1

Is there any way an attack AP can break into an existing connection where handshake has already completed? Can the AP somehow force reauth?

Anders
Andyz Smith

2 Answers

3

Yes, the AP can issue a Deauth message telling the client that it needs to renegotiate the connection.

Some attacks spoof that message to get the client to reauthenticate either to their rogue AP or to capture information.

James Snell
  • Interesting security, this WPA2: a fully encrypted, handshake-completed connection can be terminated and subsequently, due to a bug, be decrypted, simply by an unauthenticated party commanding the existing trust pair. Good info, thanks. – Andyz Smith Oct 19 '17 at 23:59
3

Can a KRACK attack force a reauthentication handshake?

No. KRACK itself cannot do it.

Is there any way an attack AP can break into an existing connection where handshake has already completed? Can the AP somehow force reauth?

Yes, unless the network and client being attacked support 802.11w (or a vendor proprietary solution such as Cisco's Management Frame Protection).

However, this is not a component of KRACK itself; it is a long-standing part of normal 802.11 operation that has been criticized multiple times for a number of reasons and led to the creation of the 802.11w amendment. There are two types of frames that can cause a client to reconnect, namely a DEAUTH or a DISASSOC management frame, both of which can be spoofed by any other wireless device if 802.11w isn't present.

Unfortunately, the big holdout for providing 802.11w support has been Apple, and Apple devices tend to have issues connecting to networks with 802.11w required (most recent posting I have read was here earlier this year with Apple devices having issues with 802.1X authentication and 802.11w required). So for now most networks continue to either leave 802.11w disabled or, if they can, enable it but make it optional.

Edit: found the posting I read earlier this year and added a link to it.

YLearn
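Whether a network leaves 802.11w disabled, optional or required, as discussed in the answer above, is advertised in the RSN element of its beacons through the MFPC and MFPR bits of the RSN Capabilities field. The following is an added example, not part of either answer, that classifies a beacon's tagged parameters accordingly; the function names and the sample bytes are constructed for illustration.

```python
import struct

RSN_ELEMENT_ID = 48   # RSN information element tag
MFPR = 1 << 6         # RSN Capabilities bit 6: management frame protection required
MFPC = 1 << 7         # RSN Capabilities bit 7: management frame protection capable

def find_rsn(tagged: bytes):
    """Walk the tag/length/value elements of a beacon body; return the RSN body."""
    i = 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        body = tagged[i + 2:i + 2 + length]
        if len(body) < length:
            return None                      # truncated element, stop parsing
        if tag == RSN_ELEMENT_ID:
            return body
        i += 2 + length
    return None

def pmf_mode(tagged: bytes) -> str:
    """Classify the 802.11w setting an AP advertises."""
    rsn = find_rsn(tagged)
    if rsn is None:
        return "no-rsn"                      # open or pre-RSN network
    pos = 2 + 4                              # skip version and group cipher suite
    for _ in range(2):                       # pairwise suite list, then AKM suite list
        if pos + 2 > len(rsn):
            return "disabled"                # later fields omitted: capabilities default to 0
        (count,) = struct.unpack_from("<H", rsn, pos)
        pos += 2 + 4 * count
    if pos + 2 > len(rsn):
        return "disabled"
    (caps,) = struct.unpack_from("<H", rsn, pos)
    if caps & MFPR:
        return "required" if caps & MFPC else "invalid"
    return "optional" if caps & MFPC else "disabled"

def sample_tags(caps: int) -> bytes:
    """Constructed sample: SSID element plus a WPA2-PSK/CCMP RSN element."""
    ccmp, psk = bytes.fromhex("000fac04"), bytes.fromhex("000fac02")
    rsn = struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
    rsn += struct.pack("<H", 1) + psk + struct.pack("<H", caps)
    return bytes([0, 4]) + b"test" + bytes([RSN_ELEMENT_ID, len(rsn)]) + rsn

if __name__ == "__main__":
    for caps in (0x0000, 0x0080, 0x00C0):
        print(hex(caps), pmf_mode(sample_tags(caps)))
```

A result of "optional" means clients that do not negotiate 802.11w still accept unprotected DEAUTH and DISASSOC frames on that network.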