Here are some examples of attacks if you manage to listen in on the victim's network traffic:
- Capture credentials in unsecured transmission (ex: HTTP, FTP, ...).
- Fake web portal that will be requesting the victims to enter their password.
deauthentication framefrom the access point to a station to inform a rogue station that they have been disconnected from the network.
- The protocol does not require any encryption for this frame.
- The attacker only needs to know the victim's MAC address (network sniffing), then spoof the MAC address.
- The attacker creates a
evil twin access point(clone of victim's acces point, same SSID and BSSID).
- The attacker conducts a deauthentication attack to the target client, disconnecting it from its current network, thus allowing the client to automatically connect to the evil twin access point.
- Capture network packets transferred between the victim client and our evil twin access point.
- Vulnerable client devices broadcast a "preferred network list" (PNL) - which contains the SSIDs of previously connected AP with automatic reconnection enabled.
- These broadcasts are not encrypted and hence may be received by any WiFi access point in range.
- Create an Evil Twin based on the SSIDs present in the PNL.
In order to obtain the password of a WPA/WPA2 WiFi, you need to :
- Capture the WIFI Handshake
- Perform a dictionary or bruteforce attack
- Bruteforce WPS PIN in order to retrive the PSK.
WPS PIN Bruteforce
A major security flaw was revealed in December 2011 that affects wireless routers with the WPS PIN feature, which most recent models have enabled by default.
The flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network's WPA/WPA2 pre-shared key (PSK).
Users have been urged to turn off the WPS PIN feature, although this may not be possible on some router models
The attacker needs to obtain the WPA 4-way handshake (at least a part of it) to be able to crack it later.
You can use the deauthentication attack to force the victim to disconnect. Then wait for the victim to reconnect to capture the handshake.
- If there is no client connected to the access point, you cannot perform the attack.
- This attack can take some time.
There’s no interaction between the attacker and client stations, but just between the attacker and the AP, interaction which, if the router is vulnerable, is almost immediate!
Many routers cache PMKID of exchange process in a collection of information PMKSA, so that the next time client de and re-authenticates 4-way handshake won’t be done again and router would directly ask the client for PMKSA, verify it and he would be re-associate it back with an access point.
PMKSA = PMKID + Lifetime of PMK + MAC addresses + other variables
PMKID is a hashed value of another hashed value (PMK) with 2 MACs and a fixed string.
PMKID = HMAC-SHA1-128(PMK, “PMK Name” + MAC (AP) + MAC(Supplicant))
If we are able to retrieve the PMKID from an Access Point, we’d get a hold of a hashed value containing the password. PMKID attack directly targets a single RSN IE frame. Since the PMKID is derived from PMK, a fixed string and 2 MACs. We know now how PMK is created.
To brute force PMKID, we need the following parameters:
- WiFi password (passphrase) – guess
- WiFi SSID – known
- Length of SSID – known
- MAC of Authenticator and Supplicant – known
- PMK Name – known
- Client-less attack
- Only the routers that have roaming feature enabled or present are vulnerable