Denial of Service Hijacking

Due to the nature of RF, denial of service (DoS) can occur at several layers of the wireless protocol. RF jamming is a type of DoS that occurs when an RF source sends a more powerful RF signal that drowns out the wireless signals from other sources. The purpose is to overwhelm these wireless devices, thus causing a loss in data connectivity and communications. Jamming of this nature is very difficult to prevent because it is done in a brute-force manner without any regard as to protocol considerations; if enough noise is generated, nothing will get through. However, this kind of attack is easily detected as you will experience a total loss of network connectivity in the area under attack. Executing a RF jamming attack itself is not difficult. All that is required is a high-powered RF emission source (1 watt and up). Dedicated devices exist that do this, e.g., http://www .spymodex.com/video02.htm.

Protocol DoS or layer 2 DoS attacks come in the form of management and control frames that are being transmitted to create a loss in communication between clients and APs. These exploit the fact that the origin of management and control frames are not validated by the client. For instance, when a wireless client receives a deauthentication frame that looks like it is coming from the AP it is connected to, it will think it has lost its connectivity to the AP and will attempt to reassociate with the AP again via normal protocol negotiations. A continual flood of deauthentication frames received by the wireless client will result in the card obeying its operational parameters and deauthenticating itself before trying to reassociate. Tools like WLAN-Jack (http:// sourceforge.net/projects/airjack) as well as Aireplay-ng can be used to send a stream of deauthentication frames.

Another DoS condition can occur when you flood the association table of the AP with many fake clients, thus preventing legitimate clients from associating with the AP. Tools like File2air (http://802.11ninja.net/code/file2air-1.0RC1.tgz) and Void11 (http://www.wkec .net/void11) are able to inject fake association packets. Pedro Larbig's MDK2 and MDK3 tools (http://homepages.tu-darmstadt.de/~p_larbig/wlan) also provide a host of attacks, including beacon flooding, fake client loading, and MIC (for WPA) attacks.

Hijacking an AP and causing a wireless client to connect to the fake AP as opposed to the genuine AP is another mode of DoS. Typically termed Evil Twin (we refer to it as ph00ling when a complete spoofed SSG portal is set up in conjunction with the fake AP), this form of MITM attack fools the wireless client into connecting to it instead of the genuine AP so as to steal login credentials, personal, and/or credit card information from the user. Though you can use tools like Airsnarf to do this, it can also be done manually by setting the WNIC in master mode, configuring a HTTPD server to serve pages matching the captive portal of the spoofed service, and establishing a DHCPD and DNS server so the victim receives the IP address you choose to give him or her and resolves all DNS requests back to the attacker's ph00ling box. Another variation of this attack comes in the form of an AP acting as a wireless distribution system (WDS) to a legitimate AP; it broadcasts itself as the legitimate AP and passes on all of the client's data onto the real AP via WDS methods, but not before making a copy of the data received and sent onward.

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook


Post a comment