You may have heard of a signal jammer, which usually refers to a device that transmits a radio signal strong enough to drown out the reception of nearby devices such as cell phones. Purpose-built jammer hardware is outright illegal in many countries. Yet Wi-Fi is vulnerable to several jamming attacks that can be carried out with nothing more than Kali Linux and a wireless network adapter.
Traditional signal jamming has been a cat-and-mouse game of detecting and disabling the signals an opponent uses to communicate. Cutting off a target's ability to communicate leaves them isolated and vulnerable, which makes blocking these signals a top priority in modern electronic warfare. Countries today have developed the capability to jam and spoof mobile phones, GPS, Wi-Fi and even satellite links.
There are two main types of jammers: elementary and advanced. Here we will cover basic Wi-Fi jamming, focusing on unencrypted management frames. Elementary jammers can be divided into two main types: proactive and reactive. The first type, a proactive jammer, runs continuously regardless of whether there is any traffic on the network. We will use MDK3 as a deceptive jammer, which injects normal-looking packets with a harmful effect into the network.
The most common attack of this type uses deauthentication packets. This is a type of "management" frame responsible for disconnecting a device from an access point. Forging these packets is the key to hacking many Wi-Fi networks, because it lets you forcibly disconnect any client from the network at any time. The ease with which this can be done is somewhat frightening, and it is often done as part of capturing a WPA handshake to crack.
Aside from the temporary use of this disconnection to harvest a handshake to crack, you can also simply keep the deauthentication packets coming, which results in the client being bombarded with packets that appear to come from the network it is connected to. Because these frames are not encrypted, many programs take advantage of management frames by forging them and sending them to one or all devices on a network.
Programs such as Aireplay-ng rely on deauthentication packets to perform denial-of-service attacks, and this tactic is often part of the first WPA brute-forcing a hacker learns. Spamming a target with deauthentication packets is simple but effective and often takes effect almost immediately. But many who use Aireplay-ng may not know that there is another kind of management frame that can be exploited by attackers to kick clients off a WPA network.
Disassociation packets are another type of management frame used to disconnect a node (meaning any device, such as a laptop or mobile phone) from a nearby access point. The difference between deauthentication and disassociation frames lies primarily in the way they are used.
An AP that wants to disconnect a rogue device would send a deauthentication packet to inform the device that it has been disconnected from the network, whereas a disassociation packet is used to disconnect all nodes when the AP is turned off, restarted, or leaving the area.
Different networks can be equipped with different countermeasures, so deauthentication alone may not work. In fact, WPA3 protects against this attack, as do some types of WPA2. According to the Wi-Fi Alliance website:
Wi-Fi CERTIFIED WPA2 with Protected Management Frames and Wi-Fi CERTIFIED WPA3 provide protection for unicast and multicast management action frames. Unicast management action frames are protected from both eavesdropping and forging, and multicast management action frames are protected from forging. Wi-Fi CERTIFIED ac and WPA3 devices require Protected Management Frames. They augment privacy protections already in place for data frames with mechanisms to improve the resiliency of mission-critical networks.
As a result, deauthentication and disassociation attacks are just two of the many that can be used against a Wi-Fi network. Although there are more advanced jamming attacks based on interrupting CTS (clear to send) or data packets, we will save those for another guide. For now, we will use a combination of deauthentication and disassociation to increase our chances of reliably knocking a network offline.
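The distinction drawn above between an ordinary management frame and one carrying the Protected Frame bit is easiest to see at the byte level. The Python script below is an added example, not code from this article or from any of the tools it discusses: it decodes the 24-byte 802.11 MAC header plus the reason code that Deauthentication and Disassociation frames carry, and models the receiver-side rule that Protected Management Frames (802.11w) impose, namely that a deauthentication or disassociation frame without the Protected Frame bit is ignored when PMF is required. The sample frame bytes are constructed for the example (reusing the MAC addresses from the commands later in this article), and `should_act_on` is a hypothetical helper name, not an API of any real driver.

```python
"""Decode an 802.11 management frame header and apply the PMF rule.

Added example (not from the article or its tools). Layout per IEEE 802.11:
2 bytes frame control, 2 bytes duration, three 6-byte addresses, 2 bytes
sequence control, then the frame body. Deauthentication and Disassociation
bodies begin with a 2-byte little-endian reason code.
"""
import struct

SUBTYPE_DISASSOC = 0xA   # management subtype 10
SUBTYPE_DEAUTH = 0xC     # management subtype 12
SUBTYPE_NAMES = {SUBTYPE_DISASSOC: "disassociation",
                 SUBTYPE_DEAUTH: "deauthentication"}
FLAG_PROTECTED = 0x40    # "Protected Frame" bit in the flags byte


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as a lowercase colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes) -> dict:
    """Return header fields of a management frame; raise ValueError otherwise."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 802.11 MAC header")
    fc0, flags = frame[0], frame[1]
    version = fc0 & 0x03          # bits 0-1: protocol version, always 0
    ftype = (fc0 >> 2) & 0x03     # bits 2-3: 0 = management frame
    subtype = (fc0 >> 4) & 0x0F   # bits 4-7: management subtype
    if version != 0 or ftype != 0:
        raise ValueError("not a management frame")
    info = {
        "subtype": subtype,
        "kind": SUBTYPE_NAMES.get(subtype, "other"),
        "protected": bool(flags & FLAG_PROTECTED),
        "dst": mac_str(frame[4:10]),     # addr1: receiver
        "src": mac_str(frame[10:16]),    # addr2: transmitter (trivially forgeable)
        "bssid": mac_str(frame[16:22]),  # addr3: BSSID
        "reason": None,
    }
    if subtype in SUBTYPE_NAMES:
        if len(frame) < 26:
            raise ValueError("deauth/disassoc frame is missing its reason code")
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def should_act_on(frame: bytes, pmf_required: bool) -> bool:
    """Hypothetical receiver decision: when PMF is required, an unprotected
    deauthentication or disassociation frame is silently dropped."""
    info = parse_mgmt_frame(frame)
    if info["kind"] == "other":
        return True
    return info["protected"] or not pmf_required


# Constructed sample: an unprotected deauthentication frame with reason code 7
# ("class 3 frame received from nonassociated STA"), addressed to the client
# and claiming to come from the AP used in this article's example commands.
SAMPLE_DEAUTH = bytes([
    0xC0, 0x00,                            # frame control: type 0, subtype 12, no flags
    0x3A, 0x01,                            # duration
    0xA4, 0x14, 0x37, 0x44, 0x1F, 0xAC,    # addr1: destination (client)
    0xF2, 0x9F, 0xC2, 0x34, 0x55, 0x69,    # addr2: source (allegedly the AP)
    0xF2, 0x9F, 0xC2, 0x34, 0x55, 0x69,    # addr3: BSSID
    0x00, 0x00,                            # sequence control
    0x07, 0x00,                            # reason code 7, little-endian
])

if __name__ == "__main__":
    print(parse_mgmt_frame(SAMPLE_DEAUTH))
    print("acted on without PMF:", should_act_on(SAMPLE_DEAUTH, pmf_required=False))
    print("acted on with PMF:   ", should_act_on(SAMPLE_DEAUTH, pmf_required=True))
```

The source address in addr2 is just a field in an unauthenticated header, which is why a receiver without PMF has no way to tell this frame from one the real AP sent; with PMF required, the missing Protected Frame bit alone is enough to discard it.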
To understand Aireplay-ng versus MDK3 as jamming tools, we should look at the help output of each tool. For Aireplay-ng we see the following relevant information:
~ $ aireplay-ng --help

  Aireplay-ng 1.5.2  - (C) 2006-2018 Thomas d'Otreppe
  https://www.aircrack-ng.org

  usage: aireplay-ng <options> <replay interface>

  Filter options:

      -b bssid  : MAC address, Access Point
      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length
      -n len    : maximum packet length
      -u type   : frame control, type    field
      -v subt   : frame control, subtype field
      -t tods   : frame control, To      DS bit
      -f fromds : frame control, From    DS bit
      -w iswep  : frame control, WEP     bit
      -D        : disable AP detection

  Attack modes (numbers can still be used):

      --deauth      count : deauthenticate 1 or all stations (-0)
      --fakeauth    delay : fake authentication with AP (-1)
      --interactive       : interactive frame selection (-2)
      --arpreplay         : standard ARP-request replay (-3)
      --chopchop          : decrypt/chopchop WEP packet (-4)
      --fragment          : generates valid keystream (-5)
      --caffe-latte       : query a client for new IVs (-6)
      --cfrag             : fragments against a client (-7)
      --migmode           : attacks WPA migration mode (-8)
      --test              : tests injection and quality (-9)

      --help              : Displays this usage screen
Although the included tools are interesting, only --deauth is useful for jamming a Wi-Fi connection. Using these filter options, we can point Aireplay-ng at specific nodes on specific APs, with a command like the one below.
~ $ aireplay-ng -0 0 -a f2:9f:c2:34:55:69 -c a4:14:37:44:1f:ac wlan0mon
This command uses the wlan0mon interface in monitor mode to send an unlimited stream of deauthentication packets to the client with MAC address a4:14:37:44:1f:ac, connected to the access point with MAC address f2:9f:c2:34:55:69. This attack is surgical and usually starts working immediately, but it may fail on some networks or not be very effective.
MDK3, by comparison, has fewer surgical filters, judging by its help output.
~ $ mdk3 --help

MDK 3.0 v6 - "Yeah, well, whatever"
by ASPj of k2wrlz, using the osdep library from aircrack-ng
And with lots of help from the great aircrack-ng community:
Antragon, moongray, Ace, Zero_Chaos, Hirte, thefkboss, ducttape,
telek0miker, Le_Vert, sorbo, Andy Green, bahathir and Dawid Gajownik
THANK YOU!

MDK is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses.

MDK USAGE:
mdk3 <interface> <test_mode> [test_options]

TEST MODES:
b   - Beacon Flood Mode
      Sends beacon frames to show fake APs at clients.
      This can sometimes crash network scanners and even drivers!
a   - Authentication DoS mode
      Sends authentication frames to all APs found in range.
      Too much clients freeze or reset some APs.
p   - Basic probing and ESSID Bruteforce mode
      Probes AP and check for answer, useful for checking if SSID has
      been correctly decloaked or if AP is in your adaptors sending range
      SSID Bruteforcing is also possible with this test mode.
d   - Deauthentication / Disassociation Amok Mode
      Kicks everybody found from AP
m   - Michael shutdown exploitation (TKIP)
      Cancels all traffic continuously
x   - 802.1X tests
w   - WIDS/WIPS Confusion
      Confuse/Abuse Intrusion Detection and Prevention Systems
f   - MAC filter bruteforce mode
      This test uses a list of known client MAC Addresses and tries to
      authenticate them to the given AP while dynamically changing
      its response timeout for best performance. It currently works only
      on APs who deny an open authentication request properly
g   - WPA Downgrade test
      deauthenticates Stations and APs sending WPA encrypted packets.
      With this test you can check if the sysadmin will try setting his
      network to WEP or disable encryption.
With MDK3 we see a few attractive options. Option g will try to force a network administrator to disable or downgrade encryption by hitting every connection that sends WPA-encrypted packets with deauthentication attacks.
Option b attempts a beacon flood attack to create fake APs in the area, and option a attempts to jam a network by sending too many authentication frames. Neither of these attacks works for jamming a network, so the most useful attack option is d.
The Deauthentication / Disassociation Amok Mode attack by default kicks everyone off every network in the area, but with some filters we can make it work more surgically.
What You Need
To get started, you need a fully updated copy of Kali Linux and a Kali-compatible wireless network adapter. If you need help choosing one, you can consult our guide below.
To update your copy of Kali Linux, connect to the Internet, open a terminal window, and run the commands below.
~ $ apt update
~ $ apt upgrade
Step 1: Install MDK3
~ $ apt install mdk3
Reading package lists... Done
Building dependency tree
Reading state information... Done
mdk3 is already the newest version (6.0-6).
mdk3 set to manually installed.
The following package was automatically installed and is no longer required:
  libgit2-27
Use 'apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 1823 not upgraded.
Once installed, you can type mdk3 --help to view the most important options.
Step 2: Jam an Area
If we look at the filter options for MDK3, we can type mdk3 --help d to get the help information specific to the deauthentication module. Here we can see that it differs from the options Aireplay-ng offers. Instead, we have the following options to shape our attack:
- -w flag for a file of MAC addresses to ignore, or whitelist.
- -b flag for a file of MAC addresses to attack, or blacklist.
- -s flag for the speed (packets per second) of the attack.
- -c flag for the channel on which the attack is conducted.
Based on these options, we need at least one piece of information before we can knock anything offline. First we have to put our network adapter into monitor mode and supply the name of the adapter in monitor mode so the attack can run.
To find it, type either ifconfig or the newer ip a in a terminal window to see the network adapter name. It should be something like "wlan0" or "wlan1."
Once you have the device name, you can put it into monitor mode with the following airmon-ng command, where wlan0 is the name of your network card.
~ $ sudo airmon-ng start wlan0
After you have done this, type ifconfig or ip a to get the device's new name. You can expect it to be something like "wlan0mon."
With this information, you can run the tool to deauthenticate everything nearby. This is noisy, not as effective as targeting, and it may take more than one card to work. In my tests, one network card attacking everything in the area caused few noticeable disruptions, while three network cards attacking everything in the area caused noticeable disconnections from the network.
To execute the attack, type the following in a terminal window, with wlan0mon as the name of your adapter in monitor mode.
~ $ mdk3 wlan0mon d
Because this attack has to hop between channels, it will probably miss some APs and may not be very fast. It is also very disruptive, because it can disconnect everything within range regardless of whether you have permission or whether it is relevant to what you are doing.
Step 3: Jam a Channel
A better option than jamming an entire area is to jam a single channel. To know which channel to jam, we can use another tool called Airodump-ng to find out which channel our target is on. With our card in monitor mode as wlan0mon, we can type the following command to view information about all nearby wireless networks.
~ $ airodump-ng wlan0mon
This displays all access points in the area, along with information about them. Here we can see which channel the access point we are focusing on is using, which lets us limit our effect to a single channel instead of hopping across channels.
Once we know which channel the AP is on, we can press Ctrl-C to stop the scan and type the following into a terminal window, where the channel we are attacking is channel 6.
~ $ mdk3 wlan0mon d -c 6
Jamming a channel is very effective, but it affects all APs and all devices operating on that channel. This can still be too noisy, so we need to refine it further to get the same targeting options Aireplay-ng offers.
Step 4: Whitelist & Blacklist Devices
Once we have a specific channel to attack, we can be more precise by adding a blacklist or a whitelist.
To do this, we run our Airodump-ng scan again, and this time we copy the MAC address of the device we want to attack. I tested this with both the address of the AP and that of the device you want to attack. Using the MAC address of the AP will attack everything on it, while adding the MAC address of the device will attack only that device and nothing else on the network.
To get this information, we can type the following to find the APs on the channel we focused on earlier, in this case channel 6.
~ $ airodump-ng wlan0mon -c 6
By specifying the channel we found earlier, we reduce the number of devices we see. To find devices connected to our target network, we can look at the bottom of the output for devices listed as associated with the MAC address of our target network.
Once we find an associated MAC address, we can easily target it. Copy the MAC address and open a new terminal window. Type nano black.txt and press Enter to open a text editor. Now paste the MAC address of the device you want to block and press Ctrl-X to close the text editor.
Now we can run MDK3 against the target network by executing the command below, with black.txt as the text file we just created containing the MAC addresses we want to block.
~ $ mdk3 wlan0mon d -c 6 -b ~/black.txt
If this works, the device should drop off very quickly and stay off. Conversely, you can list the devices you want to leave alone and run the command with the -w flag to attack everything else on the channel instead.
Although these attacks can be frightening, depending on what is being jammed (a home security camera, for example), the risk can be mitigated by using Ethernet where possible and by upgrading to WPA3 when devices that support it become available. One of the main differences between WPA2 and WPA3 is that WPA3 does not allow this type of attack, because it prevents deauthentication and disassociation packets from being forged in the first place.
Until then, you can use devices that support Protected Management Frames, or, if you suspect you are the target of such an attack, you can detect it using an intrusion detection system (IDS). Kismet can be used as an IDS to detect this type of attack because it alerts you when it sees disassociation or deauthentication frames being sprayed across a network.
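The alert Kismet raises comes down to rate: a healthy AP emits a handful of deauthentication or disassociation frames now and then, whereas a jammer sends hundreds per second. The Python script below is an added example, not code from this article, from Kismet or from MDK3; it implements that idea as a sliding-window counter keyed by the BSSID the frames claim to come from, and raises one alert per flood episode. The input records (timestamp, subtype, BSSID, destination), the threshold of 20 frames and the five-second window are all constructed for the example, and the class and function names are the author's own choice rather than any real IDS API.

```python
"""Rate-based detector for deauthentication/disassociation floods.

Added example, not code from the article or from Kismet. It implements
the idea behind an IDS alert for sprayed management frames: count
deauthentication and disassociation frames per BSSID inside a sliding
time window and alert once the count crosses a threshold. The input
records, the threshold and the window length are all constructed here.
"""
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10          # 802.11 management subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


class DeauthFloodDetector:
    """Sliding-window counter keyed by the BSSID the frames claim to come from."""

    def __init__(self, threshold: int = 20, window_s: float = 5.0):
        self.threshold = threshold
        self.window_s = window_s
        self._recent = defaultdict(deque)   # bssid -> timestamps inside the window
        self._active = set()                # bssids currently in alert state

    def observe(self, ts: float, subtype: int, bssid: str, dst: str):
        """Feed one management frame. Return an alert dict when a flood
        begins, None otherwise; one alert per flood episode per BSSID."""
        if subtype not in (DEAUTH, DISASSOC):
            return None
        window = self._recent[bssid]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()                # expire frames older than the window
        if len(window) < self.threshold:
            self._active.discard(bssid)     # episode over; a later flood alerts again
            return None
        if bssid in self._active:
            return None
        self._active.add(bssid)
        return {
            "bssid": bssid,
            "count": len(window),
            "window_s": self.window_s,
            "to_broadcast": dst == BROADCAST,  # one broadcast frame hits every client
        }


def scan(records, threshold: int = 20, window_s: float = 5.0) -> list:
    """Run the detector over (ts, subtype, bssid, dst) tuples in time order."""
    det = DeauthFloodDetector(threshold, window_s)
    alerts = []
    for ts, subtype, bssid, dst in sorted(records):
        alert = det.observe(ts, subtype, bssid, dst)
        if alert:
            alerts.append(alert)
    return alerts


def sample_records() -> list:
    """Constructed traffic: a benign AP reboot plus a flood against one AP."""
    recs = [
        # Benign: an AP going down disassociates its clients with two frames.
        (0.0, DISASSOC, "00:11:22:33:44:55", BROADCAST),
        (0.5, DISASSOC, "00:11:22:33:44:55", BROADCAST),
        # A beacon (subtype 8) is management traffic the detector ignores.
        (1.0, 8, "00:11:22:33:44:55", BROADCAST),
    ]
    # Flood: 60 deauthentication frames in three seconds, all claiming to come
    # from the AP and aimed at the client used in this article's commands.
    recs += [(10.0 + i * 0.05, DEAUTH, "f2:9f:c2:34:55:69", "a4:14:37:44:1f:ac")
             for i in range(60)]
    return recs


if __name__ == "__main__":
    for alert in scan(sample_records()):
        print("ALERT: deauth/disassoc flood", alert)
```

A detector like this cannot stop the frames (only Protected Management Frames do that), but it tells you an attack is under way and which BSSID is being impersonated; the threshold should be tuned per site, since some enterprise controllers legitimately deauthenticate many clients at once during a reboot.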
I hope you enjoyed this guide to advanced Wi-Fi jamming with MDK3 and Aireplay-ng! If you have any questions about this tutorial or Wi-Fi jamming, you can leave a comment or reach me on Twitter @KodyKinzie.