Overview common Wi-Fi attacks
1 Sniff Wi-Fi traffic (AND) 2 Gain access (OR) 2.1 Connect to unencrypted network (OR) 2.2 Connect to encrypted wireless network 2.2.1 WPS attack 126.96.36.199 Break WEP encryption 188.8.131.52.1 FMS attack 184.108.40.206.2 Korek's chop-chop 220.127.116.11.3 PTW attack 18.104.22.168.4 Caffe Latte attack 22.214.171.124 Break WPA encryption 126.96.36.199.1 Beck-Tews attack 188.8.131.52.2 Halvorsen-Haugen attack 184.108.40.206.3 Brute force PMK 2.2.2 ARP/MAC spoofing (MitM) 3 Denial of Service 3.1 Jam radio signal 3.2 Flood with broadcast of frames 3.3 Disassociation/deauthentication attack
WEP was the standard before WPA. The WEP encryption process uses the RC4 stream cipher. RC4 is a symmetric key cipher used to expand a short key into an infinite pseudo-random keystream.
A number of flaws in the WEP algorithm seriously undermine the security claims of the system. Possible attacks are:
Passive attacks to decrypt traffic based on statistical analysis.
Active attack to inject new traffic from unauthorised mobile stations, based on known plaintext.
Active attacks to decrypt traffic, based on tricking the access point.
Dictionary-building attack that, after analysis of about a day’s worth of traffic, allows real-time automated decryption of all traffic.
Key reuse in the encryption stream (24-bit IV) makes it vulnerable to cracking, as well as to fragmentation
and replay attacks.
aireplay-ng can be used to generate IV samples and
decipher the secret key. You can also use wifite to conduct attacks against WEP.
WPA and WPA2
WPA was introduced as an interim replacement for WEP and did not require consumers to replace hardware to support the new security measure. Instead, most vendors released software/firmware updates that could be installed on existing devices. There are multiple flavors of WPA based on the 802.11i wireless security standard: WPA, WPA2, and WPA3.
WPA increased from 63-bit and 128-bit encryption in WEP to 256-bit encryption technology. WPA implemented the Temporal Key Integrity Protocol (TKIP) after WEP encryption was broken. TKIP is symmetric encryption that still uses the same WEP programming and RC4 encryption algorithm, but it encrypts each data packet with a stronger and unique encryption key. It also includes some additional security algorithms made up of a cryptographic message integrity check, IV sequence mechanism that includes hashing, a rekeying mechanism to ensure key generation after 10,000 packets, and to increase cryptographic strength, it includes a per-packet key-mixing function.
These were designed to add protection against social engineering, replay and injection attacks, weak-key attacks, and forgery attempts.
WPA2 introduced the use of the Advanced Encryption Standard (AES) instead of TKIP. After 2006, all new devices bearing the Wi-Fi trademark required mandatory WPA2 certification. WPA and WPA2 use a four-way handshake to establish connection.
Like WPA2, WPA3 uses AES and a four-way handshake. Its main difference with WPA2 is that it is designed for perfect-forward secrecy. This means that the encryption key changes such that its compromise will not result in a breach of data encrypted before that compromise took place. IOW, a privacy feature that prevents older data from being compromised by a later attack.
Additionally, WPA3 uses Simultaneous Authentication of Equals (SAE) in an attempt to solve WPA and WPA2’s vulnerability to dictionary attacks. SAE is a type of key exchange also referred to as Dragonfly.
WPA3 is weak to downgrade attacks and timing attacks. The Dragonblood vulnerabilities target the Dragonfly key exchange.