
Main Wireless Network Attacks Highlighted

Latest reply: Oct 11, 2021 13:48:25

Introduction

Hello!

Today we will look at the main types of threats in wireless networks. I will cover the topic of protection against these threats in the next publication. Let's start by defining what types of threats we may face, and then consider each of them in more detail. And, of course, let's take a look at specific attacks on wireless networks.

Taking a broad view of attacks on wireless networks, the following types can be distinguished (according to the HCIP-Security CTSS V3.0 course):

  • Access control attacks

  • Confidentiality attacks

  • Availability attacks

  • Integrity attacks

  • Authentication attacks

Access control attacks

This type of attack is aimed at gaining access to a protected network bypassing its defenses.

Let's start with war driving and war walking, the simplest attacks. Their essence is to collect information about your wireless network: just by being near it, an attacker can gather a lot of information that is useful for later attacks. The principle of the attack is simply to receive all the wireless frames that reach the attacker's device.

What information can be collected:

  • The SSIDs of wireless networks together with their locations. For example, you can make a map of wireless networks.

  • The protocols used to protect the network. Knowing which methods protect the network makes it easier to prepare for hacking it.

  • Network load. The busier the network, the more it is evidently used and, probably, the more attractive it is as a target.

  • The number of wireless clients on the network. If an attacker later wants to block the network, this tells him how much effect that would have.

  • MAC addresses of the access point and network clients. From these you can determine the manufacturer and possibly an approximate release date. With that information, you can search for known vulnerabilities in the equipment of a particular manufacturer.

  • Approximate location of access points.

To carry out this attack, the following software can be used, for example: inSSIDer, Airmon-ng, DStumbler and other similar programs.

Rogue devices

Let's move on to a more malicious attack: the Rogue AP. This is an access point that someone has connected to your network on their own. For example, an employee brings a home router, connects it to the wired network and uses it to get Internet access on a smartphone. This is dangerous because the network administrator loses control over the devices connected to the network: the router completely hides its client devices from the administrator, while those devices still have access to your network. In addition, if an attacker can reach this rogue network, he can easily use it to penetrate your network.

Another attack can be considered under the same name: an attacker installs an access point with the same SSID as the attacked network. It is discussed below under the title Evil Twin AP.

Ad-hoc. If someone sets up such a connection from, for example, a laptop connected to the wired network to an additional device, he not only opens the network to attacks from the connected device; because such connections are usually poorly secured, he also exposes all the traffic transmitted over them.

Rogue clients. These are devices that try to connect to a wireless network without permission, for example by guessing the password. Or they send frames that block your network (either special frames that break certain connections, or simply a large volume of frames to occupy the whole channel).

This also includes the rogue wireless bridge: an illegitimate wireless bridge used to attach additional wired network segments to the main network over Wi-Fi. In this case, new, uncontrolled devices gain access to the protected network.

The last attack in this category is aimed at interrupting the provision of service: the Fake AP. Its effect is to "create" a huge number of SSIDs with the name of the "legal" wireless network, so that the user cannot find the right one among them. This is done with software that constantly sends out wireless network announcement frames (beacons) carrying the victim's SSID (or even a whole list of SSIDs taken from a file).

Confidentiality attacks

The purpose of these attacks is to collect the information transmitted in the attacked network. The first thing an attacker can do is simply eavesdrop on the network. Various software can be used for this, for example Wireshark. The wireless adapter has to be switched to "monitor" mode, after which all transmitted frames are captured by the software for further analysis. If the wireless network is open (security type open), the data transmitted in it is not encrypted. In this case, everything that is sent without additional protection at higher layers (for example, HTTP instead of HTTPS) can be read without any extra computational cost: files, mail, passwords, bank card data (although it shouldn't be). It is very important not to transfer anything important without additional encryption.

The next attack option is cracking WEP passwords. As we remember, WEP stands for Wired Equivalent Privacy; that is, the protection is meant to be equivalent to the attacker being connected to our network with a wire. The problem is that WEP does not use a cryptographically strong security algorithm. Its shortcomings allow it to be hacked, that is, to obtain the password for accessing the network and to decrypt the data transmitted in it. The aircrack-ng software can be used to hack such a network.

Using the same aircrack-ng utility, you can also hack a WPA-protected network. Nothing personal, just old defenses. The attack methods are called FMS (https://en.wikipedia.org/wiki/Fluhrer,_Mantin_and_Shamir_attack) and KoreK, and WPA is cracked with them as well. To carry out these attacks, the attacker needs to "collect" a certain number of wireless frames from "legal" clients. The collected frames are then subjected to brute-force decryption attempts. If you try to guess the password directly against the access point, it responds slowly, so guessing takes a long time (and will most likely be detected). When guessing against the collected data, the attacker can work as fast as his hardware allows.

I have bad news for anyone using WPA2 and WPA3: you don't have "absolute protection" either. There is the KRACK attack for WPA2 (https://www.krackattacks.com/); fortunately, not all devices are affected. And for WPA3 there is Dragonblood (https://habr.com/ru/company/jetinfosystems/blog/447628/). Hence the conclusion: passwords must be strong, and sites must be encrypted over HTTPS.

Let's consider another variant of this type of attack: the Evil Twin AP. It is based on switching on an access point with an "SSID twin" of the attacked network; moreover, the access point can be located far from the original network. The purpose of this attack is to force a legitimate user to connect to the attacker's access point. This mainly concerns networks without security protocols (open networks). As soon as the client connects to such an access point, his device detects that the Internet is available and begins its "normal" exchange of information: checking mail, social networks, and so on. But all this traffic passes through an attacker-controlled channel, and all the data can be collected and read. Of course, using HTTPS increases the difficulty of decrypting your data, but it needs to be used everywhere. This attack is applicable, for example, to the public networks of airports, shopping centers and subways. Did you know that similar technology is used to track your movements? Advertising agencies place hotspots with their standard SSIDs near highways, on billboards, and count whoever tries to connect to them. If a person has already been authenticated earlier via SMS, he will be tracked: when and where he goes. The protection in this case is as follows: clean out the saved public networks so that your device does not try to connect to them by itself, and turn off Wi-Fi when it is not needed (the battery will also last longer).

But it is not only unsecured networks that are vulnerable to this attack. If the network is protected, then when a client tries to connect, the client and the access point mutually verify the network password. Having received the password-derived data from the client, the attacker can start cracking it. There may be no fast mathematical method (unless a very weak protection is used), but the "brute force method" has not been canceled: enumerating passwords and comparing the result with the data received from the client gives an exact answer as to whether the password matched or not. And it does not matter whether there is an access point nearby, whether it limits the number of password attempts, or whether the administrator sees these attempts, because the attacker computes everything on his own equipment at maximum speed. There are still a lot of possible passwords, and solving this problem may take too long, especially if passwords are changed from time to time. The problem is that, firstly, passwords are not always changed often enough, and, secondly, passwords usually contain meaningful words, which lets the attacker try not all password variants but only those in a dictionary.

Now let's look at the Phishing AP. It's simple: the attacker creates his own open network, disguising it as a public one, and on top of this network sets up authorization through a captive-portal site. This site should lure the user into entering his data; the main thing is that the user does not realize he is on a phishing site.

Man in the middle (MITM) attacks. Their task is to insert the attacker into the data transmission chain between the attacked user and the attacked network, that is, to act as a repeater. This enables the collection of transmitted data. The main task is to make the user consider the attacking device "legal": the user then creates a "secure connection" with it, which would be difficult for any other attacker to break, but the attacker in question receives the decrypted traffic.

Availability attacks

Denial of service (DoS) attacks are extremely dangerous. Their task is to make it impossible to work on the wireless network.

  • The Queensland attack sends out control frames which indicate that the radio channel must be freed right now so that someone else can transmit important information. These are standard frames from the CSMA/CA medium access mechanism, but they are not used in the way prescribed by the standard. As a result of the attack, nobody has the right to transmit anything on the wireless network.

  • Beacon flooding creates a huge number of bogus wireless networks with the same SSID as the attacked network. The task is to confuse the user and prevent him from choosing the desired network normally. It is achieved by constantly sending out wireless beacon frames.

  • Association flooding. Whenever you see "flooding" in the name of an attack, know that it consists of massive numbers of actions of the same type. In this case, the attacker generates random MAC addresses and connects to the wireless network with each of them, or at least tries to. For each such fictitious address, the access point is forced to spend computing resources. The goal is either to overload the access point with the useless work of checking new clients, or to overflow its wireless client table.

  • Deauthentication flooding. Sending frames on behalf of the access point telling the wireless client that it must disconnect right now. That is, the attacker spoofs his MAC address and, on behalf of the BSSID of the attacked network, sends its clients a request to disconnect. The clients think they have been kicked out and disconnect, then find the network again and reconnect, after which they again receive frames from the attacker.

  • EAP-start flooding. An authentication attack against a RADIUS server that initiates many security checks. The task, as always, is to exhaust the resource pool of the access point or the RADIUS server.

  • Attacks with the wrong EAP message length send messages to the RADIUS server with an incorrect length (not what the standard prescribes). The task is to cause an error when the invalid packets are processed.
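The rogue device section above (Rogue AP, Evil Twin, Fake AP) and this list of flooding attacks describe things that a wireless intrusion detection system can spot from management-frame metadata alone: an SSID you own being advertised by a BSSID you do not own, many BSSIDs advertising one SSID in a short time, and bursts of deauthentication or association frames. The following Python is an added example written for this post, not code from the original article or from the course it cites. It assumes that frame metadata has already been extracted from a monitor-mode capture into the `MgmtFrame` records defined here (the field names, the `AUTHORIZED` inventory, the MAC addresses and the thresholds are all constructed for illustration); it then runs the four checks over a constructed capture that contains normal beacons plus one instance of each attack.

```python
"""Sliding-window checks for rogue APs and management-frame floods.

Added example, not from the original post. Frame metadata is assumed to have
been extracted from a monitor-mode capture into MgmtFrame records; all sample
addresses, SSIDs and thresholds below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class MgmtFrame:
    ts: float          # capture timestamp in seconds
    subtype: str       # "beacon", "deauth", "assoc_req", ...
    src: str           # transmitter MAC address as seen on the air
    bssid: str         # BSSID the frame claims to belong to
    ssid: str = ""     # SSID element (beacons only in this example)


# Authorized inventory: SSID -> legitimate BSSIDs (constructed sample data).
AUTHORIZED = {"CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}


def _max_distinct_in_window(items, window):
    """Largest number of distinct values seen within any `window`-second span.
    items: iterable of (timestamp, value); two-pointer sweep over sorted input."""
    items = sorted(items)
    counts = Counter()
    left, best = 0, 0
    for ts, val in items:
        counts[val] += 1
        while items[left][0] < ts - window:      # drop entries older than the window
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def find_rogue_aps(frames, authorized=AUTHORIZED):
    """Evil Twin / rogue AP: a beacon carrying an SSID we own, sent from a BSSID
    that is not in the inventory for that SSID. Returns sorted (ssid, bssid) pairs."""
    return sorted({(f.ssid, f.bssid) for f in frames
                   if f.subtype == "beacon" and f.ssid in authorized
                   and f.bssid not in authorized[f.ssid]})


def find_beacon_flood(frames, window=1.0, max_bssids=5):
    """Beacon flooding / Fake AP: more than `max_bssids` distinct BSSIDs advertising
    the same SSID within `window` seconds. Returns {ssid: peak distinct BSSIDs}."""
    per_ssid = {}
    for f in frames:
        if f.subtype == "beacon":
            per_ssid.setdefault(f.ssid, []).append((f.ts, f.bssid))
    return {ssid: n for ssid, items in per_ssid.items()
            if (n := _max_distinct_in_window(items, window)) > max_bssids}


def find_deauth_flood(frames, window=1.0, threshold=20):
    """Deauthentication flooding: more than `threshold` deauth frames attributed to
    one BSSID within `window` seconds. The frame index makes every frame count."""
    per_bssid = {}
    for i, f in enumerate(frames):
        if f.subtype == "deauth":
            per_bssid.setdefault(f.bssid, []).append((f.ts, i))
    return {b: n for b, items in per_bssid.items()
            if (n := _max_distinct_in_window(items, window)) > threshold}


def find_assoc_flood(frames, window=1.0, threshold=30):
    """Association flooding: more than `threshold` distinct client MACs sending
    association requests to one BSSID within `window` seconds."""
    per_bssid = {}
    for f in frames:
        if f.subtype == "assoc_req":
            per_bssid.setdefault(f.bssid, []).append((f.ts, f.src))
    return {b: n for b, items in per_bssid.items()
            if (n := _max_distinct_in_window(items, window)) > threshold}


def run_checks(frames):
    """Run all four detections and return their findings keyed by check name."""
    return {"rogue_aps": find_rogue_aps(frames),
            "beacon_flood": find_beacon_flood(frames),
            "deauth_flood": find_deauth_flood(frames),
            "assoc_flood": find_assoc_flood(frames)}


def sample_frames():
    """Constructed capture: normal beacons plus one instance of each attack."""
    ap1, ap2 = "00:11:22:33:44:01", "00:11:22:33:44:02"
    frames = []
    for i in range(50):  # legitimate beacons from both corporate APs, every 100 ms
        frames.append(MgmtFrame(i / 10, "beacon", ap1, ap1, "CorpWiFi"))
        frames.append(MgmtFrame(i / 10 + 0.05, "beacon", ap2, ap2, "CorpWiFi"))
    twin = "aa:bb:cc:dd:ee:01"  # Evil Twin: our SSID from an unknown BSSID
    for i in range(10):
        frames.append(MgmtFrame(1.0 + i / 10, "beacon", twin, twin, "CorpWiFi"))
    for i in range(8):  # Fake AP: 8 bogus BSSIDs for one SSID within 0.35 s
        b = f"02:00:00:00:00:{i:02x}"
        frames.append(MgmtFrame(2.0 + i * 0.05, "beacon", b, b, "FreeAirportWiFi"))
    for i in range(25):  # deauth flood: 25 frames spoofed "from" ap1 within 0.5 s
        frames.append(MgmtFrame(3.0 + i * 0.02, "deauth", ap1, ap1))
    for i in range(35):  # association flood: 35 distinct client MACs at ap2 within 0.7 s
        frames.append(MgmtFrame(4.0 + i * 0.02, "assoc_req", f"06:00:00:00:00:{i:02x}", ap2))
    return frames


if __name__ == "__main__":
    for name, finding in run_checks(sample_frames()).items():
        print(f"{name}: {finding}")
```

The window sweep is shared by the three flood checks; the deauth check feeds it the frame index as the "value" so that every frame is counted, while the other two count distinct BSSIDs or client MACs. In a real deployment the thresholds need tuning per site (a dense office legitimately shows many BSSIDs per SSID, and roaming clients produce bursts of reassociations), and the inventory should be fed from the controller rather than a hard-coded dictionary.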

Integrity attacks

The essence of these attacks is to modify the transmitted information. This can be the injection of new packets, or the recording and replaying of previously transmitted packets. The packets can be ordinary data or connection/authentication data. The task is to confuse everyone.

Authentication attacks

Cracking or intercepting passwords for network access is the task of authentication attacks. Having recovered the password once, the attacker can then use it many times. Any password can be cracked: if there are no known vulnerabilities that allow the password to be found quickly by a mathematical method, the brute force method, the plain enumeration of all possible passwords, remains. If your password is "admin", then I have bad news for you...

Instead of a conclusion

Hacking other people's wireless networks is a bad business. But the same techniques can be used to test the resilience of your own network. Many different utilities are used for the various attacks, and a large number of them work on the Linux command line, so you need to prepare for this. If you want to try yourself in the role of a "hacker", you can try the Kali Linux distribution, which contains a large number of utilities of various kinds that can help you.


very informative, thanks

Thank you very much for the high quality article, once again!

Did you ever personally experience some of those attacks at your workplace?


Peterhof
Peterhof Created May 16, 2021 09:21:27 (0) (0)
Hello, Irina!
I am sorry for the late answer. You already found it:
https://forum.huawei.com/enterprise/en/deauth-attack-experiments-with-huawei-access-poin/thread/733437-867  
Irina
Irina Reply Peterhof  Created May 17, 2021 07:28:42 (1) (0)
Yeah, you're right  
For any computer equipment that is attacked, one of the tips is to reset the network equipment and then reinstall the operating system on the computers, because the pirates have had access to it before the system is reinstalled.

good

Thanks for sharing knowledge

An excellent overview of a sub-set of threats.

Thanks for sharing this knowledge