In this chapter, we covered many options available to an attacker if they share the same wireless network with their intended targets. MAC spoofing and ARP poisoning are two attacks that go hand in hand to get between a client and the router on a wireless network. The victim is tricked into sending their outbound traffic through the attacker and the router is also tricked into sending traffic destined for the victim through the attacker in kind. This attack can be very effective for clients that are already connected to a wireless network that an attacker also has access to, such as a public hotspot or after an attacker has defeated a pre-shared key authentication technique on WPA-personal or WPA2-personal networks. DHCP and DNS were also demonstrated as services that can be manipulated by an attacker to either redirect traffic through your attacking workstation to capture sensitive traffic or to unwittingly redirect a target's browser or command-line tools to where you may be able to capture an authentication attempt or unencrypted traffic.

Lastly, you might not even need to directly interact with your target's workstation to get it to give up sensitive information. With the right tools, you will be able to capture broadcast or multicast traffic that the workstations send out on their own and use that information to determine username/password combinations or directly reuse to authenticate as the targeted user.

Manipulation of the network services utilized by wireless users is not the only way that an attacker can set up a man-in-the-middle attack. A much more effective way is to actually become the device that users communicate through, essentially becoming part of the network.

In the next chapter, we will look at ways an attacker can configure their device to emulate an access point and have the targeted clients connect to them, hence reducing the effort required to redirect traffic to them.