WiFi Security - Part 2 - Client side vulnerabilities - Evil Twin against Public Wifi

@steempower
A look at the client side of Wifi Security; Evil Twin and Man in the Middle Attacks

![](https://www.hackread.com/wp-content/uploads/2014/01/security-risks-round-up-of-public-wi-fi-networks.jpg)

### Definitions
* AP - Access point
* SSID - Wireless network 'name'
* WiFi clients - Laptops, tablets, phones etc.
* BSSID - Hardware address of your AP, also known as its MAC address
* PNL - Preferred Network List (the list of networks your client trusts and will reconnect to)

## Summary
In the last post [http://steemd.com/security/@steempower/wifi-security-and-techniques-to-protect-your-network--part-1](http://steemd.com/security/@steempower/wifi-security-and-techniques-to-protect-your-network--part-1) we looked at security from the AP's point of view and put in place some best practices for securing your WiFi network. In this chapter we look at common attacks against WiFi clients and what they mean for your wireless security.
There are a number of attacks against clients; we will focus on an effective technique called the 'evil twin' attack and look at what can happen once you are compromised. These attacks are dangerous because they are easy to execute with common hardware. Be on the lookout for them at cafes, restaurants, on train rides, or in any situation where an attacker can stay within network range of you without drawing suspicion.


## Broadcast Probes and Automatic connection for your convenience
When you arrive at home, at work, or anywhere else you have previously joined a wireless network, your device automatically reconnects to that network unless you have told it not to. This convenience works because the network is in your Preferred Network List (PNL). It is a great time saver, but it is also the basis for the 'evil twin' attack.
A second issue is how your device goes about discovering the network. Depending on the implementation it may send out what are called broadcast probes. Broadcast probes are common, and their purpose is to find an AP whose network name (SSID) matches one in your PNL. This leaks information about where you have been connected, because your device is literally calling out the names of your previously used wireless networks to anyone who is listening.
This is particularly dangerous when your device is configured to automatically connect to a public hotspot or 'Free WiFi'. These APs are generally configured in 'Open' mode: they require no passphrase and do not encrypt the traffic being transmitted. That is dangerous for your unencrypted information while you are connected, and it leaves you vulnerable after you leave as well.
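A practical way to act on this is to audit your own PNL for the profiles an evil twin could impersonate. The script below is an added example, not something from the original post; its input mirrors the colon-separated terse output of `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show` with the per-profile security taken from the `802-11-wireless-security.key-mgmt` property, and every profile name and value in it is constructed rather than captured from a real machine.

```python
"""Audit a saved-network list (PNL) for entries an evil twin could impersonate.

Added example, not from the original post. Input format follows nmcli's
terse (-t) output; all profile names and values below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample in the style of `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show`
CONNECTION_LIST = """\
Home-WiFi:802-11-wireless:yes
Cafe Free WiFi:802-11-wireless:yes
Airport_Free:802-11-wireless:no
Office:802-11-wireless:yes
Wired connection 1:802-3-ethernet:yes
"""

# Constructed per-profile key management; "" means no security, i.e. an Open AP
KEY_MGMT = {
    "Home-WiFi": "wpa-psk",
    "Cafe Free WiFi": "",
    "Airport_Free": "",
    "Office": "wpa-eap",
}


@dataclass(frozen=True)
class Profile:
    name: str
    key_mgmt: str
    autoconnect: bool

    @property
    def is_open(self) -> bool:
        return self.key_mgmt == ""


def parse_profiles(listing: str, key_mgmt: dict) -> list:
    """Keep only WiFi profiles; nmcli -t escapes ':' inside values as '\\:'."""
    profiles = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        name, ctype, auto = fields[0], fields[1], fields[2]
        if ctype != "802-11-wireless":
            continue
        profiles.append(Profile(name, key_mgmt.get(name, ""), auto == "yes"))
    return profiles


def classify(p: Profile) -> tuple:
    """Rank a profile by how easily a fake AP with the same SSID gets you to join."""
    if p.is_open and p.autoconnect:
        return ("HIGH", "Open network with auto-connect: any AP beaconing this "
                        "SSID is joined without a passphrase or any user action")
    if p.is_open:
        return ("MEDIUM", "Open network saved: joins are manual, but the name is "
                          "still in the PNL and may be leaked in probes")
    if p.key_mgmt == "wpa-psk":
        return ("LOW", "PSK network: an impostor must first recover the passphrase "
                       "from a captured half-handshake")
    return ("LOW", f"{p.key_mgmt} network: 802.1X (enterprise) authentication")


def audit(listing: str = CONNECTION_LIST, key_mgmt: dict = KEY_MGMT) -> dict:
    """Map profile name -> (risk level, reason), worst first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    ranked = sorted(parse_profiles(listing, key_mgmt),
                    key=lambda p: order[classify(p)[0]])
    return {p.name: classify(p) for p in ranked}


if __name__ == "__main__":
    for name, (level, reason) in audit().items():
        print(f"{level:6} {name!r}: {reason}")
```

On a real Linux machine you would feed it the actual command output instead of `CONNECTION_LIST`; the profiles ranked HIGH are exactly the ones the rest of this post says to delete or set to manual connection.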

## Evil Twin Attack
![](https://dalewifisec.files.wordpress.com/2013/05/eviltwin_ap1.png)
### Against an Open WiFi network
If you are sending out broadcast probes looking for an Open network, all the attacker needs to do is instruct their wireless card to emulate an AP with a name matching the one you are probing for; at that point your client connects. Sounds simple? It is! There are even tools that listen for probes, spawn an AP with that name and send out beacons so that your client attempts to connect automatically.

### Against a protected network (WPA/WPA2)
As discussed in the previous chapter, one method available to an attacker for cracking a WPA or WPA2 network is to capture the 4-way handshake; but what if I told you only half of it is needed? Even if your real AP is not in range, the attacker can obtain the first two EAPOL packets of the handshake by pretending to be your genuine access point. Your client connects to the attacker's AP, which sends it a challenge known as the "ANonce". Your client uses its saved passphrase to generate a response containing its own "SNonce" plus a Message Integrity Check (MIC) and sends it back; this response is in turn your client's challenge to the AP. The attacker cannot perform the third part of the 4-way handshake, because without the passphrase they cannot generate the Group Temporal Key (GTK) + MIC response your client needs to validate the connection. But with the two packets captured they have enough information to run a brute-force/dictionary attack against your passphrase. Once armed with the passphrase, they can impersonate your encrypted access point, and your client will connect and treat the attacker as a trusted network.
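To make the "half a handshake" point concrete, here is a small model of the exchange with both sides' messages. It is an added example, not code from the original post: the PMK step (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt) and the 16-byte HMAC-SHA1 MIC follow WPA2-PSK, but the PTK expansion is a single HMAC-SHA256 call standing in for the 802.11i PRF-512 and the EAPOL frames are plain byte strings, so nothing here is wire-compatible with real equipment. All MAC addresses, the SSID and the passphrases are constructed. What it shows is the defensive property: a rogue AP that does not know the passphrase either never produces message 3 or produces one whose MIC the client rejects.

```python
"""Simplified model of the WPA2 4-way handshake: a rogue AP without the
passphrase stalls at message 3, and a wrong guess is rejected by the client.

Added example, not from the original post. PMK and MIC follow WPA2-PSK; the
PTK expansion is a toy stand-in for PRF-512. All values are constructed.
"""
import hashlib
import hmac
import os

SSID = b"Home-WiFi"
PASSPHRASE = b"correct-horse-battery-staple-42"  # constructed, 18+ characters


def derive_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """Pairwise Master Key, as in WPA2-PSK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Toy stand-in for PRF-512: same inputs (PMK, both MACs, both nonces), one HMAC."""
    data = (b"toy pairwise key expansion" + min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return hmac.new(pmk, data, hashlib.sha256).digest()


def compute_mic(ptk: bytes, frame: bytes) -> bytes:
    kck = ptk[:16]  # Key Confirmation Key: the slice of the PTK that signs EAPOL frames
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


class Client:
    def __init__(self, mac: bytes, passphrase: bytes):
        self.mac = mac
        self.pmk = derive_pmk(passphrase, SSID)  # saved credential, never transmitted
        self.ptk = None

    def message2(self, ap_mac: bytes, anonce: bytes) -> tuple:
        self.snonce = os.urandom(32)
        self.ptk = derive_ptk(self.pmk, ap_mac, self.mac, anonce, self.snonce)
        frame = b"EAPOL-2|" + self.snonce
        return frame, compute_mic(self.ptk, frame)

    def accept_message3(self, frame: bytes, mic: bytes) -> bool:
        # Keys are only installed if the AP proved it derived the same PTK
        return hmac.compare_digest(compute_mic(self.ptk, frame), mic)


class AccessPoint:
    def __init__(self, mac: bytes, passphrase: bytes = None):
        self.mac = mac
        # A rogue AP beaconing the right SSID has no passphrase and therefore no PMK
        self.pmk = derive_pmk(passphrase, SSID) if passphrase is not None else None

    def message1(self) -> bytes:
        self.anonce = os.urandom(32)
        return self.anonce

    def message3(self, sta_mac: bytes, frame2: bytes):
        # A real AP also checks the MIC on message 2 before replying; omitted here
        if self.pmk is None:
            return None  # no PMK means no PTK, so nothing can be signed
        snonce = frame2[len(b"EAPOL-2|"):]
        ptk = derive_ptk(self.pmk, self.mac, sta_mac, self.anonce, snonce)
        frame3 = b"EAPOL-3|" + b"<GTK would be wrapped here>"
        return frame3, compute_mic(ptk, frame3)


def run_handshake(ap: AccessPoint, client: Client) -> str:
    anonce = ap.message1()                          # msg 1: ANonce
    frame2, mic2 = client.message2(ap.mac, anonce)  # msg 2: SNonce + MIC
    reply = ap.message3(client.mac, frame2)         # msg 3: GTK + MIC
    if reply is None:
        return "aborted: AP never sent message 3"
    frame3, mic3 = reply
    if not client.accept_message3(frame3, mic3):
        return "aborted: message 3 MIC invalid"
    return "completed"                              # msg 4 (acknowledgement) omitted


# Constructed addresses
AP_MAC = b"\xaa\xbb\xcc\x00\x00\x01"
ROGUE_MAC = b"\x02\x11\x22\x33\x44\x55"
STA_MAC = b"\x11\x22\x33\x44\x55\x66"


def demo() -> dict:
    return {
        "genuine": run_handshake(AccessPoint(AP_MAC, PASSPHRASE), Client(STA_MAC, PASSPHRASE)),
        "rogue_no_passphrase": run_handshake(AccessPoint(ROGUE_MAC), Client(STA_MAC, PASSPHRASE)),
        "rogue_wrong_guess": run_handshake(AccessPoint(ROGUE_MAC, b"password"), Client(STA_MAC, PASSPHRASE)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The PBKDF2 step is also why the passphrase length advice from part 1 matters: every candidate passphrase an attacker wants to test against those two captured packets costs 4096 HMAC rounds, and the number of candidates grows exponentially with length.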

## Evil Twin Attack successful - client connected to the attacker's fake AP
### Direct attacks against your client
Once you are connected to the attacker's network they will be able to scan your computer for vulnerable services. Any exploitable service you have running may, depending on the exploit, give the attacker entry into your computer with user or system level privileges. From there they can do a number of nasty things, such as exfiltrate data, plant back doors for future access, or encrypt or destroy your files; the list goes on.
If your client is connected to a wired network and a wireless network at the same time, the attacker can use your machine as a 'pivot' and start scanning your wired network for further vulnerabilities, attempting to exploit them to gain further access into your network. This is termed 'lateral movement'.


### Man in the Middle Attacks against your communications
In a Man in the Middle attack, the attacker routes your communications to the internet via their own machine. Your client will have full internet connectivity, but all traffic passes through the attacker's machine and they can eavesdrop on all of your communications. Any plain-text traffic is easily captured and manipulated, and it is worth noting that SSL / HTTPS connections are also susceptible to decryption through a variety of means.

## Prevention / TL;DR
It's hard to prevent these sorts of attacks, and that is why they are so effective: the client is just performing its normal behaviour of looking for an AP on its PNL and, once found, attempting a connection.
Therefore the way to stop these attacks, at least the simplest of them, is not to leave Open WiFi networks in your PNL; or, if your device supports it, make sure you disable automatic connection for those Open APs. The attacks against a WPA2 secured network are a lot harder to execute, as they require brute-forcing your passphrase, which in the previous chapter we set to 18+ characters; that makes it an extremely time consuming exercise for the attacker.
You could always just disable your wireless when you go out of the house/work etc., but this will be quite painful as it requires a lot of manual interaction. Added bonus: it will also stop you being 'tracked' at your local supermarket / mall etc.
Some WiFi drivers let you set the BSSID of your AP so that the client verifies that both the BSSID and the ESSID match before it will connect; if you have this feature available it would be wise to use it.
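What a BSSID-pinning check actually decides can be written down in a few lines. The code below is an added example, not any driver's code and not from the original post: the saved profiles and the scan results are constructed, and a real client would take the beacon list from a scan. The check refuses to join a pinned network from any other BSSID, refuses a saved WPA2 network that shows up as open (a downgrade), and refuses to auto-join an open network that has no pin, because nothing authenticates an open AP.

```python
"""Client-side join check: the AP about to be joined must match the saved
profile on SSID, security mode and, where pinned, BSSID.

Added example, not from the original post and not any driver's code.
All saved profiles and scan results are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SavedNetwork:
    ssid: str
    security: str                    # "open" or "wpa2-psk"
    pinned_bssid: Optional[str] = None


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str
    channel: int
    signal_dbm: int


# Constructed scan: the genuine home AP, a stronger evil twin on another
# BSSID, an open evil twin with the same name, and an unrelated cafe network.
SCAN = [
    Beacon("Home-WiFi", "AA:BB:CC:DD:EE:01", "wpa2-psk", 6, -61),
    Beacon("Home-WiFi", "02:11:22:33:44:55", "wpa2-psk", 1, -38),
    Beacon("Home-WiFi", "02:11:22:33:44:56", "open", 11, -40),
    Beacon("Cafe Free WiFi", "02:DE:AD:BE:EF:00", "open", 6, -50),
]

HOME = SavedNetwork("Home-WiFi", "wpa2-psk", pinned_bssid="aa:bb:cc:dd:ee:01")
CAFE = SavedNetwork("Cafe Free WiFi", "open")


def evaluate(saved: SavedNetwork, scan: list) -> tuple:
    """Return (beacon to join or None, warnings). Refuses anything it cannot vet."""
    warnings = []
    same_name = [b for b in scan if b.ssid == saved.ssid]
    if not same_name:
        return None, [f"{saved.ssid!r}: not in range"]

    # Security must match; a saved WPA2 network advertised as open is a downgrade
    for b in same_name:
        if b.security != saved.security:
            warnings.append(f"{saved.ssid!r}: BSSID {b.bssid} advertises {b.security}, "
                            f"saved profile is {saved.security}")
    candidates = [b for b in same_name if b.security == saved.security]

    if saved.pinned_bssid:
        pin = saved.pinned_bssid.lower()
        for b in candidates:
            if b.bssid.lower() != pin:
                warnings.append(f"{saved.ssid!r}: unexpected BSSID {b.bssid} "
                                f"(ch {b.channel}, {b.signal_dbm} dBm) alongside pinned {pin}")
        candidates = [b for b in candidates if b.bssid.lower() == pin]
    elif saved.security == "open":
        # Nothing authenticates an open AP; without a pin every impostor qualifies
        warnings.append(f"{saved.ssid!r}: open network without a pinned BSSID, refusing to auto-join")
        return None, warnings

    if not candidates:
        return None, warnings
    # Signal strength is only a tie-breaker among vetted APs, never a reason to trust one
    return max(candidates, key=lambda b: b.signal_dbm), warnings


if __name__ == "__main__":
    for profile in (HOME, CAFE):
        chosen, warns = evaluate(profile, SCAN)
        print(profile.ssid, "->", chosen.bssid if chosen else "do not join")
        for w in warns:
            print("  warning:", w)
```

Note that the evil twin in the constructed scan has the strongest signal; a client that picked by signal alone would join it, which is exactly why the pin and the security check run first.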

## Best practices for WiFi clients:
* Turn WiFi off when you leave your trusted WiFi area
* Do not leave Open access points such as McDonald's Free WiFi etc. in your PNL
* Enable client side BSSID filtering to add an extra step in validating your AP
* Be aware that your device can be manipulated in this manner, and be on the lookout for WiFi connectivity in an unusual location
![](https://norelleandrea.files.wordpress.com/2015/09/no_parking_wireless_sign.jpg)