
International Conference on Computational Science and Technology 2014 (ICCST14)

Profiling and Mitigating Brute Force Attack in Home Wireless LAN

Mohd Yusof Mohammad Hafiz
Department of Computer Technology and Networking
Faculty of Computer and Mathematical Sciences,
Universiti Teknologi MARA,
40450 Shah Alam, Selangor, MALAYSIA
2012352917@isiswa.uitm.edu.my

Fakariah Hani Mohd Ali
Department of Computer Technology and Networking
Faculty of Computer and Mathematical Sciences,
Universiti Teknologi MARA,
40450 Shah Alam, Selangor, MALAYSIA
fakariah@tmsk.uitm.edu.my

Abstract: Brute force is another dangerous type of cyber attack meant for cracking wireless LAN WPA/WPA2 passwords. It is preceded by several other attack attempts, namely DeAuthentication, packet sniffing (airodump) and finally aircrack. The success of a brute force attack is largely determined by these attempts. This study analyzes the DeAuthentication attack traffic pattern and the sniffing and aircrack activity, and proposes two mitigation techniques: 1) increasing the beacon time interval and 2) mapping users' MAC addresses. Experimental results show that deployment of the mitigation techniques is effective in stopping these activities and mitigating the brute force attack.

Key Terms: Profiling, Brute Force Attack, Wireless LAN, Mitigation.

I. INTRODUCTION
Wireless LAN (WLAN) has gained popularity due to its mobility and portability; however, this technology is prone to security threats like spoofing. This is because the unguided medium used by WLAN technology to propagate information is within open public range. Due to its widespread deployment, WLAN security issues become more and more severe [1].
In the early stage of WLAN, the Wired Equivalent Privacy (WEP) security feature was not sufficient, as more and more flaws were discovered; nowadays it has been replaced by Wi-Fi Protected Access (WPA) and WPA2 technologies [2]. However, these techniques are still vulnerable to DoS and brute force attacks.
WLAN has been the target of a large number of attacks [3], and amongst them is the brute force attack. The brute force WLAN attack in this study exhausts Phase Shift Keying (PSK) information extracted from a particular Access Point (AP) against a wordlist database created with various available open source penetration test tool sets. In this study we also profile the signature of brute force attacks.
[3] explains a few processes that may lead to the later classification of a brute force attack. It begins with faked deauthentication requests from a faked wireless client, transmitted over a large number of frame attempts, which finally exhaust the AP's memory resources. After the deauthentication attacks are successful, the AP resets and begins the TCP handshake process all over again; at this point the attacker intercepts the handshake communication, gaining as much information as possible by extracting the PSK information. The PSK information is then compared against a previously prepared wordlist database.

II. RELATED STUDIES
There are limited studies that discuss brute force threat profiling specifically. Generally, various profiling techniques exist in the area of cyber attacks and malicious threats, found particularly in enterprise/campus and industrial (control system) network environments. Nonetheless, those studies are important to outline the parameters used to profile WLAN attack activities.
Paper [5] outlines a useful architecture to profile wireless activity and finally designs a lightweight IDS (Intrusion Detection System) for WLAN. However, their detection algorithm is based on a few mathematical assumptions. Such self-defined attack rules are something bizarre for home users' mitigation actions, as according to [2] more complex configurations cause common Internet users to deactivate wireless security in order to avoid sophisticated setups. In this study we adapt their data packet capture module and data packet analysis module.
Paper [6] presents a new technique to create a wordlist of possible efficient password combinations for WLAN passwords. This study helps us to design the password countermeasures module to mitigate brute force attacks in WLAN, in spite of the recommendation from ITU-T.
[2] discusses the Reaver software that allows brute force activities and later outlines a detection activity to capture, decode and analyze all wireless frames with regard to this attack. However, those proposed countermeasures should be adopted by vendors to prevent brute force attacks, and this is something beyond the end users' action domain.
[7] proposes a very simple agent for wireless IDS creation. Compared to its simplicity, this wireless IDS agent has relatively complete functionality with a great detection capability. It uses the general subtype as its feature set.



Generalizing the subtype as a feature set without specifying its description will lead to false positives for certain attacks.
[8] develops a discrimination algorithm using the correlation coefficient to detect anomalies in wireless traffic. The algorithm requires pairing of client MAC address and AP, which will reduce the scalability of the wireless LAN.
[9] proposes a very comprehensive adaptive neuro-fuzzy inference system. The results show a significant reduction of the average detection delay (ADD). The detection module uses the sequence number as a detection signature. The sequence number is only available for a few subtypes, for instance QoS Data (0x28) and Action (0x0d), and is not available for the subtypes Acknowledgement (0x1d), Request-to-send (0x1b) and Clear-to-send (0x1c). Thus selecting the sequence number as a feature will also lead to false positives.
III. RESEARCH METHODOLOGY
This section describes the proposed mitigation model, the experiment testbed and the results of this project.
A. Testbed design
The testbed design module achieves the testbed home WLAN architecture by fulfilling the following activities: 1) design a testbed network based on a simple home-based WLAN environment; 2) collect baseline network traffic. A monitor mode interface was enabled to launch the necessary attacks towards the AP and capture the corresponding traffic needed to launch the brute force. Network traffic in this environment was recorded to benchmark baseline WLAN network traffic before the brute force attack. Figure 1 below shows the physical design of the WLAN testbed architecture.

Figure 1: Physical design of WLAN testbed architecture

B. Attack scenarios
A few penetration test (pentest) procedures were run to simulate brute force attacks in the WLAN infrastructure that was built earlier in the testbed design module. The attack scenarios were simulated using the well-known open source pentest software Kali. Kali is used to exploit the previously described security flaws in the home WLAN using its predefined penetration test library suite.
There are two ways to obtain the WPA-PSK handshake information, as discussed in the introduction section: passive sniffing or a deauthentication attack [6]. The attack procedures use the following suite:
- aireplay-ng
- airodump-ng
- aircrack-ng

C. Data acquisition
This module is based on the work done by [5] and [2]. Traffic is captured using the open source packet analysis software Wireshark in promiscuous mode, filtering traffic only from the router to the management machine (WinXP). For each of the attack procedures mentioned above, the minimum capture duration was 6 hours. The captured packets were filed in .cap format, and packets were captured between 31st of March 2014 and 6th of April 2014 (on 7th of April the mitigation procedures started).

D. Packet analysis
The packets were analyzed using the Wireshark IO graph and the display filter expressions listed below:
- Study a single AP transaction and filter out the other broadcasting APs (BSSIDs represented by the alphabetical letters A, B, C, D and E) within the test environment range by using the following filter expression:

  ((((!(wlan_mgt.ssid == "A")) && !(wlan_mgt.ssid == "B")) && !(wlan_mgt.ssid == "C")) && !(wlan_mgt.ssid == "D")) && !(wlan_mgt.ssid == "E")

- Study only a beacon subtype and filter out the rest by using the following expression:

  wlan.fc.type_subtype == 0x0c

E. Brute force activity
Figure 2 below illustrates the brute force activity.



Figure 2: Brute force activity

As mentioned above, the technique in [6] was used to prepare the wordlist. A phone number was chosen as the sample password because a large enterprise in the United States and Canada uses the customer's phone number as the password [10]. With that we managed to crack the password in 12 hours 12 minutes and 50 seconds (this was done before the intervention or mitigation procedures):

  Aircrack-ng 1.1 r2178
  [12:12:50] 129832652 keys tested (878.41 k/s)
  KEY FOUND! [012XXX56XX]

F. Proposed mitigation techniques
The proposed countermeasures to mitigate the brute force attack are discussed in this section. Brute force can be done offline after the handshake information is captured during deauthentication (DeAuth). Thus it is important to anticipate the series of actions before the attacker manages to obtain the wireless information.
The following are the proposed mitigation techniques that can be set directly by home users:
- Increase the beacon time interval from 100ms to 500ms so as to reduce its frame broadcasting frequency:

  root@bt:~# --specific command-- set beacon-interval 500 //for an interval of 1000ms=1s
  --line truncated for brevity--
  dev <devname> ibss join <SSID> <freq in MHz> [fixed-freq] [<fixed bssid>] [beacon-interval <TU>] [basic-rates <rate in Mbps,rate2,...>] [mcast-rate <rate in Mbps>] [key d:0:abcde]

- Map users' MAC addresses. Mapping our home users' MAC addresses into the Access Point reduces and even eliminates sniffing attempts by unknown machines.

IV. RESULTS AND DISCUSSIONS
A. 802.11 Baseline network characteristics
Figure 3 below shows the subtype characteristics captured during the data gathering phase. A subtype is a kind of 802.11 frame. The subtypes captured in this WLAN infrastructure of type Management (Mgmt) are Beacon (0x08), Probe Response (0x05), Action (0x0D), Authentication (0x0B), Association Request (0x00), Association Response (0x01) and Reassociation Response (0x03). Meanwhile, the subtypes of type Control (Ctrl) are Request to Send (0x1B), Acknowledgement (0x1D), Clear to Send (0x1C), CF-End (0x1E), Block Ack Request (0x18) and PS-Poll (0x1A), and finally the subtypes of type Data are Data (0x20), QoS Data (0x28), Null function (0x24) and QoS Null function (0x2C).

Figure 3: Subtype frames captured

Figure 4 shows the construction of the 802.11 MAC header, with the subtype residing in the frame control field.

Figure 4: 802.11 header [11]

There are three main types of 802.11 frames: 1) management frames, which enable a STA to establish and maintain communications with an AP; 2) control frames, which assist in the delivery of data frames between stations; 3) data frames, which carry data from higher layers, such as web pages and printer control data, within the body of the frame [8].
It can be easily spotted from Figure 5 that 802.11 frames of type management and control consume most of the traffic



frames. Request-to-send (RTS) is a frame of type control (value 01) with subtype value 1011, thus the hexadecimal representation is 0x1B. It is used to coordinate access to the airwaves [11]. Clear-to-send (CTS) frames, on the other hand, are often the response to an RTS. The RTS/CTS function reduces frame collisions between STA and AP.
The Acknowledgement frame is also of type control (value 01), with subtype value 1101; the hexadecimal representation is 0x1D. The receiving station sends an acknowledgement frame to the sending station to acknowledge receipt of data. If the sending station doesn't receive an acknowledgement after a period of time, it retransmits the frame.
A Beacon is a frame of type management (value 00) with subtype value 1000; the hexadecimal representation is 0x08. The beacon is a periodic frame sent by the AP (or by stations in the case of an IBSS) giving information about the BSS. The AP announces its presence and relays information such as a timestamp to help synchronize member stations with the SSID. The radio NIC continually scans all 802.11 radio channels and listens to beacons to choose the best signal. Beacon management frames can be easily forged because, unlike data messages, they are neither encrypted nor integrity protected by any part of the standard and require no authentication [12].
The 802.11 management frame is an important feature in feature selection. Feature selection is the most critical step in building intrusion detection models [5] and in selecting the parameters to mitigate and eliminate cyber attacks, especially brute force.
In 802.11 all Layer 2 management frames are broadcast in plain text so that nearby devices can discover the network and request a connection; if an attacker captures these plaintext management frames, they can forge packets which appear to originate from a victim [13].
B. Simulated attacked 802.11 network characteristics

Figure 5: Slice of an 802.11 deAuthentication (DeAuth) frame (first prelude to brute force attack)

Figure 5 shows a slice of a deAuthentication frame in a typical WLAN network. This frame could prelude brute force attacks, as mentioned in [13]: the two potential frame types which can be used for causing a DoS condition in 802.11 WiFi are DeAuth and DisAssoc (DisAssociation) frames. Thus we are interested in anticipating excessive activity of this frame in order to mitigate the brute force attack. Reception of either of these frames moves the victim out of the authenticated state in the AP state machine and into another state which does not allow the exchange of data packets. Deauthentication frames are masqueraded to appear to originate from a client, notifying the AP that the victim no longer wishes to maintain a connection [14].
After flooding the network with DeAuth frames, the station associated with the attacked AP and the AP itself start to run handshake procedures with each other in order to re-establish the connection between them.

Figure 6: Delta time during airodump-ng activity (second prelude to brute force attack)

During this time the attacker launches the airodump-ng suite to dump whatever STA-AP communication information can be retrieved from the air. This is later saved in a .cap file and finally matched against the wordlist file to brute force the password. Figure 6 shows significant spikes of delta time, indicating that intensive data crawling activity is taking place.
The brute forcing activity itself is done offline, thus we are unable to provide any traffic activity characteristic for it. It is now understood that we need to eliminate any unnatural DeAuth attack launched by the attacker (while at the same time permitting natural DeAuth frames in machine-to-machine communication) and the dumping of handshake information between STA and AP during connection re-establishment.
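The two indicators described in this section, a burst of frames with wlan.fc.type_subtype == 0x0c and the delta-time spikes that follow it, together with the single-AP filter of Section III.D and the MAC mapping of Section III.F, can be checked programmatically over captured frame metadata. The following Python is an added example, not code from the paper: the frame records, MAC addresses and thresholds are constructed for illustration, and a real deployment would feed it frame metadata decoded from the .cap files rather than the embedded sample.

```python
"""Detection logic for the two preludes the paper describes: a DeAuth
flood (wlan.fc.type_subtype == 0x0c) and the inter-arrival ("delta time")
spikes that follow it, plus a check of station MACs against the home
user's MAC mapping.

Added example, not code from the paper.  The frame records and the MAC
addresses below are constructed for the example; real input would come
from a .cap file read with a capture library, which is out of scope here.
"""
from collections import Counter
from statistics import median
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

DEAUTH = 0x0C   # wlan.fc.type_subtype of a Deauthentication frame
BEACON = 0x08
AUTH = 0x0B
DATA = 0x20

# Placeholder addresses (constructed, not from the paper's capture).
AP_BSSID = "02:00:00:00:35:30"
HOME_STA = "02:00:00:00:00:01"
STRANGER = "02:00:00:00:00:99"


class Frame(NamedTuple):
    ts: float          # arrival time in seconds since capture start
    type_subtype: int  # combined type/subtype value as shown by Wireshark
    bssid: str
    src: str           # transmitter address


def frames_for_bssid(frames: Iterable[Frame], bssid: str) -> List[Frame]:
    """Equivalent of the paper's display filter that isolates one AP."""
    return [f for f in frames if f.bssid == bssid]


def deauth_per_second(frames: Iterable[Frame]) -> Dict[int, int]:
    """Count Deauthentication frames per one-second bucket (the IO-graph view)."""
    counts: Counter = Counter()
    for f in frames:
        if f.type_subtype == DEAUTH:
            counts[int(f.ts)] += 1
    return dict(counts)


def deauth_flood_seconds(frames: Iterable[Frame], threshold: int = 5) -> List[int]:
    """Seconds in which DeAuth volume exceeds what a home WLAN produces naturally.

    A station leaving the network sends one or two DeAuth frames; a
    flood like the paper's 30 frames in 15 s stands out against that.
    """
    return sorted(sec for sec, n in deauth_per_second(frames).items() if n >= threshold)


def delta_time_spikes(frames: List[Frame], factor: float = 10.0) -> List[Tuple[float, float]]:
    """Return (timestamp, delta) pairs where the inter-arrival time is more
    than `factor` times the median delta, the paper's indicator for the
    sniffing phase that follows a DeAuth burst.
    """
    ordered = sorted(frames, key=lambda f: f.ts)
    deltas = [b.ts - a.ts for a, b in zip(ordered, ordered[1:])]
    if len(deltas) < 2:
        return []
    limit = factor * median(deltas)
    return [(b.ts, d) for b, d in zip(ordered[1:], deltas) if d > limit]


def unmapped_stations(frames: Iterable[Frame], bssid: str, allowed: Set[str]) -> Set[str]:
    """Transmitter addresses talking to the AP that are not in the home
    user's MAC mapping (the paper's second mitigation, used here as a check)."""
    return {f.src for f in frames
            if f.bssid == bssid and f.src != bssid and f.src not in allowed}


def sample_capture() -> List[Frame]:
    """Constructed capture: 5 s of beacons, one natural DeAuth,
    a 30-frame DeAuth burst at t=5, a silent gap, then an unknown station."""
    frames: List[Frame] = [Frame(i / 10, BEACON, AP_BSSID, AP_BSSID) for i in range(50)]
    frames.append(Frame(1.25, DATA, AP_BSSID, HOME_STA))
    frames.append(Frame(2.05, DEAUTH, AP_BSSID, HOME_STA))   # station leaves normally
    for i in range(30):                                       # flood, spoofed as the AP
        frames.append(Frame(5.0 + i / 100, DEAUTH, AP_BSSID, AP_BSSID))
    frames.append(Frame(7.9, AUTH, AP_BSSID, STRANGER))       # after a 2.6 s gap
    return sorted(frames, key=lambda f: f.ts)


if __name__ == "__main__":
    cap = frames_for_bssid(sample_capture(), AP_BSSID)
    print("DeAuth per second:", deauth_per_second(cap))
    print("flood seconds:", deauth_flood_seconds(cap))
    print("delta-time spikes:", delta_time_spikes(cap))
    print("stations outside MAC mapping:", unmapped_stations(cap, AP_BSSID, {HOME_STA}))
```

On the constructed capture the single DeAuth at t=2 stays below the flood threshold, which is the distinction the text asks for (permit machine-to-machine DeAuth, flag the flood), the 30-frame burst in second 5 is flagged, the only delta-time spike is the gap after the burst, and the station that authenticates after the gap is exactly what the MAC mapping of Section III.F would have excluded.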
C. Final results
The packets of this intervened network were captured between arrival time Apr 7, 2014 22:02:30.904989000 Malay Peninsula Standard Time (frame number 1) and arrival time Apr 7, 2014 22:20:11.176877000 Malay Peninsula Standard Time. Figure 7 below is the IO graph representation of the packets captured before the mitigation procedures. The obvious spike of frames indicates the DeAuth attack.

It clearly shows that after we applied the workaround countermeasures or mitigation procedures on the wireless router (AP), the DeAuth, air sniffing and aircrack attempts failed. The attacker machine shows the messages 1) "No such BSSID available", 2) "mon0 is on channel 3, but the AP uses channel 8", 3) "No matching network found - check your bssid". Thus it stops the brute force attack completely.
The chronology of events is as follows:
- At 22:04:58 (before mitigation) DeAuth was launched from the attacker machine and successfully broadcast 30 DeAuth messages to the targeted BSSID from 22:04:58 until 22:05:13. Any STA associated with this BSSID during this time was disconnected. Figure 10 shows the spike of the DeAuth activity.

  root@bt:~# --specific cmd--
  10:04:58 Waiting for beacon frame (BSSID: XX:XX:XX:XX:35:30) on channel 8
  NB: this attack is more effective when targeting
  a connected wireless client (-c <client's mac>).
  10:04:58 Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:35:30]
  10:04:59 Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:35:30]
  10:04:59 Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:35:30]
  --lines truncated for brevity--
  10:05:12 Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:35:30]
  10:05:13 Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:35:30]

Figure 7: Spike in traffic frames during the DeAuthentication attack. This was captured before mitigation.

Then the aforementioned parameters were applied and another DeAuth attack was launched from the attacker machine. Figure 8 below shows the result.
- At around 22:06:01 the beacon time interval was changed from 100ms to 500ms (first parameter), that is, five times the lag of its original periodic information broadcasting activity.
- At 22:07:13 another DeAuth was launched from the attacker machine; this time the machine shows the following message:

  10:07:28 No such BSSID available.
  Please specify an ESSID (-e).

Figure 8: After mitigation is applied the traffic stays normal, indicating that the DeAuth (aireplay-ng suite) and airodump-ng suite attacks have failed, thus failing the brute force attack using the aircrack-ng suite.

- From the graph of Figure 10, it shows no excessive DeAuth spike like before. The attack (DeAuth) was successfully ruled out!
- Then at around 22:10:41 the MAC address of the client STA (second parameter) was mapped.
- At 22:14:41 we launched the airodump-ng suite at the attacker machine, trying to obtain radio communication on the targeted AP. This time it shows the machine (attacker) is on a different channel from the AP. Below is the full operation:

  root@bt:~# --specific cmd-- --mac changed--
  10:14:41 Waiting for beacon frame (BSSID: XX:XX:XX:XX:35:30) on channel 3
  10:14:50 mon0 is on channel 3, but the AP uses channel 8

  Again, air sniffing was successfully ruled out!
- Finally, when the final brute force attack was launched using the aircrack-ng suite, it shows an unsuccessful result as follows:
  1) A failure to locate the bssid (targeted AP). Brute force failed! Below is the full message:

  root@bt:~# --specific command--
  --lines truncated for brevity--
  No matching network found - check your bssid.

V. CONCLUSION
The DeAuthentication (DeAuth) pattern and air sniffing activities that prelude a brute force attack have been analyzed using several prescribed pentest suites. Extensive DeAuth activity was shown by a huge spike of frames of type wlan.fc.type_subtype == 0x0c, whereas air sniffing activity was indicated by sudden increases of delta time after the DeAuth activity.
Two mitigation techniques have been applied at the targeted AP: 1) increasing the time interval of the management frame of type beacon to reduce its broadcasting of information frames; 2) mapping its client MAC addresses.
Based on the results, by delaying beacon frames and mapping the client MAC address, the attacker suite failed to periodically communicate with the targeted AP. This was shown by the following message:

  10:07:28 No such BSSID available.
  Please specify an ESSID (-e).

The IO graph during this time frame indicates normal traffic activity and no presence of a huge spike of frame subtype 0x0c, thus failing the attacker's DeAuthentication and air sniffing attempts.
During the brute force activity using the aircrack-ng suite, the attacker's machine failed to locate the targeted AP. Thus we had successfully mitigated the brute force attack. The following message indicates the failure:

  root@bt:~# --specific command--
  --lines truncated for brevity--
  No matching network found - check your bssid

For future work, we would like to apply the client-puzzle model [15] with subtype 0x0c as the feature selection for the mitigation procedures. Then we will compare the detection rate of our model to other available IDS models.

ACKNOWLEDGMENT
This research is supported by the Research Management Institute, Universiti Teknologi MARA and registered under the Research Acculturation Grant Scheme (RAGS) #600RMI/RAGS 5/3 (77/2012).

REFERENCES
[1] Dong Q, Gao L. 2010. A New Client-Puzzle Based DoS-Resistant Scheme of IEEE 802.11i Wireless Authentication Protocol. 3rd International Conference on Biomedical Engineering and Informatics (BMEI 2010).
[2] Petiz I, Rocha E, Salvador P, Nogueira A. 2013. Using Multiscale Traffic Analysis to Detect WPS Attacks. IEEE International Conference on Communications 2013: IEEE ICC-13, 3rd IEEE International Workshop on Smart Communication Protocols and Algorithms (SCPA 2013).
[3] Laishun Z, Minglei Z, Yuanbo G. 2010. A Client Puzzle Based Defense Mechanism to Resist DoS Attacks in WLAN. International Forum on Technology and Applications.
[4] Simoneau P. 1997. Hands-On TCP/IP. McGraw-Hill Series on Computer Communications. New York, NY, USA.
[5] Jian W, Zhi-feng F, Yong C. 2012. Design and Implementation of Lightweight Wireless LAN Intrusion Detection System. Fourth International Conference on Multimedia Information Networking and Security.
[6] Krekan J, Pleva M, Dobos L. 2013. Statistical Models Based Password Candidates Generation for Specified Language Used in Wireless LAN Security Audit. IEEE 978-1-4799-0944-5/13.
[7] Haddadi F, Sarram M A. 2010. Wireless Intrusion Detection System Using a Lightweight Agent. Second International Conference on Computer and Network Technology. 978-0-7695-4042-9/10.
[8] Kavitha P, Usha M. 2013. Detecting Anomalies in WLAN using Discrimination Algorithm. Computing, Communications and Networking Technologies (ICCCNT), 2013 Fourth International Conference on. Tiruchengode.
[9] Mar J, Yeh Y C, Hsiao I F. 2010. An ANFIS-IDS against Deauthentication DOS Attacks for a WLAN. Information Theory and its Applications (ISITA), International Symposium. Taichung, Taiwan.
[10] White C. 2011. "Red Robin forces phone number as password, says not to share". http://www.neowin.net/news/red-robin-forces-phonenumber-as-password-says-not-to-share. Online. 7 April 2014.
[11] Wildpackets. 2013. WLAN packet types. http://www.wildpackets.com/resources/compendium/wireless_lan/wlan_packet_types. Online. 21 April 2014.
[12] Konings B, Schaub F, Kargl F, Dietzel S. 2009. Channel Switch and Quiet Attack: New DoS Attacks Exploiting the 802.11 Standard. IEEE 34th Conference on Local Computer Networks (LCN 2009). Zurich, Switzerland.
[13] Milliken J, Selis V, Yap K M, Marshall A. 2013. Impact of Metric Selection on Wireless DeAuthentication DoS Attack Performance. IEEE Wireless Communications Letters, Vol. 2, No. 5. DOI 10.1109/WCL.2013.072513.130428.
[14] Khatib K. 2010. Impact of Feature Reduction on the Efficiency of Wireless Intrusion Detection Systems. IEEE Transactions on Parallel and Distributed Systems.
[15] Dong Q, Gao L, Li X. 2010. A New Client-Puzzle Based DoS-Resistant Scheme of IEEE 802.11i Wireless Authentication Protocol. 3rd International Conference on Biomedical Engineering and Informatics (BMEI 2010). Yantai, China. IEEE DOI: 10.1109/BMEI.2010.5639818.
