When working with wireless networks, one of the categories of attacks that may be used is that of access control attacks. Attacks put into this category aim to penetrate and compromise a wireless network by evading access control measures. These types of access control measures include items such as MAC filtering, misconfiguration, rogue access points, and other items we will discuss within this chapter.

Before we go too far, let's take a more detailed look at access control in order to understand more clearly what it is that we are attacking in this particular chapter.

The access control process is one that involves identification of syndication and authorization. Any attack against access control is going seek to steal credentials, or impersonate a user or system with the intention of gaining access and performing unauthorized or outright malicious activities...

One of the earliest and most commonly used forms of attack used to target access control is a technique known as war driving. This technique, simply put, is to use a wireless enabled device along with specialized software used to detect or probe wireless networks that have come with in range of the wireless device.

What makes war driving so popular and so effective is the fact that many computer users, both personal and business, have been deploying 802.11 wireless access points for years with little regard for security. The deployment of a wireless network that allows the user to roam has taken precedence over taking measures to secure their access points and devices against potential attack.

In response to this deployment of wireless networks that are misconfigured or insecure, we have a category of attackers that engage in this practice known as war...

The next step in war driving is to enhance the data you're collecting with location or geographic data concerning the access point or device itself. In the modern day, the collection of this data has been facilitated through the use of Global Positioning System (GPS) technology. Modern GPS devices can be attached to a system such as a notebook or laptop to the use of Bluetooth, USB, or even serial connections in some cases. If you intend to perform war driving with a mobile device such as a tablet or smart phone, it is highly likely that your device may already contain a built-in GPS that can be used to map access points.

If you are going to use an external GPS device it is important to note that not all of these devices are created equal. Some devices are able to acquire a satellite fix and location within a very short time of...

Another effective way to compromise or circumvent access control on a wireless network is to create what is known as a rogue access point. A rogue access point is simply a wireless access point that has been installed on a network without explicit permission or authorization from the owner or administrator of that network. In practice, a rogue access point can be put in place by a well-intentioned employee, or even a malicious party such as a disgruntled employee, or in an intruder.

An access point can come in one of two forms: it can be either a soft access point or some form of hard access point.

A soft access point is an access point that is created through software such as the types we have in Kali as well as other third-party applications. It can even be argued that the software present on smartphones creates a soft access point out of the smartphone...

During your explorations, one technique that may be deployed against you an effort to stop you is a technique known as MAC filtering. Simply put, MAC filtering is a countermeasure that involves either whitelisting the MAC addresses of devices approved to be on your network or blacklisting devices that you don't want on your network. While this technique is incredibly rare and often encountered on none but the smallest of networks it is still a countermeasure that frequently pops up as a recommended security mechanism. Here, we will explore how to evade MAC filtering and gain access to a network anyway.

In most consumer and commercial grade access points, it is not difficult to find an option for MAC filtering. Usually, this option goes by the name of MAC filtering or it may be under a group of settings for access control and may even...

With a rogue access point in place on a secure (or supposedly secure) network, there now arises a potential for a lot of damage and other mischief to occur. Promiscuous clients are a concern, as these are clients that send out probes looking for wireless networks to attach to that they may have attached to in the past. The fact that they engage in this process it makes the possibility that they may attach to a network accidentally and is a problem for security.

The probe packet is a special type of request that is transmitted out that is used to attach to previously associated network access points. This packet is sent out by smartphones, laptops, and other devices that are not currently connected to a Wi-Fi network and it is used to locate and connect to networks previously associated to. When this probe is sent out and a network that the client...