Through the use of an 802.11 analyzer, a person can monitor 802.11 frames sent over the wireless
LAN and easily fool the network through various "man-in-the-middle" attacks. You can view the
frames sent back and forth between a user's radio NIC and access point during the association
process. As a result, you'll learn information about the radio card and access point, such as IP address
of both devices, association ID for the radio NIC, and SSID of the network.
With this information, someone can setup a rogue access point (on a different radio channel) closer to
a particular user to force the user's radio NIC to reassociate with the rogue access point. Because
802.11 doesn't provide access point authentication, the radio NIC will happily reassoicate with the
rogue access point. Once reassociation occurs, the rogue access point will capture traffic from
unsuspected users attempting to login to their services. Of course this exposes sensitive user names
and passwords to a hacker who has an interface with the rogue access point.
Someone can also use man-in-the-middle techniques using a rogue radio NIC. After gleaning
information about a particular wireless LAN by monitoring frame transmissions, a hacker can program
a rogue radio NIC to mimic a valid one. This enables the hacker to deceive the access point by
disassociating the valid radio NIC and reassociating again as a rogue radio NIC with the same
parameters as the valid radio NIC. As a result, the hacker can use the rogue radio NIC to steal the
session and carryon with a particular network-based service, one that the valid user had logged into.
Content Copyright © Original Author