
I'm quite familiar with the aircrack-ng suite and I was wondering if there is a way to stop `airodump-ng mon0` from seeing my client's MAC IDs? This is very sensitive information a program can get without even being connected to the AP. How is this possible exactly for the software to find without being connected?

On the second part (a very irritating fact), people use the `macchanger -r` or `-m mon0` command to spoof their MAC, making it nearly impossible to track in Wireshark or anything, but the router sees right past the faked MAC and shows the actual one even when spoofed. Why is that, and could an attacker hide a real MAC when connecting to a wireless access point?

Lastly, how can I stop or prevent (make it harder) the execution of (DDoS) deauth packets? `aireplay-ng -0 -0 -a [AP_MAC] -c [CLIENT_MAC] --ignore-negative-one mon0` This command can cause serious problems with denial of service on clients.

I have heard a couple of things about changing the channel to something high, but it gets into legal issues and other things with antennas.

SilverlightFox
Krea
    Please stick to one question per question. Your first two questions are sort of related; the last one should certainly be separate (it's an interesting question in its own right, though). – cpast Feb 12 '15 at 00:25
  • Lastly how can I stop or prevent (make it harder) to execute a (DDoS) deauth packets? 802.11w; see [this](http://security.stackexchange.com/questions/150085/stations-not-deauthenticating-when-using-aircrack-ng/150162#150162) and [this](http://security.stackexchange.com/questions/83356/802-11w-protected-management-frames-wi-fi/92657#92657) – Matthew1471 Feb 07 '17 at 17:25

1 Answer

For the first question, your MAC address is simply not generally considered sensitive information; protocols are not designed to protect it. MAC addresses are used to let multiple devices share a physical link; packets have a source MAC and destination MAC, so that everyone but the destination knows they can ignore the packet and the destination knows which device they're talking to. The addresses are unencrypted because that's how your card knows what packets to process. WPA2 could theoretically have been designed so that it used special tokens for this purpose, but it's not clear what the point would be, because MACs aren't considered secret.

For question 2, I'm not sure the router is "seeing past" it. You can change your MAC address. It's something in firmware; on many cards, you can very easily change what the card thinks its MAC address is. There's no such thing as the "real" address; you can change the address, and that is the new real address of the device. Maybe you're seeing older log entries, or you didn't spoof it correctly, because there is in fact no general way to detect a "spoofed" MAC. An attacker can set their MAC to anything they want, and that is their new actual MAC address.

For 3, you should look into 802.11w. This is a fairly recent extension to the 802.11 standard that adds authentication and encryption to management frames (including deauth frames), which prevents deauth attacks. I think Linux and Windows both support it in general; whether or not your access point supports it is something I do not know, but you should look into it.

Changing the wireless channel is not a good option, but 802.11w is a very good option to prevent deauth attacks.

cpast
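An added example, not part of the question or the answer above, illustrating two of the answer's points: the 802.11 MAC header carries its three addresses in the clear, so any radio in monitor mode can read them without associating, and once 802.11w protected management frames are in force a burst of *unprotected* deauthentication frames is the thing a defender should be counting. The addresses, the frame builder and the sample capture are all constructed here; nothing is taken from a real network.

```python
import struct
from collections import Counter

# Constructed sample addresses (locally administered; not from any real network)
AP = bytes.fromhex("02aabbcc0001")
CLIENT = bytes.fromhex("02aabbcc0002")
DEAUTH_FC0 = 0xC0  # frame control byte 0: type 0 (management), subtype 12 (deauthentication)
DATA_FC0 = 0x08    # frame control byte 0: type 2 (data), subtype 0

def mac_str(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)

def build_frame(fc0: int, addr1: bytes, addr2: bytes, addr3: bytes,
                body: bytes = b"", protected: bool = False) -> bytes:
    """Minimal 802.11 MAC header: FC(2) duration(2) addr1 addr2 addr3 seqctl(2), then the body."""
    fc1 = 0x40 if protected else 0x00  # bit 6 of FC byte 1 is the Protected Frame flag
    return bytes([fc0, fc1]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body

def parse_header(frame: bytes) -> dict:
    """The header is never encrypted, so every address is readable by any nearby radio."""
    fc0, fc1 = frame[0], frame[1]
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "protected": bool(fc1 & 0x40),
        "addr1": mac_str(frame[4:10]),   # receiver address
        "addr2": mac_str(frame[10:16]),  # transmitter address
        "addr3": mac_str(frame[16:22]),  # BSSID for station <-> AP traffic
    }

def is_deauth(hdr: dict) -> bool:
    return hdr["type"] == 0 and hdr["subtype"] == 12

def unprotected_deauth_counts(frames, threshold: int = 5) -> dict:
    """Count unprotected deauth frames per (transmitter, receiver). When 802.11w (MFP) is
    negotiated a legitimate deauth is protected, so a burst of unprotected ones is a flood
    worth investigating; the threshold is an assumed tuning value."""
    counts = Counter()
    for f in frames:
        h = parse_header(f)
        if is_deauth(h) and not h["protected"]:
            counts[(h["addr2"], h["addr1"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

# Constructed capture: one data frame, one protected (legitimate) deauth with reason code 3,
# then a burst of 20 unprotected deauths carrying the AP's address as transmitter.
CAPTURE = [build_frame(DATA_FC0, AP, CLIENT, AP, b"payload"),
           build_frame(DEAUTH_FC0, CLIENT, AP, AP, struct.pack("<H", 3), protected=True)]
CAPTURE += [build_frame(DEAUTH_FC0, CLIENT, AP, AP, struct.pack("<H", 7)) for _ in range(20)]
```

Running `unprotected_deauth_counts(CAPTURE)` reports only the 20-frame burst; the single protected deauth is ignored, which is exactly the distinction 802.11w gives a station or a wireless IDS to work with.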