
KARMA MANA Attack Theory

Dominic White edited this page Jul 23, 2018 · 1 revision

Overview

KARMA attacks are when an access point pretends to be whichever access point a device is looking for. When they were first published in 2004 (KARMA Attacks Radioed Machines Automatically), the attack was simply to respond to directed Wi-Fi probe requests, i.e. to answer a client's "are you network X?" with "yes, I am network X".

However, that stopped working in the majority of cases, and in 2014 we updated KARMA to additionally respond to broadcast probe requests from a device with directed probe responses for the networks we had previously seen that device probe for. We called this new attack MANA (a backronym for whatever you like; someone at Defcon suggested Many Are Now Active, instead of my original MitM And Network Attack).

Finding Networks

Modes

There are two different MANA modes. The first keeps things specific to a single device ID (i.e. its MAC address): if one device probes for a network named "foo" and another device probes for a network named "bar", device one will only see "foo" and device two will only see "bar".

Loud mode changes this to a universal network list, i.e. all devices will see all networks. If we reuse the example above, both device one and device two will see the "foo" and "bar" networks advertised.
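The two modes leave a distinguishable footprint in the probe responses a rogue AP sends, which is what a wireless IDS looks for. The following is an added detection example, not code from this wiki or from the MANA project: it works over constructed probe-response records (BSSID, destination client MAC, SSID) and flags any single BSSID that answers with more than one SSID, then reports whether every client saw the full list (loud mode) or only its own subset (per-device mode). The record format and the `max_ssids` threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample probe-response records: (bssid, client MAC, ssid).
# A single BSSID answering with several different SSIDs is the signature of a
# KARMA/MANA-style AP; a normal AP answers only for its own SSID.
LOUD_SAMPLE = [
    ("02:00:00:00:00:01", "a4:00:00:00:00:11", "foo"),
    ("02:00:00:00:00:01", "a4:00:00:00:00:11", "bar"),
    ("02:00:00:00:00:01", "a4:00:00:00:00:22", "foo"),
    ("02:00:00:00:00:01", "a4:00:00:00:00:22", "bar"),
    ("02:00:00:00:00:09", "a4:00:00:00:00:11", "CoffeeShop"),  # benign AP
]
TARGETED_SAMPLE = [
    ("02:00:00:00:00:01", "a4:00:00:00:00:11", "foo"),
    ("02:00:00:00:00:01", "a4:00:00:00:00:22", "bar"),
    ("02:00:00:00:00:09", "a4:00:00:00:00:22", "CoffeeShop"),  # benign AP
]


def analyse_probe_responses(records, max_ssids=1):
    """Group probe responses by BSSID and flag those advertising more than
    max_ssids distinct SSIDs. For each flagged BSSID return the SSID set and
    whether every client received the whole set (loud mode) or only the
    SSIDs it probed for itself (per-device mode)."""
    seen = defaultdict(lambda: defaultdict(set))  # bssid -> client -> ssids
    for bssid, client, ssid in records:
        seen[bssid][client].add(ssid)
    findings = {}
    for bssid, clients in seen.items():
        all_ssids = set().union(*clients.values())
        if len(all_ssids) <= max_ssids:
            continue  # a legitimate AP only answers for its own SSID(s)
        loud = all(ssids == all_ssids for ssids in clients.values())
        findings[bssid] = {"ssids": all_ssids, "loud": loud}
    return findings


if __name__ == "__main__":
    for name, sample in (("loud", LOUD_SAMPLE), ("targeted", TARGETED_SAMPLE)):
        for bssid, info in analyse_probe_responses(sample).items():
            mode = "loud" if info["loud"] else "per-device"
            print(f"{name}: {bssid} advertised {sorted(info['ssids'])} ({mode} mode)")
```

The loud/per-device distinction is only meaningful once responses to at least two different clients have been observed; with a single client both modes look identical.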

Loud Mode Rationale

The rationale behind loud mode was initially that some devices were using randomised MAC addresses when they probed, to avoid the many solutions attempting to track devices in public areas using this trick. Loud mode would allow those networks to be discovered through the random-MAC probe and rebroadcast to the device when it used its legitimate MAC address (i.e. when it tried to connect).

Later, devices started directed probing much less, due to attacks such as Snoopy and MANA. Loud mode helps to learn the networks that devices nearby are looking for and rebroadcast them to all devices to try and get a connection.