The highest form of ignorance is when you reject something you don't know anything about.

Wayne Dyer (b 1940)

KisMAC Deep Digging: WPA Challenge Received

I am under attack? 
Is Someone Trying to Break Into my Network or Crack My Password? 

WPA Challenge Received 
ATTENTION! Received deauthentication frame. You might want to check for other WiFi people

This Topic is For Advanced KisMAC users.   The Reading and Understanding of KisMAC basics are a prerequisite.
The message "WPA Challenge Received" displayed if you have Growl installed,

The other message "ATTENTION! Received deauthentication frame. You might want to check for other WiFi people" is the warning message on the Console log.

Both are telling you one thing: During the scanning, a WPA Challenge was received: Deauthentication frames were sent in order to force an AP to give a response and capture the necessary 4-way EAPOL handshakes to start an "audit" of the WPA network key.

I am under attack? Is someone trying to break into my Network or Crack My Password? 

Not necessarily, Deauthentication Frames are broadcast with KisMAC in two ways:
  1. Direct Attack against a defined SSID (Deauthenticate)
  2. Broad Attack against all Networks     (Deauthenticate All Networks) (within the same channel)

There is no sure way with KisMAC to be 100% sure that a Deauthentication attack is directed DIRECTLY against you; Only few hints.

  • You have Channel hopping "OFF" and you are monitoring a single channel. i.e 6
  • You are monitoring your own channel. i.e 6
  • You are the sole AP on this precise Channel number. All other AP's are on different channels 
When ALL of those conditions are there, you could be fairly certain that somebody is playing with your Network. 

To the contrary, if you have Channel hopping enabled, you are listening to multiple Channels and can not be sure that it was directed against you.

What is a "Deauthenticate attack"?

No need to re-invent the wheel, here it is:
Excerpt from 802.11 standard, 802.11-2007   © IEEE

"... Deauthentication
The deauthentication service is invoked when an existing Open System or Shared Key authentication is to be terminated. Deauthentication is an SS.

In an ESS, because authentication is a prerequisite for association, the act of deauthentication shall cause the STA to be disassociated. The deauthentication service may be invoked by either authenticated party (non-AP STA or AP). Deauthentication is not a request; it is a notification. Deauthentication shall not be refused by either party. When an AP sends a deauthentication notice to an associated STA, the association shall also be terminated."

© IEEE , all rights reserved.

In Plain English, it explains that a Deauthentication attack is kinda like a Denial of Service Attack (DoS). KisMAC spoofed packets force (Flood) an AP with authentication frames and creates a series of tries to force the AP to respond. Those response are then captured (handshakes)
Deauthentication is very effective at revealing a hidden SSID (De-Cloaking) or capturing 4-way EAPOL handshake.

Deauthentication is an active attack, hence when performed you will leave the comfort and stealth of Monitor Mode. You'll go from solely listening to screaming.  Hence, you can be revealed.

How Can I Tell if I am Under Attack?

3 ways:  From simple to not that simple 

( in Applications   Utilities >> Console)

If you use , it's more General Messages and you have to look into Console Messages, it does not pop up on your screen
You have to look for the message "ATTENTION! Received deauthentication frame. You might want to check for other WiFi people"  AND it does not gives you the guarantee that you are a target. Solely the fact that a Challenge was broadcast.
A second type of message form Console log is a bit  more precise  : "KisMAC[14891]    Detected WPA challenge for 00:xx:xx:xx:B7:61!"  
 In this case, we can clearly see that the BSSID xxxxB7:61 was the target.  If you are xxxxB7:61 Then it's fairly clear that you are under attack. Still, you can not guess who sent you those Deauthentication frames...

Beside the fact that I highly recommend Growl, Growl notifications can give you a hint on the fact that,  if your screen is filled with notifications, there is a good chance that the attack is against you.  Or fairly close.  Let's say that "they" are aiming in your direction....
On the other side, if you see a "WPA Challenge received" every 2 minutes, there is a chance that one SSID is trying to play with another one, and you are in the middle and just hear the conversation. 
Just look at the message, take note of the MAC Address and BSSID , and search around you...

Multiple Growl Notifications 

Possible Attack against a single channel (you!)
In some case, you'll receive so many notifications that you will have to stop Growl.
Console Log Message: "Could not display Growl notification; no screen space available" is a hint that you have just received a bucket of Deauthentication frames.
it's hard to miss such a hint....
KisMAC sends a Deauthentication  frame every 100 ms by default, hence 10 per second, this is why it can flood Growl fairly easily.

 The Big Gun .... 

If you really want to know if it was directed against you, you'll need to take out the "Big Gun"
On the Preference Pane >> Driver >> the box "keep everything" was of course, checked.
On the same pane, you have noted that the file(s) were saved as  ~/DumpLog %y-%m-%d %H:%M

Note:  The Decrypt PCAP Dump Feature on KisMAC 0.3 has a bug (TKT #371) in order to use that feature you have to return to KisMAC 0.2.99.   The Dump Filter works on 0.3 

Ok ?
Then Go to your ~ folder and locate that DumpLog.
Take a deep breath.... and ... 

And.... be ready to Download WireShark from a trusted source*

  •   Is the "World Foremost Network Analyzer"
  •   Is something that will pull the guts out of any packets, frames or anything that was send via airwaves. 
  •   Is NOT for beginners
  •   Is NOT User Friendly unless you know what you do.

  1. Read the Wiki, Documentation and FAQ. 
  2. Read Again,  or Watch the Videos
  3. Open your Dumplog File with WireShark 
  4. select  proper filters and expressions... click apply .... and discover ... 
Then, you'll see that the attack was not directed against you, for sure.
The source of the Deauthentication  was a Cisco AP BSSID xxxxx:83 and the target another Cisco AP BSSID xxxx:61

More details ...

You can now save that file, return to KisMAC , and find who's playing ...
Plug your directional antenna , and you'll get a direction
Plug your GPS, lock on the SSID and you'll find who's playing with you.
If you don't have a GPS, here is a good one for ~$30, working with KisMAC.  It's on the RIGHT side, under "I recommend"

Decrypting Packets

In order to decrypt packets, you'll need the Network Key. In Wireshark, you can plug up to 7 keys.  Assuming that you have a capture file (DumpLog, PCAP or CAP) ,  Open Wireshark, and open your capture file.
Go to Edit >> Preferences >> Protocols
Then select IEEE 802.11 and on the right, enter up to 7 network keys.
Note: You HAVE TO check the box "Enable decryption"


* WireShark should be downloaded only from trusted sources, Links here as well as other trusted and tasty wifi downloads

There is a piece of Malware called "WireShark Antivirus" that is NOT related to WireShark. it's a fake Antivirus for Windows
In case of doubt:
a) You have a Mac, and not Windozes
b) Google before Install
c) Use an Antivirus on your Mac too! Some very good ones are Free for Mac 

 WARNING!!! Received a Probe flood from xx:xx:xx:xx:2E:BC. This usually means that this computer uses a cheap stumbler such as iStumbler, Macstumbler or Netstumbler!

4-way EAPOL handshake

KisMAC Dumplog
KisMAC GPS feature

No comments:

Post a Comment