Introduction to 802.11 wireless frames
The best way to understand how any type of network protocol works is to look at it at the packet level. I'll show you how we can capture wireless frames and what these packets look like under normal conditions.
Capturing wireless packets
There are many tools for capturing wireless packets. In this post, I'm going to use Kismet (on Windows, similar software includes NetStumbler and inSSIDer).
Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.
Kismet puts your wireless card into monitor mode and then provides a basic view of the different APs nearby (as identified by the captured packets).
- Probing & Network discovery
Kismet can be installed very easily on any Unix-based operating system and can also be run on Windows under Cygwin.
To install Kismet on Debian-based systems:
sudo apt-get install kismet
Kismet usage example:
[email protected]:/ kismet
- Capture wireless packets
Packets captured by Kismet can be saved into pcap files, which can then be opened and analyzed offline in Ethereal.
- Dissecting wireless packets
Let's now extract some common wireless packet types and observe how wireless communication is made possible.
The beacon frame is one of the most common wireless frames. A beacon frame is a packet sent by a wireless access point.
Some of the fields we need to note are:
– Destination address
– BSSID (Basic Station System ID): contains the MAC address for the wireless side of the access point.
– Sequence number: incremented by one every time the wireless station emits a packet.
– SSID: the wireless network name
MAC spoofing attack
In a MAC spoofing attack, the attacker changes their MAC address to that of an authenticated user to bypass the MAC filtering configured on an access point.
Implementation on Linux:
ifconfig wlan0 down                        # as root: disable the network interface
ifconfig wlan0 hw ether 01:02:03:aa:bb:cc  # enter the new MAC address
ifconfig wlan0 up                          # bring the interface back up
DoS attacks: Deauthentication
An attacker can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim. The protocol does not require any encryption for this frame, even when the session was established with WEP for data privacy, and the attacker only needs to know the victim's MAC address, which is available in the clear through wireless network sniffing.
Aircrack-ng can mount a WiFi deauthentication attack.
aireplay-ng --deauth 25 -h <TARGET MAC> -b <AP MAC> wlan0
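On the detection side, the sequence number field described earlier is what exposes both MAC spoofing and forged deauthentication frames: a second radio borrowing a MAC address runs its own counter. The following is an added example, not code from the original post; it assumes frames with the radiotap header already stripped, and the thresholds `max_gap` and `deauth_limit`, the helper `sample_frame` and the sample addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

DEAUTH = (0, 12)  # (type, subtype) of a deauthentication frame
SEQ_MOD = 4096    # the sequence number is a 12-bit counter

def parse_header(frame):
    """Decode the 24-byte 802.11 management header (radiotap already stripped)."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc, _dur, a1, a2, a3, sc = struct.unpack("<HH6s6s6sH", frame[:24])
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "dst": a1.hex(":"), "src": a2.hex(":"), "bssid": a3.hex(":"),
            "seq": sc >> 4}  # low 4 bits of sequence control are the fragment number

def analyse(frames, max_gap=64, deauth_limit=5):
    """Flag sequence-number jumps and deauth bursts per transmitter MAC."""
    last_seq, deauths, alerts = {}, defaultdict(int), []
    for raw in frames:
        try:
            h = parse_header(raw)
        except ValueError:
            continue  # skip truncated captures
        src = h["src"]
        if src in last_seq:
            # A retry repeats the number (gap 0); a second radio using the
            # same MAC runs its own counter, so the gap is large or negative.
            gap = (h["seq"] - last_seq[src]) % SEQ_MOD
            if gap > max_gap:
                alerts.append(("seq-jump", src, last_seq[src], h["seq"]))
        last_seq[src] = h["seq"]
        if (h["type"], h["subtype"]) == DEAUTH:
            deauths[src] += 1
            if deauths[src] == deauth_limit:
                alerts.append(("deauth-burst", src, h["dst"]))
    return alerts

def sample_frame(subtype, dst, src, bssid, seq):
    """Constructed test input: header bytes only, never transmitted."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("<HH6s6s6sH", subtype << 4, 0,
                       raw(dst), raw(src), raw(bssid), seq << 4)

AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed addresses
SAMPLE = []
for i in range(5):  # AP beacons interleaved with deauths claiming the AP's MAC
    SAMPLE.append(sample_frame(8, "ff:ff:ff:ff:ff:ff", AP, AP, 100 + i))
    SAMPLE.append(sample_frame(12, STA, AP, AP, 2000 + i))
ALERTS = analyse(SAMPLE)
```

Every frame after the first raises a `seq-jump` alert because the two counters (100.. and 2000..) alternate under one source address, and the fifth deauthentication frame adds a `deauth-burst` alert.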
MITM (man in the middle) & Rogue AP
In this type of attack, the attacker attempts to insert himself in the middle of a communication in order to intercept the client's data, and could potentially modify it before discarding it or sending it on to the real destination.
To insert oneself in the middle of the communication, one has to accomplish two tasks. First, the legitimate AP serving the client must be brought down or made "very busy" so as to create a "difficult to connect" scenario for the wireless client. Second, the attacker must set up an alternate rogue AP with the same credentials as the original so that the client can connect to it.
Either RF interference or a DoS attack can accomplish the first task.
Here are the steps an attacker takes:
In this post I introduced capturing and dissecting wireless packets and two common types of attack (DoS & MITM) on wireless networks.
I'll write about other types of attack on Wi-Fi encryption, and also about wireless defence, in the next post.