Sunday, October 16, 2016

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.2 - Attack against MAC filters

2.2 - Attack against MAC filters

- One of the most widely used security measures consists of protecting access to a network with a MAC filter implemented on the Access Point. However, this practice will show that filtering MACs is actually useless, because the filter can be defeated. MAC filtering is modelled on the usual wired firewalls, where there is a list of allowed and denied devices. In fact, MAC filtering is added by the AP software and is not really part of the 802.11 security standard.

- For instance, let's filter the access of the attacker "kali" (00:C0:CA:72:1A:36) with the AP's option MAC Restrict Mode equal to Deny:

- As we can see, now there is just one legitimate client connected, "roch". 

- On "kali"'s wlan0 interface, it is verified that its MAC address is 00:C0:CA:72:1A:36:

- If "kali" tries to connect to the network "spaniard" it will be rejected due to the filter:

- This screenshot shows the status of a failed connection: Access Point = Not-Associated:

- Wireshark detects Authentication failure packets between the AP (Motorola) and the attacker "kali" (Alfa card):

- To start the attack from "kali", the first step is to write down the MAC of the legitimate connected client "roch", 28:C6:8E:63:15:6B, which airodump-ng shows in clear text. Shortly, that number will be of great value:

- The interface wlan0 is turned off:

- With the command macchanger, wlan0's MAC address is replaced with the MAC of the legitimate client "roch", which airodump-ng has shown in clear text:

- The interface wlan0 is turned on:

- It is checked that wlan0 now has a different MAC address from the original one:

- Then, the connection to "spaniard" is tried again:

- The connection is successful, because the status has changed to Access Point = 00:25:F2:9B:91:23.

- The conclusion of this practice is that an attacker whose access to a network is prohibited by a MAC filter implemented at the AP is able to beat the filter just by spoofing its own MAC address, replacing it with the MAC of a legitimate client. How to find out the legitimate client's MAC? As usual, airodump-ng solves that step.

- What is really shocking is to verify that even the AP gets confused, because it reads the spoofed MAC address of the attacker "kali" as if it were the legitimate one:
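Because the AP itself cannot tell the two stations apart by MAC, a defender who wants to notice this has to look at something the filter ignores. One well-known heuristic is 802.11 sequence-number continuity: every radio keeps its own 12-bit sequence counter that only moves forward (modulo 4096), so two radios transmitting under the same MAC interleave two independent counters and the observed sequence repeatedly jumps backwards. The script below is an added example written for this post, not part of the original practice; the frame records are constructed (the "roch" MAC from the page plus a made-up second client), not a real capture, and it assumes a monitor-mode sniffer has already extracted (timestamp, source MAC, sequence number) from the frames it sees.

```python
from collections import defaultdict

SEQ_MODULO = 4096        # the 802.11 sequence-control counter is 12 bits wide
BACKWARD_TOLERANCE = 8   # retransmissions and reordering can legitimately step back a little

# Constructed sample: (timestamp, source MAC, sequence number) as a sniffer would
# record them. "28:C6:8E:63:15:6B" is the legitimate client "roch"; a second radio
# using the same MAC (a freshly brought-up interface, so its counter starts low)
# interleaves frames 17, 18, 19 with roch's 1201..1206. "aa:bb:cc:00:00:01" is a
# made-up benign client showing a retransmission and a counter wraparound.
FRAMES = [
    (1.00, "28:C6:8E:63:15:6B", 1201),
    (1.02, "aa:bb:cc:00:00:01", 4094),
    (1.05, "28:C6:8E:63:15:6B", 1202),
    (1.07, "aa:bb:cc:00:00:01", 4095),
    (1.10, "28:C6:8E:63:15:6B", 1203),
    (1.11, "aa:bb:cc:00:00:01", 4095),   # retransmission: same seq again, delta 0
    (1.12, "28:C6:8E:63:15:6B", 17),     # second radio under roch's MAC
    (1.13, "aa:bb:cc:00:00:01", 0),      # wraparound 4095 -> 0 is a forward step of +1
    (1.15, "28:C6:8E:63:15:6B", 1204),
    (1.17, "28:C6:8E:63:15:6B", 18),
    (1.19, "aa:bb:cc:00:00:01", 1),
    (1.20, "28:C6:8E:63:15:6B", 1205),
    (1.22, "28:C6:8E:63:15:6B", 19),
    (1.25, "28:C6:8E:63:15:6B", 1206),
]


def seq_delta(prev, cur):
    """Signed distance from prev to cur on the 12-bit ring, in [-2048, 2047].
    Wraparound (4095 -> 0) therefore counts as +1, not -4095."""
    d = (cur - prev) % SEQ_MODULO
    return d - SEQ_MODULO if d >= SEQ_MODULO // 2 else d


def find_spoofed_macs(frames, tolerance=BACKWARD_TOLERANCE):
    """Return {mac: [(timestamp, previous_seq, offending_seq), ...]} for every
    source MAC whose sequence number steps backwards by more than `tolerance`.
    A single radio never does this beyond a few retransmissions; two radios
    sharing one MAC trip the check on almost every alternation."""
    last_seq = {}
    anomalies = defaultdict(list)
    for ts, mac, seq in frames:
        mac = mac.lower()                      # normalise case so keys compare equal
        if mac in last_seq and seq_delta(last_seq[mac], seq) < -tolerance:
            anomalies[mac].append((ts, last_seq[mac], seq))
        last_seq[mac] = seq
    return dict(anomalies)


if __name__ == "__main__":
    for mac, events in find_spoofed_macs(FRAMES).items():
        ts, prev, cur = events[0]
        print(f"{mac}: {len(events)} backward sequence jumps "
              f"(first at t={ts}: {prev} -> {cur}); likely a second radio on this MAC")
```

Only the "roch" MAC is reported, with three backward jumps; the benign client's retransmission and wraparound are not flagged. The heuristic only works while both radios are transmitting, so it says nothing once the legitimate client has gone quiet, and its real lesson is the one the practice draws: a MAC is an identifier, not a credential, and access control has to rest on authentication (WPA2/WPA3, ideally with 802.1X) rather than on the filter.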