Void11 Rogue Access Point Counter-Offense
Posted by William
After looking at many high-priced solutions for wireless protection, the one feature they all had was the ability to prevent
hosts from authenticating to a rogue access point. All they did was send a deauth frame to knock the station off,
and we already know something that can do this! Detection of rogue access points can be done easily enough with Kismet, but
using Void11 as an active defense in response is better. You have all used void11 for deauthenticating hosts on an access
point, but let us use it in a more constructive way. You can create a text file with BSSID and SSID entries and have
void11 either deny or permit the entries listed. Void11 calls this a matchlist. When a rogue access point comes online, its
SSID or BSSID will be compared against the matchlist and void11 will promptly deauthenticate any host that associates to it.
By default void11 will permit all entries in a matchlist.
To specify entries within a matchlist the following syntax is used (put an empty new line after each entry):

Match BSSID:  B:00:09:5B:23:A4:9E
Match SSID:   S:AP_1

Create a matchlist with all the BSSIDs and SSIDs of your access points. Here is an example. Assume you have four access points with the BSSIDs of:

BSSID #1: 00:09:5B:FE:80:4A
BSSID #2: 00:09:5B:3A:1C:01
BSSID #3: 00:09:5B:6E:F2:E6
BSSID #4: 00:09:5B:22:A3:E2

Also the SSID is:

SSID: Krasnaya

Put both the SSID and BSSIDs of the access points into a text file that looks like the following:

S:Krasnaya

B:00:09:5B:FE:80:4A

B:00:09:5B:3A:1C:01

B:00:09:5B:6E:F2:E6

B:00:09:5B:22:A3:E2
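A small script that builds the matchlist above from an inventory of your own access points, validates each BSSID so a typo does not silently leave an AP out of the permit list, and reads the file back for checking. This is an added example, not code from the original post or from the void11 project; the SSID and BSSIDs are the constructed sample values from the post, and the file layout (S:/B: entries, empty line after each) follows the format described above.

```python
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample inventory: the SSID and four BSSIDs from the post.
AUTHORISED_SSIDS = ["Krasnaya"]
AUTHORISED_BSSIDS = [
    "00:09:5B:FE:80:4A",
    "00:09:5b:3a:1c:01",  # lower case on purpose; normalised below
    "00:09:5B:6E:F2:E6",
    "00:09:5B:22:A3:E2",
]

def normalise_bssid(bssid: str) -> str:
    """Reject malformed MACs and return the upper-case form used in the post."""
    if not MAC_RE.match(bssid):
        raise ValueError(f"not a valid BSSID: {bssid!r}")
    return bssid.upper()

def build_matchlist(ssids, bssids) -> str:
    """Render matchlist text: S:/B: entries, each followed by an empty line."""
    lines = []
    for ssid in ssids:
        if not ssid or "\n" in ssid:
            raise ValueError(f"bad SSID: {ssid!r}")
        lines.append("S:" + ssid)
    for bssid in bssids:
        lines.append("B:" + normalise_bssid(bssid))
    # "\n\n" after every entry gives the empty line the format requires.
    return "".join(line + "\n\n" for line in lines)

def parse_matchlist(text: str):
    """Read matchlist text back into (ssids, bssids); unknown entries fail."""
    ssids, bssids = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank separator between entries
        kind, _, value = line.partition(":")
        if kind == "S":
            ssids.append(value)
        elif kind == "B":
            bssids.append(normalise_bssid(value))
        else:
            raise ValueError(f"unknown matchlist entry: {raw!r}")
    return ssids, bssids

if __name__ == "__main__":
    with open("matchlist", "w") as fh:  # the file later given to void11 with -l
        fh.write(build_matchlist(AUTHORISED_SSIDS, AUTHORISED_BSSIDS))
```

Run it once to write `matchlist`, then diff the parsed result against your AP inventory whenever an access point is added or replaced.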
Now it is time to run void11. You will require a Prism 2/2.5 wireless card running with the hostap drivers.
The steps to configure the Prism card and void11 are:

1) Use hostap drivers

switch-to-hostap

Eject and reinsert your card.

2) Prepare the card to use void11

iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master

3) Start channel hopping and void11

Channel hopping:
void11_hopper >/dev/null &

Void11:
void11_penetration -l matchlist -D wlan0

(Ignore the "ioctl[PRISM_IOCTL_HOSTAPD]: Invalid argument" error; void11 will still function.)
Shortfalls
A skilled wireless hacker could simply spoof his rogue AP's SSID and BSSID with a valid one sniffed using Kismet and evade the void11 defense, but using the same BSSID puts a duplicate BSSID on the air, and using Kismet you can detect it. As a temporary solution you could change the SSIDs, if possible, to knock clients off the rogue access point, but this is difficult on large-scale wireless networks. In the end it becomes a game of cat and mouse to find the location of the rogue access point.
Now when any client attempts to associate to a rogue access point it will be kicked off, leaving the rogue AP useless. Some ideas for a practical deployment would be to use a notebook computer with a high-power wifi card, either a Senao NL-2511 or an SMC2532W-B, with either an external omni or a directional patch antenna to provide extended coverage. Maybe two antennas using both connectors on the card would work also. I will work on a script to automate void11 setup for use as a startup script to make this type of solution more reliable.
~William