BackTrack 5: Attacking the Client


(For more resources on BackTrack, see here.)

Honeypot and Mis-Association attacks

Normally, when a wireless client such as a laptop is turned on, it will probe for the networks it has previously connected to. These networks are stored in a list called the Preferred Network List (PNL) on Windows-based systems. Also, along with this list, it will display any networks available in its range.

A hacker may do either of two things:

  1. Silently monitor the probe and bring up a fake access point with the same ESSID the client is searching for. This will cause the client to connect to the hacker machine, thinking it is the legitimate network.
  2. He may create fake access points with the same ESSID as neighboring ones to confuse the user to connect to him. Such attacks are very easy to conduct in coffee shops and airports where a user might be looking to connect to a Wi-Fi connection.

These attacks are called Honeypot attacks, which happen due to Mis-Association to the hacker's access point thinking it is the legitimate one.

In the next exercise, we will do both these attacks in our lab.

Time for action – orchestrating a Mis-Association attack

Follow these instructions to get started:

  1. In the previous labs, we used a client that had connected to the Wireless Lab access point. Let us switch on the client but not the actual Wireless Lab access point. Let us now run airodump-ng mon0 and check the output. You will very soon find the client to be in not associated mode and probing for Wireless Lab and other SSIDs in its stored profile (Vivek as shown):

    (Move the mouse over the image to enlarge.)

  2. To understand what is happening, let's run Wireshark and start sniffing on the mon0 interface. As expected you might see a lot of packets, which are not relevant to our analysis. Apply a Wireshark filter to only display Probe Request packets from the client MAC you are using:

  3. In my case, the filter would be wlan.fc.type_subtype == 0x04 && == 60:FB:42:D5:E4:01. You should now see Probe Request packets only from the client for the SSIDs Vivek and Wireless Lab:

  4. Let us now start a fake access point for the network Wireless Lab on the hacker machine using the command shown next:

  5. Within a minute or so, the client would connect to us automatically. This shows how easy it is to have un-associated clients.

  6. Now, we will try the second case, which is creating a fake access point Wireless Lab in the presence of the legitimate one. Let us turn our access point on to ensure that Wireless Lab is available to the client. For this experiment, we have set the access point channel to 3. Let the client connect to the access point. We can verify this from the airodump-ng screen as shown next:

  7. Now let us bring up our fake access point with the SSID Wireless Lab:

  8. Notice the client is still connected to the legitimate access point Wireless Lab:

  9. We will now send broadcast De-Authentication messages to the client on behalf of the legitimate access point to break their connection:

  10. Assuming the signal strength of our fake access point Wireless Lab is stronger than the legitimate one to the client, it connects to our fake access point, instead of the legitimate access point:

  11. We can verify the same by looking at the airodump-ng output to see the new association of the client with our fake access point:

What just happened?

We just created a Honeypot using the probed list from the client and also using the same ESSID as that of neighboring access points. In the first case, the client automatically connected to us as it was searching for the network. In the latter case, as we were closer to the client than the real access point, our signal strength was higher, and the client connected to us.

Have a go hero – forcing a client to connect to the Honeypot

In the preceding exercise, what do we do if the client does not automatically connect to us? We would have to send a De-Authentication packet to break the legitimate client-access point connection and then if our signal strength is higher, the client will connect to our spoofed access point. Try this out by connecting a client to a legitimate access point, and then forcing it to connect to our Honeypot.

Caffe Latte attack

In the Honeypot attack, we noticed that clients will continuously probe for SSIDs they have connected to previously. If the client had connected to an access point using WEP, operating systems such as Windows, cache and store the WEP key. The next time the client connects to the same access point, the Windows wireless configuration manager automatically uses the stored key.

The Caffe Latte attack was invented by me, the author of this book and was demonstrated in Toorcon 9, San Diego, USA. The Caffe Latte attack is a WEP attack which allows a hacker to retrieve the WEP key of the authorized network, using just the client. The attack does not require the client to be anywhere close to the authorized WEP network. It can crack the WEP key using just the isolated client.

In the next exercise, we will retreive the WEP key of a network from a client using the Caffe Latte attack.

Time for action – conducting the Caffe Latte attack

Follow these instructions to get started:

  1. Let us first set up our legitimate access point with WEP for the network Wireless Lab with the key ABCDEFABCDEFABCDEF12 in Hex:

  2. Let us connect our client to it and ensure that the connection is successful using airodump-ng as shown next:

  3. Let us unplug the access point and ensure the client is in the un-associated stage and searching for the WEP network Wireless Lab:

  4. Now we use airbase-ng to bring up an access point with Wireless Lab as the SSID with the parameters shown next:

  5. As soon as the client connects to this access point, airbase-ng starts the Caffe- Latte attack as shown:

  6. We now start airodump-ng to collect the data packets from this access point only, as we did before in the WEP-cracking case:

  7. We also start aircrack-ng as in the WEP-cracking exercise we did before to begin the cracking process. The command line would be aircrack-ng filename where filename is the name of the file created by airodump-ng:

  8. Once we have enough WEP encrypted packets, aircrack-ng succeeds in cracking the key as shown next:

What just happened?

We were successful in retrieving the WEP key from just the wireless client without requiring an actual access point to be used or present in the vicinity. This is the power of the Caffe Latte attack.

The attack works by bit flipping and replaying ARP packets sent by the wireless client post association with the fake access point created by us. These bit flipped ARP Request packets cause more ARP response packets to be sent by the wireless client. Note that all these packets are encrypted using the WEP key stored on the client. Once we are able to gather a large number of these data packets, aircrack-ng is able to recover the WEP key easily.

Have a go hero – practice makes you perfect!

Try changing the WEP key and repeat the attack. This is a difficult attack and requires some practice to orchestrate successfully. It would also be a good idea to use Wireshark and examine the traffic on the wireless network.


(For more resources on BackTrack, see here.)

De-Authentication and Dis-Association attacks

In the next lab, we will send De-Authentication packets to just the client and break an established connection between the access point and the client.

Time for action – De-Authenticating the client

Follow the instructions to get started:

  1. Let us first bring our access point Wireless Lab online again. Let us keep it running on WEP to prove that even with encryption enabled it is possible to attack the access point and client connection. Let us verify that the access point is up by using airodump-ng:

  2. Let us connect our client to this access point as we verify it with airodump-ng:

  3. We will now run aireplay-ng to target the client and access point connection:

  4. The client gets disconnected and tries to reconnect to the access point, we can verify this by using Wireshark just as before:

  5. We have now seen that even in the presence of WEP encryption, it is possible to De-Authenticate a client and disconnect it. The same is valid even in the presence of WPA/WPA2. Let us now set our access point to WPA encryption and verify the same.

  6. Let's connect our client to the access point and ensure it is connected:

  7. Let us now run aireplay-ng to disconnect the client from the access point:

  8. Using Wireshark we can once again verify that this works as well:

What just happened?

We just learnt how to disconnect a wireless client selectively from an access point using De- Authentication frames even in the presence of encryption schemas like WEP/WPA/WPA2. This was done by sending a De-Authentication packet to just the access point - client pair, instead of sending a broadcast De-Authentication to the entire network.

Have a go hero – Dis-Association attack on the client

In the preceding exercise, we used a De-Authentication attack to break the connection. Try using a Dis-Association packet to break the established connection between a client and an access point.

Hirte attack

More information on the Hirte attack is available on the AIRCRACK-NG website: http:// .

We will now use aircrack-ng to conduct the Hirte attack on the same client.

Time for action – cracking WEP with the Hirte attack

  1. Create a WEP access point exactly as in the Caffe Latte attack using the airbase-ng tool. The only additional option is the -N option instead of the -L option to launch the Hirte attack:

  2. Start airodump-ng in a separate window to capture packets for the Wireless Lab Honeypot:

  3. Airodump-ng will now start monitoring this network and storing the packets in Hirte-01.cap file.

  4. Once the roaming client connects to out Honeypot AP, the Hirte attack is automatically launched by airbase-ng:

  5. We start aircrack-ng as in the case of the Caffe Latte attack and eventually the key would be cracked as shown next:

What just happened?

We launched the Hirte attack against a WEP client which was isolated and away from the authorized network. We cracked the key exactly as in the Caffe Latte attack case.

Have a go hero – practice, practice, practice

We would recommend setting different WEP keys on the client and trying this exercise a couple of times to gain confidence. You may notice many times that you have to reconnect the client to get it to work.

AP-less WPA-Personal cracking

The million dollar questions is—would it be possible to crack WPA-Personal with just the client? No access point!

Let's revisit the WPA cracking exercise to jog our memory.

To crack WPA, we need the following four parameters from the Four-Way Handshake— Authenticator Nounce, Supplicant Nounce, Authenticator MAC, Supplicant MAC. Now the interesting thing is that we do not need all of the four packets in the handshake to extract this information. We can get this information with either all four packets, or packet 1 and 2, or just packet 2 and 3.

In order to crack WPA-PSK, we will bring up a WPA-PSK Honeypot and when the client connects to us, only Message 1 and Message 2 will come through. As we do not know the passphrase, we cannot send Message 3. However, Message 1 and Message 2 contain all the information required to begin the key cracking process.

  1. We will setup a WPA-PSK Honeypot with the ESSID Wireless Lab. The -z 2 option creates a WPA-PSK access point which uses TKIP:

  2. Let's also start airodump-ng to capture packets from this network:

  3. Now when our roaming client connects to this access point, it starts the handshake but fails to complete it after Message 2 as discussed previously:

  4. But airodump-ng reports that the handshake has been captured:

  5. We run the airodump-ng capture file through aircrack-ng with the same dictionary file as before, eventually the passphrase is cracked as shown next:

What just happened?

We were able to crack the WPA key with just the client. This was possible because even with just the first two packets, we have all the information required to launch a dictionary attack on the handshake.

Have a go hero – AP-less WPA cracking

We would recommend setting different WEP keys on the client and trying this exercise a couple of times to gain confidence. You may notice many times that you have to reconnect the client to get it to work.


In this article, we have learned that even the wireless client is susceptible to attacks. These include the following— Honeypot and other Mis-Association attacks, Caffe Latte attack to retrieve the key from the wireless client, De-Authentication and Dis-Association attacks causing a Denial of Service, Hirte attack as an alternative to retrieving the WEP key from a roaming client, and finally cracking the WPA-Personal passphrase with just the client.

Further resources on this subject:

You've been reading an excerpt of:

BackTrack 5 Wireless Penetration Testing Beginner’s Guide

Explore Title