Earlier I wrote a journal entry about BSSIDs and the information surrounding them. Here I want to take a closer look at what types of attacks can be carried out knowing just the BSSID and the information surrounding the access point (AP).

A little background on how wireless technology works. All data traffic between a client and the AP is sent in frames, and a client joins the AP through the 4-way handshake (similar in spirit to the TCP 3-way handshake). Part of this handshake is authentication, and by capturing these frames you can easily see the BSSID of the AP and the MAC address of the client device. So how can this be used for a Man-in-the-Middle (MITM) attack?

For this I am using Fluxion and an Alfa AWUS036ACH as the access point, a card that can be put into monitor mode.

By having my station first spoof the MAC addresses of the devices connected to the victim AP, I am able to send deauthentication frames to the AP, effectively throwing all devices off it. Now, I could do this simply as a DoS attack, but at the same time my station is broadcasting a fake AP pretending to be the victim AP. The users then receive a notification saying they are no longer connected and will have to log back in. Using the information previously gathered by the BSSID lookup, I am able to create a login screen for the users to enter their password. This password is then checked against the victim AP and, if it is correct, the user gets its access back. By doing this, the password has been sent in plain text to my station.
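Both halves of the attack described above leave traces that anyone monitoring the channel can see: a burst of deauthentication frames claiming the victim's BSSID, and a second BSSID suddenly advertising the victim's SSID. That is exactly what a wireless IDS watches for. The Python below is an added example, not code from this post or from Fluxion: it parses raw 802.11 management frames as they would come off a monitor-mode interface and flags a deauth flood and a possible evil twin. The capture it runs on is constructed in memory so the script works offline; the BSSIDs, client MAC, SSID and the threshold of five deauth frames are all made-up values.

```python
import struct
from collections import Counter, defaultdict

# 802.11 frame control, first byte: type in bits 2-3, subtype in bits 4-7.
FC_BEACON = 0x80   # management (type 0), subtype 8
FC_DEAUTH = 0xC0   # management (type 0), subtype 12


def mac(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def parse_ssid(ies: bytes):
    """Walk the tagged information elements of a beacon and return the SSID (tag 0)."""
    pos = 0
    while pos + 2 <= len(ies):
        tag, length = ies[pos], ies[pos + 1]
        value = ies[pos + 2:pos + 2 + length]
        if tag == 0:
            return value.decode("utf-8", errors="replace")
        pos += 2 + length
    return None


def parse_mgmt_frame(frame: bytes) -> dict:
    """Parse the 24-byte 802.11 management header plus the fields we need from the body."""
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 management header")
    fc0, _fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    info = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "dst": mac(frame[4:10]),     # address 1: receiver
        "src": mac(frame[10:16]),    # address 2: transmitter
        "bssid": mac(frame[16:22]),  # address 3: BSSID in management frames
    }
    if info["type"] == 0 and info["subtype"] == 8:
        # Beacon body: timestamp(8) + beacon interval(2) + capabilities(2), then tagged elements.
        info["ssid"] = parse_ssid(frame[24 + 12:])
    elif info["type"] == 0 and info["subtype"] == 12:
        # Deauthentication body: a 2-byte reason code.
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect(frames, deauth_threshold: int = 5):
    """Return alert strings for deauth floods and for one SSID seen from several BSSIDs."""
    deauth_per_bssid = Counter()
    ssid_to_bssids = defaultdict(set)
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f["type"] != 0:
            continue
        if f["subtype"] == 12:
            deauth_per_bssid[f["bssid"]] += 1
        elif f["subtype"] == 8 and f.get("ssid"):
            ssid_to_bssids[f["ssid"]].add(f["bssid"])
    alerts = []
    for bssid, n in deauth_per_bssid.items():
        if n >= deauth_threshold:  # threshold is an assumption, tune per environment
            alerts.append(f"deauth flood: {n} deauthentication frames claiming BSSID {bssid}")
    for ssid, bssids in ssid_to_bssids.items():
        if len(bssids) > 1:
            alerts.append(f"possible evil twin: SSID {ssid!r} advertised by "
                          f"{len(bssids)} BSSIDs: {', '.join(sorted(bssids))}")
    return alerts


# --- constructed sample capture (made-up addresses and SSID) ---
BROADCAST = b"\xff" * 6
REAL_AP = bytes.fromhex("001122334455")
ROGUE_AP = bytes.fromhex("66778899aabb")
CLIENT = bytes.fromhex("aabbccddeeff")


def build_frame(fc0: int, dst: bytes, src: bytes, bssid: bytes, body: bytes) -> bytes:
    """Assemble a management frame in memory for the sample capture (nothing is transmitted)."""
    header = struct.pack("<BBH", fc0, 0x00, 0) + dst + src + bssid + struct.pack("<H", 0)
    return header + body


def beacon_body(ssid: bytes) -> bytes:
    return struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, len(ssid)]) + ssid


def sample_capture():
    frames = [
        build_frame(FC_BEACON, BROADCAST, REAL_AP, REAL_AP, beacon_body(b"HomeNet")),   # legitimate
        build_frame(FC_BEACON, BROADCAST, ROGUE_AP, ROGUE_AP, beacon_body(b"HomeNet")), # same SSID, other BSSID
    ]
    # Six deauthentication frames that claim to come from the real AP (reason code 7).
    frames += [build_frame(FC_DEAUTH, CLIENT, REAL_AP, REAL_AP, struct.pack("<H", 7)) for _ in range(6)]
    return frames


if __name__ == "__main__":
    for alert in detect(sample_capture()):
        print(alert)
```

On a real sensor the frames would come from a monitor-mode capture instead of `sample_capture()`; the parsing and the two checks stay the same. The evil-twin check only fires when the rogue uses a different BSSID, so pair it with the deauth counter, since an attacker who clones the BSSID as well still has to push clients off the real AP first.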

From this point on I have full access to the victim network, and there are many more things I can do from here: search the connected devices for exploits using Armitage, capture packets, or tunnel the traffic through my fake AP to force unencrypted connections.