Monday 16 December 2019

IEEE 802.11w: Securing your WiFi from Deauth Attack Part 2: Electric Kool-Aid Acid Test


"You are hereby empowered!!!" - Tom Wolfe, The Electric Kool-Aid Acid Test

In Part 1, we tested for cheap devices compatible with IEEE 802.11w-2009. Here, we will just detail the configuration files needed to build an IEEE 802.11w-2009 compatible Raspberry Pi 3 B+ WiFi bridge. The actual steps are detailed on the official Raspberry Pi site. We will need:
1. Raspberry Pi 3 B+
2. Very good 5V 2.5A USB power module (e.g. the Raspberry Pi 2.5A module). This requirement is important! I used a stonking 5V 6A TDK RDM05-6R0
3. Realtek RTL8812BU generic WiFi dongle. Or a dongle with any of the Atheros chips tested in Part 1.
4. ADSL modem router with wired (ie copper) LAN interface.


For simplicity, the above diagram omits the power supplies and the powered hub. The RTL8812BU can draw a lot of power, especially if connected to an outdoor antenna.

Note it is also possible to set up the above devices as WiFi repeater by using the Raspberry Pi's built-in WiFi chip (wlan0) as WAN.

Top middle: TDK 5V 6A power module. Center: Raspberry Pi 3 B+ with RTL8812BU. Bottom left: thick USB power cable with ammeter showing 920mA current draw

First, set up your ADSL modem and make sure you have Internet WAN access via the copper LAN (ie wired Ethernet). I used a TP-Link Archer D20.

Next, set up your Raspberry Pi 3 B+ with the latest and greatest version of Raspbian. The Linux version of the installation guide worked for me, but there is also a Windows version. It is really worth using a fast SD card (16GB is sufficient and 32GB is plenty), Class 10 or better if you can manage it. You will need to set it up to log into your Internet connection. My Pi connected to the Internet when I plugged in the LAN cable. After it has finished installation you need to update it immediately:

# apt-get update
# apt-get upgrade

This can take hours depending on your Internet connection and you will have to reboot your Pi. Next, set up your root password:
# sudo vi /etc/passwd

Remove the 'x' from the line
root:x:0:0::/root:/bin/bash

Next set the root password using:
# sudo passwd root

I usually use the wifi bridge 'headless' (ie with no monitor or keyboard), so I usually turn off the GUI using
# sudo raspi-config

To control it, I usually enable the ssh server (again using raspi-config). Now to run it headless I make sure my laptop is connected to the same network and if it is also running Debian (Raspbian is a version of Debian) I simply do:
$ ssh -t pi@raspi.local

It is also handy to have your first setup connected to copper LAN as well as keyboard and monitor, as we will be messing about with networking tools and a mistake is likely to freeze up your remote login.

If wlan1 (the RTL8812BU) does not come up, refer to Part 1.

Next you will need to stop systemd from messing with your network interfaces.
# systemctl mask wpa_supplicant.service
Created symlink /etc/systemd/system/wpa_supplicant.service → /dev/null.

In /etc/dhcpcd.conf add the lines:
interface eth0
static ip_address=192.168.1.1/24

interface wlan0
  denyinterfaces wlan0
  nohook wpa_supplicant

interface wlan1
  denyinterfaces wlan1
  nohook wpa_supplicant

Reboot, and you should be ready for the next step.

We need to use hostapd for our bridge, so we stop systemd from messing with it:
# systemctl mask hostapd

We make a bridge:
# brctl addbr br0
# brctl addif br0 wlan1

If all went well, you should get:
# brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             8000.1cbfce5d51a0       no              wlan1

Add the copper LAN to your new bridge in case you want to connect client devices by wire
# brctl addif br0 eth0
# ifconfig eth0 0.0.0.0 up
# ifconfig wlan1 0.0.0.0 up

Where 192.168.1.1 is the IP address of your Pi at eth0 and 192.168.0.1 is the address of your WAN router (ie the D-Link Archer D50 in the diagram):
# ifconfig br0 192.168.1.1 up

Next set up your dnsmasq config file with:
interface=br0
except-interface=lo
listen-address=192.168.1.1
bind-interfaces

As usual you need to tell systemd to keep its grubby hands to itself:
# systemctl mask dnsmasq
# killall dnsmasq 
# dnsmasq -C /etc/dnsmasq.conf 

Next we get the Pi to start forwarding. Add the following lines to /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_dynaddr = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# sysctl -p /etc/sysctl.conf

Next is hostapd. Set up the config file /etc/hostapd/hostapd.conf thus:
interface=wlan1
driver=nl80211
ssid=ElectricKoolAid
hw_mode=g
channel=1
macaddr_acl=0
wpa=2
wpa_passphrase=VerySecretPassword
rsn_pairwise=CCMP
ieee80211w=2
wmm_enabled=1
auth_algs=3
ignore_broadcast_ssid=1
wpa_key_mgmt=WPA-PSK-SHA256 WPA-EAP-SHA256
wpa_pairwise=CCMP

# killall hostapd
# hostapd -dd -P /var/run/hostapd.pid /etc/hostapd/hostapd.conf -B

Next set up /etc/firewall.conf thus:

*filter
:INPUT DROP [39:4576]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [42055:10283301]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
COMMIT
# Generated by iptables-save v1.6.0 
*nat
:PREROUTING ACCEPT [78732:17589805]
:INPUT ACCEPT [29742:7228146]
:OUTPUT ACCEPT [2937:514776]
:POSTROUTING ACCEPT [985:97284]
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.6.0 
*mangle
:PREROUTING ACCEPT [1318452:373291697]
:INPUT ACCEPT [623742:150528221]
:FORWARD ACCEPT [120385:79521689]
:OUTPUT ACCEPT [42068:10285133]
:POSTROUTING ACCEPT [168801:90872517]
-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "fix packet size for stuff that's being routed through this box (SEE NOTE *)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT

# iptables-restore < /etc/firewall.conf

Your IEEE 802.11w-2009 bridge AP "ElectricKoolAid" with "VerySecretPassword" should be up by now.

Over at the client (in my case the Acer Aspire E1) make a wpa_supplicant config file wpa_supplicant.conf. Notice we make IEEE 802.11w compulsory:

ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1

# WPA protected network, supply your own ESSID and WPAPSK here:
network={
  scan_ssid=1
  ssid="ElectricKoolAid"
  proto=RSN  
  key_mgmt=WPA-PSK-SHA256
  # TKIP is listed but cannot be used with PMF; the AP only offers CCMP, so CCMP is negotiated
  pairwise=CCMP TKIP
  group=CCMP TKIP
  psk="VerySecretPassword"
  ieee80211w=2
  priority=10
}

And, assuming you have already wrestled with systemd (and won!) there too:
# wpa_supplicant -d -Dnl80211 -iwlan0 -c/etc/wpa_SIKAMAT7.conf -B

Note: for some reason, nl80211 worked a lot better than wext

And you should have a working link to the Pi bridge. 

# wpa_cli -iwlan0 status   
bssid=11:22:33:44:55:66
freq=2412
ssid=ElectricKoolAid
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2-PSK-SHA256
pmf=2
mgmt_group_cipher=BIP
wpa_state=COMPLETED
ip_address=192.168.0.114
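Both the hostapd.conf above and this wpa_cli status dump can be checked mechanically. The following is an added example, not code from the original post: it audits an AP config for settings that would make PMF optional or unusable (ieee80211w below 2, TKIP in the pairwise list, non-SHA256 AKMs, which this post avoids), and confirms from the client's status output that the association actually negotiated PMF with BIP. The sample inputs are constructed from the values shown on this page.

```python
# Constructed from the AP config shown in this post (secrets omitted).
AP_CONF = """
interface=wlan1
wpa=2
wpa_key_mgmt=WPA-PSK-SHA256 WPA-EAP-SHA256
rsn_pairwise=CCMP
wpa_pairwise=CCMP
ieee80211w=2
"""

# Constructed from the `wpa_cli -iwlan0 status` dump shown in this post.
STATION_STATUS = """
pairwise_cipher=CCMP
key_mgmt=WPA2-PSK-SHA256
pmf=2
mgmt_group_cipher=BIP
wpa_state=COMPLETED
"""


def parse_kv(text):
    """Parse key=value lines; blanks, comments and non-assignments are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip().strip('"')
    return out


def audit_hostapd(conf_text):
    """Return findings for an AP config; an empty list means PMF is mandatory."""
    c = parse_kv(conf_text)
    findings = []
    if c.get("wpa") != "2":
        findings.append("wpa must be 2 (RSN only); PMF does not exist for WPA1")
    if c.get("ieee80211w") != "2":
        findings.append("ieee80211w=2 needed; 1 makes PMF optional, unset disables it")
    if any(not a.endswith("SHA256") for a in c.get("wpa_key_mgmt", "").split()):
        findings.append("wpa_key_mgmt has a non-SHA256 AKM; this post uses SHA256 AKMs only")
    for key in ("rsn_pairwise", "wpa_pairwise"):
        if "TKIP" in c.get(key, "").split():
            findings.append(f"{key} allows TKIP, which cannot be used with PMF")
    return findings


def station_has_pmf(status_text):
    """True if wpa_cli status shows a completed, PMF-protected association."""
    s = parse_kv(status_text)
    return (s.get("wpa_state") == "COMPLETED" and s.get("pmf") == "2"
            and s.get("mgmt_group_cipher", "").startswith("BIP")
            and s.get("pairwise_cipher") in ("CCMP", "GCMP"))
```

On a live client, feed it the output of `wpa_cli -iwlan0 status`; a result of False means the link is up but management frames are not protected.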

And there should be Internet access; provided you have set up your WAN router's dhcp server, the client at the end of the bridge "ElectricKoolAid" should get its dhclient requests routed straight through.

ping -c 4 -I wlan0 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.0.114 wlan0: 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=524 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=518 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=380 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=346 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 346.240/442.040/524.243/79.921 ms

To get it to start on power up, just put the commands in /etc/rc.local

There you have it, IEEE 802.11w-2009 AP and client, immune from the dreaded Deauth Attack. In part 3 we will launch an aircrack-ng deauth attack at the bridge AP.

Or, as Tom Wolfe said: "You are hereby empowered!!!". Happy Trails.

3 comments:

  1. Hi,
    I am also trying the same 802.11w configuration, I am using wpa-supplicant 2.6
    But I am getting the following errors
    1) WPA-PSK-SHA256 not supporting
    2) ieee80211w not supporting.
    Then I enabled ieee80211w in wpa-supplicant
    But failed to set PTK to the driver error getting
    Can you please tell if any configuration is missing.

    Replies
    1. It is possible your wifi device does not support IEEE 802.11w. Not all of them do. Check out Part 1 of this post. https://cmheong.blogspot.com/2019/12/ieee-80211w-securing-your-wifi-from.html

  2. Yes I referred, but by default ieee80211w is not enabled.