Protected Broadcast Disassociation/Deauthentication Verification in WPA3/WPA2-PMF/OWE with Wireshark

In the earlier posts we learnt about protected management frames and why management frames need protection. Refer to the post below to understand PMF.

Protected Management Frames

In this post we will learn how the broadcast Deauthentication/Disassociation frames are protected and sent to the clients. These broadcast management frames are protected using the IGTK that is created at the time of the 4-way handshake.

The detailed post about generating the GTK/IGTK was written earlier. Refer to the link below to understand GTK/IGTK generation and then proceed.

GTK/IGTK Generation

Problem Description

  1. The STAs and the AP have a valid connection.

  2. An attacker sends a Deauthentication/Disassociation notification to all connected clients using the broadcast address.

  3. The STAs assume that the Deauthentication/Disassociation came from the valid AP, and all the clients terminate the session.

Observe the figure below for this scenario. It shows that an attacker can easily disconnect the connected stations by spoofing the AP MAC address and sending a broadcast frame.

Figure 1 : Attacker Sending the Spoofed Deauthentication/Disassociation to the Connected Clients

These kinds of attacks can be mitigated by protecting the broadcast management frames. If PMF is enabled, these management frames are protected; the receiving stations verify the frames and only then disconnect. If the verification fails, the clients simply ignore the frames. PMF was introduced with 802.11w, and it is enabled by default in WPA3/OWE.

Broadcast management frames are protected by the IGTK. The IGTK is sent in Message 3 (M3) of the 4-way handshake.

Observe Figure 2 below.

Figure 2 : Observe that the stations ignore the frames from the attacker.

Verification of Protected Broadcast Deauthentication Frame with Wireshark

Now we will take a real example of verifying a broadcast Deauthentication frame and see how this frame looks in Wireshark.

Figure 3 : Broadcast Deauthentication Frame

The inputs to the CCMP program are:

  1. A 2-byte input. Here the 2-byte input is (0x03, 0x00); it is taken from Figure 4, the reason code 3 for Deauthentication.
  2. The IGTK that was generated at the time of the 4-way handshake.
  3. The IPN (the packet number; take it from the Wireshark capture).

Once we give the proper input to the CCMP program, its output is what is sent to the clients.

Figure 4 : Reason code 3 For Deauthentication

Now, if we give the input to the CCMP program properly, we get the output below. All the required hex data has to be passed to CCMP correctly, which takes some effort.

Observe the output from the CCMP program below and compare the MIC with the one in Wireshark: it matches.

Figure 5 : Verifying the CCMP MIC with Wireshark

This is how the clients verify the protected broadcast Deauthentication frames. Only authenticated clients can verify them, because the IGTK is known only to the authenticated clients. As the attacker does not know the IGTK, he cannot send properly protected broadcast frames, and the clients/APs ignore them.

This verification procedure is the same for any type of authentication mechanism, whether it is WPA2-PMF, OWE or WPA3.

This is all about protecting the broadcast frames.