For myself, I group types of wifi attacks as follows:
- Hacking WPA/WPA2 passwords
- WEP attack
- Hacking WPS Pin
- WPA downgrade
- Replacing a true access point with a fake
- Scam Access Point
- Attack on WiFi access point from the global and local networks
- Denial of Service Attacks (WiFi DoS)
- Attacks on specific services and functions of routers
Let us characterize each of them in somewhat more detail.
Hacking WPA/WPA2 passwords
This is the most universal attack on WiFi. Its advantage is that it applies to all access points that use WPA / WPA2 (most of them).
There are also disadvantages that arise from the strength (reliability) of WPA / WPA2. They are that:
- To implement an attack, the TD must have connected clients;
- password decryption is carried out by brute-forcing (brute force).
Those. With a strong password, hacking WiFi in a reasonable time will not work.
This group of attacks includes not only the decryption of a password in plain text. For WEP, a number of various attacks are opened and implemented that allow you to get the desired result even without decrypting the passphrase.
Unfortunately, now WEP hacking goes into the background, as the number of APs that use it is constantly decreasing.
Hacking WPS Pin
The situation is similar to WEP. Good for cracking, just recently (less than a year ago) a new hole was revealed, which, instead of the usual hours for breaking into WPS, takes several seconds.
And exactly the same trouble as WEP – the lack of universality. The number of APs in which WPS is enabled is less and less.
Just above, WPA / WPA2 provides sufficiently reliable protection if the user has not selected a simple password. Since from a technical point of view, new methods have not been proposed so far, several methods of social engineering have been implemented. This is one of them.
A permanent deauthentication of Stations and TDs is made by sending WPA encrypted packets. The goal is to convince the user of the WPA protocol malfunction and force it to go to WEP or disable encryption. This attack is implemented in mdk3 . mdk3 will allow clients to work with WEP or without encryption, so there is a chance that the system administrator will simply think “WPA is broken” (which can happen to incompetent employees). This can / should be combined with social engineering.
Replacing a true access point with a fake
The bottom line is that the access point is suppressed by the endless sending of deauthenticated packets . At the same time, the attacker “raises” his TD with similar characteristics and waits for users to connect to it.
Further, under various pretexts, WPA / WPA2 passwords are lured away.
Most finished this attack can realize, for example, wifiphisher .
As in the previous case – this is social engineering. The probability of a successful outcome is proportional to the incompetence of the opposite side.
Scam Access Point
This is not really an attack on WiFi. Rather, it is an attack using WiFi.
The bottom line is that the attacker configures an open point of access to the Internet. Unsuspecting lovers of freebies are connected to it. And the attacker at this time implements all sorts of attacks to intercept passwords, sessions, cookies, or redirect to fraudulent sites.
Attack on WiFi access point from the global and local networks
This is a rather undervalued problem. And you just think, a huge number of people have a wireless router or modem at home. As a rule, few people go further than setting up the Internet and WiFi. Few people care about changing the administrator password, and very few people update their device firmware in time.
And all this set of devices with admin: password credentials are beautifully visible to scanners on a local or global network … (there are exceptions, for example, devices with gray addresses, behind NAT, etc. are not visible. Ie they are not visible from the global network, but no one has canceled their visibility in local networks).
And there are already implementations of a mass attack on default credentials and known router vulnerabilities: Router Scan by Stas’M .
The situation is similar to the anecdote: “The Gestapo overlaid all exits, but Stirlitz went out through the entrance .”
And every year the number and types of devices that are connected to the network, only increases. A natural consequence of this is the increase in the number of devices that are not configured by anyone at all. Web cameras, file servers, TVs with WiFi (and with built-in video cameras, by the way), as well as various other elements of the smart home, are added to these devices.
Denial of Service Attacks (WiFi DoS)
this type of wifi attacks is quite simple and very effective. Its meaning is the endless sending of deauthentication packets .
You can protect yourself from such an attack only by connecting to the router via a wire. As with all other DoS attacks, data leakage does not occur. Only broken normal work. Similar to other DoS attacks, after its termination, everything starts working on its own in normal mode.
Attacks on specific services and functions of routers
Modern advanced routers have USB ports to which you can connect flash drives, hard drives, 3G modems and other peripherals. Routers, besides their usual functions, can be file servers, web servers, torrent clients, etc.
There are two dangers here: the vulnerability of a secondary service, or incorrect configuration (for example, factory passwords), which will allow an attacker to seize control.