A supporting slide deck for Digital Silence's 2018 talk from HackWest, BSides KC, and Thotcon. A supplemental blog post with more useful written information can be found at: https://digitalsilence.com/5ghz-electronic-warfare-part-1-attacking-802-11n-networks You can check out the source code at: https://github.com/s0lst1c3/eaphammer

1. 5GHz Electronic Warfare
Part I - 802.11n

2. net user author /domain
Gabriel Ryan
Co-Founder / Principal Security Consultant @ Digital Silence
@s0lst1c3 @digitalsilence_
gabriel@digitalsilence.com

3. Typical Enterprise WiFi Configurations will have
Dedicated networks for:
● Guest internet
● Corporate network access
● Possibly BYOD
Varying levels of security for each of these. However, if it’s important it’ll probably
be protected using WPA-EAP

4. Unless it’s ICS/SCADA, in
which case it’ll probably be
protected by WEP

5. How do you attack WPA-EAP?
The primary means of breaching WPA-EAP networks is the Rogue AP Attack
● Bread of butter of wireless pentesting

6. Rogue AP Attack
Force client devices to connect to the attacker’s access point. Most reliable way
of doing this == evil twin attack

9. (VERY) High level WPA2-EAP overview

11. The problem
To perform an evil twin attack, the attacker must either:
1. Entice a client device to roam to a rogue AP by providing a better connection
(higher signal strength, better signal to noise ratio)
2. Coerce a client device to roam to a rogue AP by denying access to legitimate
AP (deauth packets)

12. The problem
Most modern hardware uses 802.11ac or 802.11n.
Existing tools for performing rogue AP attacks either:
1. Don’t support 802.11n and 802.11ac at all
2. Only do so with extensive manual configuration
What this means: timeboxed pentesters stuck using 802.11g or 802.11a

13. 802.11n and 802.11ac provide notably better
throughput than 802.11a or 802.11g
802.11g – maximum of 54 Mbps
802.11n – theoretically can reach speeds of 600-900 Mbps (300 Mbps more
realistic)

17. What this means
It is very difficult to entice a client to roam from a 40 MHz 802.11n access point
to a 20MHz 802.11g rogue access point.
Coercion through denial service the only viable option in most cases.

19. Why coercion doesn’t always work
● Very rarely will you be going up against a single AP
● When you deauth a single AP the clients will just roam to another 802.11n or
802.11ac AP

27. Can’t you solve this problem by deauthenticating
BOTH target access points?
Sure, you’ll just need 3 WiFi interfaces (1 for rogue AP, 2 for deauthentication)
● but what if the target network uses 3 APs?
● now we need 4 WiFi interfaces
● … and so on and so forth
This can quickly get out of hand.

28. Other proposed solution: jam 5GHz spectrum using
SDR
I’ve heard of people doing this. Disclaimer: I do not endorse or recommend it.

29. Other proposed solution: jam 5GHz spectrum using
SDR
cat /dev/urandom | $FIVE_GHZ_SPECTRUM

32. Obviously a terrible idea
 Not a targeted attack
 802.11n and 802.11ac can still use 2.4Ghz spectrum
 5GHz used by all kinds of other neat stuff…. like aircraft radar

35. What we really need: a tool that can create rogue
APs using 802.11n and 802.11ac on both 2.4Ghz
and 5GHz spectrums
... This talk focuses primarily on 802.11n. Stay tuned
for 802.11ac.

36. Why 802.11n is so hard:
 Access point configuration is highly complicated
 Access points must be 802.11h compliant in order to work on DFS channels
(i.e. - must be able to detect and avoid interfering with airplane radar)
 BSS overlap prevention must be circumvented
What does any of this mean? Stay tuned for following sections.

37. Before we continue… let’s talk about 802.11n

38. 802.11n offers five main technical improvements:
● Multiple Input Multiple Output (MIMO)
● Spatial Multiplexing
● Channel Bonding
● Short Guard Interval
● Mac Layer Improvements

39. Multiple Input Multiple Output

40. Spatial Multiplexing

41. Without Spatial Multiplexing:

42. With Spatial Multiplexing:

43. How 802.11n Uses Spatial Multiplexing
Multiple data streams transmitted at the same time and on the same channel.
How this works:
 Transmitter splits data streams into multiple spatial streams using MIMO
signal process
 Each spatial stream is transmitted using a dedicated antenna
 Receiver recombines the spatial streams using MIMO signal process

44. Channel Bonding

45. Channel Bonding
Traditional 802.11 channels (assuming OFDM):
 20 MHz wide

47. 802.11n Channel Bonding
 Traditional 802.11 channels (assuming OFDM) are 20 MHz Wide
 Channel bonding combines two or adjacent channels to create a 40 MHz
wide channel, doubling bandwidth

49. Other improvements introduced by 802.11n:
 Short Guard Interval
 MAC improvements
This is a 45 minute presentation, so we don’t have time to talk about these ;)
Not as relevant to discussion as MIMO, spatial multiplexing, and channel
bonding. Look them up if you’re curious.

50. What this means for pentesters:
To create a rogue AP using 802.11n you must:
1. select a channel width (20 MHz or 40 MHz)
2. select an operating channel
3. select a hardware mode that works with that operating channel
4. set your HT parameters correctly

51. We’re not done…
To create a rogue AP using 802.11n you must:
5. decide whether to allow non-HT connections to your HT access point
6. select an appropriate number of spatial streams
Bonus: if you chose a 40MHz channel, you need to choose whether to place the
secondary channel above or below the primary channel. :D

52. If you mess up any of these up, hostapd
will either refuse to start or silently fail.

54. There is a method to this madness. You just need to
know what configuration options to use in any given
situation…

55. … or use a tool that will
handle configuration for
you.

56. Demo

57. Achieving 802.11h Compliance

58. Achieving 802.11h Compliance
● Certain parts of the 5Ghz spectrum are used by radar
● Regulations by FCC, EU, etc dictate that APs operating on this channel must
be capable of detecting and avoiding radar
● This means that if you want to legally operate on DFS channels, you need to
be compliant

59. Also a safety issue…

61. Achieving 802.11h Compliance
How we’ve addressed this:
● Added flags to eaphammer that enable 802.11h, granting access to DFS
channels
● Note: you may still have to enable DFS at the kernel level. That’s on you.
● For researchers: added flags that force eaphammer to use DFS channels
even if DFS is not enabled (do not use this outside of a lab)

62. Circumventing BSS Overlap Protection

64. BSS Conflicts:
Law of 802.11n - thou shall not occupy the same primary channel as another AP if
possible

65. BSS Conflicts
Evil Twin Attack - Deliberately occupying the same ESSID and channel
as another AP in order to force client devices to connect to the attacker

67. BSS Conflicts
Fortunately, we can resolve this issue by patching hostapd to ignore BSS
conflicts.
● People have been doing this for years, and it’s as easy as changing a couple
lines of code (hostapd only checks for conflicts at start) [3]

72. What’s been added to eaphammer:
Out of the box support for
● 5Ghz rogue access points
● 802.11n compatibility (ac comes next)
● Added support for wmm (for good measure)
● 802.11h compliant (yay)
● Minimal manual configuration needed, granular configuration still possible

73. Check out the source code:
https://github.com/s0lst1c3/eaphammer