Everything is in the air

WiFi, that tecnology that everybody use and few of us protect. Although most of us protect our wireless networks with hardy security protocols like WPA-PSK or WPA-802.1X, we know the air is free and for everybody and then, our wireless networks can go beyond our offices, buildings and security perimeter. Therefore, an outsider could connect to our wireless network from outside, with the right credentials or exploiting some security flaw. For this reason is important to monitor all mobile devices that it's connecting to our networks, even those that aren't ours (BYOD), because we are used to sending all kind of information for these networks and we also know that once you are in, you can connect to almost anywhere.

This time I would like to write about some wireless attacks, tools and applications useful to understand how to protect our wireless networks. First, an attacker can deny our wireless service (DoS) sending deauthentication/disassociation frames, which can be also used to get beacons to break access passwords. Deauthentication frames are sent when we want to terminate all communications while disassociation frames are sent when we want to leave the current cell to roam to another cell, we also use disassociation frames when we use invalid parameters and many other reasons. Next, we can see deauthentiacion and disassociation frames:

Deauthentication Frame

Disassociation Frame

Today, there are many tools to test our wireless network like aircrack-ng, mdk3, wifite, etc but this time I want to write about WIDSTT developed by Jaime Blasco. This tool is useful to test our WIDS because we can flood the WLAN with deauthentication and disassociation frames, send invalid deauthentication frames, send over-sized SSID, send airjack beacon frames, send invalid channel numbers in beacon frames, etc.

WIDSTT tool

If we want to be “safe”, we'll have to monitor our wireless network with Wireless Intrusion Detection Systems (WIDS) to detect attacks against our access points and mobile devices. A popular wireless network detector, sniffer, and intrusion detection system is Kismet which can be used to detect the main wireless attacks like AP Spoofing or Rogue APs, deauthentication/disassociation attacks, long SSID attacks, etc. However, most manufacturers like Cisco, Fortinet, Aruba, Aerohive have their own WIDS.

Fortinet WIDS

It's time not just to have an IDS and HIDS but a WIDS as well. If you don't still have any WIDS, you can make your own WIDS with Kismet wireless sensors and sending logs to a central management interface to alert to you when something is wrong.

Alienvault WIDS

Regards my friends and remember, drop a line with the first thing you're thinking.