Saying No to the YESMAN - Defense Against Jasager

With work returning to “normal” levels I began digging through my backlog of seclist updates, errata updates and security-related podcasts.

One particular attack method has me concerned as a typical Paranoid Systems Admin, namely the one covered by Darren @,

Combining jasager and airdrop-ng allows you to easily set yourself up as a transparent m.i.t.m, so I began thinking about how you would defend against such an attack, one where most if not all wifi clients switch to jasager transparently without the user ever knowing. Remember, this is all theory at this point and it could be completely wrong, so please leave feedback in the comments.

Before I begin, let’s make a couple of assumptions.

  1. You are the admin for your network
  2. You are in control of all AP’s on your network

If you cannot confirm 1 & 2 then you can land yourself in a whole heap of trouble, so please think before you do anything …

That said, on to a possible defense scenario: making airdrop-ng work as a “shield”.

The main premise of airdrop-ng is to send DeAuth packets forcing a wifi client to reconnect. Darren’s jasager + airdrop-ng podcast (“Airport wifi challenge”) used this in conjunction with jasager to force clients to reconnect, but to jasager instead, essentially denying access to the real APs and masquerading as them using jasager.

With me so far?

  1. Client is connected to REAL Access Point
  2. airdrop-ng sends DeAuth for all BSSIDs except jasager’s
  3. Client Attempts to reconnect, jasager masquerades as the REAL AP
  4. Client is now pwned.

To repurpose airdrop-ng as a “shield”, we change step 2 above.

  1. Client is connected to REAL Access Point
  2. airdrop-ng sends DeAuth for all BSSIDs except the REAL access point

Now this does cause a problem for any genuine “pop up” wifi, such as the sharing functionality on Mac OS X and mobile hotspots (wifi 3G), but it is one possible method of defense.

If you have some theories related to detecting and defeating WiFi m.i.t.m attacks please let me know, I’d love to hear them.

I’ll work on getting a screencast for this up as soon as possible.

  • this will not protect against BSSID / MAC spoofing.
  • this will only protect against a rogue AP BSSID masquerading as your valid AP.
  • this will only work within range of the wifi device generating the DeAuth packets.
  • improper configuration could cause D.o.S of nearby REAL APs and generally piss people off.
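Before any “shield” can act, you need to know which BSSIDs beaconing your SSID are not yours, and you want to notice the DeAuth burst that the jasager + airdrop-ng combination relies on. The following detector is an added example, not code from the post or from either project; the frame records, BSSIDs and SSIDs are constructed, and it assumes a capture tool has already decoded 802.11 management frames into the fields shown.

```python
from collections import Counter

# Assumed: the BSSIDs of every AP you control (assumption 2 in the post).
KNOWN_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:56"}
OUR_SSID = "CorpWiFi"

# Constructed sample of decoded 802.11 management frames; a real capture
# tool would supply these fields (all values here are made up).
FRAMES = [
    {"type": "beacon", "bssid": "00:11:22:33:44:55", "ssid": "CorpWiFi"},
    {"type": "beacon", "bssid": "00:11:22:33:44:56", "ssid": "CorpWiFi"},
    {"type": "beacon", "bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi"},
    {"type": "beacon", "bssid": "aa:bb:cc:dd:ee:ff", "ssid": "CoffeeShop"},
    {"type": "deauth", "bssid": "00:11:22:33:44:55", "dst": "ff:ff:ff:ff:ff:ff"},
    {"type": "deauth", "bssid": "00:11:22:33:44:55", "dst": "ff:ff:ff:ff:ff:ff"},
    {"type": "deauth", "bssid": "00:11:22:33:44:55", "dst": "ff:ff:ff:ff:ff:ff"},
    {"type": "deauth", "bssid": "00:11:22:33:44:55", "dst": "ff:ff:ff:ff:ff:ff"},
    {"type": "deauth", "bssid": "aa:bb:cc:dd:ee:ff", "dst": "11:22:33:44:55:66"},
]


def find_rogue_aps(frames, our_ssid, known_bssids):
    """BSSIDs beaconing our SSID that are not APs we control.

    Catches a jasager-style AP answering to our SSID with its own BSSID;
    as the post's caveat says, it cannot catch an AP that also spoofs
    one of our real BSSIDs.
    """
    return {
        f["bssid"]
        for f in frames
        if f["type"] == "beacon"
        and f["ssid"] == our_ssid
        and f["bssid"] not in known_bssids
    }


def deauth_bursts(frames, threshold):
    """BSSIDs appearing as the sender of at least `threshold` DeAuth frames.

    airdrop-ng forges DeAuths in the name of the real AP, so a burst that
    claims to come from one of our own BSSIDs is the thing to alert on,
    even when the rogue AP's beacons pass the allowlist check above.
    """
    counts = Counter(f["bssid"] for f in frames if f["type"] == "deauth")
    return {bssid: n for bssid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("rogue APs:", find_rogue_aps(FRAMES, OUR_SSID, KNOWN_BSSIDS))
    print("DeAuth bursts:", deauth_bursts(FRAMES, 3))
```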

Update 04/10/2011: It seems that the project wifijammer can do exactly what I outlined above. Via: Hackaday