Bypassing Shared Key Authentication is a bit more challenging than the previous exercises, so follow the steps carefully.

Start airodump-ng using the command airodump-ng mon0 -c 11 --bssid 00:21:91:D2:8E:25 -w keystream. The -w option, which is new here, requests airodump-ng to store the packets in a file whose name is prefixed with the word "keystream". On a side note, it is a good idea to store different sessions of packet captures in different files; this allows you to analyze them long after the trace has been collected.

airodump-ng will capture the shared key authentication exchange automatically by sniffing the air. An indication that the capture has succeeded is when the AUTH column reads SKA, that is, Shared Key Authentication, as shown next:

The captured keystream is stored in a file prefixed with the word keystream in the current directory. In my case the name of the file is keystream-01-00-21-91-D2-8E-25.xor, as shown next:

To fake a shared key authentication we use the aireplay-ng tool. We run the command aireplay-ng -1 0 -e "Wireless Lab" -y keystream-01-00-21-91-D2-8E-25.xor -a 00:21:91:D2:8E:25 -h aa:aa:aa:aa:aa:aa mon0 (the SSID is quoted because it contains a space). aireplay-ng uses the keystream we retrieved in step 5 and tries to authenticate with the access point with SSID Wireless Lab and MAC address 00:21:91:D2:8E:25, using an arbitrary client MAC address aa:aa:aa:aa:aa:aa.

Fire up Wireshark and sniff all packets of interest by applying the filter wlan.addr == aa:aa:aa:aa:aa:aa:

aireplay-ng lets us know whether the authentication succeeded or not in its output:

The exchange between the aireplay-ng tool and the access point can be followed in Wireshark. Because aireplay-ng used the derived keystream for encryption, the authentication succeeds and the access point sends a success message in the fourth packet:

We were successful in deriving the keystream from a shared authentication exchange, and we used it to fake an authentication to the access point.
Access points have a maximum client count, after which they start refusing connections. By writing a simple wrapper over aireplay-ng, it is possible to automate and send hundreds of connection requests from random MAC addresses to the access point. This would end up filling the internal tables, and once the maximum client count is reached the access point would stop accepting new connections. This is typically what is called a Denial of Service (DoS) attack and can force the router to reboot or render it dysfunctional. This could disconnect all the wireless clients and leave them unable to use the authorized network.
Check if you can verify this in your lab!
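As an added example (not from the original text or the aircrack-ng project), here is defender-side detection logic in Python that runs over a constructed list of 802.11 authentication-frame summaries, the kind of records the wlan.addr filter above shows in Wireshark. It flags access points that still complete Shared Key Authentication exchanges (the keystream-leaking risk this exercise exploits) and flags the flood of authentication requests from many distinct client MAC addresses described in the paragraph above. The frame records, the 02:00:00:00:00:xx addresses and the window and threshold values are assumptions.

```python
from collections import defaultdict

# Constructed sample of 802.11 authentication frames (made-up values, not a
# capture from the original page), loosely modelled on the fields Wireshark
# shows for authentication frames: (time_s, source, bssid, algorithm, seq_num).
# algorithm 0 = Open System, 1 = Shared Key; seq_num = authentication sequence.
SAMPLE_AUTH_FRAMES = [
    # one complete four-frame Shared Key exchange by the spoofed client
    (0.00, "aa:aa:aa:aa:aa:aa", "00:21:91:D2:8E:25", 1, 1),
    (0.01, "00:21:91:D2:8E:25", "00:21:91:D2:8E:25", 1, 2),
    (0.02, "aa:aa:aa:aa:aa:aa", "00:21:91:D2:8E:25", 1, 3),
    (0.03, "00:21:91:D2:8E:25", "00:21:91:D2:8E:25", 1, 4),
] + [
    # 25 requests from distinct (assumed, made-up) MACs within half a second
    (1.0 + i * 0.02, f"02:00:00:00:00:{i:02x}", "00:21:91:D2:8E:25", 1, 1)
    for i in range(25)
]

def shared_key_aps(frames):
    """BSSIDs observed completing a Shared Key exchange (algorithm 1, seq 1..4).
    An AP that still answers SKA challenges is the audit finding: the exchange
    leaks keystream, so SKA is weaker than Open System authentication."""
    seqs_by_bssid = defaultdict(set)
    for _, _, bssid, alg, seq in frames:
        if alg == 1:
            seqs_by_bssid[bssid].add(seq)
    return sorted(b for b, s in seqs_by_bssid.items() if s >= {1, 2, 3, 4})

def auth_flood(frames, window_s=5.0, threshold=20):
    """Map each BSSID to the largest number of distinct stations that sent an
    authentication request (seq 1) to it inside any window of `window_s`
    seconds, keeping only BSSIDs where that number exceeds `threshold`."""
    requests = defaultdict(list)
    for t, src, bssid, _, seq in frames:
        if seq == 1 and src != bssid:  # skip the AP's own reply frames
            requests[bssid].append((t, src))
    alerts = {}
    for bssid, events in requests.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            stations = {s for t, s in events[i:] if t - t0 <= window_s}
            if len(stations) > threshold:
                alerts[bssid] = max(alerts.get(bssid, 0), len(stations))
    return alerts

if __name__ == "__main__":
    print("APs completing Shared Key Authentication:", shared_key_aps(SAMPLE_AUTH_FRAMES))
    print("Authentication floods (bssid -> distinct stations):", auth_flood(SAMPLE_AUTH_FRAMES))
```

On a real trace you would fill the record list from a Wireshark or tshark export of authentication frames; the thresholds should be tuned to the normal client churn of the network being monitored.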
a. Sending a Deauthentication packet
b. Rebooting the client
c. Rebooting the access point
d. All of the above
a. Provides decent security
b. No security
c. Requires use of encryption
d. None of the above
a. Deriving the keystream from the packets
b. Deriving the encryption key
c. Sending Deauthentication packets to the access point
d. Rebooting the access point