MITM Attack

  1. The attacker knows (i.e. is able to find out) the victim's wireless parameters: the victim's MAC address, the ESSID/BSSID of its AP, and the channel number.

  2. The attacker sends (by broadcast or unicast) a DEAUTH frame to the victim, on the victim's channel, with the source address spoofed to that of the victim's AP.

  3. The victim is deauthenticated and starts scanning all channels for a valid AP.

  4. On a different channel, the attacker brings up a forged AP with the original MAC address (BSSID) and ESSID of the victim's AP. The forged AP answers all of the victim's AUTH, AS_RQ (association request) and REAS_RQ (reassociation request) frames needed for authentication/association.

  5. Once the victim has authenticated and associated to the forged AP, the attacker, on the victim's original channel, spoofs the victim's MAC address and associates to the victim's original AP (the AP takes the associated client to be the victim, not the attacker).

  6. The attacker now sits in the middle between the victim and its AP.
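Steps 2 and 4 above leave two observable traces that a wireless IDS can look for: a burst of DEAUTH frames carrying the AP's BSSID, and the same BSSID beaconing on more than one channel at once. The following detector is an added example written for this page, not code from the original text; it assumes a monitor-mode capture has already been summarised into one line per management frame in the constructed form `timestamp channel subtype source_mac bssid`, and the burst window and threshold are arbitrary values chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample capture summary (not a real capture): a legitimate AP on
# channel 1, and a BSSID on channel 6 that is hit by a deauth burst and then
# shows up beaconing on channel 11 as well, matching steps 2 and 4 above.
SAMPLE_FRAMES = """\
0.00 1 beacon aa:bb:cc:dd:ee:ff aa:bb:cc:dd:ee:ff
0.00 6 beacon 00:11:22:33:44:55 00:11:22:33:44:55
0.10 6 beacon 00:11:22:33:44:55 00:11:22:33:44:55
0.20 6 deauth 00:11:22:33:44:55 00:11:22:33:44:55
0.21 6 deauth 00:11:22:33:44:55 00:11:22:33:44:55
0.22 6 deauth 00:11:22:33:44:55 00:11:22:33:44:55
0.23 6 deauth 00:11:22:33:44:55 00:11:22:33:44:55
0.24 6 deauth 00:11:22:33:44:55 00:11:22:33:44:55
0.25 6 deauth 00:11:22:33:44:55 00:11:22:33:44:55
0.50 11 beacon 00:11:22:33:44:55 00:11:22:33:44:55
0.60 11 beacon 00:11:22:33:44:55 00:11:22:33:44:55
2.00 1 deauth aa:bb:cc:dd:ee:ff aa:bb:cc:dd:ee:ff
"""


@dataclass
class Frame:
    ts: float       # capture time in seconds
    channel: int    # channel the frame was received on
    subtype: str    # management subtype: beacon, deauth, auth, ...
    src: str        # transmitter / source MAC
    bssid: str      # BSSID carried in the frame


def parse_frames(text):
    """Parse the constructed summary format into Frame objects, sorted by time."""
    frames = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, ch, subtype, src, bssid = line.split()
        frames.append(Frame(float(ts), int(ch), subtype.lower(), src.lower(), bssid.lower()))
    frames.sort(key=lambda f: f.ts)
    return frames


def deauth_bursts(frames, window=1.0, threshold=5):
    """Return {bssid: peak deauth count within any `window` seconds} for BSSIDs
    whose peak reaches `threshold` (sliding window over sorted timestamps)."""
    times_by_bssid = defaultdict(list)
    for f in frames:
        if f.subtype == "deauth":
            times_by_bssid[f.bssid].append(f.ts)
    alerts = {}
    for bssid, times in times_by_bssid.items():
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts


def multi_channel_bssids(frames):
    """Return {bssid: sorted channel list} for BSSIDs seen beaconing on more
    than one channel, the evil-twin indicator from step 4."""
    channels = defaultdict(set)
    for f in frames:
        if f.subtype == "beacon":
            channels[f.bssid].add(f.channel)
    return {b: sorted(c) for b, c in channels.items() if len(c) > 1}


def analyze(text, window=1.0, threshold=5):
    """Run both detectors over a capture summary and return their findings."""
    frames = parse_frames(text)
    return {
        "deauth_bursts": deauth_bursts(frames, window, threshold),
        "multi_channel": multi_channel_bssids(frames),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_FRAMES).items():
        for bssid, detail in hits.items():
            print(f"ALERT {kind}: {bssid} -> {detail}")
```

The single DEAUTH from the channel-1 AP stays below the threshold, which matters in practice because APs legitimately deauthenticate clients (idle timeouts, load balancing); a burst from one BSSID is the signal, not the frame type alone. The multi-channel check is likewise a heuristic: a multi-radio AP reusing one BSSID would trigger it, so a deployment should whitelist such known configurations.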