Penetration test – Wi-Fi
Wi-Fi intrusion tests always begin with limited knowledge of the target and without credentials, in order to simulate an opportunistic attacker. They reproduce real attacks against the wireless network. Because the classical approach (key recovery and spoofing) is limited by the technology itself, a second phase is often requested in which a corporate workstation with wireless access is used, so that the attack scenarios can be enriched with better knowledge of the target infrastructure.
The wireless network evaluation tests the networks from the perspective of a malicious user attempting to reach the internal infrastructure. It is performed with specialized tools and equipment, and aims to identify reachable vulnerabilities that represent a real risk of exploitation.
From an attacker's point of view, Wi-Fi is an external target which, once compromised, gives access to the internal network without the attacker ever entering the company's building. All of the attacks described below can be performed without a physical presence in the offices.
Client isolation
One of the main differences between Ethernet and Wi-Fi is client isolation. On Wi-Fi, all communications travel over radio waves, which means that client isolation is logical rather than physical. Since the channel can be intercepted and modified on the fly, a device can pretend to be another one. Many server-side and client-side attacks are based on this principle.
Attacks on Access Point (AP)
There are two angles of attack on the AP itself: an unauthenticated and an authenticated point of view.
From the unauthenticated point of view, the goal is to gather as much information as possible from the existing communications with the access points located on the targeted premises: the key exchange (for WPA/WPA2, the 4-way handshake), the advertised services (SSIDs), the encryption schemes deployed and, if possible, usernames and passwords. With this information, several attacks become possible: establishing an unauthorized wireless connection to the access points, breaking the encryption scheme in use, breaking an existing connection, or impersonating a valid user.
From the authenticated point of view, the segregation between clients or between networks can be tested. By identifying the machines connected to the same network, it becomes possible to capture communications over that network.
Client-side attacks
In some cases, attacks on the AP are fruitless. It is still possible to target the clients: the goal is then to force a client to connect to a fake AP. This can be achieved with tools that exploit technical vulnerabilities, or with social engineering techniques that exploit human weaknesses. Generally, a combination of both techniques gives client-side attacks a higher rate of success.
Attacks
Evil twin attack
An evil twin is a malicious Wi-Fi AP that appears to be legitimate, set up to eavesdrop on wireless communications.
Fake access points are set up by configuring a wireless card to act as an access point (known as HostAP mode). They are hard to trace since they can be shut off instantly. The counterfeit access point may be given the same SSID and BSSID as a nearby Wi-Fi network.
In this scenario, the evil twin AP relays traffic to the legitimate AP while pretending to be it. The attacker then disconnects the victim from the legitimate AP, typically with deauthentication or disassociation frames sent on the channel the legitimate AP uses. Once the victim reconnects to the evil twin, all of its communications pass through the attacker, who is now in a Man-in-the-Middle (MiTM) position.
This type of attack may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent web site and luring people to it.
KARMA
KARMA stands for « Karma Attacks Radio Machines Automatically ». The target can be a smartphone, tablet, laptop or any Wi-Fi enabled device. It is a MiTM attack that creates a fake AP answering the clients' own network searches, in order to intercept all the traffic passing through it.
A tool like « mana » can discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a rogue AP for one of their probed networks (which they may join automatically). Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.
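The following is an added example (it is neither code from this article nor part of the mana project) showing, from a monitor-mode capture, the two sides of the evil twin and KARMA sections above: the attacker's passive view (which SSIDs each client probes for, as mana does) and the defender's view (one SSID advertised by several BSSIDs with different security, one BSSID seen on two channels, and deauthentication bursts). All frames, MAC addresses, the RSN information element and the deauth threshold are constructed for the example, and frames are assumed to be delivered without the trailing FCS.

```python
"""802.11 management-frame triage for a Wi-Fi engagement (added example, constructed data)."""
import struct
from collections import defaultdict

SUBTYPE_PROBE_REQ, SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x4, 0x8, 0xA, 0xC
IE_SSID, IE_DS_PARAMS, IE_RSN = 0, 3, 48


def mac(b: bytes) -> str:
    return ':'.join(f'{x:02x}' for x in b)


def parse_ies(body: bytes) -> dict:
    """Parse the tag/length/value information elements that follow the fixed fields."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def parse_mgmt(frame: bytes):
    """Describe an 802.11 management frame; return None for data/control frames."""
    if len(frame) < 24:
        return None
    fc, = struct.unpack_from('<H', frame, 0)
    if (fc >> 2) & 0x3 != 0:              # type 0 = management
        return None
    rec = {'subtype': (fc >> 4) & 0xF,
           'dst': mac(frame[4:10]), 'src': mac(frame[10:16]), 'bssid': mac(frame[16:22])}
    body = frame[24:]                      # header: FC, duration, 3 addresses, seq ctrl
    if rec['subtype'] == SUBTYPE_BEACON:
        body = body[12:]                   # skip timestamp, beacon interval, capability
    if rec['subtype'] in (SUBTYPE_PROBE_REQ, SUBTYPE_BEACON):
        ies = parse_ies(body)
        rec['ssid'] = ies.get(IE_SSID, b'').decode('utf-8', 'replace')
        rec['channel'] = ies[IE_DS_PARAMS][0] if ies.get(IE_DS_PARAMS) else None
        rec['rsn'] = IE_RSN in ies        # RSN IE present => WPA2/WPA3, absent => open/WEP/WPA1
    elif rec['subtype'] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        rec['reason'], = struct.unpack_from('<H', body, 0)
    return rec


def preferred_networks(records) -> dict:
    """KARMA/mana view: the SSIDs each client asks for (broadcast probes carry no SSID)."""
    prefs = defaultdict(set)
    for r in records:
        if r['subtype'] == SUBTYPE_PROBE_REQ and r['ssid']:
            prefs[r['src']].add(r['ssid'])
    return dict(prefs)


def evil_twin_findings(records) -> list:
    """Defender view: same SSID with mixed security, or one BSSID on several channels."""
    by_ssid, by_bssid = defaultdict(dict), defaultdict(set)
    for r in records:
        if r['subtype'] != SUBTYPE_BEACON:
            continue
        by_ssid[r['ssid']][r['bssid']] = r['rsn']
        by_bssid[r['bssid']].add(r['channel'])
    findings = []
    for ssid, bssids in by_ssid.items():
        if len(set(bssids.values())) > 1:
            findings.append(f"SSID {ssid!r}: mixed security across {sorted(bssids)}")
    for bssid, channels in by_bssid.items():
        if len(channels) > 1:
            findings.append(f"BSSID {bssid} seen on channels {sorted(channels)}")
    return findings


def deauth_flood(records, threshold=10) -> dict:
    """Count deauth/disassoc frames per (bssid, victim); a burst above threshold is suspect."""
    counts = defaultdict(int)
    for r in records:
        if r['subtype'] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            counts[(r['bssid'], r['dst'])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def triage(frames) -> dict:
    records = [r for r in (parse_mgmt(f) for f in frames) if r]
    return {'preferred': preferred_networks(records),
            'evil_twin': evil_twin_findings(records),
            'deauth': deauth_flood(records)}


# --- constructed sample capture (hypothetical MACs and SSIDs) ---------------------------
def _mgmt(subtype, src, bssid, body, dst=b'\xff' * 6):
    return struct.pack('<HH', subtype << 4, 0) + dst + src + bssid + b'\x00\x00' + body

def _ie(tag, data):
    return bytes([tag, len(data)]) + data

CLIENT_A, CLIENT_B = bytes.fromhex('020000000001'), bytes.fromhex('020000000002')
AP_REAL, AP_FAKE = bytes.fromhex('0200000000aa'), bytes.fromhex('0200000000bb')
RSN_WPA2_PSK = bytes.fromhex('0100000fac040100000fac040100000fac020000')  # CCMP / PSK
BEACON_FIXED = b'\x00' * 8 + struct.pack('<HH', 100, 0x0411)            # ts, interval, caps
SAMPLE_FRAMES = [
    _mgmt(SUBTYPE_PROBE_REQ, CLIENT_A, b'\xff' * 6, _ie(IE_SSID, b'CorpWiFi')),
    _mgmt(SUBTYPE_PROBE_REQ, CLIENT_A, b'\xff' * 6, _ie(IE_SSID, b'HomeNet')),
    _mgmt(SUBTYPE_PROBE_REQ, CLIENT_B, b'\xff' * 6, _ie(IE_SSID, b'')),   # broadcast probe
    _mgmt(SUBTYPE_BEACON, AP_REAL, AP_REAL, BEACON_FIXED + _ie(IE_SSID, b'CorpWiFi')
          + _ie(IE_DS_PARAMS, b'\x06') + _ie(IE_RSN, RSN_WPA2_PSK)),
    _mgmt(SUBTYPE_BEACON, AP_FAKE, AP_FAKE, BEACON_FIXED + _ie(IE_SSID, b'CorpWiFi')
          + _ie(IE_DS_PARAMS, b'\x06')),                                   # open evil twin
    _mgmt(SUBTYPE_BEACON, AP_REAL, AP_REAL, BEACON_FIXED + _ie(IE_SSID, b'CorpWiFi')
          + _ie(IE_DS_PARAMS, b'\x0b') + _ie(IE_RSN, RSN_WPA2_PSK)),     # cloned BSSID, ch 11
] + [_mgmt(SUBTYPE_DEAUTH, AP_REAL, AP_REAL, struct.pack('<H', 7), dst=CLIENT_A)
     for _ in range(20)]

if __name__ == '__main__':
    for name, result in triage(SAMPLE_FRAMES).items():
        print(name, result)
```

On a real engagement the frame list comes from a monitor-mode capture (for example a pcap with radiotap headers stripped); the parser deliberately ignores data and control frames and only reads the IEs it needs, so a malformed or truncated IE list simply yields an empty SSID rather than an exception.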
MiTM
From a MiTM position, the attacker can invite the victim to log into a server under the attacker's control, prompting the victim to enter sensitive information such as usernames and passwords. Often, users are unaware they have been duped until well after the incident has occurred.
When users log into unsecured (non-HTTPS) web services, the attacker intercepts the transaction, since it passes through the attacker's equipment. The attacker is also able to reach other networks through the victim. Note that a misconfiguration of a web site's TLS setup can also make TLS interception possible.
Conclusion
Although attacks targeting the AP are often not effective, they can reveal misconfigurations, weak passwords or outdated equipment. Client-side attacks, on the other hand, are more effective and change the scope from a Wi-Fi penetration test to an internal penetration test.