De-Authentication and Dis-Association attacks

Time for action – De-Authenticating the client

Follow the instructions to get started:

1. Let us first bring our access point Wireless Lab online again. Let us keep it running on WEP to prove that even with encryption enabled it is possible to attack the access point and client connection. Let us verify that the access point is up by using airodump-ng:
   
   
2. Let us connect our client to this access point as we verify it with airodump-ng:
   
   
3. We will now run aireplay-ng to target the client and access point connection:
   
   
4. The client gets disconnected and tries to reconnect to the access point, we can verify this by using Wireshark just as before:
   
   
5. We have now seen that even in the presence of WEP encryption, it is possible to De-Authenticate a client and disconnect it. The same is valid even in the presence of WPA/WPA2. Let us now set our access point to WPA encryption and verify the same.
   
   
6. Let's connect our client to the access point and ensure it is connected:
   
   
7. Let us now run aireplay-ng to disconnect the client from the access point:
   
   
8. Using Wireshark we can once again verify that this works as well:
   
   

What just happened?

We just learnt how to disconnect a wireless client selectively from an access point using De- Authentication frames even in the presence of encryption schemas like WEP/WPA/WPA2. This was done by sending a De-Authentication packet to just the access point - client pair, instead of sending a broadcast De-Authentication to the entire network.

Have a go hero – Dis-Association attack on the client

In the preceding exercise, we used a De-Authentication attack to break the connection. Try using a Dis-Association packet to break the established connection between a client and an access point.

Hirte attack

More information on the Hirte attack is available on the AIRCRACK-NG website: http:// www.aircrack-ng.org/doku.php?id=hirte .
We will now use aircrack-ng to conduct the Hirte attack on the same client.

Time for action – cracking WEP with the Hirte attack

1. Create a WEP access point exactly as in the Caffe Latte attack using the airbase-ng tool. The only additional option is the -N option instead of the -L option to launch the Hirte attack:
   
   
2. Start airodump-ng in a separate window to capture packets for the Wireless Lab Honeypot:
   
   
3. Airodump-ng will now start monitoring this network and storing the packets in Hirte-01.cap file.
   
   
4. Once the roaming client connects to out Honeypot AP, the Hirte attack is automatically launched by airbase-ng:
   
   
5. We start aircrack-ng as in the case of the Caffe Latte attack and eventually the key would be cracked as shown next:
   
   

What just happened?

We launched the Hirte attack against a WEP client which was isolated and away from the authorized network. We cracked the key exactly as in the Caffe Latte attack case.

Have a go hero – practice, practice, practice

We would recommend setting different WEP keys on the client and trying this exercise a couple of times to gain confidence. You may notice many times that you have to reconnect the client to get it to work.

AP-less WPA-Personal cracking

The million dollar questions is—would it be possible to crack WPA-Personal with just the client? No access point!
Let's revisit the WPA cracking exercise to jog our memory.

To crack WPA, we need the following four parameters from the Four-Way Handshake— Authenticator Nounce, Supplicant Nounce, Authenticator MAC, Supplicant MAC. Now the interesting thing is that we do not need all of the four packets in the handshake to extract this information. We can get this information with either all four packets, or packet 1 and 2, or just packet 2 and 3.
In order to crack WPA-PSK, we will bring up a WPA-PSK Honeypot and when the client connects to us, only Message 1 and Message 2 will come through. As we do not know the passphrase, we cannot send Message 3. However, Message 1 and Message 2 contain all the information required to begin the key cracking process.

1. We will setup a WPA-PSK Honeypot with the ESSID Wireless Lab. The -z 2 option creates a WPA-PSK access point which uses TKIP:
   
   
2. Let's also start airodump-ng to capture packets from this network:
   
   
3. Now when our roaming client connects to this access point, it starts the handshake but fails to complete it after Message 2 as discussed previously:
   
   
4. But airodump-ng reports that the handshake has been captured:
   
   
5. We run the airodump-ng capture file through aircrack-ng with the same dictionary file as before, eventually the passphrase is cracked as shown next:
   
   

What just happened?

We were able to crack the WPA key with just the client. This was possible because even with just the first two packets, we have all the information required to launch a dictionary attack on the handshake.

Have a go hero – AP-less WPA cracking

We would recommend setting different WEP keys on the client and trying this exercise a couple of times to gain confidence. You may notice many times that you have to reconnect the client to get it to work.

Summary

In this article, we have learned that even the wireless client is susceptible to attacks. These include the following— Honeypot and other Mis-Association attacks, Caffe Latte attack to retrieve the key from the wireless client, De-Authentication and Dis-Association attacks causing a Denial of Service, Hirte attack as an alternative to retrieving the WEP key from a roaming client, and finally cracking the WPA-Personal passphrase with just the client.

Posted in: BackTrack