Wireless Attacks – CompTIA Security+ SY0-701 – 2.4

Wireless networks are susceptible to many different types of attacks. In this video, you’ll learn about deauthentication attacks, RF jamming, and more.


Let’s say you’re on a wireless network browsing the internet, and then suddenly, you’re disconnected from the wireless network. There’s no warning, no messages. You’ve simply dropped off the network. And now, you no longer have internet access. So you wait a bit. You reconnect to the wireless network. You go back to surfing. And then the wireless network drops off again. This is something that can happen over and over and over again. And you may not be able to even stop it from occurring.

Anyone on this wireless network could be susceptible to a wireless deauthentication attack. This is a denial of service that takes people that are working normally on the wireless network, and then suddenly disconnects them completely from any connectivity over that network. The main vulnerability associated with this deauthentication attack relates to the management frames that are sent and received by the access point.

These are frames that normally we don’t see happening. They’re all going back and forth between your device and the access point behind the scenes. But they’re used to connect your device to the network, manage its connection, and then disconnect it when you’re done using the network. Each time you bring up a list of the access points you want to connect to or you authenticate or deauthenticate from an access point, it’s using these management frames to provide that functionality.

Unfortunately, earlier versions of the 802.11 specification did not provide any security for these management frames. They’re sent across the network in the clear. There’s no encryption of these frames. And therefore, an attacker could manipulate these frames in order to cause problems for people on that network. I took a packet capture of traffic that’s on my 802.11 network. And I pulled up one of many different types of management frames.

One thing you’ll notice immediately is that everything on this page is all in the clear. Nothing is encrypted. So anyone who’s close to this access point can view all of this information. This happens to be an 802.11 radio information frame. You can see the receiver address, the destination address, the transmitter address, and other details relating to the device itself.

Then you can see the parameters for that device. The SSID for this wireless access point is pmn. That’s the name of the wireless network. You can see the supported rates for that network and other details associated with that wireless access point.

Let’s look at an example of a authentication attack. I have an attacker’s screen on the right side in black. And you can see the user or victim’s device is on the left side. For this attack to work, we need to know the Mac address or hardware Wi-Fi address of the device we’d like to remove from the network. In this case, it’s the user’s iPhone. And this iPhone’s Mac address ends with 2E:FD. We’re first going to run a utility called airodump-ng. And we’re going to specify the wireless card that we’re using for this Linux device, which, in this case, is wlan0mon.

When we run this command, you’ll notice that we have a listing of all of the access points in this area. This one is listed with the BSSID. And you can see the ESSID associated with that address. I also have a list of all of the devices that are communicating to that wireless access point. And you’ll notice that the last one in the list ends in 2E:FD. And that matches the Wi-FI address of this iPhone.

Now that we have the hardware addresses for the wireless access point and the device that we’d like to remove from the network, let’s run a command to send some de-authentication frames across the wireless network. We’ll use this utility aireplay-ng and specify a dash 0 to send the authentication frames. Then we’ll select the wireless access points hardware ID and then the device that we’d like to remove from the network with its Mac address.

Then we’ll begin the aireplay. And you’ll notice the PM network on the left side suddenly disappears when the de-authentication frames are sent across the network. As long as we continue sending these de-authentication frames, this particular device will not be able to reconnect to this wireless network.

The engineers on the IEEE 802.11 committee realized that this particular problem is a significant security concern. And they made updates to the specification to prevent this from occurring in the future. These updates were incorporated into the 802.11ac standard and newer. With this update, a number of management frames are now encrypted. So frames such as the disassociate, the authenticate, and channel switch announcements are now encrypted by default and would no longer be susceptible to this type of denial of service attack.

If you perform a packet capture on your 802.11ac network or newer, you may still see management frames that are not encrypted. This is because there are a number of important management frames that have to be in the clear prior to the encryption occurring. So things like beacons, probes, authentication, and association frames are frames that you might still see if you take a packet capture.

The DoS attack took advantage of a vulnerability within the 802.11 protocols themselves. But there are other ways to prevent someone from connecting to a wireless network using Radio Frequency, or RF, jamming. This is a type of denial of service attack that affects not just a single device but everyone trying to communicate over those wireless frequencies.

The attackers will send interfering wireless signals to anyone who may be nearby. The goal is to have them decrease the signal-to-noise ratio so that the user is hearing more noise than actual real data from the wireless access point. And of course, if your device can’t hear anything being sent by the wireless access point, then it’s not able to send or receive traffic and communicate over that network.

You may have even done this yourself without realizing what was happening. It’s very common, for example, for microwave ovens to cause problems with 2.4 gigahertz wireless networks. And sometimes, fluorescent lights can also cause jamming over these wireless frequencies. But if you’re not running into a problem with an oven or with your lights, then it is possible that someone is sending additional signals out to cause problems on your wireless network.

There are many different ways for an attacker to cause this type of jamming. They could send a constant amount of information. They could send random data across the network. Or they might send a large number of legitimate frames over this wireless network. All of this would cause noise and problems for people that were trying to communicate to this access point.

The attacker might also send data at random times to make the troubleshooting of this problem a little more difficult. And this might be more of a reactive jamming. Normally, when the network is quiet, there’s no jam signal to see. But as soon as someone tries to communicate with the access point, the attacker turns up the volume and makes it impossible for anyone to communicate on this wireless network.

Just like the de-authentication attack, someone performing wireless jamming needs to be local to that access point. So somewhere nearby is the user that’s causing these wireless jamming problems. You just need to hunt them down and turn off the jam signal. Amateur radio operators often refer to this as a fox hunt. The fox hunter will often use a directional antenna that can be used to move around to locate exactly where a signal may be coming from.

As you get closer to the signal, it becomes much louder, and it’s difficult to know exactly what direction it’s coming from. So a good fox hunter may also have an attenuator that will lower the signal strength and make it easier to tell what direction any signal might be coming from. Using these techniques, you can eventually narrow down and triangulate exactly where a signal may be coming from and hopefully locate where a signal jam may be occurring on your network.