Follow me and make a little progress every day!!
Today I'm sharing a troubleshooting case. Here's the story:
The customer bought an AC+AP solution for the hotel's wireless network, about 100 APs in total, running both 2.4 GHz and 5 GHz. Over time, a number of guests complained that "the wireless network is terrible and won't connect at all":
(To protect privacy, the SSID name is set to "HOTEL_2.4G&5G")
The steady stream of bad reviews and complaints from guests hurt the hotel's reputation and cost it money. The owner told the IT department to fix it as soon as possible; the IT engineers tested and found the wired network was fine, so the problem was entirely on the wireless side.
With no other option, they called in the vendor. After talking with the people on site and the IT staff, we learned that the problem had only appeared in the past week; there was no such issue when the project was delivered. That was strange: the project had been running for a long time and only now did this happen, so it had to be either a device fault or interference. But after a series of investigations, the truth turned out not to be so simple!
【Network topology】
The network architecture is relatively simple: the hotel deploys 100+ APs, all centrally managed by an AC controller.
Details:
- Two SSIDs are configured on the AC and bound to all APs separately
- SSID configuration:
  - SSID1, bound only to 2.4G: HOTEL_2.4G
  - SSID2, bound only to the 5G band: HOTEL_5G
【Troubleshooting Analysis】
Step 1: Try wireless optimization
1. The symptom was obvious: phones and laptops could not associate with the hotel's HOTEL_2.4G or HOTEL_5G and showed "unable to access the network", "connection failure", "wireless deactivated" and so on;
2. So we tried channel isolation optimization and power optimization, but the problem remained; the tuning had no effect at all.
Step 2: Wireless frame interaction analysis
Since the connection failure was so obvious, the problem should show up in the probe, auth, associate, or EAPOL-Key stages between the phone and AP1. The problematic wireless frames were captured as follows (using a capture NIC + OmniPeek):
Authentication and association were in fact normal, but about 2 seconds later the Apple phone sent a Disassoc frame actively declaring disassociation, and AP1 answered with a Deauth frame after receiving it, i.e. it dropped its association with the Apple phone:
After the disassociation, the phone keeps trying to connect to AP1, but again either the phone declares disassociation itself or the AP declares it (the terminal is kicked off):
Only at this point did we realize that the wireless network on site was under attack. It was a deauth attack!!
Step 3: Further analyze the source of the wireless attack
Further analysis of the frames showed that the signal strength of the deauth and disassoc frames was very weak:
In fact, AP1 and the iPhone XR were right next to our capture NIC, so the phone's signal should have been very strong. For comparison, here are the normal frames filtered out:
In other words, the forged deauth and disassoc frames were sent by an attacking device some distance away, which is why the signal was attenuated; they did not come from the Apple phone or AP1. Once the AP and the iPhone receive the deauth/disassoc frames over the air, they disconnect immediately!
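The signal-strength reasoning in Step 3 can be turned into a simple detector. The following is an added example written for this article, not code from the original post or from any AP vendor: it parses the 802.11 MAC header of each captured frame, builds a per-transmitter RSSI baseline from normal traffic, and flags deauth/disassoc frames that claim to come from a client or AP but arrive far weaker than that device's genuine frames. The MAC addresses, RSSI values and the `mac_header` helper are constructed sample data; the `rssi_gap_db` threshold of 15 dB is an assumed tuning value.

```python
"""
Added example (not from the original post): detect deauth/disassoc frames
whose received signal strength does not match the claimed sender's baseline.
Input is a list of (rssi_dbm, frame_bytes) pairs, as a monitor-mode capture
with radiotap signal metadata would give once the radiotap header is stripped.
Only the 802.11 MAC header is parsed.
"""
import struct
from collections import defaultdict

TYPE_MGMT = 0
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C


def parse_frame(frame: bytes):
    """Return (type, subtype, addr1, addr2) from an 802.11 MAC header.

    Frame Control byte 0: bits 0-1 protocol version, bits 2-3 type,
    bits 4-7 subtype. Addr2 is the transmitter address in every frame
    that carries it, which is what the RSSI baseline is keyed on.
    """
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    addr1 = frame[4:10].hex(":")
    addr2 = frame[10:16].hex(":")
    return ftype, subtype, addr1, addr2


def detect_spoofed_disconnects(capture, rssi_gap_db=15, min_baseline=3):
    """Flag deauth/disassoc frames whose RSSI is far below the sender's baseline.

    The baseline for each transmitter MAC is the median RSSI of its
    non-disconnect frames seen so far, so every frame is judged against
    traffic that preceded it, as in a live capture. Returns alert dicts.
    """
    baseline = defaultdict(list)
    alerts = []
    for rssi, frame in capture:
        ftype, subtype, addr1, addr2 = parse_frame(frame)
        is_disconnect = ftype == TYPE_MGMT and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)
        if not is_disconnect:
            baseline[addr2].append(rssi)
            continue
        samples = sorted(baseline[addr2])
        kind = "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc"
        if len(samples) < min_baseline:
            typical = None
            verdict = "unknown"      # no history for this sender yet
        else:
            typical = samples[len(samples) // 2]
            verdict = "spoofed" if typical - rssi >= rssi_gap_db else "plausible"
        alerts.append({"kind": kind, "claimed_sender": addr2, "target": addr1,
                       "rssi": rssi, "baseline": typical, "verdict": verdict})
    return alerts


def mac_header(fc0, addr1, addr2, addr3, body=b""):
    """Assemble a minimal 802.11 MAC header for the constructed sample below."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (bytes([fc0, 0x00]) + struct.pack("<H", 0)      # frame control, duration
            + mac(addr1) + mac(addr2) + mac(addr3)
            + struct.pack("<H", 0) + body)                  # sequence control, body


# Constructed sample capture (locally administered MACs, not real devices).
PHONE = "02:00:00:00:00:01"   # the client
AP1 = "02:00:00:00:00:aa"     # the AP's BSSID
SAMPLE_CAPTURE = [
    (-55, mac_header(0xB0, AP1, PHONE, AP1)),               # authentication, phone -> AP
    (-50, mac_header(0xB0, PHONE, AP1, AP1)),               # authentication, AP -> phone
    (-56, mac_header(0x00, AP1, PHONE, AP1)),               # association request
    (-51, mac_header(0x10, PHONE, AP1, AP1)),               # association response
    (-54, mac_header(0x88, AP1, PHONE, AP1)),               # QoS data, phone -> AP
    (-52, mac_header(0x88, PHONE, AP1, AP1)),               # QoS data, AP -> phone
    (-84, mac_header(0xC0, PHONE, AP1, AP1, b"\x07\x00")),  # deauth "from AP1", much weaker
    (-86, mac_header(0xA0, AP1, PHONE, AP1, b"\x08\x00")),  # disassoc "from phone", much weaker
    (-70, mac_header(0xC0, PHONE, "02:00:00:00:00:ee", AP1, b"\x07\x00")),  # sender never seen
]

if __name__ == "__main__":
    for a in detect_spoofed_disconnects(SAMPLE_CAPTURE):
        print(f'{a["kind"]:8} claimed from {a["claimed_sender"]} at {a["rssi"]} dBm '
              f'(baseline {a["baseline"]}): {a["verdict"]}')
```

On the constructed capture the two disconnect frames that arrive roughly 30 dB below the claimed senders' baselines are reported as spoofed, while a deauth from a MAC with no history is reported as unknown rather than guessed at. In a real deployment the baseline would be kept per BSSID and per channel, and an RSSI gap alone is a strong hint, not proof: a client walking away also gets weaker, so the verdict should be read together with the reconnect loop seen in Step 2.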
Step 4: Confirm the deauth attack method
Deauth attacks commonly have two kinds of target: the SSID (the wireless network name) or the BSSID (a specific AP). To determine which one this was, we ran the following tests:

| SSID | BSSID | State | Outcome | Remark |
|---|---|---|---|---|
| HOTEL_2.4G | Wireless AP1 | enabled | Unable to connect | original |
| HOTEL_2.4G | Wireless AP2 | enabled | Unable to connect | original |
| HOTEL_5G | Wireless AP1 | enabled | Unable to connect | original |
| HOTEL_5G | Wireless AP2 | enabled | Unable to connect | original |
| NEW TEST_2.4G | Wireless AP1 | enabled | Normal connection | new |
| NEW TEST_2.4G | Wireless AP2 | enabled | Normal connection | new |
| NEW TEST_5G | Wireless AP1 | enabled | Normal connection | new |
| NEW TEST_5G | Wireless AP2 | enabled | Normal connection | new |

Test results: a new SSID on the same APs worked normally, which is conclusive proof of a deauth & disassoc attack targeting the SSID.
【Attack Principle】
The problem is that wireless is so "fragile": a client on an AP can be disconnected by forging a few packets. The attack exploits the fact that in WPA/WPA2 the wireless management frames are neither encrypted nor authenticated, so an attacker can sniff the client and AP and forge frames in their names. This weakness is addressed in WPA3, which mandates protected management frames; the same protection (802.11w) is also available as an option on WPA2 networks.
The "Deauth" and "Disassoc" frames mentioned above also show up in:
- Wireless password cracking
- The protection or rogue-AP containment mechanisms of some wireless devices
- Malicious attacks and sabotage with certain tools and software
【Solution】
There is no good way to trace the source of a deauth attack; all you can do is locate the attacking device by following the strength of the attack signal (Lanling Wang: come find me??)
It was hard, but we finally found it: it turned out to be the work of the hotel next door. Business warfare is everywhere, it seems; the rest was left for the customer to handle themselves (if you cannot find the attack source, all you can do is change the SSID, though that does not rule out being attacked again). Honestly, there are quite a few similar cases; Marriott did the same thing:
Marriott sniffed guests' personal Wi-Fi hotspots and attacked them so that guests could only use Marriott's own Wi-Fi.
Xiaoyunjun Network
Xiaoyunjun: HCIE/PMP/Network Planner/Original Engineer/985 graduate. My official account only publishes original content, not training. Topics include: planning low-, mid- and high-end network architecture solutions, comparing the performance and compatibility of equipment from different vendors, and sharing network knowledge and experience. The ceiling of hands-on network engineering; thank you for following~
【Suggestion】
If you run into a similar problem in the future, try changing the SSID name, and also set up a phone hotspot with the same SSID as the affected network to test whether it gets knocked off too; that tells you whether a wireless attack is likely.