I. INTRODUCTION
Figure 1: Physical design of WLAN testbed architecture
B. Attack scenarios
A few penetration test (pentest) procedures were run to simulate brute force attacks on the WLAN infrastructure built earlier in the testbed design module. The
aireplay-ng
airodump-ng
aircrack-ng
C. Data acquisition
This module is based on the work done by [5] and [2]. Traffic was captured using the open source packet analysis software Wireshark in promiscuous mode, filtering only traffic from the router to the management machine (WinXP). For each of the attack procedures described above, the minimum capture duration was 6 hours. The captured packets were stored in .cap format and were captured between 31 March 2014 and 6 April 2014 (mitigation procedures started on 7 April).
D. Packet analysis
The packets were analyzed using the Wireshark IO graph with the display filter expression listed below:
((((!(wlan_mgt.ssid == "A")) && !(wlan_mgt.ssid == "B")) && !(wlan_mgt.ssid == "C")) && !(wlan_mgt.ssid == "D")) && !(wlan_mgt.ssid == "E") && wlan.fc.type_subtype == 0x0c
E. Brute force activity
Aircrack-ng 1.1 r2178
[12:12:50] 129832652 keys tested (878.41 k/s)
KEY FOUND! [012XXX56XX].
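The display filter from Section D, re-implemented as an added example over raw 802.11 frames so the same count can be produced outside Wireshark. This is not code from the paper: the frames, MAC addresses and the SSID placeholders "A" to "E" are constructed here, and the frames are assumed to carry no radiotap or PPI header in front of the 24-byte MAC header.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# The five testbed SSIDs excluded by the filter; "A".."E" are the paper's placeholders.
TESTBED_SSIDS = {"A", "B", "C", "D", "E"}
DEAUTH = 0x0C        # wlan.fc.type_subtype == 0x0c (management type 0, subtype 12)
BEACON = 0x08
PROBE_REQ = 0x04
PROBE_RESP = 0x05


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_mgmt(subtype: int, dst: str, src: str, bssid: str, body: bytes = b"", seq: int = 0) -> bytes:
    """Constructed management frame: frame control, duration, addr1..3, sequence control, body."""
    fc = bytes([(subtype << 4) | 0x00, 0x00])          # protocol version 0, type 0 (management)
    return fc + b"\x00\x00" + mac(dst) + mac(src) + mac(bssid) + struct.pack("<H", seq << 4) + body


def beacon_body(ssid: str, interval_tu: int = 100) -> bytes:
    fixed = struct.pack("<QHH", 0, interval_tu, 0x0411)   # timestamp, beacon interval, capabilities
    return fixed + bytes([0, len(ssid)]) + ssid.encode()  # element id 0 = SSID


def deauth_body(reason: int = 7) -> bytes:
    return struct.pack("<H", reason)   # reason 7: class 3 frame from a non-associated station


@dataclass
class Frame:
    type_subtype: int
    dst: str
    src: str
    bssid: str
    ssid: Optional[str]


def parse_80211(raw: bytes) -> Frame:
    """Decode the fields the filter needs: type/subtype, the three addresses and the SSID element."""
    fc = raw[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    type_subtype = (ftype << 4) | subtype    # same encoding Wireshark shows in wlan.fc.type_subtype

    def addr(offset: int) -> str:
        return raw[offset:offset + 6].hex(":")

    ssid = None
    if ftype == 0 and subtype in (BEACON, PROBE_RESP, PROBE_REQ):
        pos = 24 + (0 if subtype == PROBE_REQ else 12)   # probe requests have no fixed fields
        while pos + 2 <= len(raw):                        # walk the tagged parameters
            eid, elen = raw[pos], raw[pos + 1]
            if eid == 0:
                ssid = raw[pos + 2:pos + 2 + elen].decode(errors="replace")
                break
            pos += 2 + elen
    return Frame(type_subtype, addr(4), addr(10), addr(16), ssid)


def matches_filter(f: Frame) -> bool:
    """!(wlan_mgt.ssid == "A") && ... && !(wlan_mgt.ssid == "E") && wlan.fc.type_subtype == 0x0c.
    A frame with no SSID element satisfies every negated clause, exactly as it does in Wireshark."""
    return f.ssid not in TESTBED_SSIDS and f.type_subtype == DEAUTH


def apply_filter(frames: List[bytes]) -> List[Frame]:
    return [f for f in map(parse_80211, frames) if matches_filter(f)]


# Constructed sample capture (not the paper's data).
AP, CLIENT, BCAST = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [
    build_mgmt(BEACON, BCAST, AP, AP, beacon_body("A")),                      # testbed beacon: excluded by SSID
    build_mgmt(BEACON, BCAST, "00:de:ad:be:ef:01", "00:de:ad:be:ef:01", beacon_body("Guest")),
    build_mgmt(DEAUTH, CLIENT, AP, AP, deauth_body(), seq=1),                 # deauth to one client: kept
    build_mgmt(DEAUTH, BCAST, AP, AP, deauth_body(), seq=2),                  # broadcast deauth: kept
    bytes([0x08, 0x01]) + b"\x00\x00" + mac(AP) + mac(CLIENT) + mac(AP) + b"\x00\x00",  # data frame: dropped
]

if __name__ == "__main__":
    for f in apply_filter(SAMPLE_FRAMES):
        print(f"deauth {f.src} -> {f.dst} (bssid {f.bssid})")
```

Deauthentication frames carry no SSID element, so each negated SSID clause is true for them and the expression reduces to a count of deauth frames; the SSID clauses only matter if the subtype test is dropped to look at beacons or probe responses from neighbouring networks. On a real .cap file, SAMPLE_FRAMES would be replaced with the frame payloads read from the capture after skipping any link-layer pseudo-header.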
F. Proposed mitigation techniques
The proposed countermeasures to mitigate brute force attacks are discussed in this section. Brute force can be done offline once the handshake information has been captured during deauthentication (DeAuth). It is therefore important to anticipate this series of actions before the attacker manages to obtain the wireless information.
The following are the proposed mitigation techniques that can be set directly by home users:
V. CONCLUSION
The deauthentication (DeAuth) pattern and the air sniffing activity that precede a brute force attack have been analyzed using several prescribed pentest suites. Extensive DeAuth activity was shown by a huge spike of frames of type wlan.fc.type_subtype == 0x0c, whereas air sniffing activity was indicated by a sudden increase of delta time after the DeAuth activity.
Two mitigation techniques have been applied at the targeted AP: 1) increasing the time interval of management frames of type beacon, to reduce its broadcasting of information frames, and 2) mapping its client MAC addresses.
Based on the results, by delaying beacon frames and mapping client MAC addresses, the attacker suite failed to communicate periodically with the targeted AP. This was shown by the following message:
10:07:28 No such BSSID available.
Please specify an ESSID (-e).
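The two indicators named in the conclusion, the spike of deauth frames on the IO graph and the rise in inter-frame delta time that follows it, as an added detection example that is not part of the paper. The timeline is constructed (frames every 0.1 s, a two-second burst of deauth frames, then frames every 1 s), and the spike thresholds and the comparison window are assumptions.

```python
from statistics import mean, median
from typing import Dict, List, Tuple

DEAUTH = 0x0C   # wlan.fc.type_subtype == 0x0c
DATA = 0x20     # wlan.fc.type_subtype for plain data frames

Record = Tuple[float, int]   # (frame.time_relative in seconds, wlan.fc.type_subtype)


def deauth_per_interval(records: List[Record], interval: float = 1.0) -> Dict[int, int]:
    """Deauth frames per time bucket: the series the IO graph plots for the deauth filter."""
    if not records:
        return {}
    last = int(max(t for t, _ in records) // interval)
    counts = {b: 0 for b in range(last + 1)}
    for t, ts in records:
        if ts == DEAUTH:
            counts[int(t // interval)] += 1
    return counts


def deauth_spike_intervals(counts: Dict[int, int], factor: float = 10.0, floor: int = 5) -> List[int]:
    """Buckets that stand out from the baseline: at least `floor` deauths and more than `factor`
    times the median bucket (assumed thresholds; a quiet home WLAN normally sees almost none)."""
    base = median(counts.values()) if counts else 0
    return sorted(b for b, c in counts.items() if c >= floor and c > factor * base)


def mean_delta_time(records: List[Record], start: float, end: float) -> float:
    """Mean gap between consecutive frames (Wireshark's frame.time_delta) within [start, end)."""
    ts = sorted(t for t, _ in records if start <= t < end)
    if len(ts) < 2:
        return float("nan")
    return mean(b - a for a, b in zip(ts, ts[1:]))


def delta_time_jump(records: List[Record], spikes: List[int], interval: float = 1.0, window: float = 5.0) -> float:
    """Ratio of the mean delta time in the window after the deauth burst to the window before it;
    a large ratio is the 'sudden increase of delta time after DeAuth activity' the paper reports."""
    before = mean_delta_time(records, spikes[0] * interval - window, spikes[0] * interval)
    after_start = (spikes[-1] + 1) * interval
    after = mean_delta_time(records, after_start, after_start + window)
    return after / before


def constructed_timeline() -> List[Record]:
    """Constructed capture: steady traffic, a deauth burst, then the clients go quiet."""
    normal = [(i / 10, DATA) for i in range(100)]             # 0.0 .. 9.9 s, 10 frames/s
    burst = [(10.0 + i / 50, DEAUTH) for i in range(100)]     # 10.0 .. 11.98 s, 50 deauth/s
    quiet = [(12.0 + i, DATA) for i in range(8)]              # 12 .. 19 s, 1 frame/s
    return normal + burst + quiet


def analyze(records: List[Record]) -> Tuple[List[int], float]:
    counts = deauth_per_interval(records)
    spikes = deauth_spike_intervals(counts)
    return spikes, (delta_time_jump(records, spikes) if spikes else float("nan"))


if __name__ == "__main__":
    spikes, jump = analyze(constructed_timeline())
    print(f"deauth spike in buckets {spikes}; delta time grew {jump:.1f}x afterwards")
```

The records would normally come from the capture itself (frame.time_relative and wlan.fc.type_subtype exported from Wireshark or read with a pcap library); the two functions then give the same picture as the IO graph plus the delta-time observation, without a GUI.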