The era of wireless connectivity gives flexibility and mobility, but also comes with security issues. In wired connectivity, the attacker needs physical access in order to connect and attack. In the case of wireless connectivity, an attacker just needs the availability of the signal to launch an attack.
In this article, I will discuss the deauthentication (deauth) attack, which is simple to mount but very serious. Even your neighbour's kid could make your life miserable by launching one, because it forces your device off the access point (AP) at will.
Before proceeding further, you will need to get familiar with some of the terminology we will use in this article.
Service Set Identifier (SSID): The name of a wireless local area network (WLAN), a string of up to 32 bytes (it need not be alphanumeric) that the AP advertises and that clients use to pick the network.
AP (Access Point): The device that bridges wireless clients onto the (usually wired) network.
BSSID: The MAC address of the AP's radio; it identifies the cell in 802.11 frames.
The concept behind the attack
So, why are these attacks made? Where, and typically, who attacks whom? The attack can be made by a penetration tester on a company's wireless network, if the company or organisation wishes to check the robustness of its own wireless security; the tester then reports the findings to the company. But some attackers mount such attacks simply to create a nuisance for users.
The connection between clients and APs is established by the exchange of various frames, as shown in Figure 1. The client first probes for available wireless APs; then a series of management frames is exchanged, such as the authentication and association request frames. A deauthentication frame is also a management frame, and in the original 802.11 standard management frames are neither authenticated nor encrypted, so anyone within radio range can forge one with the AP's or the client's address as source.
Launching the deauth attack
In order to launch the attack, I used the following:
- Kali Linux as the attacker
- Windows 7 as the victim
Kali Linux was installed in a VMware virtual machine with an Atheros-based USB wireless card passed through to it, and the VM successfully recognised the card. I then followed the steps given below to launch the attack.
Step 1. To know the name of the wireless card, I typed the command airmon-ng as shown in Figure 2.
The wireless cards name is wlan0.
Step 2. The next command, airmon-ng start wlan0, puts the card into monitor mode by creating a separate monitor interface, mon0, as shown in Figure 3 (newer aircrack-ng releases name this interface wlan0mon instead).
Step 3. I then typed iwlist wlan0 scanning as shown in Figure 4 to find out about all the APs in the vicinity.
In Figure 4, the important information, namely the MAC address (BSSID), channel number and ESSID of each AP, is highlighted in red rectangles.
Step 4. Next I locked mon0 to channel 1, the channel the target AP is on, using the command shown in Figure 5.
The result can be seen in Figure 6, where BSSID is the MAC address of the AP and STATION lists the wireless clients associated with it. I chose one victim: 88:53:2E:0A:75:3F.
Now its time to mount the attack!
Step 5. For the attack itself, I used aireplay-ng to inject the deauthentication frames.
The following command does the job:
Here's a description of the above command:
- -0 selects the deauthentication attack mode
- 10 is the count: how many bursts of deauthentication frames to send (0 means keep sending until stopped)
- -a is the BSSID (MAC address) of the AP
- -c is the MAC address of the client to be deauthenticated. The tool forges frames in both directions: the frames sent to the client carry the AP's MAC as source, and the frames sent to the AP carry the client's MAC as source, so the attacker's own MAC address never appears on the air.
Analysing the deauthentication attack
Figure 9 shows the packet flow. The first deauthentication frame appears to come from the victim's machine (its source address is spoofed by the attacker); the second deauthentication frame appears to come from the AP and is addressed to the victim. A local packet capture session was run in Wireshark on the attacker's machine to capture the frames it generated.
Who is behind the attack?
This attack is made at the data-link layer, which works with MAC addresses. The book Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet (Second Edition) by Eoghan Casey states that data-link layer addresses (MAC addresses) are more easily attributable than network layer addresses (e.g., IP addresses), because a MAC address is usually tied to the network interface card in a computer, whereas an IP address can easily be reassigned to a different computer. That reasoning breaks down here: in the Wireshark capture the source is the victim and the destination the AP, and vice versa, because both addresses were written by the attacker. The addresses in the capture therefore never identify the attacker, and attribution has to come from other evidence, such as locating the transmitter by signal strength.
So how do we detect the attack?
A deauthentication frame is sent by one station to another when it wishes to end their authenticated session. When I disconnected from the AP manually by restarting the AP three times, the capture showed three deauth frames, one per disconnect, as shown in Figure 10. With aireplay-ng I sent a count of just one, yet Wireshark captured 256 frames.
aireplay-ng's deauthentication mode sends 64 frames towards the client and 64 towards the AP for every count, so a count of one already means 128 forged frames on the air; the 256 frames in the capture are twice that figure, consistent with the attacker's 128 frames plus the traffic flowing the other way. Either way, a single count puts far more deauthentication frames on the air than any legitimate disconnect ever does, which is why this attack also falls into the category of a denial-of-service (DoS) attack.
That volume is the signature: a wireless intrusion detection system (WIDS) can raise an alarm when it sees a large number of deauthentication frames for one BSSID within a short window, far beyond the single frame a genuine disconnect produces.
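To make the frame forgery, the capture and the detection logic concrete, here is an added Python example; it is not from the article and not aircrack-ng's code. It builds the two spoofed deauthentication frames that aireplay-ng's -0 mode injects (64 per direction per count, which is the tool's documented behaviour), decodes them the way Wireshark's summary line does, and runs a sliding-window burst detector over a constructed capture that mixes three genuine disconnects with one attack count. The AP's BSSID 00:11:22:33:44:55 is an assumption (the article never gives it), the victim MAC is the one from the article, and the detector's threshold of 10 frames per second is an arbitrary choice.

```python
"""Added example: forge, decode and detect 802.11 deauthentication frames.
Assumed values: the AP BSSID below is made up; the 10-frames-per-second
detection threshold is arbitrary; 64 frames per direction per count is
aireplay-ng's documented behaviour."""
import struct
from collections import defaultdict

AP_BSSID = "00:11:22:33:44:55"     # assumed AP MAC, not from the article
VICTIM = "88:53:2E:0A:75:3F"       # client MAC chosen as victim in the article

FC_DEAUTH = 0x00C0   # frame control: version 0, type 0 (management), subtype 12 (deauth)
REASON_CLASS3 = 7    # "class 3 frame received from non-associated STA", the code aireplay-ng uses
REASON_LEAVING = 3   # "deauthenticated because sending STA is leaving", a genuine disconnect

HDR = "<HH6s6s6sH"   # FC, duration, addr1 (dst), addr2 (src), addr3 (BSSID), sequence control


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_deauth(src, dst, bssid, seq, reason=REASON_CLASS3):
    """One deauthentication frame: 24-byte management header plus a 2-byte reason code.
    Nothing in it is signed or encrypted, so any value can be written into src."""
    header = struct.pack(HDR, FC_DEAUTH, 0x013A, mac_bytes(dst), mac_bytes(src),
                         mac_bytes(bssid), (seq << 4) & 0xFFFF)   # duration value is arbitrary
    return header + struct.pack("<H", reason)


def parse_frame(raw):
    """Decode the header fields Wireshark shows in its summary line."""
    fc, _dur, a1, a2, a3, seqctl = struct.unpack_from(HDR, raw, 0)
    frame = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "dst": mac_str(a1),
        "src": mac_str(a2),
        "bssid": mac_str(a3),
        "seq": seqctl >> 4,
    }
    if frame["type"] == 0 and frame["subtype"] == 12:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame


def summarize(raw):
    """Wireshark-style one-liner; note that the attacker's own MAC never appears."""
    f = parse_frame(raw)
    kind = "Deauthentication" if (f["type"], f["subtype"]) == (0, 12) else f"type {f['type']}/subtype {f['subtype']}"
    return f"{f['src']} -> {f['dst']} {kind} reason={f.get('reason', '-')}"


def deauth_burst(ap, client, count=1, per_direction=64):
    """Frames equivalent to `aireplay-ng -0 <count> -a <ap> -c <client>`: per count,
    64 frames to the client spoofing the AP and 64 to the AP spoofing the client
    (the tool's exact interleaving is not important here)."""
    frames, seq = [], 0
    for _ in range(count):
        for _ in range(per_direction):
            frames.append(build_deauth(src=ap, dst=client, bssid=ap, seq=seq)); seq += 1
            frames.append(build_deauth(src=client, dst=ap, bssid=ap, seq=seq)); seq += 1
    return frames


def detect_deauth_flood(capture, window=1.0, threshold=10):
    """capture: list of (timestamp_seconds, raw_frame). Returns {bssid: peak} for every
    BSSID that saw at least `threshold` deauth frames inside any `window`-second span.
    A genuine disconnect produces one frame, so a burst is a clear anomaly."""
    times_by_bssid = defaultdict(list)
    for ts, raw in capture:
        f = parse_frame(raw)
        if f["type"] == 0 and f["subtype"] == 12:
            times_by_bssid[f["bssid"]].append(ts)
    alerts = {}
    for bssid, times in times_by_bssid.items():
        times.sort()
        start, peak = 0, 0
        for i, ts in enumerate(times):
            while times[start] < ts - window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts


def sample_capture(with_attack=True):
    """Constructed capture: three genuine disconnects a minute apart (the client tells
    the AP it is leaving), then optionally one aireplay-ng count of 128 forged frames
    inside 0.4 s."""
    capture = [(60.0 * i, build_deauth(VICTIM, AP_BSSID, AP_BSSID, seq=100 + i, reason=REASON_LEAVING))
               for i in range(3)]
    if with_attack:
        burst = deauth_burst(AP_BSSID, VICTIM, count=1)
        capture += [(200.0 + k * 0.003, raw) for k, raw in enumerate(burst)]
    return capture


if __name__ == "__main__":
    for ts, raw in sample_capture()[:5]:
        print(f"{ts:8.3f}  {summarize(raw)}")
    print("alerts:", detect_deauth_flood(sample_capture()))
```

Run it and the first five summary lines show only the victim and AP addresses, exactly what Figure 9 shows and why the capture alone cannot name the attacker; the detector then flags the AP's BSSID with a peak of 128 deauthentication frames in one second, while the three genuine disconnects on their own stay below the threshold. A real WIDS works on the same count-per-BSSID-per-window idea, reading frames from a monitor interface instead of a constructed list.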
At the user level, there is still no fool-proof way to prevent this attack on a network that leaves its management frames unprotected. At the organisation level, a WIPS/WIDS such as AirMagnet Enterprise can specifically detect these attacks and limit enterprise-wide damage. The standards-based fix is IEEE 802.11w, Protected Management Frames (PMF), which authenticates deauthentication and disassociation frames so that forged ones are dropped; it is optional in WPA2 and mandatory in WPA3, and it only helps when both the AP and the client support it and have it enabled.