
A great number of attack methods for WPA2 involve getting a handshake capture. The fastest way to capture one involves sending deauthentication packets to the client, forcing it to initiate the handshake while you capture the entire transaction with tools such as airodump-ng.

Why do clients respond to any deauth request they hear instead of verifying the origin? It seems to me this would be a basic thing that should have been implemented as part of WPA2 to prevent easily giving away the handshake and to prevent someone from doxing the connection.

Also, will this be addressed in the upcoming WPA3 standard?

NULL

2 Answers


Why do clients respond to any deauth request they hear instead of verifying the origin?

They don't respond to any deauth/disassoc frame they hear; they only respond to such frames that are addressed to them and sourced from their AP's MAC address. And yes, by the nature of 802.11 wireless this would include frames with spoofed source addresses.

Also, will this be addressed in the upcoming WPA3 standard?

No. First, WPA3 is not a standard, it is a specification for getting a particular certification(s) from the Wi-Fi Alliance for a device. The IEEE defines the 802.11 wireless standards and there are no working groups working on any amendments that change the essentials of 802.11i (which the WFA's WPA2 certification is based on). Please see my answer here for more on what WPA3 is if you like.

Second, there is no need to do so. This was addressed in an amendment by the IEEE that was ratified in 2009, namely 802.11w. The issue is that implementation of support for this amendment has been slow by certain vendors outside the enterprise environment. Check out my answer here for more.

It seems to me this would be a basic thing that should have been implemented as part of WPA2 to prevent easily giving away of the handshake and to prevent someone from doxing the connection.

PSK as defined by 802.11i (WPA2) was meant for basic, personal use. It was intended for simplicity and ease of use. If an entity wanted better security, 802.11i defined the use of 802.1X and RADIUS to provide such.

YLearn
  • Even with 802.11w, there are other MAC-layer DoS attacks that will force the station to reauthenticate. – multithr3at3d May 31 '18 at 19:17
  • @multithr3at3d, sure there are but they tend to be more disruptive and as such easier to detect. That is also beside the point as the OP was asking about deauths, which *are* prevented by proper implementation of 802.11w. – YLearn May 31 '18 at 19:32
  • OK, that makes a lot of sense. I didn't realize that when you use a tool like aireplay-ng, for example, you are spoofing the AP MAC in order to present the deauth as coming from the real AP. Thanks for the linked Q/As, will read them. – NULL May 31 '18 at 23:31

To use this technique, an attacker sends a deauthentication packet to another station from the spoofed MAC address of a third victim station. The deauthentication packet is not itself authenticated, which is why this attack is possible.

The technique can be used for a variety of reasons, from "evil twin" attacks to DoSes against personal hotspots. https://en.wikipedia.org/wiki/Wi-Fi_deauthentication_attack has the details.

802.11w adds authentication to management frames, which mitigates this attack.

Mark Beadles
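As an added example that is part of neither answer above, the following Python script shows, from the defender's side, the two points both answers make: the acceptance rule YLearn describes (a client only acts on a deauth/disassoc frame addressed to it and sourced from its AP's MAC, so nothing but the addresses is checked without 802.11w), and the fact that 802.11w marks management frames as protected, which is what lets a capture-side detector separate unprotected deauth bursts from legitimate traffic. It assumes the standard 24-byte 802.11 management header layout and a deliberately simplified model of 802.11w in which a protected management frame is recognised by the Protected Frame bit in frame control; the sample "capture" is constructed in the script, not recorded from real hardware, and the `make_sample_frame` helper exists only to build those test vectors for the parser.

```python
"""Added example (not from the original Q&A): defender-side triage of
802.11 deauth/disassoc frames. Assumes the standard 24-byte management
header and a simplified 802.11w model (Protected Frame bit => protected).
All sample frames below are constructed, not captured."""
import struct
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

FC_TYPE_MGMT = 0
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
FLAG_PROTECTED = 0x40            # Protected Frame bit, frame-control byte 1
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class MgmtFrame:
    subtype: int
    protected: bool
    da: str       # Address 1: destination
    sa: str       # Address 2: source, what a client matches against its AP
    bssid: str    # Address 3
    reason: Optional[int]


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def parse_frame(raw: bytes) -> Optional[MgmtFrame]:
    """Parse a raw 802.11 management frame; return None for anything else."""
    if len(raw) < 24:
        return None
    fc0, fc1 = raw[0], raw[1]
    if fc0 & 0x03 != 0 or (fc0 >> 2) & 0x03 != FC_TYPE_MGMT:
        return None                      # bad protocol version or not management
    subtype = (fc0 >> 4) & 0x0F
    protected = bool(fc1 & FLAG_PROTECTED)
    reason = None
    # The reason code is readable only when the body is not encrypted.
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and not protected and len(raw) >= 26:
        reason = struct.unpack("<H", raw[24:26])[0]
    return MgmtFrame(subtype, protected, _mac_str(raw[4:10]),
                     _mac_str(raw[10:16]), _mac_str(raw[16:22]), reason)


def make_sample_frame(subtype, da, sa, bssid, reason=7, protected=False):
    """Constructed test vector: 24-byte header plus a minimal body."""
    fc0 = (subtype << 4) | (FC_TYPE_MGMT << 2)
    fc1 = FLAG_PROTECTED if protected else 0
    header = (bytes([fc0, fc1]) + struct.pack("<H", 0)          # duration
              + _mac_bytes(da) + _mac_bytes(sa) + _mac_bytes(bssid)
              + struct.pack("<H", 0))                           # sequence control
    # A real 802.11w-protected frame carries a CCMP header, ciphertext and
    # MIC; 16 zero bytes stand in for that here.
    body = b"\x00" * 16 if protected else struct.pack("<H", reason)
    return header + body


def station_accepts(frame, station_mac, ap_bssid, pmf_enabled):
    """Would a client drop its association on this frame?
    Without 802.11w only addressing is checked (sent to me or broadcast,
    sourced from my AP), so a spoofed source address passes. With 802.11w
    an unprotected deauth/disassoc is discarded."""
    if frame.subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        return False
    if frame.da not in (station_mac, BROADCAST):
        return False
    if frame.sa != ap_bssid or frame.bssid != ap_bssid:
        return False
    if pmf_enabled and not frame.protected:
        return False
    return True


def detect_deauth_flood(frames, threshold=10, window=1.0):
    """Alert when a BSSID emits >= threshold unprotected deauth/disassoc
    frames inside a sliding window. frames: iterable of (timestamp, raw)."""
    recent = defaultdict(deque)
    alerts = []
    for ts, raw in frames:
        f = parse_frame(raw)
        if f is None or f.subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) or f.protected:
            continue
        q = recent[f.bssid]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((f.bssid, ts, len(q)))
            q.clear()                    # one alert per burst
    return alerts


# Constructed sample capture: one ordinary deauth, then a 20-frame burst.
AP = "aa:bb:cc:dd:ee:01"
STA = "02:11:22:33:44:55"
SAMPLE_CAPTURE = [(0.0, make_sample_frame(SUBTYPE_DEAUTH, STA, AP, AP, reason=3))]
SAMPLE_CAPTURE += [(5.0 + i * 0.01, make_sample_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP))
                   for i in range(20)]

if __name__ == "__main__":
    for bssid, ts, n in detect_deauth_flood(SAMPLE_CAPTURE):
        print(f"deauth burst from {bssid} at t={ts:.2f}s ({n} frames in window)")
```

The detector keys on unprotected deauth/disassoc frames per BSSID, which is the traffic a capture on a PMF-enabled network should not contain at all; on a network without 802.11w it still separates a legitimate one-off deauth from a burst. Note that `station_accepts` models only the address and protection checks, not the SA Query exchange that 802.11w adds on top.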