1. CIS-wifi


BASIC COURSE ON
SYSTEM INTRUSION CYBER-OPERATIONS

WIRELESS LAN SECURITY

Netlab
WLAN – IEEE 802.11

• Introduction to WLAN
• IEEE 802.11 WLAN standards
• IEEE 802.11 architecture
• Wi-Fi Alliance
• Certification programs
• Wi-Fi Security

WLAN: Introduction
• Initially: delivering connectivity "on the road" in airports, hotels, Internet cafés and shopping malls
• The goal was to provide web browsing, email and, for business users, access to the office network through Virtual Private Network (VPN) applications.
• Later, wireless LAN moved firmly into the home and home office environment
• Now available in many devices: computers, printers, games consoles, media servers, scanners
• From devices as small as a smartphone to as large as the screen in an auditorium

WLAN: Introduction
• Advantages compared to wired networks
  • Ubiquity
  • Mobility
    • Improves productivity with real-time access to information, regardless of worker location
  • Robustness
    • Disaster (earthquake, fire)
    • Users who accidentally get unplugged
  • WLANs are simple to install
  • Cost-effective network setup for hard-to-wire locations such as older buildings and solid wall structures
  • Reduced cost of ownership, thanks to minimal wiring and installation costs per device and per user, particularly in a dynamic environment requiring frequent modification
  • WLANs provide high-speed, reliable data communications in a building or campus environment as well as coverage in rural areas

WLAN: Introduction
• Disadvantages compared to wired networks
  • Inter- and intra-system interference
    • Caused by simultaneous transmission in the shared frequency band and by multipath fading
  • Security
    • Radio waves are not confined to the boundary of buildings or campuses
    • Eavesdropping and intentional interference are possible
    • Data privacy over a radio medium is usually accomplished by using encryption
  • Power consumption
    • WLANs are typically related to mobile applications
    • In these applications, battery power is a scarce resource
    • Therefore, the devices must be designed to be energy efficient

WLAN: Introduction
• Disadvantages compared to wired networks
  • Quality of service
    • Less bandwidth
    • Higher BER
    • Higher delay and jitter
    • Limited range
  • Frequency allocation
    • Operation of a wireless network requires that all users operate in a common frequency band. The frequency band must be approved in each country
    • Standardization takes time
    • Products must comply with the restrictions imposed by each country
    • Finding a global solution is a long and complex process

WLAN: IEEE 802.11 Standard
• Born in 1997; its latest revision was published in 2016 (IEEE 802.11-2016)
• The standard describes the functions and services that a device must implement to be integrated in an 802.11 network. The 802.11 standard focuses on the bottom two layers:
  • Physical layer (PHY)
  • Data link layer (DLL)
    • Particularly, the Medium Access Control sublayer (MAC)
• The network communications take place in the ISM band
  • Both the 2.4 GHz and 5 GHz bands have been designated as license free by the International Telecommunication Union (ITU), and are available as license free in most countries of the world.
  • The bands are designated as license free, but transmission power is regulated.
  • Modern technologies (802.11n, 802.11ac) use the 5 GHz ISM band, looking for more bandwidth

WLAN: IEEE 802.11 Standard
Figure: IEEE 802.11 amendments (labels recovered from the diagram)
• 802.11ah: OFDM, 900 MHz, low power, long range (Wi-Fi HaLow)
• 802.11ax: OFDMA, 1 GHz to 6 GHz, High Efficiency Wi-Fi (HEW)
• 802.11be: OFDMA, 1 GHz to 6 GHz (in development)
• 802.11e: QoS
• 802.11i: Security
• 802.11u: Discovery

WLAN: IEEE 802.11 Standard
• Services
  • Supports asynchronous data transfers, i.e., traffic that is relatively insensitive to time delays, such as electronic mail and file transfers
  • Optionally, can also support time-bounded traffic (traffic that must be delivered within a specified delay) to achieve an acceptable quality of service (QoS), such as packetized voice and video
  • Includes procedures for authentication and encryption of communications to ensure privacy
• Architecture
  • Two network architectures are defined
    • Infrastructure network
    • Point-to-point (ad hoc) network

WLAN: IEEE 802.11 Architecture

1. Infrastructure network
• AP-based technology uses access points to bridge
traffic onto a wired (typically Ethernet) or a wireless
backbone.
• AP enables a wireless client device to communicate
with any other wired or wireless device on the
network.
• Each AP manages communications within its range
• medium access control functions
• mobility management functions
• authentication functions
• This way wireless devices can be equipped with minimal
functionality

WLAN: IEEE 802.11 Architecture

1. Infrastructure network
• Station (STA)
  • Device with an access mechanism to the wireless medium and, through this radio connection, to the AP
• Access Point (AP)
  • Station integrated in both the radio and the wired network (distribution system)
• Basic Service Set (BSS)
  • Group of stations, including the AP, within an AP's transmission range
• Portal
  • Gateway to another fixed network
• Distribution system
  • Connection of different AP areas into one logical network (ESS: Extended Service Set)

WLAN: IEEE 802.11 Architecture

1. Infrastructure network
• AP range: from 20 to 500 meters.
• An AP can support between 15 and 250 users, depending on technology, configuration, and use.
• Like cells in a cellular network, multiple APs can support handoff from one AP
to another as the user moves from area to area. This can allow the wired LAN
to be extended to cover a much larger area than the existing coverage by the
use of multiple APs.
• A wireless AP can monitor movement of a client across its domain and permit
or deny specific traffic or clients from communicating through it.
• AP-based topology is more commonly used and demonstrates that the WLAN
does not replace the wired LAN, it extends connectivity to mobile devices.

WLAN: IEEE 802.11 Architecture

2. Point-to-point (ad hoc) network
• A WLAN can be used as a stand-alone network anywhere to link multiple computers together without having to build or extend wired networks.
• Many times such connectivity (the network itself) is ephemeral and/or spontaneous.
• In a point-to-point topology, client devices within a cell communicate directly with each other.
  • There is no AP
  • Nodes must be in the same transmission range
  • To reach further, forwarding of data is required
• Multihop wireless networks:
  • Mobile ad hoc network (MANET) [IETF RFC 2501] proposes a flat architecture where every wireless node has routing capabilities, extending the range of its transmissions beyond its own radio coverage. Routing takes place at the network layer.
  • Mesh Wireless Network (IEEE 802.11s) introduces a hierarchy in the wireless network architecture with the implementation of dedicated mesh nodes (a stationary backbone of wireless brouters) operating as bridges in a switched LAN (a single broadcast domain), but also routing at the link/MAC layer.
  • Nodes are more complex, since they need to incorporate management, forwarding and routing functions

WLAN: Wi-Fi Alliance
• Product certification for IEEE 802.11 {a, b, g, n, ac, ax}
  • Interoperability
  • Security
• More than 500 members
• Certification laboratory in Spain: DEKRA (Málaga)

WLAN: Wi-Fi Alliance
• Certification programs
  • Wi-Fi products based on IEEE radio standards: 802.11a, 802.11b, 802.11g, 802.11n, 802.11ac, …
  • Wi-Fi WPA/WPA2/WPA3
  • Wi-Fi WMM (QoS)
  • Wi-Fi Protected Setup
  • Wi-Fi Direct
  • Wi-Fi Miracast (Display)
  • Wi-Fi Passpoint
  • Wi-Fi Aware
  • Wi-Fi Location
  • Wi-Fi EasyMesh
  • …
WLAN Security
• WLAN security threats
  • Interference in the wireless medium
    • DoS attacks leveraging the use of free space as the communication medium
  • Eavesdropping on communications
  • Limiting access to the network is difficult
    • Use of unauthorized resources
    • Wardriving/warchalking
  • Deception attacks
    • Credential theft by impersonating an access point
  • Open networks without any security
    • Traffic is monitored and any interesting information is stolen

Attack techniques in WLANs: A generic overview
• Attacking with management frames: If management frames (beacon, probe, association/disassociation, authentication/deauthentication, etc.) are neither encrypted nor integrity protected, anyone can forge them, and this can easily be used to implement MitM or DoS attacks.
• Replay attack: Capturing a frame and resending it, as is or in part. It can be used, for instance, to get unauthorized access to the network.
• MAC spoofing: Reconfiguring an attacker's MAC address to pose as an authorized AP or STA.
• Denial of Service: Trying to prevent authorized users from accessing network resources (e.g., flooding the network with packets, or sending disassociation frames spoofing the AP's MAC address).
• Offline cracking of encryption keys or passwords using brute force (trying all possible combinations) or dictionary attacks (trying a reduced set of ASCII character strings).
• Man in the Middle attack: aims to introduce an evil station between two others, intercepting the traffic between them without interrupting the communication, acting as a relay.

WLAN Security
• Official countermeasures
  • Wired Equivalent Privacy (WEP)
    • The solution the standard was born with
    • WEP2, WEP Plus, dynamic WEP
    • Actually, one of the worst security solutions ever designed
  • Wi-Fi Protected Access (WPA)
    • Interim solution (defined by the Wi-Fi Alliance) to patch the disaster until the IEEE 802.11i working group closed its standard
  • IEEE 802.11i and WPA2
    • The current standard and its implementation guidelines according to the Wi-Fi Alliance (WPA2)
  • WPA3
    • Officially delivered on 26/06/2018

WLAN Security
• Specific countermeasures
  • Access control
    • Disabling SSID broadcast
    • Filtering MAC addresses
    • Authentication using a common secret
      • Shared Key (WEP)
      • PSK: Pre-Shared Key (WPA/2-Personal)
      • SAE: Simultaneous Authentication of Equals (WPA3-Personal)
    • 802.1X (dot1x) authentication using an AAA server (WPA/2/3-Enterprise)
    • Authentication using captive portals
    • Disable WPS PIN mode in your AP
  • Data communications confidentiality and integrity
    • RC4 and CRC (WEP)
    • Temporal Key Integrity Protocol (TKIP) and "Michael" MIC (WPA)
    • AES-CCMP: AES-CTR (Advanced Encryption Standard in Counter mode) with AES-CBC-MAC (AES in Cipher-Block-Chaining mode as Message Authentication Code) Protocol (IEEE 802.11i and WPA2/3)

Captive portals
• The objective is to place an authentication website between the access point and the rest of the resources.
• Operation:
  1. After associating with the AP (usually an open network) and obtaining its network configuration, the client device cannot access any other resource, because the AP performs some kind of dynamic MAC/IP filtering
  2. When the user tries to access any resource (usually by starting to surf the web), the request is automatically redirected to an authentication website in the client browser.
    • HTTP redirect, IP redirect (ICMP), DNS redirect/DNS poisoning
  3. Then the user must provide a login / password.
  4. If the authentication is successful, the rest of the resources become available.
    • Normally, the user must keep the browser window open to guarantee that the authenticated session stays active.

Captive portals
• Commonly used by ISPs to provide access to the Internet through access points known as hotspots.
• Drawbacks
  • Usually, the rest of the communication is not encrypted.
  • IP/MAC spoofing using the addresses of an already authenticated device.
  • Masquerading several devices behind one with forwarding capability.
  • If the AP only redirects initial HTTP requests to the authentication website and does not filter other ports (TCP 3128, TCP 22, UDP 53), the authentication could be bypassed using an external server on which the user has configured an HTTP proxy (for web surfing) or the other end of an SSH or iodine tunnel.

Robust Security Network Association
• The IEEE 802.11i standard (July 2004) introduced the concept of Robust Security Network Association (RSNA):
  • The type of association used by a pair of stations if the procedure to establish authentication or association between them includes the 4-way handshake or the Fast Transition protocol.
• Pre-RSNA (WEP):
  • Station authentication:
    • Open System: There is no authentication at all, only MAC filtering, if it has been activated
    • Shared Key: Challenge-based authentication:
      • The AP sends a clear text message (challenge) that is encrypted by the STA using the shared WEP key. After receiving the encrypted challenge, the AP encrypts the original one and compares.
      • There is really no authentication of the device, only proof that the WEP key is known.
  • Encryption
    • RC4 stream cipher
    • C = K(P | ICV), where ICV/MIC = CRC32(P)

Robust Security Network Association
• RSNA:
  • Authentication:
    • PSK (Pre-Shared Key): 4-way handshake protocol (only proves PSK knowledge). Also known as WPA/2-Personal.
    • 802.1X using EAP and an Authentication Server, providing mutual authentication (between supplicant and AAA server). Also known as WPA/2/3-Enterprise.
  • Integrity and encryption mechanisms:
    • Mandatory: CCMP/AES encryption and MIC
      • AES requires special hardware absent in legacy NICs (pre-RSNA)
    • Optional: TKIP encryption and "Michael" MIC: only recommended for patching pre-RSNA equipment
  • Procedures for the establishment and management of dynamic temporal keys:
    • The 4-way handshake protocol also provides:
      • New temporal integrity and encryption keys every time the station attaches to the network. Moreover, temporal keys must be renewed every so often.
      • Different integrity/encryption temporal keys for every station, providing some internal confidentiality/protection against devices attached to the same WLAN.
      • The AP manages one temporal encryption key and one temporal integrity key, per station, for unicast traffic; and a Group Temporal Key (GTK) for multicast/broadcast transmissions. If Robust Management Frames functionality is activated, an Integrity Group Temporal Key (IGTK) for broadcasting some management frames is also defined.
    • All the keys are derived from the Pairwise Master Key (PMK), 256 bits
      • With PSK authentication, PMK = PSK = PBKDF2(PassPhrase, SSID, 4096, 256), and it is the same for all stations (clients).
    • If 802.1X authentication is activated, the 4-way handshake phase is also executed, immediately after the dialogue between the supplicant and the authentication server.
      • In this case the PMK_STA is different for every station, and is generated in the AAA server, which must distribute it securely to the authenticator (AP) and to the corresponding supplicant (STA)

WPA/2-Personal

4-Way Handshake (message sequence recovered from the diagram; the supplicant STA and the authenticator AP both start with the PMK)
• AP: generate random N_AP
• 1. EAPoL-Key(Reply Required, Unicast, N_AP, PMKID?)
• STA: generate random N_STA; calculate PTK = PRF-X(PMK, "…", AddrAP | AddrSTA | N_AP | N_STA)
• 2. EAPoL-Key(Unicast, N_STA, MIC, RSN IE)
• AP: calculate PTK; generate GTK, if needed
• 3. EAPoL-Key(Reply Required, Install PTK, Unicast, Encrypted GTK, RSN IE, MIC)
• STA: install PTK and GTK
• 4. EAPoL-Key(Unicast, MIC)
• AP: install PTK
Key hierarchy
• Pairwise Master Key (PMK): The key derived from an EAP method or obtained directly from a pre-shared key (PSK).
• Pairwise Transient Key (PTK): A concatenation of session keys derived from the PMK. Its components are a Key Confirmation Key (KCK), a Key Encryption Key (KEK), and a Temporal Key (TK), which is used to protect information exchanged over the link.

Figure (key sizes recovered from the diagram): PMK (256 bits) -> PTK (384 bits) = KCK (128 bits) | KEK (128 bits) | TK (128 bits)

• TK: in AES-CCMP, just one key, for both integrity protection and encryption
• KEK and KCK are used for GTK distribution during the 4-way handshake and the Group Key handshake
WPA/2/3-Enterprise

802.1X/EAP/RADIUS architecture (labels recovered from the diagram)
• Client STA: 802.1X supplicant with EAP module
• AP: 802.1X authenticator and RADIUS client
• AAA server: RADIUS server with EAP module
• STA to AP: EAPoL (EAP over LAN); AP to AAA server: EAP over RADIUS

Operation 802.1X/EAP/RADIUS (labels recovered from the diagram)
• The AS generates a random MSK_STA, which is transmitted securely to the STA, inside the TLS tunnel, and to the AP in the last RADIUS packet (with RADIUS security)
• The STA derives PMK_STA using MSK_STA
• The AP derives PMK_STA using MSK_STA
Authentication through TLS tunnel
• Most likely, user credentials (username/password) are vulnerable to dictionary attacks.
• Transmitting this information inside a TLS tunnel will prevent the attacker from even accessing said credentials

Figure (labels recovered from the diagram): TLS tunnel between the 802.1X client and the EAP RADIUS server; server authentication establishes the tunnel, and user authentication is protected by the tunnel

• The TLS tunnel is established using the server certificate, authenticating that end of the connection first. Afterwards, the encrypted tunnel is used to send the client's credentials (certificate, username/password, OTP, etc.) securely.
• In WPA/2/3-Enterprise the authentication server generates a random MSK_STA (Master Session Key) and sends it to the supplicant/STA securely, inside the tunnel. This MSK_STA determines the PMK_STA that the station will use exclusively in its 4-way handshake

TLS based EAP authentication mechanisms
• EAP-TLS (EAP Transport Layer Security) [RFC 5216]
  • Mutual authentication during the initial handshake that establishes the TLS tunnel: X.509 certificates are required on both sides (AAA server and supplicant)
• EAP-TTLS (EAP Tunneled Transport Layer Security) [RFC 5281]
  • Mutual authentication: only the AAA server needs an X.509 certificate. Usually, the authentication of the client side is carried out using shared passwords (PAP, CHAP, MS-CHAPv2, EAP-MD5). As they travel protected inside the tunnel there is no problem with the weakness of user credentials, which could even be tunneled in clear text.
• PEAP (Protected EAP)
  • Conceptually, the same as EAP-TTLS
  • The supplicant authentication mechanism uses EAP to transport the client's credentials (usually EAP-MS-CHAPv2 in PEAPv0, or EAP-GTC in PEAPv1)
  • One of the most used. Considered by the IETF for standardization [RFC ???]

Robust Management Frames
• Introduced by the IEEE 802.11w amendment in 2009.
• Before PTK establishment, the management frames needed to begin network association can be neither encrypted nor integrity protected, so an attacker can easily forge them.
  • Beacon, Probe request/reply (active scanning), Authentication request/reply, Association request/reply.
• Especially important are deauthentication and disassociation frames, as they could be forged either to implement a DoS attack, or to force the victim to do a new 4-way handshake (to collect data and attempt an offline passphrase recovery; to try a key reinstallation attack; etc.).
• With this functionality, disassociation and deauthentication frames are encrypted and integrity protected with the individual temporal key (TK) that every STA negotiated with the AP when attaching to the Wi-Fi (or in its last renewal). So they cannot be easily forged!
• A new Integrity Group Temporal Key (IGTK) is also established during the 4-way handshake to integrity protect some AP broadcast/multicast transmissions.

WPA3
• PMF (Protected Management Frames) is mandatory.
• Simultaneous Authentication of Equals (SAE) instead of PSK for WPA3-Personal
  • SAE authentication instead of Open authentication in the first phase of STA attachment
  • Different (temporal) PMK_STA for every association between AP and STA, established with privacy (within an ephemeral Diffie-Hellman handshake).
  • Offline dictionary attack resistance (authentication is a "zero-knowledge proof")
    • The initial password is not used for key derivation
  • Key recovery resistance
    • If the password is discovered there is no possibility to get the session keys, providing forward secrecy.
  • Natural password use
  • WPA3-SAE Transition Mode

SAE
Figure: IEEE 802.11s Simultaneous Authentication of Equals exchange (diagram not recoverable from the extraction)

WPA3
• Opportunistic Wireless Encryption (OWE)
  • Open networks (not authenticated) but with encryption
• 256-bit Galois/Counter Mode Protocol (AES-GCMP-256) for authenticated encryption in WPA-Enterprise
  • Key strength equivalent to 192 bits
  • AES blocks can be calculated in parallel; and just one AES box per data chunk
  • EAP cipher suites to establish the TLS tunnel restricted to:
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (mandatory).
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (optional).
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (optional).
• Wi-Fi Device Provisioning Protocol (DPP)
  • Replacement of WPS
  • Simplified, secure configuration and onboarding for devices with limited or no display interface

4-way handshake vulnerabilities
• Messages in the 4-way handshake are transmitted fully or partially in cleartext. The first one is not even integrity protected at all.
  • An attacker can obtain N_AP, N_STA, AddrAP and AddrSTA just by eavesdropping
  • If the attacker is an insider and knows the PMK (PSK authentication), it can derive the PTK negotiated between the AP and the victim, and so it can decrypt any message the victim transmits or receives. It can even spoof their MAC addresses and forge arbitrary frames with the victim STA as source/destination.
  • If the attacker has no access to the closed network (does not know the PSK/PMK) it can try an offline dictionary attack (the PSK comes from a passphrase) or even use rainbow tables. Countermeasures:
    • With PSK authentication, use a large enough sequence of random hexadecimal digits as passphrase; and
    • do not use a default SSID; choose your own to prevent precomputed rainbow tables from being used against your Wi-Fi network.
  • With WPA3-Personal and WPA/2/3-Enterprise the PMK_STA is configured securely (either by the implicit DH exchange at the very first stage of WPA3, or by the AAA server in Enterprise versions). It does not come from human interaction, so brute force is an unpromising approach.
    • Instead, in Enterprise versions, a MitM attack impersonating both AP and AAA server can lead to the theft of client credentials if the supplicant is not correctly configured.
      • Evil twin attacks against WPA/2/3-Enterprise
• If the attacker did not arrive in time, it can try to forge deauthentication frames (without Robust Management Frames, IEEE 802.11w, management frames are neither encrypted nor protected even if the Wi-Fi is closed) to force the STA to repeat the association and complete a new 4-way handshake.
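The Personal-mode key derivation described in the key-hierarchy and 4-way-handshake slides, carried out in code as an added example (not code from the course): it shows why an insider who shares the PSK recomputes a victim's PTK from the eavesdropped nonces and addresses, and why the SSID acts only as a salt. The slide's PRF-X(PMK, "…", AddrAP | AddrSTA | N_AP | N_STA) abbreviates the IEEE 802.11i input, which is the label "Pairwise key expansion" with the two addresses and the two nonces each in sorted order; the passphrase, SSID, second-station MAC and nonces are constructed values.

```python
"""WPA/WPA2-Personal key hierarchy: PMK from the passphrase, PTK from the
4-way handshake, and the KCK | KEK | TK split (added example, not from the slides).

PMK = PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
PTK = PRF-384(PMK, "Pairwise key expansion",
              min(AA,SPA) | max(AA,SPA) | min(ANonce,SNonce) | max(ANonce,SNonce))
"""
import hashlib
import hmac
import os

PTK_BITS_CCMP = 384  # KCK (128) | KEK (128) | TK (128) for AES-CCMP


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PSK. The SSID is the PBKDF2 salt: with a default SSID one
    precomputed table (rainbow table) serves every network using that name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, bits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label | 0x00 | data | i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) * 8 < bits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: bits // 8]


def derive_ptk(pmk: bytes, addr_a: bytes, addr_b: bytes, nonce_a: bytes, nonce_b: bytes,
               bits: int = PTK_BITS_CCMP) -> bytes:
    """PTK from the PMK plus the values anyone can read from handshake messages 1 and 2.
    Inputs are sorted, so the AP/STA argument order does not matter."""
    data = (min(addr_a, addr_b) + max(addr_a, addr_b)
            + min(nonce_a, nonce_b) + max(nonce_a, nonce_b))
    return prf(pmk, b"Pairwise key expansion", data, bits)


def split_ptk(ptk: bytes) -> dict:
    """CCMP split: KCK (MIC on EAPoL-Key frames), KEK (wraps the GTK in message 3), TK (data)."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def known_vector_ok() -> bool:
    """Published IEEE 802.11i PSK test vector: passphrase "password", SSID "IEEE"."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_pmk("password", "IEEE").hex() == expected


def demo() -> dict:
    """Two stations on one PSK network, and an insider recomputing the victim's PTK."""
    pmk = derive_pmk("correct horse battery staple", "netlab-demo")  # constructed network
    addr_ap = bytes.fromhex("c8e0eb4b6481")      # AP MAC from the ARP example slide
    addr_victim = bytes.fromhex("32001066c000")  # STA MAC from the same slide
    addr_other = bytes.fromhex("001122334455")   # constructed second station
    n_ap1, n_ap2 = os.urandom(32), os.urandom(32)  # fresh AP nonce per handshake
    n_victim, n_other = os.urandom(32), os.urandom(32)
    ptk_victim = derive_ptk(pmk, addr_ap, addr_victim, n_ap1, n_victim)
    ptk_other = derive_ptk(pmk, addr_ap, addr_other, n_ap2, n_other)
    # The insider holds the same PMK (same passphrase, same SSID) and reads the MACs
    # and nonces from messages 1 and 2, so it derives exactly the victim's PTK and TK.
    insider_view = derive_ptk(pmk, addr_ap, addr_victim, n_ap1, n_victim)
    return {
        "ptk_victim": ptk_victim,
        "ptk_other_sta": ptk_other,           # differs: per-station nonces
        "insider_recomputed": insider_view,   # equals ptk_victim
        "keys_victim": split_ptk(ptk_victim),
    }


if __name__ == "__main__":
    print("test vector ok:", known_vector_ok())
    r = demo()
    print("insider derived the victim's PTK:", r["insider_recomputed"] == r["ptk_victim"])
    for name, k in r["keys_victim"].items():
        print(name, k.hex())
```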

Wireless Protected Setup
• WPS addresses the user experience of automated Wi-Fi setup (also called Wi-Fi Simple Configuration)
• Three logical entities: AP, Registrar, Enrollee
  • Registrar: an entity with the authority to issue and revoke domain credentials; it can be implemented either in the AP ("internal Registrar") or in an external device, e.g., a laptop ("external Registrar").
  • Enrollee: a device seeking to join a WLAN domain.
  • AP and client device may change roles (i.e., AP acting as an Enrollee and client device as a Registrar):
    • When WPS is used to configure the AP.
    • When an Enrollee pretends to be an external Registrar and pulls WLAN credentials from the AP for its own setup.
  • In the most usual configuration the AP acts as an Enrollee, and uses a static, internally configured PIN that must be entered into the client device (acting as the Registrar).
  • The apparently most natural configuration (i.e., AP as the Registrar) is designed for headless devices.
    • The device has a static, internally coded PIN (printed on an outer label/sticker) that must be entered into the access point, using the AP web interface.
  • In some scenarios the AP is just an authenticator (proxy) allowing the communication between the Enrollee and an external Registrar.

Wireless Protected Setup (vulnerability)
• Several methods to configure a network:
  • PIN (8-digit Personal Identification Number): Device password obtained from the Enrollee that must be entered into the Registrar (either manually, using a keypad, or using an out-of-band channel) to mutually authenticate both ends prior to transmitting the Wi-Fi configuration data.
    • In the ideal case it should be a random number used just once, but the implementation of various WPS scenarios does not allow it.
    • Diffie-Hellman exchange with a handshake protocol to authenticate both ends (Enrollee and Registrar) using EAP-WSC, to finally transmit securely the configuration parameters of the WLAN (SSID, PSK, encryption mode, …).
    • But online and offline brute force attacks have demonstrated the weakness of PIN mode.
      • The PIN is really a 7-digit number. Online brute force would require, in the worst case, 10 million attempts to find it, but a disastrous design makes it possible in fewer than 11000
    • Do not use WPS with PIN. Deactivate this option in your AP.
  • PBC (Push-Button Configuration)
  • NFC
  • QR code

Man in the Middle in WLANs
• The MitM always tries to go unnoticed.
• MitM can be used for eavesdropping, to collect credentials, to manipulate frames, to try to break a TLS connection (TLS stripping, …), etc.
• Depending on the situation of the intruder (whether or not it is attached to the targeted Wi-Fi), its knowledge of access credentials, or even its objectives (e.g., guessing/cracking the unknown PSK), there are different strategies and techniques:
  • If the attacker is connected to the same Wi-Fi where the victim is browsing, impersonating certain network services could do the job (ARP / DHCP / DNS / mDNS spoofing)
  • If an attacker without access credentials is connected over Ethernet to the distribution system behind the AP, the techniques just mentioned may also work even if the Wi-Fi network is closed (encryption on), as the AP decrypts all the traffic for the attacker
  • Other common techniques aim to supplant the original AP, proposing the attacker itself as a new one:
    • offering a new open wireless network, with better signal quality, that could capture unsuspecting individuals (Rogue AP);
    • or trying to knock out the original AP (e.g., with a parallel targeted DoS attack or by interfering with the channel where the Wi-Fi is located) to impersonate it (broadcasting beacon frames with the same SSID and spoofing the true AP MAC address) on a different channel (Evil Twin).
• Countermeasures:
  • If the attacker is an insider … difficult to detect!
    • Are you experiencing any extra delay in the communications?
    • IDS/IPS (hosted at stations or in a wireless appliance)
  • Do not use open networks, nor networks without serious encryption (nothing weaker than AES-CCMP)
  • Configure your wireless device not to attach to wireless networks automatically
  • If possible, use robust mutual authentication (WPA-Enterprise)
  • Use an "over the top" secondary authentication and encryption technology (VPN) where possible

MitM example
ARP spoofing / ARP cache poisoning (scenario recovered from the diagram)
• Station (STA): IP 192.168.1.23, MAC 32:00:10:66:c0:00, GW 192.168.1.1
• AP: IP 192.168.1.1, MAC c8:e0:eb:4b:64:81
• MitM attacker: IP 192.168.1.10, MAC 68:5b:35:94:0c:7a
• Fake ARP replies sent by the attacker:
  • to the station: "I am 192.168.1.1 and my HW addr is 68:5b:35:94:0c:7a"
  • to the AP: "I am 192.168.1.23 and my HW addr is 68:5b:35:94:0c:7a"
• Resulting ARP caches:
  • Station: 192.168.1.1 -> 68:5b:35:94:0c:7a (instead of c8:e0:eb:4b:64:81)
  • AP: 192.168.1.23 -> 68:5b:35:94:0c:7a (instead of 32:00:10:66:c0:00)

DHCP spoofing: the attacker would forge a DHCP reply packet configuring in the STA a fake GW (the IP of the MitM itself) or a fake DNS server
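The IDS/IPS countermeasure listed on the previous slide, applied to this ARP/DHCP spoofing scenario, as an added example (not code from the course): an ARP cache poisoning monitor that compares every ARP reply seen on the link with a trusted IP-to-MAC table, flags a MAC that claims more than one IP, and flags DHCP offers from an unauthorized server. The addresses are the ones in the figure; the trusted table, the DHCP allow-list and the observed events are constructed for the example.

```python
"""ARP cache poisoning / rogue DHCP monitor for the scenario in the figure
(added example, not code from the course slides)."""
from collections import defaultdict

# Trusted IP -> MAC bindings (constructed: a static ARP table or DHCP lease database).
KNOWN_BINDINGS = {
    "192.168.1.1": "c8:e0:eb:4b:64:81",   # AP / gateway
    "192.168.1.23": "32:00:10:66:c0:00",  # station
    "192.168.1.10": "68:5b:35:94:0c:7a",  # attacker's own lease (looks legitimate)
}
# Only the AP is allowed to answer DHCP on this network (constructed policy).
AUTHORIZED_DHCP_SERVERS = {"c8:e0:eb:4b:64:81"}

# Constructed observations in arrival order: (kind, sender_ip, sender_mac, detail).
# Events 2 and 3 are the two fake replies from the figure; event 4 is the DHCP
# spoofing variant described below it (the attacker offers itself as the gateway).
OBSERVED = [
    ("arp-reply", "192.168.1.1", "c8:e0:eb:4b:64:81", "to 192.168.1.23"),
    ("arp-reply", "192.168.1.1", "68:5b:35:94:0c:7a", "to 192.168.1.23"),
    ("arp-reply", "192.168.1.23", "68:5b:35:94:0c:7a", "to 192.168.1.1"),
    ("dhcp-offer", "192.168.1.10", "68:5b:35:94:0c:7a", "router=192.168.1.10"),
]


def check_arp_reply(sender_ip, sender_mac, claims):
    """Return alerts for one ARP reply; `claims` accumulates the IPs each MAC has claimed."""
    alerts = []
    mac = sender_mac.lower()
    expected = KNOWN_BINDINGS.get(sender_ip)
    # A known IP answered with a different MAC: the classic poisoning signature.
    if expected is not None and expected.lower() != mac:
        alerts.append(f"ARP binding change: {sender_ip} is {expected}, now claimed by {mac}")
    # One hardware address speaking for several IPs (here: the gateway and a station).
    claims[mac].add(sender_ip)
    if len(claims[mac]) > 1:
        alerts.append(f"One MAC claims several IPs: {mac} -> {sorted(claims[mac])}")
    return alerts


def check_dhcp_offer(server_mac, options):
    """A DHCP offer from a MAC outside the allow-list is a rogue DHCP server."""
    if server_mac.lower() not in AUTHORIZED_DHCP_SERVERS:
        return [f"Rogue DHCP server {server_mac} offering {options}"]
    return []


def analyze(events):
    """Run the checks over a sequence of observed events and return all alerts."""
    claims = defaultdict(set)
    alerts = []
    for kind, ip, mac, detail in events:
        if kind == "arp-reply":
            alerts.extend(check_arp_reply(ip, mac, claims))
        elif kind == "dhcp-offer":
            alerts.extend(check_dhcp_offer(mac, detail))
    return alerts


if __name__ == "__main__":
    for alert in analyze(OBSERVED):
        print(alert)
```

Against the four constructed events the monitor raises four alerts: two binding changes, one multi-IP claim and one rogue DHCP offer; the genuine reply from the AP raises none.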
Attack techniques in WLANs: A Taxonomy

Access control attacks (attack: description. Tools)
• War Driving: Discovering wireless LANs by listening to beacons or sending probe requests, thereby providing a launch point for further attacks. Tools: Airmon-ng, DStumbler, KisMAC, MacStumbler, NetStumbler, Wellenreiter, WiFiFoFum
• Rogue Access Points: Installing an unsecured AP inside the firewall, creating an open backdoor into the trusted network. Tools: Any hardware or software AP
• Ad Hoc Associations: Connecting directly to an unsecured station to circumvent AP security or to attack the station. Tools: Any wireless card or USB adapter
• MAC Spoofing: Reconfiguring an attacker's MAC address to pose as an authorized AP or station. Tools: MacChanger, SirMACsAlot, SMAC, Wellenreiter, wicontrol
• 802.1X RADIUS Cracking: Recovering the RADIUS secret by brute force from an 802.1X access request, for use by an evil twin AP. Tools: Packet capture tool on the LAN or network path between AP and RADIUS server

Attack techniques in WLANs: A Taxonomy

Confidentiality attacks (attack: description. Tools)
• Eavesdropping: Capturing and decoding unprotected application traffic to obtain potentially sensitive information. Tools: bsd-airtools, Ettercap, Kismet, Wireshark, commercial analyzers
• WEP Key Cracking: Capturing data to recover a WEP key using passive or active methods. Tools: Aircrack-ng, airoway, AirSnort, chopchop, dwepcrack, WepAttack, WepDecrypt, WepLab, wesside
• Evil Twin AP: Masquerading as an authorized AP by beaconing the WLAN's service set identifier (SSID) to lure users. Tools: cqureAP, D-Link G200, HermesAP, Rogue Squadron, WifiBSD
• AP Phishing: Running a phony portal or Web server on an evil twin AP to "phish" for user logins, credit card numbers. Tools: Airpwn, Airsnarf, Hotspotter, Karma, RGlueAP
• Man in the Middle: Running traditional man-in-the-middle attack tools to intercept TCP sessions or SSL/SSH tunnels. Tools: dsniff, Ettercap-NG, sshmitm

Attack techniques in WLANs: A Taxonomy

Integrity attacks (attack: description. Tools)
• 802.11 Frame Injection: Crafting and sending forged 802.11 frames. Tools: Airpwn, File2air, libradiate, void11, WEPWedgie, wnet dinject/reinject
• 802.11 Data Replay: Capturing 802.11 data frames for later (modified) replay. Tools: Capture + Injection Tools
• 802.1X EAP Replay: Capturing 802.1X Extensible Authentication Protocol messages (e.g., EAP Identity, Success, Failure) for later replay. Tools: Wireless Capture + Injection Tools between station and AP
• 802.1X RADIUS Replay: Capturing RADIUS Access-Accept or Reject messages for later replay. Tools: Ethernet Capture + Injection Tools between AP and authentication server

Attack techniques in WLANs: A Taxonomy

Authentication attacks (attack: description. Tools)
• Shared Key Guessing: Attempting 802.11 Shared Key Authentication with guessed, vendor default or cracked WEP keys. Tools: WEP Cracking Tools
• PSK Cracking: Recovering a WPA/WPA2 PSK from captured key handshake frames using a dictionary attack tool. Tools: coWPAtty, genpmk, KisMAC, wpa_crack
• Application Login Theft: Capturing user credentials (e.g., e-mail address and password) from cleartext application protocols. Tools: Ace Password Sniffer, Dsniff, PHoss, WinSniffer
• Domain Login Cracking: Recovering user credentials (e.g., Windows login and password) by cracking NetBIOS password hashes, using a brute-force or dictionary attack tool. Tools: John the Ripper, L0phtCrack, Cain
• VPN Login Cracking: Recovering user credentials (e.g., PPTP password or IPsec Preshared Secret Key) by running brute-force attacks on VPN authentication protocols. Tools: ike_scan and ike_crack (IPsec), anger and THC-pptp-bruter (PPTP)
• 802.1X Identity Theft: Capturing user identities from cleartext 802.1X Identity Response packets. Tools: Capture Tools
• 802.1X Password Guessing: Using a captured identity, repeatedly attempting 802.1X authentication to guess the user's password. Tools: Password Dictionary
• 802.1X LEAP Cracking: Recovering user credentials from captured 802.1X Lightweight EAP (LEAP) packets using a dictionary attack tool to crack the NT password hash. Tools: Anwrap, Asleap, THC-LEAPcracker
• 802.1X EAP Downgrade: Forcing an 802.1X server to offer a weaker type of authentication using forged EAP-Response/Nak packets. Tools: File2air, libradiate

Attack techniques in WLANs: A Taxonomy

Availability attacks (attack: description. Tools)
• AP Theft: Physically removing an AP from a public space. Tools: "Five finger discount"
• Queensland DoS: Exploiting the CSMA/CA Clear Channel Assessment (CCA) mechanism to make a channel appear busy. Tools: An adapter that supports CW Tx mode, with a low-level utility to invoke continuous transmit
• 802.11 Beacon Flood: Generating thousands of counterfeit 802.11 beacons to make it hard for stations to find a legitimate AP. Tools: FakeAP
• 802.11 Associate / Authenticate Flood: Sending forged Authenticates or Associates from random MACs to fill a target AP's association table. Tools: FATA-Jack, Macfld
• 802.11 TKIP MIC Exploit: Generating invalid TKIP data to exceed the target AP's MIC error threshold, suspending WLAN service. Tools: File2air, wnet dinject, LORCON
• 802.11 Deauthenticate Flood: Flooding station(s) with forged Deauthenticates or Disassociates to disconnect users from an AP. Tools: Aireplay, Airforge, MDK, void11, commercial WIPS
• 802.1X EAP-Start Flood: Flooding an AP with EAP-Start messages to consume resources or crash the target. Tools: QACafe, File2air, libradiate
• 802.1X EAP-Failure: Observing a valid 802.1X EAP exchange, and then sending the station a forged EAP-Failure message. Tools: QACafe, File2air, libradiate
• 802.1X EAP-of-Death: Sending a malformed 802.1X EAP Identity response known to cause some APs to crash. Tools: QACafe, File2air, libradiate
• 802.1X EAP Length Attacks: Sending EAP type-specific messages with bad length fields to try to crash an AP or RADIUS server. Tools: QACafe, File2air, libradiate