3

I am running blackbox pentests on an enterprise wireless setup. My area of attack consists of multiple APs that have a 2.4 GHz interface and also a 5 GHz one.

I have successfully deauthenticated users from the 2.4 GHz interface and they jumped to the 5 GHz one.

The problem comes when I try to deauth them from the 5 GHz. Expectations are that they will jump back to the 2.4 GHz frequency or they will be temporarily deauthed, but neither case appears to be happening from my understanding.

When I am running the deauth attack I constantly receive acknowledgements of deauth (or ACKs) from both the targeted AP and targeted victim's MAC but the connection to the internet is still alive and no interference is noticed in the targeted machine. I am thinking that the AP monitors the deauth incoming packets and if there is a larger sequence it will deflect it but this should be replicated on the 2.4 GHz interface too.

Is this due to something within the 5 GHz protocol - does the re-connection from the 5 GHz happen too fast for the victim's machine to notice? Is it backwards compatible? (I mean, is the jump from 5 to 2.4 actually real, and can it happen?)

Note: The tests are done correctly with the correct devices and tools (mdk3, aireplay and other custom made tools) according to the requirements laid out in their respective manuals.

LTPCGO
Sabin Nicula
  • What does a deauth attack have to do with pentest? – DepressedDaniel Nov 25 '16 at 00:11
  • 1
    Perhaps because when you deauth someone, they will often reauth, thus providing an opportunity to capture. – Troy Witthoeft Nov 25 '16 at 02:01
  • @[Sabin Nicula] s279 asked, and I think it's valid. You're SURE you have the correct hardware? Very few radio chipsets work reliably at 5GHz with aireplay. Internet is littered with folks asking for help deauthing 5GHz bands. Can you PLEASE confirm what radio chipset are you using and what 5GHz radio band are you targeting N? AC? – Troy Witthoeft Nov 25 '16 at 02:15
  • What hardware are you using for 5ghz? – s279 Nov 25 '16 at 00:44
  • Yes, the attack is done correctly, the AP has 2 different BSSIDs for the 2.4 and 5. I made sure to choose them correctly when I launch the tests. For the 5 GHz frequency attacks I used both my machine's embedded wireless driver that can support 2.4 and 5 and a TP-Link WDN3200 that also supports both of the frequencies. Also when I launched the attack I made sure to target the right channel; I have monitored the traffic while attacking (5 GHz attack) and it keeps switching the target's power to 0 and back on -X but no effect on the internet connection. Just to clear things out. – Sabin Nicula Nov 25 '16 at 08:57
  • My expectations were that if I managed to successfully deauth from the 2.4 GHz and noted that the target jumped to the 5 GHz frequency then I should reverse the process and jump it back to 2.4 or at least observe some internet disruptions when attacking the 5 GHz. My actual point is to release a rogue AP with better power so that when deauth is happening, it should pick my rogue AP because of better power. But there is no evidence that the target is actually experiencing any deauth from the 5 GHz so a follow-up on the attack with a rogue AP would be useless and blind. – Sabin Nicula Nov 25 '16 at 09:04
  • @TroyWitthoeft I am targeting with A. Also the channel is 64. I do not have a device that supports AC, that would have been great though. But I think the problem might not be so related with the device. More with the protocol I suppose. Also another premise should be that the AP recognizes multiple deauth packets and filters them. I am thinking that sending one packet at a higher interval of time should make them count as valid. – Sabin Nicula Nov 25 '16 at 10:34
  • It might be the DFS in the 5 GHz band; channels 52-140 have Dynamic Frequency Selection to avoid other technologies in the same spectrum, so maybe after the deauth both AP and STA are jumping into another channel? – Azteca Jan 18 '17 at 22:32
  • @SabinNicula I've edited your question to make it a bit clearer but couldn't quite make sense of the end, can you help me to rephrase the following: 'Is it backwards compatible? (I mean, does the jump from 5 to 2.4 is actually real and can happen ?)'? – LTPCGO Sep 04 '19 at 14:20

1 Answer

2

Deauth can be tricky. Let's look at some common issues from Aircrack-ng's page on Deauthentication.

You are physically too far away from the client(s)

How close are you? Can you get closer? If not, have you considered a better card? The Alfa cards are a favorite for this type of work. See them in action here and here. By better I mean louder with chipsets having more mature drivers. I am suggesting the Alfa AWUS051NH. The TP-Link TL-WDN3200 you are using can work, but it has a history of funny driver issues in Kali Linux. Just a suggestion.

Some clients ignore broadcast deauths

You said you are targeting an enterprise device? Is it made by Cisco? Does it have IEEE 802.11w-2009 turned on so that it encrypts its management frames? That would defeat your deauth attempts. However, you did say that you can SEE the deauth ACKs, yes? So, it looks like it's working...

Clients may reconnect too fast for you to see that they had been disconnected.

And this is it, no? You ARE deauthing the client and they are reconnecting too fast for you to observe a service interruption. What did you expect to see?

Hope this helps.

  • Thank you for the answer. I have studied the phenomenon deeper into the protocol packets and I have monitored the following processes: I have captured and studied the deauth from the 2.4 of a client while jumping into the 5 GHz interface (having also a monitor on that freq). Looking at the management frames and the packets sent and received between the AP and the victim showed me that the process of deauth from the 2.4 is quite similar to the 5 one. And yes, it's about a Cisco AP. The difference is represented by the fact that in the 5 GHz interface, the AP keeps communicating with the victim. – Sabin Nicula Nov 28 '16 at 22:11
  • In the 5 GHz freq their behavior is in fact strange because the AP and the target seem like they both exchanged ACKs for the deauth action but after that they keep sending requests to send and receive. Until I acquire a better card, I will blame it on the TP-Link I used for the tests. Even though the same AP broadcasts both 2.4 GHz and 5 GHz frequencies, the 2.4 has a larger radius than the 5 one. The ACKs from 2.4 were something like 60 | 62 (from 2 steps of 128 sent packets) while the ones from the 5 GHz attack were 10 | 4 on average. So this sums up to: the power of the card's signal was too low. – Sabin Nicula Nov 28 '16 at 22:18
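To make the answer's two points concrete from the AP-side monitoring view (802.11w-protected deauths versus plaintext ones, and clients reconnecting right after a deauth), here is an added detection sketch that is not from the original thread: it runs over a constructed list of management-frame summaries, counts unprotected deauths per BSSID and band in a sliding time window, and reports how many auth/assoc frames followed. The BSSIDs, timestamps and thresholds are all made up for illustration.

```python
from collections import defaultdict

# Constructed management-frame summaries, roughly what a monitor-mode capture
# on the 2.4 GHz and 5 GHz BSSIDs of one AP might reduce to. Values are made up.
AP_24 = "AA:AA:AA:AA:AA:01"   # hypothetical 2.4 GHz BSSID
AP_5 = "AA:AA:AA:AA:AA:02"    # hypothetical 5 GHz BSSID

def frame(t, band, bssid, subtype, protected=False):
    return {"t": t, "band": band, "bssid": bssid,
            "subtype": subtype, "protected": protected}

SAMPLE_FRAMES = (
    # 12 plaintext deauths in ~1 s on 2.4 GHz, then the client re-authenticates
    [frame(0.1 * i, "2.4", AP_24, "deauth") for i in range(12)]
    + [frame(1.5, "2.4", AP_24, "auth"), frame(1.6, "2.4", AP_24, "assoc_req")]
    # 12 deauths on 5 GHz, all with the Protected Frame bit set (802.11w):
    # a forged one cannot carry a valid MIC, so the client drops it anyway
    + [frame(0.1 * i, "5", AP_5, "deauth", protected=True) for i in range(12)]
)

def detect_deauth_floods(frames, threshold=10, window=5.0):
    """Return one alert per (bssid, band) whose unprotected deauth count
    within any `window`-second span reaches `threshold`.

    Protected deauths are skipped: only plaintext ones are evidence of
    spoofing. Each alert also carries the number of auth/(re)assoc frames
    seen on that BSSID, a rough sign of clients being bumped and reconnecting.
    """
    deauth_times = defaultdict(list)
    reconnects = defaultdict(int)
    for f in frames:
        key = (f["bssid"], f["band"])
        if f["subtype"] == "deauth" and not f["protected"]:
            deauth_times[key].append(f["t"])
        elif f["subtype"] in ("auth", "assoc_req", "reassoc_req"):
            reconnects[key] += 1

    alerts = []
    for key, times in deauth_times.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):        # sliding window over timestamps
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts.append({"bssid": key[0], "band": key[1],
                           "peak_deauths": peak, "reconnects": reconnects[key]})
    return alerts
```

On the constructed sample only the 2.4 GHz BSSID is flagged; the 5 GHz frames are all protected and therefore never counted, which is the behaviour a WIPS on an 802.11w network should show.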