Wireless Security - Launch Wireless Attacks


All kinds of wireless attacks may be divided into two categories − Passive Attacks and Active Attacks. Most often, a Passive Attack (or rather passive information gathering) is the first step before launching the wireless attack itself (the active part of the attack).

Passive attacks are all the ones which do not require the attacker to communicate with any other party or inject any traffic. During passive attacks, a victim has no way to detect your activity (because you are not transmitting anything); you are simply hiding and listening to the radio frequencies.

Passive attacks are not in themselves considered a violation of the law; however, the use of the information you obtained through passive attacks may be treated as a violation. For example, you are free to sniff (listen to) unencrypted traffic, collect it and see that it is in fact a conversation between two people, but reading it and using the information contained in this private conversation is, in some parts of the world, a violation of the law.

Examples of Passive Attacks

Let us now take a look at some examples of passive attacks −

Breaking WEP Encryption

Behind the scenes, to break WEP encryption one has to sniff a large volume of data packets. The next step is to find wireless frames that carry the same IV (initialization vector), and the last step is to break the WEP encryption offline. There is no single step in this attack that requires the attacker to communicate with the victim in any way.

Breaking WPA/WPA2 Encryption

To break WPA/WPA2 encryption, one needs to sniff the EAP 4-way handshake between a wireless client and the AP. Afterwards, an offline dictionary attack (or offline brute-force attack) is conducted on the collected encrypted packets. If you are lucky enough, you might not communicate with the victim at all, and the attack is considered a purely passive attack.

However, you may find a situation where the victim authenticated to the AP long before you came into play, and you don't want to wait any longer. Then, you may use an "Active Attack Step" within your otherwise passive attack − inject wireless de-authentication frames, forcing the wireless victim to de-authenticate and then re-authenticate, and sniff the new 4-way authentication handshake.

Sniffing the Traffic Between Communicating Parties

Assuming that you somehow know the encryption key, you may sniff the communication between the parties (for example with Wireshark) and then decode the conversation (since you know the keys). Assuming that the parties were not using any protocol that natively uses encryption (for example, they were using clear-text HTTP), you are free to see what the user was doing and track his moves on the internet.

Active attacks, on the other hand, are the ones that require active participation in forwarding the wireless traffic or in injecting wireless frames that affect WLAN operation. Performing active attacks leaves traces of malicious activity; therefore, in some specific situations, the dumps collected by a victim (using Wireshark) or the dumps of your activity taken from a WLAN card by a forensic investigator may be valid evidence against you in court, should you decide to use your knowledge in a malicious way.

Examples of Active Attacks

Here are some examples of active attacks −

  • Injection of Wireless Traffic − A classic example is a Layer 2 DoS carried out by flooding de-authentication frames. The attacker directly injects wireless frames that affect the wireless clients (telling them to de-authenticate), resulting in constant flapping of the clients' state between authenticated and de-authenticated and making the overall wireless experience very bad.

  • Jamming Attacks − As you remember, this is a type of Layer 1 DoS attack. Jamming devices are used to create interference with the legitimate RF signal of the Wi-Fi network, leading to WLAN service degradation. It is a type of active attack, since the attacker is directly affecting the wireless behavior.

  • Man-in-the-Middle Attack − The attacker is equipped with two wireless network cards and may use one of them to connect to the original AP as a client, and the second to broadcast a fake SSID using software that emulates an AP (the airbase-ng tool). That way, the client associates to the "fake AP" the attacker has just created, and all of the client's traffic going to the internet is forwarded through the attacker's equipment (the attacker may then do anything with this data).
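The de-authentication injection described above (both as the "Active Attack Step" in handshake capture and as the Layer 2 DoS) leaves frames in the air that a victim or a forensic investigator can capture. The following is an added example, not code from the original tutorial: a small Python detector that parses the 802.11 management header of raw captured frames and raises an alert when de-authentication or disassociation frames from one transmitter/BSSID pair exceed a rate threshold. The threshold (10 frames per second), the MAC addresses and the replayed frames are constructed for the demo, and frames are assumed to be passed without the radiotap header that monitor-mode captures usually prepend.

```python
"""Constructed example: detect 802.11 de-authentication/disassociation floods
in raw management frames (e.g. from a monitor-mode capture or a pcap dump)."""
from collections import defaultdict, deque

DISASSOC, DEAUTH = 0x0A, 0x0C  # management subtypes that tear down client state


def parse_mgmt_header(frame: bytes):
    """Return (subtype, addr1, addr2, addr3) for a management frame, else None.
    Frame Control byte 0: bits 2-3 = type (0 = management), bits 4-7 = subtype;
    header layout is FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq-ctrl(2)."""
    if len(frame) < 24 or ((frame[0] >> 2) & 0x3) != 0:
        return None
    subtype = (frame[0] >> 4) & 0xF
    return (subtype, *[frame[i:i + 6].hex(":") for i in (4, 10, 16)])


class DeauthFloodDetector:
    """Alert when one (transmitter, BSSID) pair sends >= threshold
    deauth/disassoc frames inside a sliding window of `window` seconds."""

    def __init__(self, threshold: int = 10, window: float = 1.0):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)  # (addr2, addr3) -> recent timestamps

    def observe(self, ts: float, frame: bytes):
        parsed = parse_mgmt_header(frame)
        if parsed is None or parsed[0] not in (DISASSOC, DEAUTH):
            return None  # beacons, data frames etc. are not counted
        _, target, transmitter, bssid = parsed
        q = self.events[(transmitter, bssid)]
        q.append(ts)
        while ts - q[0] > self.window:  # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold:
            return {"bssid": bssid, "transmitter": transmitter,
                    "last_target": target, "count": len(q)}
        return None


def make_mgmt_frame(subtype: int, addr1: str, addr2: str, addr3: str) -> bytes:
    """Constructed test frame: 24-byte header plus a 2-byte reason code."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([subtype << 4, 0x00]) + b"\x00\x00" + mac(addr1) + mac(addr2)
            + mac(addr3) + b"\x00\x00" + b"\x07\x00")


def run_demo():
    """Replay a constructed capture: one beacon, then 12 deauths within 0.6 s."""
    ap, client = "02:00:00:00:aa:01", "02:00:00:00:cc:02"  # constructed MACs
    det = DeauthFloodDetector(threshold=10, window=1.0)
    frames = [(0.0, make_mgmt_frame(0x08, "ff:ff:ff:ff:ff:ff", ap, ap))]  # beacon
    frames += [(0.05 * i, make_mgmt_frame(DEAUTH, client, ap, ap)) for i in range(1, 13)]
    return [a for a in (det.observe(ts, f) for ts, f in frames) if a]
```

Because the flood frames carry the AP's BSSID as transmitter, the alert points at the network being attacked rather than at the attacker's real hardware; the transmitter field only tells you which BSSID is being spoofed.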

Most of the attacks you will ever see are a combination of passive and active steps. Passive steps are always a good starting point: they let you understand the environment, do your homework and gather as much information about the potential victim as possible.

The same approach applies to any type of hacking you may see, whether it is web application hacking, a social engineering attack or any other hacking approach. At least 80% of your time is spent on passive information gathering about your target, collecting the data that will be valuable to you in the next steps of your attack. The active attack itself is the last 20% of your overall "attack" time.