2

Let's assume that one client contains malware and that it belongs to a Wi-Fi network protected with WPA2/Personal (hence, via a password known to the piece of malware), where some other vulnerable clients are present.

I can activate some filtering or other security measures in the Wi-Fi Access Point, so that any malicious traffic from the rogue device is blocked.

Still, I understand that the rogue device is theoretically able with some sniffing to figure out the unique key (PTK) any other client in the network shares with the AP.

With that key, can the rogue device try to attack (e.g. probe for vulnerabilities) the other devices, fully bypassing the AP? What does that scenario look like?

2 Answers

1

Can't comment yet, but I'd say it really depends on what filtering/security measures you're activating, and when you're doing it.

Getting the WiFi key, once a user has been infected, is pretty easy. I would go for some ARP broadcast to detect every other terminal and try to monitor their activities and perhaps detect some vulnerabilities, and scan the open ports on the router.

The most viable solution would be to simply block the MAC address of the rogue device on the WiFi or router, but if it has detected other devices and perhaps open ports, it still could access them from outside the local network.

Thryn
  • 301
  • 1
  • 7
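The answer above describes what an infected client does on the LAN: ARP broadcasts to enumerate the other terminals, and (in the second answer) ARP poisoning to become a man in the middle. Both leave a footprint in the ARP traffic the AP or a monitoring port sees. The following is an added example, not code from the original post, of the two checks a defender would run over ARP records: an IP address claimed by more than one MAC (poisoning), and a MAC that asks for many distinct IPs in a short window (scanning). The sample records are constructed for the example; the field layout `(timestamp, op, sender_mac, sender_ip, target_ip)` is an assumption about how the capture was exported.

```python
from collections import defaultdict

# Constructed sample ARP records: (timestamp_s, op, sender_mac, sender_ip, target_ip).
# aa:bb:cc:00:00:01 is the real gateway; 02:00:00:00:00:99 is the infected client.
SAMPLE_ARP = (
    [(0.0, "reply", "aa:bb:cc:00:00:01", "192.168.1.1", "192.168.1.10")]
    # the infected client sweeps the subnet with ARP requests in under a second
    + [(1.0 + i * 0.02, "request", "02:00:00:00:00:99", "192.168.1.99", f"192.168.1.{i}")
       for i in range(2, 40)]
    # an honest client resolving the gateway
    + [(3.0, "request", "aa:bb:cc:00:00:10", "192.168.1.10", "192.168.1.1")]
    # the infected client now claims the gateway's IP (poisoning)
    + [(4.0, "reply", "02:00:00:00:00:99", "192.168.1.1", "192.168.1.10")]
)


def detect_arp_anomalies(records, scan_threshold=20, window_s=5.0):
    """Return IPs claimed by several MACs and MACs that scan many targets quickly."""
    claims = defaultdict(set)      # sender_ip -> set of MACs that announced it
    requests = defaultdict(list)   # sender_mac -> [(ts, target_ip), ...]
    for ts, op, smac, sip, tip in records:
        # Every ARP packet (request or reply) asserts "sender_ip is at sender_mac".
        claims[sip].add(smac)
        if op == "request":
            requests[smac].append((ts, tip))

    # Poisoning indicator: one IP, more than one MAC claiming it.
    spoofed = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

    # Scan indicator: >= scan_threshold distinct targets within window_s seconds.
    scanners = {}
    for mac, reqs in requests.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            targets = {t for ts, t in reqs[i:] if ts - t0 <= window_s}
            if len(targets) >= scan_threshold:
                scanners[mac] = len(targets)
                break
    return {"spoofed_ips": spoofed, "scanners": scanners}


if __name__ == "__main__":
    print(detect_arp_anomalies(SAMPLE_ARP))
```

A static ARP entry for the gateway on the clients, or dynamic ARP inspection where the AP or switch supports it, is the corresponding mitigation; the check above only tells you the poisoning is happening.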
1

It's kind of hard to understand your question, but given that scenario any competent hacker/malware can do whatever it needs to attack another client in that network.

Given that you know the passphrase of the AP, by getting the four-way handshake you can completely strip the WPA2 (knowing the PTK, as you stated), exposing all unencrypted traffic.

Another thing the malware can do is ARP poisoning/flooding and hence become a MITM; all traffic will now go through the infected client.

On the AP side, both whitelisting and blacklisting are pointless; a simple spoof will do the trick. The only thing I can think of is some IMPLEMENTATIONS of client isolation, which as I remember creates a VLAN for each client. This obviously depends on the manufacturer and how it's IMPLEMENTED.

Azteca
  • 1,116
  • 7
  • 16
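The question and the answer above both rest on one property of WPA2-Personal: the per-client PTK is a deterministic function of the shared passphrase, the SSID, the two MAC addresses and the two nonces exchanged in the clear during the four-way handshake, so nothing in it is secret from another station that knows the passphrase. The following is an added example, not code from the original post, of that derivation as specified in IEEE 802.11i (PBKDF2-HMAC-SHA1 for the PMK, the HMAC-SHA1 PRF with the label "Pairwise key expansion" for the PTK). It computes the PTK once from the AP's point of view and once from a bystander's point of view with only the four handshake values, and checks that the two agree. The MAC addresses and nonces are constructed sample values; the passphrase/SSID pair "password"/"IEEE" is the test vector from the standard.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes): KCK || KEK || TK. Inputs are ordered, so the
    result does not depend on which side computes it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes) -> dict:
    """Name the three 16-byte parts of a CCMP PTK."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def bystander_agrees(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                     anonce: bytes, snonce: bytes) -> bool:
    """Does a third station that knows the passphrase and has seen the handshake
    obtain the same PTK as the AP? (Yes: it has every input the AP used.)"""
    ap_ptk = wpa2_ptk(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    # The bystander only ever sees the handshake on the air and knows the passphrase.
    observed = {"aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce}
    bystander_ptk = wpa2_ptk(wpa2_pmk(passphrase, ssid), observed["aa"], observed["spa"],
                             observed["anonce"], observed["snonce"])
    return ap_ptk == bystander_ptk


# Constructed sample handshake values (not from any real capture).
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = wpa2_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    ptk = wpa2_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    print({k: v.hex() for k, v in split_ptk(ptk).items()})
    print("bystander derives the same PTK:", bystander_agrees("password", "IEEE", AP_MAC, CLIENT_MAC, ANONCE, SNONCE))
```

This is why the countermeasures discussed above are about the AP (client isolation) rather than about the keys: under WPA2-Personal the keys cannot separate clients from one another. WPA3-Personal (SAE) changes the premise, because each client negotiates a fresh PMK with the AP and the passphrase alone no longer yields it.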