Tip
"Security is just as strong as the weakest link."
Famous Quote in Information Security Domain
Most penetration testers seem to give all the attention to the WLAN infrastructure and don't give the wireless client even a fraction of that. However, it is interesting to note that a hacker can gain access to the authorized network by compromising a wireless client as well.
In this chapter, we will shift our focus from the WLAN infrastructure to the wireless client. The client can be either a connected or isolated un-associated client. We will look at various attacks, which can be used to target the client.
We will cover the following:
- Honeypot and Mis-Association attacks
- Caffe Latte attack
- De-Authenticaton and Dis-Association attacks
- Hirte attack
- AP-less WPA-Personal cracking
Normally, when a wireless client such as a laptop is turned on, it will probe for the networks it has previously connected to. These networks are stored in a list called the Preferred Network List (PNL) on Windows-based systems. Also, along with this list, it will display any networks available in its range.
A hacker may do either of two things:
- Silently monitor the probe and bring up a fake access point with the same ESSID the client is searching for. This will cause the client to connect to the hacker machine, thinking it is the legitimate network.
- He may create fake access points with the same ESSID as neighboring ones to confuse the user to connect to him. Such attacks are very easy to conduct in coffee shops and airports where a user might be looking to connect to a Wi-Fi connection.
These attacks are called Honeypot attacks, which happen due to Mis-Association to the hacker's access point thinking it is the legitimate one.
In the next exercise, we will do both these attacks in our lab.