Post on 19-Dec-2015
Attacking a Wireless Network via De-authentication
by
Dou Wang, Jiaying Shi, Ying Chen
School of Computer Science
University of Windsor
November 2007
Contents
• Introduction
• Related Works
• Our Experiment
  • De-authentication attack of Denial of Service
  • Intrusion Detection System
• Conclusion
Introduction
Wireless Local Area Network (WLAN)
• A network connection that does not require a wired Ethernet connection; it is based on radio-wave technology.
• Operating standard: 802.11.
• Flexible setup, access mobility, low cost, easy to deploy.
Introduction
• Passive attacks focus on sniffing data sent on the wireless signal.
• Active attacks destroy the availability of the wireless networking infrastructure, or slow network performance.
Introduction
Open Systems Interconnection (OSI)
• Application Layer
• Presentation Layer
• Session Layer
• Transport Layer
• Network Layer
• Data Link Layer
• Physical Layer
Introduction
802.11 protocol
• Data Link Layer
  • The Medium Access Control (MAC) sub-layer determines the way to send data and access the wireless medium.
  • The Logical Link Control (LLC) sub-layer is responsible for the MAC addressing, framing, and error control.
• The Physical Layer takes care of transmitting raw bits through a communication channel.
Introduction
802.11 network configuration
Figure 1: Infrastructure Network and Ad Hoc Network
Related works
Denial of Service
A denial of service is “any action, or series of actions, that prevents any part of a system, or its resources, from functioning in accordance with its intended purpose”. Denial of service is the absence of availability. [2]
Related works
• Resource allocation attacks take the victim out of service temporarily by continuously sending an association flood or authentication flood. Service returns to normal once the resource allocation attack stops.
• Resource destruction attacks disconnect the victim from the network by exploiting vulnerabilities. The connection is not restored immediately even after the attack stops.
1. Authentication
2. Association
Connection established!
1. Disassociation
2. Deauthentication
Disconnected!
Experiment
Experiment
Image from http://www.caip.rutgers.edu/~marsic/books/WN/book-WN_marsic.pdf
Experiment
Experiment
Key software
• Redhat Linux 9 with Kernel 2.4.20-8
• Hostap 0.0.4
• Void11 0.2.0
• Kismet 2006-04-R1
• Snort-wireless 2.4.3 with wireless patch
Attacker Laptop:
• Toshiba Satellite M30 Laptop
• Hardware: Intel M 2.0GHz, RAM 512MB, 40GB Partition, SMC EliteConnection 2.4GHz 802.11b SMC2532W-B
• Software: Redhat Linux 9, kernel 2.4.20-8, Hostap 0.0.4, Void11 0.2.0
• Role in the project: Attacker
• MAC: 00-04-e2-81-75-78
• IP Address: none
Experiment
Experiment
Intrusion Detection Laptop
• IBM Thinkpad R50
• Hardware: 1829-5GC, Intel M 1.5GHz, RAM 256MB, 10GB Partition, SMC EliteConnection 2.4GHz 802.11b SMC2532W-B
• Software: Redhat Linux 9, Kernel 2.4.20-8, Hostap 0.0.4, Kismet 2006.04.R1, Snort-wireless 2.4.3 Alpha 04 (Build 26)
• Role in the project: Sniffer, Intrusion Detection, frame capture
• MAC: 00-04-e2-91-78-07
• IP Address: 192.168.1.162
Experiment
Victim Laptop
• ASUS M3NP Laptop
• Hardware: Intel M 2.0GHz, RAM 1GB, 80GB Partition, NETGEAR Wireless PC Card 32-bit CardBus WG511
• Software: Windows 2003 Server, Microsoft IIS
• Role in the project: Victim
• MAC: 00-09-5b-83-f8-9c
• IP Address: 192.168.1.101
Experiment
Service Requestor
• IBM Thinkpad T61
• Hardware: 7662-CT0, Intel Core 2 Duo 2.2GHz, RAM 2GB, 100GB Partition, Intel 8459 AGN Wireless NIC
• Software: Windows Vista Home Edition
• Role in the project: Service Requestor, test for DoS
• IP Address: 192.168.1.103
Experiment
Access Point & NICs (our heroes)
• Wireless Access Point
• 802.11g/2.4GHz Wireless Router D-Link DI-524
• MAC Address: 00:11:95:75:23:9A
• IP Address: 192.168.1.3
• SSID: wang1124
Experiment
• Attacking Tool: void11 based on hostap
• IDS Tool: kismet based on hostap
• Analysis Tool: snort-wireless
Experiment
Assumptions:
• Attacker has root privilege on that laptop
• Attacker knows the MAC addresses of both AP and victim
• The wireless network is based on 802.11b protocol
Experiment
Attacking
# void11-penetration wlan0 -t 1 -s 00:09:5b:83:f8:9c -B 00:11:95:75:23:9a -d 1000
Experiment
Attacking (cont'd)
# void11-penetration wlan0 -t 1 -s 00:09:5b:83:f8:9c -B 00:11:95:75:23:9a -d 120000
Experiment
Sniffing
Experiment
Analysis Result
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/30-22:09:48.627250 Deauthent. 0:9:5B:83:F8:9C -> 0:11:95:75:23:9A
bssid: 0:9:5B:83:F8:9C Flags: Re
0x0000: C0 08 3A 01 00 11 95 75 23 9A 00 09 5B 83 F8 9C  ..:....u#...[...
0x0010: 00 09 5B 83 F8 9C 80 4E 02 00                    ..[....N..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/30-22:09:48.650280 Deauthent. 0:9:5B:83:F8:9C -> 0:11:95:75:23:9A
bssid: 0:9:5B:83:F8:9C Flags:
0x0000: C0 00 3A 01 00 11 95 75 23 9A 00 09 5B 83 F8 9C  ..:....u#...[...
0x0010: 00 09 5B 83 F8 9C A0 4E 02 00                    ..[....N..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
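Added example, not part of the original slides: the two dumped frames decoded with the 802.11 management header layout (frame control, duration, destination, source, BSSID, sequence control, reason code), followed by a per-pair de-authentication counter of the kind an IDS applies. The threshold of 5 frames per 1-second window and the sample timeline are assumptions constructed for illustration.

```python
import struct
from collections import deque

AP_MAC = "00:11:95:75:23:9a"  # access point MAC given on the slides
# Frame bytes copied from the two Snort-wireless dumps above.
FRAME_1 = bytes.fromhex("C0 08 3A 01 00 11 95 75 23 9A 00 09 5B 83 F8 9C"
                        "00 09 5B 83 F8 9C 80 4E 02 00")
FRAME_2 = bytes.fromhex("C0 00 3A 01 00 11 95 75 23 9A 00 09 5B 83 F8 9C"
                        "00 09 5B 83 F8 9C A0 4E 02 00")

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Decode an 802.11 deauthentication frame; None for anything else."""
    if len(frame) < 26:
        return None
    fc0, fc1 = struct.unpack_from("<BB", frame, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype != 12:  # management frame, deauthentication
        return None
    seq_ctrl, reason = struct.unpack_from("<HH", frame, 22)
    bssid = mac(frame[16:22])
    return {"dst": mac(frame[4:10]), "src": mac(frame[10:16]), "bssid": bssid,
            "retry": bool(fc1 & 0x08), "seq": seq_ctrl >> 4, "reason": reason,
            "bssid_is_ap": bssid == AP_MAC}

def flood_alerts(events, threshold=5, window=1.0):
    """events: iterable of (seconds, frame_bytes). Alert each time a
    src->dst pair reaches `threshold` deauths inside `window` seconds.
    threshold and window are illustrative values, not from the slides."""
    recent, alerts = {}, []
    for ts, raw in events:
        f = parse_deauth(raw)
        if f is None:
            continue
        q = recent.setdefault((f["src"], f["dst"]), deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append({"time": ts, **f})
    return alerts

# Constructed capture: the two frames repeated at the ~23 ms spacing seen
# between the two timestamps above.
SAMPLE = [(i * 0.023, FRAME_1 if i % 2 == 0 else FRAME_2) for i in range(6)]

if __name__ == "__main__":
    for frame in (FRAME_1, FRAME_2):
        print(parse_deauth(frame))
    print(flood_alerts(SAMPLE))
```

Both frames carry reason code 2 (previous authentication no longer valid), and their BSSID field holds the victim's MAC rather than the access point's, which is a second signal a detector can check alongside the frame rate.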
Conclusions
• We simulated a wireless attack on the data-link layer by generating control frames to perform a de-authentication flood against a single target.
• The Intrusion Detection System is able to detect the attack and capture the packets.
• The attack and detection tools are based on Prism chipset wireless network cards; hostap needs to be installed on Linux kernel 2.4.x.
• Different attack rates (frames per second/millisecond) lead to different scenarios; a higher attack rate can cause the access point to remove the victim computer's MAC address from its cache immediately.
• D-Link DI524 has self-protection from association flood and authentication flood.
Acknowledgement
• Yufei Xu, Da Teng and Xin Wu
• Dr. Akshai Aggarwal
• IT Service staff
References
[1] Allison H. Scogin, “Disabling a Wireless Network via Denial of Service”, Technical Report MSU-070424.
[2] S. Harris, CISSP Certification, 2nd Edition, McGraw-Hill/Osborne, Emeryville, CA, 2003, p. 873.
[3] Basic Digital Forensic Investigation Concepts, http://www.digitalevidence.org/di_basics.html (current Mar 1, 2007).
[4] M. S. Gast, 802.11 Wireless Networks: The Definitive Guide, 2nd Edition, O’Reilly Media, Inc., Sebastopol, California, 2005.
[5] R. Power, “2000 CSI/FBI Computer Crime and Security Survey,” Computer Security Journal, vol. 16, no. 2, 2000, pp. 33-49.
[6] A. S. Tanenbaum, Computer Networks, 4th Edition, Prentice Hall, Upper Saddle River, New Jersey, 2003.
[7] http://salis.iisc.ernet.in/soho/hostap_documentation1.htm, 2007, for hostap installation.
[8] http://www.wirelessdefence.org/Contents/Void11Installation.htm, 2007, for void11 installation.