Thursday, February 5, 2015

Disconnecting Wireless.

Devices that are connected to a wireless access point can be disconnected against the users' will.

This is called 'Denial of Service' (DoS) attack.

Methods include:

- Radio Frequency Jamming.

any high power radio-frequency electromagnetic wave emitter has capability to interfere with 802.11 standard networks (WiFi).

- CSMA/CA jamming.

anyone using a device with properly modified hardware driver software can interfere with 802.11 standard networks (WiFi).

CSMA/CA stands for Carrier Sense Multiple Access with Collision Avoidance, a protocol for wireless physical medium access that allows for 'collisionless' communication between many wireless network devices.

this protocol uses idea of a communication channel, different devices attempt to use different channels to avoid collisions in communication.

CSMA/CA jamming method is about sending noise data on multiple communication channels, basicly blocking each of the communication channels, making the devices that would use them otherwise wait for as long as the noise data is in the air.

- Deauthentication attack.

this attack is about sending signal to a wireless access point's client that deauthenticates user, making him/her go through authentication/authorization procedures again, reinitializing a wireless connection.

sending deauthentication signals constantly blocks user from using wireless network.

there's tool called aireplay-ng, part of aircrack-ng tool suite, that allows for this type of attack, but there are also other means.

command is as follows:

> aireplay-ng -0 0 -a 54-E6-FC-CC-2E-70 -c FF:FF:FF:FF:FF:FF mon0

where:
-0 : attack type.
  0 means deauthentication attack.
0 : number of repeats of an attack.
  here, 0 means infinity.
-a 54-E6-FC-CC-2E-70 : access point's LAN MAC address.
  there are at least two MAC addressess for access point: LAN & WAN MAC address.
  we've attacked using one of access point's LAN MAC addresses.
-c FF:FF:FF:FF:FF:FF : target of an attack's MAC address.
  FF:FF:FF:FF:FF:FF is special address, broadcast address that applies to all clients of our network.
mon0 : our network's card interface, choose the one that is in monitor mode.

sometimes we have to add additional parameter of: '--ignore-negative-one', when the network interface's channel can't be determined.


access point's & attacked device's MAC addresses can be read using airodump-ng tool.

command is as follows:

> airodump-ng mon0

where:
mon0 : our network's card interface,
  choose the one that is in monitor mode (see: 'Hacking Wireless' post for details).

BSSID field is access point's MAC address.
STATION field is client device's MAC address.

they can be read from lower part of airodump-ng's output.


No comments:

Post a Comment