Bring Down a Wireless Network - …storage.googleapis.com/wzukusers/user-19970024/documents/56c959bf...Completely bring down the operation of a wireless network ... From the menu on

CHAPTER 5

Bring Down a Wireless Network

5.1 Scope

In the previous chapter you have learned how to identify and profile a wireless network. This chapter is going to teach you how to disrupt or completely bring down the operation of a wireless network using attack techniques that are generally called Denial of Service attacks. A Denial of Service attack is a malicious attempt meant to shut down a computer or network making it inaccessible to its intended users. This is accomplished by flooding the target with high volumes of traffic or by sending special messages that can trigger a crash.

Using various attack techniques and tools, this chapter is going to demonstrate how you can:

Completely bring down the operation of a wireless network

Prevent connected clients from using the network resources

Kick out connected clients

Disrupt the normal bandwidth allocation

Avoid getting caught by Intrusion Detection Systems

5.2 Methodology Overview

Figure 5-1: Methodology overview for wireless DoS attacks

The methodology for causing a Denial of Service attack on a wireless network is divided into two distinct categories:

Resource exhaustion: This category involves techniques and tools that can cause a DoS attack to wireless networks by exhausting resources like the memory and CPU of the Access Point or the available bandwidth.

Protocol abuse: This category involves techniques and tools that can cause a DoS attack to wireless networks by altering protocol information in the transmitted frames.

5.3 Scenarios

In order to better understand each attack technique, various real-life scenarios will be presented in this chapter. Each scenario examines in detail the techniques, the tools and the benefits of different Denial of Service attack techniques. More specifically, the scenarios that will be examined are the following:

Scenario #1: Authentication Request Flooding attack

Scenario #2: Disassociation attack

Scenario #3: Deauthentication attack

Scenario #4: CTS attack

Scenario #5: Beacon Flooding attack

Required tools for executing the lab scenarios:

Scenario #1: airmon-ng, wireshark, MDK3
Scenario #2: airmon-ng, airodump-ng, wireshark, tcpreplay
Scenario #3: airmon-ng, wireshark, ghex, tcpreplay
Scenario #4: airmon-ng, wireshark, ghex, tcpreplay
Scenario #5: airmon-ng, wireshark, pico, MDK3

5.3.1 Scenario #1: Authentication Request Flooding

This Denial of Service scenario targets the heart of the wireless network directly, since it is launched against the Access Point. If by some means you manage to stop the Access Point from working, then the entire operation of the wireless network will collapse. The following figure (figure 5-2) shows the network topology and the attack phases of this lab scenario. The Access Point with MAC address ‘00-24-17-BA-7E-3B’ supports a wireless network with SSID ‘Target_Network’, and a legitimate client with MAC address ‘00-27-19-FF-F3-14’ is connected to it. As we are going to see, the DoS attack of this scenario does not use the SSID name of the wireless network, so it doesn’t matter whether it is broadcast or not. The attacker’s workstation from which the DoS attack will be launched has the MAC address ’00-C0-CA-54-DF-24’.

Figure 5-2: Lab topology and attack phases for lab scenario #1

The main idea behind the attack of this lab scenario is to flood the Access Point with several authentication requests. Every Access Point (and actually every computing system) has a finite number of connection requests it can handle. After this number is reached the system might:

stop accepting new connections (thus all new clients are denied access)

freeze (thus the connected clients cannot access the wireless network)

reboot in order to clean its physical memory

The main tool that we are going to use to implement this Denial of Service attack is mdk3. The four required steps to launch the attack are shown in the figure below (figure 5-3).

Figure 5-3: Action steps for Scenario #1

STEP 1: Initially we have to create a monitoring interface. The monitoring interface will be created using the airmon-ng tool. Open a Terminal Window and issue the following command:

sudo airmon-ng start wlan0

The airmon-ng tool replies with a success message (see figure 5-4) informing you about the successful creation of a new interface in monitor mode (mon0).

Figure 5-4: Creation of monitor interface using airmon-ng

STEP 2: After creating the monitoring interface we have to select the network against which we are going to launch the Denial of Service attack. In order to locate the target wireless network and find the MAC address of its Access Point we are going to use wireshark. In the open Terminal window issue the command:

sudo wireshark

From the menu on the top of the window select Capture Interfaces. The Capture Interfaces window opens (figure 5-5) and lists all the available system interfaces that can be used to capture packets.

Figure 5-5: Wireshark’s capture interface window

Press the Start button next to the mon0 interface to start sniffing wireless packets from the air. Wireshark presents in real time all the traffic that is being sniffed by the monitoring interface. To narrow down the results and instruct wireshark to capture and present in real time only beacon frames we are going to use a filtering expression. In the ‘Filter’ field located at the top of the main window type:

wlan.fc.type_subtype==0x08

Immediately wireshark starts presenting only beacon frames (figure 5-6). Scroll up and down at the results to locate the target Access Point (in our example the one with MAC address 00-24-17-BA-7E-3B).

Figure 5-6: Wireshark’s output using the beacon frames filter

Now change the filtering expression to the following and press ‘Enter’:

wlan.fc.type_subtype==0x0b

This filtering expression instructs wireshark to present in real time only authentication request frames. In the next step of this scenario this filtering expression will help you understand what exactly is going on behind the flooding attack.
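As an added example that is not part of the original chapter, the following Python code decodes the 802.11 frame control field and the three MAC addresses in the way the Wireshark filters above test them, so you can see why 0x08, 0x0b and 0x0c select beacon, authentication and deauthentication frames: wlan.fc.type_subtype packs the 2-bit frame type and the 4-bit subtype as (type << 4) | subtype. The sample frames are constructed here from the chapter's lab addresses, not captured, and build_header is a helper of this example only.

```python
"""Decode the 802.11 MAC header fields that the chapter's Wireshark display
filters test: wlan.fc.type_subtype, the ToDS/FromDS/Protected flags and the
three addresses of the generic 24-byte header."""
import struct
from dataclasses import dataclass

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}
# Management subtypes (frame type 0) that matter for this chapter.
MGMT_SUBTYPES = {
    0x0: "association request", 0x1: "association response",
    0x4: "probe request", 0x5: "probe response",
    0x8: "beacon", 0xA: "disassociation",
    0xB: "authentication", 0xC: "deauthentication",
}


@dataclass
class Dot11Header:
    frame_type: int
    subtype: int
    to_ds: bool
    from_ds: bool
    protected: bool
    addr1: str  # receiver
    addr2: str  # transmitter
    addr3: str  # BSSID for management frames
    seq_num: int

    @property
    def type_subtype(self) -> int:
        # Same packing Wireshark uses for the wlan.fc.type_subtype field.
        return (self.frame_type << 4) | self.subtype

    @property
    def name(self) -> str:
        if self.frame_type == 0:
            return MGMT_SUBTYPES.get(self.subtype, f"management/{self.subtype:#x}")
        return TYPE_NAMES[self.frame_type]


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def parse_dot11_header(frame: bytes) -> Dot11Header:
    """Parse the generic 24-byte MAC header (control frames are shorter and rejected)."""
    if len(frame) < 24:
        raise ValueError("frame too short for a 24-byte MAC header")
    fc0, fc1 = frame[0], frame[1]
    if fc0 & 0x03 != 0:
        raise ValueError("unsupported 802.11 protocol version")
    frame_type = (fc0 >> 2) & 0x03   # bits 2-3 of the first FC byte
    subtype = (fc0 >> 4) & 0x0F      # bits 4-7 of the first FC byte
    if frame_type == 1:
        raise ValueError("control frames do not carry the 3-address header")
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    return Dot11Header(
        frame_type=frame_type, subtype=subtype,
        to_ds=bool(fc1 & 0x01), from_ds=bool(fc1 & 0x02),
        protected=bool(fc1 & 0x40),
        addr1=_mac(frame[4:10]), addr2=_mac(frame[10:16]), addr3=_mac(frame[16:22]),
        seq_num=seq_ctrl >> 4,       # low 4 bits are the fragment number
    )


def matches_type_subtype(frame: bytes, value: int) -> bool:
    """Equivalent of the display filter 'wlan.fc.type_subtype == value'."""
    return parse_dot11_header(frame).type_subtype == value


def build_header(fc0: int, addr1: str, addr2: str, addr3: str, seq: int = 0, flags: int = 0) -> bytes:
    """Helper of this example: assemble a 24-byte header for constructed test input."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))
    return bytes([fc0, flags]) + b"\x00\x00" + mac(addr1) + mac(addr2) + mac(addr3) + struct.pack("<H", seq << 4)


AP = "00:24:17:BA:7E:3B"        # lab Access Point from the chapter
CLIENT = "00:27:19:FF:F3:14"    # lab client from the chapter
BCAST = "FF:FF:FF:FF:FF:FF"

# Constructed sample frames (not captured traffic).
BEACON = build_header(0x80, BCAST, AP, AP, seq=1)            # type 0, subtype 8
AUTH_REQ = build_header(0xB0, AP, CLIENT, AP, seq=2)         # type 0, subtype 11
DEAUTH = build_header(0xC0, BCAST, AP, AP, seq=3)            # type 0, subtype 12
QOS_DATA = build_header(0x88, AP, CLIENT, AP, seq=4, flags=0x41)  # type 2, subtype 8, ToDS+Protected

if __name__ == "__main__":
    for f in (BEACON, AUTH_REQ, DEAUTH, QOS_DATA):
        h = parse_dot11_header(f)
        print(f"type_subtype={h.type_subtype:#04x} {h.name:18} {h.addr2} -> {h.addr1} protected={h.protected}")
```

Note that 0x0b matches every authentication frame, requests and responses alike; when watching the flood in the next step, the direction is visible in the addresses (addr1 is the Access Point for the requests).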

STEP 3: In order to perform a successful attack against a wireless network it is good practice to put the WNIC of your attacking machine on the same channel as the target Access Point. In this lab scenario the Access Point operates on channel 1, so open a Terminal window and issue the commands below in the following order:

sudo ifconfig wlan0 down (shuts down the WNIC interface)

sudo iwconfig wlan0 channel 1 (changes the channel of the WNIC)

sudo ifconfig wlan0 up (enables the WNIC interface)

STEP 4: The final step of this lab scenario, which is actually the real Denial of Service attack, is to launch mdk3 and use its ability to transmit multiple authentication requests to an Access Point. More specifically, mdk3 can transmit authentication requests using randomly selected source MAC addresses, causing the Access Point to stop accepting new wireless traffic or to crash completely. Since the source MAC addresses of the transmitted authentication request frames are random, your real MAC address is not exposed.

Open a Terminal window and type the following command:

sudo mdk3 mon0 a -a 00:24:17:BA:7E:3B

mon0: interface to be used
a: enable Authentication DoS mode
-a 00:24:17:BA:7E:3B: MAC address of the Access Point

The mdk3 tool changes to DoS mode and starts transmitting multiple authentication request frames to the Access Point (figure 5-7). Every 500 authentication request frames it displays a message about the status of the Access Point (AP seems to be INVULNERABLE). A few seconds later the Access Point becomes unresponsive and usually, after 70,000 – 80,000 frames, crashes and reboots. In reality, as you are going to see in your lab scenarios, although the Access Point might be in the process of rebooting, the mdk3 tool keeps reporting that the device is functional and continues to send thousands of authentication request frames.

Figure 5-7: Mdk3 authentication request flooding

During the attack, if you check Wireshark’s output you will see that the Access Point of our scenario receives a burst of authentication request frames from randomly selected MAC addresses.

Figure 5-8: Wireshark’s output for mdk3 authentication request flooding (callout: random source MAC addresses)

Attention

This Denial of Service attack can be detected by Wireless Intrusion Detection Systems

Always remember that wireless Denial of Service attacks are active attacks, meaning that you are transmitting malicious frames that can be detected by an intrusion detection system or simply by a network sniffing tool like wireshark. Using the presented attacking technique you are protecting the real identity of your system by not exposing its real MAC address.

5.3.2 Scenario #2: Deauthentication Attack

The Denial of Service attack that will be presented in this lab scenario targets the connected clients of a wireless network. The lab topology (figure 5-9) is similar to the previous scenario. The Access Point with MAC address ‘00-24-17-BA-7E-3B’ supports a wireless network with SSID ‘Target_Network’. Legitimate clients are connected to this wireless network and are browsing the Internet. The MAC addresses of two connected wireless clients are ‘00-27-19-FF-F3-14’ and ‘5C:E8:EB:79:50:71’. The attacker’s workstation from where the Denial of Service attack will be launched has the MAC address ’00-C0-CA-54-DF-24’.

Figure 5-9: Lab topology and attack phases for lab scenario #2

This type of Denial of Service attack works by sending deauthentication frames to the connected clients of the target wireless network on behalf of the Access Point. When a connected client receives this type of wireless frame from the Access Point, it is obliged by the 802.11 standard to disconnect immediately from the network. Abusing this property can lead to a large scale Denial of Service attack. Someone might think ‘If the client is using encrypted communications with the Access Point, how can you send a message without knowing the encryption key?’. Well, you don’t have to know the key, since management frames according to the 802.11 standard are transmitted unencrypted! So no matter whether encryption is used, you can sniff, copy, edit and retransmit the management frame of your choice. The main tool that we are going to use in this lab scenario is aireplay-ng. The required steps for successfully implementing the DoS attack are shown below (figure 5-10):

Figure 5-10: Action steps for Scenario #2

STEP 1: To create a monitoring interface use the airmon-ng tool. Open a Terminal Window and issue the following command:

sudo airmon-ng start wlan0

The airmon-ng tool replies with a success message (see figure 5-11) informing you about the successful creation of a new interface in monitor mode (mon0).

Figure 5-11: Creation of monitor interface using airmon-ng

STEP 2: After creating the monitor interface (mon0) it is time to locate the wireless network against which we are going to launch the Denial of Service attack. Open a Terminal window and issue the command:

sudo airodump-ng mon0

Airodump-ng hops between channels and presents in real time the available wireless networks together with the list of connected clients. The wireless network of our lab scenario is the one with MAC address 00:24:17:BA:7E:3B so in order to narrow down the presented information type the following command:

sudo airodump-ng --bssid 00:24:17:BA:7E:3B mon0

This command includes the --bssid parameter which, as we have already seen in the previous chapter, instructs airodump-ng to monitor only communications from a specific Access Point. In our case the output of airodump-ng is the following (figure 5-12):

Figure 5-12: Airodump-ng output for the target wireless network

From the above output we have identified that the wireless network of this lab scenario operates in channel 1 and has two connected clients.

STEP 3: As we have already mentioned, in order to perform a successful attack against a wireless network it is good practice to always put the WNIC of your attacking machine on the same channel as the target Access Point. In this lab scenario the Access Point operates on channel 1, so open a Terminal window and issue the commands below in the following order:

sudo ifconfig wlan0 down (shuts down the WNIC interface)

sudo iwconfig wlan0 channel 1 (changes the channel of the WNIC)

sudo ifconfig wlan0 up (enables the WNIC interface)

STEP 4: The final step of this scenario is to launch the Denial of Service attack against the selected wireless network. Before that, let’s open wireshark and configure it with the appropriate filter so that it presents deauthentication frames in real time (you can perform the attack without opening wireshark, but it is great for understanding what really happens in the background). Open a Terminal window and type the following command:

sudo wireshark

Go to the menu on the top of the window and select Capture Interfaces. The Capture Interfaces window opens (figure 5-13) and lists all the available system interfaces that can be used to capture packets.

Figure 5-13: Wireshark’s capture interface window

Press the Start button next to the mon0 interface to start sniffing wireless packets from the air. Wireshark presents in real time all the traffic that is being sniffed by the monitoring interface. To narrow down the results and instruct wireshark to capture and present in real time only deauthentication frames we are going to use a filtering expression. In the ‘Filter’ field located at the top of the main window type:

wlan.fc.type_subtype==0x0c

In order to launch the Deauthentication attack we are going to use aireplay-ng. This tool is part of the aircrack-ng suite and has the ability to transmit deauthentication frames on behalf of an Access Point. Open a Terminal window and issue the following command (don’t forget to add --ignore-negative-one if it doesn’t work):

sudo aireplay-ng -0 10 -a 00:24:17:BA:7E:3B mon0

-0 10: send 10 deauthentication frames
-a 00:24:17:BA:7E:3B: MAC address of the Access Point
mon0: interface to be used

The aireplay-ng tool transmits 10 deauthentication frames to every listening wireless client using as source MAC address the one of the Access Point (figure 5-14):

Figure 5-14: Aireplay-ng sending deauthentication frames

At the same time, if you change back to the wireshark screen you will see the deauthentication frames that the Access Point broadcasts (meaning that the destination MAC address is FF:FF:FF:FF:FF:FF). In reality, as we explained, it is not the Access Point transmitting these frames but the attacker’s machine using the Access Point’s MAC address (this is called spoofing).

Figure 5-15: Wireshark output for aireplay-ng sending deauthentication frames

The wireless clients that received these deauthentication frames will immediately disconnect from the wireless network. So you managed to disconnect everybody from the network, thus causing a Denial of Service event. Since the clients will try to connect back to the wireless network, you can remove the number ‘10’ from the last command and aireplay-ng will keep sending deauthentication frames forever. In this way the clients will keep connecting to and disconnecting from the wireless network.

Attention

This Denial of Service attack can be detected by Wireless Intrusion Detection Systems

In case we want to disconnect a specific client and not the entire network (thus implementing a small scale Denial of Service attack), we can modify the aireplay-ng command to target only that client. From the airodump-ng output (figure 5-12) we can see that at the moment two clients are connected to the target wireless network. Let’s select one of them (MAC address 5C:E8:EB:79:50:71) and send the deauthentication frames using the command below:

sudo aireplay-ng -0 10 -a 00:24:17:BA:7E:3B -c 5C:E8:EB:79:50:71 mon0

-0 10: send 10 deauthentication frames
-a 00:24:17:BA:7E:3B: MAC address of the Access Point
-c 5C:E8:EB:79:50:71: MAC address of the connected client
mon0: interface to be used

The aireplay-ng tool sends 10 deauthentication frames only to the specified MAC address (figure 5-16). The result of this attack is to disconnect the client from the wireless network. As in the previous example, if you don’t specify the number of deauthentication frames then aireplay-ng will keep sending them forever, thus causing a permanent Denial of Service event for the wireless client.

Figure 5-16: Aireplay-ng sending deauthentication frames

At the same time, if you check Wireshark’s GUI you will see that this time the deauthentication frames are not destined to everybody (broadcast address) but only to the wireless client with MAC address 5C:E8:EB:79:50:71.

Figure 5-17: Wireshark output for aireplay-ng sending deauthentication frames