Today we're following up our discussion on 802.11 frames with an investigation of beacons and a practical example using BackTrack Linux and a technique known as raw frame injection.
As you recall from last time, the beacon frame is one of the four types of management frames; the other three are association, authentication and probe frames, which we'll be getting into shortly.
Now the beacon frame is a special kind of management frame in that it contains information about the network. This brings us to the terms:
Beacon frames, or simply beacons, are transmitted periodically by base stations or access points to announce the presence of wireless networks. The beacon frame is made up of several parts, including:
Whether the station is acting in ad-hoc or infrastructure mode (also known as managed mode)
The SSID or network name. We'll be getting more into the service sets of 802.11 networks, but for now the SSID is a 32-character, typically human-readable string that uniquely identifies the network.
The timestamp
The timestamp is quite simply the time value to which all associating stations synchronize. It's like that scene in the movie where all the spies synchronize their watches, except that it happens in hex in the blink of an eye.
And capability information such as:
Channel information
Supported data rates
Typically access points are set up to broadcast their beacons every 10 seconds. This can add quite a bit of overhead, so for improved performance on networks where not a lot of clients are connecting and disconnecting, like a home network, this setting is often changed to be much higher.
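To make the fields above concrete, here is a small parser that pulls them out of a raw beacon frame. This is an added example written for this page, not code from the Hak5 episode, from MDK3 or from aircrack-ng. It assumes the frame starts at the 802.11 MAC header (any radiotap or capture header already stripped), and the sample beacon bytes are constructed for the example. The element IDs used (0 SSID, 1 supported rates, 3 DS parameter set, 48 RSN) are the standard 802.11 values. Length fields are checked before use, so an oversized or truncated SSID element is reported instead of being sliced past the buffer, which is the first thing a scanner has to get right.

```python
"""Parse the beacon fields discussed above from a raw 802.11 frame.

Added example for this page; not code from the Hak5 episode or from MDK3.
Assumes the frame starts at the 802.11 MAC header (radiotap or other
capture headers already stripped).
"""
import struct

MGMT_TYPE = 0          # frame-control type 0 = management
BEACON_SUBTYPE = 8     # management subtype 8 = beacon
SSID_MAX_LEN = 32      # the SSID element is at most 32 octets
ELEM_SSID, ELEM_RATES, ELEM_DS_PARAMS, ELEM_RSN = 0, 1, 3, 48

# Constructed sample beacon (not a capture): BSSID 02:00:00:00:00:01,
# SSID "hak5", channel 11, 100 TU interval, ESS + privacy, WPA2/CCMP RSN element.
SAMPLE_BEACON = bytes.fromhex(
    "8000"                  # frame control: management / beacon
    "0000"                  # duration
    "ffffffffffff"          # DA: broadcast
    "020000000001"          # SA (constructed, locally administered)
    "020000000001"          # BSSID
    "0000"                  # sequence control
    "6745230100000000"      # timestamp, 8 bytes little-endian (0x01234567)
    "6400"                  # beacon interval: 100 TU
    "1104"                  # capability info: ESS, privacy, short slot time
    "000468616b35"          # SSID element: "hak5"
    "010882848b960c121824"  # supported rates: 1,2,5.5,11 (basic) 6,9,12,18 Mbps
    "03010b"                # DS parameter set: channel 11
    "30140100000fac040100000fac040100000fac020000"  # RSN: CCMP / PSK
)


class BeaconParseError(ValueError):
    """Raised when a frame is not a well-formed beacon."""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes) -> dict:
    """Return BSSID, timestamp, interval, mode, SSID, channel and rates.

    Every length is validated before it is used, so a hostile frame with an
    oversized or truncated element raises BeaconParseError rather than
    producing garbage or an IndexError.
    """
    if len(frame) < 24 + 12:
        raise BeaconParseError("frame too short for a beacon")
    fc, _dur, _da, _sa, bssid, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype != BEACON_SUBTYPE:
        raise BeaconParseError(f"not a beacon (type={ftype}, subtype={subtype})")
    # Fixed fields: timestamp (8), beacon interval in TU (2), capability (2)
    timestamp, interval_tu, cap = struct.unpack_from("<QHH", frame, 24)
    if cap & 0x0001:
        mode = "infrastructure"   # ESS bit
    elif cap & 0x0002:
        mode = "ad-hoc"           # IBSS bit
    else:
        mode = "unknown"
    info = {
        "bssid": _mac(bssid),
        "timestamp": timestamp,
        "beacon_interval_tu": interval_tu,
        "beacon_interval_ms": interval_tu * 1024 / 1000,  # 1 TU = 1024 us
        "mode": mode,
        "privacy": bool(cap & 0x0010),
        "ssid": None, "channel": None, "rates_mbps": [], "rsn_present": False,
    }
    pos = 36
    while pos < len(frame):
        if pos + 2 > len(frame):
            raise BeaconParseError("truncated element header")
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise BeaconParseError(f"element {tag} claims {length} bytes, {len(body)} present")
        if tag == ELEM_SSID:
            if length > SSID_MAX_LEN:
                raise BeaconParseError(f"SSID length {length} exceeds {SSID_MAX_LEN}")
            info["ssid"] = body.decode("utf-8", errors="replace")
        elif tag == ELEM_RATES:
            # units of 500 kbps; the high bit marks a mandatory (basic) rate
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in body]
        elif tag == ELEM_DS_PARAMS and length == 1:
            info["channel"] = body[0]
        elif tag == ELEM_RSN:
            info["rsn_present"] = True
        pos += 2 + length
    return info


def is_valid_beacon(frame: bytes) -> bool:
    """True when the frame parses cleanly as a beacon."""
    try:
        parse_beacon(frame)
    except BeaconParseError:
        return False
    return True


if __name__ == "__main__":
    for key, value in parse_beacon(SAMPLE_BEACON).items():
        print(f"{key:20} {value}")
```

Feeding the parser a frame whose SSID element claims 64 bytes, or one cut off in the middle of an element, makes it raise rather than crash; that is the distinction between a scanner that survives a hostile beacon and one that does not.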
MDK3 is a tool that exploits weaknesses in 802.11 protocols. It was created by ASPj with the help of the aircrack-ng team and libraries. MDK3 can be found at Pedro Larig's homepage and is built into the latest version of BackTrack from backtrack-linux.org.
Today we're using MDK3 in our practical example of transmitting and analyzing beacon frames.
To achieve this we'll first need a card capable of raw frame injection. To test whether our card has this capability we'll use the aireplay-ng tool, which is part of the aircrack-ng suite.
Aireplay-ng is a tool for injecting wireless frames and can accomplish 10 basic WiFi attacks, including deauthentication, fake authentication, fragmentation and more. We'll be getting more in depth with the aireplay-ng tool soon, but for today we'll be using mode 9, also known as test mode.
Now before we can use either aireplay-ng or MDK3 we'll need to bring up a monitor interface for our card, or set our card in monitor mode. If you recall from a previous episode, the easiest way to do this is with the command airmon-ng start followed by our interface name.
airmon-ng start wlan2
Now that our card has been set to monitor mode and we have the interface mon0 we can proceed to test our NIC.
Issuing aireplay-ng -9 (or --test) followed by our wireless interface (which in our case is wlan2), we can test whether or not our radio can handle raw frame injection.
aireplay-ng -9 wlan2
Our test is complete and we can see that aireplay-ng reports "injection is working".
Now on to MDK3, which is capable of performing many modes of attack. Issuing mdk3 at the command prompt will display a brief description of them.
mdk3 | more
Today we're focusing on the beacon flood mode. For more information on any mode, issue mdk3 --help followed by the mode letter. So we'll issue
mdk3 --help b
Alternatively we could issue mdk3 --fullhelp for information on all attack modes.
So now, finally, to craft our beacon flood. From the help output we can see that -f reads SSIDs from a text file, -g advertises the networks as using the 802.11g protocol at 54 Mbps, -a advertises them as having WPA enabled with AES encryption, and -c lets us specify a channel.
Thankfully I already have a text file full of SSIDs handy so let's just issue
mdk3 mon0 b -f ssid.list -g -a -c 11
Now, as you can see, mdk3 is transmitting hundreds of beacons on channel 11 for the access points I've specified.
We can verify this using our other wireless interface by scanning for all nearby networks with the command:
iwlist wlan0 scan | grep ESSID
Now, similar to fuzzing, this sort of attack can sometimes break WiFi scanners or network interface drivers. And with a specially crafted SSID list I'm sure you can come up with your own fun.
Mind you, all of these BSSIDs, or MAC addresses, are random and there's no chance of anyone actually associating with these base stations. At least not now.
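Seen from the other side of the air, the two things just described are exactly what a wireless monitoring tool should key on: a burst of never-before-seen BSSIDs on one channel, and SSIDs no well-behaved access point would ever send (over-long or non-printable, the kind that upsets scanners). The detector below is an added example written for this page, not Hak5's or MDK3's code. It takes already-parsed observations as (time_seconds, channel, bssid, ssid) tuples, the shape a scanner or a beacon parser would hand it; the thresholds and the sample observation stream are constructed for illustration and should be tuned to the environment being watched.

```python
"""Flag a beacon flood from a stream of parsed beacon observations.

Added example for this page; not code from the Hak5 episode or from MDK3.
Input tuples are (time_seconds, channel, bssid, ssid), sorted by time.
Thresholds and the sample stream below are constructed for illustration.
"""
from collections import defaultdict, deque

WINDOW_S = 10.0        # look-back window per channel, in seconds (constructed value)
MAX_NEW_BSSIDS = 20    # more first-time BSSIDs than this inside the window is suspicious
SSID_MAX_LEN = 32      # an SSID element can never legitimately exceed 32 octets


def detect_beacon_flood(observations, window_s=WINDOW_S, max_new=MAX_NEW_BSSIDS):
    """Return a list of alert dicts for the observation stream.

    Signal 1 (beacon_flood): the count of BSSIDs first seen on a channel
    within the trailing window exceeds max_new.  Real access points repeat
    the same BSSID every interval; a flood shows a steady stream of new ones.
    Signal 2 (malformed_ssid): an SSID longer than 32 characters or containing
    non-printable characters, which a compliant access point never emits.
    """
    alerts = []
    first_seen = {}                  # bssid -> time it was first observed
    new_times = defaultdict(deque)   # channel -> first-seen times still inside the window
    flooded = set()                  # channels already alerted, to avoid repeats
    for t, channel, bssid, ssid in observations:
        if len(ssid) > SSID_MAX_LEN or not ssid.isprintable():
            alerts.append({"type": "malformed_ssid", "t": t, "channel": channel,
                           "bssid": bssid, "ssid_len": len(ssid)})
        if bssid in first_seen:
            continue                 # a repeat beacon from a known BSSID is normal
        first_seen[bssid] = t
        q = new_times[channel]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()              # drop first-seen times that aged out of the window
        if len(q) > max_new and channel not in flooded:
            flooded.add(channel)
            alerts.append({"type": "beacon_flood", "t": t, "channel": channel,
                           "new_bssids_in_window": len(q)})
    return alerts


def sample_observations():
    """Constructed stream: one real access point beaconing normally on channel 6,
    then a burst of 30 distinct BSSIDs on channel 11 within 0.3 s, then a single
    beacon carrying a 40-character SSID on channel 1."""
    obs = [(0.1 * i, 6, "00:11:22:33:44:55", "HomeNet") for i in range(50)]
    for i in range(30):
        obs.append((5.0 + 0.01 * i, 11, f"02:00:00:00:{i:02x}:aa", f"fake-net-{i}"))
    obs.append((6.0, 1, "02:00:00:00:ff:01", "A" * 40))
    return sorted(obs)


if __name__ == "__main__":
    for alert in detect_beacon_flood(sample_observations()):
        print(alert)
```

On the constructed stream the normal access point never trips anything, the flood is flagged once on channel 11 when the 21st new BSSID appears inside the window, and the over-long SSID is reported separately. In practice you would feed the detector from a monitor-mode capture and tune `MAX_NEW_BSSIDS` to how many distinct networks a channel normally shows in your location.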
What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up -- tips@hak5.org
And be sure to check out our sister show, Hak5 for more great stuff just like this.
Squarespace
Squarespace is a publishing system for anyone looking to build a blog, portfolio or any kind of website. Squarespace offers a uniquely flexible tool for just about anyone (no coding experience required) to build high end websites with that same functionality that you will find on some of the highest trafficked pages on the web. Squarespace also has amazing iPhone and iPad apps so you can easily update your blog and manage comments on the go. Go to www.squarespace.com to get a 2-week free trial and 10% off when you sign up in July. Just enter coupon code hak57.