How can an access point spoof me into connecting?

Question

I was reading through the answers of the question "How can I ensure that I connect to the right wireless Access Point?" and was wondering how it is possible for an access point to imitate another wifi network assuming I use WPA2.

I read the wikipedia article and it looks like that the PMK (Pairwise Master Key) is never actually send over the network. Also, the client station sends a Nonce to the access point, which the access point concatenates with the PMK and hashes to produce an authentication. How could an impostor produce a valid authentication without knowing the PMK?

What am I missing?

EDIT: I read a little further through the comments and it seems like I can only fake a wireless access point, if I actually have the PMK. Can somebody confirm, that I have the right idea?

Answer 1

I'm going to go out on a limb here and could be wrong, but...

If there are two APs using the same encryption level and the same passphrase, then I believe most wireless clients will happily connect to either without raising a fuss. I do not believe that the equivalent of an SSH host key is used to fingerprint the original "authentic" AP.

Therefore, if an attacker knows the passphrase in use by an AP, they can imitate that AP and either hijack traffic or perform a man-in-the-middle attack.

I am reasonably sure that this was my experience when I temporarily configured a second AP in my house with the same passphrase, using XP and Windows 7 clients.

It may be that the protocol supports an AP host key, but that the Windows client implementation does not take advantage of it. As I say, I'm going out on a limb here, basing my response on limited experience which I recall hazily. I'm sure someone will let me know if I'm wrong!

Answer 2

It's a combination of social engineering (or gullibility if you will) and a technological attack.

First, create an open AP with an identical SSID (Note that the BSSID need not be the same) on the same channel using extremely high power output, the higher the better.

Second, use a disassociation attack. This causes the "target" to disconnect from the AP.

Users will then often just reconnect to the network with the same name. If the power output is high enough on the evil twin then the real AP will be completely obscured. Since the password to the real network is saved on their computer they won't notice that they aren't prompted for a password to join the evil twin.

pwn3d.

Answer 3

You are talking about attacking the technology when by a long way you should be attacking the human. Not withstanding how much effort it would take to knock down a consumer grade wireless access point. I'm guessing you would have more than just limited success just standing up an AP with the same SSID.

I imagine if you could knock down the legitimate AP (even still that's probably overdoing it), stand up your own without a password. People would go to browse the Internet, see that they weren't connected, look at their list select the "correct" SSID, (not really notice that there is no password because they figure that their password is just saved and technology is being quirky again).

Wouldn't be much more difficult in a business setting provided you have access to a network jack. I think most rogue APs are attacking the person not the technology.

Answer 4

Using enterprise WPA2, a certificate is stored for the valid access points, so spoofing in a manner that causes credentials to leak isn't trivial. With shared authentication, any access point that is using the same shared credentials will be a valid association.

Answer 5

You can spoof BSSID/lladdr/mac (ifconfig wlanX hw ether 00:de:ad:be:ef:01) along with ESSID. At this point your AP becomes indistinguishable from the target. I have experienced that clients connect after doing this, even if they expected WPA/WPA2 to be in place, without user action, i.e. automatically (at night). I didn't use the same channel as the AP when I did this.