
You are a penetration tester tasked with testing the wireless network of your client Brakeme SA. You are attempting to break into the wireless network with the SSID “Brakeme-Internal.” You realize that this network uses WPA3 encryption. Which of the following vulnerabilities is the most promising to exploit?


Option 1 : AP misconfiguration
Option 2 : Key reinstallation attack
Option 3 : Dragonblood
Option 4 : Cross-site request forgery

1. AP misconfiguration

Misconfigured APs are a type of attack surface that is the easiest to breach once detected. The places where you will most likely encounter misconfigured APs are home wireless networks and very small businesses. Large wireless environments most likely use centralized management platforms that control hundreds or thousands of APs and keep them synchronized, so configuration errors are less likely there.

The most common areas of misconfiguration that lead to wireless cracking are:

  • Some AP configurations are left at factory defaults, such as usernames and passwords or default broadcast WLANs (SSIDs); these default settings can be found in the vendor’s manuals on the internet.
  • Human error – advanced security policies are configured on one set of APs across the organization, while others are forgotten and left with default weak security settings.

As a countermeasure against misconfigured APs, organizations should use ongoing site surveys as a tool to monitor for a secure wireless environment.

2. Key reinstallation attack

KRACK (“Key Reinstallation Attack”) is a replay attack (a type of exploitable flaw) on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016[1] by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven.[2] Vanhoef’s research group published details of the attack in October 2017. By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the complete keychain used to encrypt the traffic.
The weakness lies in the Wi-Fi standard itself, not in errors made by individual products or implementations when implementing a sound standard. Therefore, any correct implementation of WPA2 is likely to be vulnerable. The vulnerability affects all major software platforms, including Microsoft Windows, macOS, iOS, Android, Linux, OpenBSD and others.
The widely used open-source implementation wpa_supplicant, used by Linux and Android, was especially susceptible because it can be manipulated to install an all-zeros encryption key, effectively nullifying WPA2 protection in a man-in-the-middle attack. Version 2.7 fixed this vulnerability.
The security protocol protecting many Wi-Fi devices can essentially be bypassed, potentially allowing an attacker to intercept sent and received data.
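The mechanism behind KRACK, as an added illustration that is not part of the original article: a toy supplicant that (pre-patch) reinstalls the PTK and resets its packet nonce whenever message 3 of the handshake is retransmitted, beside the patched behaviour that ignores a retransmission for a key already in use. The keystream generator is an HMAC-SHA256 counter-mode stand-in for CCMP’s AES-CTR, the frames are constructed samples, and the point shown is why the fix matters: with the nonce reused, the XOR of two ciphertexts equals the XOR of the two plaintexts, with no key needed.

```python
import hashlib
import hmac

# Toy stand-in for CCMP's AES-CTR keystream (HMAC-SHA256 in counter mode).
# Illustration only: real WPA2 uses AES-CCMP with a 48-bit packet number as nonce.
def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Client side of the 4-way handshake, reduced to key install + frame encryption."""
    def __init__(self, reinstall_allowed: bool):
        self.reinstall_allowed = reinstall_allowed  # True = pre-patch behaviour
        self.ptk = None
        self.nonce = 0

    def on_message3(self, ptk: bytes) -> None:
        # Patched clients refuse to reinstall a key that is already in use,
        # so a retransmitted message 3 cannot reset the packet number.
        if self.ptk == ptk and not self.reinstall_allowed:
            return
        self.ptk = ptk      # (re)install the PTK ...
        self.nonce = 0      # ... and reset the nonce: the flaw KRACK abuses

    def send(self, plaintext: bytes) -> tuple:
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))

def simulate(reinstall_allowed: bool, ptk: bytes = b"\x11" * 32) -> dict:
    """Send a frame, replay message 3, send another; report nonce reuse and leakage."""
    sta = Supplicant(reinstall_allowed)
    sta.on_message3(ptk)
    pt_a = b"GET /account HTTP/1.1\r\n"   # constructed sample frames
    pt_b = b"Cookie: session=abc\r\n"
    n_a, ct_a = sta.send(pt_a)
    sta.on_message3(ptk)                  # retransmitted message 3
    n_b, ct_b = sta.send(pt_b)
    n = min(len(ct_a), len(ct_b))
    return {
        "nonce_reused": n_a == n_b,
        # With the same keystream, ct_a ^ ct_b == pt_a ^ pt_b: plaintext relation leaks.
        "plaintext_xor_leaked": xor(ct_a[:n], ct_b[:n]) == xor(pt_a[:n], pt_b[:n]),
    }

if __name__ == "__main__":
    print("pre-patch:", simulate(True))
    print("patched  :", simulate(False))
```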

3. Dragonblood

Dragonblood allows an attacker in range of a password-protected Wi-Fi network to recover the password and gain access to sensitive information such as user credentials, emails and credit card numbers. According to the published report:
“The WPA3 certification aims to secure Wi-Fi networks, and provides several advantages over its predecessor WPA2, such as protection against offline dictionary attacks and forward secrecy. Unfortunately, we show that WPA3 is affected by several design flaws, and analyze these flaws both theoretically and practically. Most prominently, we show that WPA3’s Simultaneous Authentication of Equals (SAE) handshake, commonly known as Dragonfly, is affected by password partitioning attacks.”
Our Wi-Fi researchers at WatchGuard are educating businesses globally that WPA3 alone won’t stop the Wi-Fi hacks that allow attackers to steal information over the air (learn more in our recent blog post on the topic). These Dragonblood vulnerabilities impact a small number of devices that were released with WPA3 support, and manufacturers are currently making patches available. One of the biggest takeaways for businesses of all sizes is to understand that a long-term fix may not be technically feasible for devices with lightweight processing capabilities such as IoT and embedded systems. Businesses need to consider adding products that enable a Trusted Wireless Environment for all kinds of devices and users alike.
Recognizing that vulnerabilities like KRACK and Dragonblood require attackers to initiate these attacks by bringing an “Evil Twin” Access Point or a Rogue Access Point into a Wi-Fi environment, we’ve been focusing on developing Wi-Fi security solutions that neutralize these threats so that these attacks can never occur. The Trusted Wireless Environment framework protects against the “Evil Twin” Access Point and Rogue Access Point. One of these hacks is required to initiate the two downgrade or side-channel attacks referenced in Dragonblood.
What’s next? WPA3 is an improvement over the WPA2 Wi-Fi encryption protocol; however, as we predicted, it still doesn’t provide protection from the six known Wi-Fi threat categories. It’s highly likely that we’ll see more WPA3 vulnerabilities announced in the near future.
To help reduce Wi-Fi vulnerabilities, we’re asking all of you to join the Trusted Wireless Environment movement and advocate for a global security standard for Wi-Fi.

4. Cross-site request forgery

CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.
CSRF attacks target functionality that causes a state change on the server, such as changing the victim’s email address or password, or purchasing something. Forcing the victim to retrieve data doesn’t benefit an attacker because the attacker doesn’t receive the response; the victim does. As such, CSRF attacks target state-changing requests.
It’s sometimes possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called “stored CSRF flaws”. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attacker can store a CSRF attack on the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the web. The likelihood is also increased because the victim is sure to be authenticated to the site already.

CSRF attacks are also known by a number of other names, including XSRF, “Sea Surf”, Session Riding, Cross-Site Reference Forgery, and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and in many places in their online documentation.

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
