We have talked a couple of times about programs like Wireshark. With Wireshark you are able to 'listen' to all the frames that are transmitted over the air. Another word for this is eavesdropping. This is not per se an attack, since you can use Wireshark for troubleshooting as well. Sadly, people can also misuse Wireshark. With eavesdropping, an attacker can see all the frames and, when those frames are not encrypted, even read your mail traffic. You, as administrator, don't know this, because a passive listener never transmits anything and therefore cannot be traced. The ways to protect your network against malicious eavesdropping are a good encryption mechanism like CCMP/AES, so that the payload of the captured frames is useless to the attacker, and a Faraday shield, which limits how far your RF propagates. A Faraday shield is a solution in which the walls are made from a material that blocks RF. Keep in mind that CCMP/AES encrypts the data frame payload only: MAC addresses, management frames and traffic volumes stay visible to anyone capturing. Besides eavesdropping, there are other attacks as well.
Before talking about the different attacks, what are the risks when unauthorized users are connected to your Wi-Fi?
Data Theft: stealing information that is stored in the company, like credit card information, personal information or medical information.
Data Destruction: erasing the data that the attacker has access to, such as databases or important files.
Loss of Services: disabling services in the network. The attacker doesn't steal or destroy any data, but rebooting servers or stopping services can still have an impact on the business.
Malicious Data Insertion: uploading viruses or other malware to the network that can infect all the computers within it.
Rogue devices
Wireless or not, in both situations it is possible that there are access points on your network that you are not aware of and that shouldn't be there. These access points are called rogue access points. Sometimes the definition is not clear, because people call access points from nearby companies rogue access points, when they are not: those access points can interfere with your channels, but they are not connected to your network and are better called neighbor access points. Rogue access points are most of the time created unintentionally by users or customers in your office, who are not aware of the consequences. If you don't have a good monitoring tool (a WIDS/WIPS that correlates what it hears in the air with what it sees on the wire), those access points can stay invisible to you. They are most of the time not secured, and other people in the building with bad intentions can connect to them and reach your wired network through them.
Another example of a rogue device is an IBSS. Your computer is connected with a cable to the wired network while your wireless network card is still on. Other people can connect to your wireless network card, form an ad-hoc/IBSS network with it, and use your computer as a path onto the wired network.
Don't forget about wireless printers. If they are not secured well enough, hackers can connect to the printer, upload their own firmware to it and use the printer as an ad-hoc network. The printer then becomes the bridge between the hacker and the wired network.
Social Engineering
Hackers try to gather information by asking users questions. We sometimes talk about PICNIC (Problem In Chair Not In Computer), which means that the user is the problem and not something technical. This applies to security too: people know a lot and share it easily, for example by writing passwords down or telling their friends things about their work.
Hackers can use pretexting, which means that the hacker pretends to be someone else, such as someone from the service desk who needs your password to test something.
Phishing is a method of sending mails with fake links. You click on the link and some program is installed on your laptop, or you are asked to fill in your credit card information.
Quid pro quo means you exchange things. You give something valuable to the hacker and the hacker gives you something back. It sounds like a great deal, but the information you hand over may be the last piece of a puzzle the hacker is putting together.
Baiting is exactly what the name says: you put out something attractive as bait (a free download, a 'lost' USB stick, an open hotspot), wait for people to bite like fish on a hook, and gather the information you need from whoever takes it.
With dumpster diving you literally go through the trash looking for papers with information like passwords or credit card numbers.
RF attacks
In my CWAP blogs you can read that there are multiple kinds of interference. Interference can be unintentional or intentional. Unintentional interference comes from things like a baby monitor or a microwave oven, but a hacker who uses an RF jammer is intentionally interfering with your network. Because jamming happens below layer 2, no encryption or authentication setting will stop it; a spectrum analyzer is the tool to locate the source.
Layer 2 attacks
As a hacker it is possible to inject frames that de-authenticate clients. This is used for man-in-the-middle attacks (and as a plain denial of service). Also described in the CWAP blogs is the NAV attack, which sets a large value in the Duration field of a frame so that other clients hold off transmitting. You can also spoof beacon frames and advertise an illegal channel (channel 14 is not permitted in the USA) or a channel that doesn't exist. Then there is the probe response flood, where the attacker sends probe responses to clients so that the clients try to connect to those 'access points'. Finally there is the association flood attack: the attacker fills the association table of an access point with fake clients, so the table is full and real clients can no longer associate. Note that de-authentication and disassociation frames are unprotected management frames; 802.11w (Protected Management Frames) lets the AP and client reject spoofed ones.
Peer-to-Peer
When wireless networks are not configured correctly, it is possible for clients to connect to other clients (ad-hoc networks), or to reach each other through the access point. If you don't have a policy that blocks peer-to-peer traffic, you leave clients vulnerable to attackers on the same network. You need to enable peer-to-peer blocking (client isolation) on your public networks; you see this mostly on hotspots. Man in the middle is a form of peer-to-peer attack. Another option to protect yourself from peer-to-peer attacks is the personal firewall on your device, which drops unsolicited connections from other clients.
Man in the Middle
The hacker sends a de-authentication frame to your device, and the hacker has software on his laptop that acts like an access point advertising the same SSID as yours. The software access point has a higher signal strength at your location than the access point you were connected to. After the de-authentication your laptop reconnects to the software access point, and all your traffic goes through the hacker's laptop.
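As an added example (not code from the original blog or from any vendor's WIPS): a small Python detector for the layer 2 attacks described above and for the de-authentication step of the man-in-the-middle attack. It builds raw 802.11 management frames, parses their headers, and runs three checks over a constructed capture: deauth/disassoc bursts and broadcast deauths that spoof your AP's address, Duration (NAV) values above a threshold, and beacons that advertise a channel outside the regulatory domain or your own SSID from a BSSID you don't operate. The SSID, BSSID list, US channel set, 5000 µs NAV threshold and 5-frames-per-second flood threshold are assumptions for the example; the capture is constructed in the script, not a real trace.

```python
import struct
from collections import defaultdict

# 802.11 management-frame subtypes (frame type 0) used below
SUBTYPE_PROBE_RESP, SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 5, 8, 10, 12
BROADCAST = b"\xff" * 6

# Assumed site policy (hypothetical values for this example)
OUR_SSID = b"corp"
OUR_BSSIDS = {"00:11:22:33:44:55"}          # the access points we actually operate
US_24GHZ_CHANNELS = set(range(1, 12))        # channels 1-11; 12-14 are not permitted in the USA
NAV_SUSPECT_US = 5000                        # Duration values (us) above this are treated as NAV abuse
DEAUTH_FLOOD_PER_SECOND = 5                  # deauth/disassoc frames per transmitter per second

def mac(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)

def build_mgmt_frame(subtype, addr1, addr2, addr3, duration=0, seq=0, body=b""):
    """Build a management frame: Frame Control and Duration/ID (both little-endian),
    three addresses, Sequence Control, then the frame body. FCS is omitted."""
    frame_control = (0 << 2) | (subtype << 4)   # protocol version 0, type 0 (management)
    header = struct.pack("<HH", frame_control, duration) + addr1 + addr2 + addr3
    return header + struct.pack("<H", seq << 4) + body

def parse_mgmt_frame(frame: bytes) -> dict:
    """Parse the 24-byte MAC header of a management frame."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    frame_control, duration = struct.unpack_from("<HH", frame, 0)
    return {
        "type": (frame_control >> 2) & 0x3,
        "subtype": (frame_control >> 4) & 0xF,
        # bit 15 set means the field carries an AID or CF value, not a NAV duration
        "duration": None if duration & 0x8000 else duration,
        "addr1": mac(frame[4:10]),    # receiver
        "addr2": mac(frame[10:16]),   # transmitter (the address an attacker spoofs)
        "addr3": mac(frame[16:22]),   # BSSID
        "body": frame[24:],
    }

def beacon_info(body: bytes):
    """Return (ssid, channel) from a beacon body: 12 bytes of fixed fields, then
    information elements as (element ID, length, value) triples."""
    ssid, channel, pos = None, None, 12
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + elen]
        if eid == 0:
            ssid = value
        elif eid == 3 and elen == 1:
            channel = value[0]
        pos += 2 + elen
    return ssid, channel

def analyze(capture):
    """capture: list of (timestamp in seconds, raw frame). Returns de-duplicated alerts."""
    alerts, seen = [], set()
    deauth_times = defaultdict(list)           # transmitter -> recent deauth timestamps

    def alert(msg):
        if msg not in seen:
            seen.add(msg)
            alerts.append(msg)

    for ts, raw in capture:
        f = parse_mgmt_frame(raw)
        if f["type"] != 0:
            continue
        if f["duration"] is not None and f["duration"] > NAV_SUSPECT_US:
            alert(f"NAV abuse: {f['addr2']} set duration {f['duration']} us")
        if f["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            if f["addr1"] == mac(BROADCAST):
                alert(f"broadcast deauth spoofing {f['addr2']}")
            recent = [t for t in deauth_times[f["addr2"]] if ts - t <= 1.0] + [ts]
            deauth_times[f["addr2"]] = recent
            if len(recent) >= DEAUTH_FLOOD_PER_SECOND:
                alert(f"deauth flood spoofing {f['addr2']}")
        if f["subtype"] == SUBTYPE_BEACON:
            ssid, channel = beacon_info(f["body"])
            if channel is not None and channel not in US_24GHZ_CHANNELS:
                alert(f"beacon from {f['addr3']} advertises illegal channel {channel}")
            if ssid == OUR_SSID and f["addr3"] not in OUR_BSSIDS:
                alert(f"evil twin: unknown BSSID {f['addr3']} advertises SSID {ssid.decode()}")
    return alerts

# Constructed sample capture (not a real trace)
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("aabbccddee01")
ROGUE = bytes.fromhex("66778899aabb")

def sample_capture():
    """Six broadcast deauths spoofing the AP, a probe response with an inflated NAV,
    a rogue beacon for our SSID on channel 14, and one legitimate beacon."""
    cap = [(i * 0.1, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, seq=i,
                                      body=struct.pack("<H", 7)))       # reason code 7
           for i in range(6)]
    cap.append((1.0, build_mgmt_frame(SUBTYPE_PROBE_RESP, CLIENT, AP, AP, duration=30000)))
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0411)                  # timestamp, interval, capability
    rogue_body = fixed + b"\x00\x04corp" + b"\x03\x01\x0e"               # SSID "corp", channel 14
    good_body = fixed + b"\x00\x04corp" + b"\x03\x01\x06"                # SSID "corp", channel 6
    cap.append((1.2, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ROGUE, ROGUE, body=rogue_body)))
    cap.append((1.5, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP, body=good_body)))
    return cap

if __name__ == "__main__":
    for line in analyze(sample_capture()):
        print(line)
```

Run it as a script to print the alerts. A real deployment would feed it frames from a monitor-mode capture (with the radiotap header stripped) and add signal strength to the beacon check, since the evil twin only wins when it is the strongest signal at the victim's location.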
Management interface exploits
When you get new hardware, the first thing you need to do is change the default username and password; there are lists on the internet with the default usernames and passwords of every vendor. With proper staging (changing the credentials, disabling unused management protocols, and restricting management access to a management VLAN) you can prevent management interface exploits.