
[NEWS] WLAN Session Containment DoS

Subject: [NEWS] WLAN Session Containment DoS
Date: 27 Jun 2005 14:07:58 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  WLAN Session Containment DoS
------------------------------------------------------------------------


SUMMARY

Session containment (also known as wireless intrusion prevention) is a 
technique implemented by wireless LAN IDS vendors to prevent unauthorized 
stations from connecting to an authorized or rogue access point. A denial 
of service vulnerability in some WLAN Session Containment 
implementations allows an attacker to disconnect all connected users from the 
WLAN.

DETAILS

When a WLAN IDS identifies an unauthorized station on a wireless network, 
it may attempt to prevent the station from accessing network resources. 
This is accomplished by mounting a denial of service (DoS) attack against 
the rogue access point or station, leveraging weaknesses in the IEEE 
802.11 specification to disconnect one or more users from the wireless 
network.

When the disconnect message is repeated continuously, the rogue station is 
unable to connect to the wireless network, preventing a potential network 
intrusion.

When implementing a mechanism to disconnect users from a protected access 
point, vendors must consider several factors:

 * Preventing unauthorized access. The goal of session containment against 
an unauthorized station is to stop access to the distribution system or 
wired network. The selection of a technique that reliably stops access to 
the network is a major consideration for the WLAN IDS vendor.

 * Minimizing impact to the wireless spectrum or channel. A WLAN IDS 
vendor can easily prevent all access to a monitored access point by 
implementing a denial of service attack against the wireless spectrum, 
such as an RF jamming attack. This has the negative side-effect of 
preventing all access to the spectrum, including potentially authorized 
stations and access points that are accessing a nearby production network. 
A WLAN IDS vendor must implement a technique to disconnect unauthorized 
stations with minimal impact to other production wireless networks.

 * Limiting DoS scope to designated stations. A vendor may opt to provide 
sufficient fidelity in their session containment implementation such that 
they can disconnect a single unauthorized station, preserving the 
connectivity of other authorized users. This requirement will also 
influence the implementation of the session disconnect technique.

Considering these implementation factors, vendors have implemented session 
containment by transmitting spoofed deauthenticate and/or disassociate 
management frames. By transmitting these frames with a spoofed source MAC 
address of the access point or victim station, a WLAN IDS vendor can force 
a client to disconnect from the network, forcing them to repeat the IEEE 
802.11 authentication and association process to regain access to the 
network. By repeating the transmission of these frames, a WLAN IDS can 
sustain a DoS attack against a target MAC address, preventing access to 
the network.

The following trace is an example of one vendor's implementation of 
session containment against a rogue station:

1. 00:90:4b:2d:65:24 -> 00:12:17:9f:08:73 ICMP Echo (ping) request
2. 00:12:17:9f:08:73 -> 00:90:4b:2d:65:24 ICMP Echo (ping) reply
3. 00:12:17:9f:08:71 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Deauthentication
4. 00:90:4b:2d:65:24 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Probe Request, SSID: "linksys-a"
5. 00:12:17:9f:08:71 -> 00:90:4b:2d:65:24 IEEE 802.11 Probe Response, SSID: "linksys-a"
6. 00:12:17:9f:08:71 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Deauthentication
7. 00:90:4b:2d:65:24 -> 00:12:17:9f:08:71 IEEE 802.11 Authentication
8. 00:12:17:9f:08:71 -> 00:90:4b:2d:65:24 IEEE 802.11 Authentication
9. 00:90:4b:2d:65:24 -> 00:12:17:9f:08:71 IEEE 802.11 Reassociation Request, SSID: "linksys-a"
10. 00:12:17:9f:08:71 -> 00:90:4b:2d:65:24 IEEE 802.11 Reassociation Response
11. 00:12:17:9f:08:71 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Deauthentication

In this trace, an authenticated, associated station at 00:90:4b:2d:65:24 
is exchanging ICMP echo request and reply traffic with another station 
at 00:12:17:9f:08:73. After the ICMP exchange, a deauthenticate frame is 
sent to the broadcast address from the access point at 00:12:17:9f:08:71, 
which causes the wireless station to reconnect to the network, beginning 
with a probe request frame. A second deauthenticate notice is transmitted 
in frame 6. Since this frame is transmitted before the station 
re-authenticates to the network, it is silently ignored, and the station 
continues the authentication and re-association process. The 
deauthenticate frame transmitted in frame 11 does successfully disconnect 
the client, forcing them to repeat the connect process.

In this case, the deauthenticate frames are transmitted by the WLAN IDS 
sensor with a spoofed source MAC address of the access point. This makes 
the station believe that the access point is disconnecting them from the 
network, forcing them to reconnect. Sustaining these spoofed frames will 
keep the station from being able to transmit on the network. This 
technique is employed by most vendors to implement session containment, 
with minor variations.
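The frame listing and the narrative above can be replayed against the IEEE 802.11 station state machine to see which deauthenticate frames actually take effect (frames 3 and 11) and which are ignored (frame 6), and to count repeated deauthenticate frames per claimed source the way a monitoring sensor would. This is an added example, not code from the advisory or its author; the trace text is embedded from the listing above, the station's starting state and the `threshold` value are assumptions, and the state machine is simplified to the transitions the advisory discusses.

```python
import re
from collections import Counter

# Sample input, constructed from the advisory's own frame listing
# ("N. src -> dst description"); frame numbers match the discussion above.
TRACE = """\
1. 00:90:4b:2d:65:24 -> 00:12:17:9f:08:73 ICMP Echo (ping) request
2. 00:12:17:9f:08:73 -> 00:90:4b:2d:65:24 ICMP Echo (ping) reply
3. 00:12:17:9f:08:71 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Deauthentication
4. 00:90:4b:2d:65:24 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Probe Request, SSID: "linksys-a"
5. 00:12:17:9f:08:71 -> 00:90:4b:2d:65:24 IEEE 802.11 Probe Response, SSID: "linksys-a"
6. 00:12:17:9f:08:71 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Deauthentication
7. 00:90:4b:2d:65:24 -> 00:12:17:9f:08:71 IEEE 802.11 Authentication
8. 00:12:17:9f:08:71 -> 00:90:4b:2d:65:24 IEEE 802.11 Authentication
9. 00:90:4b:2d:65:24 -> 00:12:17:9f:08:71 IEEE 802.11 Reassociation Request, SSID: "linksys-a"
10. 00:12:17:9f:08:71 -> 00:90:4b:2d:65:24 IEEE 802.11 Reassociation Response
11. 00:12:17:9f:08:71 -> ff:ff:ff:ff:ff:ff IEEE 802.11 Deauthentication
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"
FRAME_RE = re.compile(r"^(\d+)\.\s+([0-9a-f:]{17}) -> ([0-9a-f:]{17}) (.*)$")

def parse_trace(text):
    """Parse the listing into (frame_no, src, dst, subtype); non-802.11 lines get subtype 'data'."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        no, src, dst, desc = m.groups()
        prefix = "IEEE 802.11 "
        subtype = desc[len(prefix):].split(",")[0] if desc.startswith(prefix) else "data"
        frames.append((int(no), src, dst, subtype))
    return frames

def replay_station(frames, station, ap):
    """Replay the station's 802.11 state against frames whose source claims to be the AP.
    Returns (numbers of deauth frames that actually disconnected it, final state)."""
    state = "associated"   # assumption: station starts authenticated and associated, as in the trace
    effective = []
    for no, src, dst, subtype in frames:
        if src != ap or dst not in (station, BROADCAST):
            continue
        if subtype == "Deauthentication":
            if state != "unauthenticated":   # deauth before re-authentication is silently ignored
                state = "unauthenticated"
                effective.append(no)
        elif subtype == "Authentication":
            state = "authenticated"
        elif subtype in ("Association Response", "Reassociation Response"):
            state = "associated"
    return effective, state

def deauth_sources(frames, threshold=3):
    """Count deauth frames per claimed source MAC; sources at or above threshold are flagged."""
    counts = Counter(src for _, src, _, sub in frames if sub == "Deauthentication")
    return {src: n for src, n in counts.items() if n >= threshold}
```

A real sensor would additionally correlate sequence numbers and signal strength of frames claiming the AP's MAC, since the advisory's point is that the source address alone cannot distinguish the AP from the spoofing sensor.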


ADDITIONAL INFORMATION

The information has been provided by Joshua Wright <jwright@hasborg.com>.
The original article can be found at:
http://i.cmpnet.com/nc/1612/graphics/SessionContainment_file.pdf
and at
http://www.nwc.com/shared/article/printFullArticle.jhtml?articleID=164302965


