Linux Tip: (Wireless Deauthing)
I found a great way to have some fun with friends and family. Using Linux to kick an individual or everyone off of an access point. Fun times you say, well lets see.
Deauthing is you pretending to be the access point asking the client to re connect. You spoof a re authorization packet to the client which makes the client try to reconnect to the access point. However, because you are constantly sending these packets the client can't connect because they continuously need to re authenticate. This is also how people kick users to set up a man in the middle attack. When you kick the client the client will automatically find another known access point. If you provide that to then they will connect to it. However, we are not going to get in to man in the middle attacks today. Maybe another time. ;-)
First of all you are going to need a few things to make this work.
aircrack-ng (http://www.aircrack-ng.org/)
mdk3 (http://homepages.tu-darmstadt.de/~p_larbig/wlan/#mdk3)
You should be able to find these in your repos.
Your wireless card also needs to support injection and monitor mode.
Its possible to do this with just aircrack-ng but I prefer mdk3 for the actual deauthing.
First thing we need to do is see if your wireless card supports injection and monitor mode.
For the sake of this tip we will call your wireless device wlan0. If you need to know what yours is type this command.
ifconfig -a |
Now look for the wlanx that you want to use. Most people will only have one unless your like me and use two wireless cards.
First take your card down with this command
ifconfig wlan0 down |
For testing injection type this
aireplay-ng -9 wlan0 |
You should get something back that says "Injection is working!"
Now to test if your card support monitor mode.
We first need the physical name of the wireless card. For this run.
airmon-ng |
Identify your card on the list and look for the phy#
Once you have it run this but replace phy0 with yours.
iw phy phy0 info |grep -A8 modes |
Under supported interface modes it should have "monitor" listed.
So if everything’s cool lets move on. If not you may need newer drivers or a different wireless card. I recommend the Alfa USB WiFi AWUS036H.
Now we are ready to have some fun. You need to get some info about your access point to proceed. So at this point disconnect from your network and lets get to it.
Use this command to get info about your access point.
airodump-ng wlan0 |
This should start packet capturing all wireless traffic. Once you see yours hit Ctrl+C to cancel the capture.
Take note of your essid, mac address, and channel.
once you have it lets take a closer look at whos on line with the same command but a little different.
You have to make sure your wireless card is set to the same channel as your access point. Theirs a bug in aircrack-ng that will not do it for you. At least there was for me. for this step I will number the steps to make it easier to start over it it doesn't work.
Update: 5/18/2012
I found a way to avoid the channel -1 bug in aircrack. Just skip step 3 and don't use airmon-ng to put your card in monitor mode. This will stop the mon0 interface from being created but airodump-ng will put your card in monitor mode.
1.) Bring your network card back up with this command.
ifconfig wlan0 up |
2.) change your channel with iwconfig like this. My channel is 6. Make sure you use the channel you got earlier.
iwconfig wlan0 channel 6 |
3.)Now put your card in monitor mode with this command. Don't forget to put the channel number at the end.
airmon-ng start wlan0 6 |
4.)Bring your wireless card back down.
ifconfig wlan0 down |
5.) Now its time to find out who's on line. Run this command below.
airodump-ng -c 6 --bssid {mac address for access point} wlan0 |
-c is for the channel number
--bssid is for your mac address on your access point.
If you want to store the captured packets just add the -w option with the location you want to store the capture files. This would look like this
airodump-ng -c 6 --bssid {mac address for access point} -w {path and name of file} wlan0 |
Once airodump-ng starts running if you see something on the end of the top line that says something like stuck on channel -1 then you suffered from the same bug I did. To fix it hit Ctrl+C and run these two commands and then start over on step 1.
airmon-ng stop mon0 airmon-ng stop wlan0 |
If you don't see that error then your good.
Now kick back and watch the stations appear. Each system on the network will show up at the bottom as they use the wireless. You can cross reference the first three MAC segments xx:xx:xx on line to see the manufacturer until you find your pray. For me it was my daughters Kindle Fire.
Once you see the device you want to kick off the network write down the mac address and hit Ctrl+C to stop the packet capture.
Now finally for the moment of truth. Which family member do you have in your sites. Once you pick one run this command.
echo "xx:xx:xx:xx:xx:xx" > ./black.lst |
Replace the "xx" with the mac address of the victim.
This creates a list of mac addresses you want to kick. If you want to add more then one change the > to >>.
The final command.
mdk3 wlan0 d -n {essid} -b ./black.lst |
replace {essid} with the essid of the access point.
That's it. As long as the command runs they will be kicked off line. Unless they spoof there mac address or use another access point. This also works well for neighbors that your wife gives the pass-phrase out to.
You can take this a step further and kick everyone off the access point with this command.
mdk3 wlan0 d -n {essid} |
By just leaving out the black list you will kick off everyone on that access point.
To stop the attack just hit Ctrl+C to kill the command and everyone will be able to connect again.
Have fun and remember its cool to play with your own equipment but don't cause trouble for other people. That's not nice. ;-)
Share