From charlesreid1

Data Layer 2 Attacks

Review

Let's review the network stack before we launch into network layer attacks.


| Layer | Name | Function |
|-------|------|----------|
| 7 | Application | Topmost layer, provides users a means to access network resources (only level seen by end user) |
| 6 | Presentation | Transforms data received into a format that is readable by the application layer. Handles encryption/decryption for secure data |
| 5 | Session | Manages communication sessions between computers. Manages connections with other devices. Half-duplex or full duplex. |
| 4 | Transport | Provides reliable data transport services to lower layers. |
| 3 | Network | Routes data between physical networks. Handles addressing, via IP. Handles packet fragmentation and error detection. Router level. Most complex layer. |
| 2 | Data Link | Transports data across a network. Provides addressing scheme to identify physical devices, bridges, switches, MAC addresses. |
| 1 | Physical | The physical medium for the network communication signals. |

(Please Do Not Touch Steve's Pet Alligator)

Layer 3 is the Network layer. It handles IP addresses and translating between MAC addresses and IP addresses.

Scenario

Suppose you're attacking a sheep that's on a foreign network, and you have zero information about the sheep and/or about the sheep's network. Where does that leave you? Fortunately, given the volume of information publicly broadcast by devices, you've got plenty to go on.

The Data Link layer is synonymous with the MAC addresses of machines. This is the basic way that computers are able to create data channels among themselves - it all begins with the unique device identifiers called MAC addresses. These identifiers are like hardware fingerprints. (Changing your MAC address with a tool like Macchanger is akin to changing your fingerprints, and can potentially raise Hell on a network.) MAC addresses usually encode information about the manufacturer in the first 6 hex digits; for example, most or all Apple computers share a set of MAC prefixes. These prefixes can be looked up online or using software libraries in the kernel, and will tell you the manufacturer of a given device.
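The prefix lookup described above, written as an added example for reviewing a device inventory (not code from the original page). The prefix table is constructed with placeholder vendor names, and the function names are hypothetical. It also checks the two flag bits in the first octet: by IEEE 802 convention, an address with the locally administered bit set was not assigned by a manufacturer, so its first 6 hex digits say nothing about the vendor.

```python
import re

# Constructed sample table for illustration; a real registry holds tens of
# thousands of prefixes. Vendor names here are placeholders.
SAMPLE_OUI_TABLE = {
    "001122": "ExampleVendor A (placeholder)",
    "A4B1C2": "ExampleVendor B (placeholder)",
}

def normalize_mac(mac):
    """Accept aa:bb:.., aa-bb-.. or aabb.ccdd.eeff; return 12 uppercase hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def describe_mac(mac, table=SAMPLE_OUI_TABLE):
    """Split a MAC into its prefix and flag bits, and look up the vendor."""
    digits = normalize_mac(mac)
    first_octet = int(digits[:2], 16)
    local = bool(first_octet & 0x02)      # U/L bit: locally administered
    multicast = bool(first_octet & 0x01)  # I/G bit: group (multicast/broadcast)
    return {
        "mac": ":".join(digits[i:i + 2] for i in range(0, 12, 2)),
        "oui": digits[:6],
        "locally_administered": local,
        "multicast": multicast,
        # A locally administered address has no meaningful vendor prefix.
        "vendor": None if local else table.get(digits[:6]),
    }

def review_inventory(macs, table=SAMPLE_OUI_TABLE):
    """Return (mac, reason) pairs for entries that deserve a second look."""
    findings = []
    for mac in macs:
        try:
            info = describe_mac(mac, table)
        except ValueError:
            findings.append((mac, "malformed"))
            continue
        if info["multicast"]:
            findings.append((info["mac"], "group address, not a device"))
        elif info["locally_administered"]:
            findings.append((info["mac"], "locally administered"))
        elif info["vendor"] is None:
            findings.append((info["mac"], "unknown OUI"))
    return findings
```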

Attacks in Layer 2 are valuable because they require no prior information about a sheep, a network, etc. Because Layer 2 information (unique identifiers/MAC addresses) provides the most basic foundations of a communication system, this information is not private or encrypted - in fact it is publicly broadcast. This is perhaps the most startling thing about using the aircrack tool - the wealth of information that is continuously being broadcast by a huge number of devices.

Devices like routers are continually broadcasting advertisements with their MAC address and SSID (network name). Networks need to publicly advertise their MAC addresses in order for clients to send connection requests.

Client devices are also continually sending their own MAC address, as they need to include a "return address" on all packets they transmit. Every device in the vicinity will receive these packets - the 802.11 protocol simply dictates that radios be polite and not read other people's mail, and packets not intended for the host machine are discarded at the hardware level and never reach the CPU. By putting a wifi card in monitor mode, you are turning off that discard mechanism, and every single packet you hear is processed by the CPU.

Deauth Attacks

Because Layer 2 is where basic channels of data are created, everything must be public. This includes the handshake process - which is where the main weakness of WPA lies. The handshake process must take place publicly, and according to the WPA protocol, the encrypted handshake is sent in a packet that anyone can read. Thus, someone listening with software like Aircrack can capture these handshake packets, and obtain an encrypted passphrase for a given network. With tools like John, these encrypted passphrases can be cracked.

Rogue AP Attacks

Another type of trickery that can occur at Layer 2 is a Rogue AP, namely, a fake AP that is created with the intention of tricking clients into revealing wifi credentials. This attack is also a Layer 2 attack, because it takes advantage of the fact that devices are often set to automatically send an encrypted handshake packet to any wifi network that claims to be a "remembered" wifi network. Of course, the names of these "remembered" networks are also broadcast, so it isn't like it's a secret or anything.

The Rogue AP attack tricks the sheep into thinking that a random access point is actually the sheep's (for example) home network, for which the encrypted passphrase is saved so the sheep can quickly and conveniently connect to their home wifi network when they get home after a long day of doing sheep stuff from 9 to 5. The phone does not question whether the wifi network is in the right place - it just checks that the MAC address (easily spoofed) is correct.
