Back in studio with Shannon this week. Darren has answers to your WiFi deauthorization attack questions and a demo of a nifty deauth watching script. Shannon’s all about free and open source alternatives to online backup services like Backupify. Can these tools keep your cloud data secure?

Deauthorization Attacks explained (with demo)

This week we’re answering viewer questions regarding last week’s wireless deauthorization attacks.

How does Deauth work if a client connected to an AP using encryption?
-Mark B

The answer lies in the fact that 802.11b/a/n/g management frames, special packets used to establish and maintain communications, are all sent unencrypted. These include:

  • Authentication
  • Association request
  • Association response
  • Reassociation request
  • Reassociation response
  • Beacon
  • Probe request
  • Probe response
And finally our favorite…

  • Deauthentication

I was wondering how do I prevent the de authorize attacks and man-in-the-middle attacks on my laptop or computer
-Test Account

Short of rewriting your wireless radio’s firmware to ignore deauthorization packets, I’m at a loss when it comes to preventing the attack. If you know of a way, please get in touch. That said, deauth attacks are quite simple to detect.

Viewer Tinman2k wrote in with a simple Python script that uses airmon-ng and scapy to scan for associations, authentications and deauthentications.

You’ll need to begin by placing your card into monitor mode. For example: airmon-ng start wlan0. Then pass your monitor interface to readAuthDeauth.py.

    #!/usr/bin/env python

    ######################################################
    #   authWatch.py v. 0.1 (Quick, Dirty and Loud) - by TinMan
    #   Place card in monitor mode and set the channel.
    #   If you want channel hopping, run airodump-ng in
    #   another terminal. Will add channel hopping
    #   in the next version.
    ######################################################
    #
    #   Usage: python authWatch.py <monitor interface>
    #

    import sys
    # The packet classes and sniff() live in scapy.all, not in the top-level package.
    from scapy.all import Dot11AssoReq, Dot11Auth, Dot11Deauth, sniff

    interface = sys.argv[1]

    def sniffReq(p):
        # Look for a deauth packet and print the AP BSSID, Client BSSID and the reason for the deauth.
        if p.haslayer(Dot11Deauth):
            print(p.sprintf("Deauth Found from AP [%Dot11.addr2%] Client [%Dot11.addr1%], Reason [%Dot11Deauth.reason%]"))
        # Look for an association request packet and print the Station BSSID, Client BSSID, AP info.
        if p.haslayer(Dot11AssoReq):
            print(p.sprintf("Association request from Station [%Dot11.addr1%], Client [%Dot11.addr2%], AP [%Dot11Elt.info%]"))
        # Look for an authentication packet and print the sender (addr2) and the receiver (addr1).
        if p.haslayer(Dot11Auth):
            print(p.sprintf("Authentication Request from [%Dot11.addr2%] to AP [%Dot11.addr1%]"))
            print("------------------------------------------------------------------------------------------")

    # store=0 keeps scapy from holding every sniffed packet in memory.
    sniff(iface=interface, prn=sniffReq, store=0)
      
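Because deauthentication frames travel unencrypted, they can also be decoded straight from the raw bytes and counted. The following is an added example, not part of TinMan's script or the original show notes: it parses raw 802.11 management headers without scapy and flags bursts of deauths between one pair of addresses. The sample frames, the MAC addresses and the window and burst thresholds are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def parse_deauth(frame):
    """Return (dst, src, reason) for a deauthentication frame, else None.
    `frame` is a raw 802.11 frame with the radiotap header already removed."""
    if len(frame) < 26:                      # 24-byte header + 2-byte reason code
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype != 12:          # management frame, subtype 12 = deauth
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    # addr1 is the receiver; addr2 is only the *claimed* transmitter.
    return mac(frame[4:10]), mac(frame[10:16]), reason

def find_floods(events, window=1.0, burst=5):
    """events: (timestamp, raw_frame) pairs in time order. Flags every
    (src, dst) pair with `burst` or more deauths inside `window` seconds.
    Both thresholds are assumed starting points, not values from the page."""
    recent, flagged = defaultdict(deque), set()
    for ts, frame in events:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        dst, src, _reason = parsed
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:            # drop timestamps older than the window
            q.popleft()
        if len(q) >= burst:
            flagged.add((src, dst))
    return flagged

def mgmt_frame(subtype, dst, src, body):
    """Build a constructed management frame for the sample data below."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([subtype << 4, 0, 0, 0]) + raw(dst) + raw(src) + raw(src) + b"\x00\x00" + body

# Constructed sample capture (locally administered MACs, not real devices).
AP, STA_A, STA_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
SAMPLE = [(0.0, mgmt_frame(8, "ff:ff:ff:ff:ff:ff", AP, b"\x00" * 12))]   # beacon
SAMPLE += [(10.0, mgmt_frame(12, AP, STA_B, struct.pack("<H", 3)))]      # one normal leave
SAMPLE += [(20.0 + i * 0.05, mgmt_frame(12, STA_A, AP, struct.pack("<H", 7))) for i in range(10)]

if __name__ == "__main__":
    for src, dst in sorted(find_floods(SAMPLE)):
        print("Deauth flood: %s -> %s" % (src, dst))
```

A single deauth, such as a client leaving normally, stays below the threshold; only the repeated burst toward one client is reported.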

Backing up your Cloud Data

One of these days the monkeys will rise up and conquer the net as we know it. That’s why having good backups of your online data is important. So rather than getting screwed when Gmail, Google Docs, Flickr, Delicious, Twitter and WordPress go down, let’s use free and open source software to make proper backups.

Online services like Backupify make it easy to back up your cloud data, but it’s just from one cloud to another (Amazon S3). If you’d like a local copy of your data check out these programs

27 Comments

  • dennis waters 4 years ago

    Great episode!

    Can we get a hint on how your USB rubber duck works? :O
    Autorun without software on Windows, mac, and linux sounds impossible! Perhaps I misinterpreted what you meant though.

    I’m assuming it’s not just a U3 drive :D

  • n@0ne 4 years ago

    Not to step on DK’s response, but it looks to be the teensy based on the “that’s the exact chip” comment (6:16).

    http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

    http://www.pjrc.com/teensy/

    Darren, hit me up at the post email if you’re looking for testers.

  • dennis waters 4 years ago

    ahhh now I see… that’s GENIUS!

    not gonna work on locked workstations though :) I’m safe :D

  • My day job is IT Security for a government agency, and I moonlight as a consultant after hours. In any case, the only way I came up with stopping Darren’s attack is using a wireless enterprise grade IPS system like Motorola’s Air Defense system. When this attack is seen in the air space that Air Defense covers it will terminate client association with trusted clients MACs with rogue APs. Well, you say if this security is based on MAC addressing why not just clone a trusted AP. Well, Air Defense will see 2 APs with the same MAC address and air terminate both devices, thereby protecting the wired network from intrusion. I haven’t seen any cost effective home/small business solution though. Let me know if you do find a low cost/free one.

    Oh ya, I’m going to be testing in the near future Air Defense personal Host based IPS that enforces the same policies when off the enterprise network. I hope for the same results.

    • Oops, this was addressing primarily last episode(705). But still stands, as my solution is for general users that just need to be protected from outside attacks with zero transparency to the user.

      Good Job on these past 2 episodes covering an easy WiFi man in the middle attack!

  • ZaphodBB 4 years ago

    You mentioned doing an episode on Snort :D

  • imtifade 4 years ago

    AROUND THE WORLD FTW!!!!!!

  • sloth2slow 4 years ago

    loved the show.

    couldn’t help but smile when I watched

    more snubs dancing!!!

    oh yeah, almost forgot . . . you guys are a bunch of wankers!

    too funny

  • Is it possible to execute a Deauth Attack from other WiFi enabled devices, such as a Phone? One in particular being a Motorola Droid?

  • maxsy 4 years ago

    Good show, back to teh studio yey :)

  • zakisat 4 years ago

    hope we will get more of “up 30 min” episodes //love ur show// #From Algeria

  • Great show I am glad now that you guys are back together doing the show and in such good spirits!

  • Vince 4 years ago

    What I still don’t really understand with these Deauth packages… isn’t there any way to check on MAC level if the access-point sending the Deauth package is also the same one you were actually connected with?
    I would for sure apply such protection on this network level.
    In that case a Deauth package can come from any place but if the MAC is not correct, it won’t respond….
    Of course with an open access point, it is probably also easy to spoof MAC addresses by fetching that info from the actual access point.

    • unfortunately, this won’t do much good.

      if your card’s in monitor mode, you can see MAC addresses of not only APs but also any connected CLIENTS as well (which makes targeted deauth possible- in this more recent attack, you pick a victim, spoof their mac, deauth them, and pretend to be them to the AP- and pretend to be the AP to the victim- by spoofing MAC addresses of each respectively).

      pretty much the only hope you have of avoiding a de-auth is having a stronger signal to the AP than the attacker, and hoping that they’re too far away to send the deauths more quickly than the AP can send Reass. requests (from what I understand).

      cheers

  • Vince 4 years ago

    Gmail backup using an online backup service for that?
    Gmail supports pop3 (secured) so you can already access gmail using thunderbird.
    Who needs online tools for that?

  • Vince 4 years ago

    One more suggestion: tried a backup service like DropBox?
    Not only can you store up to 2GB free, you can expand it through affiliation up to 5GB. Also Dropbox allows you to synchronize your stuff between various pc-systems where you have Dropbox installed using the same account

  • tibbs 4 years ago

    Gotta love modified subversion code….

  • Slasher 4 years ago

    Great to see Snubs back on… what’s left of… the set :)

  • The python script will not work for me. I keep getting the error message:

    bob@LinuxBox:~$ python authWatch.py
      File "authWatch.py", line 27
        if p.haslayer(Dot11Auth):
        ^
    IndentationError: unexpected indent

  • Slasher 4 years ago

    Try to update or install a lower version of python. Check in the readme which versions work.

    • Tinman 4 years ago

      How is it indented? Check to make sure the word “if” is indented the same as the others.

      • Hey tinman I tried to run the authWatch.py script, at first with an error of indent as mentioned above and I indented it fine. After which I got a new error message saying that sniff (last line) is not defined.

        any ideas???
        SAM the ripper