Jamming wireless technology
[also called "deauthentication attack"]
Buenaz diaz, cybermonkeys.
Nearly every device nowadays is using some form of 802.11 wireless technology.
This is awesome from a user's pov; This is nuts from a droid's pov.
The WLAN technology is pretty easy to bust once you understand how it worx.
If you target a normie or a static device (a video camera, for example), there should be no big deal. The victim will experience strange witchcraft and lose all wireless connections.
On the other hand: the attack is visible from a wide range. Packets flooding the aether are a clear sign of a classic DoS attack for those who are able to see. So it would be good practice to mask yourself well enough.
If you happen to have little knowledge about this kind of shit, check the Toolz section and look around for macchanger. Also, do not blindly copy these commands since some parameters may vary on every device, especially the name of the monitoring interface set up with airmon-ng.
Attack vectors
When working as intended, clients connected to an access point send a special frame to the access point when they want to end the connection, and the access point sends a special frame to each device that is disconnected from the network before deleting it from its connection list. By imitating the access point, we can spoof this frame and inject it into the network's traffic.
We can even broadcast this frame to every device connected to the specific network. After the device gets disconnected, it will immediately try to reconnect, so we keep on bursting these frames, thus causing a denial-of-service event. If we perform this attack automatically, we can forge a mighty weapon. For example, we can create an agent that waits for a specific device to appear in the network (an annoying neighbour, for example) and starts attacking it.
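An added example from the detection side, not code from the original post: it parses the 802.11 management header to recognise deauthentication frames and flags a BSSID that emits a burst of them, since a real access point sends one frame per disconnect, not dozens per second. The frame builder only produces constructed sample bytes for the demo and transmits nothing; the one-second window and threshold of five are assumptions.

```python
import struct
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12   # 802.11 management subtype 0xC: Deauthentication

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame: bytes):
    """Return (dst, src, bssid, reason) for a deauth frame, else None."""
    if len(frame) < 26:          # 24-byte management header + 2-byte reason code
        return None
    fc0, _flags, _dur, a1, a2, a3, _seq = struct.unpack_from("<BBH6s6s6sH", frame)
    if (fc0 >> 2) & 0x3 != 0 or fc0 >> 4 != DEAUTH_SUBTYPE:
        return None              # not a management/deauth frame (e.g. a beacon)
    (reason,) = struct.unpack_from("<H", frame, 24)
    return _mac(a1), _mac(a2), _mac(a3), reason

class DeauthFloodDetector:
    """Flags a BSSID that emits >= threshold deauths within window_s seconds (assumed values)."""
    def __init__(self, window_s=1.0, threshold=5):
        self.window_s, self.threshold = window_s, threshold
        self.times = defaultdict(deque)   # bssid -> timestamps of recent deauths

    def observe(self, ts: float, frame: bytes):
        parsed = parse_deauth(frame)
        if parsed is None:
            return None
        dst, _src, bssid, reason = parsed
        q = self.times[bssid]
        q.append(ts)
        while ts - q[0] > self.window_s:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold:
            return f"deauth flood: bssid={bssid} target={dst} reason={reason} n={len(q)}"
        return None

def constructed_frame(subtype: int, dst: str, src: str, bssid: str, reason=7) -> bytes:
    """Constructed sample management frame for the demo only; nothing is sent."""
    macs = [bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid)]
    hdr = struct.pack("<BBH6s6s6sH", subtype << 4, 0, 0, *macs, 0)
    return hdr + struct.pack("<H", reason)

def run_demo():
    """Replay a constructed capture: a beacon, one legitimate deauth, then a 30 ms burst."""
    det = DeauthFloodDetector()
    ap, client, bcast = "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66", "ff:ff:ff:ff:ff:ff"
    alerts = [det.observe(0.0, constructed_frame(8, bcast, ap, ap))]        # beacon: ignored
    alerts.append(det.observe(0.5, constructed_frame(12, client, ap, ap, 3)))  # single deauth: fine
    for i in range(10):                                                      # flood every 30 ms
        alerts.append(det.observe(10.0 + i * 0.03, constructed_frame(12, bcast, ap, ap)))
    return alerts
```

Where the network runs 802.11w (Protected Management Frames), forged deauth frames fail the integrity check and are dropped, which is the actual fix; the detector is for networks that cannot turn it on.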
Preparations
We need to set up some stuff before we can have fun, but it is not too hard.
First, request a new MAC address so secops and spiders won't have any hard proof against you.
Also, you will have to set up your WLAN device; to be specific, you must start airmon-ng to put your device into monitor mode. First, use the check kill command to kill every process that collides with the aircrack suite.
Macchanger will come in handy here, but you will have to bring your WLAN device down first.
Check out the pic, you can track the commands in the console window there.
Here are all commands:
# set up airmon-ng
airmon-ng check kill
iwconfig
# find the name of your device, mine is "wlan0"
airmon-ng start wlan0
# monitor mode active, the name should change to "wlan0mon"
# get a fresh MAC address
ifconfig wlan0mon down
macchanger -a wlan0mon
ifconfig wlan0mon up
# all set up
Try writing a shell script that does this setup for you, so you can act swiftly.
Also, depending on your account, you might need to sudo these commands.
Finding a target
Next, we need to find a target for our attack.
We are doing this with the program airodump-ng. As you can see in the picture, you get a big chunk of information, so it is good practice to narrow down which network you want to scan.
You can do this with the following command:
# insert the BSSID (MAC address) of the access point and the name of your monitoring interface
airodump-ng --bssid XX:XX:XX:XX:XX:XX wlan0mon
In the upper table you can find the names of all access points in the area, the lower table shows connected stations. Do not confuse stations with access points, as the name suggests.
Some interesting fields:
- BSSID: MAC address of this access point, important information for targeting
- PWR: signal power; you can estimate how far away a device is, or even locate it if you have another scanning device
- Beacons: number of beacons received from the device. A device may choose not to send beacons; in this case it is a hidden device (more below)
- Data: number of real payloads going over this access point. The more clients are connected, the faster this number increases
- Enc: encryption type of the access point. Not important in this scenario, but without doubt a really important data field
- Auth: authentication type of this network
- ESSID: the name that is broadcast to represent this network
Lower part:
- BSSID: MAC address of the access point this client is connected to
- Station: MAC address of the client
- Probe: might show the name of the device, or its username
It is also possible to use the program Kismet to monitor the devices around you, but I never really used it since I am familiar with the aircrack suite. Nevertheless, Kismet is a useful tool that even shows some more information about the devices.
If the access point chose not to send any beacons (stealth mode), there are two things you can do to discover it: the first is active and fast, but not very stealthy; the second requires time, but you cannot be detected.
For both methods, start a monitoring interface, bring up wireshark, and set up the following filter:
wlan.fc.type_subtype==0x05
The stealth technique requires only waiting from now on. The filter tells wireshark to show only probe response frames, which are part of the connection protocol defined by the IEEE.
Now we lurk. Eventually, a client will connect to the network and you can grab the information about the access point under IEEE 802.11 wireless LAN management frame.
For active discovery, you will have to engage this attack against a device in the hidden network and monitor the response frame when the device auto-reconnects after deauthentication.
Start the attack
Although you do not really need to do so, it is good practice to set the WNIC of the attacking machine to the same channel the target is on. For future attacks you can skip this step, but for now at least try it once, since it might come in handy if you script this attack to automatically attack different targets.
ifconfig wlan0mon down
iwconfig wlan0mon channel 1
ifconfig wlan0mon up
For the actual attack we will be using the program aireplay-ng from the aircrack suite.
You can either broadcast the attack frames to every device associated with the access point, or target a specific device. Aireplay will send a fixed number of frames, or infinite frames, depending on your goals. If you want to sniff WPA2 keys or try to locate hidden networks, consider sending only 2-3 deauthentication frames so an intrusion detection system won't bust your ass or automatically swap the channel.
To broadcast the deauthentication frames, try
aireplay-ng -0 10 -a XX:XX:XX:XX:XX:XX wlan0mon
Parameters:
- -0: deauthentication mode
- 10: send x frames (here 10); if you set this to 0, aireplay will keep sending deauthentication frames forever
- -a: MAC address of the access point we are attacking
- wlan0mon: name of your interface
To target a specific device in the network, use
aireplay-ng -0 10 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX wlan0mon
Obviously, the -c parameter is for the target client. If you want to target more than one, but not all, clients, consider writing a shell script.
Here is a picture of how the attack looks if it is successful:
As already stated, your frames will be seen from space; depending on your attack you can vary the rate of the packet burst. For example, somebody playing online games would have a bad ping if you sent a deauth frame every 30 ms.
That's it, cybermonkeys. If you liked this post, leave me a holler.
War does not determine who is right...