Tag: Ethical Hacking

MikroTik RouterOS 7.5 change default DNS

Want to change default DNS for the network in MikroTik’s RouterOS CLI? You can use web UI but it could have some issues preventing from configuration save, so it is nice to know how to use it via CLI. First login into the box and then:

ip dhcp-server network set dns-server=1.1.1.1 X

Change X with the network number of your preference. You can show them using print command at /ip/dhcp-server/network level. Last thing: the option that may prevent from configuration save on UI is DHCP Option Set. When empty (for various reasons) then you need to go to CLI to do the job. It is the only way.

airodump-ng and aireplay-ng to deauthenticate clients from access point

Disconnecting wireless clients from access points

The problem

The nature of wireless networking is quite problematic because transmission goes over air and can be intercepted by anyone. Of course there is data packet stream encryption. But deauthentication frames are not encrypted and can be forged. It’s applicable to IEEE 802.11 standard. However if your device is capable of 802.11w standard amendment then the management frames are protected from forging, however in various devices this option is disabled by default even if they support it. In case of your device check manual for default settings. It’s worth enabling this option. Not enabling, and securing both stations and base stations can lead not only to service denial/disruption, but also opens way to few possible attacks like “evil-twin“.

How to

To identify network or device to disrupt you can use airodump-ng. It turns your network adapter into listening mode and scans nearby networks. To switch between stations or base stations mode press “a”. For realtime sorting press “r”. Last must know shortcut is “s” for sorting. Space bar pauses scanning. 

ip addr # to look for yournetadapter
sudo airodump-ng yournetadapter -w capturefilename

Base stations, which are access points are identified by column BSSID. Stations, which are clients, shows in the second table below. You can choose to deauthenticate just with MAC address of an access point or ESSID, which is human readible name. You can also pick some stations from the the second table to direct a deauthentication attack more precisely.

For a deauthentication part of the procedure use aireplay-ng tool. Pass –deauth with number of frames to send. If targeting only access points then pass -a with MAC of BSSID. If you target also some stations, then pass -c with MAC of a station (client).

sudo aireplay-ng --deauth 100 -a BSSIDMAC -c STATIONMAC yournetadapter

With proper values passed, stations will be disconnected from access point so their wireless service will be disrupted. As mentioned before it applies only to devices without IEEE 802.11w extension, which is most of consumer network devices. For enterprises it is highly possible that they will have proper enhancements already enabled.

Afterword

With airodump-ng you can select particular wireless channel to scan. You can also identify networks without security enabled at all. With traffic capturing feature enabled you can intercept precious parts of authentication procedure so you could try to crack it offline.

As an optional tool for any wireless related activities I can recommend WIFiman for Android which does the job of network perimeter exploration.