<img height="1" width="1" src="https://www.facebook.com/tr?id=3323484487762706&amp;ev=PageView&amp;noscript=1">
Blog Post, Sonar

Types of Basic Wireless Attacks

Jan 19, 2021
LEARN MORE ABOUT SONAR

Recent Content

When it comes to information security, it feels like there's a million and one things to learn. The most important thing to get a grasp on is what types of attacks exist - knowing what tools are at a hacker's fingertips will help you know what to defend against in the future. In this article, you will learn about the common types of attacks that affect wireless networking, and some tips on how to avoid them.

 

Common Wireless Attacks

Evil Twin

Evil Twin - Pretending to be the network somebody intended to connect to.

An Evil Twin attack is when an attacker creates an access point with the same SSID as a legitimate network with the intention of having unsuspecting users who are attempting to connect to the legitimate network instead connect to the Evil Twin. This is commonly used by attackers to pretend to be a popular coffee shop's wi-fi or other publicly available wi-fi.

This attack typically mimics open, insecure networks, or the attacker must know the legitimate password and authentication protocol for the network they're mimicking. If a user has stored the authentication protocol and credentials for the network previously, and the password does not match what they had stored, authentication protocol is different, or sometimes when a different channel is used, most modern devices will ask you to enter the password for the network. You will also typically see multiple SSIDs with the same name if a different authentication protocol is used. This should (hopefully) tip off users looking to connect to the legitimate network, but can be easily overlooked if you're not careful.

Evil Twin attacks will also often exploit the fact that your device will connect to the AP with the strongest signal for the network you're trying to connect to, boosting it's signal as high as possible to give a strong signal strength.

 

De-authentication

De-authentication - Kicking devices off the network that they're authenticated to.

A de-authentication attack, often referred to as a "deauth", is when an attacker kicks a device off the network it's authenticated to with the intention of having the device connect to a different access point or capture sensitive data related to authentication when the device reconnects.

If a device can be successfully de-authenticated from a network, and there is an Evil Twin access point present with a stronger signal strength, the de-authenticated device will often try to connect to the Evil Twin.

If a device is set to connect automatically, a de-authenticated device will usually automatically try to reconnect back to the network after being kicked off. This is beneficial to the attacker if they can capture, or "sniff", the re-authentication process between the access point and device; a process which can be automated. If the packets that make up the authentication process, or "handshake", can be captured, the hash of the password to connect to the network can sometimes be derived - all unbeknownst to the user.

If the password for the network is weak and the hashed password can be cracked, an attacker may be able to connect to the network using legitimate authentication.

 

Rogue Access Point

Rogue Access Point - Any unauthorized access point in a network.

A rogue access point is any illegitimate or unauthorized access point that provides access to a legitimate network. This is often not intended to be malicious, for example if an employee is trying to provide easy access to a guest or another device using wi-fi tethering from their cell phone. Rogue access points often do not follow company security policies and may be a glaring security hole into the network.

This can also be an access point created by an attacker that already has access to your network or your physical location. For example, an attacker enters an office under the guise of an employee or other worker, and connects an access point to an Ethernet jack to allow them to connect wirelessly.

 

Man-in-the-middle (MITM)

Man-in-the-middle (MITM) - Eavesdropping or manipulating traffic between two network devices.

A Man-in-the-middle attack is the manipulation or viewing of traffic or information sent from or received by a victim device. Targeted devices are typically a computer or phone. This is often transparent to the victim unless explicitly looked into, as the MITM will forward outbound and inbound traffic to the proper addresses.

An MITM attack could be used to view data such as passwords or credit card info entered into a legitimate website, or to read sent and received emails belonging to the victim. This attack can also be used to manipulate data such as changing a wire transfer amount or the email address the victim uses to sign up for an account. An attacker could also use this to redirect traffic, such as having a victim log in to a fake bank website made to look like the real website.

This attack is not unique to wireless network, but instead the concept affects networking in general. This attack is also typically used in tandem with other attack types; this could be an end-goal for an attacker that has gained access to a network and is looking to gather or manipulate information.

It should also be noted that using encrypted protocols such as HTTPS and/or TLS make this attack much more difficult, and can even render the attack completely useless.

 

Denial of Service

Denial of Service - Disallowing access to a network.

A denial of service attack is a means of keeping devices off of a network or doing just as the name states: denying service to devices. This is often done by repeatedly making requests or unsolicited contact with a networking device, such as a wireless router, with the intention of making the router so busy that it cannot handle requests.

This is another attack that is not unique to wireless network, but instead affects networking in general. Denial of service attacks are typically performed against a targeted web server, and come from many attacking machines simultaneously and in quick succession, making legitimate web page requests take a long time or not complete at all.

 

MAC Address Spoofing

MAC Address Spoofing - Pretending to be a device with a different MAC address.

MAC address spoofing is the act of either masking the MAC address of a device with the intention of pretending to be a different device or hiding the true identity of a device. This attack can be used to receive traffic not intended for the device, for example pretending to be a router, switch, or other device on the network.

MAC address spoofing is a common technique used in MITM attacks. The MITM will claim to have the MAC address of the victim device when packets are being received to the router, or will pretend to be the router when the victim device is sending packets out. When these packets are sent or received, the MITM attacker will view or manipulate the data and then forward it along to the device with the actual MAC address that the MITM is pretending to have.

Understanding some of the basic types of wireless attacks will help you better defend against them, increasing your overall security.

Steve Steinberg

Steve Steinberg

Steve is a Security Consultant and leads DevOps Engineering at Pulsar Security. Steve values continued education and development, having earned Network+, Security+, GIAC Security Essentials, GIAC Python Coder, GIAC Penetration Tester, GIAC Web App Penetration Tester, and Offensive Security Certified Professional (OSCP) certifications.