3

When using aircrack to attack WPA, deauth packets are used to force a host to deauthenticate. But the machine sending these deauth packets is not even connected to the network. How possible is it that the AP accepts packets from a machine not connected to it? In other words, why would an AP or end host accept de-authentication requests from arbitrary senders who are not even connected to the network?

Minaj
  • 1,536
  • 2
  • 14
  • 23

1 Answer

5

AP accepts packets from a machine not connected to it from arbitrary senders

Normally, deauthentication [and other management] frames don't have to be encrypted (i.e. require an existing authenticated 'connection' between the AP and the client). Therefore, they can be spoofed.

The way to protect against this kind of attack is to use Management Frame Protection (check out http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/82196-mfp.html#climfp):

Specifically, client MFP encrypts management frames sent between access points and CCXv5 clients so that both access points and clients can take preventive action and drop spoofed class 3 management frames (that is, management frames passed between an access point and a client that is authenticated and associated). Client MFP leverages the security mechanisms defined by IEEE 802.11i to protect these types of class 3 unicast management frames: disassociation, deauthentication, and QoS (WMM) action.

What are the legitimate uses for deauth frame?

In addition to just that, termination of the secure communication (e.g. 'Forget this network'), there are a few possible reasons specified by 802.11, like these (reason/description):

  • 2 - Previous authentication no longer valid
  • 3 - Station is leaving (or has left) IBSS or ESS
  • 4 - Disassociated due to inactivity

(you can read more at, for example, https://supportforums.cisco.com/document/141136/80211-association-status-80211-deauth-reason-codes or )

Why is it that Access Points do not implement these Management Frame Protection mechanisms?

It is available in many APs, but usually "Optional" by default, to prevent client connectivity issues. You can read more in this answer: 802.11w protected management frames - Wi-Fi

Personally, I think that it is not such a big deal, because (a) strong PSKs make bruteforcing long and non-so-effective, (b) you can just wait for a legitimate client to leave and come back to catch the handshake. I.e. it makes it harder to get in, but doesn't prevent the possibility.

Alex Leonov
  • 166
  • 4
  • Why is it that Access Points do not implement these Management Frame Protection mechanisms ? It appears all Wi-Fi networks today are vulnerable to spoofing of deauth packets. Why are these mechanisms not used? – Minaj Oct 15 '16 at 22:52
  • Also, can you please clarify on the purpose of deauth packets in practice? I know how they help to aid attacks, but I am not sure of their legitimate purpose when a network operates normally – Minaj Oct 15 '16 at 22:57
  • @Minaj added some info to the answer – Alex Leonov Oct 16 '16 at 19:47
  • Thanks. One more question: when attacking WPA, why is it that a single deauthenticate message is normally not enough to cause deauthentication? One usually has to send multiple messages to achieve deauthentication. Not sure why this is the case. Any ideas? – Minaj Oct 16 '16 at 20:02
  • @Minaj I think it's because not all packets are actually received - either due to distance, signal strength, or something else; aircrack even shows you number of ACKs from AP and the client for the deauth packets – Alex Leonov Oct 16 '16 at 21:19
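The answer's two points (deauth frames are unprotected management frames that carry a plaintext reason code, and 802.11w/MFP makes them protected) can be checked on the wire. The following is an added example written for this page, not code from the question, the answer or any tool mentioned; it decodes the 802.11 header of deauthentication/disassociation frames, maps the reason codes the answer lists, and raises alerts a wireless IDS would want: an unprotected deauth on a BSS that requires PMF, and a burst of deauths from one sender in a short window. All MAC addresses and frames are constructed in the block, and the "protected" frame only sets the Protected Frame bit with a placeholder body in place of the CCMP-encrypted body a real 802.11w frame would carry.

```python
"""Decode 802.11 deauth/disassoc frames and flag spoofing indicators.

Added example for this page; frames and addresses below are constructed.
"""
import struct
from collections import defaultdict

# Subset of IEEE 802.11 reason codes, including the three cited in the answer
REASON_CODES = {
    1: "Unspecified reason",
    2: "Previous authentication no longer valid",
    3: "Station is leaving (or has left) IBSS or ESS",
    4: "Disassociated due to inactivity",
    7: "Class 3 frame received from nonassociated STA",
}

TYPE_MGMT = 0
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
FC_PROTECTED = 0x40  # Protected Frame bit, second Frame Control octet


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_deauth(dst, src, bssid, reason, protected=False):
    """Construct a minimal deauth frame (test input only). A 'protected'
    frame here just sets the bit and carries a placeholder body standing in
    for the CCMP-wrapped body that 802.11w would produce."""
    fc0 = (TYPE_MGMT << 2) | (SUBTYPE_DEAUTH << 4)
    fc1 = FC_PROTECTED if protected else 0
    header = struct.pack("<BBH", fc0, fc1, 0)            # FC + duration
    header += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    header += struct.pack("<H", 0)                       # sequence control
    body = (b"\x00" * 8 + b"\xa5\xa5") if protected else struct.pack("<H", reason)
    return header + body


def parse_mgmt(raw):
    """Decode a deauth/disassoc frame header; return None for other frames."""
    if len(raw) < 24:
        return None
    fc0, fc1 = raw[0], raw[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != TYPE_MGMT or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        return None
    protected = bool(fc1 & FC_PROTECTED)
    reason = None
    # The reason code is plaintext only when the frame is unprotected
    if not protected and len(raw) >= 26:
        reason = struct.unpack_from("<H", raw, 24)[0]
    return {
        "subtype": "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc",
        "dst": mac_str(raw[4:10]),
        "src": mac_str(raw[10:16]),
        "bssid": mac_str(raw[16:22]),
        "protected": protected,
        "reason": reason,
        "reason_text": REASON_CODES.get(reason, "Reserved/other")
        if reason is not None else "(encrypted body)",
    }


def detect_deauth_abuse(timed_frames, pmf_required_bssids=(), burst_threshold=5, window=1.0):
    """Two checks over (timestamp, raw_frame) pairs:
    1. unprotected deauth/disassoc on a BSS that requires 802.11w (spoofable);
    2. more than burst_threshold deauths from one sender within window seconds.
    Returns the alert strings in the order they were raised."""
    alerts = []
    history = defaultdict(list)
    burst_reported = set()
    for ts, raw in sorted(timed_frames, key=lambda p: p[0]):
        f = parse_mgmt(raw)
        if f is None:
            continue
        if f["bssid"] in pmf_required_bssids and not f["protected"]:
            alerts.append(f"unprotected {f['subtype']} from {f['src']} on PMF BSS "
                          f"{f['bssid']} (reason {f['reason']}: {f['reason_text']})")
        times = history[f["src"]]
        times.append(ts)
        while times and ts - times[0] > window:       # sliding window
            times.pop(0)
        if len(times) > burst_threshold and f["src"] not in burst_reported:
            burst_reported.add(f["src"])
            alerts.append(f"deauth burst: {len(times)} frames from {f['src']} "
                          f"within {window}s (dst {f['dst']})")
    return alerts


# Constructed addresses (locally administered, not real devices)
AP = "02:00:00:00:aa:01"
CLIENT = "02:00:00:00:cc:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def sample_capture():
    """Constructed capture: one legitimate deauth, one 20-frame burst with the
    AP address as sender, and one frame as 802.11w would deliver it."""
    frames = [(0.0, build_deauth(CLIENT, AP, AP, 4))]
    frames += [(10.0 + i * 0.025, build_deauth(BROADCAST, AP, AP, 7)) for i in range(20)]
    frames.append((20.0, build_deauth(CLIENT, AP, AP, 3, protected=True)))
    return frames


if __name__ == "__main__":
    for a in detect_deauth_abuse(sample_capture(), pmf_required_bssids={AP}):
        print(a)
```

Without `pmf_required_bssids`, only the burst is reported: a lone deauth with reason 4 looks like the AP dropping an idle client, which the answer lists as a legitimate use. With the BSS marked as PMF-required, every unprotected deauth is reported as well, which is the operational effect of enabling 802.11w: the reason code on a protected frame is no longer readable or forgeable, so a monitor can treat any plaintext deauth on that BSS as spoofed.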