In this post I will explain step by step how to perform a small DoS attack on a specific wireless client using a deauthentication attack. This attack targets the communication between a client and the access point to which it is connected.
This attack works as follows. The Wi-Fi protocol (IEEE 802.11) contains a mechanism that allows a wireless client or an access point to send a deauthentication frame to terminate an association. Without 802.11w (Protected Management Frames), these management frames are neither authenticated nor encrypted, and a wireless client is identified only by its MAC address, so an attacker can send deauthentication frames while spoofing the source MAC address, using the victim's.
For this demonstration, I created a dummy SSID named “WIFI_HACKING” which is broadcast by my FortiWIFI 30E at home. It is simply protected by WPA2. The victim, my Nexus 4 phone running Android, is connected to this SSID and can browse the Internet without problem. Using my favorite Linux distro, I will sniff the wireless networks to find all the information needed to run this attack. Each step is explained below.
Step 0 – Install hacking tools
For this attack, I only use “kismet” and “aircrack-ng”. If you use Kali Linux, these tools are directly available. On my Ubuntu I have to install them using this command:
fl0at0xff@bl00b:~$ sudo apt install kismet aircrack-ng
Kismet is useful to find information about the SSIDs currently broadcast in the area, and aircrack-ng is the set of tools we need to launch the attack.
Step 1 – Configure attacker’s WLAN network card
The first thing to do is to configure the network card used to launch the attack in “monitor” mode. This mode allows the NIC to capture all Wi-Fi frames on the air, not only those addressed to it. Not all network cards can be configured in monitor mode. To do this, shut down your NIC, activate monitor mode and then enable the card again. In my case, my NIC is named wlan1.
fl0at0xff@bl00b:~$ sudo ifconfig wlan1 down
fl0at0xff@bl00b:~$ sudo iwconfig wlan1 mode monitor
fl0at0xff@bl00b:~$ sudo ifconfig wlan1 up
When the NIC is in monitor mode, you are not able to connect to an SSID with it. To check that the interface is correctly in monitor mode, use this command and look at the “Mode” field.
fl0at0xff@bl00b:~$ iwconfig wlan1
wlan1     IEEE 802.11  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
Step 2 – Get needed information using Kismet
To launch this attack, we need three pieces of information:
- The ESSID: the name of the wireless network the victim is connected to, often simply called the “SSID”
- The BSSID: the MAC address of the access point the victim is connected to
- The channel: the channel number on which the ESSID is broadcast
Note: you can get this information simply with airodump-ng, a tool that we will use later in this post to capture traffic, but I take advantage of this post to give a very quick overview of Kismet.
If you run kismet for the first time, you will be prompted to configure it: you are asked to start the kismet server and to specify which NIC to use (the source interface). Very simple and intuitive. If you encounter problems with Kismet, do not hesitate to contact me using the comment area on this page.
Simply run kismet in command line and start the server when prompted.
The following screenshots show the different steps of the configuration.
After adding the source, you may get a warning message; simply accept it. After that, you can see a lot of information about the detected SSIDs. The “INFO” section provides everything we need. In my case:
Now we have the channel on which the SSID is broadcast (channel 1) and the MAC address of the AP (92:6C:AC:E5:4F:50).
Step 3 – Capture traffic and find the target client
Now you can use airodump-ng, a tool included in the aircrack-ng package, to capture all traffic for a specific BSSID on a specific channel. With this capture, we will be able to find the clients connected to the SSID. To start the capture, run this command, adapted with your values.
fl0at0xff@bl00b:~$ sudo airodump-ng --bssid 92:6C:AC:E5:4F:50 --channel 1 wlan1
After a few seconds, if there are connected clients, you will see them. In my case, I only have my Nexus 4.
The “STATIONS” column gives you the MAC addresses of the connected devices, in my case my Nexus 4 (10:68:3F:33:1F:F3). As explained before, airodump-ng provides all the information needed to launch the attack.
Step 4 – Launch the attack
Now we are ready to launch the attack. On my Nexus 4, I installed the application “PingTools Network Utilities” by “StreamSoft” and started a continuous ping to www.google.com. If the attack is successful, the pings must be lost and my Nexus 4 should be disconnected from the SSID.
The tool aireplay-ng sends deauth frames from the wlan1 card with a spoofed source MAC address. To start a small DoS, run this command:
fl0at0xff@bl00b:~$ sudo aireplay-ng --deauth 5 -a 92:6C:AC:E5:4F:50 -c 10:68:3F:33:1F:F3 wlan1
If all the parameters are correct, you should see your ping fail and the device is no longer connected to the wireless network! In this command, 5 bursts of deauth frames are sent. This is sufficient to disconnect a client, but it will reconnect again. Increase this value to a very large number to perform a longer DoS.
And on my Nexus 4, I saw that the ping failed and that I was no longer connected to the wireless network.
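From the defender's side, the frames described in the introduction are easy to spot: a legitimate teardown is a single frame, while the attack in Step 4 sends them in bursts. The following Python script is an added example written for this post (it is not part of aircrack-ng or Kismet). It parses raw 802.11 management frames, recognises deauthentication and disassociation frames from their frame-control byte, attributes each one to a (BSSID, client) pair whichever side it claims to come from, and raises an alert when a pair exceeds a threshold inside a sliding time window. The capture it runs on is constructed inline, reusing the BSSID and station MAC from this post; the burst size of 64 frames per direction, the reason code 7 and the second client A4:B1:C2:D3:E4:F5 are assumptions of the example.

```python
"""Detect deauthentication/disassociation floods in raw IEEE 802.11 frames.

Added example for this post, not code from aircrack-ng or Kismet.
Input is a list of (timestamp_seconds, frame_bytes) pairs with no radiotap
header; in a real deployment these would come from a monitor-mode capture.
All sample frames below are constructed.
"""
from collections import defaultdict, deque
import struct

# Management frame (type 0) subtypes that tear down an association.
DEAUTH_SUBTYPE = 12
DISASSOC_SUBTYPE = 10
MAC_HEADER_LEN = 24          # FC(2) + duration(2) + addr1/2/3(18) + seq(2)
THRESHOLD = 8                # more teardown frames than this per pair ...
WINDOW_SECONDS = 2.0         # ... inside this window is treated as a flood

AP = bytes.fromhex("926CACE54F50")     # BSSID from the post
PHONE = bytes.fromhex("10683F331FF3")  # station from the post
OTHER = bytes.fromhex("A4B1C2D3E4F5")  # constructed second client


def mac_str(raw):
    """Render 6 raw bytes as an upper-case colon-separated MAC address."""
    return ":".join(f"{b:02X}" for b in raw)


def parse_teardown(frame):
    """Return (bssid, client, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < MAC_HEADER_LEN + 2:    # need header plus 2-byte reason code
        return None
    fc0 = frame[0]
    if fc0 & 0x03 != 0:                    # bits 0-1: protocol version must be 0
        return None
    ftype = (fc0 >> 2) & 0x03              # bits 2-3: 0 = management frame
    subtype = (fc0 >> 4) & 0x0F            # bits 4-7: management subtype
    if ftype != 0 or subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
        return None
    addr1 = frame[4:10]     # receiver address
    addr2 = frame[10:16]    # transmitter address (the field an attacker spoofs)
    addr3 = frame[16:22]    # BSSID for management frames
    (reason,) = struct.unpack_from("<H", frame, MAC_HEADER_LEN)
    # The attack sends frames in both directions; the client is whichever
    # address is not the BSSID, so both directions land on the same pair.
    client = addr1 if addr2 == addr3 else addr2
    return mac_str(addr3), mac_str(client), reason


def detect_floods(frames, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of teardown frames per (BSSID, client) pair.

    Returns {(bssid, client): first_alert_timestamp}; each pair is reported once.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, frame in sorted(frames, key=lambda f: f[0]):
        parsed = parse_teardown(frame)
        if parsed is None:
            continue
        bssid, client, _reason = parsed
        key = (bssid, client)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:    # drop frames older than the window
            q.popleft()
        if len(q) > threshold and key not in alerts:
            alerts[key] = ts
    return alerts


def build_frame(subtype, addr1, addr2, addr3, reason=7, seq=0):
    """Build a minimal management frame with a reason code (constructed data)."""
    fc = bytes([(subtype << 4) & 0xF0, 0x00])   # type 0, given subtype, no flags
    duration = b"\x3a\x01"
    seq_ctrl = struct.pack("<H", seq << 4)      # fragment 0, sequence number
    return fc + duration + addr1 + addr2 + addr3 + seq_ctrl + struct.pack("<H", reason)


def sample_capture():
    """Constructed capture: one beacon, one legitimate deauth for OTHER, then a
    5-burst teardown against PHONE modelled on Step 4 (assumed 64 frames to the
    client and 64 to the AP per burst, reason code 7)."""
    frames = [(0.0, bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + AP + AP
               + b"\x00\x00" + bytes(12))]                 # beacon, ignored
    frames.append((0.5, build_frame(DEAUTH_SUBTYPE, OTHER, AP, AP, reason=3)))
    t = 1.0
    for _burst in range(5):
        for i in range(64):
            frames.append((t, build_frame(DEAUTH_SUBTYPE, PHONE, AP, AP, seq=i)))
            frames.append((t, build_frame(DEAUTH_SUBTYPE, AP, PHONE, AP, seq=i)))
            t += 0.001
        t += 0.2
    return frames


if __name__ == "__main__":
    for (bssid, client), ts in detect_floods(sample_capture()).items():
        print(f"deauth flood against {client} on BSSID {bssid} at t={ts:.3f}s")
```

In practice the frames would come from a pcap written by airodump-ng (its -w option) or by a wireless IDS, with the radiotap header stripped before parsing. Detection only tells you the attack happened; the fix on the AP side is 802.11w Protected Management Frames (ieee80211w=2 in hostapd), which adds an integrity check that spoofed deauth frames cannot pass, provided the client supports it as well.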
This post shows how simple it is to perform this attack on a targeted client connected to an SSID.