Wireless Spoofing

There are well-known attack techniques known as spoofing in both wired and wireless networks. The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate looking but non-existent values, or with values that belong to others. The attacker would have collected these legitimate values through sniffing.

MAC Address Spoofing

The attacker generally desires to be hidden. But the probing activity injects frames that are observable by system administrators. The attacker fills the Sender MAC Address field of the injected frames with a spoofed value so that his equipment is not identified.

Typical APs control access by permitting only those stations with known MAC addresses. Either the attacker has to compromise a computer system that has a station, or he spoofs with legitimate MAC addresses in frames that he manufactures. MAC addresses are assigned at the time of manufacture, but setting the MAC address of a wireless card or AP to an arbitrary chosen value is a simple matter of invoking an appropriate software tool that engages in a dialog with the user and accepts values. Such tools are routinely included when a station or AP is purchased. The attacker, however, changes the MAC address programmatically, sends several frames with that address, and repeats this with another MAC address. In a period of a second, this can happen several thousand times.

When an AP is not filtering MAC addresses, there is no need for the attacker to use legitimate MAC addresses. However, in certain attacks, the attacker needs to have a large number of MAC addresses than he could collect by sniffing. Random MAC addresses are generated. However, not every random sequence of six bytes is a MAC address. The IEEE assigns globally the first three bytes, and the manufacturer chooses the last three bytes. The officially assigned numbers are publicly available. The attacker generates a random MAC address by selecting an IEEE-assigned three bytes appended with an additional three random bytes.

IP spoofing

Replacing the true IP address of the sender (or, in rare cases, the destination) with a different address is known as IP spoofing. This is a necessary operation in many attacks.

The IP layer of the OS simply trusts that the source address, as it appears in an IP packet is valid. It assumes that the packet it received indeed was sent by the host officially assigned that source address. Because the IP layer of the OS normally adds these IP addresses to a data packet, a spoofer must circumvent the IP layer and talk directly to the raw network device. Note that the attacker’s machine cannot simply be assigned the IP address of another host X using ifconfig or a similar configuration tool. Other hosts, as well as X, will discover (through ARP, for example) that there are two machines with the same IP address.

IP spoofing is an integral part of many attacks. For example, an attacker can silence a host A from sending further packets to B by sending a spoofed packet announcing a window size of zero to A as though it originated from B.

Frame Spoofing

The attacker will inject frames that are valid by 802.11 specifications, but whose content is carefully spoofed as described above.

Frames themselves are not authenticated in 802.11 networks. So when a frame has a spoofed source address, it cannot be detected unless the address is wholly bogus. If the frame to be spoofed is a management or control frame, there is no encryption to deal with. If it is a data frame, perhaps as part of an on-going MITM attack, the data payload must be properly encrypted.

Construction of the byte stream that constitutes a spoofed frame is a programming matter once the attacker has gathered the needed information through sniffing and probing. There are software libraries that ease this task. Examples of such libraries are libpcap (sourceforge.net/projects/libpcap/), libnet (libnet.sourceforge.net/), libdnet (libdnet. sourceforge.net/) and libradiate (www.packetfactory.net/projects/libradiate/ ).

The difficulty here is not in the construction of the contents of the frame, but in getting, it radiated (transmitted) by the station or an AP. This requires control over the firmware and driver of the wireless card that may sanitize certain fields of a frame. Therefore, the attacker selects his equipment carefully. Currently, there are off-the-shelf wireless cards that can be manipulated. In addition, the construction of special purpose wireless cards is within the reach of a resourceful attacker.

Source : http://www.cs.wright.edu