Pre-connection attacks are the first part of a network attack. This mainly involves disconnecting a client from a network without gaining access or having the password to the network.
Before we get into all the cool stuff, let's see if your system or WiFi card can actually handle this. In-order to hack a wireless network, the WiFi adaptor must support monitor mode and packet injection.
What are the different modes in which a WiFi card operates?
The WiFi cards are capable of operating in 2 different modes.
- Managed mode: This is the default operating mode for all WiFi cards. All the WiFi cards supports this mode. With this mode, the WiFi card can capture only the packets that are directed towards our machine.
- Monitor mode: This mode allows a WiFi card / adaptor to monitor all the traffic in a wireless channel. However, not every WiFi card may support this mode.
To know which mode your WiFi adaptor operates in, execute the following command in the terminal.
iwconfig
Here we can see that the WiFi card uses managed mode.
Now let's set the WiFi card to monitor mode.
1. Disable the interface(wlan0) first.
ifconfig [interface name] down2. Let's kill all the processes that might interfere when we use monitor mode. This will completely kill the internet connection.
Note: This is not a problem as pre-connection attacks are used before we gain access to a network.
airmon-ng check kill3. Now let's change the mode to monitor mode.
iwconfig [interface name] mode [mode]In our case, the mode is monitor.
4. Now let's enable the interface.
ifconfig [interface name] upIf you run the iwconfig command, you can see that the mode has been changed to monitor mode. Also the interface name has been changed. This interface name is what we'll use for the rest of the tutorial.
Packet Sniffing
It's the act of capturing data packets across a computer network for further analysis.
In this tutorial, we'll use airodump-ng to sniff packets. It is a part of the aircrack-ng suite. It can capture and display detailed information about the networks around us.
Let's sniff some packets, shall we?
- Make sure monitor mode is enabled and execute the following command in the terminal.
airodump-ng [interface name]This will list out all the nearby networks along with a lot of detailed information including the mac address of the clients connected to them.
BSSID: The mac addresses of the network.
PWR: The signal strength of the network. Higher the number, stronger the signal.
Beacons: Frames sent by the network to broadcast it's existence.
#Data: Number of data packets.
#/s: Number of data packet we collected in the past 10 seconds.
CH: The channel the network works on.
MB: Maximum speed supported.
ENC: The type of encryption used.
CIPHER: The type of cipher used.
AUTH: The authentication mechanism used.
ESSID: The name of the network.
STATION: Client's mac address.
By default, airodump-ng will only sniff the 2.4Ghz networks.
airodump-ng --band [band] [interface name] Band Arguments
a - 5Ghz
b - 2.4Ghz
g - 2.4Ghz
ac - Below 6Ghz
Note: Simply adding the band argument won't work unless the network adaptor supports the specified band.
Sniff on a target network
airodump-ng --bssid [BSSID] --channel [CH] --write [filename] [interface name]
This will show detailed information about the targeted networks and also lists out the clients connected to it. This will also capture the packets and write to a file we specify. This can be used for further analysis which is beyond the scope of this article.
If you execute the ls command, you'll see that a few new files has been created with different extensions. The file we'll be using is the *.cap file. This file contains the data captured while we were running the previous command in an encrypted form. This file will contain everything that was sent from / to our targeted network. This might include sensitive information like passwords, chats etc...
Now that we have gathered required information about the network and clients connected to it, let's now start with the fun part.
Deauthentication attack
Using this attack we can disconnect any client from any WiFi networks within our reach. It will work on all kind of encrypted networks.
Some key features of this method are:
- No need to know the network key (password)
- No need to be connected to the network
How it works
- First, we pretend to be the targeted client that we want to disconnect by changing our mac address to that of the target and tell the router to disconnect.
- Pretend to be the router by changing the mac address to that of the router and tell the client that it's been disconnected.
aireplay-ng --deauth [#DEAUTHPACKETS] -a [NETWORKMAC] -c [TARGETMAC] [interface name]
#DEAUTHPACKETS: The number of deauthentication packets you want to send.
The higher the number of deauthentication packets, the longer the client will stay disconnected. So if you want the client to stay disconnected for a long time make sure you give a very large number.
If the client has turned on "automatically connect to the network" feature, connection will be re-established as soon as we stop sending deauth packets.
How can you prevent Pre-Connection Attacks?
To be honest, it is quite impossible to prevent someone from sending you de-authentication packets.
Instead of focusing on complete prevention against it, working on building your resilience against such pre-connection attacks is more plausible.
The following tips are focused on advancing the resilience of your network:
- Ensure that your network is uncompromisable by configuring your network by using a WPA2
- Make certain that your passphrase is built strong. It is advisable to use a variety of alphabets, numbers, and special characters for this purpose
- Enable an MFP (Management Frame Protection) as an added layer of protection along with the WPA2
Happy Hacking!!
