We will learn the following topic in detail:
- The Best Wireless Adapters
- Beacon Frame
- Authentication Frame
- Deauthentication Packet
- Disassociation Packet
Recommended Wireless Card
As a penetration tester, to conduct any kind of wireless network attack, make sure that we have an appropriate wireless card. The wireless card should be a separate card from our main or daily wireless card that we use to use an external or USB Wi-Fi adapter. There are several criteria to select the best wireless card that we personally recommend. They are:
- Support a wide range of areas and pick a wireless card with an antenna. The larger the antennas are, the more powerful they usually are.
- Support the monitor mode and packet injection. It is used to scan the surrounding network,
- deauthentication or disassociation attack, and to capture the station’s WPA handshake.
Support the virtual interface. It is used to do an Evil Twin attack.
The Best USB Wi-Fi Adapters for Kali Linux
The following brand is the best Wi-Fi adapters that are mostly used by penetration testers. Note that we cut down the list only into two adapters so you have no confusion on choosing. They are as follows:
1. TP-Link TL-WN722N Version 1 (affordable). Please stay away from the higher version of it. Version 1 has an Atheros chipset which is great, but the newer version (v2-v4) uses a Realtek chipset. We tried and compared both chipsets on this TP-Link version (v1 and v2). With some configuration, version 2 could support the monitor and packet injection only. But you cannot use it to do an Evil Twin attack because it supports a virtual interface.
Figure 1.TP-Link TL-WN722N
2. Alfa Networks AWUS036NHA. The Alfa network Wi-Fi adapters are the best option, but the price tells. If you are willing to get a greater experience, it is better to invest in this stuff.
Figure 2. Alfa AWUS036NHA
How Wi-Fi Broadcasting Works
In this section, before jumping into the MDK4 tutorial, you should know how the Wi-Fi router works; not all the technology behind it but only limited to the relation of the client (station) and the access point. Trust me, this will help you understand how a specific attack mode works.
The modern Wi-Fi router already supports a multi SSIDs. Basically, it means that in the same router, we are able to configure several access points, and each of those SSIDs also has its own BSSID.
BSSID is the physical address of an access point or the MAC address. Every SSID broadcasts a beacon frame in a network range to any listening devices. These listening devices are any device that has a wireless card. It could be a laptop, a smartphone, an Internet of Things device, a repeater, and many more.
Imagine a beacon frame like a salesperson standing in front of a restaurant. He is in charge of advertising the restaurant, promoting the best-selling menu, and so on, to any and all passers. The people who could hear the salesperson are called a station (or a listening device).
The beacon frame carries a lot of information such as:
|SSID name||We call it the Wi-Fi name.|
|BSSID||The MAC address of the SSID.|
|Security||It provides the security options. For example, the open system (no password) or Shared Key (WEP, WPA, or WPA2).|
|Channel||The frequency that the SSID is working on.|
|Beacon interval||How many beacons frame does the access point sends out.|
Authentication and Association Frame
When a station receives a signal wave informing of a beacon frame and wants to connect to an access point, it first sends an authentication frame. This authentication frame contains the identity of a station, usually the MAC address.
The access point here is like a company that is currently opening a job vacancy. Then, comes an applicant (let’s call him “station”). The applicant visits the recruiter or HRD at the company with a curriculum vitae file containing his personal data (illustration of an authentication frame). Then, the HRD performs a match whether the applicant’s criteria meet the requirements of the available vacancy. The requirements here are similar to the security options on the access point (open or shared key). At this stage, an authentication process occurs. The applicants who meet the required criteria will receive a success message and then proceed to the association stage.
At the association stage, applicants will be given an employee identity card and get an access to traverse inside the company building. They can also communicate with the other employees in the company.
Deauthentication and Disassociation Packet
On the other hand, in the company, there is an old employee (we call it “station” again) who wishes to resign from the company. The employee does not immediately leave but sends a letter of resignation to the HRD. This is a deauthentication process. The resignation letter is called a deauthentication packet.
The HRD here does not have the authority to restrain the employee from leaving. There are no requirements whatsoever that can prevent this. Finally, the HRD inevitably agrees to the employee’s resignation request.
At this stage, the deauthentication process is completed. Then, we enter the disassociation stage. At this stage, the company withdraws the attributes and access rights of the employees who resigned. Now, the station and the company have no relationship. They are not connected anymore.
Understanding how the IEEE* 802.11 Authentication and Association at a glance help us to gain knowledge of how the access point deals with the stations. By knowing that information, we will know exactly how to conduct a wireless network jamming properly.