Vulnerabilities with Wireless Access Points

7 minutes


This is the wireless access point for my little office here, Total Seminars. And we're not that big of an office, so we only need one AP. And this guy's passing out an SSID of "Private", say, and it works great. We've got WPA2 encryption on there, big, long shared keys, so it's very, very hard to crack them.

But what would happen if somebody came into the office, you know, that Bob over in sales, and he doesn't like how good of a signal he's getting over there, and he doesn't want to bother the IT department? Bob's not evil. Bob's just a little dumb. So Bob comes in and he gets one of these little home routers from his local computer store. And he takes this and he plugs it into my wired network. Now think about that for a minute. Now, again, Bob's not evil, he's just dumb.

But what you've just done is you've given people access to the network via an unauthorized access point. So we call this a rogue AP. So a rogue AP is nothing more than an unauthorized access point. They happen innocently enough, and it does happen. Now, if this happened, we would know fairly quickly. Number one, Bob would be shooting out an SSID of "Linksys" or whatever the default SSID is there.

This thing's probably got a built-in DHCP server that'd be messing up the network, passing out some crazy 192.168.1.x IP address range, and we would yell at Bob, shake a finger at him, and make him buy lunch the next day. But what if we took it another step? What if we took this access point, and instead of just innocently plugging it in, what if we intentionally gave it the SSID of "Private"? Well, you now have what's known as an evil twin.

Now, rogue access points and evil twins don't have to be devices like this. As long as you have some type of internet service, so people don't know that they're on the wrong thing, you can get away with that. I can take this phone right here, make it a hotspot and give it an SSID of "Private", and people could get on the internet with this thing. They couldn't get to my actual network because it's not plugged into my network, and whoever has this phone is going to get a really big bill. But this could easily be an evil twin.

It can also be a rogue access point if you don't do it on purpose. So what I want to talk about is some of the fun that we can have with evil twins in particular. Now, what I've got here is, so I've got my access point, and I've got my laptop right here that's running Kali Linux. And built into Kali Linux are a lot of tools that, again, assuming you have the right network card, I can make this thing look, bark, smell, and taste like an access point, everything I need. The problem that I have here is that everybody's still connecting to this physical access point. So a really easy way to take care of that is to get one of these.

This is what we call an 802.11 jammer. Okay, it's not an 802.11 jammer. It's really just a piece of styrofoam with a stick stuck in it. And the reason it is is because 802.11 jammers are completely illegal in the United States. So I don't have one, but here's a picture of a few, so you get an idea of what they look like. Now, if I have one of these jammers, I can do some very interesting things.

These jammers, for example, can be programmed a million different ways. I can set this jammer up to jam the entire 2.4 gigahertz spectrum. And if everybody was running just on 2.4 gigahertz, you've got the best denial of service you've ever seen in your life; I could knock everybody off completely. But we can do stuff that's a little bit more sophisticated. One of the things that we can do is I can take this jammer and I can program it to be on channel 6. So I can do a quick survey using either my phone or a regular laptop, and I can see that "Private" is currently on channel 6. So as long as I'm close enough to jam the signal, I can drop this jammer down and jam up channel 6.

In the meantime, my little laptop over here, who's an evil twin of "Private", is now on channel, say, channel 1. And any wireless device is designed so that if a particular channel messes up, it jumps and looks for the SSID on a different channel. Now, if I don't have the username and passcode, no big deal. All I'm going to have to do is, as soon as they link into this, I can have a redirect page pop up that says, "Welcome to Private, please enter the passcode," and count on at least 15% of all people to not realize that that's not the right way to do it. Bingo, I've got myself the code. The cool part about this is that I will, again, provide Internet access here just as well. So I can put a cellular WAN card in here, whatever I might want to do.

And for a lot of people, they're not going to realize that they're not on the correct wireless network anymore. And I have now generated what's known as an absolutely perfect man-in-the-middle attack. Absolutely, go onto Google, do whatever you want to do. In the meantime, I'm running Wireshark, or something like that, and monitoring everything that's taking place in terms of traffic between you and whoever else you might want to talk to. The downside to this type of attack is that it needs one of these, and wireless jammers really are difficult to get here in the United States. They are federally illegal. But you don't really need it; we can get rid of this completely, and instead do something called a deauthentication attack.

Let me show you how that works. So here's my little network. Here's my wireless access point that's broadcasting out on, say, channel 6, and the SSID is "Stuff". Now right here is just one of my many clients, and he's made a good connection to this guy. And what I can do, using the right tools, so let me go ahead and bring in my evil Kali laptop that's running with the cool wireless NIC, I can actually run programs that will show me all of the clients that are authenticated to that particular wireless access point.

And I can then use that information to send out what are known as deauthentication, or more quickly known as deauth, commands. These commands basically tell those clients to get off of this wireless network, and they'll get off the network. And then what we want them to do is to connect to us. And then once again, our man-in-the-middle attack is running perfectly. Rogue access points are a real problem. Whether it's an unintentional, innocent rogue access point, or somebody doing something very dangerous by creating an evil twin, they can be a real problem on our wireless networks.
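The defender's side of the three things this lesson describes, as an added example that is not part of the lesson or of any tool it mentions: a small detection script of the kind a wireless IDS sensor or a periodic site survey would feed. It flags a BSSID that advertises one of our SSIDs but is not in the inventory (the evil twin), a beacon carrying a factory-default SSID such as "Linksys" (Bob's home router), and a burst of deauthentication frames that appear to come from our own AP (the deauth attack, whose frames spoof the legitimate BSSID). The beacon and deauth records, the inventory, the BSSIDs and the thresholds are all constructed assumptions.

```python
"""Wireless-side detection for rogue APs, evil twins and deauth floods.

Added example, not part of the lesson. The sensor output below is
constructed: parsed 802.11 beacon observations and parsed
deauthentication frames, in the shape a WIDS sensor or survey tool might
hand to a script after decoding. BSSIDs, inventory and thresholds are
illustrative assumptions.
"""
from collections import defaultdict

# Inventory of authorized APs per SSID (constructed).
AUTHORIZED = {
    "Private": {"aa:bb:cc:00:00:01"},
    "Guest": {"aa:bb:cc:00:00:02"},
}

# Factory-default SSIDs suggesting a consumer router was plugged in (constructed).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "tp-link"}

# Constructed beacon observations from a site survey.
BEACONS = [
    {"ssid": "Private", "bssid": "aa:bb:cc:00:00:01", "channel": 6},
    {"ssid": "Private", "bssid": "de:ad:be:ef:00:01", "channel": 1},   # our SSID, unknown BSSID
    {"ssid": "Linksys", "bssid": "11:22:33:44:55:66", "channel": 11},  # default SSID
    {"ssid": "Guest", "bssid": "aa:bb:cc:00:00:02", "channel": 6},
]

# Constructed deauth frames. In a deauth flood the sender address is spoofed
# to the legitimate AP's BSSID, so the flood shows up as "our AP" kicking
# dozens of clients within a few seconds, which a real AP does not do.
DEAUTHS = [
    {"ts": 100.0 + i * 0.1, "bssid": "aa:bb:cc:00:00:01",
     "client": f"02:00:00:00:00:{i:02x}"}
    for i in range(30)
] + [
    {"ts": 50.0, "bssid": "aa:bb:cc:00:00:02", "client": "02:00:00:00:01:aa"},   # normal churn
    {"ts": 900.0, "bssid": "aa:bb:cc:00:00:02", "client": "02:00:00:00:01:bb"},
]


def find_evil_twins(beacons, authorized):
    """BSSIDs advertising one of our SSIDs but absent from the inventory."""
    hits = set()
    for b in beacons:
        known = authorized.get(b["ssid"])
        if known is not None and b["bssid"] not in known:
            hits.add((b["ssid"], b["bssid"], b["channel"]))
    return sorted(hits)


def find_default_ssids(beacons, defaults=DEFAULT_SSIDS):
    """Beacons carrying a factory-default SSID: likely an unmanaged home router."""
    return sorted({(b["ssid"], b["bssid"]) for b in beacons
                   if b["ssid"].lower() in defaults})


def detect_deauth_flood(frames, window_s=5.0, threshold=10):
    """Return {bssid: peak} for senders with >= threshold deauths in any window_s span."""
    by_src = defaultdict(list)
    for f in frames:
        by_src[f["bssid"]].append(f["ts"])
    flagged = {}
    for bssid, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[bssid] = peak
    return flagged


def audit(beacons=BEACONS, deauths=DEAUTHS, authorized=AUTHORIZED):
    """Run all three checks and return the findings as one dict."""
    return {
        "evil_twins": find_evil_twins(beacons, authorized),
        "default_ssids": find_default_ssids(beacons),
        "deauth_floods": detect_deauth_flood(deauths),
    }


if __name__ == "__main__":
    for kind, findings in audit().items():
        print(f"{kind}: {findings}")
```

The evil-twin check keys on the SSID-to-BSSID inventory because the twin necessarily copies the SSID but cannot copy the real AP's BSSID without also being on the air as the same station. The deauth check works per sender over a sliding window rather than on a raw count, so ordinary client churn from a busy AP stays under the threshold while a burst stands out. Deauth floods themselves are blunted by enabling 802.11w Protected Management Frames on the AP, and a rogue router plugged into the wired side is caught independently by 802.1X or port security on the switch.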
