3 WLAN Security
Course 2022-2023
WLAN definitions
u Wireless LAN (WLAN): Short range, high speed
radio networks:
v E.g. ALOHAnet, ETSI HiperLAN, IEEE 802.11.
u IEEE 802.11: Technical specification of a WLAN
protocol being standardised by the IEEE-802 group.
Actually, a family of standards:
v IEEE 802.11a/b/g/i/n/ac/ax
u Wi-Fi: Industrial standard for interoperable products
based on IEEE 802.11 as defined by the Wi-Fi
Alliance.
OSI Layers
[Figure: IEEE 802 standards in the OSI model. Upper layers. Data Link layer: 802.11 MAC (Medium Access Control Layer), alongside 802.3. Physical Layer (802.11 PHY): 802.11 (Ir, FHSS, DSSS), 802.11a (OFDM), 802.11b (HR-DSSS), 802.11g (OFDM), 802.11n (OFDM + 4 MIMO), 802.11ac (OFDM + 8 MIMO + MU-MIMO), 802.11ax (OFDM).]
IEEE 802.11 Amendments
u IEEE 802.11 has evolved over time increasing
the data rate from the original 1 Mbps to
almost 7 Gbps!
Standard | PHY          | Frequency bands | Bandwidth (MHz) | Max. stream throughput | Real stream throughput | Range (in/outdoors)
802.11   | FHSS/DSSS/Ir | 2.4GHz          | 22              | 2 Mbps                 | 0.9 Mbps               | 20/100m
[Slide annotations: > speed; Good balance; Most adopted; > distance]
Ad-hoc & Infrastructure
modes
u Infrastructure mode:
v Basic Service Set (BSS):
ü A single Access Point (AP) and its
associated stations.
ü Stations (STAs) can only communicate
through the AP.
v Extended Service Set (ESS):
ü Several APs interconnected through a
Distribution System (DS), typically an
Ethernet LAN
ü WLAN Controller employs CAPWAP
protocol [RFC5416] to control APs.
ü WDS introduces a Wireless DS
ü Wifi mesh (802.11s)
u Ad-hoc mode:
v Independent BSS (IBSS)
ü No AP, stations communicate directly.
u Service Set Identifier (SSID)
v To identify the BSS/ESS/IBSS.
IEEE 802.11 frame format
Source: http://www.wildpackets.com/resources/compendium/wireless_lan/wlan_packets
IEEE 802.11 frame types
IEEE 802.11 Medium
Access Control (MAC)
u Centralised, polling-based:
v Point Coordination Function (PCF): Never implemented.
u Distributed, contention-based:
v Distributed Coordination Function (DCF): Best-effort.
v Enhanced Distributed Channel Access (EDCA) [802.11e]: QoS.
u DCF implements (Virtual) Carrier Sense Multiple Access with
Collision Avoidance (CSMA/CA):
[Figure: CSMA/CA timing diagram with RTS/CTS over a Time axis. Sender: DIFS, RTS, Data. Receiver: CTS and ACK, each sent after a SIFS. Other stations: NAV (RTS), NAV (CTS), then DIFS and Contention Window before Data.]
Short Interframe Space (SIFS) < PCF Interframe Space (PIFS) < DCF Interframe Space (DIFS)
IEEE 802.11 Channel
Scanning
u Passive scanning: Station waits for Beacon frames that are periodically
broadcast by APs:
ü Timestamp: AP uptime measured in microseconds.
ü Beacon interval: 100 ms by default:
Ø × 11 channels to scan → >1 sec
ü AP capabilities: e.g. Ad-hoc/infrastructure, WEP support, QoS support.
ü Information Elements (extensible TLV format):
Ø Service Set Identifier (SSID): It can be disabled (i.e., hidden WLAN) to avoid
“Wardriving” = Mapping WLANs to GPS coordinates → Bad idea!
Ø Supported rates: e.g. 1, 2, 5.5, 11 Mbps.
Ø Radio parameters: Current RF channel.
Ø Power Save flags: STAs with pending frames.
Ø +Robust Security Network (RSN): 802.11i/WPA info.
Ø…
u Active scanning: Station sends Probe Request frames and waits for
Probe Responses from the AP:
v Probe Request: Only contains Information Elements: e.g. supported rates.
ü Privacy problem: It may include all hidden SSIDs known by the STA!
v Probe Response: Similar to Beacon (without Power Save flags).
Source: Wikipedia
IEEE 802.11 Authentication
u Two Authentication methods:
v Open system Authentication:
ü Always succeeds.
v Shared key (WEP) Authentication:
1. AP sends a challenge.
2. STA encrypts challenge with WEP key and
sends it back.
3. AP decrypts challenge to authenticate STA
(i.e. it knows the WEP key).
4. Return Success/Failure (decryption oracle!).
u WEP Authentication is broken !!!
v No mutual authentication nor random nonces:
ü Attacker posing as AP may ask STAs to encrypt
anything! → Chosen plaintext/ciphertext
attack!
v WiFi Alliance only supports Open AuthN:
ü Data frames are encrypted and their integrity is
protected with WEP anyway (isn’t it?).
u Authentication is followed by an Association
Request/Response exchange:
v Contain capabilities, supported rates, and
SSID information elements (even in hidden
WLANs).
WEP Objectives
u Wired Equivalent Privacy (WEP) objectives set by IEEE (1999):
v It is reasonably strong: The security afforded by the algorithm relies on the difficulty of discovering
the secret key through a brute-force attack. This in turn is related to the length of the secret key and
the frequency of changing keys. WEP allows for the changing of the key (K) and frequent changing
of the Initialization Vector(IV).
v It is self-synchronizing: WEP is self-synchronizing for each message. This property is critical for a
data-link-level encryption algorithm, where "best effort" delivery is assumed and packet loss rates
may be high.
v It is efficient: The WEP algorithm is efficient and may be implemented in either hardware or
software.
v It may be exportable: Every effort has been made to design the WEP system operation so as to
maximize the chances of approval, by the U.S. Department of Commerce, of export from the U.S. of
products containing a WEP implementation. However, due to the legal and political climate toward
cryptography at the time of publication, no guarantee can be made that any specific IEEE 802.11
implementations that use WEP will be exportable from the USA.
v It is optional: The implementation and use of WEP is an IEEE 802.11 option.
u An RC4 stream cipher with 40 bit keys (later 104 bits), plus a 24 bit Initialization Vector (IV)
that changes with every packet, was chosen for implementing the XOR-based WEP cipher:
v Included into original IEEE 802.11 specification without public scrutiny.
WEP Privacy & Integrity
[Figure: WEP encryption and integrity diagram; surviving label: CRC-32(DATA)]
Why WEP is insecure
u Bad key management:
v User keys should not be employed directly, but derived into session keys.
v Encryption keys should not be reused for authentication.
u No replay prevention:
v Sequence number in 802.11 header, but not covered by ICV → it can be
trivially modified by an attacker.
u No ‘true’ integrity protection:
v CRC is not a Message Integrity Code (MIC) algorithm but a linear method
→ attacker knows which bits to flip in ICV (because bit flipping survives
XOR encryption) [1]:
ü E.g. Just change destination IP address to receive the unencrypted datagram!
u WEP encryption weaknesses:
v IV reuse: XOR encryption must NEVER reuse the same keystream, but IV
is only 24 bits long (i.e. IV reused by STA in 7 hours with 500 frames/sec):
C1 = P1 XOR KS_{IV+K}
C2 = P2 XOR KS_{IV+K}
C1 XOR C2 = (P1 XOR KS_{IV+K}) XOR (P2 XOR KS_{IV+K}) = P1 XOR P2
v RC4 weak keys: RC4 was a very good PRNG… if you skip the first 256
bytes → WEP does not do that.
[1] N. Borisov, I. Goldberg, D. Wagner. “Intercepting mobile communications: the insecurity of 802.11”. Mobile computing
and networking (MobiCom '01), pp.180-189, Rome (Italy), 16-21 July 2001. DOI: 10.1145/381677.381695
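The IV-reuse identity and the CRC linearity problem above, in running code. This is an added example, not part of the original slides; the key, IV and payloads are constructed sample values, and the truncated HMAC-SHA256 tag is a stand-in for a keyed MIC (it is not Michael or CCMP).

```python
import hashlib
import hmac
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Plain RC4 keystream (KSA + PRGA); no initial bytes are skipped, as in WEP."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")       # ICV = CRC-32(DATA)

def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    body = data + icv(data)
    return xor(body, rc4(iv + key, len(body)))           # C = P XOR KS_{IV+K}

def wep_decrypt(key: bytes, iv: bytes, ct: bytes):
    body = xor(ct, rc4(iv + key, len(ct)))
    return body[:-4], body[-4:] == icv(body[:-4])        # (data, ICV valid?)

def flip_bits(ct: bytes, delta: bytes) -> bytes:
    """Keyless edit of len(delta) data bytes: CRC-32 is affine under XOR,
    so the matching ICV change is computable from delta alone."""
    fix = xor(icv(delta), icv(bytes(len(delta))))
    return xor(ct, delta + fix)

def mic_ok(mic_key: bytes, data: bytes, tag: bytes) -> bool:
    """Keyed integrity check (stand-in MIC): cannot be adjusted without mic_key."""
    want = hmac.new(mic_key, data, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(want, tag)

# Constructed sample values: 40-bit key, one IV used for two frames.
KEY, IV = bytes.fromhex("0102030405"), bytes.fromhex("aabbcc")
P1, P2 = b"dst=10.0.0.5 pay", b"dst=10.0.0.9 ack"
C1, C2 = wep_encrypt(KEY, IV, P1), wep_encrypt(KEY, IV, P2)
DELTA = xor(P1, b"dst=10.0.0.7 pay")                     # bits that differ
```

`wep_decrypt(KEY, IV, flip_bits(C1, DELTA))` returns the altered payload with a valid ICV, while a tag made with `mic_ok`'s key over `P1` no longer verifies against the altered data.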
WEP Attacks
u Fluhrer-Mantin-Shamir (FMS) attack [2] finds one byte of
the key after capturing just 60 frames with predictable
plaintext (e.g. LLC+SNAP frame starts with 0xAA) using a
weak RC4 IV+Key:
v Linear method: A 102 bit key only takes 2.5 times more than a
40 bit key.
v 4,000,000 to 6,000,000 packets to succeed with 50% success
probability.
u KoreK attack [3, 4] further improves FMS attack:
v 700,000 packets for 50% success probability.
u Pyshkin-Tews-Weinmann (PTW) attack [5] even further:
v 35,000 to 40,000 packets for 50% success probability.
v 60 seconds in busy WLAN !!!
[2] S. R. Fluhrer, I. Mantin, A. Shamir “Weaknesses in the Key Scheduling Algorithm of RC4”. Workshop on Selected Areas in
Cryptography (SAC '01), pp. 1-24. Toronto (Canada), 16-17 August 2001. DOI: 10.1007/3-540-45537-X_1
[3] KoreK. “chopchop”. http://netstumbler.org/unix-linux/chopchop-experimental-wep-attacks-t12489.html, 2004.
[4] KoreK. “Next generation of WEP attacks?” http://www.netstumbler.org/news/next-generation-of-wep-attacks-t12277.html, 2004.
[5] E. Tews, R. P. Weinmann, and A. Pyshkin. “Breaking 104 bit wep in less than 60 seconds”. 8th Workshop on Information
Security Applications (WISA 2007), Jeju Island (Korea), August 27-29, 2007. DOI: 10.1007/978-3-540-77535-5_14
WiFi Protected Access
(WPA)
u WEP problems were only known after a huge base of
Wi-Fi APs and STAs was already deployed:
v IEEE started 802.11i to completely replace WEP to create
a Robust Security Network (RSN) → WPA2.
v Wi-Fi Association designed WPA to be backwards
compatible with legacy WEP designs (i.e. RC4 hardware).
u Wi-Fi Protected Access (WPA) tries to address
WEP weaknesses:
v Key hierarchy.
v Key distribution (EAPOL-Key).
v EAP-based Authentication (EAPOL+RADIUS) with 802.1x
Access Control.
v Temporal Key Integrity Protocol (TKIP).
WPA Key Hierarchies
u Pairwise Keys: Each STA shares a different
temporal key with the AP for unicast data
frames:
v Pairwise Master Key (PMK) of 256 bits: Either an
(expanded) Pre-Shared Key (PSK) or (truncated)
from Enterprise AAA.
v A Pairwise Transient Key (PTK) of 512 bits (384
bits for WPA2 AES-CCMP) is derived from PMK
during the EAPOL-Key 4-way handshake, then split
into:
ü Data encryption Temporal Key (TK) - 128 bits.
ü Data integrity key (for Michael MIC) - 128 bits.
Ø In AES-CCMP: Single data encryption/integrity key
(128 bits).
ü EAPOL-Key Encryption Key (KEK) - 128 bits.
ü EAPOL-Key Confirmation Key (KCK) - 128 bits.
u Group keys: Shared by all STAs for
multicast/broadcast frames, but it can be
changed by the AP whenever a STA leaves:
v AP creates a random Group Master Key (GMK).
v A Group Transient Key (GTK) of 256 bits is derived
from GMK and split in:
ü Group encryption key (128 bits).
ü Group integrity key (128 bits).
Ø In AES-CCMP: Single group encryption/integrity key
(128 bits).
[Figure: key hierarchy diagram; surviving labels: "NEVER transmitted!!", "One direction", "MIC", "Protect EAPOL", "Protect user data"]
WPA Key Hierarchies
u Key derivation is computed using a Pseudo-
Random Function (PRF) based on keyed-
hashing for message authentication (HMAC-
SHA1)
v Objective: Generate random stream of bytes, from
160bit block from HMAC-SHA1
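PRF ( K, A, B, Len ) {
  R = "";                                 // empty octet string
  for (i = 0; i < (Len+159)/160; i++)     // one 160-bit HMAC-SHA1 block per round
    R = R || HMAC-SHA1(K, A||0||B||i);    // 0 and i are single octets
  return trunc(R, Len);                   // keep the first Len bits
}
Where:
K (Hashing key)
A (the application-specific text)
B (Special data, text string)
Len (Desired length, in bits)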
EAPOL-Key 4-way and
Group Key handshakes
u EAPOL-Key message format:
[Figure: 4-way handshake following EAPOL-based Authentication; surviving labels: U1. EAPOL-Key(ANonce); U2. EAPOL-Key(SNonce, MIC)]
Source: https://aswinchandran.wordpress.com/eap/
Temporal Key Integrity
Protocol (TKIP)
u TKIP was created to solve WEP problems by just changing the
firmware of legacy RC4 encryption hardware:
v Prevent replay attacks:
ü Use IV as replay counter: IV++ per frame.
v Prevent IV reuse:
ü Increase the size of IV: 24 → 48 bits.
ü Make IV depend on MAC address, i.e. different in each direction.
ü Construct IV to avoid a well-known class of weak keys for Fluhrer-Mantin-Shamir
(FMS) attacks.
v New simple Message Integrity Code (MIC) → Michael:
ü Objective: compatible with old AP. No crypto algorithms with multiplication
ü Vulnerable to brute force attacks.
ü Countermeasure: Block STA for 60s and rekey whenever a MIC fails.
v Per-Packet Key Mixing: Use a different RC4 key for each frame.
WPA Frame Format
Field                 | Size
802.11 Header         |
IV+Key ID (Ext IV=1)  | 4 bytes
Ext IV (IV++)         | 4 bytes
DATA                  | 0 - 2292 bytes
MIC                   | 8 bytes
ICV                   | 4 bytes
FCS                   |
IEEE 802.11i / WPA2
AES-CCMP
[Figure: AES-CCMP encapsulation; surviving labels: DATA, MIC, PL(i)=[MAC|PN|i], PL(1) PL(2) … PL(n) PL(0), IV, 64, 64]
WPA/WPA2 brute force
attacks
u Capture info in 4-way handshake
v SSID
v ANonce, SNonce
v MAC addresses (Authenticator and
Supplicant)
v Message's MIC computed with a valid PTK
u Guess process:
v Use a guess phrase (dictionary)
v Compute PMK’ -> PSK’ -> MIC’
v Compare MIC’ = MIC
v If match Bingo!! I have the key
v If not take next guess phrase
[Figure: flowchart; surviving labels: Capture 4-way handshake; Extract MIC+nonce+SSID; Guess PSK’ (dictionary); derive MIC’; MIC’ = MIC; No; Yes; PSK]
WPA2 specific attacks
WPA3
u Released in June 2018 by Wi-Fi Alliance
v backwards compatible with legacy hardware as WPA2. (emulating)
u WPA3-Personal
v A more secure Simultaneous Authentication of Equals (SAE)
handshake
ü No more Open System Authentication
u WPA3-Enterprise
v 802.11w or Protected Management Frames (PMF)
v From 128bits to 192bit encryption security suite (optional)
ü AES-GCM (Galois/Counter Mode Protocol)
v Offer new Authentication (EAP-TLS) with 384bit Elliptic Curve Digital
Signature Algorithm (ECDSA)
u Public Wifi
v Opportunistic Wireless Encryption (OWE) as RFC8110
ü unauthenticated encryption for open networks
u Specific Attacks:
v Transition mode WPA2/WPA3 uses the same password.
ü Solution: AP only offers the mode learnt on the first access of a STA
v Side-channel and timing attacks (Dragonblood)
v Online dictionary attack
ü Trial and error against AP
Simultaneous Authentication
of Equals (SAE)
Source: https://mrncciew.com/2019/11/29/wpa3-sae-mode/
Protected Management
Frames (PMF)
u IEEE 802.11w (2008)
u Provide protection for specific unicast
management Frames
ü Using the same keys as data frames
ü Disassociation, deauthentication, and more...
Opportunistic Wireless
Encryption (OWE)
u Defined in RFC8110
u Substitute WPA2-PSK (aka. WPA3-Personal)
u Concept:
v PMK generated with Diffie-Hellman using Association
Request/response messages
u Pro:
v Encryption better than plaintext
u Cons:
v No AP authentication -> MiTM (rogue AP)
Generic WLAN Attacks
u Which Wi-Fi standard to use?
v WEP is broken, WPA also has issues, WPA2/WPA3 is your best bet, but please use a good password
(brute force attacks) in WPA2
u Wi-Fi Protected Setup (WPS): Vulnerable to brute force attack against WPS PINs → disable WPS!
v PIN validation employs two EAP messages, a late NAK shows first half of the PIN is OK.
v 8-digit PIN (but last one is just a checksum) → 10^4 + 10^3 = 11,000 attempts instead of 10^7.
u War driving: Look for 802.11 Beacons to get information about WLANs (SSID, AP MAC) and their
GPS coordinates:
v Common nowadays for Wi-Fi-based location services.
v SSID un-hiding would require active probing, although clients transmit it.
u MAC Access Control Lists are quite useless:
v MAC addresses are unencrypted in 802.11 header and thus are trivial to spoof.
u False Deauthentication/Disassociation: Management frames are not protected (only on
WPA3-enterprise):
v Cell-wide DoS by sending broadcast Deauthenticate/Disassociate frames.
v Hidden SSID: Disassociate an STA and wait for the SSID in a Probe or Association Request.
u DoS based on TKIP Michael countermeasures standard:
v Modify the MIC of a STA and the AP will block it for 60s each time.
u Rogue APs: The attacker deploys an AP advertising the target SSID and waits:
v PEAP mutual authentication prevents Man-in-the-Middle (MitM) attacks …
v … but only if AAA Server certificates are properly configured in STAs.
v Otherwise: Downgrade attacks (e.g. PAP), or MSCHAPv2 cracking (= DES cracking).
u RF Jamming DoS: Impossible to stop:
v Some vendors have Rogue AP and Jamming alerts in their WLAN Management tools.
Attacker Tools