Wednesday, October 30, 2013

WIRELESS JAMMING !!

What is jamming?

Jamming is any attack to deny service to legitimate users by generating noise or fake protocol packets or legitimate packets but with spurious timing. A particular class of Denial of Service (DoS) attacks is also considered as jamming. The most trivial way of disrupting a wireless network is by generating a continuous high power noise across the entire bandwidth near the transmitting and/or receiving nodes. The device that generates such a noise is called a Jammer and the process is called Jamming
However, jamming can be made more energy efficient and less detectable if the jammer operates using knowledge of the protocol. Jammers which jam the network with the knowledge of the protocol, are termed as protocol aware jammers
The Wireless Signal Jammer Device can be used to temporarily stop transmission, temporarily short out or turn off the power during the usage of units. These include Radios, Televisions, Microwaves, or any unit that receives electrical signals for operation.

Is Wireless network secured enough from Jamming?

NO

Since the ratification of the IEEE 802.11i in 2004, organisations have been able to improve security on their wireless networks by making use of CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code protocol). CCMP uses AES (Advanced Encryption Standard) as opposed to the RC4 streaming cipher found in implementations of WEP (Wired Equivalent Privacy) and TKIP (Temporal Key Integrity Protocol). However, the protection offered by 802.11i applies only to data frames and does not provide any protection over the management frames.

Why am i talking about "Management Frames" ?

It is these management frames that are insecure and can lead to DoS attacks against an organisation’s wireless network. Unencrypted management frames can disclose important pieces of information to an attacker, including details about the type of wireless equipment in use on the wireless network and configuration settings.

What are Management Frames?

802.11 management frames enable stations to establish and maintain communications. Management packets are used to support authentication, association, and synchronization.

Layer 2 DoS (Jamming using Layer 2 [protocol aware jamming] )

On an 802.11 network, an attacker can transmit packets using a spoofed source MAC address of an access point. The recipient of these spoofed frames has no way of telling if they are legitimate or illegitimate requests and will process them. The ability to transmit spoofed management frames allows MAC layer DoS attacks to take place. 

Two such MAC layer attacks are :
Authentication/Association flood attack : During the authentication/association flood attack, an attacker uses spoofed source MAC addresses that attempt to authenticate and associate to a target access point. The attacker repeatedly makes authentication/association requests, eventually exhausting the memory and processing capacity of the access point leaving clients with little or no connection to the wireless network.
Authentication Packet : Authentication packets are sent back and forth between the station requesting authentication and the station to which it is attempting to assert its authentic identity. The number of packets exchanged depends on the authentication method employed. Information relating to the particular scheme is carried in the body of the Authentication packet.

The aireplay-ng source-code defining the Authentication request [Line no. 88 (aireplay-ng.c)]

#define AUTH_REQ \ "\xB0\x00\x3A\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \ "\xBB\xBB\xBB\xBB\xBB\xBB\xB0\x00\x00\x00\x01\x00\x00\x00"

Function(aireplay-ng.c) : do_attack_fake_auth()

Sample code for "-1" option in aireplay-ng

        else if(i==1) //attack -1 (open)
            {
                memcpy( h80211, AUTH_REQ, 30 ); //Authentication request data
                memcpy( h80211 +  4, opt.f_dmac, 6 );
                memcpy( h80211 + 10, opt.f_smac , 6 );
                memcpy( h80211 + 16, opt.f_bssid, 6 );
                opt.f_iswep = 0;
                opt.f_tods = 0; opt.f_fromds = 0; // Not Leaving DS
                opt.f_minlen = opt.f_maxlen = 30;
            }


Tools : Void11,mdk3,aireplay-ng etc..

Deauthentication/Disassociation flood attacks : In a deauthentication/disassociation flood attack, an attacker transmits spoofed frames with the source address of the access point. When the recipient receives the frames, they will disconnect from the network and attempt to reconnect. If the attack is sustained, the clients will be unable to maintain a connection to the wireless network. The deauthentication/disassociation flood attack targets one or all users on a specific BSSID (MAC address of the access point).
Deauthentication Packet : This packet is an announcement stating that the receiver is no longer authenticated. It is a one-way communication from the authenticating station (a BSS or functional equivalent), and must be accepted. It takes effect immediately.

The aireplay-ng source-code defining the Deauthentication request [Line no. 84 (aireplay-ng.c)]

#define DEAUTH_REQ      \
"\xC0\x00\x3A\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB" \
"\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00"

Function(aireplay-ng.c) : do_attack_deauth()

Sample code for "-0" option in aireplay-ng


if(i==0) //attack -0
           {
               memcpy( h80211, DEAUTH_REQ, 26 ); // Deauthentication data
               memcpy( h80211 + 16, opt.f_bssid, 6 ); 
               memcpy( h80211 +  4, opt.f_dmac,  6 ); 
               memcpy( h80211 + 10, opt.f_smac, 6 ); 

               opt.f_iswep = 0;
               opt.f_tods = 0; opt.f_fromds = 0; // Not Leaving DS
               opt.f_minlen = opt.f_maxlen = 26; 
           }


Tools : file2air, mdk3, aireplay-ng etc..

Layer 1 DoS (jamming using Layer 1 [RF Noise Jamming] )

A physical layer attack on a wired network ideally requires the attacker to be inside or very close to the target wireless network. Any network that relies on a shared medium is subject to DoS attacks from other devices sharing the same medium. When one device saturates the medium, other clients will find it difficult to communicate. 
An attacker using a laptop equipped with a high output wireless client card and a high gain antenna can launch a physical medium attack on an organisation’s wireless network by generating enough RF noise to reduce the signal-to-noise ratio to an unusable level by saturating the 802.11 frequency bands. The jamming device could also be a custom built transmitter. For example, a Power Signal Generator (PSG) that is used to test antennas, cables and connectors for wireless devices can be turned into a wireless jamming device, when connected to a high gain antenna. 

No comments:

Post a Comment