AP Possible Man-in-the-Middle Attacks--NoobHere

Juanit-0o 0 Reputation points
2025-08-16T23:55:24.94+00:00

Just getting into IT&Computers in general...

Question--If an AP is set up (In more of a Neighborhood environment) that uses the same SSIDs as local/indigenous networks (maybe even... you subscribe and receive the same equipment as most people with access to modem configurations). If this "Masked" SSID pushes out a stronger signal, requiring you to attempt login through said SSID, is it possible for the "Masked" SSID to take on a role of Man-in-the-Middle after receiving the request from your device? I know the 4-way handshake comes into play, but can this "Masked" boosted signal continue to route traffic, maybe try to decipher a few payloads or even packets?

Even with the same equipment and the ability to configure IPv6 (which requires local sharing in order to work), possibly greatly greasing the slippery slopes of "local network sharing."

Supporting instances:

Setting up a new Home WiFi, I have gone from hidden SSID to displayed SSID numerous times. The oddity is that when I switch my network to hidden, I can go through the available SSID and still see my network listed. Now... the neighborhood has gone into a sort of piggyback SSID routine lately yet when a new unique SSID is created, within 5 minutes, there is a visible SSID still present with the just created unique SSID even after configuring to be a hidden network.

Logging onto newly created WiFi/APs, the process always has at least 2 or 3 failed attempts trying to log into the new network.

I have performed traceroutes on internal IP traffic (127.0.0.0) and I am getting traces to other states and sometimes foreign countries. Is that even possible? I have accounts in my UAC Security permissions that are Unknown and when registry is opened and looked at, in some cases, these accounts cannot be removed. In resmon.exe Searches is usually suspended along with a few processes with PIDs in the single digits.

I know this is most likely a "Happy Meal" being a Noob and all. Am I going mad??? Please lay some knowledge on the Noobie here, what is happening?

Windows for home | Other | Email and communications

1 answer

  1. Bryan-V 3,435 Reputation points Microsoft External Staff Moderator
    2025-08-17T15:45:04.5433333+00:00

    Dear Juanit-0o,

    Thank you for reaching out to the Microsoft Q&A.

    You're raising some intriguing observations about Wi-Fi networks, access points, and system behaviors that touch on security concepts like man-in-the-middle (MITM) attacks. You're definitely not going mad; you're asking the right questions and observing your environment, which is a key skill in IT.

    About the Evil Twin Attack, the core of your question is spot on. An attacker can set up a rogue Access Point (AP) with the same SSID (the network name, like "MyHomeWiFi") as your legitimate network. By using a stronger transmitter, they trick your devices (phone, laptop, etc.) into automatically connecting to their AP instead of yours.

    Here’s how it works:

    1. Deauthentication (Optional but common): The attacker can send "deauth" packets to your device, forcing it to disconnect from your real Wi-Fi network.
    2. The Lure: Your device, now disconnected, searches for a familiar network to reconnect to. It sees the attacker's powerful "Evil Twin" AP with the same SSID and connects to it, thinking it's the real one.
    3. The Middle Man: Now, all your internet traffic flows through the attacker's device. You are connected to them, and they are connected to the real internet. They are the "man in the middle."

    About the password and the 4-way handshake: modern Wi-Fi security like WPA2 and WPA3 is very strong. The 4-way handshake is the process that uses your Wi-Fi password to create a unique encryption key for your session.

    • When your device connects to the Evil Twin, it will perform the handshake. The attacker's AP doesn't know your real password, so the handshake will fail. However, the attacker can use this opportunity to present a "Captive Portal" - a fake login page that looks like your internet provider's page, saying "Please re-enter your Wi-Fi password to continue." If you type your password there, the attacker captures it.
    • The real danger is, even if you don't fall for a captive portal, if the attacker sets up the Evil Twin as an "open" network (no password), your device might still connect. Once connected, the attacker is positioned to intercept any traffic that isn't separately encrypted.

    So, Wi-Fi encryption (WPA2/3) is different from website encryption (HTTPS). While WPA2/3 encrypts the data between your device and the AP, HTTPS encrypts data between your browser and the website's server, regardless of the Wi-Fi network.

    Let's address the strange things you've been seeing:

    1. Hidden SSID Still Visible

    This is normal behavior and a common misconception. "Hiding" an SSID only stops the AP from broadcasting its name in beacon frames. However, your devices (which already know the network) still have to ask for it. They send out "probe requests" shouting, "Is MyHomeWiFi here?" and your AP responds, "Yes, I'm here!" An attacker's scanner can easily pick up these probes and replies, revealing the network's name. Hiding an SSID provides virtually no security. The fact that a "clone" appears instantly is likely just your own network responding to your device's probes.

    2. Failed Login Attempts

    This could be a sign of an Evil Twin attempting and failing the 4-way handshake. However, it's more often caused by simpler issues like a mistyped password, your device being too far from the router, or a temporary software glitch. While suspicious, it's not definitive proof of an attack.

    3. Traceroute on 127.0.0.0

    This is impossible and indicates a misunderstanding of how traceroute and IP addresses work. The entire 127.0.0.0/8 block (which includes the most common address, 127.0.0.1) is reserved for localhost. This address is a "loopback" address, meaning it always points back to your own computer. Traffic sent to 127.0.0.1 never leaves your machine.

    A traceroute to 127.0.0.1 should return a single hop: itself. If you are seeing traces to other states or countries, you are definitely not tracing 127.0.0.1. You are likely tracing a public IP address and misinterpreting the results.

    4. Unknown UAC Accounts & Registry Issues

    This is more concerning and is likely unrelated to a network attack. It's a potential sign that your computer itself is compromised with malware or a virus.

    • Unknown Accounts: Windows creates several built-in user accounts for system services. Sometimes, after updates or software installations, you might see accounts with long, cryptic names like S-1-5-21-.... These are Security Identifiers (SIDs) whose friendly names can't be resolved. While often benign, they can also be created by malware.
    • Suspended Processes: A suspended "Search" process or processes with low PIDs (Process IDs) are generally normal. The operating system kernel and its essential services are the first things to load, so they get the lowest PIDs (0-100). Suspending processes is also a normal part of Windows resource management.

    I wish my answer could help you. If you have any further issues, we are happy to assist.


    To assist others who might have similar questions and to help us improve our support system, we kindly encourage you to "Accept the answer" if it successfully addressed your concern. Accepting an answer lets other users know that this solution worked for you, and it also helps us track the effectiveness of our support efforts.

    Best regards, 

    Bryan Vu | Microsoft Q&A Support Specialist 

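A defender-side check for the Evil Twin pattern the answer describes (same SSID, an AP you do not recognise, open security, stronger signal), as an added example that is not code from the original answer; the scan entries are constructed sample data, and the field names are assumptions about whatever Wi-Fi scanner output you feed in:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanEntry:
    ssid: str         # network name as broadcast (or probed for)
    bssid: str        # AP MAC address, as shown by a Wi-Fi scanner
    security: str     # e.g. "WPA2", "WPA3", "OPEN"
    signal_dbm: int   # closer to 0 means a stronger signal

# Constructed sample scan (not real data): the home AP plus two lookalikes.
SAMPLE_SCAN = [
    ScanEntry("MyHomeWiFi", "aa:bb:cc:00:00:01", "WPA2", -55),   # the real home AP
    ScanEntry("MyHomeWiFi", "aa:bb:cc:99:99:99", "OPEN", -35),   # same name, open, stronger
    ScanEntry("MyHomeWiFi", "de:ad:be:ef:00:02", "WPA2", -40),   # same name, unknown BSSID
    ScanEntry("NeighborNet", "11:22:33:44:55:66", "WPA2", -70),
]

def find_evil_twin_candidates(scan, ssid, known_bssids):
    """Return [(bssid, reason), ...] for APs advertising `ssid` whose BSSID is not
    in the trusted list. The SSID alone proves nothing; the BSSID, the security
    type and the relative signal strength are what separate a clone from the
    real AP."""
    known = {b.lower() for b in known_bssids}
    trusted = [e for e in scan if e.ssid == ssid and e.bssid.lower() in known]
    trusted_sec = {e.security for e in trusted}
    findings = []
    for e in scan:
        if e.ssid != ssid or e.bssid.lower() in known:
            continue
        reasons = ["BSSID not in trusted list"]
        if e.security == "OPEN" and "OPEN" not in trusted_sec:
            # Open AP reusing a name that should be WPA2/WPA3: the captive-portal lure
            reasons.append("open network using a name that should be WPA2/WPA3")
        if trusted and e.signal_dbm > max(t.signal_dbm for t in trusted):
            # Stronger than the real AP: devices will prefer it when reconnecting
            reasons.append("stronger signal than the trusted AP")
        findings.append((e.bssid, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for bssid, reason in find_evil_twin_candidates(SAMPLE_SCAN, "MyHomeWiFi", ["AA:BB:CC:00:00:01"]):
        print(f"suspicious AP {bssid}: {reason}")
```

Pin your own AP's BSSID (printed on the router label or shown in its admin page) as the trusted list; a second BSSID carrying your SSID is the signal worth investigating, not the SSID being visible while "hidden".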
