Term Paper on Attacking Wi-Fi nets with traffic injection
Abstract- Wi-Fi is a popular technology that allows an electronic device to exchange data wirelessly (using radio waves) over a computer network, including high-speed Internet connections. There are many techniques to attack any Wi-Fi network. Traffic injection is also one of the techniques.
Traffic injection also known as Wi-Fi Injection used to hack Wi-Fi system to access information on pc or attack the PC with virus, or can access the internet from your Wi-Fi system.INTRODUCTION
The injection attack involves "injecting" or forcefully inserting fragments or complete code. This is usually aimed at altering the normal path or execution of the flow of the operation. Injecting is usually done in places where user input is requested, and instead of entering standard inputs, the attacker inserts codes, thus leading to the name, injection attack.
In a traffic injection attack, a cracker can make use of access points that are exposed to non-filtered network traffic, specifically broadcasting network traffic such as “Spanning Tree” (802.1D), OSPF, RIP, and HSRP. The cracker injects bogus networking re-configuration commands that affect routers, switches, and intelligent hubs. A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices.
- PROBLEM DEFINITION
Attacking Wi-Fi nets with traffic injection is a technique of hacking or brought down any Wi-Fi network by injecting bogus traffic. So we have to find technique of traffic injection in any Wi-Fi network.
- Existing solution:
In traffic injection we mostly attack Wi-Fi using open Internet protocol. So before we learn how to inject traffic in Wi-Fi we first should understand what internet protocol is we should gain enough knowledge of internet protocol and what are the types of Internet protocols are there which can be used in traffic injection.
Internet protocol (IP):
The Internet Protocol (IP) is the principal communications protocol used for relaying datagrams (also known as network packets) across an internetwork using the Internet Protocol Suite. Responsible for routing packets across network boundaries, it is the primary protocol that establishes the Internet.
IP is the primary protocol in the Internet Layer of the Internet Protocol Suite and has the task of delivering datagrams from the source host to the destination host solely based on the addresses. For this purpose, IP defines datagram structures that encapsulate the data to be delivered. It also defines addressing methods that are used to label the datagram source and destination.
Historically, IP was the connectionless datagram service in the original Transmission Control Program introduced by Vint Cerf and Bob Kahn in 1974, the other being the connection-oriented Transmission Control Protocol (TCP). The Internet Protocol Suite is therefore often referred to as TCP/IP.
The first major version of IP, Internet Protocol Version 4 (IPv4), is the dominant protocol of the internet. Its successor is Internet Protocol Version 6 (IPv6), which is increasing usage.
Different types of internet protocols used for traffic injection:
a) Spanning Tree Protocol (STP): The Spanning Tree Protocol (STP) is a network protocol that ensures a loop-free topology for any bridged Ethernet local area network. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. Spanning tree also allows a network design to include spare (redundant) links to provide automatic backup paths if an active link fails, without the danger of bridge loops, or the need for manual enabling/disabling of these backup links.
Spanning Tree Protocol (STP) is standardized as IEEE 802.1D. As the name suggests, it creates a spanning tree within a mesh network of connected layer-2 bridges (typically Ethernet switches), and disables those links that are not part of the spanning tree, leaving a single active path between any two network nodes.
STP is based on an algorithm invented by Radia Perlman while working for Digital Equipment Corporation.
Operation: The collection of bridges in a local area network (LAN) can be depicted as a graph whose nodes are bridges and LAN segments (or cables), and whose edges are the interfaces connecting the bridges to the segments. To break loops in the LAN while maintaining access to all LAN segments, the bridges collectively compute a spanning tree. The spanning tree is not necessarily a minimum cost spanning tree. A network administrator can reduce the cost of a spanning tree, if necessary, by altering some of the configuration parameters in such a way as to affect the choice of the root of the spanning tree. The spanning tree that the bridges compute using the Spanning Tree Protocol can be determined using the following rules. The example network at the right, below, will be used to illustrate the rules.
Select a root bridge. The root bridge of the spanning tree is the bridge with the smallest (lowest) bridge ID. Each bridge has a unique identifier (ID) and a configurable priority number; the bridge ID contains both numbers. To compare two bridge IDs, the priority is compared first. If two bridges have equal priority, then the MAC addresses are compared. For example, if switches A (MAC=0200.0000.1111) and B (MAC=0200.0000.2222) both have a priority of 10, then switch A will be selected as the root bridge. If the network administrators would like switch B to become the root bridge, they must set its priority to be less than 10.
Determine the least cost paths to the root bridge. The computed spanning tree has the property that messages from any connected device to the root bridge traverse a least cost path, i.e., a path from the device to the root that has minimum cost among all paths from the device to the root. The cost of traversing a path is the sum of the costs of the segments on the path. Different technologies have different default costs for network segments. An administrator can configure the cost of traversing a particular network segment. The property that messages always traverse least-cost paths to the root is guaranteed by the following two rules.
Least cost path from each bridge. After the root bridge has been chosen, each bridge determines the cost of each possible path from itself to the root. From these, it picks one with the smallest cost (a least-cost path). The port connecting to that path becomes the root port (RP) of the bridge.
Least cost path from each network segment. The bridges on a network segment collectively determine which bridge has the least-cost path from the network segment to the root. The port connecting this bridge to the network segment is then the designated port (DP) for the segment.
Disable all other root paths. Any active port that is not a root port or a designated port is a blocked port (BP).
Modifications in case of ties. The above rules over-simplify the situation slightly, because it is possible that there are ties, for example, two or more ports on a single bridge are attached to least-cost paths to the root or two or more bridges on the same network segment have equal least-cost paths to the root. To break such ties:
Breaking ties for root ports. When multiple paths from a bridge are least-cost paths, the chosen path uses the neighbor bridge with the lower bridge ID. The root port is thus the one connecting to the bridge with the lowest bridge ID. For example, in figure 3, if switch 4 were connected to network segment d instead of segment c, there would be two paths of length 2 to the root, one path going through bridge 24 and the other through bridge 92. Because there are two least cost paths, the lower bridge ID (24) would be used as the tie-breaker in choosing which path to use.
Breaking ties for designated ports. When more than one bridge on a segment leads to a least-cost path to the root, the bridge with the lower bridge ID is used to forward messages to the root. The port attaching that bridge to the network segment is the designated port for the segment. In figure 4, there are two least cost paths from network segment d to the root, one going through bridge 24 and the other through bridge 92. The lower bridge ID is 24, so the tie breaker dictates that the designated port is the port through which network segment d is connected to bridge 24. If bridge IDs were equal, then the bridge with the lowest MAC address would have the designated port. In either case, the loser sets the port as being blocked.
The final tie-breaker. In some cases, there may still be a tie, as when two bridges are connected by multiple cables. In this case, multiple ports on a single bridge are candidates for root port. In this case, the path which passes through the port on the neighbor bridge that has the lowest port priority is used.
In summary, the sequence of events to determine the best received BPDU (which is your best path to the root) is
- lowest root bridge id
- lowest root path cost
- lowest sender bridge id
- lowest sender port number
b) Open Shortest Path First (OSPF): Open Shortest Path First (OSPF) is an adaptive routing protocol for Internet Protocol (IP) networks. It uses a link state routing algorithm and falls into the group of interior routing protocols, operating within a single autonomous system (AS). It is defined as OSPF Version 2 in RFC 2328 (1998) for IPv4. The updates for IPv6 are specified as OSPF Version 3 in RFC 5340 (2008).
OSPF is perhaps the most widely-used interior gateway protocol (IGP) in large enterprise networks. IS-IS, another link-state dynamic routing protocol, is more common in large service provider networks. The most widely-used exterior gateway protocol is the Border Gateway Protocol (BGP), the principal routing protocol between autonomous systems on the Internet.
OSPF is an interior gateway protocol that routes Internet Protocol (IP) packets solely within a single routing domain (autonomous system). It gathers link state information from available routers and constructs a topology map of the network. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets. OSPF was designed to support variable-length subnet masking (VLSM) or Classless Inter-Domain Routing (CIDR) addressing models.
OSPF detects changes in the topology, such as link failures, very quickly and converges on a new loop-free routing structure within seconds. It computes the shortest path tree for each route using a method based on Dijkstra's algorithm, a shortest path first algorithm.
The link-state information is maintained on each router as a link-state database (LSDB) which is a tree-image of the entire network topology. Identical copies of the LSDB are periodically updated through flooding on all OSPF routers.
The OSPF routing policies to construct a route table are governed by link cost factors (external metrics) associated with each routing interface. Cost factors may be the distance of a router (round-trip time), network throughput of a link, or link availability and reliability, expressed as simple unit less numbers. This provides a dynamic process of traffic load balancing between routes of equal cost.
An OSPF network may be structured, or subdivided, into routing areas to simplify administration and optimize traffic and resource utilization. Areas are identified by 32-bit numbers, expressed either simply in decimal, or often in octet-based dot-decimal notation, familiar from IPv4 address notation.
By convention, area 0 (zero) or 0.0.0.0 represents the core or backbone region of an OSPF network. The identifications of other areas may be chosen at will; often, administrators select the IP address of a main router in an area as the area's identification. Each additional area must have a direct or virtual connection to the backbone OSPF area. Such connections are maintained by an interconnecting router, known as area border router (ABR). An ABR maintains separate link state databases for each area it serves and maintains summarized routes for all areas in the network.
OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89. This is in contrast to other routing protocols, such as the Routing Information Protocol (RIP), or the Border Gateway Protocol (BGP). OSPF handles its own error detection and correction functions.
OSPF uses multicast addressing for route flooding on a broadcast network link. For non-broadcast networks special provisions for configuration facilitate neighbor discovery. OSPF multicast IP packets never traverse IP routers; they never travel more than one hop. OSPF reserves the multicast addresses 188.8.131.52 for IPv4 or FF02::5 for IPv6 (all SPF/link state routers, also known as AllSPFRouters) and 184.108.40.206 for IPv4 or FF02::6 for IPv6 (all Designated Routers, AllDRouters), as specified in RFC 2328 and RFC 5340.
For routing multicast IP traffic, OSPF supports the Multicast Open Shortest Path First protocol (MOSPF) as defined in RFC 1584. Neither Cisco nor Juniper Networks include MOSPF in their OSPF implementations. PIM (Protocol Independent Multicast) in conjunction with OSPF or other IGPs, (Interior Gateway Protocol), is widely deployed.
The OSPF protocol, when running on IPv4, can operate securely between routers, optionally using a variety of authentication methods to allow only trusted routers to participate in routing. OSPFv3, running on IPv6, no longer supports protocol-internal authentication. Instead, it relies on IPv6 protocol security (IPsec).
OSPF version 3 introduces modifications to the IPv4 implementation of the protocol. Except for virtual links, all neighbor exchanges use IPv6 link-local addressing exclusively. The IPv6 protocol runs per link, rather than based on the subnet. All IP prefix information has been removed from the link-state advertisements and from the Hello discovery packet making OSPFv3 essentially protocol-independent. Despite the expanded IP addressing to 128-bits in IPv6, area and router identifications are still based on 32-bit values.
c) Routing Information Protocol (RIP): The Routing Information Protocol (RIP) is a distance-vector routing protocol, which employs the hop count as a routing metric. RIP prevents routing loops by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops allowed for RIP is 15. This hop limit, however, also limits the size of networks that RIP can support. A hop count of 16 is considered an infinite distance and used to deprecate inaccessible, inoperable, or otherwise undesirable routes in the selection process.
RIP implements the split horizon, route poisoning and hold down mechanisms to prevent incorrect routing information from being propagated. These are some of the stability features of RIP. It is also possible to use the so called RMTI (Routing Information Protocol with Metric-based Topology Investigation) algorithm to cope with the count-to-infinity problem. With its help, it is possible to detect every possible loop with a very small computation effort.
Originally each RIP router transmitted full updates every 30 seconds. In the early deployments, routing tables were small enough that the traffic was not significant. As networks grew in size, however, it became evident there could be a massive traffic burst every 30 seconds, even if the routers had been initialized at random times. It was thought, as a result of random initialization, the routing updates would spread out in time, but this was not true in practice. Sally Floyd and Van Jacobson showed in 1994 that, without slight randomization of the update timer, the timers synchronized over time. In most current networking environments, RIP is not the preferred choice for routing as its time to converge and scalability are poor compared to EIGRP, OSPF, or IS-IS (the latter two being link-state routing protocols), and (without RMTI) a hop limit severely limits the size of network it can be used in. However, it is easy to configure, because RIP does not require any parameters on a router unlike other protocols (see here for an animation of basic RIP simulation visualizing RIP configuration and exchanging of Request and Response to discover new routes).
RIP is implemented on top of the User Datagram Protocol as its transport protocol. It is assigned the reserved port number 520.
Versions: There are three versions of the Routing Information Protocol: RIPv1, RIPv2, and RIPng.
RIP version 1: The original specification of RIP, defined in RFC 1058 uses classful routing. The periodic routing updates do not carry subnet information, lacking support for variable length subnet masks (VLSM). This limitation makes it impossible to have different-sized subnets inside of the same network class. In other words, all subnets in a network class must have the same size. There is also no support for router authentication, making RIP vulnerable to various attacks.
RIP version 2: Due to the deficiencies of the original RIP specification, RIP version 2 (RIPv2) was developed in 1993 and last standardized in 1998. It included the ability to carry subnet information, thus supporting Classless Inter-Domain Routing (CIDR). To maintain backward compatibility, the hop count limit of 15 remained. RIPv2 has facilities to fully interoperate with the earlier specification if all Must Be Zero protocol fields in the RIPv1 messages are properly specified. In addition, a compatibility switch feature allows fine-grained interoperability adjustments.
In an effort to avoid unnecessary load on hosts that do not participate in routing, RIPv2 multicasts the entire routing table to all adjacent routers at the address 220.127.116.11, as opposed to RIPv1 which uses broadcast. Unicast addressing is still allowed for special applications.
(MD5) authentication for RIP was introduced in 1997.
Route tags were also added in RIP version 2. This functionality allows for routes to be distinguished from internal routes to external redistributed routes from EGP protocols.
- Support of IPv6 networking.
- While RIPv2 supports RIPv1 updates authentication, RIPng does not. IPv6 routers were, at the time, supposed to use IPsec for authentication.
- RIPv2 allows attaching arbitrary tags to routes, RIPng does not;
- RIPv2 encodes the next-hop into each route entries; RIPng requires specific encoding of the next hop for a set of route entries.
RIPng sends updates on UDP port 521 using the multicast group FF02::9.
d) Hot Standby Router Protocol (HSRP): Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway, and has been described in detail in RFC 2281.
The protocol establishes a framework between network routers in order to achieve default gateway failover if the primary gateway becomes inaccessible, in close association with a rapid-converging routing protocol like EIGRP or OSPF. By multicasting packets, HSRP sends its hello messages to the multicast address 18.104.22.168 (all routers) for version 1, or 22.214.171.124 for version 2, using UDP port 1985, to other HSRP-enabled routers, defining priority between the routers. The primary router with the highest configured priority will act as a virtual router with a pre-defined gateway IP address and will respond to the ARP request from machines connected to the LAN with the MAC address 0000.0c07.acXX where XX is the group ID in hex. If the primary router should fail, the router with the next-highest priority would take over the gateway IP address and answer ARP requests with the same mac address, thus achieving transparent default gateway fail-over. A HSRP Basics Simulation visualizes Active/Standby election and link failover with Hello, Coup, ARP Reply packets and timers.
HSRP has the ability to trigger a failover if one or more interfaces on the router go down. This can be useful for dual branch routers each with a single serial link back to the head end. If the serial link of the primary router goes down, the backup router would take over the primary functionality and thus retain connectivity to the head end.
Attacking Wi-Fi nets with traffic injection:
a) How to inject traffic in Wi-Fi nets: Chipsets and drivers: To inject traffic in any Wi-Fi network we first learn about chipsets and drivers which are useful in traffic injection.
On Linux, we can inject in monitor mode with:
- Prism2/2.5/3 with hostap[HAP] or wlan ng[WLAN]
- Prism54 FullMAC with prism54[PR54]
- Atheros with madWi-Fi[MADW]
- Ralink RT2x00 with rt2x00[RT2X]
- Realtek RTL8180 with rtl8180[RTL8]
Frames injection and sniffing: we inject and sniff in monitor mode using the same adapter
# iwconfig ath0 mode monitor
# iwconfig ath0 channel 11
# ifconfig ath0 up promisc
We can read and write to ath0 directly1 with layer 2 socket (e.g.PF PACKET)
Preparing stuff: Using Scapy[SCAP] as backend
from scapy import Raw,Dot11,Dot11WEP,LLC,\
SNAP, sendp, conf
s = conf.L2listen(iface = "ath0")
conf.iface = "ath0"
Raw data and frame injection: Send direct frame from SrcMAC to DstMAC
dot11_frame = Dot11(type = "Data",
FCfield = "to-DS",
addr1 = BSSID,
addr2 = SrcMAC,
addr3 = DstMAC)
dot11-frame /= LLC(ctrl=3)/SNAP()/"Raw data"
Reading date frames: Extract BSSID field value
dot11_frame = s.recv(1600)
if dot11_frame.getlayer(Dot11).FCfield & 1:
BSSID = dot11_frame.getlayer(Dot11).addr1
BSSID = dot11_frame.getlayer(Dot11).addr2
Management Traffic: Management traffic is easy to generate as well
b) WEP Cracking: Known attacks against WEP
- IV collisions
- Clear text attacks (e.g. authentication challenge) and authentication bypass
- RC4 output/IV couple table construction
- Arbitrary frame injection
- Korek Chopchop attack
- Fluhrer, Mantin and Shamir attack (weak IVs attack)
- Korek optimization of FMS attack based on solved cases
Some of them can be boosted by traffic injection
c) Bypassing captive portals: Once authenticated, users must be tracked
- MAC address
- IP address
- MAC and IP addresses
Those network parameters can easily be spoofed!
MAC based authorization tracking: Authorized clients are identified by their MAC address
- MAC address is easy to spoof
- No MAC layer conflict on Wi-Fi network
- Just need a different IP
MAC tracking bypass: Change Wi-Fi interface MAC address
joker# ifconfig ath0 hw ether $MAC
joker# ifconfig ath0 $IP $NETMASK $BROADCAST
joker# route add default $FIREWALL
We can also use bridge firewalling[BLA03] to SNAT output frames on the fly.
IP based authorization tracking: Authorized clients are identified by their
- IP address are just a little more tricky to spoof
- ARP cache poisoning helps redirecting traffic
- Traffic redirection allows IP spoofing
IP tracking bypass:
joker# echo 1 > /proc/sys/net/ipv4/ip_forward
joker# arp-sk -i ath0 -w -d $FIREWALL -S $BATMAN \-D $FIREWALL
joker# iptables -t nat -A OUTPUT -d ! $LAN \
-j SNAT --to $BATMAN
joker# iptables -t mangle -A FORWARD -d $BATMAN \-j TTL --ttl-inc 1
MAC and IP based authorization tracking: The smart way for tracking people?
- Previous technic won’t help because of MAC address checking
- Send traffic with spoofed MAC address
- ARP cache poisoning and IP spoofing for answers redirection
MAC and IP tracking bypass: Reconfiguring the interface won’t help on this
We’ll use ebtables[EBT] to have output frames spoofed
joker# modprobe bridge
joker# brctl addbr br0; brctl addif br0 ath0
[configure bridge interface br0]
joker# ebtables -t nat -A POSTROUTING -o ath0 -d $FW_MAC \-j snat --to-source $BATMAN_MAC
Then you can apply IP spoofing and perform ”Smarter spoofing”.
d) Attacking Wi-Fi stations: Associated stations are almost naked
- LAN attacks (ARP, DHCP, DNS, etc.)
- Traffic interception and tampering
- Direct station attacks
Traffic tampering with injection: Wi-Fi communication can be listened on the air
- Listen to Wi-Fi traffic
- Catch interesting requests
- Spoof AP and inject your own answers
- Clap clap, you’ve done airpwn-like[AIRP] tool
Only think of injecting nasty stuff in HTTP traffic, just in case someone would dare to use MSIE on an open WLAN
Station to station traffic prevention: Security feature that blocks traffic within DS
Usually known as station isolation
- Station sends To-DS frame
- AP sees destination is in DS
- AP drops the frame
- No From-DS frame, so no Communication
Isolation by pass using traffic injection: Joker can inject From-DS frames directly
- No need for AP approval
- we can spoof about anyone