QUOTE
I heard of vulnerabilities in WEP that let you take down a wireless network using just one computer with a wireless card. I would very much like to know how this is done. I never saw any code for this, but lots and lots of articles on it. Anyone that has some, can they please upload it (I would prefer source rather than compiled, but I trust the users here so I don't mind compiled). Thanks a lot, all.
Thought I could answer it and post it here.
First off, any kid walking down the street with a 2.4 GHz jammer can bring down your network easily. WEP or not, it could happen.
That is the inherent risk with wireless.
Now the question is probably referring to a standard computer with a wireless card and how it could bring down a network. You're likely referring to a deauth flood.
One of the biggest problems with WEP and the 802.11 standard was that someone decided that with WEP, management frames are not to be encrypted. What does this mean?
Well, management frames you can think of as the wireless extension to your Ethernet network. After all, wireless networks do emulate Ethernet for the most part.
So what are management frames?
Probe request, that's a popular one. NetStumbler uses that one all the time.
Probe response - should be self-explanatory, means: "Hey, I'm running a Linksys router with no WEP (hack me)"
How about these
Authenticate
Associate
Authenticate and associate with a wireless router... sounds good.
We couldn't possibly need to encrypt these. No reason to, right?
What about the other side?
De-authenticate
De-associate
Well sure, the router says de-authenticate or de-associate with this SSID, sure, no problem there... or is there?
What if I had the ability to construct my own management frames??
What if I could spoof my identity as the router??
What if...
I said,
Spoof MAC, construct de-authenticate, de-assoc packet, send to Victim A.
Well, Victim A would be immediately disconnected. See where this is going?
Would WEP save you now? No, management frames aren't encrypted, remember?
Well ok, that's only one guy at a time.
Use your imagination...
Spoof MAC, construct de-authenticate, de-assoc packet, send to BROADCAST address.
Bam, now you have the entire network disconnected. Any client within range of you is immediately disconnected. Now we just need to flood the air with these broadcast de-authenticate/assoc frames and we've brought a wifi network to its knees.
That, my friends, is called a deauth flood.
What can you do to stop it? Nothing... you can detect them, however.
Kismet is the greatest wireless detector ever
see what it finds here
http://www.kismetwireless.net/documentation.shtml
QUOTE
Kismet will provide alerts based on fingerprints (specific netstumbler
versions, other specific attacks) and trends (unusual probes, excessive
disassociation, etc). Kismet focuses on the 802.11 (layer 2) network
layer, and provides integration via named pipes with layer3+ IDS systems
such as Snort.
Alerts are primarily meant to be used in a stationary IDS situation. Some
are potentially useful in a mobile/wardriving setup, but others may
generate false or useless information.
Alert name: NETSTUMBLER
Alert type: Fingerprint
Alert on: Netstumbler probe requests
Alert message: "Netstumbler ($version) probe detected from ($macsource)"
Tool-specific: Yes (Netstumbler 3.22, 3.23, 3.30)
References: http://www.netstumber.com
Details: In an attempt to disclose the SSID of a network,
Netstumbler sends out unique packets. This is not done
in all situations, but when it is detected the potential
for false positives is very low.
Alert name: DEAUTHFLOOD
Alert type: Trend
Alert on: Deauthenticate/Disassociate Flood
Alert message: "Deassociate/Deauthenticate flood on $targetbssid"
Tool-specific: No
References: http://802.11ninja.net
http://home.jwu.edu/jwright/papers/l2-wlan-ids.pdf
Details: By spoofing disassociate or deauthenticate packets,
arbitrary (or all) clients can be disconnected from a
network. This attack lasts only as long as the attacker
maintains the flood.
Alert name: LUCENTTEST
Alert type: Fingerprint
Alert on: Lucent link test
Alert message: "Lucent link test detected from $sourcemac"
Tool-specific: Yes (Lucent/Orinoco site survey software)
References: http://www.agere.com/wlan/customercare/ (requires login)
Details: Lucent/Orinoco/Proxim/Agere provide site survey
software. This rule will generate an alert when it is
in use.
Alert name: WELLENREITER
Alert type: Fingerprint
Alert on: Wellenreiter SSID brute force attempt
Alert message: "Wellenreiter probe detected from $sourcemac"
Tool-specific: Yes (Wellenreiter 1.5, 1.6)
References: http://home.jwu.edu/jwright/papers/l2-wlan-ids.pdf
http://home.jwu.edu/jwright/papers/wlan-mac-spoof.pdf
Details: Wellenreiter attempts to use a dictionary to brute-force
a hidden SSID. Between each probe attempt it resets the
card to probe for 'this_is_used_for_wellenreiter'.
Alert name: CHANCHANGE
Alert type: Trend
Alert on: Previously detected AP changing to a new channel
Alert message: "Beacon on $bssid ($ssid) for channel $newchannel,
previously detected on $oldchannel"
Tool-specific: No
Details: Man-in-the-middle attacks attempt to direct users to a
fake AP on another channel. If Kismet sees an AP
change to a new channel, this is often suspicious
behavior.
Alert name: BCASTDISCON
Alert type: Fingerprint
Alert on: Broadcast disconnect/deauthenticate
Alert message: "Broadcast [disassociation|deauthentication] on $bssid"
Tool-specific: No
Details: Many attacks use a broadcast disassociate or
deauthenticate to disconnect all users on a network,
either to redirect them to a new fake network or to
cause a denial of service or disclose a cloaked SSID.
Broadcast disassociations are rarely, if ever, legitimate.
Alert name: AIRJACKSSID
Alert type: Fingerprint
Alert on: SSID of 'airjack'
Alert message: "Beacon for SSID 'airjack' from $sourcemac"
Tool-specific: Yes (airjack)
References: http://802.11ninja.net/airjack/
Details: The AirJack tools set the initial SSID to 'airjack'.
Alert name: PROBENOJOIN
Alert type: Trend
Alert on: Clients probing for networks, being accepted by that
network, and continuing to probe for networks.
Alert message: "Suspicious client $sourcemac - probing networks but
never joining."
Tool-specific: No
Details: 'Active' or 'Firmware' network scanning tools work by
letting the card probe for any network and recording
those that respond. These tools include NetStumbler,
PocketStumbler, and many others.
Kismet raises this alert when a client is seen to be
probing for networks but never joins any of the networks
which respond.
False positives are possible in noisy/lossy situations,
disabling this alert may be desirable in some
installations.
Alert name: DISASSOCTRAFFIC
Alert type: Trend
Alert on: Traffic from a source within 10 seconds of a
disassociation
Alert message: "Suspicious traffic on $sourcemac: Data traffic within
10 seconds of a disassociate."
Tool-specific: No
References: "802.11 Denial-of-Service Attacks: Real Vulnerabilities
and Practical Solutions"
Details: As discussed in the above research paper by Bellardo, J.
and Savage, S., a host which legitimately disassociates
or deauthenticates from a network should not be
exchanging data immediately thereafter. Any client which
DOES exchange data within 10 seconds of disassociating
from the network should be considered a likely victim of
a disassociate attack.
Alert name: NOPROBERESP
Alert type: Fingerprint
Alert on: Probe response packet with 0-length SSID tagged parameter
Alert message: "Probe response with 0-length SSID detected from
$sourcemac"
Tool-specific: No
Details: Many firmware versions from different manufacturers
have a fatal error when they receive a probe response
with a 0-length SSID tagged parameter.
I thought this post deserved an answer at least.
And for proof of concept, I think AirJack for Linux does this;
search for 802.11 ninja, I believe.
Yeah, all the good wireless apps are for Linux, aren't they...
Hooray, 50th post!!!
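The frames the post describes an attacker spoofing, and the DEAUTHFLOOD, BCASTDISCON and DISASSOCTRAFFIC rules in the quoted Kismet documentation, as one worked example. This is an added illustration, not code from the original post and not Kismet's own implementation: it builds 802.11 deauthentication and data frames in memory from the standard 24-byte header layout (nothing is transmitted), then runs a small sliding-window detector over a constructed capture. The BSSID, the client MAC, the timings, and the thresholds (10 disconnects within one second for a flood, a 10 second post-disconnect window) are assumptions for the illustration.

```python
"""
Layer-2 802.11 detector modelled on the Kismet alerts quoted above.
Added example: frames are built in memory from the public 802.11 header
layout and never transmitted; MAC addresses and timings are constructed.
"""
import struct
from collections import defaultdict, deque

BROADCAST = bytes([0xFF] * 6)
TYPE_MGMT, TYPE_DATA = 0, 2
SUB_DISASSOC, SUB_DEAUTH = 0x0A, 0x0C          # 802.11 management subtypes
HDR = "<BBH6s6s6sH"                            # FC, flags, duration, addr1..3, seq ctl (24 bytes)

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def fmt(addr):
    return ":".join(f"{b:02x}" for b in addr)

def build_disconnect(subtype, dst, src, bssid, seq, reason=7):
    """Deauth (0x0C) or disassoc (0x0A): plain header plus a 2-byte reason code, no crypto at all."""
    fc = (subtype << 4) | (TYPE_MGMT << 2)
    return struct.pack(HDR, fc, 0x00, 0, dst, src, bssid, seq << 4) + struct.pack("<H", reason)

def build_data(station, bssid, seq, payload=b"\xaa\xaa\x03"):
    """Client-to-AP data frame (ToDS=1): addr1 = BSSID, addr2 = source station, addr3 = destination."""
    fc = TYPE_DATA << 2
    return struct.pack(HDR, fc, 0x01, 0, bssid, station, bssid, seq << 4) + payload

def parse(frame):
    fc, flags, _dur, a1, a2, a3, _seq = struct.unpack_from(HDR, frame)
    return {"type": (fc >> 2) & 0x3, "subtype": fc >> 4,
            "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
            "addr1": a1, "addr2": a2, "addr3": a3, "body": frame[struct.calcsize(HDR):]}

class Layer2IDS:
    """Raises BCASTDISCON, DEAUTHFLOOD and DISASSOCTRAFFIC in the spirit of the Kismet rules."""

    def __init__(self, flood_threshold=10, flood_window=1.0, traffic_window=10.0):
        self.flood_threshold, self.flood_window = flood_threshold, flood_window
        self.traffic_window = traffic_window
        self.disconnects = defaultdict(deque)   # bssid -> timestamps of recent deauth/disassoc frames
        self.clients = defaultdict(set)         # bssid -> stations seen exchanging data
        self.kicked = {}                        # (bssid, station) -> time it was last disconnected
        self.flooding = set()                   # bssids currently above the flood threshold
        self.alerts = []

    def feed(self, ts, frame):
        """Process one frame with its capture timestamp; returns the alerts it raised."""
        f, before = parse(frame), len(self.alerts)
        if f["type"] == TYPE_MGMT and f["subtype"] in (SUB_DISASSOC, SUB_DEAUTH):
            self._disconnect(ts, f)
        elif f["type"] == TYPE_DATA:
            self._data(ts, f)
        return self.alerts[before:]

    def _disconnect(self, ts, f):
        bssid = f["addr3"]
        kind = "deauthentication" if f["subtype"] == SUB_DEAUTH else "disassociation"
        if f["addr1"] == BROADCAST:             # fingerprint: broadcast disconnects are rarely legitimate
            self.alerts.append(("BCASTDISCON", f"Broadcast {kind} on {fmt(bssid)}"))
            targets = set(self.clients[bssid])  # every client we know of is now off the air
        else:
            targets = {f["addr1"]}
        for station in targets:
            self.kicked[(bssid, station)] = ts
        recent = self.disconnects[bssid]        # trend: sliding window of disconnects per BSSID
        recent.append(ts)
        while recent and ts - recent[0] >= self.flood_window:
            recent.popleft()
        if len(recent) >= self.flood_threshold:
            if bssid not in self.flooding:      # alert once per flood, not once per frame
                self.flooding.add(bssid)
                self.alerts.append(("DEAUTHFLOOD", f"Deassociate/Deauthenticate flood on {fmt(bssid)}"))
        else:
            self.flooding.discard(bssid)

    def _data(self, ts, f):
        station, bssid = (f["addr2"], f["addr1"]) if f["to_ds"] else (f["addr1"], f["addr2"])
        self.clients[bssid].add(station)
        t0 = self.kicked.pop((bssid, station), None)
        if t0 is not None and ts - t0 <= self.traffic_window:   # a client that really left stays quiet
            self.alerts.append(("DISASSOCTRAFFIC", f"Suspicious traffic on {fmt(station)}: "
                                f"data {ts - t0:.2f}s after a disconnect from {fmt(bssid)}"))

AP = mac("00:11:22:33:44:55")        # constructed BSSID
VICTIM = mac("66:77:88:99:aa:bb")    # constructed client

def run_scenario():
    """Replay a constructed capture: normal data, a spoofed unicast deauth, then a broadcast flood."""
    capture = [(0.5, build_data(VICTIM, AP, seq=1)),                              # victim talks normally
               (1.0, build_disconnect(SUB_DEAUTH, VICTIM, AP, AP, seq=2)),         # "AP" (spoofed) kicks victim
               (1.2, build_data(VICTIM, AP, seq=2))]                              # victim keeps sending
    capture += [(2.0 + i / 100, build_disconnect(SUB_DEAUTH, BROADCAST, AP, AP, seq=10 + i))
                for i in range(20)]                                               # 100 frames/s to broadcast
    capture += [(3.0, build_data(VICTIM, AP, seq=3)),                             # back within 10 s: alert
                (20.0, build_data(VICTIM, AP, seq=4))]                            # long after: no alert
    ids = Layer2IDS()
    for ts, frame in capture:
        ids.feed(ts, frame)
    return ids.alerts

if __name__ == "__main__":
    for name, msg in run_scenario():
        print(f"{name}: {msg}")
```

The point the detector makes is the one the post makes: the spoofed frame is byte-for-byte what a real AP would send, carrying the AP's own address and no integrity check, so there is nothing in the frame itself to reject. What can be caught is behaviour: a deauth addressed to ff:ff:ff:ff:ff:ff, a rate of disconnects no AP would produce on its own, and a station that was supposedly told to leave but keeps exchanging data. On a live capture the frames would come from a monitor-mode interface with the radiotap header stripped off before `feed` is called.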