Wireless connectivity has brought flexibility and freedom from cables, but that convenience carries its own security challenges. Attacking a wired network typically requires physical access to the medium; attacking a wireless network requires only being within range of the signal.
Given the rising incidence of cyber threats, it is worth understanding one of the most pervasive: the deauthentication attack. It is disturbingly simple, can be launched by anyone within signal reach, and forcibly disconnects a device from the network's access point (AP). Understanding it first requires a few terms:
* Service Set Identifier (SSID): the human-readable name of the wireless local area network (WLAN), up to 32 bytes long. It is a label, not a key, and offers no security on its own.
* Access Point (AP): the device that bridges wireless clients onto the network.
* BSSID: the MAC address of the AP's radio. It identifies one particular AP, whereas an SSID can be shared by several APs.
Why does this attack happen? Simply put, it is carried out either by a professional penetration tester probing the robustness of a company's wireless network, or by a malicious actor looking to disrupt users.
Understanding the dynamics of a deauthentication attack requires understanding how a client connects to an AP. After discovering the available APs (through beacons or probe requests), the client exchanges a sequence of management frames with the AP: an authentication request and response, then an association request and response. Only then does data flow. Deauthentication is itself a management frame that either side can send to tear the connection down, and in the original 802.11 design management frames carry no authentication of their sender. Any station that knows the AP's and the client's MAC addresses can therefore forge one.
To illustrate the mechanics of a deauthentication attack in action, I used Kali Linux as the attacker and a Windows 7 machine as the victim. Kali Linux ran in a VMware virtual machine with a USB wireless card attached, and the following steps were carried out:
1. The name of the wireless interface was determined by running 'airmon-ng' with no arguments, which lists the wireless interfaces and their drivers.
2. The card was put into monitor mode with 'airmon-ng start wlan0', which creates a monitor-mode interface named mon0 (newer aircrack-ng releases name it wlan0mon instead).
3. A scan for APs in range was run with 'iwlist wlan0 scanning'. The output shows, for each AP, its MAC address (BSSID), channel number and ESSID.
4. To lock mon0 to the AP's channel (channel 1 here), 'airodump-ng -c 1 mon0' was run. This leaves airodump-ng listing the AP and every station associated with it, which supplies the two MAC addresses the attack needs.
Finally, the deauthentication attack was launched with aireplay-ng: 'aireplay-ng -0 10 -a 84:1B:5E:50:C8:6E -c 88:53:2E:0A:75:3F mon0'. Breaking down the command:
* -0 selects deauthentication mode
* 10 is the number of deauth rounds to send (0 would send them continuously); each round is a burst of forged frames in both directions
* -a is the MAC address (BSSID) of the AP
* -c is the MAC address of the client being deauthenticated. aireplay-ng spoofs the source address of every frame it sends: frames aimed at the client carry the AP's address, and frames aimed at the AP carry the client's address, so the attacker's own MAC never appears on the air. Without -c, aireplay-ng sends broadcast deauthentication frames that knock every client off the AP.
The victim's machine experiences this as an abrupt disconnection from the network, a highly disruptive experience in the middle of ongoing work.
The attack can be analyzed by tracing the packet flow: first a deauthentication frame that appears to come from the victim's machine to the AP, then a second deauthentication frame that appears to come from the AP to the victim. Both are forged by the attacker. Because the source addresses are spoofed, nothing in the capture correlates the frames with the attacker's hardware, which is what makes the attack hard to trace.
Given the difficulty of tracing the attack, the key question is how to detect it. The answer lies in volume. Legitimate deauthentication is rare and sparse: restarting the AP three times produced three deauth frames, one per restart. By contrast, a single attack round (aireplay-ng count 1) produced 256 deauthentication frames in the Wireshark capture, because the tool sends bursts of frames in both directions, AP to client and client to AP.
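As an added example (not code from the original article or from the aircrack-ng project), the following Python builds the raw 802.11 deauthentication frames that the attack above puts on the air, forged in both directions as described, parses them back, and runs the volume heuristic just discussed over a constructed capture: three genuine deauths from AP restarts against one forged burst. The MAC addresses are the article's; the burst size of 64 frames per direction, the 1 ms spacing, the timestamps and the beacon stub are assumptions made for the example.

```python
"""Added example, not from the original article: forge, parse and rate-detect
802.11 deauthentication frames offline (no radio needed).
Assumptions: 64 frames per direction per burst, 1 ms spacing, timestamps."""
import struct
from collections import defaultdict

AP_MAC = "84:1b:5e:50:c8:6e"        # AP (BSSID) from the article
CLIENT_MAC = "88:53:2e:0a:75:3f"    # victim client from the article
REASON_CLASS3_NONASSOC = 7          # reason code commonly seen in forged deauths
REASON_STA_LEAVING = 3              # reason code for a genuine disconnect
DEAUTH_LEN = 26                     # fc(2) dur(2) addr1(6) addr2(6) addr3(6) seq(2) reason(2)
BEACON_STUB = struct.pack("<H", 0x0080) + bytes(22)   # type 0 subtype 8: must be ignored


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dst, src, bssid, seq, reason=REASON_CLASS3_NONASSOC):
    """Raw deauthentication frame as sent on the air (FCS omitted).
    Frame control 0x00c0 = protocol version 0, type 0 (management),
    subtype 12 (deauthentication), no flags. Nothing in the frame proves
    that 'src' really sent it, which is exactly what the attack relies on."""
    frame_control = struct.pack("<H", 0x00C0)
    duration = struct.pack("<H", 0)
    seq_ctrl = struct.pack("<H", (seq & 0x0FFF) << 4)   # fragment 0, 12-bit sequence
    return (frame_control + duration + mac_bytes(dst) + mac_bytes(src)
            + mac_bytes(bssid) + seq_ctrl + struct.pack("<H", reason))


def parse_deauth(frame):
    """Decode a deauth frame; return None for any other frame type."""
    if len(frame) < 2:
        return None
    fc = struct.unpack("<H", frame[:2])[0]
    if (fc & 0x00FF) != 0x00C0:       # version, type and subtype must all match
        return None
    if len(frame) < DEAUTH_LEN:
        raise ValueError("truncated deauthentication frame")
    seq_ctrl, reason = struct.unpack("<HH", frame[22:26])
    return {"dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "seq": seq_ctrl >> 4, "reason": reason}


def forged_burst(ap, client, per_direction, start_ts):
    """One aireplay-ng style round: deauths forged in both directions.
    The attacker's own MAC appears in none of them."""
    frames = []
    for i in range(per_direction):
        ts = start_ts + i * 0.001                                  # assumed spacing
        frames.append((ts, build_deauth(client, ap, ap, i)))       # "AP -> client"
        frames.append((ts, build_deauth(ap, client, ap, i)))       # "client -> AP"
    return frames


def deauth_rate_alerts(capture, window_s=1.0, threshold=10):
    """Sliding-window count of deauth frames per BSSID over (timestamp, frame)
    pairs. Returns {bssid: peak_count} for every BSSID whose count inside some
    window_s reaches threshold. Genuine disconnects arrive one at a time; a
    flood arrives by the dozen, with no attacker address to correlate."""
    per_bssid = defaultdict(list)
    for ts, raw in capture:
        info = parse_deauth(raw)
        if info is not None:
            per_bssid[info["bssid"]].append(ts)
    alerts = {}
    for bssid, stamps in per_bssid.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts


def legit_capture():
    """Constructed: AP restarted three times ~30 s apart, one genuine deauth
    per restart, plus a beacon that the parser must skip."""
    return [(t, build_deauth(CLIENT_MAC, AP_MAC, AP_MAC, n, REASON_STA_LEAVING))
            for n, t in enumerate((10.0, 40.0, 70.0))] + [(25.0, BEACON_STUB)]


def attack_capture():
    """Constructed: the legitimate traffic plus one forged round at t=50 s."""
    return legit_capture() + forged_burst(AP_MAC, CLIENT_MAC, 64, 50.0)


if __name__ == "__main__":
    print("restarts only:", deauth_rate_alerts(legit_capture()))   # {}
    print("with attack:  ", deauth_rate_alerts(attack_capture()))  # {'84:1b:5e:50:c8:6e': 128}
```

The window and threshold are the knobs a WIDS exposes; one second and ten frames separate the two constructed captures cleanly, but on a busy network with roaming clients the threshold should be tuned against a baseline of observed legitimate deauth rates. Note that the detector keys on the BSSID field, which the attacker must set correctly for the frames to work, rather than on the source address, which is always spoofed.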
High rates of deauthentication frames are exactly what a Wireless Intrusion Detection System (WIDS) alarms on, alerting the network owner. At the user level, prevention remains difficult. At the organizational level, a competent WIPS/WIDS such as AirMagnet Enterprise can detect these attacks and limit the damage. The structural fix is on the protocol side: 802.11w Protected Management Frames (PMF), mandatory in WPA3 and optional in WPA2, cryptographically protects deauthentication and disassociation frames so that a client or AP drops forged ones. It only helps when both the AP and the client's network interface card support and enable it, which is why older equipment remains exposed.
Source: Mohit Raj via Open Source For You
This article was updated in 2025 to reflect modern realities.