WLAN: wireless countermeasure theory and configuration explained

Table of contents

Basic concepts of illegal devices

Classification of illegal devices

How to identify the type of illegal device

Illegal device judgment process

Countermeasure AP working modes

AP detection modes for illegal devices

AP countermeasure modes for illegal devices

How countermeasure devices work

How countermeasure devices obtain information about illegal devices

Principle of countermeasures against illegal devices

How to determine whether a countermeasure AP is present by capturing packets over the air interface

How to determine whether a countermeasure device is present from the AP logs

Steps to configure a Ruijie countermeasure AP


Basic concepts of illegal devices

Impact of illegal devices

1. An illegal AP imitates the SSID and password of a legitimate AP's wireless signal (users may associate with this illegal AP, and their data can be leaked).

2. Other private APs in the environment interfere with the channels of legitimate APs.

3. An illegal STA connects to a legitimate AP in the environment and occupies channel bandwidth.

Classification of illegal devices

Illegal APs (three categories)

Any STA connected to an illegal AP is an illegal STA.

1. The SSID matches that of a legitimate AP (Rogue ssid-ap).

2. The SSID does not match a legitimate AP's, but the signal strength exceeds the threshold (Rogue ap).

3. The SSID does not match a legitimate AP's and the signal strength does not exceed the threshold, but the BSSID/SSID matches an entry in the pre-configured static attack list (Rogue config-ap).

Illegal Ad-Hoc (Rogue adhoc-ap)

An Ad-Hoc network is a point-to-point wireless network, usually used for temporary networking.

It is a wireless signal emitted by a device with a wireless network card (think of it as a terminal's own hotspot).

All Ad-Hoc devices detected by the countermeasure AP are considered illegal Ad-Hoc devices.

How to identify the type of illegal device

An AP with illegal device detection enabled determines the type of surrounding wireless devices from the 802.11 MAC frames it listens to.

The device type is determined from the To DS / From DS bits of the 802.11 MAC header:

To DS   From DS   Device type
0       0         Ad-Hoc
1       1         Wireless bridge (WDS)
1       0         STA
0       1         AP

Illegal device judgment process

Process for detecting whether a device is a rogue AP

Friendly flag: this flag is the same for all APs connected to the same AC.

Process for classifying illegal AP devices
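As an added example (not code from the original post or from Ruijie's implementation), the following Python decodes the To DS / From DS bits from a frame's Frame Control field and then applies the classification order described above: Friendly flag, SSID match, signal threshold, static attack list. The Friendly flag value, the policy field names and the signal scale (larger means stronger, as with rssi-min) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Frame Control is the first two bytes of every 802.11 MAC header;
# To DS is bit 0 and From DS is bit 1 of the second byte.
DEVICE_BY_DS = {(0, 0): "Ad-Hoc", (1, 1): "WDS", (1, 0): "STA", (0, 1): "AP"}

def device_type(frame: bytes) -> str:
    """Device type from a captured frame's To/From DS bits (the table above)."""
    to_ds = frame[1] & 0x01
    from_ds = (frame[1] >> 1) & 0x01
    return DEVICE_BY_DS[(to_ds, from_ds)]

@dataclass
class Observed:
    """What the detecting AP learns from a Beacon/Probe Response (constructed)."""
    bssid: str
    ssid: str
    rssi: int                     # signal strength, larger = stronger (assumption)
    friendly_flag: Optional[str]  # tag carried in Beacons, None if absent

@dataclass
class Policy:
    """Local WIDS settings; field names are this example's, not CLI keywords."""
    own_friendly_flag: str        # shared by all APs on the same AC
    legit_ssids: Set[str]
    rssi_threshold: int           # the rssi-min value
    attack_bssids: Set[str]       # static attack MAC list
    attack_ssids: Set[str]        # static attack SSID list

def classify(dev: str, obs: Observed, pol: Policy) -> str:
    """Return the category that 'show wids detected ...' would report."""
    if dev == "Ad-Hoc":
        return "rogue adhoc-ap"      # every detected Ad-Hoc device is illegal
    if dev != "AP":
        return "not-an-ap"           # STA / WDS frames are out of scope here
    if obs.friendly_flag == pol.own_friendly_flag:
        return "friendly ap"         # same AC, so a legitimate AP
    if obs.ssid in pol.legit_ssids:
        return "rogue ssid-ap"       # imitates a legitimate SSID
    if obs.rssi > pol.rssi_threshold:
        return "rogue ap"            # strong enough to count as interference
    if obs.bssid in pol.attack_bssids or obs.ssid in pol.attack_ssids:
        return "rogue config-ap"     # matches the static attack list
    return "interfering ap"          # detected and illegal, but unclassified
```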

Role of the countermeasure AP

1. Ensure that user information is not leaked (by countering illegal APs).

2. Reduce the interference of private APs with legitimate AP signals.


Countermeasure AP working modes

The working mode has two parts, detection and countermeasures; both must be enabled at the same time for device countermeasures to take effect.

AP detection modes for illegal devices

It is generally recommended to use a dedicated AP, one that provides no user access service, as the countermeasure AP.

Normal

The default AP working mode; the air interface scanning function is not enabled (the AP cannot send Probe Request messages).

Hybrid

The AP performs both air interface scanning and user access, but scanning may affect the signal of access users;

the AP can actively send Probe Request messages.

Monitor

The AP is dedicated to air interface scanning and provides no user access.

AP countermeasure modes for illegal devices

Based on the information obtained during AP detection, the AP determines whether a device is illegal and then carries out countermeasures.

Countermeasure modes fall into 5 categories:

Countermeasure mode   Illegal device types countered
SSID                  Rogue APs whose SSID matches that of a legitimate AP
Config                Rogue APs matching the static attack list
Rogue                 Rogue APs whose signal strength exceeds the threshold
Adhoc                 Illegal Ad-Hoc devices
All                   All illegal devices


How countermeasure devices work

A countermeasure device first obtains illegal device information through detection, then completes countermeasures against the illegal device in two major steps.

How countermeasure devices obtain information about illegal devices

The countermeasure AP mainly obtains illegal device information through active/passive scanning frames.

Rogue AP information

Active: the countermeasure AP sends a Probe Request on the monitored channel, and the unknown AP replies with a Probe Response carrying its SSID, BSSID, signal strength and other information.

Passive: the countermeasure AP receives Beacon messages from unknown APs on the detected channel; these also carry SSID, BSSID, signal strength and other information. The Beacon also carries a Friendly flag, which can be used to determine whether the AP is illegal (if the flag matches, the AP is legal; if it does not match, further judgment is needed).

Illegal Ad-Hoc information

Active: the countermeasure AP sends a Probe Request on the monitored channel; the unknown device replies with a Probe Response, and the To/From DS bits of this message are used to determine whether it is an Ad-Hoc device. Any Ad-Hoc device is treated as illegal.

Passive: the countermeasure AP receives passive scanning information from unknown devices on the detected channel; the judgment can also be made from Beacon messages.

In addition to illegal AP and Ad-Hoc device information, the information of unknown STAs is also needed.

Active: the countermeasure AP sends a Probe Request on the monitored channel; after receiving it, the STA replies with a Probe Response carrying its own MAC address.

Principle of countermeasures against illegal devices

The countermeasure AP implements countermeasures through deauthentication/disassociation frames.

Rogue AP countermeasure method 1: send deauthentication/disassociation frames to the illegal STA (the source of the message sent by the countermeasure AP is the illegal AP's BSSID, and the destination is broadcast).

The countermeasure AP sends broadcast deauthentication (Deauthentication) and disassociation (Disassociation) frames in the identity of the illegal AP.

After receiving them, the illegal STA disconnects from the illegal AP.

Rogue AP countermeasure method 2: send deauthentication/disassociation frames to the rogue AP (the source of the message sent by the countermeasure AP is the STA's MAC, and the destination is the rogue AP's BSSID).

The countermeasure AP uses the identity of the illegal STA to send unicast deauthentication and disassociation frames to the illegal AP that the STA is connected to.

After receiving the message, the illegal AP disconnects the illegal STA.

That is, the countermeasure AP has two methods, unicast frames and broadcast frames. Why?

Some terminals do not accept broadcast frames, so the STA's MAC must be obtained in order to send unicast frames and block the connection between the illegal AP and the STA.

Ad-Hoc device countermeasures (the source is the Ad-Hoc device's MAC, and the destination is the Ad-Hoc BSSID)

Send unicast deauthentication and disassociation frames to the STA in the identity of the Ad-Hoc device.

After receiving the message, the STA connected to the Ad-Hoc device disconnects from the illegal AP.

How to determine whether a countermeasure AP is present by capturing packets over the air interface

1. The signal strength of the deauthentication/disassociation messages differs significantly from the signal strength of the Beacon frames.

       Because the countermeasure device and the AP are in different locations, the signal strengths of the packets sent by the two devices differ.

2. If the destination address of the deauthentication/disassociation message is broadcast, a countermeasure device is usually present.

3. Low rates are disabled on the AC, yet the deauthentication packet is sent at a low rate, so this packet was sent by the countermeasure device.

4. The sequence number of the Deauth messages sent by the countermeasure device stays unchanged (some countermeasure devices send changing sequence numbers, so this method cannot reliably determine whether a countermeasure device is present).
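As an added example (not from the original post), the Python below runs the four indicators above over a constructed set of captured frame records and reports which indicators fired per BSSID, treating only 1 to 3 as conclusive. The 10 dB gap and the 12 Mbps lowest enabled rate are assumed thresholds.

```python
from collections import defaultdict

BROADCAST = "ffff.ffff.ffff"
RSSI_GAP_DB = 10          # assumption: what counts as a "significant" difference
MIN_ENABLED_RATE = 12.0   # assumption: lowest rate still enabled on the AC, Mbps
STRONG = {"rssi-gap", "broadcast-dst", "disabled-low-rate"}

# Constructed capture: (subtype, source, destination, rssi_dbm, rate_mbps, seq).
# Deauths carrying 0000.0001.0002 as source arrive with a very different RSSI
# than its Beacons; 0000.0003.0004 only sends a normal unicast deauth itself.
CAPTURE = [
    ("beacon",   "0000.0001.0002", BROADCAST,        -45, 24.0, 100),
    ("beacon",   "0000.0001.0002", BROADCAST,        -46, 24.0, 101),
    ("deauth",   "0000.0001.0002", BROADCAST,        -70,  1.0,   7),
    ("deauth",   "0000.0001.0002", BROADCAST,        -71,  1.0,   7),
    ("disassoc", "0000.0001.0002", BROADCAST,        -69,  1.0,   7),
    ("beacon",   "0000.0003.0004", BROADCAST,        -60, 24.0, 500),
    ("deauth",   "0000.0003.0004", "0000.0005.0006", -61, 24.0, 501),
]

def indicators(capture):
    """Map each BSSID that sent deauth/disassoc to the set of indicators hit."""
    beacon_rssi = defaultdict(list)
    kicks = defaultdict(list)
    for subtype, src, dst, rssi, rate, seq in capture:
        if subtype == "beacon":
            beacon_rssi[src].append(rssi)
        elif subtype in ("deauth", "disassoc"):
            kicks[src].append((dst, rssi, rate, seq))
    report = {}
    for bssid, frames in kicks.items():
        hits = set()
        if beacon_rssi[bssid]:
            ref = sum(beacon_rssi[bssid]) / len(beacon_rssi[bssid])
            if any(abs(r - ref) > RSSI_GAP_DB for _, r, _, _ in frames):
                hits.add("rssi-gap")          # 1: sent from a different location
        if any(d == BROADCAST for d, _, _, _ in frames):
            hits.add("broadcast-dst")         # 2: broadcast deauth/disassoc
        if any(rt < MIN_ENABLED_RATE for _, _, rt, _ in frames):
            hits.add("disabled-low-rate")     # 3: a rate the AC has disabled
        seqs = [s for _, _, _, s in frames]
        if len(seqs) > 1 and len(set(seqs)) == 1:
            hits.add("static-seq")            # 4: weak, some devices vary it
        report[bssid] = hits
    return report

def likely_countermeasure(hits):
    """Only indicators 1-3 count as conclusive, as the text notes for 4."""
    return bool(hits & STRONG)
```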

How to determine whether a countermeasure device is present from the AP logs

If the AP log contains a large number of deauthentication/disassociation messages sent by terminals, a countermeasure device is present.


Steps to configure a Ruijie countermeasure AP

Countermeasure AP configuration considerations

  • It is recommended to run the AP in monitor mode
  • Set the countermeasure interval to the minimum
  • Configure the countermeasure AP with the same channel as the rogue AP
  • Add the illegal AP's BSSID to the static attack list (blacklist)

Steps to configure countermeasures

1. Change the detection mode of the AP and specify the channels to be scanned and detected.

2. Configure the AP's countermeasure mode.

3. Enable unknown STA scanning.

Enable AP detection mode

ap-config 123
 device mode monitor                        Set the AP working mode to monitor
 scan-channels 802.11b channels 1 6 11      Configure the 2.4 GHz channels to scan (by default only the channels used by the countermeasure AP itself are scanned)
 scan-channels 802.11a channels 149 165     Configure the 5 GHz channels to scan

Enable the AP's countermeasure function

wids
 countermeasures enable                     Enable the countermeasure function
 countermeasures channel-match              Perform countermeasures on the channel the rogue device uses (channel-based countermeasures)
 countermeasures mode ssid                  Counter unknown APs that send the same SSID as this AP
 countermeasures ap-max 10                  Maximum number of APs to counter
 countermeasures rssi-min 20                Signal strength threshold
 countermeasures interval 100               Countermeasure interval (default is 1 second)

Enable unknown STA scanning

wids
 device unknown-sta dynamic-enable          Enable unicast countermeasures; send Probe Requests to dynamically detect unknown device information
 device unknown-sta mac-address 0000.0001.0001   Statically configure the MAC address of an illegal STA

Configure the list of devices allowed by WIDS (whitelist)

wids
 device permit mac-address 0000.0001.0001   Allowed MAC address list
 device permit ssid admin                   Allowed SSID list
 device permit vendor bssid 0000.0001.0002  Allowed vendor list

Configure the static attack list (blacklist)

wids
 device attack mac-address 0000.0002.0001   Static attack MAC list
 device black-ssid admin1                   Static attack SSID list

Countermeasure AP show commands

show wids unknown-sta                       View unknown STA devices
show wids detected all                      Show all detected APs
show wids detected friendly ap              Show legitimate APs
show wids detected interfering ap           View unclassified illegal APs
show wids detected rogue adhoc-ap/ap/config-ap/ssid-ap   View illegal Ad-Hoc devices / APs over the signal threshold / static attack list APs / SSID-matching APs


Origin blog.csdn.net/m0_49864110/article/details/133711252