Page 1 of 2 (results 1 to 10 of 13)

Thread: Defending against aireplay-ng deauthentication

  1. #1 imported_Deathray (Member, joined Oct 2007, 381 posts)

    Defending against aireplay-ng deauthentication

    Some idiot at school today was spamming deauthentication packets destined to the MAC address of our school's main AP. The teachers had no idea what was going on, but luckily I know of Wireshark. Is there any way to ignore those types of packets as a temporary solution? Or is the only way to find the source and beat him over the head :b ?
    - Poul Wittig

  2. #2 T1ckT0ck (Junior Member, joined Mar 2008, 41 posts)

    Quote Originally Posted by Deathray:
        Some idiot at school today was spamming deauthentication packets destined to the MAC address of our school's main AP. The teachers had no idea what was going on, but luckily I know of Wireshark. Is there any way to ignore those types of packets as a temporary solution? Or is the only way to find the source and beat him over the head :b ?
    No, the deauth packet is a standard packet.

    While looking in Wireshark, did you notice if he was smart enough to change his MAC?
    I have indirectly been told to play nice...yay.

  3. #3 Talkie Toaster (Senior Member, Scotland, joined Jun 2008, 131 posts)

    Quote Originally Posted by T1ckT0ck:
        While looking in Wireshark, did you notice if he was smart enough to change his MAC?
    I was just thinking that myself..... SV had started a thread about sending custom de-auth packets to troublesome users to de-auth them back constantly, and you could add customised text into the packet for them to read in Wireshark (if they know how!)

    Not a solution, but it will bug the offender and might make him stop it....

    TT

    Or, with the network admin's permission, go after him with Karmetasploit..... Filter it so it only attacks the one target (real or fake MAC). You and the network admin can have some fun with him.... a good learning experience for both of you!

    TT
    Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

  4. #4 imported_Deathray (Member, joined Oct 2007, 381 posts)

    Quote Originally Posted by T1ckT0ck:
        No, the deauth packet is a standard packet.

        While looking in Wireshark, did you notice if he was smart enough to change his MAC?
    Yes I did. I wrote it down, and once the attack stopped I scanned the network with nmap multiple times to see if he was stupid enough to log on and reveal himself. No luck so far, so it probably is spoofed.

    Quote Originally Posted by Talkie Toaster:
        I was just thinking that myself..... SV had started a thread about sending custom de-auth packets to troublesome users to de-auth them back constantly, and you could add customised text into the packet for them to read in Wireshark (if they know how!)

    Not a solution, but it will bug the offender and might make him stop it....

    TT
    Haha funny idea, I'm definitely going to look into that :b.
    Quote Originally Posted by Talkie Toaster:
        Or, with the network admin's permission, go after him with Karmetasploit..... Filter it so it only attacks the one target (real or fake MAC). You and the network admin can have some fun with him.... a good learning experience for both of you!
        TT
    I'd rather do stuff like that at home. I doubt my teacher would allow me to do something like that. No matter what HE did, that would still be highly illegal :P But otherwise a good idea.
    - Poul Wittig

  5. #5 Talkie Toaster (Senior Member, Scotland, joined Jun 2008, 131 posts)

    Quote Originally Posted by Deathray:
        I'd rather do stuff like that at home. I doubt my teacher would allow me to do something like that. No matter what HE did, that would still be highly illegal :P But otherwise a good idea.
    Just wait till he breaks something serious.... then you'll see the network admin stalking the halls at your school with some handheld BackTrack, threatening to re-programme the offender's laptop - with an axe!

    There is nothing like having to crawl around in a dusty false ceiling to reset a hidden router to make a school/workplace think about a more 'active' security policy.....

    If he is spoofing his MAC and your admin gets hold of a suspect laptop at some point, remind him to check the bash history (assuming he's using Linux, which he probably will be if he's playing with de-auths). Everyone always forgets to reset their bash history..... the macchanger command and the aireplay -0 with your school's AP MAC address would be some pretty hard evidence for someone to deny.

    TT
    Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

  6. #6 Shatter (Senior Member, joined Jan 2010, 192 posts)

    Maybe he's using the BackTrack CD. No evidence left behind.
    Until recently, I thought that faking a MAC address makes you safe, but apparently I was wrong. It is however possible to RF-fingerprint the troublesome transmitter device (Bayesian detection) and then scan the air for a match. Unlike the MAC address, that cannot be spoofed.

  7. #7 Just burned his ISO (joined Oct 2008, 11 posts)

    Is there a way to detect if my wireless is being scanned/attacked by aireplay? And somehow block them? Stop them?

  8. #8 Talkie Toaster (Senior Member, Scotland, joined Jun 2008, 131 posts)

    You can watch out for them by leaving airodump/Kismet running and watching for either association with your AP (if you're using WEP, which you shouldn't be!) or for suspicious de-auth packets (for WPA; Kismet picks these up best....), but the problem is that by the time you notice, the attacker will probably already have your key or WPA handshake!

    With good equipment and fast typing, cracking WEP in under 5 mins is easy. And WPA handshakes can be caught with a single de-auth packet if you have good equipment and know where to point it. After the attacker has the handshake he can go home and dump it into his main computer and work on it at his own pace; he doesn't need to be in range of your network after he has the handshake.

    In fact I have a neighbour who recently got an N-class router, and my box that scans for suspicious clients regularly (once every 2 or so days) picks up its complete handshake even though I'm channel hopping (1, 6, 11) and even though the neighbour is 100 yds away! De-auths are not even needed if your attacker has lots of spare time.

    The best defence is a massive passphrase with special characters, and for the extra paranoid there are symbols you can use which either make it a pain in the ass to type in the commands (including bash symbols in your ESSID) or impossible to use rainbow tables against you, as some symbols can't be tabled, in theory removing that particular line of attack.

    TT
    Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

  9. #9 compaq (Good friend of the forums, joined Jun 2008, 425 posts)

    Would blocking the MAC that sends the de-auth with iptables do it, or does the device disconnect the connection?

  10. #10 Senior Member (joined Apr 2008, 2,008 posts)

    Quote Originally Posted by compaq:
        Would blocking the MAC that sends the de-auth with iptables do it, or does the device disconnect the connection?
    No, it would not help, since the de-authentication packet is sent to the AP, which consequently disconnects the client after receiving it. A MAC filter would make sure that all packets from non-legitimate sources are disregarded, but would be easy enough to circumvent by faking one's MAC address.
    -Monkeys are like nature's humans.
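Post #8 suggests watching for suspicious de-auth frames and post #10 explains why iptables never sees them. As an added example that is not part of the thread, here is a minimal parser for 802.11 deauthentication frames (a layer-2 management frame with no IP header) and a sliding-window flood detector run over constructed sample frames; the MAC addresses, reason codes, threshold and window are assumptions.

```python
import struct
from collections import defaultdict, deque
MGMT_DEAUTH = 0xC0   # frame-control byte 0: protocol 0, type 0 (management), subtype 12 (deauthentication)
BROADCAST = b"\xff" * 6

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for an 802.11 deauth frame, else None.
    It is pure layer-2 management traffic: there is no IP header for iptables to match."""
    if len(frame) < 26 or frame[0] != MGMT_DEAUTH:
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    (reason,) = struct.unpack_from("<H", frame, 24)   # reason code follows the 24-byte header
    return dst, src, bssid, reason

class DeauthMonitor:
    """Alert once per (source, BSSID) that sends >= threshold deauths inside a sliding window."""
    def __init__(self, threshold=5, window=2.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)   # (src, bssid) -> timestamps of recent deauths
        self.alerted = set()
    def feed(self, ts, frame):
        parsed = parse_deauth(frame)
        if parsed is None:
            return None
        dst, src, bssid, reason = parsed
        key, q = (src, bssid), self.recent[(src, bssid)]
        q.append(ts)
        while ts - q[0] > self.window:      # forget deauths older than the window
            q.popleft()
        if len(q) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return {"src": mac(src), "bssid": mac(bssid), "reason": reason,
                    "broadcast": dst == BROADCAST, "count": len(q)}
        return None

def build_deauth(dst, src, bssid, reason=7):
    # Constructed sample frame for the demo, not captured traffic: 24-byte header, seq ctrl 0, reason.
    return struct.pack("<BBH", MGMT_DEAUTH, 0, 0) + dst + src + bssid + struct.pack("<HH", 0, reason)

def run_demo():
    ap, client = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # assumed addresses
    traffic = [(0.0, build_deauth(ap, client, ap, reason=3)),   # one client leaving normally
               (0.5, b"\x08\x00" + b"\x00" * 30)]               # a data frame, ignored by the parser
    # flood: broadcast deauths forged with the AP's own address as source, ten per second
    traffic += [(1.0 + i * 0.1, build_deauth(BROADCAST, ap, ap)) for i in range(8)]
    mon = DeauthMonitor()
    return [hit for hit in (mon.feed(ts, frame) for ts, frame in traffic) if hit]
```

Detection like this only tells you the flood is happening; the standards-level fix is 802.11w Protected Management Frames, which lets an AP and client that both support it drop deauth frames that are not cryptographically protected.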
