قالب وردپرس درنا توس
Home / Tips and Tricks / How to Detect and Classify Wi-Fi Jamming Packages with NodeMCU's Null Byte :: WonderHowTo

How to Detect and Classify Wi-Fi Jamming Packages with NodeMCU's Null Byte :: WonderHowTo



Most common Wi-Fi jamming attacks use Deauthentication and Dissociation Packets to attack networks. This enables a cost-effective ESP8266-based device programmed in Arduino to detect and classify Wi-Fi denial-of-service attacks by turning on a different color LED for each type of packet. The pattern of these colors also allows us to query the tool used to attack the network.

Types of Jamming Attacks

Jammer used in electronic warfare usually require devices that overload the signal of the target with radio energy it is impossible to distinguish between the signal and the noise coming into the channel the target used for communication; This type of jamming is popular because it works, but it also requires special equipment that is banned or heavily regulated in most countries.

Another type of jamming attempts to send messages that separate the target from the network to which they are connected instead of drowning the signal of a target by trying to overwhelm it. You may think that this kind of attack only works if you are connected to the network, but here WPA has a fatal error. Because so-called management frames are not encrypted, it is possible to send malicious messages from outside the network that can cause people within the network to be unable to connect.

Deauthentication Packages

The most common type of attack done is with Deauthentication Packets. This is a kind of "management" framework responsible for disconnecting a device from an access point. Faking these packages is the key to hacking on many Wi-Fi networks because you can forcibly separate any client from the client at any time. The ease with which this can be done is a bit scary and is often done as part of a WPA handshake for cracking.

In addition to using this interruption to force a handshake, you can also let those deauths come in. This has the effect of seemingly infecting the client with deauth packets from the network it's connected to , Because these frames are not encrypted, many programs use management frames by forging them and sending them to one or all devices on a network

Dissasciation Packets

Dissociation packages are another type of management framework used to create a node (ie any device such as a laptop or mobile) from a nearby access point. The difference between Deauthentication and Dissociation frames is mainly that an AP attempting to disconnect a rogue device sends a Deauthentication Packet to inform the device that it has been disconnected from the network, whereas a Dissociation Packet is used to node Shut Down, Restart, or Leave Area

Shared Wi-Fi Denial Tools

There are many tools for attacking Wi-Fi networks, and many of them automate only simpler tools like Aireplay-ng and MDK3. We covered both the use and the detection of both tools. However, this example sets some design goals for detecting attacks on a network. To do this, we need to understand how each and every job effectively interferes with a Wi-Fi network.

Aireplay-ng is often used to temporarily disconnect clients to receive a WLAN handshake. Fake Deauthentication Packages are used on any network or client that the user specifies either with a specified number of Deauthentication Packets or a continuous data stream. It is also used in frameworks such as Airgeddon, which automatically feed the results of scans into Aireplay to actively attack real-time detected networks in an area.

MDK3 uses a mix of Disassociation and Deauthentication packages that are initially slower than an Aireplay-ng attack. This attack is also used in frameworks like Airgeddon and can be distinguished by the alternating pattern of deauthentication and dissociation packages.

Optimizing the Deauth Detector

To design a detector, I was looking for a script for the NodeMCU as the basis for our design. I found Spacewood's DeauthDetector, a sketch in Arduino for ESP8266 devices like the NodeMCU, which turns on an LED when a certain number of Deauthentication or Dissociation packets are detected. This is another of Spacehuhn's excellent design, and you should check his website to see more of his ESP8266-based projects.

In the DeauthDetector code, I found exactly what it took to show an LED the nature of the attack in progress, rather than just turning on a light when there was an attack.

  if (buf [12] == 0xA0 || buf [12] == 0xC0) {

This line might look similar If you followed our guide to use Wireshark to do the same. This is because the Capture filter we used to find Deauthentication and Disassociation packages looks at the same elements, so we can divide that code looking for them into two different sections: one for managing a variable that tracks every type of package and a corresponding LED to alert the user

What you need

To create this detector, you need a NodeMCU or ESP8266-based device. You will also need a computer with Arduino IDE to program it, and either a tri-color (RGB), four-pin LED or at least two LEDs to indicate when a package of each type is detected. You'll need a breadboard to wire everything together, and it's recommended to use a resistor or potentiometer to avoid blowing your LED.

Here's a list of what I've used:

Step 1: Download & Configure Arduino IDE

The free, cross-platform Arduino IDE allows us to quickly prototype what we need , Arduino IDE (the IDE stands for "integrated development environment") enables fast writing and uploading of scripts to Arduino-like microcontroller devices.

You can download the Arduino IDE from the official website. Once it's installed, you need to click on the "Arduino" drop-down menu, then select "Settings." Next, paste the following URL into the Additional Board Manager URLs field. Click OK to continue.

  http://arduino.esp8266.com/stable/package_esp8266com_index.json 

Next, add the NodeMCU to the Boards Manager . To do this, you need to click on "Tools" and then hover over the "Board" area to see the drop-down list of supported boards. Click on "Boards Manager" above to open the window for adding additional boards.

When the Boards Manager window opens, type "esp8266" in the search bar. Select "esp8266" from "ESP8266 Community" and install it to add support for the NodeMCU to your Arduino IDE.

Once this is done, you should be ready to program your NodeMCU. Plug your NodeMCU into your breadboard and your NodeMCU into the computer. If you click on "Tools", you should see the correct port automatically selected. Select "NodeMCU 1.0."

If you use a faulty cable, the port may not be displayed, so if you see nothing After trying the other steps, try first another cable.

Step 2: Download the DeauthDetector

After setting up our IDE, we can download SpaceHahn's DeauthDetector to change the code. You can download the original version here if you want to join in the discussion, but I will use my forked version below for our example.

In a terminal window, type the following to download the modified DeauthDetector: Browse to its directory and list the contents.

  git clone https://github.com/skickar/DeauthDetector.git
CD DeauthDetector
ls 

Once you are in the new folder containing the downloaded files, you will see an INO drawing file and two libraries needed for the project. Open the INO file in the Arduino IDE and then click on "Sketch" at the top of the menu. Select "Add File" to select the two libraries we downloaded along with the INO file. Make sure you add mac.cpp and mac.h or that our code fails.

Once we have added the library, we can send the code to our NodeMCU, but let's take a look at the code and see how he works.

Step 3: Change the Deauth Detector Code

First and most obviously, we have our main settings. There is a collection of definitions that determine how the code works. Here we can define whether we want to channel the channel or not, or just stay on one channel by setting the channelHopping setting to true.

Depending on where we are, we can define the highest channel to scan channel hopping (Japan is 14, while the US only goes to 11) and the number of packets detected per minute, over which we will decide an attack. As we optimize the detector, this will not be so important.

  // ===== SETTINGS ===== //
#define channel 1 // the channel to scan to (1-14)
#define channelHoping true // Search on all channels
#define maxChannel 13 // US = 11, EU = 13, Japan = 14
#define ledPin 2 // LED pin (2 = built-in LED)
#define inverted false // invert HIGH / LOW for the LED
#define packetRate 3 // min. Packages before it is detected as an attack 

Next, we have a bunch of variables that track things in the script. I've added two variables to track deauthentication and disassociation packages, creatively called "dissoc" and "deauth."

  #define scanTime 500 // Scan time per channel in ms

// mac of;
// Mac too;
unsigned lang c = 0;
unsigned long deauth = 0;
unsigned long dissociation = 0;
not signed long prevTime = 0;
unsigned long curTime = 0;
int curChannel = channel; 

Next we have a sniffer function and an "if" statement that adds to the "c" counter, which counts how many deauthentication or dissociation packets we have received. I have commented on this because we will track them individually.

  void sniffer (uint8_t * buf, uint16_t len) {

/ * if (buf [12] == 0xA0 || buf [12] == 0xC0) {

C ++;
}
* / 

Instead, we'll insert two "if" statements that will be added to a cooldown timer. Whenever we detect dissociation packages, we turn on an LED by setting the cooldown timer to 500 and then subtracting one from the timer each time we scan a packet that is not a dissociation package. This means that during a running attack, the light stays on and off as soon as the attack stops and normal traffic resumes. The same logic applies to deauthentication packages that we track in the second "if" statement.

  if (buf [12] == 0xA0) {
dissociated = 500;
}
if (buf [12] == 0xC0) {
deauth = 500;
} 

Now we decide what happens if the package does not match, which means that it's a normal Wi-Fi package, not what we're looking for. To handle this, we use an "else" clause that says that if the deauth or dissoc decay timer is equal to or greater than one, one is subtracted from the timer. Otherwise, if the timer is already zero, do nothing.

  else {
if (deauth> = 1) {
deauth--;}
if (dissoz> = 1) {
Dissociation--;}
} 

In our setup loop, we set up our pins for the output mode and Spacehuhn's sniffer functions are working to look for packages. We state that we want to turn pins D5, D6, and D7 on with the pinMode (pin, mode) function, in which case we turn on the pins for the output mode. With this code we can control the LEDs from these pins.

  void setup () {
Start of series (115200);

wifi_set_opmode (STATION_MODE);
wifi_promiscuous_enable (0);
WiFi.disconnect ();
wifi_set_promiscuous_rx_cb (sniffer);
wifi_set_channel (curChannel);
wifi_promiscuous_enable (1);

pinMode (D5, OUTPUT);
pinMode (D6, OUTPUT);
pinMode (D7, OUTPUT);
} 

Now we have our main loop, the part of the code that keeps executing. In this section of the code, we define the time and define the logic that actually turns the LEDs on.

  void loop () {
curTime = millis ();

if (curTime - prevTime> = scanTime) {
prevTime = curTime; 

In this section, we determine what happens, depending on the value of our cooldown timer, which starts at zero but is set to 500 for each deauthentication or dissociation package. Each is tracked separately and each time subtracted each time a normal packet is detected, if the cooldown timer is not already zero. Here we simply say that if the cooldown timer is one or more, the LED is turned on by turning the corresponding pin to high. Also included is the logic to invert the LED, which you can set correctly or incorrectly at the beginning.

  if (deauth> = 1) {
if (inverted) digitalWrite (D5, LOW);
otherwise digitalWrite (D5, HIGH);}
otherwise{
if (inverted) digitalWrite (D5, HIGH);
otherwise digitalWrite (D5, LOW);
}
if (dissoz> = 1) {
if (inverted) digitalWrite (D7, LOW);
otherwise digitalWrite (D7, HIGH);
}
otherwise{
if (inverted) digitalWrite (D7, HIGH);
otherwise digitalWrite (D7, LOW);
} 

Finally, we say that if the value of the cooldown timer is "else" (less than one in this case), the LED turns off. This is the last of our modifications and the last part of the code controls the channel jump and sets the NodeMCU to the next channel, assuming that the channel jump is enabled.

  if (channelHopping) {
curChannel ++;
if (curChannel> maxChannel) curChannel = 1;
wifi_set_channel (curChannel);
}
}

} 

The final code should look like this:

  #include 
#include "Mac.h"

external "C" {
#include "user_interface.h"
}

// ===== SETTINGS ===== //
#define channel 1 // the channel to scan to (1-14)
#define channelHoping true // Search on all channels
#define maxChannel 13 // US = 11, EU = 13, Japan = 14
#define ledPin 2 // LED pin (2 = built-in LED)
#define inverted false // invert HIGH / LOW for the LED
#define packetRate 3 // min. Packets before it is detected as an attack

#define scanTime 500 // Scan time per channel in ms

unsigned long deauth = 0;
unsigned long dissociation = 0;
not signed long prevTime = 0;
unsigned long curTime = 0;
int curChannel = channel;

Void sniffers (uint8_t * buf, uint16_t len) {

if (buf [12] == 0xA0) {

dissociated = 500;
}
if (buf [12] == 0xC0) {

deauth = 500;
}
otherwise{
if (deauth> = 1) {
deauth--;}
if (dissoz> = 1) {
Dissociation--;}
}

//}
}

void setup () {
Start of series (115200);

wifi_set_opmode (STATION_MODE);
wifi_promiscuous_enable (0);
WiFi.disconnect ();
wifi_set_promiscuous_rx_cb (sniffer);
wifi_set_channel (curChannel);
wifi_promiscuous_enable (1);

pinMode (D5, OUTPUT);
pinMode (D6, OUTPUT);
pinMode (D7, OUTPUT);

Serial.println ("starting!");

}

Empty loop () {
curTime = millis ();

if (curTime - prevTime> = scanTime) {
prevTime = curTime;
Serial.println ((string) c);

if (deauth> = 1) {
if (inverted) digitalWrite (D5, LOW);
otherwise digitalWrite (D5, HIGH);}
otherwise{
if (inverted) digitalWrite (D5, HIGH);
otherwise digitalWrite (D5, LOW);
}
if (dissoz> = 1) {
if (inverted) digitalWrite (D7, LOW);
otherwise digitalWrite (D7, HIGH);
}
otherwise{
if (inverted) digitalWrite (D7, HIGH);
otherwise digitalWrite (D7, LOW);
}
if (channelHopping) {
curChannel ++;
if (curChannel> maxChannel) curChannel = 1;
wifi_set_channel (curChannel);
}
}

} 

When the changes are complete (or when you're done, as we already did in our example), you can press the arrow in the upper-left corner of the Arduino IDE to send your code to the NodeMCU.

Step 4: Wiring and Testing the Modified DeauthDetector

After you send the code to the NodeMCU, you can wire your four-pin, three-color RGB LED in one of two ways. The most direct way is to put it next to pins D5, D6, D7 and ground on the mini breadboard. This works well and will probably not blow the LED, but to be sure, you can use some resistance in your design.

To pick up a resistor, place it between the ground pin and the grounding pin you use at the NodeMCU.

Once this is wired, you should be ready to go!

Follow our instructions on using MDK3 and Airplay-ng to shoot down some enemy packets against a network for which you have permission lit in response. Also, look for patterns in the colors shown, as they directly reflect the behavior of the program being used.

You can review our guide to launching Wi-Fi Denial of Service attacks below. Be warned, these attacks are very illegal against networks that you are not allowed to test, so make sure you have permission before.

Handheld Wi-Fi Jamming Detector

This tool is a great way to visualize Wi-Fi attacks and allows anyone to see if there is an attack and what kind of Wi-Fi packages with a minimum involved in work. Instead of Wireshark running to see what is going on around you, this simple project shows if an attack is underway and, if so, what type of attack is being used.

I hope you liked this guide to discovering and classifying Wi -Fi jamming attacks with the NodeMCU. If you have questions about this Wi-Fi Attack Detection tutorial or have a comment, you can reach me on Twitter @KodyKinzie .

Do not miss: More Zero Bytes Instructions on Hacking Wi-Fi

Cover Picture and Screenshots of Kody / Null Byte




Source link