The Metasploit deauthentication flood attack

In a wired network, disconnecting from the network typically requires unplugging the Ethernet cable from the machine. In a wireless network, a deauthentication frame serves the same purpose. Wireless clients send a deauthentication frame to the access point when they wish to leave the network, and access points can also send deauthentication frames to disconnect a wireless client from the network. Under normal conditions this happens when the access point is rebooting, when the client has hit an inactivity timeout, or when the AP is unable to handle all the currently connected stations. The goal of the deauthentication flood attack is to spoof deauthentication frames and disconnect the clients connected to access points, thus denying access to legitimate wireless clients on the network. The attacker crafts deauthentication frames with the required parameters and sends them to the target network. Since deauthentication frames cannot be authenticated or verified for authenticity, the wireless clients and access point accept them and disconnect from the network.

In the next section, we will perform the deauthentication flood attack using the Metasploit framework.

Identifying the target access points

In this attack, we scan for in-range access points and perform a DoS attack against the wireless clients connected to them. By sending spoofed deauthentication frames, the attacker tries to forcefully drop the connection between the wireless clients and the target access point. The attack can target as few as one wireless client associated with the target access point, or it can disconnect all clients from a target AP. Here, we find wireless clients and access points by putting our interface into monitor mode, obtaining the MAC addresses of a target client and access point, and supplying them to the Metasploit module.

This attack can also be performed to disconnect all clients connected to an access point by using the broadcast MAC address in the deauthentication packets. Follow these steps to perform a deauthentication flood attack on a wireless network:

  1. Set up the wireless card for scanning, bring the card up, and create a monitor mode interface on the wireless card. Run the following commands to accomplish the task:
    #ifconfig wlan0 up
    #airmon-ng start wlan0
    
  2. Perform the scanning to determine the access points in our range:
    #airodump-ng mon0
    
    [Screenshot: Identifying the target access points]

    The output from airodump-ng shows that the wireless client with the MAC address cc:b2:55:ff:2e:1c is connected to the access point Seclab with the MAC address 90:94:e4:c8:04:e8. To perform a Denial of Service attack on the target network, we can send deauthentication frames to the access point and the wireless client from Metasploit. As was the case in the previous example that leveraged the Metasploit framework, we need to install lorcon2 beforehand in order to enable packet injection.

    [Screenshot: Identifying the target access points]

    Though this would not be necessary in a live fire exercise, if you want to see the effects of this attack in the lab, you can log in to a wireless client you designate as the victim of this attack and connect to the Seclab network.

  3. Start pinging the access point with the -t option to ping continuously. From the following output, it is clear that you are able to reach the access point without any packet loss:
    [Screenshot: Identifying the target access points]

The following screenshot shows that the wireless client is connected to an access point and is experiencing stable network connectivity:

[Screenshot: Identifying the target access points]

Attacking the wireless client and AP using Metasploit

Now, go to the attacker machine and start the deauthentication flood from within Metasploit:

  1. Start the Metasploit console from the attacker machine (Kali). Run the command:
    #msfconsole
    
    [Screenshot: Attacking the wireless client and AP using Metasploit]
  2. We need the following parameters to perform the deauthentication attack using Metasploit against the wireless client and access point:
    • The channel on which the target AP is operating
    • The MAC address of the access point
    • The MAC address of the wireless client

    All these parameters can be found from the airodump-ng tool output demonstrated in the previous exercise when listening for available wireless networks.

    The following msf console screenshot shows the available options and the commands required to populate the parameters for the attack:

    [Screenshot: Attacking the wireless client and AP using Metasploit]
  3. Run the following commands on the Metasploit console to set the preceding parameters:
    msf> use auxiliary/dos/wifi/deauth
    msf> set ADDR_BSS 90:94:e4:c8:04:e8
    msf> set ADDR_DST cc:b2:55:ff:2e:1c
    msf> set ADDR_SRC 90:94:e4:c8:04:e8
    msf> set CHANNEL 9
    msf> set NUM 100
    msf> run
    
    [Screenshot: Attacking the wireless client and AP using Metasploit]

ADDR_BSS specifies the MAC address of the target access point, and ADDR_DST specifies the MAC address of the destination device, which may be another router or a wireless client. We normally put the MAC address of the wireless client in the ADDR_DST field. ADDR_SRC can be the access point's MAC address, so that the frames appear to come from the AP. We then set the CHANNEL option to the channel on which the access point is operating.

The following screenshot shows the client's connectivity during the attack. The client is unable to stay connected to the access point, having to reinitialize and reauthenticate after every deauthentication frame it receives. The result is degraded wireless connectivity for the client and a Denial of Service.

[Screenshot: Attacking the wireless client and AP using Metasploit]

From the preceding figure, you can see that there are two periods of outage where the client is unable to ping the upstream router. In this example, the attack was run twice, for a few seconds each. If you were to run the module continuously for a long period of time, no wireless clients would be able to connect to the target network during the period of the attack. This can have a huge impact on the reliability and availability of the target network.
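From the defender's side, the same frame format the module spoofs is what a wireless IDS parses to spot a flood. The following added example (not from the original text, the Metasploit module, or any of its tools) decodes raw 802.11 deauthentication frames and raises an alert when a burst of them is seen for one BSSID within a sliding window; the capture it runs on is constructed inline from the MAC addresses in the walkthrough, and the threshold and window values are assumptions to tune per environment.

```python
import struct
from collections import defaultdict, deque

DEAUTH_FC = 0xC0                    # frame control byte: type 0 (management), subtype 12 (deauth)
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for a raw 802.11 deauth frame, else None."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC:
        return None                 # not a deauthentication frame (e.g. a beacon)
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    reason = struct.unpack_from("<H", frame, 24)[0]   # reason code follows the 24-byte header
    return mac_str(dst), mac_str(src), mac_str(bssid), reason

def detect_deauth_flood(frames, threshold=10, window=1.0):
    """frames: iterable of (timestamp, raw_bytes) as a monitor-mode sniffer would deliver them.
    Alerts at most once per window per BSSID when `threshold` deauths arrive within `window` seconds."""
    recent, last_alert, alerts = defaultdict(deque), {}, []
    for ts, raw in frames:
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        dst, src, bssid, reason = parsed
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and ts - last_alert.get(bssid, float("-inf")) >= window:
            last_alert[bssid] = ts
            alerts.append({"time": ts, "bssid": bssid, "src": src, "count": len(q),
                           "broadcast": dst == BROADCAST, "reason": reason})
    return alerts

def sample_frame(fc, dst, src, bssid, reason):
    """Constructed test input, not captured traffic: 24-byte 802.11 header plus 2-byte reason code."""
    hdr = bytes([fc, 0]) + b"\x00\x00" + b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    return hdr + b"\x00\x00" + struct.pack("<H", reason)

AP, CLIENT = "90:94:e4:c8:04:e8", "cc:b2:55:ff:2e:1c"   # MAC addresses from the walkthrough above

def demo():
    """Constructed capture: one benign deauth, a beacon, a 100-frame targeted flood (NUM 100 as in
    the module run above), then a 20-frame broadcast flood. Returns the alerts raised."""
    capture = [(0.0, sample_frame(DEAUTH_FC, CLIENT, AP, AP, 4)),      # reason 4: inactivity timeout
               (1.0, sample_frame(0x80, BROADCAST, AP, AP, 0))]        # beacon, ignored by the parser
    capture += [(5.0 + i * 0.01, sample_frame(DEAUTH_FC, CLIENT, AP, AP, 7)) for i in range(100)]
    capture += [(20.0 + i * 0.02, sample_frame(DEAUTH_FC, BROADCAST, AP, AP, 7)) for i in range(20)]
    return detect_deauth_flood(capture)

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

On networks that enforce 802.11w (Protected Management Frames) the receiver discards unauthenticated deauthentication frames, so a detector like this is most valuable where PMF cannot yet be required.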

The attack summary

In this attack, we identified the access point and the clients connected to it. Metasploit was used to perform a Denial of Service attack on them using spoofed deauthentication frames. The frames were flooded onto the target network to prevent legitimate client connections to the access point.
