DOS April fools’ day

Since I have no option of cable internet in the building where I live –that’s why I have LTE- my girlfriend constantly complains about connectivity problems. Taking advantage of that, I will pull a prank on her on All fools’ day so she won’t be able to use the internet for about an hour or so. The only hardware needed is a compatible Network Interface Controller which can both enter a monitor mode and inject/capture packets. I will use the very popular TP-LINK TL-WN722N based on an Atheros AR9271 chipset. The following demo is the prova generale and I hope she doesn’t follow my blog 🙂

To make things work, I will use aircrack-ng and perform a really simple deauth WiFi attack, which is pretty much a DOS attack. Since that kind of attack requires only AP’s MAC; one can potentially compromise almost any WLAN. The solution to prevent such an attack is to enable Management Frame Protection. Deauthentication attack as far as I am aware of, is primarily used in passphrase attacks where an attacker forces the victim to disconnect/reconnect and thus allowing the eavesdropper to capture the initial handshake. So if you experience any similar network traffic, you should ensure that you are well protected with a strong password and turn MFP on, if it is available. Hiding your SSID won’t work because in monitor mode your WLAN will still be discoverable, instead of essid you will see a <length:    #some number>.

Let’s get to work now. First of all I need to find out what’s the status of the wireless interfaces (iwconfig). After that I enable monitor mode on the Atheros NIC by entering airmon-ng start wlan1. But be aware that one should kill all the other network managers beforehand, since they will cause interference problems (simply enter airmon-ng check kill). In order to display the detected APs type airodump-ng mon0. You can see what the output looks like.

airodump-mon0.png

After obtaining the MAC and the channel I am interested in, I can set the interface on listening to that particular channel by iwconfig mon0 channel 8. Now if my plan is to perform the attack so that all hosts will receive the deauth packet, I can simply enter aireplay-ng -0 0 –a 80:13:82:xx:xx:xx mon0 --ignore-negative-one, but that is definitely not a good practice since it will trigger an alarm in an analyzer as shown below (for this purpose I used kismet).

kismet.png

In order to assure a higher stealthiness level (it can still be detected if one examine the management packets as shown again in kismet) and since I am interested in deauthicating only a particular device, all I need to do is to find the MAC of the target device.

kismetFullScaled.png

I can either use airodump-ng --bssid 80:13:82:xx:xx:xx mon0 and listen to what devices are currently connected to the AP (shown on the previous printscreen as well), or I can use a scanner because I am connected to the network nmap -192.168.1.0/24 –PR –sn. I will go after the first option, since scanning the network with nmap will cause an easily detectable traffic (flooding the network with arp requests coming from the original source). After I had obtained a list of connected devices I can use google to find out which one corresponds to the vendor of the target device and attack the device I want. In my case I will attack my own mobile phone and the command will be aireplay-ng -0 0 –a 80:13:82:xx:xx:xx mon0 –-ignore-negative-one –c 40:88:05:xx:xx:xx. Tada!

deaut

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s