Hacking Wireless Networks For Dummies

240 Part III: Advanced Wi-Fi Hacks

The same test can be performed with Authentication Request packets as well.

We’ll use CommView for WiFi’s Packet Generator tool again when we look at deauthentication and disassociation attacks later in this chapter. We’ll also demonstrate what such attacks look like through a network analyzer.

Other packet injection tools can be used to execute association-flooding attacks if you’re eager to venture out, including the following UNIX/Linux-based tools:

file2air (http://home.jwu.edu/jwright/code/file2air-0.1.tar.bz2)

AirJack (http://sourceforge.net/projects/airjack)

libradiate (www.packetfactory.net/projects/libradiate)

Too much traffic

Wireless overloading is often unintentional, especially with today’s “robust” applications sucking up every available bit of memory, processor time, and network bandwidth. For example, the following legitimate wireless network traffic is quite possible on a typical network at any given time:

Movie and music file downloads

Basic Web browsing

P2P file sharing traffic

A bored employee hosting his own Web or FTP server

Users streaming the audio of their favorite radio talk-show host

Internal network file copies, print jobs, and so on

Vulnerability-assessment software running an obscene number of tests every second

Downloads occurring over a very-high-speed Internet connection (think T3 and faster)

Web, e-mail, FTP, or other servers transmitting and receiving data

Wireless networks are easily saturated at speeds well below their advertised data rate: the 11 Mbps or 54 Mbps figure is the signaling rate, not the throughput an application actually sees. This is especially true for 802.11b systems, which not only struggle to provide enough usable throughput but are also half-duplex: the medium is shared, so only one station can transmit at a time. Even in a perfect world, an 802.11b cell delivers no more than about 5.5 Mbps of real throughput, and usually less once the overhead of the 802.11 protocol itself and the contention among multiple clients on the network are counted.

Chapter 13: Denial-of-Service Attacks 241

A neat commercial security-testing tool you can use to test an AP’s susceptibility to information overload is BLADE Software’s IDS Informer program (www.bladesoftware.net). This software is designed for testing IDS/IPS systems but can be used to flood a wireless network for DoS testing purposes just as well.

All it takes is one computer generating a fair amount of legitimate traffic to bring down an AP. In fact, according to previous nonscientific studies of 802.11b capabilities that Kevin was involved with, a typical 802.11b AP can handle only a dozen or so (often fewer) client connections before performance starts degrading for everyone on the network. This can occur even if the network uses multiple APs in ESS mode to service a broad wireless coverage area. Moving to 802.11g won’t necessarily fix this issue; the trouble may simply be less noticeable, camouflaged by the 54 Mbps data rate of 802.11g (compared to only 11 Mbps for 802.11b), which is still shared by every client on the channel.
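As an added illustration of why the throughput figures above fall so far short of the data rate (this is example code, not from the book or any tool it mentions), the following Python model uses the 802.11b timing parameters from the standard (20 µs slot, 10 µs SIFS, 50 µs DIFS, CWmin of 31, 192 µs long and 96 µs short preamble, ACKs sent at a basic rate) to compute how much medium time one uncontended DATA/ACK exchange costs and what payload throughput that leaves. It assumes no collisions, retries or RTS/CTS, so it is an upper bound; the 512 kbps per-client figure used for the saturation estimate is an assumed streaming-audio rate, not a number from the text.

```python
# 802.11b (DSSS/HR-DSSS) PHY and MAC timing constants from the standard.
SLOT_US = 20
SIFS_US = 10
DIFS_US = SIFS_US + 2 * SLOT_US   # 50 us
CW_MIN = 31                       # contention-window slots after DIFS
PREAMBLE_LONG_US = 192            # 144 us preamble + 48 us PLCP header, always sent at 1 Mbps
PREAMBLE_SHORT_US = 96            # optional short preamble
MAC_HEADER_BYTES = 24             # data frame header (three addresses, no QoS field)
FCS_BYTES = 4
ACK_BYTES = 14                    # ACK control frame including FCS


def frame_airtime_us(mpdu_bytes, rate_mbps, preamble_us):
    """Airtime of one PHY frame: fixed preamble/PLCP header plus the MPDU at the data rate."""
    return preamble_us + mpdu_bytes * 8 / rate_mbps


def exchange_airtime_us(payload_bytes, rate_mbps, ack_rate_mbps=1.0, short_preamble=False):
    """Medium time consumed by one DATA + ACK exchange for a single, uncontended station:
    DIFS, the average backoff (half of CWmin), the data frame, SIFS and the ACK.
    The ACK goes out at a basic rate (1 or 2 Mbps), not at the data rate."""
    preamble = PREAMBLE_SHORT_US if short_preamble else PREAMBLE_LONG_US
    mpdu = MAC_HEADER_BYTES + payload_bytes + FCS_BYTES
    mean_backoff = SLOT_US * CW_MIN / 2
    return (DIFS_US + mean_backoff
            + frame_airtime_us(mpdu, rate_mbps, preamble)
            + SIFS_US
            + frame_airtime_us(ACK_BYTES, ack_rate_mbps, preamble))


def max_throughput_mbps(payload_bytes, rate_mbps, **kwargs):
    """Best-case MAC-layer payload throughput (Mbps) at a given PHY rate and frame size.
    Ignores collisions, retries, RTS/CTS and everything above the MAC, so TCP goodput is lower."""
    return payload_bytes * 8 / exchange_airtime_us(payload_bytes, rate_mbps, **kwargs)


def clients_before_saturation(per_client_kbps, payload_bytes=1500, rate_mbps=11.0):
    """How many stations each pushing a steady per_client_kbps fit in one cell before
    the air is full. Contention between them only makes the real number smaller."""
    return int(max_throughput_mbps(payload_bytes, rate_mbps) * 1000 // per_client_kbps)


if __name__ == "__main__":
    print(f"{'payload':>8} {'rate':>5} {'airtime us':>11} {'Mbps':>6}")
    for payload in (64, 512, 1500):
        for rate in (1, 2, 5.5, 11):
            print(f"{payload:8d} {rate:5} {exchange_airtime_us(payload, rate):11.0f} "
                  f"{max_throughput_mbps(payload, rate):6.2f}")
    print("1500-byte frames, short preamble, ACK at 2 Mbps:",
          round(max_throughput_mbps(1500, 11, ack_rate_mbps=2.0, short_preamble=True), 2), "Mbps")
    print("512 kbps audio streams per 802.11b cell (assumed rate):", clients_before_saturation(512))
```

Run it to print the table: 1500-byte frames at 11 Mbps come out near 6 Mbps, 64-byte frames below 0.6 Mbps, which is why a burst of small packets (print jobs, P2P chatter, a vulnerability scanner) fills the air far faster than its byte count suggests.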

All of this is with legitimate traffic on the network. Imagine what can happen when multiple computers are generating malicious traffic! At the very least, it’s enough to create a serious DoS condition. Technically, such an attack could be considered a distributed DoS (DDoS) attack because multiple systems are involved.

Like their 802.11b predecessors, 802.11g systems operate in the 2.4 GHz band and so can use only three non-overlapping channels (1, 6, and 11); available bandwidth is still minimal on congested networks. This problem can be overcome by using 802.11a technology, which operates in the 5 GHz band, has more non-overlapping channels, and thus allows more APs to be grouped together to handle the extra requests. But do you really want to purchase and implement the Betamax of wireless network technologies?

Are You Dis’ing Me?

Several clever DoS attacks against wireless clients are bad enough to make you want to stick with good old-fashioned Ethernet — maybe even Token Ring. These attacks are often more effective than association and authentication attacks — that’s because wireless clients tend to be more willing to believe that anything coming to them from an AP must be valid.

There are two main types of DoS attacks against client systems:

Disassociation attacks

Deauthentication attacks

The bad thing about these client DoS attacks is that they can go on indefinitely, until the attacker decides to stop. Nothing in the original 802.11 standard authenticates management frames, so a client has no way to tell a forged deauthentication or disassociation from a real one; only the later 802.11w amendment (Protected Management Frames, mandatory with WPA3) closes that gap, and only when both the client and the AP support it.


Several hacking tools are available to execute client DoS attacks, including WLAN-jack (if you’re lucky enough to have downloaded it before it was taken offline), Void11 (www.wlsec.net/void11), and FATA-jack (www.securitywireless.info/public/wipentest/fata_jack.c). The same results can be accomplished very easily with CommView for WiFi’s Packet Generator, as we’ll demonstrate shortly.

Disassociations

A disassociation attack is essentially a wireless station’s way of saying “I don’t want to talk to you any more.” The situation is similar to when a friend ticks you off — you (the AP) tell the friend (the wireless client) to get lost. Disassociation packets can be sent from a wireless client to an AP as well.

The way a disassociation attack works is very straightforward. The attack simply mimics valid disassociation frames originating from a client or AP and cuts off the association. First, the attacker spoofs either the client’s or the AP’s MAC address (usually the latter). Then he sends forged disassociation packets either to a specific system or to the broadcast address. A disassociation attack is shown graphically in Figure 13-10.

After the disassociation occurs, the client is returned to a state where it’s still authenticated to the AP but no longer associated (State 2 of the 802.11 state machine). Because data frames are only allowed in the associated state, this leaves it disconnected from the network until it associates again.

Deauthentications

A deauthentication attack is a little more effective than a disassociation attack because it puts the client in a state of complete disconnection: neither authenticated nor associated (State 1), so it must both re-authenticate and re-associate before it can pass data again. The deauthentication attack is a wireless station’s way of saying “Your connection to me is no longer valid.” As with disassociation attacks, the forged frame can claim to come from the client or from the AP; a frame spoofed from the AP can be directed to an individual client MAC address or to the broadcast address, which takes every client in the cell offline at once.

Figure 13-11 shows how a deauthentication attack is carried out.

Figure 13-10: Disassociation attack partially disconnecting a wireless client. Step 1: client fully connected (authenticated and associated with the AP). Step 2: attacker’s system sends a forged Disassociate Request packet to take a single client offline. Step 3: client partially disconnected (still authenticated, but no longer associated with the AP).

Figure 13-11: Deauthentication attack completely disconnecting a wireless client. Step 1: client fully connected (authenticated and associated with the AP). Step 2: attacker’s system sends a forged Deauthenticate Request packet to take a single client offline. Step 3: client fully disconnected (no longer authenticated or associated with the AP).


If you care to see how your systems respond to deauthentication attacks, here’s how it can be done using CommView for WiFi:

1. Load CommView for WiFi and click the blue Start Capture icon in the upper-left corner, or simply press Ctrl+S on your keyboard.

This loads the Scanner utility shown in Figure 13-7 above so you can enable your wireless NIC to capture packets.

2. Click the Capture button in the Scanner window.

This puts your wireless NIC into promiscuous (monitor) mode so it captures all wireless frames on the channel, not just those addressed to it, and starts the capture.

3. Generate a Deauthentication packet.

Capturing one of these packets is a little trickier, but if you have an AP that supports manual deauthentications, it can be pretty simple. As shown in the Cisco management screen in Figure 13-12, it’s as easy as clicking the Deauthenticate button for the client you wish to deauthenticate.

Figure 13-12: Cisco Aironet option to deauthenticate a wireless client.


4. Capture the Deauthentication packet.

This is as simple as capturing all wireless packets — or narrowing it down to management packets — in a network analyzer. Figure 13-13 shows what such a packet looks like in AiroPeek. All you have to do is capture the packet using any wireless network analyzer, save the packet, and import it into CommView for WiFi’s Packet Generator. Or you can simply capture the packet in CommView for WiFi and save the packet using the steps we outlined for the Association Request packet above.

5. Edit the Deauthentication packet.

After you have the packet loaded into CommView for WiFi’s Packet Generator, you can edit it to change source and destination addresses. In this example, we’ll change the source address to effectively turn it into a forged address and change the destination address to the broadcast address.

Figure 13-13:

A Deauthentication packet discovered by AiroPeek.


Figure 13-14 shows the packet loaded into Packet Generator and edited to have a random source address (11:22:33:44:55:66) and the broadcast address (ff:ff:ff:ff:ff:ff) as the destination address. You can change the BSSID address (the MAC address of the AP) as well. These addresses and their locations within the packet are shown in Figure 13-14. Keep in mind that a client only honors a deauthentication that carries the BSSID of the AP it is associated with, and many clients also expect the source address to be that AP’s MAC; a random source address is fine for demonstrating the flood, but to reliably knock clients off a particular AP, set both the source and the BSSID to that AP’s address.

Figure 13-14: An edited version of the Deauthentication packet ready to send.

To edit the packet, you simply click inside the data area on the right side of the Packet Generator window and change the addresses to your heart’s content. Just make sure you stay within the correct fields (offsets in hex editing terminology) so you don’t overwrite other critical packet data.

Note that in Figure 13-14, you can expand the 802.11 item on the left side (simply click the + button) and verify that your changes are accurate for the source, destination addresses, and even the BSSID address.

6. Send the packet.

You can send the packet by setting the appropriate parameters for packet size, packets per second, and the number of times to send it.

This exercise demonstrates how simple it is to create a deauthentication flood attack against wireless clients. If you monitor your airwaves by a network analyzer (such as CommView for WiFi or AiroPeek) while you’re performing this attack, you’ll see quite a spectacle. Notice in Figure 13-15 how the majority of packets discovered by AiroPeek are Deauthentication packets.

Figure 13-16 shows what the same attack looks like through AiroPeek NX’s Packets view. Notice that AiroPeek NX discovered the attack and highlighted the fact in the Expert column.
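To make the frame layout behind steps 5 and 6 concrete, here is an added Python example (not from the book, and not CommView’s or AiroPeek’s own code) that builds and parses deauthentication and disassociation frames, rewrites the three address fields at the same offsets Packet Generator edits, applies a simplified model of which forged frames a pre-802.11w client will honor, and runs the kind of rate check a tool like AiroPeek NX’s Expert column performs, over a constructed capture. The AP and client MAC addresses are placeholders; the 11:22:33:44:55:66 source and the broadcast destination are the ones used in the text.

```python
import struct
from collections import Counter

# Management-frame subtypes for the two client DoS attacks in the text.
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Byte offsets inside a management frame (FCS not included). These are the
# fields you must stay inside when editing the hex dump in Packet Generator.
OFF_FC, OFF_DURATION, OFF_ADDR1, OFF_ADDR2, OFF_ADDR3, OFF_SEQ, OFF_BODY = 0, 2, 4, 10, 16, 22, 24
HEADER_LEN = 24


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, dst, src, bssid, reason=3, seq=0):
    """Build a deauthentication (0xC) or disassociation (0xA) frame: 24-byte header plus
    a 2-byte reason code (3 = station leaving, 4 = inactivity, 8 = disassoc, station leaving).
    Address 1 = receiver, Address 2 = claimed sender, Address 3 = BSSID."""
    frame_control = (subtype << 4) | (0 << 2) | 0    # subtype | type 0 (management) | version 0
    frame = struct.pack("<HH", frame_control, 0)      # frame control, duration (0 is fine for injection)
    frame += mac_to_bytes(dst) + mac_to_bytes(src) + mac_to_bytes(bssid)
    frame += struct.pack("<H", (seq << 4) & 0xFFF0)   # sequence number in bits 4-15, fragment 0
    return frame + struct.pack("<H", reason)


def parse_mgmt_frame(frame):
    """Return subtype, addresses and reason of a management frame; None for other frame types."""
    if len(frame) < HEADER_LEN:
        return None
    frame_control, = struct.unpack_from("<H", frame, OFF_FC)
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if ftype != 0:
        return None
    info = {"subtype": subtype,
            "dst": bytes_to_mac(frame[OFF_ADDR1:OFF_ADDR1 + 6]),
            "src": bytes_to_mac(frame[OFF_ADDR2:OFF_ADDR2 + 6]),
            "bssid": bytes_to_mac(frame[OFF_ADDR3:OFF_ADDR3 + 6])}
    if subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(frame) >= OFF_BODY + 2:
        info["reason"], = struct.unpack_from("<H", frame, OFF_BODY)
    return info


def respoof(frame, dst=None, src=None, bssid=None):
    """Rewrite only the address fields of a captured frame, leaving every other byte alone."""
    buf = bytearray(frame)
    for offset, mac in ((OFF_ADDR1, dst), (OFF_ADDR2, src), (OFF_ADDR3, bssid)):
        if mac is not None:
            buf[offset:offset + 6] = mac_to_bytes(mac)
    return bytes(buf)


def client_would_accept(frame, client_mac, ap_bssid, strict=False):
    """Simplified model of a pre-802.11w client: the frame must carry its AP's BSSID in
    Address 3 and be addressed to it or to broadcast. A strict client also requires the
    sender (Address 2) to be the AP, which is why spoofing the AP's MAC is the reliable choice."""
    p = parse_mgmt_frame(frame)
    if not p or p["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return False
    if p["bssid"] != ap_bssid or p["dst"] not in (client_mac, BROADCAST):
        return False
    return p["src"] == ap_bssid if strict else True


def find_floods(frames, window_s, threshold_per_s=5.0):
    """Detector pass over one capture window: count deauth/disassoc frames per
    (bssid, src, dst) and report any tuple above threshold_per_s. A real AP sends
    a handful of these a day; dozens per second is an attack."""
    counts = Counter()
    for frame in frames:
        p = parse_mgmt_frame(frame)
        if p and p["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            counts[(p["bssid"], p["src"], p["dst"])] += 1
    return {key: n / window_s for key, n in counts.items() if n / window_s > threshold_per_s}


# Constructed sample capture (not real traffic): one legitimate deauthentication of an
# idle client, then the broadcast flood from step 6 using the text's spoofed source.
AP = "00:0c:41:aa:bb:cc"           # assumed AP MAC (placeholder)
CLIENT = "00:0e:35:12:34:56"       # assumed client MAC (placeholder)
SPOOFED_SRC = "11:22:33:44:55:66"  # the "random" source address from step 5
LEGIT_DEAUTH = build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, reason=4, seq=17)
SAMPLE_CAPTURE = [LEGIT_DEAUTH]
SAMPLE_CAPTURE += [respoof(LEGIT_DEAUTH, dst=BROADCAST, src=SPOOFED_SRC) for _ in range(60)]
WINDOW_S = 2  # the 60 forged frames were "sent" over a two-second window

if __name__ == "__main__":
    for (bssid, src, dst), rate in find_floods(SAMPLE_CAPTURE, WINDOW_S).items():
        print(f"deauth flood: bssid={bssid} src={src} dst={dst} rate={rate:.0f}/s")
    forged = SAMPLE_CAPTURE[1]
    print("lenient client accepts forged frame:", client_would_accept(forged, CLIENT, AP))
    print("strict client accepts forged frame: ", client_would_accept(forged, CLIENT, AP, strict=True))
```

The detector keys on the (BSSID, source, destination) tuple rather than on source alone, so a flood that copies the AP’s own MAC as source still stands out by rate; the client model shows why the random-source frame from step 5 may or may not work depending on how picky the client’s driver is about Address 2.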


Figure 13-15: Deauthentication attack as seen in AiroPeek’s Protocols view.

Figure 13-16: Deauthentication attack as seen in AiroPeek NX’s Packets view.


For a real-world view of what this type of attack can do to a wireless client, take a gander at Figures 13-17 (normal wireless connectivity and a test ping out to a Web site) and 13-18 (the havoc after deauthentication).

Figure 13-17: Normal wireless client connectivity.

Invalid authentications via fata_jack

There are other tools that can create similar client DoS attacks. A popular one is Mark “Fat Bloke” Osborne’s fata_jack, a Linux program based on wlan_jack that you have to compile before using. It spoofs a valid client on the network and sends the AP invalid Authentication Failed frames; the AP, in effect, responds to the client with “Hey! Your previous authentication failed, so forget you; I don’t want to speak to you any more.”

This attack is known to create erratic behavior on wireless clients, especially those running older operating systems with older wireless hardware. Before using this program, compile it (following the instructions in the source code); then run it to see whether any of your systems are vulnerable, and be careful not to crash critical systems.