Ethical Hacking and Penetration Testing Guide

Speeding Up the Process
In case we don't want to wait for the client to disconnect and then reconnect, we can perform a
deauthentication attack as explained earlier to force all the clients associated with that access point
(which we want to target) to disconnect and then reconnect to the access point.
Command:
aireplay-ng -0 3 -a 64:70:02:8A:12:94 mon0
The -0 stands for the deauthentication attack, followed by the number 3, which would send
exactly three deauthentication packets. The -a parameter is used to specify the MAC address of the
target access point, which in this case would be 64:70:02:8A:12:94, followed by our interface mon0.
Bypassing MAC Filters on Wireless Networks
Apart from hiding the SSID, it's also a common practice for network administrators to apply
MAC filtering on the access point so that only hosts whose MAC addresses are on the white list are
able to connect to the access point. This is done in colleges and universities where they only want
registered students to have access to the Internet. MAC filtering is also a part of low-level security
along with hiding the SSID; however, just like the hidden SSID, this security measure terribly fails
in the real world, since an attacker can spoof a legitimate MAC address to connect to the access
point. Here is how this attack would be carried out:
1. The attacker would scan the access point for the hosts that are already connected to the
access point.
2. Next, the attacker would note down the MAC address of the legitimate client that is connected
to the access point and spoof that MAC address to get into the white list, and would then
be able to connect and use the access point.
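Both techniques on this page leave traces a wireless IDS can see: a deauthentication attack shows up as a burst of deauth frames claiming to come from one transmitter, and a spoofed client MAC shows up as two radios driving the same address, each with its own 802.11 sequence counter, so the sequence numbers observed for that MAC jump backwards. The following is an added example from the defender's side, not code from the book; it parses constructed raw 802.11 frames with the standard 24-byte header layout and flags both patterns. The frames, the threshold of three deauth frames and the "backwards by more than half the 4096 sequence space" rule are assumptions chosen for the example.

```python
import struct
from collections import defaultdict

# Constructed example (not from the book): a minimal 802.11 monitor that flags
#   * a burst of deauthentication frames from one transmitter, and
#   * one client MAC being driven by two radios (MAC spoofing), revealed by the
#     802.11 sequence counter running backwards.
# All frames are built by hand below; no real capture is used.

# 802.11 header: frame control, duration, addr1 (receiver), addr2 (transmitter),
# addr3 (BSSID for the frames used here), sequence control. All little-endian.
HDR = struct.Struct("<HH6s6s6sH")
MGMT_TYPE = 0
DATA_TYPE = 2
DEAUTH_SUBTYPE = 12          # management subtype 0b1100

# Addresses taken from the page; "AP" is the BSSID of the ESSID "ROMEO" example.
AP = "F4:3E:61:9C:77:3B"
CLIENT_A = "B0:D0:9C:5C:EF:86"
CLIENT_B = "48:DC:FB:B1:F3:7D"
BROADCAST = "FF:FF:FF:FF:FF:FF"


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def parse_header(frame):
    """Return (type, subtype, addr1, addr2, addr3, sequence number) of a raw frame."""
    fc, _duration, a1, a2, a3, seq_ctrl = HDR.unpack_from(frame)
    ftype = (fc >> 2) & 0x3          # bits 2-3 of the first frame-control byte
    subtype = (fc >> 4) & 0xF        # bits 4-7
    return ftype, subtype, mac_str(a1), mac_str(a2), mac_str(a3), seq_ctrl >> 4


def build_frame(ftype, subtype, dst, src, bssid, seq_num, body=b""):
    """Constructed frame builder, used only to generate the sample input."""
    fc = (ftype << 2) | (subtype << 4)
    return HDR.pack(fc, 0, mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), seq_num << 4) + body


def detect(frames, deauth_threshold=3):
    """Return ({transmitter: deauth count} over the threshold, [(mac, last_seq, new_seq)])."""
    deauth_count = defaultdict(int)
    last_seq = {}
    spoof_alerts = []
    for frame in frames:
        ftype, subtype, _dst, src, _bssid, seq = parse_header(frame)
        if ftype == MGMT_TYPE and subtype == DEAUTH_SUBTYPE:
            deauth_count[src] += 1
        # A genuine station increments its sequence counter; a second radio using the
        # same MAC has its own counter, so we see jumps backwards (modulo 4096) that
        # retransmissions (step 0) and wrap-around (small forward step) cannot explain.
        if src in last_seq:
            step = (seq - last_seq[src]) & 0xFFF
            if step > 2048:
                spoof_alerts.append((src, last_seq[src], seq))
        last_seq[src] = seq
    deauth_alerts = {mac: n for mac, n in deauth_count.items() if n >= deauth_threshold}
    return deauth_alerts, spoof_alerts


def sample_frames():
    """Constructed capture: normal traffic, three deauths spoofed as the AP, then a cloned MAC."""
    reason = struct.pack("<H", 7)    # reason code 7: class 3 frame from a non-associated STA
    frames = [build_frame(DATA_TYPE, 0, AP, CLIENT_B, AP, s) for s in (500, 501)]
    frames += [build_frame(DATA_TYPE, 0, AP, CLIENT_A, AP, s) for s in (100, 101, 102)]
    frames += [build_frame(MGMT_TYPE, DEAUTH_SUBTYPE, BROADCAST, AP, AP, s, reason) for s in (1, 2, 3)]
    # CLIENT_A's real radio continues at 103; a second radio cloning its MAC starts at 7.
    frames += [build_frame(DATA_TYPE, 0, AP, CLIENT_A, AP, s) for s in (7, 103, 8)]
    return frames


if __name__ == "__main__":
    deauths, spoofs = detect(sample_frames())
    for mac, n in deauths.items():
        print(f"deauth burst: {n} frames transmitted as {mac}")
    for mac, prev, now in spoofs:
        print(f"possible MAC spoofing: {mac} sequence went {prev} -> {now}")
```

Keying the deauth count on the transmitter address (addr2) rather than addr3 means a deauth flood spoofing the AP and one spoofing a client are both counted against the address being impersonated, which is the address the operator would then look for in the association table.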
So here is how we would combine airodump-ng and macchanger to bypass MAC filtering
restrictions:
Note: Make sure that you already have monitor mode enabled before performing the following
steps.
Step 1 —The first command we would use is "airodump-ng" to scan for all the neighbor networks.
To demonstrate this attack, we would assume that the access point with ESSID
"ROMEO" having a BSSID of "F4:3E:61:9C:77:3B" has enabled MAC filtering and only a
set of allowed MAC addresses are able to connect to this access point.
Step 2 —The next step would be to find a client that is already associated with the access point.
We will use airodump to find it for us.
Command:
airodump-ng -c 1 -a --bssid F4:3E:61:9C:77:3B mon0
Since the access point is on channel 1, we would type -c 1; the -a parameter would display only
clients that are currently associated with the access point.
The output shows us that two stations are currently up with MAC addresses
B0:D0:9C:5C:EF:86 and 48:DC:FB:B1:F3:7D.
Step 3 —The final step would be to spoof our MAC address and change it to one of the client’s.
We can use a neat program in BackTrack called macchanger, but for that, we would need to
disable the monitor mode first.
Command:
airmon-ng stop wlan0
Next, we would use the following command to spoof our current MAC address.
macchanger -m B0:D0:9C:5C:EF:86 wlan0
The MAC address of the client, B0:D0:9C:5C:EF:86, is already associated with the access
point. Finally, we would issue the following command to bring the wlan0 interface up.