Page 1 of 1

"Management frame protection" - 802.11w compatibility

Posted: Mon May 30, 2016 6:33 pm
by R1CH
While browsing for techniques to protect against media level attacks, I found the 802.11w specification which protects management frames like deauth. This prevents an attacker from being able to kick clients off the network either to capture the WPA2 4-way handshake for password cracking or as a denial of service attack. https://en.wikipedia.org/wiki/IEEE_802.11w-2009

I saw that Mikrotik implements "Management frame protection" in the wireless settings, but according to the wiki "RouterOS implements proprietary management frame protection algorithm". I am assuming that proprietary means that this is only compatible with other MT devices? Is there a chance to see the standardized 802.11w specification implemented as well? This would be a superior solution as standard wireless clients that support 802.11w such as laptops and phones would be able to benefit from the management frame protection and be resistant to deauth attacks and other nefarious behavior.

Re: "Management frame protection" - 802.11w compatibility

Posted: Mon May 30, 2016 7:01 pm
by TonyJr
Good post - i'd like to find out more about the implementation of management frame protection too.

TonyJr

Re: "Management frame protection" - 802.11w compatibility

Posted: Tue Jan 10, 2017 8:05 pm
by R1CH
Bump - was wondering if there was any update or comment about this. With tools like WifiJammer[1] and scripts like [2] becoming more accessible, it's becoming very easy for anyone with a laptop to cause havoc on networks that lack 802.11w. It wouldn't surprise me if someone comes out with a USB Killer[3] style tool at some point to automate the process to a button press.

[1] https://github.com/DanMcInerney/wifijammer
[2] https://github.com/veerendra2/wifi-deauth-attack
[3] https://www.usbkill.com/

Re: "Management frame protection" - 802.11w compatibility

Posted: Wed Jul 26, 2017 3:53 pm
by R1CH
It's getting far too easy to perform deauth attacks these days. Maybe someone should scatter some devices like this around Mikrotik HQ and then we will see a solution? :)

https://github.com/spacehuhn/esp8266_deauther

https://www.aliexpress.com/store/produc ... 0.0.G3Ymlk)

BTW: The wireless chips in MT devices should already have full support for this, just need to add it in software. "It is an optional feature in 802.11 and is required for 802.11 implementations that support TKIP or CCMP." "The 802.11w standard is implemented in Linux and BSD's as part of the 80211mac driver code base, which is used by several wireless driver interfaces; i.e., ath9k. The feature is easily enabled in most recent kernels and Linux OS's using these combinations."

Re: "Management frame protection" - 802.11w compatibility

Posted: Fri Sep 01, 2017 8:40 am
by Njumaen
I only can support this request, especially when using capsman!

Took me 3 bucks for a WeMos D1 and 5 minutes for flashing to start sending deauth packets.

„most recent kernels“ might be the problem ;)

Re: "Management frame protection" - 802.11w compatibility

Posted: Fri Sep 22, 2017 3:47 am
by pcunite
This sounds like a needed feature.

Re: "Management frame protection" - 802.11w compatibility

Posted: Fri Mar 02, 2018 1:12 am
by td32
bump for this feature, i hope it gets on the todo list

Re: "Management frame protection" - 802.11w compatibility

Posted: Wed Apr 11, 2018 9:42 am
by lapsio
Is it there yet?

Re: "Management frame protection" - 802.11w compatibility

Posted: Sat Apr 21, 2018 12:13 am
by brunoemmels
Anyone has any news about this issue?

I'm surprised how neglected this feature was for this whole time, and now just became one of the top priority features that Mikrotik MUST go for.

Specially these days, where any newbie can buy an extremely inexpensive WiFi Deauther anywhere...

Any way to push Mikrotik for this?

Re: "Management frame protection" - 802.11w compatibility

Posted: Sun Apr 22, 2018 11:52 pm
by R1CH
Anyone has any news about this issue?

I'm surprised how neglected this feature was for this whole time, and now just became one of the top priority features that Mikrotik MUST go for.

Specially these days, where any newbie can buy an extremely inexpensive WiFi Deauther anywhere...

Any way to push Mikrotik for this?
Show up to a MUM with a deauther, might get some attention :D

Re: "Management frame protection" - 802.11w compatibility

Posted: Mon Apr 23, 2018 12:01 am
by lapsio
No, really. It seriously stinks that it's not supported yet. I'm going to keep deauth myself for next 2 months and complain that my RB2011 wifi doesn't work as manifest.

Re: "Management frame protection" - 802.11w compatibility

Posted: Sun Nov 03, 2019 5:40 pm
by muetzekoeln
Hey Mikrotik,
please implement dot11w PMF in the next ROS release! It's about time ...