|
|
MITM Attack
The attacker knows (=is able to find out) the victim wireless parameters (the MAC address, ESSID/BSSID, number of channel)
The attacker sends (via broadcast or unicast) a DEAUTH request to the victim (on the same channel as the victim) with the spoofed source address of the victim's AP
The victim is deauthenticated and starts to search all channels for a new valid AP
The attacker spoofs on a new channel his forged AP with the original MAC address (BSSID) and ESSID of the victim's AP. The forged AP responses to all victim's AUTH, AS_RQ and REAS_RQ frames needed for the victim's authentication/association
After the successful victim's authentication/association to the forged AP, the attacker spoofs on the original victim's channel the victim's MAC address and associates to the original victim's AP (the AP supposes the associated client is the victim, not attacker)
The attacker is in the middle of the victim and his AP
|