# 2. Attack Summaries

AngryOxide runs multiple attack methods simultaneously, all with the goal of obtaining a valid and complete hashline for hashcat to crack. The attack types consist of standard, proven attacks, as well as the occasional "provisional" attack that is included for testing but not yet proven capable against networks.

**Standard Attacks**
- Deauthentication
- M1 retrieval (Rogue Station)
- Anonymous Reassociation
- Rogue M2 (Rogue AP)
**Provisional Attacks**
- Channel Switch Announcement
- Disassociation
The attack cycle in AngryOxide is automated and rate-limited. The internal "clock" is Access Point (BSSID) dependent and relies on the number of beacon frames we have received from that access point. If you do not receive any beacon frames, no attack will occur.
Only the following attacks are rate-limited together as a part of this attack cycle:
- Deauthentication
- Anonymous Reassociation
- Channel Switch Announcement (Provisional)
- Disassociation (Provisional)
M1 Retrieval and Rogue M2 require communication with an AP or station (respectively) and are state-based instead.
The rate limiting has three settings:
- Slow: 200
- Normal: 100
- Fast: 40
Each basic attack will be fired once during a beacon "cycle" equal to the rate. This is calculated using modulus math:

```rust
// note: this is pseudocode
let rate = beacon_count % attack_rate;
if rate == 0 {
    deauth_attack();
} else if rate == attack_rate / 4 {
    anon_reassociation_attack();
} else if rate == (attack_rate / 4) * 2 {
    csa_attack();
} else if rate == (attack_rate / 4) * 3 {
    disassoc_attack();
}
```
This results in a specific attack being sent once for each cycle, assuming the default beacon interval of ~100 ms:

| Rate | Cycle Length | Total Cycle Time | Timing Between Attacks |
|---|---|---|---|
| Slow | 200 | 20 seconds | 5 seconds |
| Normal | 100 | 10 seconds | 2.5 seconds |
| Fast | 40 | 4 seconds | 1 second |
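To make the cadence concrete, here is an added Rust model of the modulus schedule and the table above. It is not AngryOxide's own code; the function names (`slot_for_beacon`, `schedule`, `gaps_in_cycle`, `cycle_timing`, `attacks_per_minute`) are mine, and it assumes the 100 ms default beacon interval the table assumes. It goes slightly beyond the table: `attacks_per_minute` gives the frame rate a monitor watching one BSSID would observe at each setting, and `gaps_in_cycle` shows that a rate not divisible by 4 produces an uneven last gap, since the quarter offsets are integer-divided.

```rust
/// Which rate-limited attack the schedule assigns to a beacon, if any.
/// Added model of the modulus schedule above, not AngryOxide's own code.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Slot {
    Deauth,
    AnonReassoc,
    Csa,
    Disassoc,
}

/// The three documented rate settings, in beacons per cycle.
pub const SLOW: u32 = 200;
pub const NORMAL: u32 = 100;
pub const FAST: u32 = 40;

/// Beacon interval assumed by the table above (the 802.11 default of 100 TU, ~100 ms).
pub const BEACON_INTERVAL_MS: u32 = 100;

/// Mirrors `beacon_count % attack_rate` checked against the four quarter-cycle offsets.
pub fn slot_for_beacon(beacon_count: u32, attack_rate: u32) -> Option<Slot> {
    if attack_rate == 0 {
        return None; // a zero rate would divide by zero; treat it as "never fire"
    }
    let quarter = attack_rate / 4;
    match beacon_count % attack_rate {
        0 => Some(Slot::Deauth),
        r if r == quarter => Some(Slot::AnonReassoc),
        r if r == quarter * 2 => Some(Slot::Csa),
        r if r == quarter * 3 => Some(Slot::Disassoc),
        _ => None,
    }
}

/// Every (beacon index, slot) pair fired while receiving `beacons` beacons from one BSSID.
pub fn schedule(beacons: u32, attack_rate: u32) -> Vec<(u32, Slot)> {
    (0..beacons)
        .filter_map(|b| slot_for_beacon(b, attack_rate).map(|s| (b, s)))
        .collect()
}

/// Beacon gaps between consecutive fires within one cycle, including the wrap-around
/// gap from the last fire back to the next cycle's deauthentication.
pub fn gaps_in_cycle(attack_rate: u32) -> Vec<u32> {
    let fires: Vec<u32> = schedule(attack_rate, attack_rate).iter().map(|&(b, _)| b).collect();
    (0..fires.len())
        .map(|i| {
            let next = if i + 1 < fires.len() { fires[i + 1] } else { fires[0] + attack_rate };
            next - fires[i]
        })
        .collect()
}

/// The table's columns: (cycle length in beacons, total cycle time in ms, ms between attacks).
pub fn cycle_timing(attack_rate: u32) -> (u32, u32, u32) {
    let cycle_ms = attack_rate * BEACON_INTERVAL_MS;
    (attack_rate, cycle_ms, cycle_ms / 4)
}

/// Rate-limited frames per minute a monitor watching one BSSID would see at this setting.
pub fn attacks_per_minute(attack_rate: u32) -> u32 {
    if attack_rate == 0 {
        return 0;
    }
    60_000 / (attack_rate * BEACON_INTERVAL_MS)
}

fn main() {
    for (name, rate) in [("Slow", SLOW), ("Normal", NORMAL), ("Fast", FAST)] {
        let (len, total, between) = cycle_timing(rate);
        println!(
            "{}: cycle = {} beacons = {} ms, one attack every {} ms, {} per minute",
            name, len, total, between, attacks_per_minute(rate)
        );
    }
    println!("one Fast cycle: {:?}", schedule(FAST, FAST));
    println!("gaps at rate 50 (not divisible by 4): {:?}", gaps_in_cycle(50));
}
```

At the Fast setting a single BSSID sees one of the four frames every 10 beacons, 15 per minute; at Slow it is 3 per minute. Because the offsets are `attack_rate / 4` in integer arithmetic, a rate of 50 fires at beacons 0, 12, 24 and 36, so the final gap is 14 beacons rather than 12.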
## Deauthentication

The Deauthentication attack is the classic, best-known way of forcing a Four-Way Handshake. It involves sending a Management Deauthentication frame to the client while posing as the AP, in order to force a disconnect and a subsequent reconnect with a new 4wHS.

There are several downsides to this method in the modern age, primarily that it can cause a station to blacklist an Access Point for an unknown amount of time, resulting in no handshake. Additionally, if flooded, the authentication sequence can be interrupted, causing a mismatch of EAPOL timers and undefined behavior for both the AP and the client.

Rate limiting Deauthentication frames (and giving the option to disable them entirely) are the mitigations AO uses to minimize this risk.

It is also important to know that Deauthentication frames are protected by Management Frame Protection (MFP) and will not work against MFP networks (such as WPA3).

AngryOxide employs Deauthentication by sending a "broadcast" frame every 4 attack cycles, and a direct (to a specific client) Deauthentication frame once per cycle. When sending a direct frame, AO will also send a Deauthentication frame to the AP.
Reason Codes:

| Destination | Reason Code | Description |
|---|---|---|
| Client | 7 | Class 3 frame received from non-associated STA |
| AP | 3 | Deauthentication because STA is leaving |
## Anonymous Reassociation

The Anonymous Reassociation attack uses Reassociation frames to force an AP to deauthenticate all of its clients, and is capable of bypassing MFP on access points that are vulnerable.

It works by sending a Management Reassociation frame to the AP with a source address of broadcast (FF:FF:FF:FF:FF:FF). Some access points do not filter this address and respond with a Deauthentication frame to broadcast with the reason "Class3FrameReceivedFromNonassociatedSTA" (7).

This attack works against some APs.
## M1 Retrieval (Rogue Station)

The M1 retrieval attack is used to collect an EAPOL Message 1 from an access point, which may contain a PMKID. The PMKID is directly offline-crackable, which makes this a client-less attack.

It is done by authenticating and associating with the AP as a rogue client. When the AP sends an M1, we respond with a Disassociation frame to cancel the authentication sequence. This behavior is subject to change in future revisions with tuning.

You can read more about PMKID from hashcat.
## Rogue M2 (Rogue AP)

The Rogue M2 attack (also known as Rogue AP or Probe Response Injection) works by responding to probe requests and acting as a rogue AP in order to get devices to authenticate and associate with AO. This results in a valid M1/M2 hashline of what is likely the correct PSK.

This is considered an AP-less attack, as the network being probed for may not even be present.
## Provisional Attacks

These attacks are purely conceptual, and may be removed in future versions of the tool if the expected behavior is not observed.

### Channel Switch Announcement

The CSA attack uses the Channel Switch Announcement information element (IE) to send five rogue beacons in an attempt to force clients to an adjacent channel. The goal is to force a re-authentication when the client returns to the original channel after not finding the AP on the other channel.
### Disassociation

The Disassociation attack is similar to the Deauthentication attack, but uses Management Disassociation frames instead of Deauthentication frames. It is worth noting that if the target network is on a Wi-Fi 6E channel (6 GHz), AO will send the client a DisassociatedDueToPoorRSSI (71) reason code, which by the specification explicitly disallows network blacklisting.

Reason Codes:

| Band | Destination | Reason Code | Description |
|---|---|---|---|
| 2.4/5/6 GHz | AP | 8 | Disassociated because STA is leaving BSS |
| 2.4/5 GHz | Client | 4 | Disassociated due to inactivity |
| 6 GHz | Client | 71 | Disassociated due to poor RSSI |
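The reason-code tables in the Deauthentication, Anonymous Reassociation and Disassociation sections describe frames a wireless monitor can recognise on the air. The following added Rust example (mine, not AngryOxide's code) decodes the 802.11 management header per the IEEE 802.11 layout (frame control, duration, DA, SA, BSSID, sequence control, body) and flags the patterns those tables describe: a broadcast deauthentication, a reason-7 deauthentication from the BSSID to one client, a reason-3 deauthentication addressed to the AP, a reassociation request whose source is the broadcast address, and a disassociation from the BSSID to a client together with its reason code. The MAC addresses, the capture and the names `parse_mgmt`, `indicators`, `tally` and `sample_capture` are constructed for this example.

```rust
use std::collections::HashMap;
use std::convert::TryInto;

/// ff:ff:ff:ff:ff:ff - destination of broadcast deauths, and the source address that
/// marks the anonymous reassociation request described above.
pub const BROADCAST: [u8; 6] = [0xff; 6];

/// Decoded management frame. Header per IEEE 802.11: frame control (2), duration (2),
/// addr1 = DA (6), addr2 = SA (6), addr3 = BSSID (6), sequence control (2), then the body.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Mgmt {
    Deauth { da: [u8; 6], sa: [u8; 6], bssid: [u8; 6], reason: u16 },
    Disassoc { da: [u8; 6], sa: [u8; 6], bssid: [u8; 6], reason: u16 },
    ReassocReq { da: [u8; 6], sa: [u8; 6], bssid: [u8; 6] },
    Other(u8),
}

pub fn parse_mgmt(frame: &[u8]) -> Option<Mgmt> {
    if frame.len() < 24 {
        return None; // shorter than a management header
    }
    let fc0 = frame[0];
    if (fc0 & 0x0f) != 0 {
        return None; // protocol version != 0, or type bits != 0 (not a management frame)
    }
    let subtype = fc0 >> 4;
    let addr = |off: usize| -> [u8; 6] { frame[off..off + 6].try_into().unwrap() };
    let (da, sa, bssid) = (addr(4), addr(10), addr(16));
    match subtype {
        10 | 12 => {
            if frame.len() < 26 {
                return None; // body of deauth/disassoc is a 2-byte little-endian reason code
            }
            let reason = u16::from_le_bytes([frame[24], frame[25]]);
            Some(if subtype == 12 {
                Mgmt::Deauth { da, sa, bssid, reason }
            } else {
                Mgmt::Disassoc { da, sa, bssid, reason }
            })
        }
        2 => Some(Mgmt::ReassocReq { da, sa, bssid }),
        s => Some(Mgmt::Other(s)),
    }
}

/// Patterns worth alerting on, taken from the reason-code tables above.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Indicator {
    BroadcastDeauth,       // deauthentication addressed to every client at once
    DeauthToClientReason7, // "class 3 frame from non-associated STA", BSSID -> one client
    DeauthToApReason3,     // "STA is leaving", addressed to the AP itself
    ReassocFromBroadcast,  // reassociation request with source ff:ff:ff:ff:ff:ff
    DisassocToClient(u16), // disassociation BSSID -> one client, carrying its reason code
}

pub fn indicators(frame: &[u8]) -> Vec<Indicator> {
    let mut out = Vec::new();
    match parse_mgmt(frame) {
        Some(Mgmt::Deauth { da, sa, bssid, reason }) => {
            if da == BROADCAST {
                out.push(Indicator::BroadcastDeauth);
            } else if reason == 7 && sa == bssid {
                out.push(Indicator::DeauthToClientReason7);
            }
            if reason == 3 && da == bssid {
                out.push(Indicator::DeauthToApReason3);
            }
        }
        Some(Mgmt::Disassoc { da, sa, bssid, reason }) => {
            if sa == bssid && da != BROADCAST {
                out.push(Indicator::DisassocToClient(reason));
            }
        }
        Some(Mgmt::ReassocReq { sa, .. }) => {
            if sa == BROADCAST {
                out.push(Indicator::ReassocFromBroadcast);
            }
        }
        _ => {}
    }
    out
}

/// Counts each indicator across a capture, for comparison with the per-cycle cadence.
pub fn tally(capture: &[Vec<u8>]) -> HashMap<Indicator, usize> {
    let mut counts = HashMap::new();
    for frame in capture {
        for ind in indicators(frame) {
            *counts.entry(ind).or_insert(0) += 1;
        }
    }
    counts
}

// Constructed sample capture: locally administered (02:..) MACs belonging to no real device.
pub const AP: [u8; 6] = [0x02, 0x11, 0x22, 0x33, 0x44, 0x55];
pub const CLIENT: [u8; 6] = [0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0xee];

fn frame(subtype: u8, da: [u8; 6], sa: [u8; 6], body: &[u8]) -> Vec<u8> {
    let mut f = vec![subtype << 4, 0x00, 0x00, 0x00]; // frame control, duration
    f.extend_from_slice(&da);
    f.extend_from_slice(&sa);
    f.extend_from_slice(&AP); // BSSID
    f.extend_from_slice(&[0x00, 0x00]); // sequence control
    f.extend_from_slice(body);
    f
}

pub fn sample_capture() -> Vec<Vec<u8>> {
    vec![
        frame(12, BROADCAST, AP, &7u16.to_le_bytes()), // broadcast deauth, reason 7
        frame(12, CLIENT, AP, &7u16.to_le_bytes()),    // deauth to a client, reason 7
        frame(12, AP, CLIENT, &3u16.to_le_bytes()),    // deauth to the AP, reason 3
        frame(2, AP, BROADCAST, &[0; 10]),             // reassoc request from broadcast
        frame(10, CLIENT, AP, &71u16.to_le_bytes()),   // disassoc to a client, reason 71
        frame(8, BROADCAST, AP, &[0; 12]),             // ordinary beacon: no indicator
    ]
}

fn main() {
    for (i, f) in sample_capture().iter().enumerate() {
        println!("frame {}: {:?}", i, indicators(f));
    }
    println!("totals: {:?}", tally(&sample_capture()));
}
```

A legitimate AP also emits reason-7 deauthentications and the occasional disassociation, so these indicators are only meaningful in volume and pattern: a BSSID that produces them at a steady interval matching one of the rate settings above (one frame every 1, 2.5 or 5 seconds, with a broadcast deauthentication every fourth cycle) is what a monitor should alert on, not a single frame.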