Chapter 7. Wireless Client Attacks
So far, we have covered attacks against the WEP and WPA/WPA2 protocols, access points, and network infrastructure. In this chapter, we treat attacks targeting the clients, whether or not they are connected to a Wi-Fi network. We will cover the following topics in this chapter:
Honeypot access points and Evil Twin attacks
Man-in-the-middle attacks
Caffe Latte and Hirte attacks
Cracking WPA keys without the AP
Honeypot access points and Evil Twin attacks
In the last chapter, we saw how to set up a rogue access point that is part of the local wired network. An attacker can also set up a fake AP that appears legitimate to the client but is not connected to the local network. This kind of AP is called a honeypot AP, because it lures clients into associating with it. A honeypot AP that impersonates a genuine one, placed in its proximity, can be used to conduct the so-called Evil Twin attack. Indeed, the honeypot AP spoofs the SSID (and possibly the MAC address) of the real AP, advertising it in the beacon frames it sends. The operating system of a wireless client typically keeps track of the networks to which the client has connected in the past. The client can be configured to connect automatically to such networks when it is in their range and the signal is strong enough. So, if the fake AP is closer to the client than the legitimate one, and therefore its signal is stronger...
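As an added defender-side illustration (not code from the book), the following Python parses raw 802.11 beacon frames and compares the advertised SSID, BSSID and RSN information element against an AP inventory, flagging a beacon that advertises a known SSID from an unknown BSSID or without RSN. The frame builder, the SSID CorpWiFi and all MAC addresses are constructed sample values, and frames are assumed to have any radiotap header already stripped.

```python
import struct

TAG_SSID, TAG_DS_PARAM, TAG_RSN = 0, 3, 48   # information element IDs we care about

def parse_beacon(frame):
    """Parse a raw 802.11 beacon (no radiotap header) into its security-relevant fields."""
    if len(frame) < 36 or frame[0] != 0x80:          # frame control: management / beacon
        raise ValueError("not a beacon frame")
    capability, = struct.unpack_from("<H", frame, 34)  # after 24-byte MAC header, timestamp, interval
    info = {"bssid": frame[16:22].hex(":"),           # Addr3 carries the BSSID in a beacon
            "privacy": bool(capability & 0x0010), "ssid": None, "channel": None, "rsn": False}
    pos = 36
    while pos + 2 <= len(frame):                      # walk the tagged parameters (id, len, value)
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if tag == TAG_SSID:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == TAG_DS_PARAM and length == 1:
            info["channel"] = value[0]
        elif tag == TAG_RSN:
            info["rsn"] = True
        pos += 2 + length
    return info

def check_beacon(info, known_aps):
    """Compare a parsed beacon with the AP inventory; known_aps maps SSID -> {"bssids", "rsn"}."""
    expected = known_aps.get(info["ssid"])
    if expected is None:
        return []                                     # not one of our SSIDs, nothing to verify
    findings = []
    if info["bssid"] not in expected["bssids"]:
        findings.append("unknown BSSID advertising our SSID (possible Evil Twin)")
    if expected["rsn"] and not info["rsn"]:
        findings.append("our SSID advertised without RSN (security downgrade)")
    return findings

def build_beacon(bssid, ssid, channel, rsn):
    """Construct a sample beacon for testing (constructed data, not a captured frame)."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411 if rsn else 0x0401)  # timestamp, interval, capability
    tags = bytes([TAG_SSID, len(ssid)]) + ssid.encode() + bytes([TAG_DS_PARAM, 1, channel])
    if rsn:
        tags += bytes([TAG_RSN, 2]) + b"\x01\x00"     # minimal RSN IE (version field only)
    return header + fixed + tags
```

A wireless IDS sensor would feed captured beacons into parse_beacon and raise an alert on any non-empty result from check_beacon.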
Man-in-the-middle attacks
A man-in-the-middle (MITM) attack is a kind of attack where an attacker interposes itself between two communicating parties, typically (but not necessarily) a client and a server, and relays the exchanged messages transparently, making the parties believe that they are directly talking to each other.
In our case, the MITM attack is carried out with a software honeypot AP that lures the clients into connecting to it, believing it is the legitimate one. In this way, all the network traffic sent and received by the client passes through the fake AP, and the attacker can sniff and manipulate it, retrieving passwords and sensitive information, altering data, and hijacking sessions.
For example, the attacker can eavesdrop and sniff the traffic using network sniffers such as tcpdump, Wireshark, and Ettercap. Ettercap is not only a sniffer but also a tool for launching MITM attacks that provides a GUI and supports many network protocols. For more information about it, refer to Appendix, References...
In Chapter 4, WEP Cracking, we covered how to crack the WEP key when the client is connected to the AP, injecting ARP request packets and capturing the generated traffic to collect a sufficient number of IVs, and then launching a statistical attack to crack the key.
Two wireless security researchers, Vivek Ramachandran and MD Sohail Ahmad, presented a new attack called Caffe Latte at the Toorcon 2007 conference that allows you to retrieve the WEP key from a client even when it is not connected to the network and is far away from it.
The attack has been given this name because the authors demonstrated that the time required to complete it is (almost) as short as it takes to drink a cup of coffee in a coffee shop or a restaurant (two classic locations for this kind of attack)!
To perform the attack, we must induce the isolated client to generate enough WEP-encrypted data packets. Operating systems such as Windows cache the WEP shared keys along with the corresponding network details...
The Hirte attack extends the Caffe Latte attack in that it can use any IP packet received from the client, not only gratuitous ARP packets.
By bit-flipping these packets, we generate the ARP requests to send back to the client and then perform the attack. Another difference from Caffe Latte is that Hirte also uses packet fragmentation to send the ARP requests to the client.
More technical details about this attack can be found on the Aircrack-ng Wiki at http://www.aircrack-ng.org/doku.php?id=hirte.
In practice, launching the Hirte attack is almost identical to launching the Caffe Latte attack; the only difference is the use of the -N option, which is specific to this attack, instead of the -L option:
For those who prefer using a graphical, automated tool, both the Caffe Latte and Hirte attacks can be performed with Fern WiFi Cracker, which we have already covered in Chapter 4, WEP Cracking.
These attacks...
Cracking WPA keys without the AP
The Caffe Latte and Hirte attacks allow us to crack the WEP key in the absence of the target AP, attacking the disconnected client.
In this section, we will see that it is also possible to crack a WPA key in this situation.
Recall from Chapter 5, WPA/WPA2 Cracking, that to crack a WPA key, we must capture a WPA four-way handshake to retrieve all the parameters required to run the cracking process: the A-nonce, the S-nonce, the client and AP MAC addresses, and the MIC (Message Integrity Check).
It is worth noting that it is not necessary to complete the four-way handshake, as all these parameters are exchanged in the first two messages, and the AP does not need to know the preshared key to exchange them, as we can see in the following diagram:
Therefore, we can set up a honeypot AP with the WPA protocol and the same SSID as the target network with the following command:
Here, the -z option stands for WPA and the value...
In this chapter, we have analyzed the most common attacks against wireless clients. We covered how to set up a honeypot AP that impersonates a legitimate one and induces the clients to connect to it (Evil Twin attack), the MITM attacks against connected clients, and the attacks to recover WEP keys (Caffe Latte and Hirte attacks) and WPA keys when the client is isolated from the network.
The next chapter will cover the reporting phase, which will show how to write smart and effective reports of our penetration test.