Detecting a large set of attacks with a WIDS requires studying and modelling the attacker's methods and strategies. In this post we discuss the typical attacks and malicious events. Illicit use of a wireless network may involve an attacker connecting to the Internet, or to the corporate network that lives behind the AP. Illicit use is a passive attack that does not damage the physical network. It includes the following attacks:
Wireless network sniffing:
When wireless packets traverse the air, attackers equipped with appropriate devices and software can capture them. Sniffing attack methods include:
This attack listens on each channel in turn and can be carried out without transmitting anything. For example, some radio-frequency monitors can copy every frame seen on a channel.
Service set identifier (SSID) detection:
This consists in retrieving the SSID by scanning frames of the following types: beacon, probe request, probe response, association request, and re-association request.
MAC addresses collecting:
To construct spoofed frames, the attacker has to collect legitimate MAC addresses; these can then be used to gain access through an AP that filters out frames from non-registered MAC addresses. To capture wireless packets, the attacker needs specific equipment, depending on the targeted wireless network.
Probing and network discovery:
This attack aims to identify the various wireless targets. It uses two forms of probing: active and passive. In active probing, the attacker sends probe requests that do not name the configured SSID, in order to solicit a probe response carrying the SSID and other information from any active AP. In passive probing, the attacker listens on all channels for all wireless packets, so the detection capability is not limited by the attacker's transmission power.
The attacker can inspect network information using tools like Kismet and Airodump. He could identify MAC addresses, IP address ranges, and
The purpose of spoofing is to modify identification parameters in data packets; the new values for the selected parameters can be collected by sniffing.
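As an added example (not from the original post), a minimal WIDS-style check in Python over constructed frame records: it flags sources that flood broadcast probe requests (the active probing described above) and MAC addresses whose 802.11 sequence numbers repeatedly jump backwards, a classic indicator that two radios share one spoofed MAC. The record layout, the sample frames and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of frame records as a WIDS sensor might log them:
# (source MAC, frame subtype, SSID field, 802.11 sequence number).
# A probe request with an empty SSID is a broadcast probe (active discovery).
FRAMES = [
    ("aa:bb:cc:00:00:01", "probe_req", "", 10),
    ("aa:bb:cc:00:00:01", "probe_req", "", 11),
    ("aa:bb:cc:00:00:01", "probe_req", "", 12),
    ("aa:bb:cc:00:00:01", "probe_req", "", 13),
    ("aa:bb:cc:00:00:01", "probe_req", "", 14),
    ("de:ad:be:ef:00:02", "probe_req", "CorpNet", 200),  # directed probe, benign
    ("de:ad:be:ef:00:03", "data", "", 3000),
    ("de:ad:be:ef:00:03", "data", "", 3001),
    ("de:ad:be:ef:00:03", "data", "", 120),   # second radio using the same MAC
    ("de:ad:be:ef:00:03", "data", "", 3002),
    ("de:ad:be:ef:00:03", "data", "", 121),
]

SEQ_MODULUS = 4096  # the 802.11 sequence number is a 12-bit counter


def active_probing_sources(frames, threshold=5):
    """MACs that sent at least `threshold` broadcast (empty-SSID) probe requests."""
    counts = defaultdict(int)
    for src, subtype, ssid, _ in frames:
        if subtype == "probe_req" and ssid == "":
            counts[src] += 1
    return sorted(mac for mac, n in counts.items() if n >= threshold)


def spoofed_mac_candidates(frames, min_anomalies=2, wrap_slack=50):
    """MACs whose sequence numbers repeatedly jump backwards.

    A single radio increments its counter monotonically (wrapping at 4096), so
    a legitimate frame never carries a smaller number than the previous one
    except at a wrap. Two devices sharing a MAC interleave two counters, which
    shows up as repeated backward jumps far from the wrap point."""
    last = {}
    anomalies = defaultdict(int)
    for src, _, _, seq in frames:
        if src in last and seq < last[src]:
            gap = last[src] - seq
            if gap < SEQ_MODULUS - wrap_slack:  # not a plausible wrap-around
                anomalies[src] += 1
        last[src] = seq
    return sorted(mac for mac, n in anomalies.items() if n >= min_anomalies)
```

A channel-hopping sensor misses frames, which is why only backward jumps (not forward gaps) are counted; thresholds still need tuning per site, and clients that randomise their MAC will appear as many short-lived sources rather than as spoofers.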
Man in the Middle Attacks
This attack inserts the attacker in the middle (man in the middle [MITM]) of a communication in order to intercept the client's data and modify it before either discarding it or forwarding it to the real destination.