Hacking Wireless Networks (2015)
Part III: Advanced Wi-Fi Hacks
Chapter 13: Denial-of-Service Attacks
In This Chapter
• Exploring 802.11 weaknesses that lead to DoS exposure
• Understanding what DoS attacks can do to your wireless devices
• Investigating hacker tools that can create DoS conditions
• Understanding what DoS attacks look like
• Performing various DoS attacks to test your systems
• Preventing DoS attacks with countermeasures
Imagine experiencing all of the following scenarios simultaneously:
• You’re trying to finish a presentation you have to give in 30 minutes.
• You’re on a conference call you were forced to participate in at the last minute.
• Your other office phone line is ringing.
• Your cell phone is jamming out “Another One Bites the Dust,” signifying yet another call from an agitated user.
• Your organizer software is alerting you of a meeting you’re about to miss.
• Someone’s waiting outside your cubicle with a delivery.
• Your PDA has vibrated itself out of its cradle and onto the floor from all the e-mail alerts you’re getting from your firewall.
• Your computer crashes with a Blue Screen of Death, just before you have any chance to save your PowerPoint file.
• Your colleague in the next cubicle is asking you a question.
• The building fire alarm starts going off.
This may be the closest you’ll get to experiencing a personal denial-of-service (DoS) attack. In other words, an “attack” in which an overwhelming number of circumstances, most of which are beyond your control, prevent you from focusing on the task at hand and getting your work done.
DoS attacks against your wireless network aren’t much different. In essence, they send a horde of malicious network requests — or overload the airwaves and wireless systems with junk traffic — preventing legitimate requests from being addressed. This Achilles heel of wireless networks can affect your systems in ways you may have never imagined, leaving your systems completely defenseless. No mystery that DoS attacks just happened to fall into the “Number 13” bad-luck chapter.
Many of the recent, highly publicized hacker attacks against popular Web sites and e-commerce companies have been DoS attacks. These were carefully crafted attacks — often utilizing thousands of compromised systems — that were able to bring down Web servers from across the Internet. It’s worth noting, however, that such attacks are not all that common against wired networks; that’s because they typically require a high level of skill and planning to carry out. With DoS attacks against wireless networks, however, we’re not so lucky — ordinary levels of hacker competence can produce way too much network mayhem.
Most network DoS attacks are performed out of pure malice — and often for the fun of it — but sometimes they’re performed for competitive or political purposes. Often these attacks aim to further penetrate a network or force an administrator to try different security mechanisms (or none at all) — even while troubleshooting and trying to find out why signals and systems are dropping like flies. The typical motivation, however, is more basic — to take network service away from others and keep them from doing what they need to do.
Here’s where the notorious vulnerabilities of the IEEE 802.11 specifications (gruesomely detailed in Chapter 12) come into play. 802.11-based systems — including wireless clients, access points, and the entire radio spectrum they operate over — can be completely compromised in a much simpler fashion.
All it takes is a few basic tools and minimal know-how to perform some wicked DoS attacks against wireless systems — not necessarily what you bargained for when you implemented your way-cool and convenient wireless network.
There are two main reasons that 802.11-based wireless systems are vulnerable to DoS attacks:
• Lack of frame authentication in 802.11 management frames such as beacons, association requests, and probe responses. The functionality inherent in the MAC layer of an 802.11-based network is all about access: It allows wireless systems to discover, join, and basically roam free on the network, completely exposed to the elements. This implicit trust among wireless systems makes it easy for attackers to spoof legitimate devices and bring down individual hosts — or even an entire wireless network — all at once.
• Lack of physical boundaries for radio waves. Radio is everywhere, and can come from anywhere. This makes attacks simpler and reduces the likelihood that an attacker will get caught. Additionally, APs and other wireless infrastructure equipment are often exposed in easy-to-access areas where they’re more susceptible to tampering and theft.
You can easily create self-inflicted DoS conditions on your systems when you test for such vulnerabilities. Running the wrong tools — or the right tools without understanding (and being prepared for) their consequences — can crash your wireless network or cause your data to be corrupted or compromised. Such “results” are certainly one quick way to get on the bad side of a lot of people. Be careful when you use any of the tools we mention or demonstrate in this chapter, starting with this rule: Always test your tools on non-production systems first if you’re not sure how to use them. Such precautions help prevent DoS conditions that could disrupt your live systems.
Given the danger involved in performing DoS tests against your own systems, this chapter will be a little different from other ones in this book: It’s more about attack education than attack demonstration. We outline the various types of DoS attacks against wireless networks, and then show you what some DoS tools can do if you choose to perform such attacks against your systems.
What Can Happen
Denial of Service attacks do just that — deny service. They prevent legitimate wireless users and systems from performing typical tasks such as
• Connecting to the wireless network
• Staying connected to the wireless network
• Serving up various network requests
• Managing network communications
Obviously, disruption of these types of network services can wreak havoc on usability — and can even threaten data integrity.
Types of DoS attacks
DoS attacks can come at various levels within a wireless network. They can impact radio signals, network protocols, and even wireless applications.
Signals can be jammed, wireless devices can be spoofed so the bad guys can perform malicious acts, and APs can be overloaded. In addition, if vulnerable APs and ad-hoc clients are located behind the network firewall and are attacked or somehow compromised, there’s a chance that the wired network can be negatively affected.
Wireless attackers can even take advantage of vulnerabilities in the power-saving features of client computers. Here are some typical gambits:
• Tricking an AP into thinking that a specified client is going to sleep — when it’s not — which stops the client from transmitting and receiving packets.
• Spoofing a wireless client to make an AP think that a client has awakened from its power-saving sleep — when it hasn’t. The AP thinks the client is ready to receive packets that have queued up to wait for its attention, and sends the packets. Result: traffic jam.
• Forcing a wireless client to stay asleep — which keeps it from communicating on the network.
• Preventing a wireless client from going to sleep — potentially causing its battery to run down prematurely.
Two highly popular attacks that could be categorized as denying service — hijacking and MITM attacks — come at the network level. (These are covered in Chapter 12.) DoS attacks can even be accomplished by exploiting the weaknesses in encryption and authentication algorithms such as WEP and WPA. We cover these attacks in Chapters 14 and 15, respectively.
It’s so easy
DoS attacks, especially those that come at the RF level — riding the radio beam in — are ridiculously easy to carry out for several reasons:
• Physically separating potential attackers from the radio waves they’re trying to use can be very difficult and costly.
• Unlike military and other custom wireless applications, commercial applications are quite commonplace. The bad guys have the same commercial equipment we do.
• An attacker can increase the DoS capabilities of a rogue system simply by increasing the RF transmitting power.
• The 802.11 wireless protocols were designed for usability and compatibility — not necessarily to protect against DoS attacks.
Unfortunately, the defenses for DoS attacks are few and far between. It really pays to be proactive and understand what can happen and, if you so desire, perform your own DoS testing to see how vulnerable your systems are before a problem occurs.
DoS attacks against wireless systems are not only difficult to prevent but hard to trace; it can be next to impossible to determine where the attacks are coming from. This is why you’ve got to slip into the mindset of the attacker and test your own systems, or at least implement reasonable countermeasures to keep the predators at bay.
Before you start regretting ever venturing into the wireless arena, keep in mind that many DoS attacks are purely theoretical (less practical) in nature and have no supporting tools and no confirmed existence in the real world.
We don’t mean that DoS attacks on wireless networks shouldn’t be taken seriously; we’re just saying the picture is not as bleak as many make it out to be.
Accordingly, we’ll stick to the more practical DoS attacks and tests in this chapter. Let’s jump right into things.
We Be Jamming
As you might expect, a major type of DoS attack that wireless networks are susceptible to is RF jamming. Wireless network signals can be disrupted and prevented from doing their work (jammed) when another radio signal operates in the same or a nearby frequency range. The normal ranges for 802.11-based network communications are 2.4 GHz (for 802.11b and g) or 5 GHz (for 802.11a). A high-powered rogue signal can interfere with — or overpower — the network’s existing radio transmissions. Technically, the Queensland Attack covered in Chapter 12 could be considered a type of jamming attack as well as a DoS attack.
Wireless networks are very sensitive to jamming because of their low-power operation and the relatively narrow bandwidth (22 MHz per channel) they use to communicate. Depending on the power of an incoming rogue signal, jamming and other RF interference can cause your systems to drop a few packets here and there — or create complete communications breakdown. Both effects can be equally disruptive.
Unlike 802.11b and g networks, which use the crowded ISM band, 802.11a equipment is much less susceptible to jamming caused by interference from other devices because it runs in the 5 GHz frequency range.
RF jamming can occur unintentionally from nearby equipment. It can also occur maliciously by an attacker with an RF jammer, a wireless laptop with a high-powered NIC such as the 300 mW PC Card NIC sold by Demarch Technology Group (www.demarctech.com), or even a high-powered AP. A high-gain or directional antenna that can boost the attacker’s signals can wreak greater havoc. This will not only increase the power output but will also provide the added benefit of physical distance between the attacker and the system she’s jamming.
RF jamming can force wireless clients to roam the available frequencies, searching for an alternate access point to communicate with — and they may find one on somebody else’s available wireless network. When a client finds an alternate AP, it may inadvertently authenticate and associate to one of your own APs — or (worse) to a rogue AP that the attacker has set up. We talk more about this type of commandeering in Chapter 12.
Common signal interrupters
Various types of radio-transmission devices can disrupt 802.11-based wireless networks — especially 802.11b and g systems that operate in the ISM band.
The interesting thing is that many such troublesome devices are common everyday electronics present in our offices and homes — these, for instance:
• 2.4 GHz cordless phones
• Wireless security cameras
• Bluetooth systems
• Baby monitors
• Microwave ovens
• Radio power generators (more on these below)
• X-10 home automation equipment
The reason that these devices are all here in the 2.4 GHz spectrum is that these are all low-powered RF devices that can be operated without the owner or operator requiring a license from the Federal Communications Commission (FCC). All of these devices are capable of causing wireless-network disruption that can lead to intermittent network connectivity or (worse) self-inflicted DoS attacks that you didn’t intend to create.
What jamming looks like
Before we get too far into jamming attacks, it makes sense to show you what RF interference actually looks like when it’s happening.
Figure 13-1 shows what a strong 802.11b signal looks like in NetStumbler’s Channel view. Note that although this is not a true RF spectrum analyzer (which can show detailed radio-frequency information), we can still see the signal disruption taking place. The tall and even bars shown in the figure represent a strong and continuous signal.
Figure 13-1: Strong wireless signal experiencing no interference.
Figure 13-2 shows an 802.11b signal that’s experiencing some random noise and signal loss. Notice the signal profile: It’s degraded and choppy compared to that of Figure 13-1.
Figure 13-3 shows an 802.11b signal that’s experiencing severe jamming.
Notice that although the signal is strong at times, it’s missing across various time periods and is being overpowered by another signal. This secondary signal is shown in red at the bottom of the green (actual) signal in NetStumbler. NetStumbler also shows a purple bar that signifies a potential loss of radio signal.
Figure 13-2: Wireless signal experiencing mild interference.
Fight the power generators
As we alluded to earlier, DoS attacks against 802.11 wireless systems can also be carried out through the use of RF jammers — also known as radio power generators or signal generators. Most companies don’t sell devices called RF “jammers”; instead, they market them as signal generators for the purpose of designing and testing radio signals, cabling, antennae, and so on.
Such devices can generate power levels that range from several hundred milliwatts up to several watts, across broad frequency ranges — easily overpowering the weaker 802.11 signals that usually run in the low end of the 1-to-100 milliwatt range. If you’re into electronics design (and have the know-how and parts), you can make your own radio-power-generator system. Thankfully, for those of us who don’t have that kind of time or patience, several commercial signal generators are available. They’re helpful tools for testing your wireless network’s susceptibility to DoS attacks when it’s subjected to such powerful signals. Two systems we’re familiar with are the following:
• YDI Wireless (now Terabeam Wireless) makes the PSG-1 signal generator (www.ydi.com/products/test_eq/psg.php)
• Global Gadget offers the 2.4JM signal generator (www.globalgadgetuk.com/wireless.htm)
Figure 13-3: Wireless signal experiencing severe signal disruption (jamming). Legend: actual signals (green), secondary signals (red), purple bars.
There are also various signal-generator vendors listed at online e-commerce sites such as Naptech (www.naptech.com) and TestMart (http://signalgenerator.testmart.com).
A jamming attack against a wireless network can be carried out from several dozen meters away, which helps the attacker hide. The two jammers we mentioned are handheld systems — so an attacker could conceivably have one stored in his pocket or briefcase, and you’d be none the wiser. Perhaps the most frustrating thing about jammers is that even the most highly protected wireless systems are pretty much indefensible in the face of such an attack.
We won’t demonstrate what using a radio power generator can do to a wireless network — but suffice it to say that the outcome is likely to be worse than the RF signal disruption shown earlier in Figure 13-3.
AP Overloading
802.11-based wireless access points can only handle so much traffic before their memory fills up and their processors become overloaded. This type of DoS attack overloads not only the wireless medium (as outlined earlier) but also the actual wireless infrastructure — and APs themselves.
There are several ways that APs can become overloaded and simply stop addressing the needs of existing or new clients — or just break down altogether. Some of these de-facto attacks are unintentional; others are deliberate and malicious. Let’s take a look at what can happen.
Guilty by association
Attackers can exploit a weakness in the way access points queue incoming client requests — beginning with the client association identifier (AID) tables — the section of an AP’s memory that stores client connection information. The AID tables only have a finite amount of memory and thus can only handle a limited number of wireless client connections. Once this memory fills up, most APs will no longer accept incoming association requests; some APs even crash.
These types of DoS attacks typically use one of two methods:
• Association flooding
• Authentication flooding
Both are easier to do when anybody can connect. When APs are set up to use “open” as the default authentication type, just about any client (trusted or untrusted) can connect to the AP. This is one of those fundamental 802.11 security flaws deemed necessary to keep wireless-connectivity headaches to a minimum. Such open authentication allows any client to send two critical requests:
• Authentication requests for initial connectivity
• Association requests to “join” the wireless network
Now, wireless client connectivity to an AP that’s running open authentication has the three basic phases:
1. No connection
2. Authenticated but not associated
3. Authenticated and associated
This three-step process is critical for understanding DoS attacks, so we show it again in Figure 13-4.
Figure 13-4: Client-to-AP connection process. Phase 1, Not Connected: the client is not authenticated or associated with the AP. Phase 2, Authenticated: the client is now authenticated but not associated with the AP. Phase 3, Associated: the client is now authenticated and associated with the AP.
Attacks that overload the AID tables create a situation that can take a wireless network from normal to frozen in no time: Even an average number of legitimate wireless-client connections can multiply to an insane number when illegitimate connections pile on, faster than you can say intrusion prevention.
Association and authentication attacks are possible mainly because 802.11 management-frame requests and sequencing are not authenticated — or monitored for anomalies.
If you’re up for testing to see how easy it is to fill up the AID tables on your AP(s), there are several tools you can use. One of our favorites is Void11 — a packet-injection tool. Figure 13-5 shows its options: Notice the authentication- and association-flood options, as well as those for flooding a single target, broadcast systems, and randomly generated systems.
Figure 13-5: The various options of the Void11 packet-injection tool.
You can download Void11 from the WLSec project homepage at www.wlsec.net/void11. Or, if you’re not too fond of trying to get your wireless NIC to work in UNIX/Linux, you can run Void11 directly off the super-cool KNOPPIX CD-ROM-based Auditor Security Collection (http://new.remote-exploit.org/index.php/Auditor_main). See Chapter 15 for more details on using and tweaking the Auditor hacking tools.
A great Windows-based tool for creating association and authentication attacks is CommView for WiFi’s Packet Generator Tool, shown in Figure 13-6.
Figure 13-6: CommView for WiFi’s Packet Generator tool.
Packet Generator, which is very easy to use, allows you to replay practically any 802.11 packet (including Association and Authentication Request packets) that you’ve captured in CommView for WiFi or another network-analyzer program.
Here’s a brisk walkthrough capturing an association request packet in CommView for WiFi, copying the packet to the Packet Generator tool, and then sending the packet onto the airwaves:
1. Load CommView for WiFi and click the blue Start Capture icon in the upper-left corner or simply press Ctrl+S on your keyboard.
This loads the Scanner utility (as shown in Figure 13-7) so you can enable your wireless NIC to capture packets.
Figure 13-7: CommView for WiFi’s Scanner utility.
2. Click the Capture button on the Scanner window.
This “opens” the Wireless Adapter Enable Promiscuous mode on your wireless NIC, and allows you to start capturing wireless packets.
3. Capture an Association Request packet.
The easiest way to do this is to power on a new wireless client and look for its requests to the AP to associate. Packet number 115 in Figure 13-8 shows what an Association Request packet looks like. Note that CommView for WiFi lists this as a MGNT/ASS REQ. packet, where MGNT represents a management type packet.
Figure 13-8: An 802.11 Association Request packet in CommView for WiFi.
4. Copy the Association Request packet into Packet Generator.
You can do this by following these steps:
a. Ensure you have the packet you wish to copy highlighted and then press Ctrl+R to load the Packet Generator tool.
b. Within the Packet Generator window, click the black Up arrow next to the sigma (Σ) symbol to show the Templates section.
c. Resize both the CommView for WiFi window and the Packet Generator window so you can view both on your desktop.
d. Simply drag and drop the Association Request packet into the Templates section of the Packet Generator window.
5. Rename the packet.
In the Packet Generator tool, simply right-click the packet labeled New Template(0) in the Templates section and enter a new name such as AssociationRequest. Click outside of the name area to make the change permanent.
That’s all there is to it! You’re now ready to use CommView for WiFi’s Packet Generator tool to send the Association Request packet to your AP(s). Note that if you’d like to change the source or destination MAC addresses in the packet, you can do so very easily by simply clicking into the hex-data area of the Packet Generator window and changing the data directly. (We walk you through this process later in the chapter, in the section called “Deauthentications.”)
6. Send the packet.
You can send the packet by simply selecting the AssociationRequest (or whatever you named it) packet in the Templates section and clicking Send in the Packet Generator tool. Note that you can change the packet size, number of packets per second, and the number of times to send it.
This exercise demonstrates how simple it is to create an association-flood attack. This whole process (depicted in Figure 13-9) — and its potentially harmful results — can happen in a split second.
Figure 13-9: The transition from “normal” client associations to a flooding attack. Left panel, “Typical wireless client connections”: several legitimate wireless clients connected to one access point. Right panel, “Flooded wireless network”: many fake wireless clients crowding the access point (marked OVERLOAD) alongside a few legitimate wireless clients.
The same test can be performed with Authentication Request packets as well.
We’ll use CommView for WiFi’s Packet Generator tool again when we look at deauthentication and disassociation attacks later in this chapter. We’ll also demonstrate what such attacks look like through a network analyzer.
Other packet injection tools can be used to execute association-flooding attacks if you’re eager to venture out, including the following UNIX/Linux-based tools:
• file2air (http://home.jwu.edu/jwright/code/file2air-0.1.tar.bz2)
• AirJack (http://sourceforge.net/projects/airjack)
• libradiate (www.packetfactory.net/projects/libradiate)
Too much traffic
Wireless overloading is often unintentional, especially with today’s “robust” applications sucking up every available bit of memory, processor time, and network bandwidth. For example, the following legitimate wireless network traffic is quite possible on a typical network at any given time:
• Movie and music file downloads
• Basic Web browsing
• P2P file sharing traffic
• A bored employee hosting his own Web or FTP server
• Users streaming the audio of their favorite radio talk-show host
• Internal network file copies, print jobs, and so on
• Vulnerability-assessment software running an obscene number of tests every second
• Downloads occurring over a very-high-speed Internet connection (think T3 and faster)
• Web, e-mail, FTP, or other servers transmitting and receiving data
Wireless networks can easily be saturated at speeds much lower than their claimed throughput rate (in effect, how fast they can transfer data). This is especially true for 802.11b systems that not only struggle to provide enough usable throughput but are also half-duplex (one side communicates at a time).
This means that even in a perfect world, 802.11b systems can’t obtain more than 5.5 Mbps of throughput — usually less, given the speed loss that comes from handling protocols and the traffic generated by multiple clients on the network.
A neat commercial security-testing tool you can use to test an AP’s susceptibility to information overload is BLADE Software’s IDS Informer program (www.bladesoftware.net). This software is designed for testing IDS/IPS systems but can be used to flood a wireless network for DoS testing purposes just as well.
All it takes is one computer, generating a fair amount of legitimate traffic, to bring down an AP. In fact, according to previous nonscientific studies of 802.11b capabilities that Kevin was involved with, a typical 802.11b AP can handle only a dozen or so (often fewer) client connections before performance starts degrading for everyone on the network. This can occur even if the network uses multiple APs in ESS mode to service a broad wireless coverage area. Using 802.11g systems won’t necessarily fix this issue; the trouble may be simply less noticeable, camouflaged by the 54 Mbps throughput of 802.11g systems (compared to only 11 Mbps in 802.11b systems).
All of this is with legitimate traffic on the network. Imagine what can happen when multiple computers are generating malicious traffic! At best, it’s certainly enough to create a serious DoS condition. Technically, such an attack could be considered a distributed DoS (DDoS) attack because multiple systems are involved.
Like their 802.11b predecessors, newer 802.11g systems can handle only three non-overlapping channels (1, 6, and 11); available bandwidth is still minimal on congested networks. This problem can be overcome by using 802.11a technology, which has more available channels for communication — and allows the grouping of more APs to handle the extra requests. But do you really want to purchase and implement the Betamax of wireless network technologies?
Are You Dis’ing Me?
Several clever DoS attacks against wireless clients are bad enough to make you want to stick with good old-fashioned Ethernet — maybe even Token Ring. These attacks are often more effective than association and authentication attacks — that’s because wireless clients tend to be more willing to believe that anything coming to them from an AP must be valid.
There are two main types of DoS attacks against client systems:
• Disassociation attacks
• Deauthentication attacks
The bad thing about these types of client DoS attacks is that they can go on indefinitely until the attacker stops the attack.
Several hacking tools are available to execute client DoS attacks, including WLAN-jack (if you’re lucky enough to have downloaded it before it was taken offline), Void11 (www.wlsec.net/void11), and FATA-jack (www.securitywireless.info/public/wipentest/fata_jack.c). The same results can be accomplished very easily with CommView for WiFi’s Packet Generator, as we’ll demonstrate shortly.
Disassociations
A disassociation attack is essentially a wireless station’s way of saying “I don’t want to talk to you any more.” The situation is similar to when a friend ticks you off — you (the AP) tell the friend (the wireless client) to get lost. Disassociation packets can be sent from a wireless client to an AP as well.
The way a disassociation attack works is actually very straightforward. This attack simply mimics valid disassociation frames originating from a client or AP and cuts off the association. First, the attacker spoofs either the client’s or the AP’s MAC address (usually the latter). Then he sends forged disassociation packets to either a specific system or to the broadcast address. A disassociation attack is shown graphically in Figure 13-10.
After the disassociation occurs, the client is returned to a state where it’s still authenticated to the AP, but not associated. This leaves it in a disconnected state from the network.
Deauthentications
A deauthentication attack is actually a little more effective than a disassociation attack because it puts the client in a state of complete disconnection.
The deauthentication attack is a wireless station’s way of saying “Your connection to me is no longer valid.” As with disassociation attacks, this attack can originate at the client or be sent as if from the AP, and it can be directed to an individual MAC address or to the broadcast address.
Figure 13-11 shows how a deauthentication attack is carried out.
Figure 13-10: Disassociation attack partially disconnecting a wireless client. Step 1, Client fully connected: the client is authenticated and associated with the AP. Step 2: the attacker’s system sends forged packets (a Disassociate Request packet) to take a single client offline. Step 3, Client partially disconnected: the client is still authenticated but no longer associated with the AP.
Figure 13-11: Deauthentication attack completely disconnecting a wireless client. (Step 1, client fully connected: the client is authenticated and associated with the AP. Step 2, attacker sends forged packets: the attacker’s system sends a Deauthenticate Request packet to take a single client offline. Step 3, client fully disconnected: the client is no longer authenticated or associated with the AP.)
If you care to see how your systems respond to deauthentication attacks, here’s how it can be done using CommView for WiFi:
1. Load CommView for WiFi and click the blue Start Capture icon in the upper-left corner or simply press Ctrl+S on your keyboard.
This loads the Scanner utility as shown in Figure 13-7 above so you can enable your wireless NIC to capture packets.
2. Click the Capture button on the Scanner window.
This enables promiscuous mode on your wireless adapter and allows you to start capturing wireless packets.
3. Generate a Deauthentication packet.
It’s a little trickier capturing one of these packets, but if you have an AP that supports manual deauthentications, capturing can be pretty simple. As shown in the Cisco management screen in Figure 13-12, it’s as easy as clicking the Deauthenticate button for the client you wish to deauthenticate.
Figure 13-12: Cisco Aironet option to deauthenticate a wireless client.
4. Capture the Deauthentication packet.
This is as simple as capturing all wireless packets — or narrowing it down to management packets — in a network analyzer. Figure 13-13 shows what such a packet looks like in AiroPeek. All you have to do is capture the packet using any wireless network analyzer, save the packet, and import it into CommView for WiFi’s Packet Generator. Or you can simply capture the packet in CommView for WiFi and save the packet using the steps we outlined for the Association Request packet above.
5. Edit the Deauthentication packet.
After you have the packet loaded into CommView for WiFi’s Packet Generator, you can edit it to change source and destination addresses.
In this example, we’ll change the source address to effectively turn it into a forged address and change the destination address to the broadcast address.
Figure 13-13: A Deauthentication packet discovered by AiroPeek.
Figure 13-14 shows the packet loaded into Packet Generator and edited to have a random source address (11:22:33:44:55:66) — and the broadcast address (ff:ff:ff:ff:ff:ff) as the destination address.
You can change the BSSID address (MAC address of the AP) as well.
These addresses and their locations within the packet are shown in Figure 13-14.
Figure 13-14: An edited version of the Deauthentication packet ready to send.
To edit the packet, you simply click inside the data area on the right side of the Packet Generator window and change the addresses to your heart’s content. Just make sure you stay within the correct fields (offsets in hex editing terminology) so you don’t overwrite other critical packet data.
Note that in Figure 13-14, you can expand the 802.11 item on the left side (simply click the + button) and verify that your changes are accurate for the source, destination addresses, and even the BSSID address.
6. Send the packet.
You can send the packet by setting the appropriate parameters for packet size, packets per second, and the number of times to send it.
This exercise demonstrates how simple it is to create a deauthentication flood attack against wireless clients. If you monitor your airwaves by a network analyzer (such as CommView for WiFi or AiroPeek) while you’re performing this attack, you’ll see quite a spectacle. Notice in Figure 13-15 how the majority of packets discovered by AiroPeek are Deauthentication packets.
Figure 13-16 shows what the same attack looks like through AiroPeek NX’s Packets view. Notice that AiroPeek NX discovered the attack and highlighted the fact in the Expert column.
Figure 13-15: Deauthentication attack as seen in AiroPeek’s Protocols view.
Figure 13-16: Deauthentication attack as seen in AiroPeek NX’s Packets view.
For a real-world view of what this type of attack can do to a wireless client, take a gander at Figures 13-17 (normal wireless connectivity and a test ping out to a Web site) and 13-18 (the havoc after deauthentication).
Figure 13-17: Normal wireless client connectivity.
Invalid authentications via fata_jack
There are other tools that can create similar client DoS attacks. One popular one is Mark “Fat Bloke” Osborne’s fata_jack. This is a Linux program based on the wlan_jack program that you’ll have to compile before using. It sends out invalid Authentication Failed frames, allowing an attacker to spoof a valid client on the network and send these invalid frames to the AP. The AP, in effect, responds to the client with Hey! Your previous authentication failed, so forget you — I don’t want to speak to you any more.
This attack is known to create erratic behavior on wireless clients, especially those running on older operating systems with older wireless hardware. Before using this program, you compile it (via the instructions in the source code); then you can run it to see whether any of your systems are vulnerable — just be careful so you don’t crash critical systems.
Figure 13-18: Wireless client connectivity losses after a deauthentication attack begins.
Physical Insecurities
When it comes to physical insecurities, we’re not referring to that uncomfortable feeling when we realize we need to shed a few pounds. We’re actually talking about an attacker physically exploiting an AP — maybe not with a sledge-hammer, but with about that much subtlety — in a way that can lead to a DoS situation.
If an attacker wants to deny service to a reception area, a coffeeshop, or even an entire airport terminal, all he has to do is something trivial like shutting off the power or stealing the AP itself. If an attacker really wants to get sneaky, he could slightly unplug the Ethernet cable or slightly disconnect the antennae from the back of the AP. These two problems — easily and commonly overlooked — can drive you bonkers trying to troubleshoot!
When performing your ethical-hacking tests — or even if you’re simply troubleshooting wireless-network connectivity problems — be sure to look at this oh-that’s-too-obvious area. As do most people working in IT, we’ve found that the simple things tend to cause the most problems.
DoS Countermeasures
There are several things you can do to protect your airwaves and systems from DoS attacks. Many of these are free and relatively simple if you can spare the time. Only a couple of these suggestions require that you spend money — albeit good money — but the solutions are usually worth every penny.
Know what’s normal
Establish a baseline of typical wireless-network usage. Use AiroPeek, CommView for WiFi, or your favorite network analyzer to look at
• Protocols in use
• Minimum, maximum, and average number of connections
• Minimum, maximum, and average throughput
• RF signal strength
• Any notable RF interference
• Number of users
It’s best to gather this data as soon as you set up your network, if possible. If you can’t do that, simply start now and use the data you gather as your baseline. Continue to monitor what’s going on periodically, during
• Specific timeframes
• Random timeframes
• High-traffic times of day
• Low-traffic times of day
This information will prove invaluable when you’re trying to determine whether a DoS attack is about to occur, is occurring, or has already occurred.
Without baseline information, knowing what’s right and what’s not is maddeningly difficult.
Contain your radio waves
If RF signals are leaking outside your building — they likely are — then practically all of the DoS attacks we mention here are possible. Adding insult to injury, trying to track down where jamming signals are coming from (outside of using complex triangulation calculations) is very difficult.
The best way to keep your radio waves inside and intact is to use directional antennae whenever possible to point the signals in only the direction they need to go. You should also scale back the transmission power of your APs if possible. This can leave you more susceptible to stronger signals overpowering yours, but that’s the chance you have to take. The Cisco Aironet AP shown in Figure 13-19 has this capability.
There are also RF shielding materials that can be built in to or added onto building walls and windows, but this can be costly. If actual shielding of the radio signals is not possible, then the best alternative is to keep attackers as far away from your wireless systems as you can. This means protecting your entire building — even your organization’s campus — with fences and guard posts if necessary.
Figure 13-19: Changing the transmit power on a Cisco AP.
If there’s one good thing about Physical Layer jamming attacks, it’s that hackers have to put forth a fair amount of effort to carry them out. If you keep upping the ante, they’ll have to do that as well. Eventually they reach a limit: their jamming devices can only utilize so much transmitting power. If you put enough protective measures in place, the hackers will have to put themselves physically in the same room as your wireless systems — where they might be subject to not-so-subtle defensive measures (say, angry system administrators with two-by-fours). If you can’t keep the bad guys out at this point, well, you may have bigger problems on your hands.
Limit bandwidth
Many enterprise-class APs allow you to tweak Quality of Service and Class of Service configurations to limit what comes and goes. Specific features vary among virtually every AP, so be sure to check your documentation to see what’s available.
Use a Network Monitoring System
With a network monitoring system, you can set SNMP traps and other programmable alerts to notify you during excessive traffic loads, signal degradation, signal losses, and more.
Use a WIDS
A wireless intrusion-detection/prevention system (IDS/IPS) is perhaps the most effective way of defending against DoS attacks. Such systems look for
• Unauthorized MAC addresses
• Unauthorized broadcast traffic
• Jamming
• Association floods
• Authentication floods
• Disassociation attacks
• Deauthentication attacks
Most WIDS even track the state of wireless communications, and can look for various protocol anomalies. For instance, if data transfer is observed after deauthentication or disassociation requests, a WIDS system may smell a rat, determine that such requests are illegitimate, and tear down the communication link. Refer to Appendix A for a detailed listing of such vendors.
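The WIDS reasoning just described (data observed after a deauthentication or disassociation request suggests the request was forged), combined with the client state transitions described earlier for disassociation and deauthentication, as an added example that is not from the book or from any vendor’s product: a Python replay of a constructed frame log that tracks each client’s 802.11 state and raises alerts for data after a disconnect and for a deauthentication flood. The AP and client addresses, the frame log, and the flood threshold are constructed placeholders.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:0c:41:aa:bb:cc"      # assumed AP (BSSID) address, placeholder
CLIENT = "00:0e:35:11:22:33"  # assumed legitimate client address, placeholder
FLOOD_THRESHOLD = 10          # deauths per window before we call it a flood

# Constructed capture: (time_ms, frame_type, source, destination, bssid).
# A broadcast deauth "from the AP" is followed by the client still sending
# data, then by a burst of deauths like the chapter's Packet Generator test.
SAMPLE_FRAMES = [
    (0, "auth", CLIENT, AP, AP),
    (100, "assoc", CLIENT, AP, AP),
    (1000, "data", CLIENT, AP, AP),
    (2000, "deauth", AP, BROADCAST, AP),
    (2200, "data", CLIENT, AP, AP),
] + [(3000 + i * 10, "deauth", AP, BROADCAST, AP) for i in range(25)]


def targets(states, src, dst, bssid):
    """Client MACs affected by a disassociation or deauthentication frame."""
    if dst == BROADCAST:
        return [c for c in states if c != bssid]
    return [src if src != bssid else dst]


def analyze(frames, flood_threshold=FLOOD_THRESHOLD, window_ms=1000):
    """Replay frames through the 802.11 client state machine; return (states, alerts).
    State 1 = unauthenticated, 2 = authenticated only, 3 = associated (data allowed)."""
    states = defaultdict(lambda: 1)   # client MAC -> state; unknown clients start at 1
    recent_deauths = deque()          # timestamps of deauths inside the sliding window
    alerts = []
    for ts, ftype, src, dst, bssid in frames:
        if ftype == "auth":
            states[src] = max(states[src], 2)
        elif ftype == "assoc":
            states[src] = 3
        elif ftype == "disassoc":                  # drops the client back to state 2
            for c in targets(states, src, dst, bssid):
                states[c] = min(states[c], 2)
        elif ftype == "deauth":                    # drops the client back to state 1
            for c in targets(states, src, dst, bssid):
                states[c] = 1
            recent_deauths.append(ts)
            while ts - recent_deauths[0] > window_ms:
                recent_deauths.popleft()
            if len(recent_deauths) == flood_threshold:
                alerts.append(("deauth_flood", ts, bssid))
        elif ftype == "data":
            station = src if src != bssid else dst
            if states[station] < 3:                # data right after a disconnect
                alerts.append(("data_after_disconnect", ts, station))
    return dict(states), alerts
```

Run `analyze(SAMPLE_FRAMES)` to see one data-after-disconnect alert for the client and one flood alert once the tenth deauthentication lands inside a one-second window.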
Attack back
Some WIDS already have the ability to attack the attacker, but you can do it yourself almost as easily. If bells, whistles, and automation are not in your budget, you can keep things simple by utilizing a tool such as Void11, CommView for WiFi, or other packet-injection programs, combined with a list of allowed systems on your network. If you come across an unauthorized system trying to attack your network, a simple deauthentication attack sent back in the attacker’s direction may be all you need.
If your situation warrants fighting back, be very careful about it — you could end up breaking laws, violating security-ethics commandments, or simply getting schooled and trounced by your attacker.
Demand fixes
There are certain things that only the wireless-standards bodies (such as the IEEE and Wi-Fi Alliance) and the vendors of wireless products have control over.
If you’re serious about implementing wireless (and you or your organization have enough clout in the industry), then request — better yet, demand — that your wireless vendors and standards bodies fix the issues we cover in this chapter.
In addition, there’s no reason organizations developing, testing, or certifying wireless-network products shouldn’t use the same tools we demonstrate in this chapter and throughout this book. Again, in order to defend against the enemy, you must understand the enemy. Encouraging the powers that be to do so only makes logical sense.