1 / 28

Attacking a Wireless Network via De-authentication

Attacking a Wireless Network via De-authentication. by Dou Wang, Jiaying Shi, Ying Chen School of Computer Science University of Windsor November 2007. Contents. Introduction Related Works Our Experiment De-authentication attack of Denial of Service Intrusion Detection System

priscilla-mays
Download Presentation

Attacking a Wireless Network via De-authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Attacking a Wireless Network via De-authentication by Dou Wang, Jiaying Shi, Ying Chen School of Computer Science University of Windsor November 2007

  2. Contents • Introduction • Related Works • Our Experiment • De-authentication attack of Denial of Service • Intrusion Detection System • Conclusion

  3. Introduction • Wireless Local Area Network (WLAN) • A network connection not requiring wired Ethernet connection, is based on radio waves technology. • Operating standard -- 802.11 standard. • flexible setup • access mobility • low cost • easy to deploy

  4. Introduction • Passive attacks focus on sniffing data sent on wireless signal. • Active attacks destroy the availability of the wireless networking infrastructure, or slow network performance.

  5. Introduction • Open Systems Interconnection (OSI) • Application Layer • Presentation Layer • Session Layer • Transport Layer • Network Layer • Data Link Layer • Physical Layer

  6. Introduction • 802.11 protocol • Data Link Layer • Medium Access Control (MAC) sub-layer determines the way to send data and access the wireless medium. • Logical Link Control (LLC) sub-layeris responsible for the MAC addressing, framing, and error control. • Physical Layer takes care of transmitting raw bits through a communication channel.

  7. Introduction • 802.11 network configuration Figure 1: Infrastructure Network and Ad Hoc Network

  8. Related works • Denial of Service A denial of service is “any action, or series of actions, that prevents any part of a system, or its resources, from functioning in accordance with its intended purpose”. Denial of service is the absence of availability. [2]

  9. Related works • Resource allocation attacks makes the victim out of service temporarily by keeping sending association flood or authentication flood. The service will be restored to be normal once the resource allocation attack stops. • Resource destruction attacks disconnects the victim out of the network by exploiting vulnerabilities. The connection will be not restored immediately even though the attack stops.

  10. Experiment 1. Authentication 1. Disassociation 2. Association 2. Deauthentication Disconnected! Connectionestablished!

  11. Experiment Image from http://www.caip.rutgers.edu/~marsic/books/WN/book-WN_marsic.pdf

  12. Experiment

  13. Experiment • Key software • Redhat Linux 9 with Kernel 2.4.20-8 • Hostap 0.0.4 • Void11 0.2.0 • Kismet 2006-04-R1 • Snort-wireless 2.4.3 with wireless patch

  14. Experiment • Attacker Laptop: • Toshiba Satellite M30 Laptop • Hardware: Intel M 2.0GHz, RAM 512MB, 40GB Partition, SMC EliteConnection 2.4GHz 802.11b SMC2532W-B • Software: Redhat Linux 9, kernel 2.4.20-8, Hostap 0.0.4, Void11 0.2.0 • Role in the project: Attacker • MAC: 00-04-e2-81-75-78 • IP Address: none

  15. Experiment • Intrusion Detetion Laptop • IBM Thinkpad R50 • Hardware: 1829-5GC, Intel M 1.5GHz, RAM 256MB, 10GB Partition, SMC EliteConnection 2.4GHz 802.11b SMC2532W-B • Software: Redhat Linux 9, Kernel 2.4.20-8, Hostap 0.0.4, Kismet 2006.04.R1, Snort-wireless 2.4.3 Alpha 04 (Build 26) • Role in the project: Sniffer, Intrusion Detection, frame capture • MAC: 00-04-e2-91-78-07 • IP Address: 192.168.1.162

  16. Experiment • Victim Laptop • ASUS M3NP Laptop • Hardware: Intel M 2.0GHz, RAM 1GB, 80GB Partition, NETGEAR Wireless PC Card 32-bit CardBus WG511 • Software: Windows 2003 Server, Microsoft IIS • Role in the project: Victim • MAC: 00-09-5b-83-f8-9c • IP Address: 192.168.1.101

  17. Experiment • Service Requestor • IBM Thinkpad T61 • Hardware: 7662-CT0, Intel Core 2 Duo 2.2GHz, RAM 2GB, 100GB Partition, Intel 8459 AGN Wireless NIC • Software: Windows Vista Home Edition • Role in the project: Service Requestor, test for DoS • IP Address: 192.168.1.103

  18. Experiment • Access Point & NICs (our heroes) • Wireless Access Point • 802.11g/2.4GHz Wireless Router D-Link DI-524 • MAC Address: 00:11:95:75:23:9A • IP Address: 192.168.1.3 • SSID: wang1124

  19. Experiment • Attacking Tool: void11 based on hostap • IDS Tool: kismet based on hostap • Analysis Tool: snort-wireless

  20. Experiment • Assumptions: • Attacker has root privilege on that laptop • Attacker knows the MAC addresses of both AP and victim • The wireless network is based on 802.11b protocol

  21. Experiment • Attacking #void11-penetration wlan0 –t 1 –s 00:09:5b:83:f8:9c –B 00:11:95:75:23:9a –d 1000

  22. Experiment • Attacking – cont’ #void11-penetration wlan0 –t 1 –s 00:09:5b:83:f8:9c –B 00:11:95:75:23:9a –d 120000

  23. Experiment • Sniffing

  24. Experiment • Analysis Result =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 10/30-22:09:48.627250 Deauthent. 0:9:5B:83:F8:9C -> 0:11:95:75:23:9A bssid: 0:9:5B:83:F8:9C Flags: Re 0x0000: C0 08 3A 01 00 11 95 75 23 9A 00 09 5B 83 F8 9C ..:....u#...[... 0x0010: 00 09 5B 83 F8 9C 80 4E 02 00 ..[....N.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 10/30-22:09:48.650280 Deauthent. 0:9:5B:83:F8:9C -> 0:11:95:75:23:9A bssid: 0:9:5B:83:F8:9C Flags: 0x0000: C0 00 3A 01 00 11 95 75 23 9A 00 09 5B 83 F8 9C ..:....u#...[... 0x0010: 00 09 5B 83 F8 9C A0 4E 02 00 ..[....N.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

  25. Conclusions • Simulate wireless attack on data-link layer by generating control frames to perform de-authentication flood to a single target. • Intrusion Detection System is able to detect out the attack and capture the packets. • The attack and detection tools are based on Prism Chipset wireless network cards, hostap need to be installed on Linux kernel 2.4.x. • Different rate (frame per second/millisecond) of attack can cause different scenarios, higher rate of attack can cause the access point remove the MAC address of victim computer from its cache immediately. • D-Link DI524 has self-protection from association flood and authentication flood.

  26. Acknowledgement • Yufei Xu, Da Teng and Xin Wu • Dr. Akshai Aggarwal • IT Service staff

  27. References • [1] Allison H. Scogin, “Disabling a Wireless Network via Denial of Service”, Technical Report MSU-070424. • [2] S. Harris, CISSP Certification, 2nd Edition, McGraw-Hill/Osborne, Emeryville, CA, 2003, p. 873. • [3] Basic Digital Forensic Investigation Concepts, http://www.digitalevidence. org/di_basics.html (current Mar 1, 2007). • [4] M. S. Gast, 802.11 Wireless Networks: The Definitive Guide, 2nd Edition, O’Reilly Media, Inc., Sebastopol, California, 2005. • [5] R. Power, “2000 CSI/FBI Computer Crime and Security Survey,” Computer • Security Journal, vol. 16, no. 2, 2000, pp. 33-49. • [6] A. S. Tanenbaum, Computer Networks, 4th Edition, Prentice Hall, Upper Saddle River, New Jersey, 2003. • [7] http://salis.iisc.ernet.in/soho/hostap_documentation1.htm, 2007 for hostap installation • [8]http://www.wirelessdefence.org/Contents/Void11Installation.htm, 2007 for void11 installation

  28. ?

More Related