Episode 706 – Deauth Detection and Cloud Data Backups
Back in studio with Shannon this week. Darren has answers to your WiFi deauthorization attack questions and a demo of a nifty deuth watching script. Shannon’s all about free and open source alternatives to online backup services like Backupify. Can these tools keep your cloud data secure?
Download HD Download MP4 Download XviD Download WMV
Deauthorization Attacks explained (with demo)
This week we’re answering viewer questions regarding last week’s wireless deauthorization attacks.
How does Deauth work if a client connected to an AP using encryption?
-Mark B
The answer lies in the fact that 802.11b/a/n/g management frames, special packets used to establish and maintain communications, are all sent unencrypted. These include:
- Authentication
- Association request
- Association response
- Reassociation request
- Reassociation response
- Beacon
- Probe request
- Probe response
- Deauthentication
And finally our favorite…
I was wondering how do I prevent the de authorize attacks and man-in-the-middle attacks on my laptop or computer
-Test Account
Short of rewriting your wireless radio’s firmware to ignore deauthorization packets I’m at a loss when it comes to preventing the attack. If you know of a way please get in touch. That said, deauth attacks are quite simple to detect.
Viewer Tinman2k wrote in with a simple python script that uses airmon-ng and scappy to scan for associations, authentications and deauthentications.
You’ll need to begin by placing your card into monitor mode. For example: airmon-ng wlan0 start. Then pass your monitor interface to readAuthDeauth.py
#!/usr/bin/env python ###################################################### # authWatch.py v. 0.1 (Quick, Dirty and Loud) - by TinMan # Place card in monitor mode and set the channel. # If you want channel hopping, run airodump-ng in # another terminal. Will add channel hopping # in the next version. ###################################################### # # Usage: python authWatch.py# import sys from scapy import * interface = sys.argv[1] def sniffReq(p): if p.haslayer(Dot11Deauth): # Look for a deauth packet and print the AP BSSID, Client BSSID and the reason for the deauth. print p.sprintf("Deauth Found from AP [%Dot11.addr2%] Client [%Dot11.addr1%], Reason [%Dot11Deauth.reason%]") # Look for an association request packet and print the Station BSSID, Client BSSID, AP info. if p.haslayer(Dot11AssoReq): print p.sprintf("Association request from Station [%Dot11.addr1%], Client [%Dot11.addr2%], AP [%Dot11Elt.info%]") # Look for an authentication packet and print the Client and AP BSSID if p.haslayer(Dot11Auth): print p.sprintf("Authentication Request from [%Dot11.addr1%] to AP [%Dot11.addr2%]") print p.sprintf("------------------------------------------------------------------------------------------") sniff(iface=interface,prn=sniffReq)
Backing up your Cloud Data
One of these day the monkeys will rise up and conquer the net as we know it. That’s why having good backups of your online data is important. So rather than getting screwed when gmail, google docs, flickr, delicious, twitter and wordpress go down, let’s use free and open source software to make proper backups.
Online services like Backupify make it easy to backup your cloud data — but it’s just from one cloud to another (Amazon S3). If you’d like a local copy of your data check out these programs
Great episode!
Can we get a hint on how your USB rubber duck works? :O
Autorun without software on Windows, mac, and linux sounds impossible! Perhaps I misinterpreted what you meant though.
I’m assuming its not just a U3 drive
Not to step on DK’s response, but it looks to be the teensy based on the “that’s the exact chip” comment (6:16).
http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
http://www.pjrc.com/teensy/
Darren, hit me up at the post email if you’re looking for testers.
ahhh now I see… thats GENIUS!
not gonna work on locked workstations though
I’m safe 
[...] This post was mentioned on Twitter by hak5feed, Knut. Knut said: Episode 706 – Deauth Detection and Cloud Data Backups http://bit.ly/9NXWBf [...]
My day job is IT Security for a government agency, and moon light as a consultant after hours. Any case, the only way I came up with stopping Darren’s attack is using Wireless enterprise grade IPS system like Motorola’s Air Defense system. When this attack is seen in the air space that Air Defense covers it will terminate client association with trusted clients MACS with rouge APs. Well, you say if this security is based on MAC addressing why not just clone a trusted AP. Well, Air Defense will see 2 APs with same MAC address and air terminate both devices thereby protecting the wired network from intrusion. I haven’t seen any cost effective home/small business solution though. Let me know if you do find a low cost/free one.
Oh ya, I’m going to be testing in the near future Air Defense personal Host based IPS that enforces the same policies when off the enterprise network. I hope for the same results.
Oops, this was addressing primarily last episode(705). But still stands, as my solution is for general users that just need to be protected from outside attacks with zero transparency to the user.
Good Job on these past 2 episodes covering an easy WiFi man in the middle attack!
You mentioned doing an episode on Snort
AROUND THE WORLD FTW!!!!!!
loved the show.
couldn’t help but smile when I watched
more snubs dancing!!!
oh yeah, almost forgot . . . you guys are a bunch of wankers!
too funny
Is it possible to execute a Deauth Attack from other Wifi enables devices, such as a Phone? One in particular being a Motorola Droid?
Good show, back to teh studio yey
hope we will get more of “up 30 min” episodes //love ur show// #From Algeria
[...] Hak5 – Technolust ѕіחсе 2005 » Episode 706 – Deauth Detection а&#… [...]
Great show I am glad now that you guys are back together doing the show and in such good spirits!
What i still not really understand with this Deauth packages… isn’t there any way to check on MAC level if the access-point sending the Deauth package, is also the same one you were actually connected with?
I would for sure apply such protection on this network level.
In that case a Deauth package can come from any place but if the MAC is not correct, it won’t respond….
Ofcourse with an open access point, it is probably also easy to spoof MAC addresses by fetching that info from the actual access point.
unfortunately, this won’t do much good.
if your card’s in monitor mode, you can see MAC addresses of not only AP’s but also any connected CLIENTS as well (which makes targeted deauth possible- in this more recent attack, you pick a victim, spoof their mac, deauth them, and pretend to be them to the AP- and pretend to be the AP to the victim- by spoofing MAC addresses of each respectively.
pretty much the only hope you have of avoiding a de-auth is having a stronger signal to the AP than the attacker, and hoping that they’re too far away to send the deauths more quickly than the AP can send Reass. requests (from what I understand).
cheers
Gmail backup using an online backup service for that?
Gmail supports pop3 (secured) so you can already access gmail using thunderbird.
Who needs online tools for that?
One more suggestion: tried a backup service like DropBox?
Not only can you store up to 2GB free, you can expand it through affiliation up to 5GB. Also Dropbox allows you to synchronize your stuff between various pc-systems where you have Dropbox installed using the same account
Gotta love modified subversion code….
Great to see Snubs back on… whats left of… the set
The python script will not work for me. I keep getting the error message:
bob@LinuxBox:~$ python authWatch.py
File “authWatch.py”, line 27
if p.haslayer(Dot11Auth):
^
IndentationError: unexpected indent
Try to update or install a lower version of python. Check in the readme which versions work.
How is it indented? Check to make sure the word “if” is indented the same as the others.
Hey tinman I tried to run the authWatch.py script, at first with an error of indent as mentioned above and I indented it fine.After which I got a new error message saying that sniff ( last line ) is not defined .
any ideas???
SAM the ripper
[...] via e-mail Wicked Cool Emacs: BBDB: Work with Records – Faster mail with Emacs Related posts …Hak5 Technolust since 2005 Episode 706 Deauth Detection …Name (required) Mail (will not be published) (required) Website (optional) You can use these tags: [...]
[...] Hak5.org [...]