Authentication flood attack

When a wireless client wants to join a network, it looks for an in-range access point and requests to connect. 802.11 authentication takes place before association: a client must first authenticate to the target access point (and confirm that it supports the network's parameters) before it can associate and forward traffic over that wireless network.

The original 802.11 standard defines two authentication methods:

  • Open System Authentication
  • Shared Key Authentication

In Open System authentication, the identity of the device is not verified at all: the access point accepts any wireless client that sends an authentication request, provided the client supports the network's required parameters, such as the supported data rates and the 802.11 variant in use. WPA and WPA2 networks use Open System authentication at this stage and prove knowledge of the passphrase later, in the four-way handshake; WPA3 replaces it with SAE, which runs inside the authentication frames themselves.

In Shared Key authentication, the WEP key configured on both devices is used to prove that the client knows it (the exchange does not authenticate the access point to the client). During the shared key authentication process, the access point sends a 128-byte challenge in clear text to the wireless client. The wireless client encrypts the challenge text with the shared key, using WEP's RC4 cipher, and sends the response back to the access point. The access point decrypts the response and compares it with the challenge text. If they match, the client is allowed to proceed and join the network; otherwise, it is rejected. Shared Key authentication is only defined for WEP, and it makes WEP weaker rather than stronger: anyone sniffing the exchange sees both the clear-text challenge and its encrypted form, and XORing the two yields the RC4 keystream for that IV, which is enough to answer later challenges without knowing the key.
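The following is an added example, not code from the book, that simulates the four-frame Shared Key exchange in Python with WEP's RC4 cipher and then shows the weakness just described: an eavesdropper who captures the clear-text challenge (frame 2) and the encrypted reply (frame 3) obtains the RC4 keystream for that IV and can pass authentication without the key. It uses the 802.11 status codes 0 (success) and 15 (challenge failure); the shared key, IV and helper names are this example's own assumptions.

```python
"""Added example (not from the book): 802.11 Shared Key authentication
simulated with WEP's RC4 cipher, plus the eavesdropper's keystream recovery.
The shared key, IV and challenge bytes are constructed; status codes follow
802.11: 0 = success, 15 = challenge failure."""
import os
import zlib


def rc4(key, data):
    """Textbook RC4: key-scheduling, then XOR the PRGA keystream over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext):
    """WEP: append the CRC-32 ICV, then RC4 under the per-frame key IV||key."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return rc4(iv + key, plaintext + icv)


def wep_decrypt(key, iv, ciphertext):
    """Return the plaintext, or None when the ICV does not verify."""
    data = rc4(iv + key, ciphertext)
    body, icv = data[:-4], data[-4:]
    return body if zlib.crc32(body).to_bytes(4, "little") == icv else None


class AccessPoint:
    """The AP side of the exchange (frames 2 and 4)."""

    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self):
        # Frame 2: 128-byte challenge text, sent in the clear.
        self.pending = os.urandom(128)
        return self.pending

    def verify(self, iv, ciphertext):
        # Frame 4: decrypt frame 3 with the shared key and compare.
        return 0 if wep_decrypt(self.key, iv, ciphertext) == self.pending else 15


def client_response(key, iv, challenge):
    """Frame 3: the client encrypts the challenge it received in frame 2."""
    return wep_encrypt(key, iv, challenge)


def recover_keystream(challenge, ciphertext):
    """Eavesdropper: frame 2 (plaintext) XOR frame 3 (ciphertext) gives the
    RC4 keystream for that IV, covering the challenge plus the 4-byte ICV."""
    icv = zlib.crc32(challenge).to_bytes(4, "little")
    return bytes(p ^ c for p, c in zip(challenge + icv, ciphertext))


def forge_response(keystream, challenge):
    """Answer a fresh challenge without the key by reusing the recovered
    keystream under the same IV (the sender chooses the IV)."""
    icv = zlib.crc32(challenge).to_bytes(4, "little")
    return bytes(p ^ k for p, k in zip(challenge + icv, keystream))


def run_demo(shared_key=b"\x01\x02\x03\x04\x05", iv=b"\x0a\x0b\x0c"):
    """Three attempts against one AP; returns the status code of each."""
    ap = AccessPoint(shared_key)
    # 1. Legitimate client holding the right key.
    chal = ap.challenge()
    resp = client_response(shared_key, iv, chal)
    legit = ap.verify(iv, resp)
    # 2. Client holding the wrong key: ICV check fails, status 15.
    wrong = ap.verify(iv, client_response(b"\x99" * 5, iv, ap.challenge()))
    # 3. Eavesdropper who only saw frames 2 and 3 of attempt 1.
    keystream = recover_keystream(chal, resp)
    forged = ap.verify(iv, forge_response(keystream, ap.challenge()))
    return {"legit": legit, "wrong_key": wrong, "forged_without_key": forged}


if __name__ == "__main__":
    print(run_demo())
```

The forged attempt succeeds because RC4's keystream depends only on IV||key, so one observed exchange under a given IV lets the attacker encrypt any later challenge under that same IV; this is exactly why tools that attack WEP prefer networks running Shared Key authentication.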

In this section, we will discuss authentication flood attacks, where an attacker sends a large number of authentication frames, each from a different spoofed client address, to the target access point. Every request makes the access point allocate state for a new station; with enough of them, some access points reboot or stop accepting new connections from wireless clients, thus denying access to legitimate wireless users on the network.

An attack scenario

In this example, we will use the MDK3 tool to send authentication frames to a selected access point in the target network. MDK3 is a proof-of-concept tool for exploiting weaknesses in the 802.11 protocol. The attack is divided into two parts: in the first part, we scan the air for access points, and in the second part, we use MDK3 to attack the chosen access point by sending a large number of authentication frames in a short time frame.

Scanning for access points

Network identification is the first step in this DoS attack. We will put the card into monitor mode with airmon-ng and use airodump-ng to hop across the available channels and list the wireless access points in range. Once a target access point has been identified, we perform the Denial of Service attack by flooding it with authentication frames. For the duration of the attack, legitimate wireless clients cannot connect to the access point; the network is paralyzed temporarily, which is the Denial of Service condition.

Perform the following steps:

  1. Set up the wireless card for scanning: bring the card up and create a monitor mode interface on it. Use the ifconfig utility (or ip link on systems without it) to check the status of the available interfaces. Run the following commands to bring the card up; here, we assume the wireless interface is wlan0:
    #ifconfig wlan0 up
    #airmon-ng start wlan0
    
    airmon-ng reports the name of the monitor interface it created. In the version used here it is mon0; newer aircrack-ng releases name it wlan0mon instead, and warn about processes (such as NetworkManager or wpa_supplicant) that interfere with monitor mode, which airmon-ng check kill stops. Substitute the interface name reported on your system in the commands that follow.
  2. Perform the scanning activity to determine the in-range access points. You can use any of the tools we've discussed so far; here, we use airodump-ng to scan the air:
    #airodump-ng mon0

By default, airodump-ng hops across the 2.4 GHz channels (which of channels 1 to 14 are usable depends on the regulatory domain; 5 GHz channels require the --band abg option) and lists the access points and clients visible in range. Note the BSSID (MAC address) of the access point you are interested in. In this example, we will be targeting an access point with the MAC address 90:94:e4:c8:04:e8, operating on channel 10 with the SSID Seclab.

[Screenshot: airodump-ng output listing the Seclab access point (BSSID 90:94:e4:c8:04:e8) on channel 10]

MDK3 setup for authentication flood

For the second part of the attack, we leverage MDK3 to perform a denial of service against the target access point using the authentication flood. mdk3 selects its attack with a one-letter test mode; mode a is the authentication DoS mode, which floods every access point in range unless -a restricts it to one target. Running mdk3 --help prints the modes and their options.

To perform an authentication flood attack on the access point, we need only the MAC address of the access point. In our case, it is 90:94:e4:c8:04:e8:

  1. Run the following command to perform the authentication flood attack on the access point with the MAC address 90:94:e4:c8:04:e8 via the monitor mode interface, mon0 (note that the option characters are plain ASCII hyphens):
    #mdk3 mon0 a -a 90:94:e4:c8:04:e8 -m -c
    

    The flags used in this example are as follows:

    -a: Target only the access point with this MAC address (without it, mode a floods every access point in range)
    -m: Use spoofed client MAC addresses with valid vendor OUIs as the source addresses, so the frames are not dropped for an unknown prefix
    -c: Skip mdk3's check for whether the attack succeeded
    
    Mode a also accepts -s <pps> to cap the sending rate in packets per second; by default it sends as fast as the card allows.

    [Screenshot: mdk3 running the authentication flood and reporting its current rate]

    The preceding output shows that the target access point is flooded at a speed of 870 packets per second. You can also verify the success of this attack by trying to connect to the target network from any Windows machine or smartphone.

  2. Try to connect to the Seclab network from any wireless client. If we try from a Windows machine while the authentication flood is running against the access point, we observe that the connection attempt fails.
    [Screenshot: Windows reporting that it cannot connect to Seclab]
  3. Go to the attacker machine (Kali Linux) and stop the authentication flood with Ctrl+C. Now try to connect to the SSID Seclab from the Windows machine. The connection succeeds, and clients can authenticate again.

This demonstrates the temporary nature of this attack. While the access point is busy processing authentication requests from the spoofed stations, it has no capacity left to serve legitimate clients. Once the attack is terminated, it is free to service clients once again. This is the case with the majority of 802.11 DoS attacks that abuse unauthenticated management and control frames.
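As an added example that is not part of the book, the following Python code parses raw 802.11 authentication frames and runs a simple rate-based detector for the flood described above over a constructed trace: a few real clients authenticating normally, followed by two seconds of spoofed requests at the 870 frames per second seen in the mdk3 run. The BSSID is the book's example access point; the frame builder, client MACs, timestamps and thresholds are this example's assumptions, and frames are handled without a radiotap header or FCS, as a monitor-mode capture with FCS stripped presents them.

```python
"""Added example (not from the book): a minimal parser for 802.11
Authentication frames and a rate-based authentication-flood detector,
run over a constructed trace. Frames are raw MAC frames without radiotap
header or FCS. The BSSID is the book's example AP; client MACs, timestamps
and thresholds are constructed for the example."""
import random
import struct
from collections import defaultdict

AUTH_SUBTYPE = 0x0B  # management frame (type 0), subtype 11 = Authentication


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_auth_frame(bssid, client, algorithm=0, seq=1, status=0):
    """Authentication frame: 24-byte MAC header + 6-byte fixed body.
    algorithm 0 = Open System, 1 = Shared Key; seq 1 is the client's first frame."""
    fc = struct.pack("<H", AUTH_SUBTYPE << 4)  # version 0, type 0, subtype 11, no flags
    header = (fc + struct.pack("<H", 0x013A)            # duration (constructed value)
              + mac_bytes(bssid) + mac_bytes(client)   # addr1 = DA (AP), addr2 = SA (client)
              + mac_bytes(bssid) + struct.pack("<H", 0))  # addr3 = BSSID, sequence control
    body = struct.pack("<HHH", algorithm, seq, status)
    return header + body


def parse_auth_frame(frame):
    """Return the fields of an Authentication frame, or None for anything else."""
    if len(frame) < 30:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if version != 0 or ftype != 0 or subtype != AUTH_SUBTYPE:
        return None
    algorithm, seq, status = struct.unpack_from("<HHH", frame, 24)
    return {"da": mac_str(frame[4:10]), "sa": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "algorithm": algorithm,
            "seq": seq, "status": status}


def detect_auth_flood(trace, window=1.0, max_requests=50, max_sources=20):
    """trace: iterable of (timestamp_seconds, raw_frame). Per BSSID, count the
    first authentication frames (seq 1) in each time window. Alert when one
    window carries more than max_requests requests from more than max_sources
    distinct source MACs: a real client retries a few times, while a flood
    brings hundreds of never-seen addresses."""
    counts = defaultdict(lambda: defaultdict(int))       # bssid -> window -> requests
    sources = defaultdict(lambda: defaultdict(set))      # bssid -> window -> source MACs
    for ts, frame in trace:
        f = parse_auth_frame(frame)
        if f is None or f["seq"] != 1:
            continue
        w = int(ts // window)
        counts[f["bssid"]][w] += 1
        sources[f["bssid"]][w].add(f["sa"])
    alerts = []
    for bssid, wins in counts.items():
        for w, n in sorted(wins.items()):
            distinct = len(sources[bssid][w])
            if n > max_requests and distinct > max_sources:
                alerts.append({"bssid": bssid, "window_start": w * window,
                               "requests": n, "sources": distinct})
    return alerts


def constructed_trace(bssid="90:94:e4:c8:04:e8", seed=1):
    """Constructed capture: 20 normal requests over 10 s, then a 2 s flood."""
    rng = random.Random(seed)
    trace = []
    clients = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
    for i in range(20):
        trace.append((rng.uniform(0, 10), build_auth_frame(bssid, clients[i % 3])))
    # Flood: 870 frames/s for 2 s, each from a fresh locally administered MAC.
    for i in range(1740):
        fake = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        trace.append((12.0 + i / 870.0, build_auth_frame(bssid, fake)))
    trace.sort(key=lambda entry: entry[0])
    return trace


if __name__ == "__main__":
    for alert in detect_auth_flood(constructed_trace()):
        print(alert)
```

The two-condition threshold matters: counting requests alone would also fire on a single misconfigured client that retries in a tight loop, whereas the combination of volume and many distinct source addresses is the signature of mode a, which changes the spoofed source on every frame. Feeding real captures means stripping the radiotap header first and, if the driver passes the FCS, dropping the last four bytes.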

The attack summary

As is evident from this attack, Denial of Service attacks are easily executed against a target network and can have a significant impact on the availability of the network. While learning, do not try this outside of your lab environment, and ensure you have written permission stating that DoS is in scope before conducting these attacks during a penetration test. Since this attack targets functionality fundamental to all 802.11 networks, it works regardless of the encryption or authentication in use, including WEP, WPA and WPA2. Protected Management Frames (802.11w) do not help either, because authentication frames are exchanged before any keys exist and so cannot be protected by them; WPA3's SAE is the first authentication method designed with this in mind, using anti-clogging tokens to make the access point cheap to flood with unverified requests. During the period of the attack, legitimate wireless clients are denied network access.
