Topics: Security

WiFi jamming

This is the fourth article on the subject of wireless security, focusing on WiFi networks, and this article is about WiFi jamming. Which in fact, is not truly a form of jamming. A true WiFi jammer (such devices to exist) will disrupt or interfere the WiFi signal, making it impossible to reliably send data packets over the WiFi network. A hacker will not accomplish much with this, except that it will render the WiFi network unusable.

In this article, we'll be focusing on WiFi de-authentication. In the WiFi protocol, a special type of packet exists, which is called a de-authentication packet. We will be flooding the target Access Point with de-authentication packets. This will cause the target Access Point to disconnect the wireless clients from the network. So, in fact this "WiFi de-authentication attack" is a type of denial-of-service (DOS) attack. It isn't the actual jamming of radio frequencies.

The reason a hacker might do this, is to deny a client access to a specific Access Point. If the hacker sets up his/her own Access Point using the same WiFi network name (ESSID), then potentially the client may connect to that Access Point instead of the regular Access Point. And if that occurs, the hacker effectively becomes the man-in-the-middle, being able to monitor the clients network traffic. In a later tutorial we'll discuss how to set up your own Access Point using Kali Linux.

What you need to perform a WiFi de-authentication attack, is an installation of Kali Linux and a wireless device that is capable of running in Master mode, such as the Alpha AWUS036NH or TP-Link TL-WN722N.

Once you have started Kali Linux, it involves just 3 steps for the attack:

  • Enable monitor mode on your wireless interface.
  • Determine the MAC addresses of the target Access Point and client.
  • Send de-authentication packets to the Access Point to disconnect one or all clients.
Step 1: Enable monitor mode

Enabling monitor mode on a wireless device was already discussed in the previous article on scanning WiFi networks, so just to recap it here, for example if your wireless interface is called wlan2:
# ifconfig wlan2 down
# iwconfig wlan2 mode monitor
# ifconfig wlan2 up

Step 2: Determining the target MAC addresses

Also discussed in the previous article on scanning WiFi networks, run airodump-ng to discover the Access Points and any clients, for example by running:
# airodump-ng wlan2
In the output listed by the airodump-ng command, you'll see in the top section the MAC addresses of the Access Points available. In the bottom section, you may see any clients connected, and both the MAC addresses of the clients (or stations) and the Access Points (or BSSIDs) will be listed, if clients are indeed connected to an Access Point.

Step 3: Sending de-authentication packets

Once you have determined the MAC address of an Access Point/BSSID to target, for example B0:26:80:83:79:C0, you can flood the target with de-authentication packets, by simply running:
# aireplay-ng -0 0 -a B0:26:80:83:79:C0 wlan2
This will result in de-authenticating any client connected to the Access Point with MAC address B0:26:80:83:79:C0. The "-0 0" instructs aireplay-ng to use attack type 0 (de-authentication) for 0 amount of times (zero means infinite). While the attack is running this will render the WiFi network unusable.

You can also target a specific client connected to an Access Point, for example if the MAC address of the client is 90:C1:15:1C:85:C0:
# aireplay-ng -0 0 -a B0:26:80:83:79:C0 -c 90:C1:15:1C:85:C0 wlan2
This means the client can no longer connect to the Access Point, and maybe, especially if the client knows more wireless networks, it will then connect to a different wireless network.

If you simply want a client to de-authenticate 1 time, in the hopes of it connecting to a rogue Access Point that you have set up yourself, instead you can also use the option "-0 1", to just send 1 single de-authentication packet.

If you found this useful, here's more on the same topic(s) in our blog:

UNIX Health Check delivers software to scan Linux and AIX systems for potential issues. Run our software on your system, and receive a report in just a few minutes. UNIX Health Check is an automated check list. It will report on perfomance, capacity, stability and security issues. It will alert on configurations that can be improved per best practices, or items that should be improved per audit guidelines. A report will be generated in the format you wish, and the report includes the issues discovered and information on how to solve the issues as well.

Interested in learning more?