Attackers have many reasons for targeting wireless networks. They might want to access resources on a network, such as confidential files. Many organizations focus on perimeter defenses and are rather open after an attacker gets through them. A wireless network might represent the easiest attack avenue to the inside if adequate defenses are not in place. Other attackers might simply want to use a wireless site's network. This could be as simple as a traveler not wanting to pay for network access while on the road, or it could be as nefarious as a spammer wanting to send millions of objectionable e-mails that won't be traced back to him, or a virus writer wanting a good anonymous location from which to launch the latest worm. Finally, it could be an attacker wanting to disrupt a wireless network, whether for simple vandalistic glee, for revenge, or to harm a competitor in some way. Sometimes these attacks can be combined. For example, an attacker could execute a denial-of-service (DoS) attack against the legitimate wireless infrastructure to redirect clients to a rogue AP that the attacker controls. Attack trees illustrate these goals and some of the methods that an attacker uses to achieve them.
Attackers follow a process when they attack networks. Usually there is an initial reconnaissance phase, followed by the actual attack. In the reconnaissance phase, an attacker discovers the presence of the network and then explores potential targets within it. This chapter considers three main goals that attackers have when attacking wireless networks: denying service, gaining read access, and gaining write access. It also considers the fourth goal of reconnaissance, which is a necessary subgoal of the main three goals. The attack trees illustrate each of these goals.
Introduced by Bruce Schneier, attack trees are a means of describing vulnerabilities in a system. They can also be used as analysis tools to assist in planning defenses against those vulnerabilities. Each tree starts with a goal, which is broken into subgoals. Subgoals can be broken down further. At each node, the attack tree creator denotes whether all the steps must be taken ("AND") or whether any one of them will do ("OR"). The best way to illustrate this is with a simplified example:
GOAL: Rob bank. OR Bribe guard for entry during off hours. Become trusted employee of the bank and embezzle. AND Get hired by bank. Work long enough to learn system and gain trust. Conduct an armed robbery. AND Obtain weapons. Plan carefully.
This tree shows that the bank robber has three OR subgoals, any one of which will get him the money. He can choose the easiest one. The embezzlement subgoal has two AND subgoals. If he chooses embezzlement, he must perform both of these to be successful. From a defensive perspective, a bank must prevent all branches of the tree from succeeding. The defender must prevent all OR branches, which in this example means preventing all three avenues of attack. Where there are AND branches, the defender only has to prevent one from succeeding. Thus, in this example, the bank can either improve its interview screening or institute an oversight system for its trusted employees to prevent the embezzlement option from succeeding.
An attacker must discover a target network before attacking it. This can be a targeted attack in which an attacker goes after a particular organization or user, or it could be an attack of convenience in which an attacker just looks for the first network that meets his criteria. Such criteria include proximity, fast bandwidth, and of course, the presence of vulnerabilities.
In the wired networking world, intrusion-detection systems or firewalls can often detect this reconnaissance activity. In the wireless world, portions of the discovery can be completely passive and undetectable. There could, however, be active components to a wireless attack reconnaissance, such as network scans, which would be detectable. Attack Tree 1 outlines reconnaissance attacks:
Attack Tree 1 GOAL: Discover target network. AND Discover presence of a network. OR Conduct wardriving. Passive sniffing of specific targets ("parking lot sniffing"). Discover more information about the network. OR Conduct active host and port scanning. Conduct passive sniffing.
DoS is an attack on network availability that can serve several purposes for an attacker. These purposes range from disruption to assisting man-in-the-middle attacks (MitM) and are explored later in this chapter. An attacker might want to set up wireless equipment to take over the communications path for legitimate clients. By disrupting particular parts of the network, an attacker can remove interference from the legitimate equipment and have the rogue path be the only one available. Attack Tree 2 describes these goals:
Attack Tree 2 GOAL: Deny wireless service. AND Discover target network (using Attack Tree 1). Deny service. OR Deny service to an entire network. OR Use radio jamming equipment. Continually broadcast frames to fill up network bandwidth. Disassociation/deauthentication attack against all users. Conduct transmit duration attack. Flood associations to fill up access point tables. Set up a rogue access point and associate users to a bogus network. Deny service to a particular user. Conduct disassociation/deauthentication attack against a user.
The most frequent goal of a network attacker is to gain either read access or write access to a network. Read access includes the capability to intercept and read traffic from the network and includes attacks on encryption, authentication, and other protection methods. Write access includes the capability to send traffic to a network entity and usually implies read access because the attacker often needs to read response packets to communicate over some network protocols. However, in some cases, an attacker can place packets on a network without being able to decode any of the return traffic.
Attack Tree 3 describes read-access goals:
Attack Tree 3 GOAL: Gain read access. AND Discover target network (using Attack Tree 1). Read traffic. OR Read unencrypted traffic. Capture traffic using sniffer. Read encrypted traffic. AND Capture encrypted traffic using sniffer. Gain key material. OR Recover keys. Recover keystream. Set up rogue access point and control network parameters, such as encryption keys (most feasible as a man-in-the-middle). AND Compromise client. Penetrate client via ad-hoc network via misconfiguration or unpatched operating system vulnerability. Install spying software on client. Spying software forwards data to attacker by some means
Attack Tree 4 describes write-access goals:
Attack Tree 4 GOAL: Gain write access. AND Discover target network (using Attack Tree 1). Bypass authentication schemes to gain network access privileges. OR Network has no authentication. No bypass needed. Use MAC address spoofing to evade MAC-based filtering. Use shared-key authentication bypass attack. If network is using 802.1x for authentication, use LEAP dictionary attack or PEAP man-in-the-middle attack documented later in this attack tree. Inject data packets. OR Network is not using encryption. Inject the data. Write encrypted data by replaying captured keystream. Recover keystream. Encrypt data with key and write it to network. Recover key. Penetrate client via ad-hoc network. Install malicious code on client, which writes your traffic using the client's credentials. Perform LEAP dictionary attack. AND Capture a LEAP session. Run an offline dictionary attack to recover the password. Authenticate using the captured credentials. Once authenticated, write your data. Perform PEAP man-in-the-middle attack. AND Set up rogue AP to which the client can connect. Establish session to real AP. Capture client credentials and use them to authenticate to the back- end server. Take over the connection in place of the client. Write the data.
The rest of this chapter expands on the attacks described in the attack trees.