In our opinion (and we hope you agree with us), planning and building a secure WLAN is not possible without understanding the various attack methods and their workflow. In this topic, we will give you an overview of how attackers work when they are hacking WLANs.
After refreshing our knowledge about wireless threats and Wi-Fi security mechanisms, let's have a look at the attack methodology used by attackers in the real world. Of course, as with all other types of network attack, wireless attack workflows depend on the particular situation and target, but they still align with the following general sequence in almost all cases:
Let's have a closer look at the most interesting parts of the active attack phase, WPA-PSK and WPA-Enterprise attacks, in the following sections.
As both WPA and WPA2 are based on the 4-way handshake, attacking them doesn't differ: an attacker needs to sniff a 4-way handshake at the moment a connection is established between an access point and an arbitrary wireless client, and then brute force a matching PSK. It does not matter whose handshake is intercepted, because all clients use the same PSK for a given target WLAN.
Sometimes, attackers have to wait a long time until a device connects to a WLAN to intercept a 4-way handshake, and of course they would like to speed up the process when possible. For that purpose, they force an already connected device to disconnect from the access point by sending control frames (deauthentication attack) on behalf of a target access point. When a device receives such a frame, it disconnects from the WLAN and tries to reconnect if the "automatic reconnect" feature is enabled (it is enabled by default on most devices), thus performing another 4-way handshake that can be intercepted by an attacker.
Another way to hack a WPA-PSK protected network is to crack a WPS PIN if WPS is enabled on a target WLAN.
Attacking becomes a little bit more complicated if WPA-Enterprise security is in place, but the attack could still be executed in several minutes by a properly prepared attacker who imitates a legitimate access point with a RADIUS server and gathers user credentials for further analysis (cracking).
To set up this attack, an attacker needs to install a rogue access point with an SSID identical to the target WLAN's SSID and set other parameters (like EAP type) similar to the target WLAN to increase the chances of success and reduce the probability of the attack being quickly detected.
Most user Wi-Fi devices choose an access point for a connection to a certain WLAN by signal strength: they connect to the one that has the strongest signal. That is why an attacker needs to use a powerful Wi-Fi interface for a rogue access point to override signals from legitimate ones and make devices connect to the rogue access point.
A RADIUS server used during such attacks should have the capability to record authentication data, NTLM hashes, for example.
From a user's perspective, being attacked in such a way looks like simply being unable to connect to a WLAN for an unknown reason, and it may not be noticed at all if the user is not using the device at that moment and is just passing by a rogue access point. It is worth mentioning that classic physical security or wireless IDPS solutions are not always effective in such cases. An attacker or a penetration tester can install a rogue access point outside of the range of a target WLAN. This allows the hacker to attack user devices without the need to get into a physically controlled area (for example, an office building), thus making the rogue access point unreachable and invisible for wireless IDPS systems. Such a place could be a bus or train station, parking lot, or a café where a lot of users of a target WLAN go with their Wi-Fi devices.
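Where a sensor is within range, the rogue access point described above (same SSID, similar parameters, stronger signal) can be flagged by comparing observed beacons with the inventory of authorized access points. This is an added example, not part of the original text; the SSID, BSSIDs, inventory fields, and RSSI margin are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory (assumption): BSSID -> expected channel, security, typical RSSI.
SSID = "CorpWLAN"
INVENTORY = {
    "02:00:00:aa:00:01": {"channel": 1, "security": "WPA2-Enterprise", "rssi": -62},
    "02:00:00:aa:00:02": {"channel": 11, "security": "WPA2-Enterprise", "rssi": -70},
}
RSSI_MARGIN_DB = 20  # assumed tolerance before a signal counts as abnormally strong

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str
    rssi: int  # dBm as seen by the sensor

def classify(beacon, inventory=INVENTORY, ssid=SSID):
    """Return findings for one observed beacon (empty list = looks legitimate)."""
    if beacon.ssid != ssid:
        return []  # other networks are out of scope
    known = inventory.get(beacon.bssid.lower())
    if known is None:
        return ["unknown BSSID advertising protected SSID"]
    findings = [f"{k} mismatch for known BSSID" for k in ("security", "channel")
                if getattr(beacon, k) != known[k]]
    if beacon.rssi > known["rssi"] + RSSI_MARGIN_DB:
        findings.append("signal abnormally strong for known BSSID")
    return findings

def scan_report(beacons):
    """Map each suspicious BSSID to its sorted, de-duplicated findings."""
    report = {}
    for b in beacons:
        report.setdefault(b.bssid.lower(), set()).update(classify(b))
    return {bssid: sorted(fs) for bssid, fs in report.items() if fs}

# Constructed sample observations from one sensor sweep.
SAMPLE = [
    Beacon("CorpWLAN", "02:00:00:aa:00:01", 1, "WPA2-Enterprise", -60),
    Beacon("CorpWLAN", "02:00:00:bb:00:99", 6, "WPA2-Enterprise", -35),
    Beacon("CorpWLAN", "02:00:00:AA:00:02", 11, "WPA2-Enterprise", -40),
    Beacon("GuestCafe", "02:00:00:cc:00:01", 6, "Open", -50),
]

if __name__ == "__main__":
    print(scan_report(SAMPLE))
```

The signal-strength check also covers a cloned BSSID, since an inventory match alone would let such a beacon pass.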
Unlike WPA-PSK with only one key shared between all WLAN users, the Enterprise mode employs individual credentials for each user, and these credentials could be more or less complex depending only on the particular user. That is why it is better to collect as many user credentials and hashes as possible, thus increasing the chances of successful cracking.