Wireless Attacks Unleashed 2023

In this article we will learn about Wireless Attacks Unleashed.

Introducton to Wireless Attacks Unleashed:

As we all know, wireless networks are spread in every part of the world, starting from personal home to corporate environments, schools/universities, coffee shops, etc. The main advantage of wireless networks is to eliminate large and messy cables, which saves space and does not spoil the appearance of your workspace. But as we all know, every coin has two sides. Wireless networks also have their drawbacks. It comes with a high possibility of attacks on it. In this article, I will describe the different attack techniques on wireless networks and what we should do to prevent them.

Also Read:Theoretical Methodology for Detecting ICMP Reflected Attacks: SMURF Attacks 2023

Let’s start with the WLAN protocol, also known as the 802.11 protocol, commonly used for wireless networks. The main function of this protocol is to connect more than one device. It uses spread spectrum signals. The functionality of these signals is based on high-frequency communication, where a network is created between two point-to-point terminal devices consisting of a transmitter and a receiver. In this mechanism, participants (in terms of end devices) must have transmitters and receivers to transmit and receive signals.

To connect to a wireless network, each participant must have a wireless AP (Access Point – also known as a Wi-Fi hot-spot) along with a wireless adapter. The AP works as a walkie-talkie. Converts radio signals to digital and vice versa. When an AP transmits signals, those signals have an SSID, known as a service set identifier and network identification information. The receiver detects the signals and displays a list of available wireless networks around it along with the signal strength. Not only that, it also identifies if the AP uses any security and if so, what level of security it is. As a wireless network, it allows more than one node to join the network, so authentication is important to ensure that there is no malicious internet user lying on that network. This responsibility rests with the AP agency.

Wi-Fi security

If you look at the wireless network protocol architecture as shown in the figure below, you will see that there is no built-in security.

Figure: 802.11 Protocol Architecture

So researchers implemented techniques like authentication and encryption on top of the 802.11 protocol stack. These techniques are WEP and WPA, respectively known as “Wireless Equivalent Privacy” and “Wi-Fi Protected Access”. Unlike wired networks, wireless network signals can be easily intercepted and manipulated. So encryption and authentication is a must for wireless networks.

Creating a wireless network using the pre-shared authentication technique

In order to successfully establish a connection, we know that the client will need access to the AP. So the client sends a request to the AP for authentication. Then the AP sends a challenge to the client: the client will have to encrypt the text with a pre-configured key and also send it back to the AP. The AP decrypts it with the key, and if it matches, the connection is established; otherwise the connection will be broken. I wrote this key exchange and confirmation process in a very simplified way. In real life it works as shown in Figure 2 below.

Figure: Pre-shared Authentication Process

A newer version of the protocol consists of an SSID with a combined shared key. The WEP key uses the RC4 algorithm, but the WEP key is completely corrupted. Therefore, large IT companies do not use the WEP key in order not to compromise their organization’s wireless network. We now fully understand what Wi-Fi is, how it works, and what protocols are in action. Now we move on to security attacks in Wi-Fi networks.

Passive attack: These attacks are not harmful to networks; are conducted for the purpose of gathering information. A malicious user simply listens to all incoming and outgoing wireless network traffic. As we know, traffic consists of packets and each packet contains juicy information such as packet sequence numbers, MAC address and many more. The nature of these attacks is silent, making them difficult to detect. Using this attack, a malicious attacker can perform an active attack on a wireless network. Sometimes malicious users use packet decryption tools to steal information by decrypting data from them. Decrypting packets in WEP is really easy because WEP security is very low and easy to crack. Sometimes this technique is also called WARN DRIVING. If you want to know how war management is possible and practically done, you have to look at the reference at the end, which has a report that describes the whole way.

Active attack: Since the attacker is doing a passive attack to get information about the wireless network, he will now do an active attack. Active attacks are mostly IP spoofing and Denial of Service attacks.

IP Spoofing: In this attack scenario, an attacker accesses an unauthorized wireless network. Not only that, but it also creates packets to impersonate the authorization of that server or network.

Denial of Service Attack: Here an attacker attacks a specific target by flooding packets to the server. In most cases, SYN packets are used because they have the ability to generate a flooding storm.

MITM Attack: Here the attacker accesses the AP information of any active SSID. This is where dummy APs are created. An attacker listens to communication between endpoints. Suppose a client has a TCP connection to any server, then the attacker will be a man in the middle and s/he will split this TCP connection into two separate connections, the common node of which will be the attacker himself. So the first connection is from the client to the attacker and the second connection will be from the attacker to the server. So every request and response will go between the client and the server through the attacker. An attacker can thus steal information that passes through the air between them.

Figure : MITM attack scenario

Wireless jamming attack: Wireless radio signals are used in this attack scenario. The attacker may have a stronger antenna for the signal generator. First, the attacker identifies the signals around him or the target AP. It then creates radio signals with the same frequency and starts broadcasting through the air to create a wireless network signal tornado. As a result, the target AP gets stuck. In addition, the legitimate user node is also jammed with signals. It disables the AP connection between the legitimate user of the wireless network and the network itself. The blocking of a wireless network can mainly have three reasons:

Fun – Prevent a legitimate user from receiving any data from the Internet.
Spy – A delay in the deployment of a packet to a legitimate user can give an attacker more time to decipher the packet to steal information.
Attack – An attacker can spoof packets and send them to a victim to take control of a user’s computer or network.
This is a type of DOS attack on wireless networks. This attack occurs when any spurious or spoof RF frequencies cause problems with the legitimate operation of a wireless network. In some cases, these are false positives, such as a cordless phone using the same frequency as the wireless network. So in that case, you may see some results in your wireless monitoring software or mechanism, but it’s not actually signal interference. This isn’t a very common attack because it requires a ton of capable hardware.

Figure 4. Access Points, Transmitters and Jammers

Figure 4 above describes the architecture of the launched attack, in which there are various access points, jammers and legitimate transmitters. The main function of a jammer is to disrupt wireless communication.

Pre-Shared Key Guessing: As we all know, pre-shared key is used by both AP and node to encrypt data communication. Administrators of these Wi-Fi networks generally do not change the default key in place. Professional hackers always try to find the wireless access point manufacturer to get the default ID and password. There are some websites that provide a list of router manufacturer default names, their admin IDs and passwords. Some of them are listed below:

http://www.routerpasswords.com/
http://www.phenoelit.org/dpl/dpl.html
http://www.similarsites.com/goto/defaultpassword.com?searchedsite=routerpasswords.com&pos=2
This web page displays a list of password IDs for various router administrator accesses and access to configuration settings. However, an attacker will need access to Wi-Fi to connect to this part. Nowadays, every router is equipped with encryption technology and most all routers use WEP key. The full form of WEP is Wired Equivalent Privacy, which is the default standard protocol for 802.11 wireless networks. It is based on the RC4+XOR algorithm to convert plaintext to ciphertext using a 40-bit key along with a 24-bit initialization vector. Below, Figure 5 shows the standard WEP encryption process using the RC4 algorithm along with the XOR technique.

Figure 5. Standard WEP Encryption Process using RC4 algorithm with XOR operation

However, research shows that this encryption mechanism has many weaknesses and is therefore completely cracked. Research also says that it takes more than 40,000 packets of data to crack WEP in a matter of minutes. There are some other techniques like dictionary attack and statistical key guessing attack that can be used to crack WEP key in no time.

There are also some other attacks that are a potential threat to wireless networks. These attacks are mentioned and described below. Before we can understand the different attacks on wireless networks, we need to know where an attacker can launch an attack on wireless networks. See Figure 6 below for illustration.

Figure 6. Places where wireless attacks can be performed

Frame Injection Attacks on 802.11: In order to perform this kind of attack, an attacker must have a deep understanding and knowledge of the protocol. Any professional hacker will perform this method to perform an injection attack on wireless networks. First, it will passively collect information about this network. The attacker then creates wireless protocol frames to send to the target network. There are basically two ways to do this. One can either create a fake packet and inject it into this network. The second way is to sniff network traffic. Once these packets are sent to the server, the response from that wireless network is intercepted, intercepted, and modified by the attacker to perform a man-in-the-middle attack. This is hard to detect because it happens at layer two. An illustration of this process is shown below in Figure 7.

Figure 7. Frame Injection & MITM attack scenario in wireless networks

Denial of Sleep Attack: Sometimes wireless networks do not use radio transmission. So to reduce the consumption, it regulates the communication of that particular node. This mechanism can be exploited by a malicious user. An attacker can deplete the power of the sensor device to greatly reduce the lifetime of the node, or attack the MAC layer to reduce the sleep time. If the number of exhausted nodes increases, the entire network may be disrupted. Only the MAC protocol has the ability to create a longer sleep time. Without it, you cannot extend the life of your wireless network.

Collision Attack: In this type of attack, the attacker tries to corrupt the packets to be transmitted to the receiver. So when the attacker is successful, the resulting checksum of the packet is not expected at the receiver’s end. As a result, the entire packet will be dropped at the recipient node. Now retransmitting this packet consumes high energy of that particular sensor node. The second approach to the collision attack can be defined as follows: Sometimes messages are transmitted on a node at the same frequency and this can also cause a collision. An illustration of the same frequency problem can be understood in the figure below.

Figure 8. Channel Overlapping Scenario

As you can see in the picture, the yellow area shows that the channel two signals overlap with the channel one working area. Both channels will suffer in communication.

Desynchronization attack: In this attack, an attacker tries to modify check flags and sometimes sequence numbers to falsify packets or messages. As a result, the attacker restricts the legitimate user from exchanging messages between the server and the client. It will continuously require you to resend these messages. This attack causes an infinite retransmission cycle. He gets a lot of energy. We can also say that an attacker disrupts the established connection between two endpoints.

Flooding Attack: There are a lot of DoS attacks that reduce network lifetime in various ways. One common method is a Denial of Service attack. The attacker sends a huge number of packets to prevent the network from communicating with different nodes. The main goal of this attack is to exhaust resources on the victim’s computer.

Figure 9. Flooding in Wireless Network

Replay Attack: In this process, the transmission data is maliciously replayed. The attacker intercepts the data in order to transmit it further. It is part of a spoofing attack that can be taken away by replacing the IP packet. This can be attacked with a stream cipher.

Figure 10. Replay Attack Process Flow

The attacker repeats copies of the victim’s packets to deplete the energy or power source. This kind of attack has the ability to crash applications that are poorly designed.

Selective Redirection Attack: May also be referred to as a “grey hole attack”. In this form of attack, an attacker can stop a node from traversing packets by forwarding or dropping these messages. In one form of a selective forwarding attack, a node selectively rejects packets by dropping them from entering that network from an individual node or a group of individual nodes.

Figure 11. Selecting Forwarding Attack Scenario

The image above illustrates this attack. Here you can see that the malicious node is selectively dropping packets from a particular node or group of nodes. It can do this or forward it somewhere else, which creates no reliable routing information due to forwarding packets to any wrong path on the network.

Unauthorized Routing Update Attack: There are many components in the routing process, such as hosts, base station, access points, nodes, routing protocols, etc. A malicious user can try to update all these information to update the routing table. It is possible that some nodes become isolated from the base station due to this attack. A network partition can also be created due to this attack. After the TTL expires, packets may be dropped. Packets can be forwarded to any unauthorized user. All these incidents are the fallout of this attack.

Wormhole attack: In this type of attack, the attacker copies the entire packet or message by tunneling it to another network from the originator. The attacker then transfers them to the target node. When an attacker transmits copied messages or packets to a target node, he transmits them quickly in such a way that the copied packets reach the target node before the original packets (from the legitimate user) reach it. For this, the attacker uses a wormhole tunnel. Wormhole nodes are fully invisible.

Figure 12. Wormhole Attack Scenario

As an example, the impact of a wormhole attack on routing protocols is shown in Figure 12. An adversary establishes a wormhole connection between nodes s9 and s2 using a low-latency connection. When node s9 broadcasts its routing table as in distance vector routing protocols, node s2 hears the wormhole broadcast and assumes it is one hop away from s2. Similarly, neighbors of s2 modify their own routing tables and route through s2 to reach any of nodes s9, s10, s11, and s12.

Sinkhole Attack: This is a special kind of selective redirection attack that draws attention to the compromised node. A compromised node attracts all the maximum possible network traffic. It then places the malicious node on the nearest base station and enables a selective redirection attack. It’s a very complex attack. Sinkhole attack detection is very difficult and affects higher layer applications. The figure below illustrates the architecture of a sinkhole attack.

Figure 13. Sinkhole Attack Scenario

The interesting thing is that a sinkhole attack can also be done with a wormhole attack. The image below illustrates this scenario where one malicious node collects all network traffic (sinkhole attack) and tunnels (Wormhole attack) with another node to reach the base station.

Figure 14. Sinkhole Attack with Wormhole Attack

Impersonation Attack and Sybil Attack: This attack is very common and well known. An attacker can obtain the IP address or MAC address of a legitimate person to steal their identity and make it their own. The attacker can then attack another victim and do a lot of things with this new stolen identity of the legitimate user. A Sybil attack is an advanced version of an impersonation attack in which a malicious user (attacker) can steal multiple identities. Technically speaking, a malicious node impersonates itself to other nodes by assuming multiple identities. The effects will be the same as when mimicking an attack.

Traffic Analysis Attack: Here the attacker gets information about the network traffic as well as the behavior of the nodes. Traffic analysis can be done by checking the length of the message, the pattern of the message, and the time it remained in the session. An attacker could then associate all of this inbound and outbound traffic with any custom router, which could compromise members’ privacy due to the association with these messages. Sometimes an attacker may be able to connect two nodes with unrelated connections within a network.

References

[1] Brownfield, M.; Yatharth Gupta; Davis, N., “Wireless sensor network denial of sleep attack,” Information Assurance Workshop, 2005. IAW ’05. Proceedings from the Sixth Annual IEEE SMC , vol., no., pp.356,364, 15-17 June 2005

[2]  Raymond, David R.; Midkiff, S.F., “Denial-of-Service in Wireless Sensor Networks: Attacks and Defenses,” Pervasive Computing, IEEE , vol.7, no.1, pp.74,81, Jan.-March 2008

[3]  Oberg, L.; Youzhi Xu, “Prioritizing Bad Links for Fast and Efficient Flooding in Wireless Sensor Networks,” Sensor Technologies and Applications, 2007. SensorComm 2007. International Conference on , vol., no., pp.118,126, 14-20 Oct. 2007

[4]  Zi Feng; Jianxia Ning; Broustis, I.; Pelechrinis, K.; Krishnamurthy, S.V.; Faloutsos, Michalis, “Coping with packet replay attacks in wireless networks,” Sensor, Mesh and Ad Hoc Communications and Networks (SECON), 2011 8th Annual IEEE Communications Society Conference on , vol., no., pp.368,376, 27-30 June 2011

[5]  How 802.11 Wireless Works. (2003, 03 28). Retrieved from Resources and Tools for IT Professionals | TechNet: http://technet.microsoft.com/en-us/library/cc757419%28v=ws.10%29.aspx

[6]  Deciphering Encoding: Packet Analyzation Tools. (2012, 02 09). Retrieved from Stack Overflow: http://stackoverflow.com/questions/541517/deciphering-encoding-packet-analyzation-tools

[7]  Shared Key Authentication . (2013, 08 04). Retrieved from the Microsoft Developer Network: http://msdn.microsoft.com/en-us/library/aa916565.aspx

[8]  Pre-shared key – Wikipedia, the free encyclopedia. (2013, 11 14). Retrieved from Wikipedia, the free encyclopedia: http://en.wikipedia.org/wiki/Pre-shared_key

[9]  Alejandro, P., & Loukas, L. (n.d.). Selective Jamming Attacks In Wireless Networks.

[10] Authentication with Private Pre-Shared Key. (n.d.). Retrieved from Aerohive Networks Wireless WLAN Controller-less | AerohiveWorks.com: http://www.aerohiveworks.com/Authentication.asp

[11] Burak, & Ustun. (n.d.). Security Services in Group Communications over Wireless Infrastructure, Mobile Ad Hoc, and Wireless Sensor Networks.

[12] Chintan, G. (2013, 07 01). MITM ATTACK – Configuration to Exploit. Retrieved from Information Security Aficionado: http://infosecninja.blogspot.co.uk/2013/07/mitm-attack-configuration-to.html

[13]Chintan, G. (2013, 06 02). MITM Attack Scenario. Retrieved from Information Security Aficionado: http://infosecninja.blogspot.co.uk/2013/06/mitm-attack-scenario.html

[14] Christoph, H., & Rafael, W. (n.d.). IP SPOOFING.

[15] Deng, J., & Mishra, R. H. (n.d.). Countermeasures Against Traffic Analysis Attack in Wireless Sensor Networks. Colorado.

[16] Different routing attacks on WSNs. (n.d.). Retrieved from http://www.hindawi.com/journals/ijdsn/2013/802526/fig9/

[17] Garret. (2011, 09 05). Another DNS Attack – And why you need secureauth.. Retrieved from http://www.secureauth.com/blog/another-dns-attack-and-why-you-need-secureauth/

[18] Hardy, L., & Gafen, M. (2009, 07 21). Mesh wireless sensor networks: Choosing the appropriate technology. Retrieved from http://industrial-embedded.com/article-id/?4098

[19] Higgins, T. (2010, 01 24). When Wireless LANs Collide: How To Beat The Wireless Crowd . Retrieved from http://www.smallnetbuilder.com/wireless/wireless-howto/31190-when-wireless-lans-collide-how-to-beat-the-wireless-crowd

[20] Johnson, D. (n.d.). Wireless Pre-shared Key Cracking(WPA, WPA2).

[21] Lehembre, G. (n.d.). Wi-Fi security – WEP, WPA and WPA2. Hackin9.

[22] Lemhachheche, R., & Hong, J. (n.d.). Project : WEP Protocol Weaknesses and Vulnerabilities . Retrieved from Riad Lemhachheche, Oregon State University, Information Systems Engineering – Industrial and Manufacturing Engineering: http://www.mobilelife.eu/OSU/ece578/report.htm

[23] Mdscott. (n.d.). Wireless man-in-the-middle attack. Retrieved from http://itlaw.wikia.com/wiki/Wireless_man-in-the-middle_attack

[24] mister_x. (2011, 01 16). Aircrack-ng. Retrieved from http://www.aircrack-ng.org/doku.php?id=aircrack-ng

[25] Mustafa, H. (n.d.). THE SYBIL ATTACK IN SENSOR NETWORK.

[26] Ou, G. (2007, 04 5). German researchers put final nail in WEP. Retrieved from http://www.zdnet.com/blog/ou/german-researchers-put-final-nail-in-wep/464

[27] Poovendran, R., & Lazos, L. (2006, 05 08). A graph theoretic framework for preventing the wormhole attack. Retrieved from http://www2.engr.arizona.edu/~llazos/research.php

[28] Qijun, G., & Peng, L. (n.d.). Denial of Service Attacks.

[29] Soni, V., Modi, P., & Chaudhri, V. (n.d.). Detecting Sinkhole Attack in Wireless Sensor.

[30] Vader, G. D. (n.d.). Wardriving Manual.