Kismet Wireless

Kismet Forums


Posted by: dragorn
Subject: detecting attackers using alert files
Date: 22:05:11 03/03/2012

> > >
> > > Also, in the case of CHANCHANGE, APSPOOF and CRYPTODROP, how do we find out who has carried out the change in channel of the AP or removed the security key?
> >
> > You don't - it's an impersonation attack. The whole point is that the attacker is impersonating a legitimate AP. There is no way to tell who, because there IS no "who", there is only suspicious behavior.
> Ok, but what about the first part of the question: is it possible to detect the attacker (i.e. IP or MAC address) who is sending deauthentication packets for the deauthflood alert (ref.: the alert shown in the earlier part)?

No; again, this is a *spoofing attack*. The entire point is *it's spoofing a real AP*. You can't tell who is spoofing because all you can see is that it is being spoofed.

This has *nothing* to do with the IP layer. IP packets have zero to do with dot11 association. The entire reason the attack works is because the MAC address spoofs the AP.

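An added illustration of the reply above, not part of the forum post and not Kismet's code: a parser for a bare 802.11 deauthentication frame plus a simple rate-based alert, run over a constructed capture. The MAC addresses, the `threshold`/`window` values and the function names are assumptions made for this example. It shows that the frame ends after the reason code (no IP layer) and that the only "sender" a sensor can record is the transmitter address the frame itself claims.

```python
import struct

DEAUTH = (0, 12)  # 802.11 type 0 (management), subtype 12 (deauthentication)

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame: bytes):
    """Parse a bare 802.11 frame (no radiotap, no FCS); None unless it is a deauth."""
    if len(frame) < 26:
        return None
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != DEAUTH:
        return None
    seq_ctrl, reason = struct.unpack_from("<HH", frame, 22)
    return {
        "dst": mac(frame[4:10]),      # addr1: receiver
        "src": mac(frame[10:16]),     # addr2: transmitter, as claimed by the sender
        "bssid": mac(frame[16:22]),   # addr3
        "seq": seq_ctrl >> 4,         # upper 12 bits of sequence control
        "reason": reason,
        "trailing": len(frame) - 26,  # bytes after the reason code (no LLC/IP payload)
    }

# Constructed capture of (seconds, frame hex); every address here is made up.
HDR = "c0003a01" "66778899aabb" "001122334455" "001122334455"
CAPTURE = [(0.01 * i, HDR + struct.pack("<HH", i << 4, 7).hex()) for i in range(1, 13)]
CAPTURE.insert(0, (0.0, "80000000ffffffffffff00112233445500112233445530000000"))  # beacon-like

def deauth_alerts(capture, threshold=10, window=1.0):
    """Alert once a claimed source reaches `threshold` deauths within `window` seconds.
    Both values are illustrative, not Kismet's."""
    alerts, seen = [], {}
    for ts, hexframe in capture:
        f = parse_deauth(bytes.fromhex(hexframe))
        if f is None:
            continue
        times = seen.setdefault(f["src"], [])
        times.append(ts)
        times[:] = [t for t in times if ts - t <= window]
        if len(times) == threshold:
            alerts.append({"claimed_src": f["src"], "bssid": f["bssid"], "count": len(times)})
    return alerts

if __name__ == "__main__":
    print(deauth_alerts(CAPTURE))
```

The alert's `claimed_src` is the AP's own address, which is all the capture contains whether the frames came from the AP or from another radio using its MAC.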