Attacks


Access control attacks

These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls.

| Type of Attack | Description | Methods and Tools |
|---|---|---|
| War Driving | Discovering wireless LANs by listening to beacons or sending probe requests, thereby providing a launch point for further attacks. | Airmon-ng, DStumbler, KisMAC, MacStumbler, NetStumbler, Wellenreiter, WiFiFoFum |
| Rogue Access Points | Installing an unsecured AP inside the firewall, creating an open backdoor into the trusted network. | Any hardware or software AP |
| Ad Hoc Associations | Connecting directly to an unsecured station to circumvent AP security or to attack the station. | Any wireless card or USB adapter |
| MAC Spoofing | Reconfiguring an attacker's MAC address to pose as an authorized AP or station. | MacChanger, SirMACsAlot, SMAC, Wellenreiter, wicontrol |
| 802.1X RADIUS Cracking | Recovering the RADIUS secret by brute force from an 802.1X access request, for use by an evil twin AP. | Packet capture tool on the LAN or network path between AP and RADIUS server |

Confidentiality attacks

These attacks attempt to intercept private information sent over wireless associations, whether sent in the clear or encrypted by 802.11 or higher layer protocols.

| Type of Attack | Description | Methods and Tools |
|---|---|---|
| Eavesdropping | Capturing and decoding unprotected application traffic to obtain potentially sensitive information. | bsd-airtools, Ettercap, Kismet, Wireshark, commercial analyzers |
| WEP Key Cracking | Capturing data to recover a WEP key using passive or active methods. | Aircrack-ng, airoway, AirSnort, chopchop, dwepcrack, WepAttack, WepDecrypt, WepLab, wesside |
| Evil Twin AP | Masquerading as an authorized AP by beaconing the WLAN's service set identifier (SSID) to lure users. | cqureAP, D-Link G200, HermesAP, Rogue Squadron, WifiBSD |
| AP Phishing | Running a phony portal or Web server on an evil twin AP to "phish" for user logins and credit card numbers. | Airpwn, Airsnarf, Hotspotter, Karma, RGlueAP |
| Man in the Middle | Running traditional man-in-the-middle attack tools on an evil twin AP to intercept TCP sessions or SSL/SSH tunnels. | dsniff, Ettercap-NG, sshmitm |

Integrity attacks

These attacks send forged control, management or data frames over wireless to mislead the recipient or facilitate another type of attack (e.g., DoS).

| Type of Attack | Description | Methods and Tools |
|---|---|---|
| 802.11 Frame Injection | Crafting and sending forged 802.11 frames. | Airpwn, File2air, libradiate, void11, WEPWedgie, wnet dinject/reinject |
| 802.11 Data Replay | Capturing 802.11 data frames for later (modified) replay. | Capture + Injection Tools |
| 802.1X EAP Replay | Capturing 802.1X Extensible Authentication Protocol messages (e.g., EAP Identity, Success, Failure) for later replay. | Wireless Capture + Injection Tools between station and AP |
| 802.1X RADIUS Replay | Capturing RADIUS Access-Accept or Access-Reject messages for later replay. | Ethernet Capture + Injection Tools between AP and authentication server |

Authentication attacks

Intruders use these attacks to steal legitimate user identities and credentials to access otherwise private networks and services.

| Type of Attack | Description | Methods and Tools |
|---|---|---|
| Shared Key Guessing | Attempting 802.11 Shared Key Authentication with guessed, vendor default or cracked WEP keys. | WEP Cracking Tools |
| PSK Cracking | Recovering a WPA/WPA2 PSK from captured key handshake frames using a dictionary attack tool. | coWPAtty, genpmk, KisMAC, wpa_crack |
| Application Login Theft | Capturing user credentials (e.g., e-mail address and password) from cleartext application protocols. | Ace Password Sniffer, Dsniff, PHoss, WinSniffer |
| Domain Login Cracking | Recovering user credentials (e.g., Windows login and password) by cracking NetBIOS password hashes, using a brute-force or dictionary attack tool. | John the Ripper, L0phtCrack, Cain |
| VPN Login Cracking | Recovering user credentials (e.g., PPTP password or IPsec Preshared Secret Key) by running brute-force attacks on VPN authentication protocols. | ike_scan and ike_crack (IPsec), anger and THC-pptp-bruter (PPTP) |
| 802.1X Identity Theft | Capturing user identities from cleartext 802.1X Identity Response packets. | Capture Tools |
| 802.1X Password Guessing | Using a captured identity, repeatedly attempting 802.1X authentication to guess the user's password. | Password Dictionary |
| 802.1X LEAP Cracking | Recovering user credentials from captured 802.1X Lightweight EAP (LEAP) packets using a dictionary attack tool to crack the NT password hash. | Anwrap, Asleap, THC-LEAPcracker |
| 802.1X EAP Downgrade | Forcing an 802.1X server to offer a weaker type of authentication using forged EAP-Response/Nak packets. | File2air, libradiate |

Availability attacks

These attacks impede delivery of wireless services to legitimate users, either by denying them access to WLAN resources or by crippling those resources.

| Type of Attack | Description | Methods and Tools |
|---|---|---|
| AP Theft | Physically removing an AP from a public space. | "Five finger discount" |
| Queensland DoS | Exploiting the CSMA/CA Clear Channel Assessment (CCA) mechanism to make a channel appear busy. | An adapter that supports CW Tx mode, with a low-level utility to invoke continuous transmit |
| 802.11 Beacon Flood | Generating thousands of counterfeit 802.11 beacons to make it hard for stations to find a legitimate AP. | FakeAP |
| 802.11 Associate / Authenticate Flood | Sending forged Authenticates or Associates from random MACs to fill a target AP's association table. | FATA-Jack, Macfld |
| 802.11 TKIP MIC Exploit | Generating invalid TKIP data to exceed the target AP's MIC error threshold, suspending WLAN service. | File2air, wnet dinject, LORCON |
| 802.11 Deauthenticate Flood | Flooding station(s) with forged Deauthenticates or Disassociates to disconnect users from an AP. | Aireplay, Airforge, MDK, void11, commercial WIPS |
| 802.1X EAP-Start Flood | Flooding an AP with EAP-Start messages to consume resources or crash the target. | QACafe, File2air, libradiate |
| 802.1X EAP-Failure | Observing a valid 802.1X EAP exchange, and then sending the station a forged EAP-Failure message. | QACafe, File2air, libradiate |
| 802.1X EAP-of-Death | Sending a malformed 802.1X EAP Identity response known to cause some APs to crash. | QACafe, File2air, libradiate |
| 802.1X EAP Length Attacks | Sending EAP type-specific messages with bad length fields to try to crash an AP or RADIUS server. | QACafe, File2air, libradiate |

Note: Many of these tools can be found in the BackTrack Auditor Security Collection, a live CD open source toolkit intended for use during penetration testing and vulnerability assessment.
