What access control attack can reconfigure a MAC address to appear as an authorized AP to a host on a trusted network? The attacker may use tools such as SMAC to perform this kind of attack.
MAC spoofing
What access control attack can expose the entire network to vulnerabilities and attacks if a user improperly configures any of the critical security settings at any of the APs?
AP misconfiguration
What AP access control attack can allow an attacker to configure APs to broadcast SSIDs to authorized users? All AP models have their own default SSID, and APs with default configurations using default SSIDs are vulnerable to brute-force dictionary attacks. Even if users enable WEP, an unencrypted SSID broadcasts the password in plaintext.
SSID broadcast
What AP access control attack involves network administrators incorrectly using SSIDs as basic passwords to verify authorized users? SSIDs act as rudimentary passwords and help network administrators recognize authorized wireless devices in the network.
Weak password
What AP access control attack includes errors made during installation, configuration policies on an AP, human errors made while troubleshooting WLAN problems, and security changes not implemented uniformly across an architecture?
Configuration error
What AP access control attack does not require an AP to relay packets?
Ad hoc associations
What AP access control attack has an attacker exploit the behavior of 802.11 wireless cards, which always attempt to find a stronger signal to connect to? An attacker places an AP near the target Wi-Fi network and gives it a common SSID, offering an irresistibly stronger signal and higher speed than the target Wi-Fi network.
Promiscuous client
What allows an attacker to transmit target network traffic through a fake AP? It is very similar to the evil-twin threat on wireless networks, in which an attacker launches an AP that poses as an authorized AP by beaconing the WLAN's SSID.
Promiscuous client
What AP access control attack involves intentionally or accidentally connecting or associating with an AP outside the legitimate network, which is possible because WLAN signals travel through the air, walls, and other obstructions, and leads to access-control attacks?
Client mis-association
What AP access control attack involves an attacker setting up a rogue AP outside the corporation’s perimeter and learning the SSID of the target wireless network? Using a spoofed SSID, the attacker may send beacons advertising the rogue AP in order to lure clients to connect. The attacker can use the rogue AP as a channel to bypass enterprise security policies. Once a client connects to the rogue AP, an attacker can retrieve sensitive information such as usernames and passwords by launching MITM, EAP dictionary, or Metasploit attacks to exploit client mis-association.
Client mis-association
What AP access control attack has two forms: accidental association and malicious association? An attacker performs malicious association with the help of soft APs instead of corporate APs. The attacker creates a soft AP, typically on a laptop, by running a tool that makes the laptop’s NIC appear as a legitimate AP.
Unauthorized association
What involves changing or altering data during transmission? Attackers send forged control, management, or data frames over a wireless network to misdirect wireless devices and perform another type of attack such as a DoS attack.
Integrity attacks
What integrity attack constructs and sends forged 802.11 frames?
Data-Frame Injection
What method/tool is used in a data-frame injection attack?
Airpwn-ng and Wperf
What integrity attack constructs and sends forged WEP encryption keys?
WEP Injection
What method/tool is used in a WEP Injection attack?
WEP cracking + injection tools
What integrity attack involves capturing the frame, flipping random bits in the data payload, modifying the ICV, and sending it to the user?
Bit-Flipping Attacks
What integrity attack captures 802.1X Extensible Authentication Protocols (e.g., EAP Identity, Success, and Failure) for later replay?
Extensible AP Replay
What method/tool is used in an Extensible AP Replay?
Wireless capture + injection tools between client and AP
What integrity attack captures 802.11 data frames for later (modified) replay?
Data Replay
What method/tool is used in a Data Replay attack?
Capture + injection tools
What integrity attack derives the keystream by sending a plaintext message?
Initialization Vector Replay Attacks
What integrity attack captures RADIUS Access-Accept or Reject messages for later replay?
RADIUS Replay
What method/tool is used in a RADIUS Replay attack?
Ethernet capture + injection tools between AP and authentication server
What integrity attack can provide an attacker with a simple method to compromise APs?
Wireless Network Viruses
What attack attempts to intercept confidential information sent over a wireless network, regardless of whether the system transmits data in cleartext or an encrypted format?
Confidentiality Attack
What confidentiality attack captures and decodes unprotected application traffic to obtain potentially sensitive information?
Eavesdropping
What methods/tools are used to perform an eavesdropping attack?
Wireshark, Ettercap, Kismet, commercial analyzers
What confidentiality attack infers information from the observation of external traffic characteristics?
Traffic Analysis
What methods/tools are used to perform a traffic analysis attack?
Wireshark, Ettercap, Snort
What confidentiality attack captures data to recover a WEP key using brute force or Fluhrer-Mantin-Shamir (FMS) cryptanalysis?
Cracking WEP Key
What methods/tools are used to perform a cracking WEP key attack?
Aircrack-ng, WEPCrack
What confidentiality attack poses as an authorized AP by beaconing the WLAN's SSID to lure users?
Evil Twin AP
What methods/tools are used to perform an Evil Twin AP attack?
Hostapd, EvilTwinFramework, Wifiphisher
What confidentiality attack sets an AP’s SSID to be the same as that of a legitimate AP?
Honeypot AP
What method/tool is used to perform a Honeypot AP attack?
Manipulating SSID
What confidentiality attack manipulates the network such that the attacker's host appears to be the desired destination?
Session Hijacking
What method/tool is used to perform a session hijacking attack?
Manipulating
What confidentiality attack pretends to be an authorized user to gain access to a system?
Masquerading
What method/tool is used to perform a masquerading attack?
Stealing login IDs and passwords, bypassing authentication mechanisms
What confidentiality attack runs conventional MITM attack tools on an evil-twin AP to intercept TCP sessions or Secure Sockets Layer (SSL)/Secure Shell (SSH) tunnels?
MITM Attack
What method/tool is used to perform a MITM attack?
dsniff, Ettercap, aLTEr attack
What aims at obstructing the delivery of wireless services to legitimate users, either by crippling WLAN resources or by denying them access to these resources?
Availability Attacks
What availability attack physically removes an AP from its installed location?
Access Point Theft
What method/tool is used to perform an access point theft attack?
Stealth and/or speed
What availability attack destroys the connectivity between an AP and client to make the target unavailable to other wireless devices?
Disassociation Attacks
What method/tool is used to perform a Disassociation Attack?
Destruction of connectivity
What availability attack observes a valid 802.1X EAP exchange and then sends the client a forged EAP-Failure message?
EAP-Failure
What method/tool is used to perform an EAP-Failure attack?
Airtool Pi
What availability attack generates thousands of counterfeit 802.11 beacons to make it difficult for clients to find a legitimate AP?
Beacon Flood
What availability attack exploits the carrier-sense multiple access with collision avoidance (CSMA/CA) clear channel assessment (CCA) mechanism to make a channel appear busy?
Denial-of-Service
What method/tool is used to perform a DoS attack?
An adapter that supports the CW Tx mode, with a low-level utility to invoke continuous transmissions
What availability attack floods client(s) with forged de-authenticates or disassociates to disconnect users from an AP?
De-authenticate Flood
What method/tool is used to perform a De-authenticate Flood attack?
AirJack
What availability attack distributes routing information within the network?
Routing Attacks
What methods/tools are used to perform routing attacks?
RIP protocol, exploiting Ad-Hoc On-Demand Distance Vector (AODV) and Dynamic Source Routing (DSR) protocols using wormhole and sinkhole attacks
What availability attack sends forged authenticates or associates from random MACs to fill a target AP's association table?
Authenticate Flood
What method/tool is used to perform an authenticate attack?
AirJack
What availability attack creates many attack vectors?
Address Resolution Protocol (ARP) Cache Poisoning Attacks
What availability attack transmits a spoofed traffic indication map (TIM) or delivery TIM (DTIM) to a client in the power-saving mode, making the client vulnerable to a DoS attack?
Power Saving Attacks
What availability attack generates invalid TKIP data to exceed the target AP's MIC error threshold, suspending WLAN service?
TKIP MIC Exploit
What attack steals the identity of Wi-Fi clients, their personal information, login credentials, etc. to gain unauthorized access to network resources?
Authentication Attacks
What authentication attack recovers a WPA PSK from captured key handshake frames using a dictionary attack tool?
PSK Cracking
What method/tool is used to perform a PSK (Pre-shared key) cracking attack?
Cowpatty, Fern Wifi Cracker
What authentication attack recovers user credentials from captured 802.1X Lightweight EAP (LEAP) packets using a dictionary attack tool to crack the NT password hash?
LEAP Cracking
What method/tool is used to perform LEAP Cracking attacks?
Asleap, THC-LEAPcracker
What authentication attack gains user credentials (e.g., Point-to-Point Tunneling Protocol (PPTP) password or Internet Protocol Security (IPsec) pre-shared secret key) using brute-force attacks on virtual private network (VPN) authentication protocols?
VPN Login Cracking
What method/tool is used to perform a VPN Login Cracking attack?
ike_scan and IKECrack (IPsec), Anger and THC-pptp-bruter (PPTP)
What authentication attack recovers user credentials (e.g., Windows login and password) by cracking NetBIOS password hashes with a brute-force or dictionary-attack tool?
Domain Login Cracking
What method/tool is used to perform a Domain Login Cracking attack?
John the Ripper, L0phtCrack, THC-Hydra
What authentication attack exploits the four-way handshake of the WPA2 protocol?
Key Reinstallation Attack
What method/tool is used to perform a Key Reinstallation Attack?
Nonce reuse technique
What authentication attack captures user identities from cleartext 802.1X Identity Response packets?
Identity Theft
What method/tool is used to perform an Identity Theft attack?
Packet capturing tools
What authentication attack is used to attempt 802.11 shared key authentication with the vendor default or cracked WEP keys?
Shared Key Guessing
What method/tool is used to perform shared key guessing?
WEP cracking tools, Wifite
What authentication attack repeatedly attempts 802.1X authentication using a captured identity to guess the user's password?
Password Speculation
What method/tool is used to perform a Password Speculation attack?
Password dictionary
What authentication attack captures user credentials (e.g., email address and password) from cleartext application protocols?
Application Login Theft
What method/tool is used to perform an Application Login Theft attack?
Ace Password Sniffer, dsniff, Wi-Jacking Attack
What AP attack transmits a stronger beacon signal than legitimate APs so that NICs searching for the strongest available signal may connect to the rogue AP?
Honeypot AP Attack
What attack exploits dynamic routing protocols such as Dynamic Source Routing (DSR) and the Ad-Hoc On-Demand Distance Vector (AODV)? An attacker locates themselves strategically in the target network to sniff and record ongoing wireless transmissions.
Wormhole Attack
What attack is a variant of the selective forwarding attack in which the attacker advertises a compromised or malicious node as the shortest possible route to the base station? The attacker places the malicious node near the base station and attracts all the neighboring nodes with fake routing path information and further performs a data forging attack. Attackers use the compromised node to sniff and manipulate all ongoing network transmissions.
Sinkhole Attack
What attack exploits the underlying vulnerabilities in wireless chips that handle wireless communications such as Bluetooth and Wi-Fi? Attackers leverage combo chips to exploit one chip to steal the data from another chip and make lateral moves to exploit other chips.
Inter-Chip Privilege Escalation/Wireless Co-Existence Attack