WiFi networks have become an integral part of everyday life, providing an invisible layer of connectivity. Within that convenience lurks a simple but effective threat: de-authentication attacks and the WiFi handshake capture they make possible. In this post we set up a small lab, launch the attack from both sides and build a cheap detector for it.
Setting up a WiFi penetration testing lab
The first step is setting up a WiFi penetration testing lab, which consists of four devices.
In this instance, two mobile phones were used as the wireless access point (WAP) and the client, and I have provided links to the other two devices. A WiFi Pineapple is not strictly necessary: for a budget version of this lab, a TP-Link TL-WN722N adapter in combination with Kali Linux can perform similar attacks. Check the hardware revision before buying, though: only the v1 adapter (Atheros AR9271 chipset) supports monitor mode and packet injection with the in-kernel driver, while v2 and v3 use a Realtek chipset that needs an out-of-tree driver for the same.
WiFi attacks are well known, and publicly available tools and devices have been able to perform them for a long time. Without proper infrastructure in place they are very difficult to detect; however, with a bit of time and some basic Arduino programming you can build an effective deauthentication detector. For this lab I used a D1 microcontroller clone from AliExpress with an ESP8266 chip.
The ESP8266 sniffs the air for deauthentication or disassociation frames and turns on its built-in LED whenever either is present.
The IEEE 802.11 standard defines the management frames used in wireless communication. Deauthentication (subtype 12) and disassociation (subtype 10) frames carry a two-byte Reason Code field, and the most interesting value for us is reason code 3, "Deauthenticated because sending station is leaving (or has left) the BSS". For more in-depth information on this topic, you can visit the following link.
In essence, the ESP8266 constantly sniffs WiFi traffic and detects the presence of these frames, as shown in the capture below:
To trigger this from the WiFi Pineapple, I specified the MAC address of my Samsung Galaxy A52 and initiated a deauthentication attack by selecting Actions – Deauthenticate Client.
What can be done with deauthentication attacks?
You might wonder why these deauthentication attacks are relevant and why we should care in the first place if someone kicks us off the network.
Recall the CIA triad (Confidentiality, Integrity, Availability): a deauthentication attack affects Availability. Legitimate clients are prevented from staying connected to, or reconnecting to, the WiFi network, which can cause business impact if any of those systems rely on the WiFi connection to perform business-critical tasks.
But that is not all!
By performing these attacks repeatedly while sniffing the network at the same time, an attacker can capture the WPA/WPA2 4-way handshake between a client that has stored WiFi credentials and the access point, because the client automatically reconnects after every kick. This is where the Confidentiality side of the CIA triad comes under threat. The handshake does not contain the password itself, but it carries enough material (the nonces and the MIC) to verify password guesses, so it can be fed to offline password cracking tools or any other means of hash comparison and, if the passphrase is weak, the WiFi password is revealed in clear text; and if the corporate network is not correctly segmented from the WiFi network…
Once the attacker has access to the network, it is game over. Skilled attackers can use various techniques and lateral movement to find their way to critical systems and achieve their objectives.
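The two halves of this story, the ESP8266 detector described earlier and the deauth-then-handshake chain just described, share one piece of logic: parse the 802.11 frame control field, recognise deauthentication/disassociation frames and their Reason Code, and notice the unencrypted EAPOL data frames of a 4-way handshake that follow a burst of them. The program below is an added example written for this article, not the author's Arduino sketch or any tool's code. It implements that logic in plain C so it runs on a desktop; the thresholds, MAC addresses and frame bytes are constructed for the demo, and the `led_on` flag stands in for the ESP8266's built-in LED.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IEEE 802.11 frame control: type in bits 2-3, subtype in bits 4-7, Protected Frame in bit 14. */
enum { FT_MGMT = 0, FT_DATA = 2, ST_DISASSOC = 0x0A, ST_DEAUTH = 0x0C, FC_PROTECTED = 0x4000 };
/* Rate-based thresholds (assumed, tune per site): a lone deauth is normal, a burst is not; EAPOL soon after a burst means a forced re-handshake. */
enum { FLOOD_THRESHOLD = 5, FLOOD_WINDOW_MS = 1000, HANDSHAKE_FOLLOW_MS = 10000 };

enum frame_kind { KIND_OTHER = 0, KIND_DISASSOC, KIND_DEAUTH, KIND_EAPOL };
enum alert { ALERT_NONE = 0, ALERT_DEAUTH_FLOOD, ALERT_HANDSHAKE_AFTER_FLOOD };

struct frame_info {
    enum frame_kind kind;
    uint8_t addr1[6], addr2[6]; /* receiver (the kicked client) and transmitter (the spoofed AP) */
    uint16_t reason;            /* Reason Code of a deauth/disassoc; 3 = station is leaving the BSS */
};

struct detector {
    uint32_t window_start_ms, last_flood_ms;
    unsigned disconnects;       /* deauth + disassoc frames seen in the current window */
    int flood_seen, led_on;     /* led_on stands in for the ESP8266's built-in LED */
};

/* Classify one raw 802.11 frame (MAC header onwards, no radiotap). Returns -1 if too short. */
int classify_frame(const uint8_t *f, size_t len, struct frame_info *out)
{
    static const uint8_t eapol_snap[] = {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8E};
    memset(out, 0, sizeof *out);
    if (len < 24) return -1;                      /* 24-byte MAC header for these frame types */
    uint16_t fc = (uint16_t)(f[0] | (f[1] << 8));
    unsigned type = (fc >> 2) & 0x3, subtype = (fc >> 4) & 0xF;
    memcpy(out->addr1, f + 4, 6); memcpy(out->addr2, f + 10, 6);
    if (type == FT_MGMT && (subtype == ST_DEAUTH || subtype == ST_DISASSOC)) {
        if (len < 26) return -1;                  /* body is a 2-byte little-endian Reason Code */
        out->reason = (uint16_t)(f[24] | (f[25] << 8));
        out->kind = (subtype == ST_DEAUTH) ? KIND_DEAUTH : KIND_DISASSOC;
    } else if (type == FT_DATA && !(fc & FC_PROTECTED)) {
        /* The 4-way handshake is carried in unencrypted data frames: LLC/SNAP + EtherType 0x888E. */
        size_t hdr = 24 + ((subtype & 0x8) ? 2 : 0); /* QoS Data subtypes add a 2-byte QoS Control */
        if (len >= hdr + sizeof eapol_snap && memcmp(f + hdr, eapol_snap, sizeof eapol_snap) == 0)
            out->kind = KIND_EAPOL;
    }
    return 0;
}

/* Feed one sniffed frame with its arrival time; returns the alert to raise for it, if any. */
enum alert detector_feed(struct detector *d, const uint8_t *frame, size_t len, uint32_t now_ms)
{
    struct frame_info fi; if (classify_frame(frame, len, &fi) < 0) return ALERT_NONE;
    if (now_ms - d->window_start_ms >= FLOOD_WINDOW_MS) {  /* roll the counting window */
        d->window_start_ms = now_ms; d->disconnects = 0; d->led_on = 0;
    }
    if (fi.kind == KIND_DEAUTH || fi.kind == KIND_DISASSOC) {
        if (++d->disconnects >= FLOOD_THRESHOLD) {
            d->led_on = d->flood_seen = 1; d->last_flood_ms = now_ms;
            return ALERT_DEAUTH_FLOOD;
        }
    } else if (fi.kind == KIND_EAPOL && d->flood_seen && now_ms - d->last_flood_ms <= HANDSHAKE_FOLLOW_MS) {
        return ALERT_HANDSHAKE_AFTER_FLOOD;          /* the client is re-handshaking because it was kicked */
    }
    return ALERT_NONE;
}

/* Constructed frames for the demo (not captured traffic): a deauth/disassoc and a bare EAPOL-Key data frame. */
size_t build_mgmt_frame(uint8_t *buf, unsigned subtype, const uint8_t *dst, const uint8_t *src, uint16_t reason)
{
    memset(buf, 0, 26);
    buf[0] = (uint8_t)(subtype << 4);                /* protocol version 0, type 0 (management) */
    memcpy(buf + 4, dst, 6); memcpy(buf + 10, src, 6); memcpy(buf + 16, src, 6); /* DA, SA, BSSID */
    buf[24] = (uint8_t)(reason & 0xFF); buf[25] = (uint8_t)(reason >> 8);
    return 26;
}

size_t build_eapol_frame(uint8_t *buf, const uint8_t *dst, const uint8_t *src)
{
    static const uint8_t snap_eapol_key[] = {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8E, 0x02, 0x03};
    memset(buf, 0, 34);
    buf[0] = 0x08;                                   /* type 2 (data), subtype 0, Protected bit clear */
    memcpy(buf + 4, dst, 6); memcpy(buf + 10, src, 6); memcpy(buf + 16, src, 6);
    memcpy(buf + 24, snap_eapol_key, sizeof snap_eapol_key); /* LLC/SNAP, EtherType 0x888E, EAPOL v2 Key */
    return 34;
}

/* Replays the constructed attack: six spoofed deauths in 0.6 s, then the forced EAPOL; returns the last alert. */
enum alert replay_attack(struct detector *d)
{
    const uint8_t ap[6] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55}, sta[6] = {0x02, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE};
    uint8_t buf[64];
    size_t n = build_mgmt_frame(buf, ST_DEAUTH, sta, ap, 3);
    for (unsigned t = 0; t < 600; t += 100) {        /* the LED goes on at the 5th deauth */
        int a = (int)detector_feed(d, buf, n, t);
        printf("t=%3u ms deauth -> alert %d, led %d\n", t, a, d->led_on);
    }
    n = build_eapol_frame(buf, sta, ap);
    return detector_feed(d, buf, n, 900);
}

int main(void) { struct detector d = {0}; printf("t=900 ms EAPOL  -> alert %d\n", (int)replay_attack(&d)); return 0; }
```

On the real board the same `detector_feed` would be called from the ESP8266 promiscuous-mode receive callback with the frame bytes and `millis()`, and `led_on` would drive the LED pin. The rate threshold is the important design choice: a single deauth with reason code 3 is just a client leaving, so a detector that lights up on every frame will also light up on normal traffic.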
What can we do to protect ourselves?
On the bright side, there are several ways to protect our networks from such attacks, and here we mention a few.
- Monitor your WiFi for suspicious disconnects and, in a pinch, build yourself a cheap WiFi deauth detector as described above. A single deauthentication frame is normal traffic (a client genuinely leaving), so alert on bursts and rates rather than on individual frames.
- Enable Protected Management Frames (IEEE 802.11w) where your access points and clients support it; it is mandatory in WPA3. With PMF, deauthentication and disassociation frames are integrity-protected, so an attacker cannot forge them to kick clients off the network.
- Follow password best practices for your WiFi network authentication: a captured handshake is only as strong as the passphrase behind it, so use a long, random one, and make sure you are not using the weaker WEP standard, which is easily exploitable. Remember, proactive security measures are key to maintaining a safe and reliable wireless network environment.
- Implement network segmentation: to limit the potential impact of a successful attack, divide your network into subnetworks or VLANs and keep the WiFi network separate from the networks that host critical devices or sensitive data.
- Intrusion Detection and Prevention Systems (IDS/IPS): implement IDS/IPS solutions capable of detecting and mitigating deauthentication attacks by monitoring network traffic patterns and flagging suspicious activity.
- Wireless Intrusion Prevention Systems (WIPS): use WIPS solutions that specialise in detecting and preventing WiFi-specific attacks such as deauthentication and handshake capture. This is usually advised for high-security infrastructure.
Hopefully, by implementing a layered security approach and following security best practices, you can defend your networks and keep the bad guys out. For penetration testing on a budget, you can simulate the scenario described in this article and learn how attackers think, in order to better understand how to defend against the same. I wish you happy labbing!