This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ken_Dickey
Explorer
‎2018-03-28 07:50 AM

Ettercap Detection

During a test, a client performed a MITM attack on a wireless network using ettercap. The Sandblast client did not detect the attack. Should Sandblast have seen the attack (Based on the MAC of the gateway changing)?

4 Replies
PhoneBoy
Admin
Admin
‎2018-03-28 08:48 PM

A MAC address change doesn't necessarily mean a MITM.

For example, if you visit many Starbucks locations, you'll see different MAC addresses for each location, but they all have the same SSID.

The MITM detection in SandBlast can be configured by dashboard admin and is related to checking HTTPS traffic.

To edit the settings click on Settings -> Policy Settings ->WIFI Network

  • SSL Striping - MITM attack - intercepts all network traffic redirection from HTTP to HTTPS and "strips" the HTTPS call leaving the traffic as HTTP.
  • SSL Interception (Basic) - MITM attack - intercepts HTTPS traffic by using an invalid certificate that does not exist on the device's trusted certificates or not trusted by a root CA.
  • SSL Interception (Advanced) - MITM attack - intercepts HTTPS traffic by using a valid certificate that does not match the certificate of the server.

You can also configure the specific HTTPS URLs that can be checked as well.

Javier_Fdez-San
Participant
‎2018-04-19 08:13 AM
In response to PhoneBoy

Many Wi-Fi network's captive portals behave in a way that could sometimes be considered a MITM attack when the device connects to it, but stop the behaviour once the user authenticates to the portal. Does Sandblast generate alerts to users in this case?

The Administration guide does not seem to have any guidance for these cases. It does indicate it is possible to add your organization's certificate to prevent MITM detection when you are using SSL interception. However, generally, you will not be able to control the captive portal's people are using nor have the certificates of these portals.

Any thoughts?

Daniel_Dor
Employee Alumnus
Employee Alumnus
‎2018-04-25 01:47 AM

Hi Ken, how are you?

It's very nice to e-meet! My name is Daniel Dor and I'm assisting our customers and partners worldwide to test and use the product. Optimally, such attacks should have been detected. However, sometimes, the SandBlast Mobile App is not installed correctly or configured correctly, and therfore doesn't detect the security event.

Please send me an email (danieldor@checkpoint.com) with 3 details, and I will try to assist:

1. Your SandBlast MObile dashboard URL

2. The attack's scenario

3. Your specific device ID (take it from the SBM dashboard)

Thanks!

D

XBensemhoun
Employee
Employee
‎2018-05-01 05:57 PM

Hi https://community.checkpoint.com/people/ken.d8ce8e28f-4fbb-3a75-8e4c-5d24bd9eaa4f : does your issue can now be explained?

Information Security enthusiast, CISSP, CCSP
Upcoming Events

    CheckMates Events