802.11 Denial of Service
In traffic analysis, it's critical to scrutinize link-layer protocols. 802.11 (Wi-Fi) attacks, while sometimes overlooked, require continuous monitoring due to potential human errors that might compromise perimeter security.
Capturing 802.11 Traffic
To analyze 802.11 raw traffic, a wireless interface in monitor mode is required. This enables visibility into raw 802.11 frames, similar to promiscuous mode.
Enumerate Wireless Interfaces (Linux):
iwconfig
Enable Monitor Mode (Option 1: airmon-ng):
sudo airmon-ng start wlan0
Note that airmon-ng may rename the interface (for example to wlan0mon); use the name it reports in the commands that follow.
Enable Monitor Mode (Option 2: System utilities):
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up
Verify Monitor Mode:
iwconfig
To capture traffic, specify the AP's channel (-c), BSSID (--bssid), and output file prefix (-w) with airodump-ng:
sudo airodump-ng -c 4 --bssid F8:14:FE:4D:E6:F1 wlan0 -w raw
How Deauthentication Attacks Work
Deauthentication/disassociation attacks are common link-layer attacks, often used to:
Capture WPA handshakes
Disrupt service
Force users to connect to malicious networks
Attackers typically spoof 802.11 deauthentication frames from the legitimate AP, tricking clients into disconnecting. Tools like aireplay-ng and mdk4 often use reason code 7 for deauthentication.
Detecting Deauthentication Attacks
Open deauthandbadauth.cap in Wireshark to inspect traffic from the AP's BSSID:
Wireshark Filter (for AP's BSSID):
wlan.bssid == xx:xx:xx:xx:xx:xx
Filter for Deauthentication Frames:
(wlan.bssid == xx:xx:xx:xx:xx:xx) and (wlan.fc.type == 00) and (wlan.fc.type_subtype == 12)
If excessive deauthentication frames appear, this suggests an attack. Reason Code 7 is often used by common attack tools. To filter for this:
(wlan.bssid == F8:14:FE:4D:E6:F1) and (wlan.fc.type == 00) and (wlan.fc.type_subtype == 12) and (wlan.fixed.reason_code == 7)
Revolving Reason Codes
Sophisticated attackers may vary reason codes to avoid detection:
Filter for Reason Code 1:
(wlan.bssid == F8:14:FE:4D:E6:F1) and (wlan.fc.type == 00) and (wlan.fc.type_subtype == 12) and (wlan.fixed.reason_code == 1)
Filter for Reason Code 2:
(wlan.bssid == F8:14:FE:4D:E6:F1) and (wlan.fc.type == 00) and (wlan.fc.type_subtype == 12) and (wlan.fixed.reason_code == 2)
Compensating Measures
To prevent deauthentication attacks:
Enable IEEE 802.11w (Management Frame Protection)
Use WPA3-SAE
Update WIDS/WIPS detection rules
Detecting Failed Authentication Attempts
Excessive authentication and association requests can indicate an attack. Filter in Wireshark to capture these; the subtype conditions must be grouped in parentheses, otherwise Wireshark binds "and" tighter than "or" and the BSSID condition only applies to the first subtype:
(wlan.bssid == F8:14:FE:4D:E6:F1) and (wlan.fc.type == 00) and ((wlan.fc.type_subtype == 0) or (wlan.fc.type_subtype == 1) or (wlan.fc.type_subtype == 11))