reply by the way, thank you – Caleb Hearon Jan 26 '11 at 08:55
  • WPA does that indeed, if it weren't trivial to break. WPA2 offers some protection, but even then it's fairly easy to force clients off one AP to another. Wifi security is still a bit of a mess :( – Joris Jan 26 '11 at 09:34
  • Wow, I don't understand how this isn't a bigger deal! Thanks for the response. – Caleb Hearon Jan 26 '11 at 17:23
  • I don't understand that either. Really, once you start looking into security you don't really sleep at night ;-) – Joris Jan 26 '11 at 19:17
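As an added example (not code from this thread, nor from airpwn), here is the defender-side check that follows from the race the question and answer describe: the forged reply wins the race, so the genuine server segment arrives later covering the same sequence range with different bytes, usually with a different IP TTL as well. A monitor that keeps per-flow history and compares overlapping ranges catches exactly that. The addresses and segments below are constructed, not captured.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a passive monitor would see it (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of payload[0]
    ttl: int          # IP TTL; a forgery from a LAN host rarely matches the real server's
    payload: bytes


def detect_injections(segments):
    """Return alerts for segments that overlap an earlier segment of the same
    flow with different bytes, or whose TTL differs from the flow's first one.
    Sequence-number wraparound is ignored to keep the example short."""
    history = defaultdict(list)   # flow -> list of (seq, payload)
    first_ttl = {}                # flow -> TTL of the first segment seen
    alerts = []
    for s in segments:
        flow = (s.src, s.sport, s.dst, s.dport)
        if flow in first_ttl and first_ttl[flow] != s.ttl:
            alerts.append(("ttl-change", flow, first_ttl[flow], s.ttl))
        first_ttl.setdefault(flow, s.ttl)
        for seq, payload in history[flow]:
            lo = max(seq, s.seq)                                  # overlap start
            hi = min(seq + len(payload), s.seq + len(s.payload))  # overlap end
            if lo < hi and payload[lo - seq:hi - seq] != s.payload[lo - s.seq:hi - s.seq]:
                alerts.append(("payload-mismatch", flow, lo, hi))
        history[flow].append((s.seq, s.payload))
    return alerts


# Constructed trace: the forged reply arrives first, then the genuine one lands
# on the same sequence range; a plain retransmission of the genuine data is benign.
SERVER, CLIENT = ("203.0.113.10", 80), ("10.0.0.5", 51234)
FORGED = Segment(*SERVER, *CLIENT, seq=1000, ttl=64, payload=b"HTTP/1.1 200 OK\r\n\r\n<img src=injected.gif>")
GENUINE = Segment(*SERVER, *CLIENT, seq=1000, ttl=52, payload=b"HTTP/1.1 200 OK\r\n\r\n<html>hello</html>")
RETRANS = Segment(*SERVER, *CLIENT, seq=1000, ttl=52, payload=GENUINE.payload)

if __name__ == "__main__":
    print(detect_injections([FORGED, GENUINE]))   # ttl-change + payload-mismatch
    print(detect_injections([GENUINE, RETRANS]))  # [] : identical bytes, same TTL
```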