Some idiot at school today was spamming deauthentication packets destined for the MAC address of our school's main AP. The teachers had no idea what was going on, but luckily I know of Wireshark. Is there any way to ignore those types of packets as a temporary solution? Or is the only way to find the source and beat him over the head :b ?
- Poul Wittig
I was just thinking that myself..... SV had started a thread about sending custom de-auth packets to troublesome users to de-auth them back constantly, and you could add customised text into the packet for them to read in Wireshark (if they know how!)
Not a solution, but it will bug the offender and might make him stop it....
TT
Or, with the network admin's permission, go after him with karmetasploit..... filter it so it only attacks the one target (real or fake MAC). You and the network admin can have some fun with him.... a good learning experience for both of you!
TT
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.
Yes I did, I wrote it down and once the attack stopped I scanned the network with nmap multiple times to see if he was stupid enough to log on and reveal himself. No luck so far so it probably is spoofed.
Haha funny idea, I'm definitely going to look into that :b.
I'd rather do stuff like that at home. I doubt my teacher would allow me to do something like that. No matter what HE did, that would still be highly illegal :P But otherwise a good idea!
- Poul Wittig
Just wait till he breaks something serious.... then you'll see the network admin stalking the halls at your school with some handheld BackTrack, threatening to re-programme the offender's laptop - with an axe!
There is nothing like having to crawl around in a dusty false ceiling to reset a hidden router to make a school/workplace think about a more 'active' security policy.....
If he is spoofing his MAC and your admin gets hold of a suspect laptop at some point, remind him to check the bash history (assuming he's using Linux; he probably will be if he's playing with de-auths). Everyone always forgets to reset their bash history..... the macchanger command and the aireplay -0 with your school's AP MAC address would be some pretty hard evidence for someone to deny.
TT
Maybe he's using the BackTrack CD. No evidence left behind.
Until recently, I thought that faking a MAC address makes you safe, but apparently I was wrong. It is however possible to RF-fingerprint the troublesome transmitter device (Bayesian detection) and then scan the air for a match. Unlike the MAC address, that cannot be spoofed.
Is there a way to detect if my wireless is being scanned/attacked by aireplay? And somehow block or stop them?
You can watch out for them by leaving airodump/kismet running and watching for either association with your AP (if you're using WEP, which you shouldn't be!) or for suspicious de-auth packets (for WPA; kismet picks these up best....), but the problem is that by the time you notice, the attacker will probably already have your key or WPA handshake!
With good equipment and fast typing, cracking WEP in under 5 mins is easy. And WPA handshakes can be caught with a single de-auth packet if you have good equipment and know where to point it. After the attacker has the handshake he can go home, dump it into his main computer and work on it at his own pace; he doesn't need to be in range of your network after he has the handshake.
In fact, I have a neighbour who recently got an N class router, and my box that scans for suspicious clients regularly (once every 2 or so days) picks up its complete handshake even though I'm channel hopping (1, 6, 11) and even though the neighbour is 100 yds away! De-auths are not even needed if your attacker has lots of spare time.
The best defence is a massive passphrase with special characters, and for the extra paranoid there are symbols you can use which either make it a pain in the ass to type in the commands (including bash symbols in your ESSID) or impossible to use rainbow tables against you, as some symbols can't be tabled, in theory removing that particular line of attack.
TT
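The post above suggests leaving airodump/kismet running and watching for suspicious de-auth packets. The script below is an added example (not code from the thread or from the aircrack-ng/kismet projects) of what that watching looks like when automated: it parses raw 802.11 management frames, picks out deauthentication frames (type 0, subtype 12), and flags any transmitter/receiver pair that sends more than a threshold of them within a short window, which is the pattern an aireplay -0 flood produces. The MAC addresses, timestamps and frames are all constructed placeholders, and the window and threshold values are assumptions to tune against a real capture (airodump or kismet can write pcaps the same parser would read frame by frame). As the thread notes, the transmitter address in addr2 is spoofable, so an alert identifies the flood, not the person.

```python
import struct
from collections import defaultdict, deque

# Constructed placeholder addresses, not real devices.
AP_MAC = "00:11:22:33:44:55"       # the AP being targeted
CLIENT_MAC = "66:77:88:99:aa:bb"   # the (possibly spoofed) transmitter of the flood
BROADCAST = "ff:ff:ff:ff:ff:ff"

DEAUTH_SUBTYPE = 12   # 802.11 management subtype for deauthentication
BEACON_SUBTYPE = 8    # management subtype for beacons (benign traffic in the sample)


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, addr1, addr2, addr3, body=b""):
    """Build a minimal 802.11 management frame (no radiotap header, no FCS).

    Frame control byte 0: bits 0-1 protocol version, 2-3 type, 4-7 subtype.
    Type 0 (management) leaves only the subtype bits set.
    """
    frame_control = bytes([(subtype << 4) & 0xF0, 0x00])
    duration = b"\x00\x00"
    seq_ctl = b"\x00\x00"
    return (frame_control + duration + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(addr3) + seq_ctl + body)


def parse_frame(raw):
    """Return a dict with type/subtype/addresses, or None for a truncated frame."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": mac_str(raw[4:10]),    # receiver
        "addr2": mac_str(raw[10:16]),   # transmitter (spoofable)
        "addr3": mac_str(raw[16:22]),   # BSSID for management frames
    }
    # Deauth body is a 2-byte little-endian reason code.
    if frame["type"] == 0 and frame["subtype"] == DEAUTH_SUBTYPE and len(raw) >= 26:
        frame["reason"] = struct.unpack("<H", raw[24:26])[0]
    return frame


def is_deauth(frame):
    return frame is not None and frame["type"] == 0 and frame["subtype"] == DEAUTH_SUBTYPE


def detect_deauth_flood(frames, window=1.0, threshold=5):
    """Sliding-window count of deauth frames per (transmitter, receiver) pair.

    frames: iterable of (timestamp_seconds, raw_frame_bytes).
    Returns {(addr2, addr1): peak_count_in_window} for pairs at or above threshold.
    window and threshold are assumed tuning values, not numbers from the thread.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, raw in frames:
        frame = parse_frame(raw)
        if not is_deauth(frame):
            continue
        key = (frame["addr2"], frame["addr1"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return {key: n for key, n in peak.items() if n >= threshold}


# Constructed sample capture: one beacon, one ordinary single deauth from the AP,
# and 20 deauths in under a second from CLIENT_MAC aimed at the AP (reason code 7,
# the value aireplay-style floods commonly carry).
SAMPLE_FRAMES = [(0.0, build_mgmt_frame(BEACON_SUBTYPE, BROADCAST, AP_MAC, AP_MAC)),
                 (0.2, build_mgmt_frame(DEAUTH_SUBTYPE, CLIENT_MAC, AP_MAC, AP_MAC,
                                        struct.pack("<H", 2)))]
SAMPLE_FRAMES += [(0.05 * i, build_mgmt_frame(DEAUTH_SUBTYPE, AP_MAC, CLIENT_MAC, AP_MAC,
                                              struct.pack("<H", 7)))
                  for i in range(20)]
SAMPLE_FRAMES.sort(key=lambda item: item[0])


if __name__ == "__main__":
    for (sender, target), count in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"deauth flood: {sender} -> {target}, {count} frames in 1s window")
```

Feeding it a real capture means stripping the radiotap header each frame carries before calling parse_frame; the detection logic itself does not change. A legitimate AP occasionally deauthenticating a client stays well under the threshold, which is why the sample's single reason-code-2 frame from the AP is not reported.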
Would blocking the MAC that sent the de-auth with iptables do it, or does the device disconnect the connection?
No, it would not help, since the de-authentication packet is sent to the AP, which consequently disconnects the client after receiving it. A MAC filter would make sure that all packets from non-legitimate sources are disregarded, but would be easy enough to circumvent by faking one's MAC address.
-Monkeys are like nature's humans.