Admin: /* Rogue AP Attacks */

2016-08-19T08:31:07Z

Rogue AP Attacks

← Older revision		Revision as of 08:31, 19 August 2016
Line 30:		Line 30:

	The Rogue AP attack tricks the sheep into thinking that a random access point is actually the sheep's (for example) home network, for which the encrypted passphrase is saved so the sheep can quickly and conveniently connect to their home wifi network when they get home after a long day of doing sheep stuff from 9 to 5. The phone does not question whether the wifi network is in the right place - it just checks that the MAC address (easily spoofed) is correct.		The Rogue AP attack tricks the sheep into thinking that a random access point is actually the sheep's (for example) home network, for which the encrypted passphrase is saved so the sheep can quickly and conveniently connect to their home wifi network when they get home after a long day of doing sheep stuff from 9 to 5. The phone does not question whether the wifi network is in the right place - it just checks that the MAC address (easily spoofed) is correct.


			=Flags=

			{{KaliAttackLayersFlag}}

Admin: Created page with "=Data Layer 2 Attacks= ==Review== Let's review the network stack before we launch into network layer attacks. {{NetworkStack}} Layer 3 is the Network layer. It handles IP..."

2016-08-19T08:29:56Z

Created page with "=Data Layer 2 Attacks= ==Review== Let's review the network stack before we launch into network layer attacks. {{NetworkStack}} Layer 3 is the Network layer. It handles IP..."

New page

=Data Layer 2 Attacks=

==Review==

Let's review the network stack before we launch into network layer attacks.

{{NetworkStack}}

Layer 3 is the Network layer. It handles IP addresses and translating between MAC addresses and IP addresses.

==Scenario==

Suppose you're attacking a sheep that's on a foreign network, and you have zero information about the sheep and/or about the sheep's network. Where does that leave you? Fortunately, given the volume of information publicly broadcasted by devices, you've got plenty to go on.

The Data layer is synonymous with the MAC addresses of machines. This is the basic way that computers are able to create data channels among themselves - it all begins with the unique device identifiers called MAC addresses. These identifiers are like hardware fingerprints. (Changing your mac address with a tool like [[Macchanger]] is akin to changing your fingerprints, and can potentially raise Hell on a network.) MAC addresses usually encode information about the manufacturer in the first 6 hex digits; for example, most or all Apple computers share a set of MAC prefixes. These prefixes can be looked up online or using software libraries in the kernel, and will tell you the manufacturer of a given device.

Attacks in Layer 2 are valuable because they require no prior information about a sheep, a network, etc. Because Layer 2 information (unique identifiers/MAC addresses) provides the most basic foundations of a communication system, this information is not private or encrypted - in fact it is publicly broadcast. This is perhaps the most startling thing about using the aircrack tool - the wealth of information that is continuously being broadcast by a huge number of devices.

Devices like routers are continually broadcasting advertisements with their MAC address and SSID (network name). Networks need to publicly advertise their MAC addresses in order for clients to send connection requests.

Client devices are also continually sending their own MAC address, as they need to include a "return address" on all packets they transmit. Every device in the vicinity will receive these packets - the 802.11 protocol simply dictates that radios be polite and not read other people's mail, and packets not intended for the host machine are discarded at the hardware level and never reach the CPU. By putting a wifi card in monitor mode, you are turning off that discard mechanism, and every single packet you hear is processed by the CPU.

==Deauth Attacks==

Because Layer 2 is where basic channels of data are created, everything must be public. This includes the handshake process - which is where the main weakness of WPA lies. The handshake process must take place publicly, and according to the WPA protocol, the encrypted handshake is sent in a packet that anyone can read. Thus, someone listening with software like [[Aircrack]] can capture these handshake packets, and obtain an encrypted passphrase for a given network. With tools like [[John]], these encrypted passphrases can be cracked.

==Rogue AP Attacks==

Another type of trickery that can occur at Layer 2 is a Rogue AP, namely, a fake AP that is created with the intention of tricking clients into revealing wifi credentials. This attack is also a Layer 2 attack, because it takes advantage of the fact that devices are often set to automatically send an encrypted handshake packet to any wifi network that claims to be a "remembered" wifi network. Of course, the names of these "remembered" networks are also broadcast, so it isn't like it's a secret or anything.

The Rogue AP attack tricks the sheep into thinking that a random access point is actually the sheep's (for example) home network, for which the encrypted passphrase is saved so the sheep can quickly and conveniently connect to their home wifi network when they get home after a long day of doing sheep stuff from 9 to 5. The phone does not question whether the wifi network is in the right place - it just checks that the MAC address (easily spoofed) is correct.

Kali/Layer 2 Attacks - Revision history

Admin: /* Rogue AP Attacks */

Admin: Created page with "=Data Layer 2 Attacks= ==Review== Let's review the network stack before we launch into network layer attacks. {{NetworkStack}} Layer 3 is the Network layer. It handles IP..."