Wireless Network Attacks


Rogue Access Points

A rogue access point is one that has been installed on the network without authorization, whether with malicious intent or not.

  • can be as basic as a smartphone with tethering capabilities
  • can be set up by accident
  • if connected to the LAN without security controls,
    • can create a backdoor to attack the network

Evil Twins

An evil twin is a rogue AP masquerading as a legitimate one.

  • might advertise a similar network name (SSID) to the legitimate one
  • might spoof the SSID and BSSID (MAC address) of an authorized access point
  • might use a DoS technique to overwhelm the legitimate AP
    • users are forced to disconnect from the network and then manually attempt to reconnect
    • clients may associate with the evil twin AP and submit the network passphrase or their credentials for authentication
  • to mitigate
    • use EAP-TLS security
      • so that the authentication server and clients perform mutual authentication
    • use scanners and monitoring systems that can detect rogue APs
      • called wireless intrusion detection systems (WIDS) or wireless intrusion prevention systems (WIPS)

Deauthentication Attacks

A wireless DoS attack is designed to prevent clients from connecting to the legitimate access point.

A deauthentication attack spoofs management frames to disconnect a wireless station, typically in order to capture authentication data that can then be cracked.

  • aka disassociation attack
  • sends a stream of spoofed management frames to cause a client to deauthenticate from an AP
  • allows the attacker to
    • interpose the evil twin
    • sniff information about the authentication process
    • or perform a DoS attack against the wireless infrastructure
  • mitigated by management frame protection (MFP)
    • both the AP and the clients must be configured to support MFP
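A minimal WIDS-style check covering both the evil twin and deauthentication sections above, written here as an added example (not code from the original notes): over a constructed log of beacon and deauth frames it flags beacons whose SSID/BSSID do not match an AP inventory and sources that send an abnormal burst of deauth frames. The frame log, MAC addresses, the AUTHORIZED inventory and the window/threshold values are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames as a WIDS sensor might log them:
# (seconds, frame type, SSID, source BSSID, destination MAC). Placeholder values only.
AUTHORIZED = {"CorpWiFi": {"00:11:22:33:44:55"}}  # hypothetical AP inventory
FRAMES = [
    (0.00, "beacon", "CorpWiFi",  "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),
    (0.10, "beacon", "CorpWiFi",  "aa:bb:cc:dd:ee:ff", "ff:ff:ff:ff:ff:ff"),  # spoofed SSID
    (0.20, "beacon", "Corp-WiFi", "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff"),  # look-alike
    (0.30, "beacon", "GuestNet",  "aa:bb:cc:dd:ee:02", "ff:ff:ff:ff:ff:ff"),  # unknown SSID
    (5.00, "deauth", "", "aa:bb:cc:dd:ee:ff", "66:77:88:99:aa:cc"),  # one deauth: benign
] + [  # 12 spoofed deauths within 0.55 s, claiming to come from the real AP
    (1.0 + i * 0.05, "deauth", "", "00:11:22:33:44:55", "66:77:88:99:aa:bb")
    for i in range(12)
]

def _normalize(ssid):
    return "".join(ch for ch in ssid.lower() if ch.isalnum())  # 'Corp-WiFi' -> 'corpwifi'

def find_rogue_aps(frames, authorized):
    """Return (bssid, ssid, reason) for every beacon that does not match the inventory."""
    lookalike = {_normalize(s): s for s in authorized}
    findings = []
    for _, ftype, ssid, bssid, _ in frames:
        if ftype != "beacon" or bssid in authorized.get(ssid, ()):
            continue  # not a beacon, or a known AP advertising its own SSID
        if ssid in authorized:
            findings.append((bssid, ssid, "evil twin: authorized SSID, unknown BSSID"))
        elif _normalize(ssid) in lookalike:
            findings.append((bssid, ssid, "look-alike of " + lookalike[_normalize(ssid)]))
        else:
            findings.append((bssid, ssid, "unauthorized network"))
    return findings

def find_deauth_floods(frames, window=1.0, threshold=10):
    """Return (bssid, peak) for sources sending >= threshold deauths inside any window."""
    by_src = defaultdict(list)
    for ts, ftype, _, bssid, _ in sorted(frames):  # chronological order
        if ftype == "deauth":
            by_src[bssid].append(ts)
    floods = []
    for bssid, times in by_src.items():
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop timestamps that left the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods.append((bssid, peak))
    return floods
```

With MFP enabled, protected clients reject the spoofed deauth frames, but a sensor still sees and counts them, so the two controls complement each other.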

Wireless Replay and Key Recovery

Replay attacks aim to capture the hashes used when a wireless station associates with an access point.

  • Once the hash is captured,
    • it can be subjected to offline brute-force and dictionary cracking
  • A KRACK attack uses a replay mechanism that targets the WPA and WPA2 4-way handshake
    • it is effective regardless of whether the authentication mechanism is personal or enterprise