One moment you’re connected to the wireless network, and the next moment you’re disconnected. In this video, you’ll see a wireless disassociation attack in action and you’ll learn what you can do to prevent this attack from happening to you.
A wireless disassociation attack is a bad one. You’re wandering along under a wireless network, you’re using the network normally, and then suddenly the wireless network is gone. It’s simply not there anymore, and your device is now looking for another wireless network. And then maybe you gain access to your wireless network again, and then you drop off of the network again. It’s very difficult to stop a wireless disassociation attack. The only thing you can really do is to get a very long patch cable. And we’ll talk in a moment how there may be some other things you can do to help mitigate this issue as well. This is obviously a very significant denial-of-service attack, and in the right situation someone can keep you off the wireless network indefinitely.
So how is your system suddenly removing itself from the wireless network? Well, this all comes back to a series of management frames that are used on 802.11 network. These are the frames that are all running behind the scenes that connect you to the network, disconnect you from the network, and perform a number of other management functions. You never really see any of these frames going back and forth. It’s not something you can identify on your screen. It’s all happening behind the scenes on your wireless network. These management frames are important for the overall operation of your wireless network. You wouldn’t be able to use a wireless network without these frames. They’re used to help find an access point, connect to an access point, configure quality of service configurations, and many other requirements to be able to operate on that wireless network.
But here’s where we run into problems, especially when we’re considering these disassociation attacks. These management frames, at least in the original wireless standards, were not required to be encrypted. That means they’re sent in the clear across the network. There’s no protection of the data, and there’s no authentication of where this data is coming from. And that’s where the biggest problems occur when we look at disassociation attacks. Here, for example, is a single frame that is captured off a wireless network that is configured with encryption. But as you can see here, all of the important data about the SSID, the supported data rates, power capabilities, what channels are available, all of this information’s in the clear. It’s a management frame. And whenever we run into a disassociation attack, it’s because your access point is sending this information and allowing this information to be sent in the clear.
Let’s see what a disassociation attack looks like from the attacker’s point of view. If we look at my phone, I’m on the wireless network and we can see that my Wi-Fi address ends in 2 E Fox Delta. So it should be relatively easy to see this on a packet capture, which is exactly what we’re going to do. We’re going to run airodump, which is going to capture information from the wireless network, and it will show me the communication between the wireless access points and the other devices on this network. I can then begin to run a wireless disassociation attack now that I have this information. Let’s have a look at my phone. I’m on the network “pm,” and it’s sitting on the network just fine. I’m going to run an aireplay-ng command, which is going to send the disassociation frames. I’m going to first specify what the BSSID is of my wireless access point, and then I’m going to specify the station Mac address that ends in 2 E Fox Delta, and watch, when I hit Enter, how quickly, suddenly, the wireless network disappears. That wireless disassociation attack occurs instantly, and because I’m using this utility to constantly send those disassociation frames, my phone is not going to be able to connect again to this wireless network until I stop the disassociation attack. And only then can I connect back to the wireless network.