Hacking: 802.11 Protocol Attacks, Deauthentication

<<

bojan

Newbie
Newbie

Posts: 19

Joined: Wed Mar 26, 2008 2:03 am

Post Wed Mar 26, 2008 2:12 am

Hacking: 802.11 Protocol Attacks, Deauthentication

Written by Devin Akin
Tuesday, 19 February 2008

This article is presented as part of hacking + solution track for Wireless Security Expo 2008. The hacking video is available here hxxp://www.cwnp.com/learning_center/video_deauth.html

Deauthentication is the most common form of 802.11 protocol denial-of-service (DoS) attack. After watching the Deauthentication video, you can see that performing this type of attack takes seconds using common and user-friendly software and hardware, can wreak havoc on a network, and can be used as part of other types of wireless network attacks. Deauthentication frames are considered notifications, not requests, which means any associated station or AP that receives a deauthentication frame must comply.
802.11 stations must authenticate themselves through "Open System Authentication" prior to requesting a connection. Following successful authentication (consisting of two acknowledged authentication frames), the client station will then request association (connectivity). The association request frame is followed by an association response frame. Each of these frames are also acknowledged.

The next steps depend on the type of security in use on the WLAN and determine just how intrusive a deauthentication attack will be. If the WLAN is using only Open System authentication, then a deauthentication attack will yield a very minor interruption for client stations. The reason for this is that the authentication and association process is extremely fast. When deauthenticated, a client station must reauthenticate and reassociate, but this entire process takes only a few milliseconds to complete. If the WLAN is using WEP with Open System authentication, the same process would apply.

If the WLAN is using WPA/WPA2-PSK, then a 4-way handshake (plus 4 ACK frames) will follow the acknowledged association response frame. This process is fairly fast (roughly an additional 20-30 ms), but added to the Open System authentication and association, it can easily add up to 50 ms (total) when adding in contention time. If a single AP is used, this won't be a big problem, but a deauthentication like this may also cause a client station to roam. Roaming requires passive and active scanning, which could add 1-3 seconds to the process. This additional time can easily disrupt many applications.

If the WLAN is using 802.1X/EAP and not using Opportunistic PMK Caching (not widely supported in client utilities), deauthentication can cause a disruption of 0.5 - 5 seconds depending on the specific EAP type in use, scanning processes, and the 4-way handshake. 802.1X/EAP authentication mechanisms are almost always deployed in enterprise WLANs. Any application that is latency sensitive will suffer dramatic problems when the client station is deauthenticated. File transfers, voice/video streams, thin-client sessions, and other real-time applications will often break when disrupted for more than 0.5 seconds.

The 802.11w amendment to the 802.11-2007 standard offers three new security pieces: Data Origin Authenticity, Replay Detection, and Management Frame Protection. The data origin authenticity mechanism defines a means by which a station that receives a management frame (such as a deauthentication frame) can determine which station transmitted the data or management frame. This feature is required to prevent an intruder from masquerading as an authorized station. The replay detection mechanism defines a means by which a station that receives a management frame from another station can detect whether the received frame is an unauthorized retransmission. Management frame protection is required to protect against forgery and eavesdropping on management frames such as Action, Disassociate, and Deauthenticate frames through the use of security keys.

Most of today's WLAN infrastructure systems do not support management frame protection, and until they do, deauthentication attacks will remain a significant security problem.
<<

bojan

Newbie
Newbie

Posts: 19

Joined: Wed Mar 26, 2008 2:03 am

Post Wed Mar 26, 2008 2:13 am

Re: Hacking: 802.11 Protocol Attacks, Deauthentication

I frgot to say this is my first post in EH-NET!!!
<<

bojan

Newbie
Newbie

Posts: 19

Joined: Wed Mar 26, 2008 2:03 am

Post Thu Mar 27, 2008 3:59 am

Re: Hacking: 802.11 Protocol Attacks, Deauthentication

but i want 2 ask which is more powerfull in this ddos area??

protocol attacks or a stronge botnet??????
<<

dean

Post Thu Mar 27, 2008 9:35 am

Re: Hacking: 802.11 Protocol Attacks, Deauthentication

I will assume that when you say 'protocol attacks' that you mean attacks against the management frames in the 802.11 protocol.

The excerpt you posted talks about the effect of deauth or auth attacks. It's trivial to run a sustained deauth flood on an AP or client effectively keeping them off the network. Note that this is an attack against the local (W)LAN.

A botnet is generally, although somewhat seldom now, going to be used to attack the internet facing presence of an organization. Depending on the size of the botnet and the type of DDoS employed this can be very effective in generating Gbits of traffic to the targets. Consider having a botnet of 100 machines each with only 56k of upstream bandwidth. If these are all directed to DoS a single target a simple SYN flood can cause a significant disruption in traffic.

So to answer your question they are both attacks against services using or abusing the protocols used for communications. They are different in that one can be done remotely and the other requires you to be within range of the AP or client. (and yes, this includes using an amplifier, antenna, etc...)

Is one more severe than the other? Well that depends on which service is more important to the organization.
dean
<<

bojan

Newbie
Newbie

Posts: 19

Joined: Wed Mar 26, 2008 2:03 am

Post Sat Mar 29, 2008 1:09 am

Re: Hacking: 802.11 Protocol Attacks, Deauthentication

Like Devinator says "Most of today's WLAN infrastructure systems do not support management frame protection" .

And that is because it is fairly new (about 4-5 months old ?).

So, maybe if you look at the Management Frame Protection project on ieee, you'll know what all management frame protection is targeting. Don't know if they have an RFC for Management Frame Protection. (Lazy to search .. just woke up  )

Deauthentication is just one type of frame that is shown in the video. But other frame types are certainly more destructive. A couple of the other frame types are mentioned in his paper. But not elaborated.

The best place to try all this would be your own SOHO WLAN or at home on that irate house mate that knows about ACLs and has equal access to the router config on a shared DSL connection
<<

bojan

Newbie
Newbie

Posts: 19

Joined: Wed Mar 26, 2008 2:03 am

Post Sat Mar 29, 2008 1:55 am

Re: Hacking: 802.11 Protocol Attacks, Deauthentication

A DDoS is possible, but with machines within the vicinity which is possible (if it is within the vicinity, there is a good chance that you actually own these machines), I mean .. what are the odds of finding loads of hosts and that too ones using 802.11 ..

What further reduces the chances is that most home pcs that use the 802.11 are behind a router/Nat which makes them useless for DDoS.

But using zombie hosts to launch a deauth ddos - well , the odds are almost close to zero.

And most ddos attacks usually use Syn or ack floods .. udp also sometimes.

Yea, and when people launch a ddos, they usually resolve you dns and hit any ip associated with it, coz they know once you get on an ip, your isp will null route that ip and will be willing to change your ip immediately.

One way to mess around with the skiddies is to point your dns to microsoft.com or cybercrime.gov when you are getting hit .. lol .. and it works a lot of times.

It is like re-routing their ddos to w/e ip you want to hit .


oh and yea .. if the owners of the WAPs or W gateways or w/e are using Wireless Intrusion Prev. Systems, (WIPS)s, then there is a good chance that they'll stop even the initial deauth attack.

holy shikeees .. google.com has a black back :P

Return to Malware

Who is online

Users browsing this forum: No registered users and 1 guest

Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software