
09. 802.11 Network Selection Algorithms

Koutto edited this page Nov 1, 2020 · 3 revisions

Preferred Network Lists (PNL)

  • Each time a station connects to a WiFi network, the ESSID is stored inside the station's PNL.
  • The PNL is an ordered list of the ESSIDs the station has connected to in the past.
  • The PNL also stores the configuration information needed to establish a connection with those networks.

Passive Scanning vs. Active Probing

  • Passive Scanning = The client device listens for beacon frames from nearby access points. Client devices are typically configured by default to connect automatically to networks within their PNL. If this is the case, and the client device receives a beacon frame whose ESSID field matches an ESSID from the client's PNL, the client will automatically connect to the access point that sent the beacon frame.

  • Active Probing = Client devices that use active probing continuously transmit probe request frames to determine which APs are within range, as well as what their capabilities are. Probe requests come in two forms: directed and broadcast.

    • Directed Probing: Clients that use directed probing send out a probe request for each network in their PNL. It should be noted that directed probing is the only way of identifying the presence of nearby hidden networks.

    • Broadcast Probing: Broadcast probe requests work almost exactly the same way, but are sent with the ESSID field set to NULL (i.e. "Broadcast ESSID"). This addresses the broadcast probe to all nearby access points, allowing the station to check if any of its preferred networks are nearby without revealing the contents of its PNL.

802.11 Network Selection Abuse Attacks

Important: The following attacks only work on open networks.

KARMA Attack

  • Abuses Active Probing.
  • This attack consists of dynamically generating Rogue APs:
  1. The AP listens for directed probe requests, and sends back directed probe responses with the same ESSID.
  2. The client then receives the ESSID, believes it is near a network from its PNL, and connects to the rogue AP.

[Figure: KARMA-Attack]

Ref: https://www.slideshare.net/sensepost/zacon-2015-zombie-mana-attacks

MANA Attack (KARMA Improvement)

Improvement of KARMA attack in which the rogue AP reconstructs the PNLs of nearby clients.

When the AP receives a Probe Request:

  • If Directed Probe Request:

    • Add the client's MAC to a hash table,
    • Add the requested ESSID to that device's PNL,
    • Respond with a directed Probe Response (might not work on the client if there was no response to a Broadcast Probe previously).
  • If Broadcast Probe Request:

    • Respond with a Probe Response for each ESSID in that device's PNL


Loud MANA Attack (MANA Improvement)

Variant of MANA attack in which the rogue AP sends Beacon & Probe Response Frames for each ESSID in the union of all PNLs of nearby clients.

  • If Directed Probe Request:

    • Same as with the MANA Attack
  • If Broadcast Probe Request:

    • Respond with a Probe Response for each ESSID in the PNL of EVERY device seen before (union of PNLs)

Known Beacon Attack

  • Abuses Passive Scanning.
  • The rogue AP broadcasts a dictionary of common SSIDs that nearby WiFi clients have likely connected to in the past (i.e. that are in their PNLs), in order to force a connection.

Remediations for 802.11 Network Selection Abuse implemented in modern devices

  • The device ignores Probe Responses from APs that did not first respond to a Broadcast Probe

    • Circumvent this using MANA instead of KARMA
  • The device relies exclusively on Passive Scanning (no Active Probing)

    • Circumvent this using Loud MANA or Known Beacons attacks
  • Windows 10 Countermeasures:

    • Open networks are by default not added to the PNL.
    • Clients send a probe request frame only after receiving the matching beacon frame.
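The common signature of KARMA, MANA, Loud MANA and Known Beacon described above is a single transmitting BSSID that advertises many different ESSIDs in probe responses or beacons, while a genuine multi-SSID AP normally uses a separate BSSID per SSID. The following added example (not from this wiki or any tool it references) runs that check over a constructed list of management frames, and also lists which clients leaked PNL entries through directed probes; the frame tuples and MAC addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample of management frames as (frame_type, transmitter_mac, essid).
# An empty essid on a probe_req is a broadcast probe (wildcard SSID).
SAMPLE_FRAMES = [
    ("probe_req",  "aa:aa:aa:aa:aa:01", ""),             # broadcast probe
    ("probe_req",  "aa:aa:aa:aa:aa:01", "HomeNet"),      # directed probe
    ("beacon",     "cc:cc:cc:cc:cc:01", "HomeNet"),      # honest AP
    ("probe_resp", "cc:cc:cc:cc:cc:01", "HomeNet"),
    ("probe_req",  "aa:aa:aa:aa:aa:02", "CoffeeShop"),
    ("probe_resp", "dd:dd:dd:dd:dd:01", "HomeNet"),      # one BSSID answering
    ("probe_resp", "dd:dd:dd:dd:dd:01", "CoffeeShop"),   # for every probed ESSID
    ("probe_resp", "dd:dd:dd:dd:dd:01", "AirportFree"),
    ("beacon",     "dd:dd:dd:dd:dd:01", "HotelGuest"),   # plus a dictionary beacon
]

def essids_advertised(frames):
    """Map each transmitting BSSID to the set of ESSIDs it advertised
    in beacons or probe responses."""
    seen = defaultdict(set)
    for ftype, src, essid in frames:
        if ftype in ("beacon", "probe_resp") and essid:
            seen[src].add(essid)
    return seen

def flag_rogue_aps(frames, max_essids=1):
    """Return {bssid: sorted ESSID list} for transmitters advertising more
    distinct ESSIDs than max_essids. One BSSID answering probe requests for
    many ESSIDs matches KARMA/MANA; one BSSID beaconing many ESSIDs matches
    Loud MANA / Known Beacon."""
    return {b: sorted(e) for b, e in essids_advertised(frames).items()
            if len(e) > max_essids}

def probed_essids(frames):
    """Map each client MAC to the ESSIDs it revealed via directed probes,
    i.e. the PNL fragment a MANA-style AP could reconstruct from it."""
    pnl = defaultdict(set)
    for ftype, src, essid in frames:
        if ftype == "probe_req" and essid:
            pnl[src].add(essid)
    return pnl

if __name__ == "__main__":
    for bssid, essids in flag_rogue_aps(SAMPLE_FRAMES).items():
        print(f"suspect AP {bssid}: {', '.join(essids)}")
    for client, essids in probed_essids(SAMPLE_FRAMES).items():
        print(f"client {client} leaked PNL entries: {', '.join(sorted(essids))}")
```

On a real capture, feed the function the (frame type, transmitter address, SSID element) triples from a monitor-mode dump; the threshold may need raising for vendors that share one BSSID across a few SSIDs.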