Wireless deauthentication or wireless disassociation can be used as a denial of service attack on wireless network devices. In this video, you’ll learn about wireless deauthentication, and I’ll demonstrate a deauthentication attack on my wireless network.
<< Previous Video: Spoofing Next: Brute Force Attacks >>
A wireless disassociation attack is a bad one. You’re wandering along on your wireless network, you’re using the network normally, and then suddenly the wireless network is gone. It’s simply not there anymore, and your device is now looking for another wireless network. And then maybe you gain access to your wireless network again, and then you drop off of the network again. It’s very difficult to stop a wireless disassociation attack.
The only thing you can really do is to get a very long patch cable. We’ll talk in a moment how there may be some other things you can do to help mitigate this issue as well. This is obviously a very significant denial-of-service attack. And in the right situation, someone can keep you off the wireless network indefinitely.
So how is your system suddenly removing itself from the wireless network? Well, this all comes back to a series of management frames that are used on 802.11 network. These are the frames that are all running behind the scenes that connect you to the network, disconnect you from the network, and perform a number of other management functions. You never really see any of these frames going back and forth. It’s not something you can identify on your screen. It’s all happening behind the scenes on your wireless network.
These management frames are important for the overall operation of your wireless network. You wouldn’t be able to use wireless network without these frames. They’re used to help find an access point, connect to an access point, configure quality of service configurations, and many other requirements to be able to operate on that wireless network.
But here’s where we run into problems, especially when we’re considering these disassociation attacks. These management frames, at least in the original wireless standards, were not required to be encrypted. That means they’re sent in the clear across the network, there is no protection of the data, and there’s no authentication of where this data is coming from. And that’s where the biggest problems occur when we look at disassociation attacks.
Here, for example, is a single frame that is captured off a wireless network that is configured with encryption. But as you can see here, all of the important data about the SSID, the supported data rates, power capabilities, what channels are available– all of this information’s in the clear. It’s a management frame. And whenever we run into a disassociation attack, it’s because your access point is sending this information and allowing this information to be sent in the clear.
Let’s see what a disassociation attack looks like from the attacker’s point of view. If we look at my phone, I’m on the wireless network and we can see that my Wi-Fi address ends in 2-E-Fox-Delta. So it should be relatively easy to see this on a packet capture, which is exactly what we’re going to do. We’re going to run airodump, which is going to capture information from the wireless network. And it will show me the communication between the wireless access points and the other devices on this network. I can then begin to run a wireless disassociation attack now that I have this information.
Let’s have a look at my phone. I’m on the network pm, and it’s sitting on the network just fine. I’m going to run an aireplay-ng command, which is going to send the disassociation frames. I’m going to first specify what the BSSID is of my wireless access point, and then I’m going to specify the station MAC address that ends in 2-E-Fox-Delta. And watch when I hit Enter, how quickly suddenly the wireless network disappears. That wireless disassociation attack occurs instantly. And because I’m using this utility to constantly send those disassociation frames, my phone is not going to be able to connect again to this wireless network until I stop the disassociation attack. And only then can I connect back to the wireless network.
As you can see, this deauthorization problem is a significant issue, and that’s why the IEEE has already made changes to the 802.11 specification. 802.11w, that was introduced in July of 2014, addressed this problem by making sure that certain management frames were now going to be encrypted across the wireless network. This means that frames that would disassociate, deauthenticate, switch between channels, and other import management frames would be protected from this type of attack.
But of course, some frames would still need to remain in the clear because you need access to those before device gains access to the encrypted wireless network. So frames such as beacons, probes, authentication frames, and association frames would still be sent in the clear over the wireless network. This update to 802.11 is required in 802.11ac. So you’ll see that this protection on deauthentication will be included with all wireless versions going forward.