them the information, which may in itself be valuable, or gets them access to a system
on the network. It’s so important to keep in mind the goal of the attacker. When we’re
testing, we need to make sure we’re not testing just for the sake of testing, though that
could be entertaining; we’re making sure that our testing targets aren’t exposed to
potential attack. The objective of your testing is to improve the security posture,
remember, and not just to knock things over.
802.11 Terminology and Functioning
Before we start in on various attacks, we should probably review the terminology and functioning of 802.11. First, there are two types of 802.11 networks: ad hoc networks and infrastructure networks. In an ad hoc network, clients connect directly to one another. There can be multiple systems within an ad hoc network, but there is no central device through which the communication happens. If there is an access point (AP) or base station, the network is considered an infrastructure network. Devices that connect through the AP are clients. APs will send out messages over the air indicating their presence. This message is called a beacon.
The process clients use to get connected to a WiFi network is to send out a message probing for wireless networks. Whereas wired systems use electrical signals to communicate, wireless systems use radio communications, meaning they have transmitters and receivers. The probe frame is sent out using the radio transmitter in the device. Access points in the vicinity, receiving the probes, respond with their identifying information. The client, if told to by the user, will attempt to associate with the AP. This may include some form of authentication. The authentication does not necessarily imply encryption, though WiFi networks are commonly encrypted in some manner. This may or may not be true when it comes to public networks, such as those in restaurants, airports, and other open spaces.
An enterprise environment may have several access points, all sharing the same service set identifier (SSID). Attacks against the wireless network will be targeted at individual AP devices/radios, but the end result, if successful, will land you on the enterprise network, regardless of which AP you are targeting.
Once the client has been authenticated and associated, it will then begin communicating with the AP. Even if devices are communicating with others on the same wireless network, all communication will still go through the AP rather than directly from peer to peer. Certainly, there are far more technical details to 802.11 networks, but this suffices for our purposes, to set the stage for later discussions.
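The beacon, probe, authentication and association frames just described are all 802.11 management frames, and a tester reviewing a capture needs to tell them apart and read the SSID they carry. The decoder below is an added example written for this edition, not code from the book; it works on raw 802.11 frames (constructed samples, not captured ones) and assumes any radiotap header has already been stripped.

```python
# 802.11 management-frame subtypes (type field 0) that make up the
# discovery and join sequence: probe, beacon, authentication, association.
MGMT_SUBTYPES = {
    0x0: "association request",
    0x1: "association response",
    0x4: "probe request",
    0x5: "probe response",
    0x8: "beacon",
    0xB: "authentication",
}

def parse_mgmt_frame(frame: bytes) -> dict:
    """Decode the 24-byte MAC header of a management frame and pull the
    SSID element (tag 0) out of the tagged parameters, if one is present."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc = frame[0]                      # frame control, first octet
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    body = frame[24:]
    # Beacons and probe responses start with 12 fixed bytes (timestamp,
    # beacon interval, capability info); probe requests do not.
    if subtype in (0x5, 0x8):
        body = body[12:]
    ssid, off = None, 0
    while off + 2 <= len(body):        # walk the tag/length/value elements
        tag, length = body[off], body[off + 1]
        if tag == 0:
            # Empty SSID: wildcard probe from a client, or a hidden network
            # when it appears in a beacon.
            ssid = body[off + 2:off + 2 + length].decode("utf-8", "replace")
            break
        off += 2 + length
    return {"subtype": MGMT_SUBTYPES.get(subtype, f"subtype {subtype:#x}"),
            "dst": dst.hex(":"), "src": src.hex(":"), "bssid": bssid.hex(":"),
            "ssid": ssid}

def build_frame(subtype, dst, src, bssid, ssid, fixed=b""):
    """Assemble a constructed management frame for exercising the parser."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    return header + fixed + bytes([0, len(ssid)]) + ssid

# Constructed samples: a beacon from an AP and a wildcard probe from a client.
AP, CLIENT, BCAST = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02", b"\xff" * 6
BEACON = build_frame(0x8, BCAST, AP, AP, b"CorpNet", fixed=b"\x00" * 12)
PROBE = build_frame(0x4, BCAST, CLIENT, BCAST, b"")

if __name__ == "__main__":
    print(parse_mgmt_frame(BEACON), parse_mgmt_frame(PROBE), sep="\n")
```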
When we do testing over the network, often the network interface needs to be put
into promiscuous mode in order to ensure that all traffic is passed up through the
network interface and to the operating system. When it comes to WiFi, we need to be