WiFi jamming
This is the fourth article on the subject of wireless security, focusing on WiFi networks, and this one is about WiFi jamming, which in fact is not truly a form of jamming. A true WiFi jammer (such devices do exist) disrupts or interferes with the WiFi signal, making it impossible to reliably send data packets over the WiFi network. A hacker will not accomplish much with this, except that it renders the WiFi network unusable.
In this article, we'll be focusing on WiFi de-authentication. The WiFi protocol has a special type of packet called a de-authentication packet. We will be flooding the target Access Point with de-authentication packets, which causes the target Access Point to disconnect the wireless clients from the network. So this "WiFi de-authentication attack" is in fact a type of denial-of-service (DoS) attack; it isn't actual jamming of radio frequencies.
The reason a hacker might do this is to deny a client access to a specific Access Point. If the hacker sets up his/her own Access Point using the same WiFi network name (ESSID), the client may potentially connect to that Access Point instead of the regular one. If that occurs, the hacker effectively becomes the man-in-the-middle, able to monitor the client's network traffic. In a later tutorial we'll discuss how to set up your own Access Point using Kali Linux.
What you need to perform a WiFi de-authentication attack is an installation of Kali Linux and a wireless device that is capable of running in Master mode, such as the Alfa AWUS036NH or TP-Link TL-WN722N.
Once you have started Kali Linux, it involves just 3 steps for the attack:
- Enable monitor mode on your wireless interface.
- Determine the MAC addresses of the target Access Point and client.
- Send de-authentication packets to the Access Point to disconnect one or all clients.
Step 1: Enabling monitor mode
Enabling monitor mode on a wireless device was already discussed in the previous article on scanning WiFi networks, so just to recap it here, for example if your wireless interface is called wlan2:
# ifconfig wlan2 down
# iwconfig wlan2 mode monitor
# ifconfig wlan2 up
Step 2: Determining the target MAC addresses
Also discussed in the previous article on scanning WiFi networks, run airodump-ng to discover the Access Points and any clients, for example by running:
# airodump-ng wlan2
In the output listed by the airodump-ng command, you'll see in the top section the MAC addresses of the Access Points available. In the bottom section, you may see any connected clients: both the MAC addresses of the clients (or stations) and of the Access Points (or BSSIDs) they are connected to will be listed, if clients are indeed connected to an Access Point.
Step 3: Sending de-authentication packets
Once you have determined the MAC address of an Access Point/BSSID to target, for example B0:26:80:83:79:C0, you can flood the target with de-authentication packets by simply running:
# aireplay-ng -0 0 -a B0:26:80:83:79:C0 wlan2
This will result in de-authenticating any client connected to the Access Point with MAC address B0:26:80:83:79:C0. The "-0 0" instructs aireplay-ng to use attack type 0 (de-authentication) with a count of 0 (zero means it keeps sending until you stop it). While the attack is running, the WiFi network is unusable.
You can also target a specific client connected to an Access Point, for example if the MAC address of the client is 90:C1:15:1C:85:C0:
# aireplay-ng -0 0 -a B0:26:80:83:79:C0 -c 90:C1:15:1C:85:C0 wlan2
This means the client can no longer stay connected to the Access Point, and it may then connect to a different wireless network instead, especially if the client knows more wireless networks.
If you only want to de-authenticate a client once, in the hope that it connects to a rogue Access Point you have set up yourself, you can instead use the option "-0 1", which sends just a single round of de-authentication packets.
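From the defender's side, the flood described in step 3 shows up as a burst of 802.11 management frames with subtype 12 (de-authentication) carrying one BSSID, very often addressed to the broadcast MAC when no client is specified. The following Python example is added here and is not part of the original article or the aircrack-ng suite: it parses raw 802.11 frames, counts de-authentication frames per BSSID in a sliding window and raises an alert when the rate is far above what a normal network produces. The frames and timestamps are constructed for the example; the BSSID reuses the one from the article.

```python
import struct
from collections import deque

DEAUTH_FC0 = 0xC0  # frame control byte 0: type 0 (management), subtype 12 (deauth)
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for a deauth frame, else None."""
    if len(frame) < 26 or (frame[0] & 0xFC) != DEAUTH_FC0:
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]  # addr1..addr3
    reason = struct.unpack_from("<H", frame, 24)[0]            # body: reason code
    return mac_str(dst), mac_str(src), mac_str(bssid), reason

def sample_deauth(dst, src, bssid, reason=7):
    """Constructed test input in the real deauth-frame layout (never transmitted).
    Reason 7 = class 3 frame received from non-associated station."""
    hdr = bytes([DEAUTH_FC0, 0x00, 0x3a, 0x01])  # frame control + duration
    for mac in (dst, src, bssid):
        hdr += bytes(int(x, 16) for x in mac.split(":"))
    return hdr + b"\x00\x00" + struct.pack("<H", reason)  # seq ctrl + reason

def detect_flood(frames, window=1.0, threshold=10):
    """frames: list of (timestamp, raw_frame). One alert per BSSID when more
    than `threshold` deauths are seen within `window` seconds."""
    recent, alerts, seen = {}, [], set()
    for ts, frame in sorted(frames, key=lambda f: f[0]):
        parsed = parse_deauth(frame)
        if parsed is None:
            continue  # beacons, data frames etc. are ignored
        dst, _src, bssid, reason = parsed
        q = recent.setdefault(bssid, deque())
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and bssid not in seen:
            seen.add(bssid)
            alerts.append({"bssid": bssid, "count": len(q), "window": window,
                           "broadcast": dst == BROADCAST, "reason": reason})
    return alerts

# Constructed capture: 15 broadcast deauths from one BSSID in 0.7 s, plus beacons.
AP = "b0:26:80:83:79:c0"  # the BSSID used in the article
BEACON = bytes([0x80, 0x00]) + b"\x00" * 30  # management subtype 8, padded body
SAMPLE = [(i * 0.05, sample_deauth(BROADCAST, AP, AP)) for i in range(15)]
SAMPLE += [(i * 0.1, BEACON) for i in range(8)]
```

Running `detect_flood(SAMPLE)` returns one alert for the BSSID with `broadcast` set, which is the signature of the all-clients variant of the command above; a single legitimate de-authentication never crosses the threshold.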