Wi-Fi deauthentication attack

Last updated

A Wi-Fi deauthentication attack is a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point.

Contents

Technical details

Sequence diagram for a Wi-Fi deauthentication attack Deauth attack sequence diagram.svg
Sequence diagram for a Wi‑Fi deauthentication attack

Unlike most radio jammers, deauthentication acts in a unique way. The IEEE 802.11 (Wi-Fi) protocol contains the provision for a deauthentication frame. Sending the frame from the access point to a station is called a "sanctioned technique to inform a rogue station that they have been disconnected from the network". [1]

An attacker can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim. The protocol does not require any encryption for this frame, even when the session was established with Wired Equivalent Privacy (WEP), WPA or WPA2 for data privacy, and the attacker only needs to know the victim's MAC address, which is available in the clear through wireless network sniffing. [2] [3]

Usage

Evil twin access points

One of the main purposes of deauthentication used in the hacking community is to force clients to connect to an evil twin access point which then can be used to capture network packets transferred between the client and the access point.

The attacker conducts a deauthentication attack to the target client, disconnecting it from its current network, thus allowing the client to automatically connect to the evil twin access point.

Password attacks

In order to mount a brute-force or dictionary based WPA password cracking attack on a Wi‑Fi user with WPA or WPA2 enabled, a hacker must first sniff the WPA 4-way handshake. The user can be elicited to provide this sequence by first forcing them offline with the deauthentication attack. [4]

In a similar phishing style attack without password cracking, Wifiphisher starts with a deauthentication attack to disconnect the user from their legitimate base station, then mounts a man-in-the-middle attack to collect passwords supplied by an unwitting user.

Attacks on hotel guests and convention attendees

The Federal Communications Commission has fined hotels and other companies for launching deauthentication attacks on their own guests; the purpose being to drive them off their own personal hotspots and force them to pay for on-site Wi-Fi services. [5] [6] [7] [8] [9]

Toolsets

Aircrack-ng suite, MDK3, Void11, Scapy, and Zulu software can mount a Wi‑Fi deauthentication attack. [10] Aireplay-ng, an aircrack-ng suite tool, can run a deauthentication attack by executing a one-line command:

aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c yy:yy:yy:yy:yy:yy wlan0
  1. -0 arms deauthentication attack mode
  2. 1 is the number of deauths to send; use 0 for infinite deauths
  3. -a xx:xx:xx:xx:xx:xx is the AP (access point) MAC (Media Access Control) address
  4. -c yy:yy:yy:yy:yy:yy is the target client MAC address; omit to deauthenticate all clients on AP
  5. wlan0 is the NIC (Network Interface Card)

Pineapple rogue access point can issue a deauth attack. [11] [12]

See also

Related Research Articles

<span class="mw-page-title-main">Wireless LAN</span> Computer network that links devices using wireless communication within a limited area

A wireless LAN (WLAN) is a wireless computer network that links two or more devices using wireless communication to form a local area network (LAN) within a limited area such as a home, school, computer laboratory, campus, or office building. This gives users the ability to move around within the area and remain connected to the network. Through a gateway, a WLAN can also provide a connection to the wider Internet.

<span class="mw-page-title-main">Wi-Fi</span> Wireless local area network

Wi-Fi is a family of wireless network protocols based on the IEEE 802.11 family of standards, which are commonly used for local area networking of devices and Internet access, allowing nearby digital devices to exchange data by radio waves. These are the most widely used computer networks, used globally in home and small office networks to link devices and to provide Internet access with wireless routers and wireless access points in public places such as coffee shops, hotels, libraries, and airports to provide visitors.

<span class="mw-page-title-main">Wireless access point</span> Device that allows wireless devices to connect to a wired network

In computer networking, a wireless access point, or more generally just access point (AP), is a networking hardware device that allows other Wi-Fi devices to connect to a wired network or wireless network. As a standalone device, the AP may have a wired connection to a router, but, in a wireless router, it can also be an integral component of the router itself. An AP is differentiated from a hotspot, which is a physical location where Wi-Fi access is available.

Wired Equivalent Privacy (WEP) was a severely flawed security algorithm for 802.11 wireless networks. Introduced as part of the original IEEE 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP, recognizable by its key of 10 or 26 hexadecimal digits, was at one time widely used, and was often the first security choice presented to users by router configuration tools.

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).

IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks, replacing the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, the amendment deprecated broken Wired Equivalent Privacy (WEP), while it was later incorporated into the published IEEE 802.11-2007 standard.

<span class="mw-page-title-main">Wi-Fi Alliance</span> Non-profit organization that owns the Wi-Fi trademark

The Wi-Fi Alliance is a non-profit organization that owns the Wi-Fi trademark. Manufacturers may use the trademark to brand products certified for Wi-Fi interoperability. It is based in Austin, Texas.

A wireless distribution system (WDS) is a system enabling the wireless interconnection of access points in an IEEE 802.11 network. It allows a wireless network to be expanded using multiple access points without the traditional requirement for a wired backbone to link them. The notable advantage of WDS over other solutions is that it preserves the MAC addresses of client frames across links between access points.

<span class="mw-page-title-main">Wi-Fi hotspot</span> Wi-Fi access point

A hotspot is a physical location where people can obtain Internet access, typically using Wi-Fi technology, via a wireless local-area network (WLAN) using a router connected to an Internet service provider.

IEEE 802.11r-2008 or fast BSS transition (FT), is an amendment to the IEEE 802.11 standard to permit continuous connectivity aboard wireless devices in motion, with fast and secure client transitions from one Basic Service Set to another performed in a nearly seamless manner. It was published on July 15, 2008. IEEE 802.11r-2008 was rolled up into 802.11-2012. The terms handoff and roaming are often used, although 802.11 transition is not a true handoff/roaming process in the cellular sense, where the process is coordinated by the base station and is generally uninterrupted.

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and is updated by RFC 5247. EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages.

<span class="mw-page-title-main">Wireless security</span> Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

IEEE 802.11u-2011 is an amendment to the IEEE 802.11-2007 standard to add features that improve interworking with external networks.

wpa_supplicant Open-source implementation of IEEE 802.11i

wpa_supplicant is a free software implementation of an IEEE 802.11i supplicant for Linux, FreeBSD, NetBSD, QNX, AROS, Microsoft Windows, Solaris, OS/2 and Haiku. In addition to being a WPA3 and WPA2 supplicant, it also implements WPA and older wireless LAN security protocols.

hostapd is a user space daemon software enabling a network interface card to act as an access point and authentication server. There are three implementations: Jouni Malinen's hostapd, OpenBSD's hostapd and Devicescape's hostapd.

<span class="mw-page-title-main">Aircrack-ng</span> Software suite

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic. Packages are released for Linux and Windows.

The DG834 series are popular ADSL modem router products from Netgear. The devices can be directly connected to the phone line and establish an ADSL broadband Internet connection to the ISP and share it among several computers via 802.3 Ethernet and 802.11b/g wireless data links.

<span class="mw-page-title-main">Wireless repeater</span> Wireless computer networking device

A wireless repeater is a device that takes an existing signal from a wireless router or wireless access point and rebroadcasts it to create a second network. When two or more hosts have to be connected with one another over the IEEE 802.11 protocol and the distance is too long for a direct connection to be established, a wireless repeater is used to bridge the gap. It can be a specialized stand-alone computer networking device. Also, some wireless network interface controllers (WNIC)s optionally support operating in such a mode. Those outside of the primary network will be able to connect through the new "repeated" network. However, as far as the original router or access point is concerned, only the repeater MAC is connected, making it necessary to enable safety features on the wireless repeater. Wireless repeaters are commonly used to improve signal range and strength within homes and small offices.

WiFi-Where was a tool that facilitated Wardriving and detection of wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. Versions existed for the operating systems iOS and Palm OS. Originally created in June 2004 for the Palm OS by Jonathan Hays of Hazelware Software, the IP for WiFi-Where was licensed to 3Jacks Software in 2009. An iPhone version of the application was released in January 2010, but was pulled from the App Store by Apple in March 2010. The app was frequently listed as a common tool to facilitate Wardriving As of 2010, it is still available in the Jailbroken Cydia store.

<span class="mw-page-title-main">KRACK</span> Attack on the Wi-Fi Protected Access protocol

KRACK is a replay attack on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. Vanhoef's research group published details of the attack in October 2017. By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the full keychain used to encrypt the traffic.

References

  1. Joshua Wright (2005), Weaknesses in Wireless LAN Session Containment (PDF)
  2. Mateti, Prabhaker (2005), Hacking Techniques in Wireless Networks: Forged Deauthentication, Department of Computer Science and Engineering, Wright State University, archived from the original on 2020-07-14, retrieved 2015-08-18
  3. Bellardo, John; Savage, Stefan (2003-05-16), "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions", Proceedings of the USENIX Security Symposium, Aug 2003 via Cal Poly (Deauthentication Attack chapter link)
  4. Wireless Security Series Part I: Detoolauthentication Attacks by AirMagnet Intrusion Detection Research Team, Fluke Networks, archived from the original on 2016-03-18, retrieved 2015-08-18
  5. Katia Hetter (October 4, 2014), Marriott fined $600,000 by FCC for blocking guests' Wi-Fi, CNN
  6. Nicholas Deleon (August 18, 2015), "FCC Fines Hotel Wi-Fi Provider for Blocking Personal Hotspots", Vice
  7. Order and consent decree — In the Matter of SMART CITY HOLDINGS, LLC (PDF), Federal Communications Commission, August 18, 2015, DA 15-917, The complaint charged that its customers could not connect to the Internet using the complainant's equipment at several venues where Smart City operates or manages the Wi-Fi access. Specifically, the complainant alleged that Smart City transmitted deauthentication frames to prevent the complainant's customers' use of their Wi-Fi equipment. ... Smart City's responses [to FCC Letters of Inquiry] revealed that, at several venues where it managed or operated Wi-Fi systems, it automatically transmitted deauthentication frames to prevent Wi-Fi users whose devices produced a received signal strength above a preset power level at Smart City access points from establishing or maintaining a Wi-Fi network independent of Smart City's network.
  8. Mike Masnick (October 3, 2014), "FCC Fines Marriott For Jamming Customers' WiFi Hotspots To Push Them Onto Hotel's $1,000 Per Device WiFi", Tech Dirt
  9. Thomas Claburn (October 4, 2014), "Marriott Pays $600,000 For Jamming WiFi Hotspots", Information Week
  10. Deauthentication, Aircrack-ng
  11. Declan McCullagh (March 10, 2012), Five ways to protect yourself from Wi-Fi honeypots, CNet
  12. Darren Kitchen (January 14, 2015), "WiFi Deauth Attacks, Downloading YouTube, Quadcopters and Capacitors", Hak5, episode 1722

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.