Wireless Disassociation Attacks – SY0-601 CompTIA Security+ : 1.4

An encrypted wireless network may not stop all types of attacks. In this video, I’ll demonstrate a wireless disassociation attack and you’ll learn how to prevent it.



Let’s say you’re using your wireless network and it’s working exactly the way you would expect, except suddenly the wireless network disappears completely. You have no wireless connectivity. And then finally, it comes back and you can start using the wireless network again. Except then it disappears again. And it keeps coming back and disappearing over and over and over again. And because it’s on a wireless network, there’s really nothing you can do to maintain that connection to the wireless access point.

If you’re not able to communicate, then you simply aren’t able to send any information over the network. You would have to get a patch cable and physically plug in on a wired ethernet connection if you needed to regain any type of connectivity. It may be what you’re seeing as a wireless disassociation or sometimes what we call a wireless deauthentication attack. This is a denial of service attack that is specifically causing devices that are on the wireless network to suddenly not be able to communicate at all to the access point.

In order to understand how this attack works, we need to know more about the way that devices connect to a wireless network and disconnect from a wireless network. To be able to perform these functions, your mobile device has to send a number of management frames to the access point, and the access point replies back to your mobile device using these same management frames. These are conversations that all take place between the mobile device and the access point, and we as the end users never see these conversations occurring.

And these are important conversations. These management frames manage quality of service communication, they allow devices to associate to access points and disassociate themselves from the access point, and every other management function happens because these management frames are exchanged between those two endpoints.

Unfortunately, the original 802.11 standard didn’t provide any type of protection for these management frames. They are sent in the clear over the network. And there’s no way to authenticate or verify that a management frame that was received by the access point really did originate on your device. This means that an attacker could send these management frames to an access point, and cause problems with your communication.

Here’s a packet capture of an association request made over this 802.11 network. You can first see that everything in this frame is in the clear. You’re able to read through all of this. None of this is encrypted information. You’re able to see receiver address, destination address, transmitter address, and so on. And here’s the wireless management frame details that discuss the SSID parameters, the supported rates for speeds, power capabilities, and also other information that’s important when a device is trying to authenticate or associate with an access point.

Let’s try to take advantage of this vulnerability. I have my mobile device. My mobile phone is on the left side, and on the right side is a Linux device that I’m going to use to perform this disassociation attack. I pulled up the about page on my mobile device so that we can see the Wi-Fi address of this device ends in 2E:FD (two echo fox delta). That’s going to be an important Wi-Fi address to use if we want to direct this disassociation attack to just this device on the network.

The first thing I’ll do is run a utility that shows me what’s running on the network. This is airodump-ng. It shows me the BSSID, that is the access point, and all of the stations that may be communicating to that access point. And if you look closely, you can see that the Wi-Fi address on my mobile phone that ends in 2E:FD is also listed as a station address ending in 2E:FD. And you can see there were frames being sent back and forth actively while this capture was being made.

Now I’ve brought up the Wi-Fi screen on my mobile device. And I’m going to use a utility called aireplay-ng to send deauthentication frames, that’s what the -0 option does, and I’m going to send them to this specific BSSID, that’s the access point, and this specific station, which is my mobile device. When I hit Enter, watch the connected network, which is the PM network: as soon as I start sending these deauthentication frames, it disconnects itself completely from the Wi-Fi network. And now this mobile device is no longer connected.

And as long as I’m still sending these deauthentication frames, this device is not going to be able to reconnect to this wireless network. Obviously, this is a significant vulnerability. And the IEEE has already made changes to the 802.11 specification to address this specific issue. The update was made in the 802.11w update that was made available in July of 2014.
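The packet capture above showed that the 802.11 MAC header and the management frame body are plaintext, and the demonstration showed what a burst of deauthentication frames does to a client. The following is an added example, not code from the video, that ties both together from the defender's side: it decodes the management frame header fields (frame type and subtype, receiver, transmitter, BSSID, the Protected Frame bit, and the deauthentication reason code) from raw frame bytes, and then runs a simple rate-based detector over a constructed capture to flag a BSSID that sources far more deauth/disassoc frames than normal client churn would produce. All MAC addresses, timestamps and the frames themselves are constructed here; nothing is transmitted. The threshold and window are assumptions to tune for your own environment.

```python
"""Added example (not from the video): parse 802.11 management frame headers from a
constructed capture and flag deauthentication/disassociation floods per BSSID."""
import struct
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

MGMT_TYPE = 0  # frame-control "type" field value for management frames
SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
REASONS = {1: "unspecified", 3: "STA is leaving", 7: "class 3 frame from non-associated STA"}

# Constructed, locally administered addresses for the sample capture (not real devices)
AP_BSSID = "02:00:00:00:aa:01"
STATION = "02:00:00:00:2e:fd"
BROADCAST = "ff:ff:ff:ff:ff:ff"

Alert = Tuple[float, str, str, int, str]  # (timestamp, bssid, target, frames in window, reason)


@dataclass
class MgmtFrame:
    subtype: str
    receiver: str          # addr1
    transmitter: str       # addr2
    bssid: str             # addr3 (for management frames)
    protected: bool        # Protected Frame bit, set when 802.11w/PMF protects the body
    reason: Optional[int]  # reason code for deauth/disassoc, None otherwise


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def parse_mgmt(frame: bytes) -> Optional[MgmtFrame]:
    """Decode the 24-byte MAC header; every field here is plaintext even on an encrypted WLAN."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE:
        return None  # data and control frames are out of scope here
    subtype = (fc0 >> 4) & 0xF
    protected = bool(fc1 & 0x40)  # bit 6 of the flags byte
    reason = None
    if subtype in (10, 12) and not protected and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]  # body starts right after the header
    return MgmtFrame(SUBTYPES.get(subtype, f"subtype-{subtype}"),
                     _mac_str(frame[4:10]), _mac_str(frame[10:16]), _mac_str(frame[16:22]),
                     protected, reason)


def make_frame(subtype: int, receiver: str, transmitter: str, bssid: str,
               reason: Optional[int] = None, protected: bool = False) -> bytes:
    """Build a constructed management frame for the sample capture (an offline test fixture)."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x40 if protected else 0x00])
    hdr = fc + b"\x00\x00" + _mac_bytes(receiver) + _mac_bytes(transmitter) + _mac_bytes(bssid) + b"\x00\x00"
    body = struct.pack("<H", reason) if reason is not None else b""
    return hdr + body


def analyze(capture: List[Tuple[float, bytes]], threshold: int = 10, window: float = 1.0) -> List[Alert]:
    """Flag a BSSID once `threshold` deauth/disassoc frames fall inside `window` seconds.
    A few such frames are normal (clients leave); tens per second aimed at one station are not."""
    recent = defaultdict(deque)
    alerts: List[Alert] = []
    for ts, raw in capture:
        f = parse_mgmt(raw)
        if f is None or f.subtype not in ("deauth", "disassoc"):
            continue
        q = recent[f.bssid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, f.bssid, f.receiver, len(q), REASONS.get(f.reason, f"code {f.reason}")))
            q.clear()  # one alert per burst of `threshold` frames, then keep counting
    return alerts


def sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed capture: normal beacons, one legitimate leave, then a spoofed deauth burst."""
    cap = []
    for i in range(20):  # beacons every 100 ms are ordinary background traffic
        cap.append((i * 0.1, make_frame(8, BROADCAST, AP_BSSID, AP_BSSID)))
    cap.append((0.5, make_frame(12, AP_BSSID, STATION, AP_BSSID, reason=3)))  # client says goodbye
    for i in range(64):  # 64 deauths in 320 ms, all "from" the AP, all aimed at one station
        cap.append((2.0 + i * 0.005, make_frame(12, STATION, AP_BSSID, AP_BSSID, reason=7)))
    return sorted(cap, key=lambda r: r[0])


if __name__ == "__main__":
    for ts, bssid, target, n, why in analyze(sample_capture()):
        print(f"t={ts:.3f}s  bssid={bssid}  target={target}  {n} deauth/disassoc frames  reason={why}")
```

The same detector can be fed from a real monitor-mode capture by handing it (timestamp, frame bytes) pairs from a pcap reader; only the management header is inspected, so it works unchanged on networks that encrypt their data frames. When 802.11w is in use the Protected Frame bit is set on genuine deauth frames and their reason code is encrypted, which is why `parse_mgmt` reports `reason=None` for them.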

Now some of the more important management frames are protected: disassociation, deauthentication, and channel-switch announcements are all sent over a protected channel instead of in the clear. This also means that a third party on the network would not be able to forge these types of frames and remove you from the network.

Of course, not all management frames will be encrypted. There are certain management frames that have to be unencrypted so that you’re able to first connect to the device. Frames such as beacons, probes, authentication, and association frames are still sent in the clear. This update with 802.11w was rolled into the 802.11ac standard. So if you’re running 802.11ac or a later version of 802.11, then this protection is already in your access point. If you’re using those newer standards, then an attacker would not be able to use a disassociation or deauthentication attack to remove you from your wireless network.
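On an access point you run yourself, the 802.11w protection described above is a configuration choice, and leaving it at the default is the weak setting. The following is an added example, not from the video, that audits hostapd-style configuration text for management frame protection: it shows a constructed WPA2-PSK configuration with PMF left off beside the corrected one with `ieee80211w=2`, and a small checker that reports the findings. The hostapd keys used (`ieee80211w`, `wpa`, `wpa_key_mgmt`, `group_mgmt_cipher`) are real hostapd.conf options; the interface name, SSID and the recommendation wording are assumptions for the example.

```python
"""Added example (not from the video): audit hostapd.conf-style text for 802.11w (PMF) settings."""
from typing import Dict, List

WEAK_CONF = """\
# constructed sample: WPA2-PSK access point with management frame protection at its default (off)
interface=wlan0
ssid=ExampleNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""

HARDENED_CONF = """\
# constructed sample: same AP with PMF required (802.11w) and SHA-256 based key management
interface=wlan0
ssid=ExampleNet
wpa=2
wpa_key_mgmt=WPA-PSK-SHA256
rsn_pairwise=CCMP
ieee80211w=2
group_mgmt_cipher=AES-128-CMAC
"""

PMF_LEVELS = {"0": "disabled", "1": "optional", "2": "required"}


def parse_hostapd(text: str) -> Dict[str, str]:
    """Read key=value lines, skipping blanks and '#' comments (last value wins, as in hostapd)."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_pmf(text: str) -> List[str]:
    """Return a list of findings; an empty list means deauth/disassoc frames are protected."""
    conf = parse_hostapd(text)
    findings: List[str] = []

    # PMF is an RSN (WPA2/WPA3) feature; hostapd's wpa bitmask needs bit 2 set
    try:
        rsn = int(conf.get("wpa", "0")) & 2
    except ValueError:
        rsn = 0
    if not rsn:
        findings.append("wpa does not enable RSN (bit 2): 802.11w cannot apply; set wpa=2")

    level = PMF_LEVELS.get(conf.get("ieee80211w", "0"), "unknown")
    if level == "disabled":
        findings.append("ieee80211w missing or 0: deauth/disassoc frames are unprotected; set ieee80211w=2")
    elif level == "optional":
        findings.append("ieee80211w=1: clients that do not negotiate PMF stay exposed to deauth attacks")
    elif level == "unknown":
        findings.append(f"ieee80211w={conf['ieee80211w']}: unrecognised value, expected 0, 1 or 2")

    akms = conf.get("wpa_key_mgmt", "").split()
    if "SAE" in akms and level != "required":
        findings.append("SAE (WPA3-Personal) is configured but PMF is not required; set ieee80211w=2")
    if level == "required" and akms and not any(a.endswith("SHA256") or a == "SAE" for a in akms):
        findings.append("PMF required with legacy AKM: prefer WPA-PSK-SHA256 or SAE alongside ieee80211w=2")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {check_pmf(text) or ['ok']}")
```

Setting `ieee80211w=2` means clients without PMF support will not be able to join; `ieee80211w=1` keeps them working but, as the checker notes, leaves those particular clients as exposed as before, so the optional setting is a migration step rather than the end state.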