Dos on 802.11 and other security issues ( Case Study )

Aug 15, 2015

Shrobon Biswas
Page 1: Dos on 802.11 and other security issues ( Case Study )

Denial of Service attacks on the 802.11 using Deauthentication packets & other Security issues

SHROBON BISWAS WEST BENGAL UNIVERSITY OF TECHNOLOGY

[email protected]

Abstract

The 802.11 protocol, commonly known as WiFi (Wireless Fidelity), has been around for a very long time. The base version of this standard was released in 1997 and has had several subsequent modifications and amendments. There have been many flaws in the encryption mechanisms of this immensely popular protocol, which were patched in subsequent revisions. In this paper we describe a severe flaw right at the root, or very heart, of the protocol, i.e. the authentication model between the client and the Access Point, and we exploit it by carrying out a DoS (Denial of Service) attack. We will also explain the various other attacks that are possible on this protocol and that stem from this basic flaw.

Introduction

In this section we describe the connection process between the Client and the Access Point. For simplicity we consider OPEN AUTHENTICATION (an AP without any encryption).

1. When the AP is powered on, it starts sending out broadcast frames (known as Beacon Frames) to announce its presence. (See Explanations section (a))

2. The STA/Client keeps searching for an available AP by sending out a Probe Request packet to all networks in the vicinity, or it sends a Directed Probe Request for a specific network in its PNL (Preferred Network List).

3. The AP replies with a Probe Response.

4. Now the Client sends an Authentication Request.

5. The AP sends an Authentication Response along with a success code.

Note: For simplicity's sake we have considered it an OPEN AP.

6. Now the Client sends an Association Request.

7. The AP replies with an Association Response.

8. Now data transfer takes place between the AP and the Client.

The AP-Client State Machines: © Cisco.com

Explanations

a.) The Beacon Frame contains no encryption or signature-based mechanism, hence the information about the AP flows as plain text over the air and can be sniffed by an attacker with a wireless card in monitor mode. With this information the attacker can broadcast the same beacon frames, spoofing the original AP's MAC address and SSID (Service Set Identifier), to set up a fake access point. Such fake access points can be used as the stepping stone for MITM (Man in the Middle) attacks and other honeypot-based attacks.

b.) Take a deeper look at the AP-Client State Machines. We infer from the model that a Deauthentication notification sends the client from state 3 back to state 1. Our objective is to look more closely at the deauthentication packet and reproduce such packets so that we can disconnect all clients (or a specific client) connected to the access point.

WLAN PACKET HEADERS: [3]

> Frame Control:
-- Protocol Version: for every 802.11 packet, the protocol version is 0
-- Type: either Management frame, Data frame or Control frame
-- To DS and From DS:

   To DS   From DS   Interpretation
     0        0      STA to STA in the same IBSS; all Management & Control frames
     0        1      Exiting from the DS
     1        0      Entering the DS
     1        1      Used in WDS

-- More Frag: indicates whether more fragments of the current frame are to follow. Only applicable to Data and Management frames.
-- Retry: indicates whether the current frame is a retransmission
-- Power Management: indicates whether the station is in Power Save mode or Active mode
-- WEP: 1 indicates that the frame body is encrypted; 0 indicates no encryption
-- Order: indicates that all received frame bits must be processed in order
> Frame Body: contains the data payload
> FCS: CRC over the MAC header and frame body
> Duration ID: used to set the NAV (Network Allocation Vector), i.e. the minimum time a STA needs to wait before attempting retransmission

A deauthentication packet is a management packet, and is of 2 types:

1. Directed Deauthentication (deauth directed to a specific STA)

2. Broadcast Deauthentication (deauth directed to all clients connected to the AP)

Attack Infrastructure

Used Apparatus and Configurations:

Operating system: Kali Linux 1.0.9

RAM: 4 GB DDR3 1600 MHz

Processor: Core i5 1st gen 3.06 GHz

Tools used: Aircrack suite (Aircrack, Airodump, Airmon, Aireplay) & Wireshark

WiFi Card: TP-LINK WN722N

Aim: To use the aircrack suite of tools to send a stream of Broadcast Deauthentication packets targeted at an AP, to break all connections of clients accessing the AP.

Kali Linux is a Linux distribution that ships with a large number of pentesting tools and utilities. We will plan the attack using the aircrack suite of tools provided by Kali Linux. First we configure our TP-Link WN722N network card, put it in monitor mode and create the mon0 interface using airmon-ng. Once our card is in monitor mode, we can sniff the air for packets using any network sniffer; we have used Wireshark for this purpose. Next we use a utility called airodump-ng to hop channels and identify the APs broadcasting in the vicinity. From here we get the BSSID, ESSID and MAC addresses of the STAs and APs, along with other details regarding the encryption mechanism and cipher suites. Once we have this information, we use aireplay-ng to send a broadcast deauthentication using the BSSID of the AP whose client connections we are trying to break. What effectively happens is that aireplay-ng broadcasts a stream of deauthentication packets carrying the BSSID and ESSID of the real AP. The clients connected to the AP assume these to be deauth messages from the original AP and deauthenticate from the network. While the deauth flood is on, no client can connect to the access point, effectively resulting in a denial of service.

** The most shocking point is that the attacker need not be on the same network to perform such an attack. **

Performing the attack

Demonstrating MAC spoofing

This is the initial configuration:

FIGURE 1

**Notice the HWaddr in the wlan0 section: 10:fe:ed:21:a9:49. This is my original MAC address.**

Now a simple utility was used to change the MAC address of wlan0.

FIGURE 2

Here -r stands for random MAC generation. Other parameters can be used to change the vendor specification and other details.

Now let us see whether the MAC address change took place, using ifconfig again.

FIGURE 3

**So we see the change now. Our MAC address has changed from 10:fe:ed:21:a9:49 to d8:0e:bc:0f:b3:f5. So we were successful in spoofing the MAC address of our wireless card, namely the TL-WN722N.**

Demonstrating channel hopping

The objective is to detect all the APs in the vicinity.

Step 1: Putting the wireless card (wlan0) in monitor mode to silently monitor packets that are in the air.

FIGURE 4

We made use of airmon-ng to set our card in monitor mode. Now we can use the mon0 interface to sniff packets in the air and also identify the access points in the vicinity.

Step 2: A wireless card can only be on one channel at a given point in time. So to determine all the access points in the vicinity we need to constantly hop channels to find the APs and the channels they are on. We use airodump-ng to hop channels and do the job for us.

**See that the card is on channel 3 right now: it keeps hopping channels randomly to discover networks**

FIGURE 5

**Another glimpse to show that the card is on another channel now; channel 2**

FIGURE 6

Demonstrating a packet capture

**Please note that all the experiments and packet captures were done on my personal network**

We now see from FIGURE 6 that BSNL (my Access Point) has a BSSID of 00:26:15:68:61:57 and is on Channel 11.

We will use the above information to put our wireless card in monitor mode (mon0 interface) and fix it on channel 11, so that we specifically sniff the packets of the given BSSID on channel 11. Packet capture was carried out using the Wireshark network protocol analyzer.

FIGURE 7: packet capture in process

Now let us explore the very first packet we see, i.e. the selected packet in Figure 7.

FIGURE 8: detailed packet capture

Now we get every minute detail about the packet by expanding the sections. Have a close look at Figure 9; it reveals the following:

Type/Subtype: Beacon frame (meaning it is a broadcast message from the AP)
Source Address: 00:26:15:68:61:57
BSSID: 00:26:15:68:61:57
ESSID: BSNL

**For this experiment we will only be concerned with the above parameters**

So now we have successfully studied the beacon frame sent out by the ESSID "BSNL".

FIGURE 9: Packet revealing Type of frame, ESSID , BSSID

Deauthentication

In FIGURE 6, we see 10:FE:ED:21:A9:49 in the station column next to the ESSID BSNL. This MAC address is that of the client that was connected to BSNL at that point in time. With the client MAC addresses out in the open, we can easily perform a Directed Deauth by sending a stream of Deauthentication packets to that client, or we can simply perform a Broadcast Deauthentication. The broadcast deauthentication will disconnect all clients connected to the network "BSNL" and will not let them connect back until we stop the deauthentication flood. We use aireplay-ng to send broadcast deauth messages targeted at the ESSID "BSNL" to effectively perform a DoS attack. The following figure shows the deauth attack in action.

FIGURE 10

Let us also see the corresponding packet capture of the deauth flood.

FIGURE 11

The Deauthentication packets are successfully sniffed by Wireshark, and all the clients connected to the AP with ESSID "BSNL" have been disconnected.
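As an added example (not code from the paper), the following Python parses the Frame Control and address fields described under WLAN Packet Headers and then runs a simple detector of the kind a WIDS would apply to a monitor-mode capture: it flags any BSSID that sources more than ten deauthentication or disassociation frames within one second, which is what the flood in Figure 11 looks like. The frames are constructed inline using the paper's BSSID and station address; the window and threshold values are assumptions.

```python
import struct
from collections import defaultdict

# Frame Control is the first 2 bytes of every 802.11 frame (little-endian):
# bits 0-1 protocol version (always 0), bits 2-3 type, bits 4-7 subtype, then
# the flags To DS (8), From DS (9), More Frag (10), Retry (11), Pwr Mgmt (12),
# More Data (13), WEP/Protected (14) and Order (15).
TYPE_MGMT = 0
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0xA, 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt_frame(raw):
    """MAC header of a management frame; deauth/disassoc also carry a reason code."""
    fc, duration = struct.unpack("<HH", raw[:4])
    h = {"version": fc & 0x3, "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
         "to_ds": bool(fc & 0x100), "from_ds": bool(fc & 0x200), "protected": bool(fc & 0x4000),
         "duration": duration, "da": mac_str(raw[4:10]), "sa": mac_str(raw[10:16]), "bssid": mac_str(raw[16:22])}
    if h["type"] == TYPE_MGMT and h["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        h["reason"] = struct.unpack("<H", raw[24:26])[0]   # body follows the 2-byte Sequence Control
    return h

def sample_frame(subtype, da, sa, bssid, reason):
    """Constructed frame (not a capture): FC, Duration=0, DA, SA, BSSID, SeqCtl=0, reason; no FCS."""
    fc = (TYPE_MGMT << 2) | (subtype << 4)
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (da, sa, bssid))
    return struct.pack("<HH", fc, 0) + addrs + struct.pack("<HH", 0, reason)

def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Return BSSIDs that source more than `threshold` deauth/disassoc frames within
    any sliding `window_s` seconds. frames = [(timestamp, raw_bytes)], chronological."""
    recent, flagged = defaultdict(list), set()
    for ts, raw in frames:
        h = parse_mgmt_frame(raw)
        if h["type"] != TYPE_MGMT or h["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[h["bssid"]]
        q.append(ts)
        while ts - q[0] > window_s:
            q.pop(0)
        if len(q) > threshold:
            flagged.add(h["bssid"])
    return sorted(flagged)

# Constructed traffic: one ordinary deauth (reason 3, STA leaving) and then a
# flood of 40 broadcast deauths 20 ms apart that carry the AP's BSSID (reason 7).
AP, STA = "00:26:15:68:61:57", "10:fe:ed:21:a9:49"
TRAFFIC = [(0.0, sample_frame(SUBTYPE_DEAUTH, AP, STA, AP, 3))]
TRAFFIC += [(1.0 + i * 0.02, sample_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, 7)) for i in range(40)]
```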

FIGURE 12

Aftermath

We have explained the entire process of the DoS attack on 802.11 networks, and have carried out an experiment on our own network and achieved success. Many other attacks make use of this vulnerability and build upon it. Some examples and situations are as follows:

The attacker first deauthenticates all the clients on a specific access point and keeps the deauth flood running. He then sets up a fake access point with the same BSSID and ESSID as the original AP, thus luring the clients to connect to the fake access point, and intercepts all data that the client browses. In some cases he may not even have to lure the client, as it will connect to the fake AP automatically if the signal strength is high and that BSSID and ESSID exist in the client's PNL (preferred network list) [5].

The attacker can deauthenticate clients connected to an AP and force them to reconnect so that he can collect the 4-way handshake which the client and AP exchange during the authentication and association process. With the 4-way handshake captured, cracking the WPA/WPA2 key is just a matter of time.

Suggestions

The reason the DoS attack using fake deauthentication packets succeeded is that MAC addresses are passed through the air as plain text and can be spoofed easily. There is no encryption or signature-based mechanism to authenticate the actual Access Point. Moreover the AP does all the authentication, while the client places implicit trust in whatever it receives from the access point. This enables easy spoofing of MAC addresses, bypassing of MAC filters to gain easy access into the network, and the setting up of fake access points by generating false beacon frames. To avoid such a scenario, a new authentication model should be developed that does away with BSSID, ESSID and MAC addresses and uses some other attribute which is encrypted and checked on both sides, i.e. the client and the AP both verify that encrypted attribute before accepting or receiving any packets.
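An added illustration of the suggestion above (not from the paper): the client only honours a deauthentication frame that carries a fresh counter and a keyed MIC that the AP alone could have produced, and the unprotected frame the flood relies on is rejected. The key, addresses and frame layout are constructed for the example; the real mechanism in the standard is 802.11w (Protected Management Frames), which uses BIP with AES-128-CMAC rather than the HMAC-SHA256 used here for self-containment.

```python
import hmac
import hashlib
import struct

# Added illustration of the paper's suggestion: the AP and an associated STA
# share a key, and a deauth is honoured only if it carries a fresh counter and
# a valid MIC over (DA, SA, BSSID, reason, counter). 802.11w does the real
# thing with BIP / AES-128-CMAC; HMAC-SHA256 is used here to stay self-contained.
MIC_LEN, BODY_LEN = 8, 28

def mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))

def build_deauth(da, sa, bssid, reason, counter=0, key=None):
    """Body = DA | SA | BSSID | reason | counter; a MIC is appended when a key is given."""
    body = mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid) + struct.pack("<HQ", reason, counter)
    return body if key is None else body + hmac.new(key, body, hashlib.sha256).digest()[:MIC_LEN]

class LegacyStation:
    """The behaviour the paper exploits: any deauth whose BSSID matches our AP is trusted."""
    def __init__(self, bssid):
        self.bssid, self.state = mac_bytes(bssid), 3      # state 3: authenticated + associated
    def receive_deauth(self, frame):
        if frame[12:18] != self.bssid:
            return "ignored"
        self.state = 1                                     # back to state 1, must re-auth
        return "accepted"

class ProtectedStation(LegacyStation):
    def __init__(self, bssid, key):
        super().__init__(bssid)
        self.key, self.last_counter = key, 0
    def receive_deauth(self, frame):
        if len(frame) != BODY_LEN + MIC_LEN:
            return "rejected: no MIC"                      # an unprotected frame, like the flood above
        body, mic = frame[:BODY_LEN], frame[BODY_LEN:]
        if body[12:18] != self.bssid:
            return "ignored"
        _reason, counter = struct.unpack("<HQ", body[18:])
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            return "rejected: bad MIC"                     # forged without the key
        if counter <= self.last_counter:
            return "rejected: replay"                      # a captured frame sent again
        self.last_counter, self.state = counter, 1
        return "accepted"

# Constructed scenario using the AP and STA addresses from the paper.
AP, STA, KEY = "00:26:15:68:61:57", "10:fe:ed:21:a9:49", b"constructed-shared-key"
LEGIT = build_deauth(STA, AP, AP, reason=3, counter=1, key=KEY)
FORGED = build_deauth("ff:ff:ff:ff:ff:ff", AP, AP, reason=7)      # attacker has no key
```

A frame that passes the MIC check is still only as trustworthy as the key distribution behind it; that, not the checking itself, is where the standard's design effort went.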

Links and References

[1] Access Point and Station state machine: cecs.wright.edu

[2] Intercepting Mobile Communications: The Insecurity of 802.11: Nikita Borisov, Ian Goldberg, David Wagner

[3] WLAN Packet Headers: www.wildpackets.com

[4] Denial-of-Service attacks and countermeasures in IEEE 802.11 wireless networks: Kemal Bicakci, Bulent Tavli

(This paper just states a possibility and not the working infrastructure and proof)

(Deals with MAC address spoofing detection --- used in WIDS and WIPS today)

[5] Study of DoS Attacks on IEEE 802.11 WLAN and its Prevention/Detection Techniques: Nisha Sharma, Paras Nath Barwal, CDAC Noida

[6] Weaknesses in Wireless LAN Session Containment: Joshua Wright

[7] IEEE 802.11. ANSI/IEEE Std 802.11, 1999 Edition (R2003), "Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications", 12 June 2003.
