Insertion Attacks

This attack is based on placing unauthorized devices on the wireless network without going through a security process. Using a laptop or PDA, an attacker tries to connect his wireless client to the base station without any authorization. Base stations should be configured to require a password before allowing access to users; however, the sad reality is that many base stations are never set up with one. Without a password requirement, intruders can connect to the internal network with ease, simply by associating a client with the base station as described above. Thubten Comberford of White Hat Technologies described it best when he used the following analogy: “We came across a company with one of these wireless networks. All their source code, everything was available. This network was beaconing, ‘log onto me’… It basically had its Rolls-Royce parked in the driveway, engine running, with a sign saying ‘steal me’.” A more advanced intruder may physically place a base station on a victim's network to allow remote access via wireless. Base stations and other wireless equipment are now inexpensive and very easily obtainable, so intruders can get easy access to the tools necessary to carry out an attack.

Interception and monitoring traffic attacks

If the wireless network uses a username and password to control access to the local network, the attacker can turn to a wireless sniffer. An attacker can sniff and capture legitimate traffic. Many of the tools that accomplish this are based on capturing the first part of a connection session, where the data would typically include the username and password. With this captured information, the intruder can then disguise himself as that user.

Wireless sniffing requires the attacker to be within range of the wireless traffic. This is usually around 300 feet, but wireless equipment continues to strengthen its signals, pushing the wireless signal further out. On the surface this seems to be a beneficial feature for the user, because the user can then access the network or surf the web at a greater distance from the base station, but in actuality it creates a greater risk for the user because it allows intruders to attack from a greater distance as well. If an attacker can sniff the wireless traffic, it is possible to inject false traffic into the connection. The attacker can then hijack the victim's session by issuing commands on behalf of the user.

An attacker can also use a technique called arpspoof (ARP spoofing), which tricks the network into passing sensitive data from the backbone of the subnet and routing it through the attacker's wireless client. This allows the attacker to access sensitive data that normally would not be sent over wireless and gives him an opportunity to hijack TCP sessions.
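As an added example (not from the original article), the detection side of this: an arpwatch-style check over constructed Ethernet/ARP frames that alerts when a second station starts claiming an IP address already bound to another MAC. The frame builder, the addresses and the `watch_arp` name are assumptions made for the example.

```python
"""arpwatch-style detector: alert when the MAC claiming an IP address changes."""
import struct

ETH_HDR_LEN, ARP_ETHERTYPE, ARP_REPLY = 14, 0x0806, 2

def _mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def _ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, or None."""
    if len(frame) < ETH_HDR_LEN + 28 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    arp = frame[ETH_HDR_LEN:]
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # only IPv4 over Ethernet
        return None
    sender_mac = ":".join(f"{b:02x}" for b in arp[8:14])
    sender_ip = ".".join(str(b) for b in arp[14:18])
    return opcode, sender_mac, sender_ip

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed sample ARP reply frame for the detector (never transmitted)."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip) + _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp

def watch_arp(frames):
    """Replay captured frames; return an alert for every IP whose MAC binding flips."""
    bindings, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        known = bindings.setdefault(ip, mac)       # the first station seen claiming the IP is trusted
        if known != mac:
            alerts.append(f"ARP binding change for {ip}: {known} -> {mac}")
    return alerts

# Constructed traffic: the real gateway replies to a host, then a second station claims the gateway's IP.
GATEWAY_IP, GATEWAY_MAC, HOST_MAC = "192.168.1.1", "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, HOST_MAC, "192.168.1.20"),
    build_arp_reply("de:ad:be:ef:00:01", GATEWAY_IP, HOST_MAC, "192.168.1.20"),
]
```

A binding change can also be a legitimate DHCP lease change, so tools of this kind record the flip and leave the judgement to the operator.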

One other way attackers can successfully intercept and monitor traffic is by tricking a legitimate wireless client into connecting to an unauthorized base station set up by the intruder. The base station would need to have a stronger signal within close proximity of the wireless client and mimic a legitimate base station. This will cause unaware users to log into the unauthorized server set up by the attacker. By using fake login prompts, unsuspecting users unknowingly give away valuable data like passwords.

In short, an attacker could eavesdrop on a wireless network using a wireless LAN analyzer application. The attacker could easily capture both the plaintext and the encrypted text of the shared key used for authentication. He can then figure out the authentication response, provide a new checksum using another known exploit, and connect to the network as a valid user.

Jamming

There is another type of attack called jamming, which denies service to legitimate users. Legitimate traffic gets jammed because illegitimate traffic overwhelms the frequencies so that legitimate traffic cannot get through. An attacker with the right equipment can easily flood the 2.4 GHz band so that the signal-to-noise ratio drops so low that the wireless network ceases to function. Another common problem with jamming, which may not be caused by malicious intent, is the fact that more and more technology operates on the 2.4 GHz frequency. It is common to go to the store and find a cordless phone advertising its 2.4 GHz frequency in a large, flashy manner to attract customers. Not only cordless phones, but baby monitors and other devices such as Bluetooth also operate at 2.4 GHz and can disrupt the wireless network.

Client-to-Client Attacks

Two computers can talk directly to each other, bypassing the base station. This is true for wireless clients as well, and because of this, each client must protect itself from other clients.

An attacker can create a denial of service attack on a user by flooding the user's wireless client with phony packets. The attacker can also configure their client to duplicate the IP or MAC address of another legitimate client, causing disruption on the network.

“War driving”, similar to “war dialing” (dialing every number looking for a modem backdoor into a network), is another way intruders can access networks they are not authorized to use. As people go “war driving”, locating access points and recording the GPS coordinates of each access point's location, these access point maps are being shared with any attacker on the Internet. If a company has its access point location and information revealed on the Internet, its access point becomes a potential target and its security risk increases.

Misconfiguration

All base station models come with their own default *Server Set ID (SSID). Attackers can use these default SSIDs to attempt to penetrate base stations that are still in their default configuration. As an example, the Netgear 802.11b wireless router I bought last week from Amazon had its SSID set to “netgear” by default. Many other companies use simple names as well for their default SSID.

Those with configured SSIDs are still subject to attack. Attackers can try to guess the base station's SSID, which acts as its password, by the brute force method of a dictionary attack. This method attempts to guess the SSID with every word possible. This may sound like it would take a long time, but it actually doesn't. There are programs out there that can run through all the dictionary words quite quickly. On top of that, most users choose simple passwords that are easy to remember, for convenience. For attackers, this makes guessing the password like taking candy from a baby.

WEP, the encryption standard for 802.11, which almost all wireless routers come with, only encrypts the data packets, not the 802.11 management packets, and the SSID is carried in the beacon and probe management messages. The SSID is therefore not encrypted even when WEP is turned on, meaning the SSID goes over the air in plaintext. This makes obtaining the SSID very easy with the method described above, sniffing 802.11 wireless traffic. Many access points have SSID broadcasting turned on by default, and sniffers will typically find the SSID in the broadcast beacon packets. Turning off the broadcast of the SSID in the beacon message does not prevent attackers from getting the SSID: a sniffer only needs to wait for a valid user to connect to the network to see the SSID, since the SSID is sent in the clear in the probe message.
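As an added example (not part of the original text) covering both the rogue base station and the plaintext-SSID points: a parser for raw 802.11 management frames that reads the SSID element out of beacons, probe requests and probe responses, plus an audit that flags hidden-SSID beacons, clients that name the network in probe requests, and any unknown transmitter advertising an authorized SSID. The frame builder, the MAC addresses, the `corpnet` SSID and the authorized-AP table are constructed for the example.

```python
"""Pull the SSID out of raw 802.11 management frames and flag hidden or look-alike APs."""

MGMT_HDR_LEN = 24                      # frame control, duration, addr1-3, sequence control
FIXED_LEN = {8: 12, 5: 12, 4: 0}       # fixed fields before the tagged parameters, by subtype
NAMES = {8: "beacon", 5: "probe-resp", 4: "probe-req"}
SSID_IE = 0                            # element ID of the SSID tagged parameter

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt_frame(frame: bytes):
    """Return {'subtype', 'transmitter', 'ssid'} or None for frames we do not handle."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in FIXED_LEN:      # type 0 = management
        return None
    pos, ssid = MGMT_HDR_LEN + FIXED_LEN[subtype], None
    while pos + 2 <= len(frame):                     # walk the (ID, length, body) elements
        ie_id, ie_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + ie_len]
        if len(body) < ie_len:
            break                                    # truncated element, stop parsing
        if ie_id == SSID_IE:                         # empty or all-NUL body = "hidden" SSID
            ssid = "" if not body.strip(b"\x00") else body.decode("utf-8", "replace")
        pos += 2 + ie_len
    return {"subtype": NAMES[subtype], "transmitter": _mac(frame[10:16]), "ssid": ssid}

def build_mgmt_frame(subtype: int, transmitter: bytes, ssid: bytes) -> bytes:
    """Constructed sample frame: broadcast addr1/addr3, zeroed duration, sequence and fixed fields."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + transmitter + b"\xff" * 6 + b"\x00\x00"
    return hdr + b"\x00" * FIXED_LEN[subtype] + bytes([SSID_IE, len(ssid)]) + ssid

def audit(frames, authorized):
    """authorized maps SSID -> set of legitimate AP MACs; returns human-readable findings."""
    findings = []
    for p in filter(None, map(parse_mgmt_frame, frames)):
        if p["subtype"] == "beacon" and p["ssid"] == "":
            findings.append(f"hidden-SSID beacon from {p['transmitter']}")
        elif p["subtype"] == "probe-req" and p["ssid"]:
            findings.append(f"client {p['transmitter']} disclosed SSID '{p['ssid']}' in a probe request")
        elif p["ssid"] in authorized and p["transmitter"] not in authorized[p["ssid"]]:
            findings.append(f"unknown AP {p['transmitter']} advertising '{p['ssid']}'")
    return findings

# Constructed capture: the real AP hides its SSID, a client probes for it by name, a look-alike AP answers.
AP, ROGUE, CLIENT = b"\x00\x11\x22\x33\x44\x55", b"\xde\xad\xbe\xef\x00\x01", b"\x00\xaa\xbb\xcc\xdd\xee"
SAMPLE = [build_mgmt_frame(8, AP, b""), build_mgmt_frame(4, CLIENT, b"corpnet"),
          build_mgmt_frame(5, ROGUE, b"corpnet")]
AUTHORIZED = {"corpnet": {_mac(AP)}}
```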

____________________________________________________________________________________

*Server Set ID (SSID)

The SSID is a configurable identifier that allows clients to communicate with the appropriate base station. If the configuration is done properly, only clients configured with the same SSID can communicate with base stations carrying that SSID. From a security point of view, the SSID acts as a simple shared password between the base station and the client.

***WIRELESS HACKING VIDEO***

The following site contains a video on wireless hacking that introduces some of the attacks described above. Watch video release 0001; you must have the DivX codec to view the video.

http://www.thebroken.org/