
Ettercap Detection

During a test, a client performed a MITM attack on a wireless network using ettercap. The SandBlast client did not detect the attack. Should SandBlast have seen the attack (based on the MAC of the gateway changing)?

4 Replies
Admin

Re: Ettercap Detection

A MAC address change doesn't necessarily mean a MITM.

For example, if you visit many Starbucks locations, you'll see different MAC addresses for each location, but they all have the same SSID.

The MITM detection in SandBlast can be configured by dashboard admin and is related to checking HTTPS traffic.

To edit the settings click on Settings -> Policy Settings -> WIFI Network

  • SSL Stripping - MITM attack - intercepts all network traffic redirection from HTTP to HTTPS and "strips" the HTTPS call, leaving the traffic as HTTP.
  • SSL Interception (Basic) - MITM attack - intercepts HTTPS traffic by using an invalid certificate that is not in the device's trusted certificates or is not trusted by a root CA.
  • SSL Interception (Advanced) - MITM attack - intercepts HTTPS traffic by using a valid certificate that does not match the certificate of the server.

You can also configure the specific HTTPS URLs that can be checked as well.

Re: Ettercap Detection

Many Wi-Fi networks' captive portals behave in a way that could sometimes be considered a MITM attack when the device connects to them, but stop the behaviour once the user authenticates to the portal. Does SandBlast generate alerts to users in this case?

The Administration guide does not seem to have any guidance for these cases. It does indicate it is possible to add your organization's certificate to prevent MITM detection when you are using SSL interception. However, generally, you will not be able to control the captive portals people are using nor have the certificates of these portals.

Any thoughts?
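To make the three HTTPS-based categories from the Admin reply above concrete, and to show where the captive-portal case asked about in the post above lands under those definitions, here is an added Python example. It is not Check Point's detection logic: certificates are modelled as subject/issuer names plus an SPKI hash so it runs offline, and every hostname, CA name and fingerprint is constructed. It also models the "add your organization's certificate" setting as an allow-list of organisation CAs, which is an assumption about how such an exception would work, not a description of the product.

```python
"""Classify an HTTPS probe into the three MITM categories from the Wi-Fi
policy settings: SSL Stripping, SSL Interception (Basic) and SSL
Interception (Advanced). Added example, not Check Point's logic.

Certificates are modelled as subject/issuer names plus an SPKI hash so the
check runs offline; every hostname, CA name and fingerprint is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Sequence

STRIPPING = "SSL Stripping"
BASIC = "SSL Interception (Basic)"
ADVANCED = "SSL Interception (Advanced)"
CLEAN = "clean"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki_sha256: str      # hex SHA-256 of the SubjectPublicKeyInfo (constructed)
    sans: FrozenSet[str]  # DNS names the certificate is valid for


@dataclass(frozen=True)
class Probe:
    """What we saw after requesting http://<host>/ and following redirects."""
    host: str
    final_scheme: str      # "https" if the session ended on TLS, else "http"
    chain: Sequence[Cert]  # leaf first; empty when final_scheme == "http"


def chains_to_trusted_root(chain: Sequence[Cert], trusted: FrozenSet[str]) -> bool:
    """Each cert must be issued by the next one; the last issuer must be a trusted root."""
    if not chain:
        return False
    if any(child.issuer != parent.subject for child, parent in zip(chain, chain[1:])):
        return False
    return chain[-1].issuer in trusted


def classify(probe: Probe, pins: Dict[str, str], trusted: FrozenSet[str],
             allowed_interceptors: FrozenSet[str] = frozenset()) -> str:
    # SSL Stripping: the HTTP -> HTTPS redirect never happened; we stayed on HTTP.
    if probe.final_scheme != "https":
        return STRIPPING
    leaf = probe.chain[0] if probe.chain else None
    # Basic interception: the certificate would not validate on this device at all
    # (wrong name, or the chain does not end at a root in the device's trust store).
    if leaf is None or probe.host not in leaf.sans or not chains_to_trusted_root(probe.chain, trusted):
        return BASIC
    # Assumed modelling of the "add your organization's certificate" setting:
    # a chain ending at an allow-listed organisation CA is expected inspection.
    if probe.chain[-1].issuer in allowed_interceptors:
        return CLEAN
    # Advanced interception: the chain validates, but the key is not the one we know
    # for this host (pin recorded out of band, e.g. from a clean network).
    expected = pins.get(probe.host)
    if expected is not None and leaf.spki_sha256 != expected:
        return ADVANCED
    return CLEAN


TRUSTED = frozenset({"Example Public Root CA", "Acme Corp Root CA"})
PINS = {"login.example.com": "a1" * 32}  # the real server's SPKI hash (constructed)
HOST = "login.example.com"


def make_leaf(issuer: str, spki: str) -> Cert:
    return Cert(HOST, issuer, spki, frozenset({HOST}))


def sample_probes() -> Dict[str, Probe]:
    """Constructed probe results, one per scenario."""
    return {
        "clean": Probe(HOST, "https", (make_leaf("Example Issuing CA", "a1" * 32),
                                       Cert("Example Issuing CA", "Example Public Root CA", "b2" * 32, frozenset()))),
        "stripped": Probe(HOST, "http", ()),
        # Pre-auth captive portal or ettercap-style fake cert: self-signed, not in the trust store.
        "captive_portal": Probe(HOST, "https", (make_leaf("Hotel Wi-Fi Portal", "c3" * 32),)),
        # Chains to a trusted root (mis-issued or compromised CA) but is not the server's key.
        "rogue_trusted": Probe(HOST, "https", (make_leaf("Example Public Root CA", "d4" * 32),)),
        # Corporate TLS inspection proxy re-signing with an org CA installed on the device.
        "corp_proxy": Probe(HOST, "https", (make_leaf("Acme Corp Root CA", "e5" * 32),)),
    }


def classify_samples(allowed_interceptors: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    return {name: classify(probe, PINS, TRUSTED, allowed_interceptors)
            for name, probe in sample_probes().items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:15s} -> {verdict}")
    print("corp_proxy with org CA allow-listed ->",
          classify_samples(frozenset({"Acme Corp Root CA"}))["corp_proxy"])
```

Under the definitions in the thread, a pre-auth captive portal that answers HTTPS with its own untrusted certificate is indistinguishable from basic interception for a check like this one: the `captive_portal` probe is classified the same way an ettercap-generated certificate would be. That is a property of the classification rules, not a statement about what SandBlast Mobile does with it, which is the open question in the post above. The allow-list only helps for CAs you control (the `corp_proxy` case), which matches the observation that you cannot usually add certificates of portals you do not run.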

Employee+

Re: Ettercap Detection

Hi Ken, how are you?

It's very nice to e-meet! My name is Daniel Dor and I'm assisting our customers and partners worldwide to test and use the product. Optimally, such attacks should have been detected. However, sometimes the SandBlast Mobile App is not installed correctly or configured correctly, and therefore doesn't detect the security event.

Please send me an email (danieldor@checkpoint.com) with 3 details, and I will try to assist:

1. Your SandBlast Mobile dashboard URL

2. The attack's scenario

3. Your specific device ID (take it from the SBM dashboard)

Thanks!

D

Re: Ettercap Detection