Creating Rogue Access Points:
In order to create fake access points we will use a tool named MDK3. It can also be used for other packet-injection attacks, such as deauthentication and authentication floods.
1) Go to the terminal of your BackTrack instance, type cd /pentest/wireless/mdk3 and press Enter.
2) Now run mdk3 using the command "./mdk3" without any arguments.
3) This prints a detailed usage message: the test modes the MDK3 tool supports and the parameters each mode accepts.
4) For our case study we are only interested in creating beacon frames. In the list of test modes there is "b - Beacon Flood Mode".
5) Now we create an arbitrary beacon frame flood with ./mdk3 mon0 b -n "FakeSSID". Here mon0 is a monitor-mode interface (create one first with airmon-ng start wlan0 if you do not have it), b selects beacon flood mode, and -n fixes the ESSID; without -n mdk3 generates random ESSIDs.
6) Now we can see that a new network with the SSID "FakeSSID" shows up in the scan list of nearby clients. The MDK3 tool keeps sending these beacon frames, each from a freshly generated random BSSID and with a varying advertised channel, which is what confuses the Wi-Fi clients around it. Run it without -n, or with -f and a file of SSIDs, and the ESSIDs vary as well, so a client sees dozens of non-existent networks.
So this is how an attacker creates a fake access point and makes it visible to all Wi-Fi clients nearby. Note that a beacon flood only advertises a network; there is nothing behind it for a client to actually associate with. To run a rogue AP that accepts clients and passes traffic you need a real AP process such as airbase-ng or hostapd.
Let's analyze the process by which a client connects to an Access Point.
The moment you switch on the wireless interface of a Wi-Fi client, the client broadcasts a packet announcing its presence and asking which networks are in range. This packet is called a probe request.
The client usually sends a null probe request first, i.e. a probe request whose SSID element is empty, meaning that it asks for all the available access points in the vicinity.
The APs in the vicinity answer the probe request with a probe response packet that carries their SSID, channel and capabilities. The client also sends directed probe requests for the APs stored in its cache, i.e. the APs to which it has previously connected; these reveal the names of networks the client trusts, which is exactly what a rogue AP advertising a matching SSID exploits.
If the client selects a specific AP to connect to, it sends an Authentication Request, which the AP answers with an Authentication Response. After the authentication phase comes the association phase, in which the client sends an Association Request and the AP responds with an Association Response. Only after these three steps (probe, authentication, association) does data transfer between the client and the AP begin. On an open network the authentication step is Open System authentication, a two-frame exchange with no secret in it; on a WPA/WPA2 network the real key exchange (the 4-way handshake) takes place after association, before any data can flow.
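The following Python script is an added example; it is not part of the original tutorial and it is not mdk3's code. It packs 802.11 management frames by hand with the standard library only (no scapy), so you can see what the beacon flood from the procedure above actually puts on the air (one ESSID, a fresh random BSSID per frame, a varying channel) and it walks the probe / authentication / association exchange described in this section through a minimal station state machine. The SSID "FakeSSID" is taken from the tutorial; the MAC addresses, the channel numbers, the helper names (beacon_flood, join, station_state, parse) and the exact information elements included are assumptions for illustration. It only builds and decodes bytes and transmits nothing.

```python
# Added example, not from the tutorial or from mdk3: hand-packed 802.11
# management frames. Builds bytes only and transmits nothing; MACs are illustrative.
import os, struct

ASSOC_REQ, ASSOC_RESP, PROBE_REQ, PROBE_RESP, BEACON, AUTH = 0, 1, 4, 5, 8, 11  # mgmt subtypes
BROADCAST = b"\xff" * 6
RATES = bytes([0x82, 0x84, 0x8B, 0x96])  # supported rates IE: 1, 2, 5.5, 11 Mbit (basic)

def random_bssid():
    # Fresh locally-administered unicast MAC, as a beacon flooder uses per frame
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return bytes(b)

def mgmt_header(subtype, dst, src, bssid, seq=0):
    # Frame Control (type 0, subtype in bits 4-7), Duration, Addr1-3, Sequence Control
    return struct.pack("<HH6s6s6sH", subtype << 4, 0, dst, src, bssid, seq << 4)

def ie(tag, payload):  # information element: tag, length, value
    return struct.pack("BB", tag, len(payload)) + payload

def beacon(ssid, bssid, channel, interval=100):
    fixed = struct.pack("<QHH", 0, interval, 0x0001)  # timestamp, beacon interval, ESS capability
    ies = ie(0, ssid.encode()) + ie(1, RATES) + ie(3, bytes([channel]))
    return mgmt_header(BEACON, BROADCAST, bssid, bssid) + fixed + ies

def probe_request(client, ssid=""):
    # Empty SSID element = null probe: "every AP in range, please answer"
    return mgmt_header(PROBE_REQ, BROADCAST, client, BROADCAST) + ie(0, ssid.encode()) + ie(1, RATES)

def probe_response(ssid, bssid, client, channel):
    fixed = struct.pack("<QHH", 0, 100, 0x0001)
    return mgmt_header(PROBE_RESP, client, bssid, bssid) + fixed + ie(0, ssid.encode()) + ie(3, bytes([channel]))

def auth_frame(src, dst, bssid, seq_num, status=0):
    # Open System authentication: algorithm 0; seq 1 = request, seq 2 = response
    return mgmt_header(AUTH, dst, src, bssid) + struct.pack("<HHH", 0, seq_num, status)

def assoc_request(client, bssid, ssid):
    fixed = struct.pack("<HH", 0x0001, 10)  # capability, listen interval
    return mgmt_header(ASSOC_REQ, bssid, client, bssid) + fixed + ie(0, ssid.encode()) + ie(1, RATES)

def assoc_response(bssid, client, aid, status=0):
    fixed = struct.pack("<HHH", 0x0001, status, 0xC000 | aid)  # capability, status, AID
    return mgmt_header(ASSOC_RESP, client, bssid, bssid) + fixed

FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, PROBE_REQ: 0, ASSOC_REQ: 4, ASSOC_RESP: 6, AUTH: 6}

def parse(frame):
    # Decode the header, the subtype's fixed fields, and the SSID / DS-channel IEs
    fc, _, dst, src, bssid, _ = struct.unpack_from("<HH6s6s6sH", frame, 0)
    subtype = (fc >> 4) & 0xF
    info = {"subtype": subtype, "dst": dst, "src": src, "bssid": bssid}
    if subtype == AUTH:
        info["algorithm"], info["seq"], info["status"] = struct.unpack_from("<HHH", frame, 24)
    elif subtype == ASSOC_RESP:
        _, info["status"], aid = struct.unpack_from("<HHH", frame, 24)
        info["aid"] = aid & 0x3FFF
    off = 24 + FIXED_LEN.get(subtype, 0)
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + length]
        if tag == 0:
            info["ssid"] = value.decode(errors="replace")
        elif tag == 3:
            info["channel"] = value[0]
        off += 2 + length
    return info

def beacon_flood(ssid, count, channel=None):
    # What "mdk3 mon0 b -n SSID" puts on the air: one ESSID, a new random BSSID in
    # every frame, and a random advertised channel unless one is pinned (mdk3 -c)
    frames = []
    for _ in range(count):
        frames.append(beacon(ssid, random_bssid(), channel or (os.urandom(1)[0] % 13 + 1)))
    return frames

def join(client, ap, ssid, channel):
    # The connection sequence from the text: probe, authentication, association
    return [
        ("client", probe_request(client)),                    # null probe request
        ("ap", probe_response(ssid, ap, client, channel)),
        ("client", auth_frame(client, ap, ap, seq_num=1)),    # authentication request
        ("ap", auth_frame(ap, client, ap, seq_num=2)),        # authentication response
        ("client", assoc_request(client, ap, ssid)),
        ("ap", assoc_response(ap, client, aid=1)),
    ]

def station_state(exchange):
    # 802.11 station states: 1 unauth/unassoc, 2 auth/unassoc, 3 auth/assoc.
    # Data frames are only accepted in state 3, which is why the three steps come first.
    state = 1
    for p in (parse(f) for who, f in exchange if who == "ap"):
        if state == 1 and p["subtype"] == AUTH and p["seq"] == 2 and p["status"] == 0:
            state = 2
        elif state == 2 and p["subtype"] == ASSOC_RESP and p["status"] == 0:
            state = 3
    return state
```

parse() is written so that the same decoder works on frames pulled from a monitor-mode capture (strip the radiotap header first); running it over a capture taken while mdk3 is flooding shows the distinct BSSID in every beacon. station_state() also makes the caveat from step 6 concrete: a flood that consists of beacons only never produces an authentication or association response, so a client that tries to join "FakeSSID" stays in state 1.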