
I'm doing some research for university and, before wasting a lot of time on it, I'd like to know if what I've got in my mind can be done.

I'm talking about a simple MITM attack but, in my scenario, the victim is forced to use a VPN to access the internet.

So here's a quick overview of the scenario:

An open WiFi network (let's call it WIFIUniversity) (gateway is at 192.168.1.1)

A VPN server (IP = 160.97.10.10) which seems to be not reachable from outside the WiFi (or at least it rejects my ping requests)

I've thought of 2 kinds of attacks that may work, but the last one seems really unrealistic while I'm writing.

  1. Using an ARP POISONING tool to make every client think that my PC is the VPN server. This means that I've got to install and set up a VPN server on my PC (OpenVPN seems good) and act as a server. This will lead to this "chain": victim -> me -> real vpn server -> network. This may lead to some kind of fake certificate warning, but I can forge a fake certificate that looks like the university one and the user will accept it without thinking that he may be the victim of an attack. (Provided that the victim is NOT an IT expert but an ordinary user who doesn't know what a certificate is). So, after all this stuff, the victim's traffic will be redirected to my VPN and this means that I can get the HTTP response from the real VPN and I can change it before encrypting and sending it back to the victim.
  2. If the VPN uses a gateway that is on my same subnet, I can ARP poison the VPN server to let it think that I'm its gateway to the network and so it'll give me its decrypted requests and I can edit the responses before passing them back to the VPN server. Something like victim -> real vpn server -> me as a fake gateway -> network.

I've tried to summarize them as I'm not an expert in this kind of thing and I just want to know if my ideas are right before starting to investigate how to do these attacks.

So, please, before linking some long pdf, just reply as straight as possible by saying something like:

Yeah, you're right, point 1 may work

or just

Go and study as you don't know anything about VPN and network security

Thanks in advance!

:)

StepTNT

2 Answers


If you can forge certificates as you say and make the user believe he's connecting to the right VPN server, the first attack would work. And of course the second attack is the same but on the VPN server side, which is also possible.

Certificates are the only thing that keeps the trust system working. If you can forge certificates you can impersonate the real VPN server and no one really notices.

Another thing is when there is a secret key (with or without certificates) in use between server and client. You then, of course, need to know it. You then basically create a VPN proxy (which is nonsense in a secure network). It's like an HTTPS proxy: you accept a connection from a client, disguise yourself as the VPN server, and connect to the VPN server disguised as the real VPN client.

Moreover, the client could have certificates too, in which case you would need to fool the server too.

Kveri

Have you at least read the Wikipedia article about MitM? MitM means that you encrypt to the wrong key (and/or accept signatures from the wrong key). If you use public keys for a VPN then this is theoretically possible (but I assume that every serious VPN software takes care of that).

You cannot compromise key validation by ARP spoofing.

Hauke Laging
  • As I wrote in the question, key validation is not an issue as my "targets" are people who don't know anything about security and stuff like that, so it'll be enough to have "facebook", "google" or the university name somewhere in the certificate to let them trust it, despite all the browser's warnings. – StepTNT Mar 16 '13 at 15:15