
How to Detect Script Kiddie Wi-Fi Jamming with Wireshark (Null Byte :: WonderHowTo)



Because of weaknesses in how Wi-Fi works, most Wi-Fi networks can be knocked offline very easily with tools that spoof deauthentication packets. The ease with which these common tools can jam a network is matched only by how easy they are to spot for anyone who is watching for them. In this guide we will use Wireshark to detect an ongoing Wi-Fi attack and work out which tool the attacker is using.

How Script Kiddies Kill Networks

Most of these denial-of-service (DoS) attacks are simple and leverage well-documented flaws in the way 802.11 networks, WPA2-protected ones included, manage connections. Because the management frames that devices use to control these connections are sent unencrypted and unauthenticated, an attacker can easily forge them after sniffing the wireless channels nearby. The tools for this are free, widely distributed and well documented online, which makes them perfect for script kiddies.

The most common tools, such as Aireplay-ng and MDK3, work by flooding a target with deauthentication or disassociation frames, both of which are legitimate-looking management frames that tear down a connection. All this takes is a wireless adapter that can be put into monitor mode, and a single command can clear out an entire channel, taking down every network on it for a block around, with no special equipment.

Detecting Wi-Fi DoS Attacks

While these script kiddie attacks can be very annoying, they can also be discovered with a variety of free and open-source tools. Software like Wireshark can be overwhelming for a beginner, especially without knowing what to look for in the flood of information. To detect these attacks, we will use Wireshark to sniff the packets in the air around us and filter for the types of frames we are interested in.

Other detection tools can also identify these attacks as they happen. Kismet raises a warning for them in its Warnings section, alongside alerts for other common attacks. While Kismet does not show as much detail as Wireshark, it is a great way to get an overview of all the attacks going on around you.

Using Wireshark for Packet Sniffing

In this example, we use Wireshark to detect Wi-Fi jamming attacks from nearby script kiddies. Wireshark can quickly become overwhelming with the amount of information it displays, so we need to filter it to make it useful. As you can see in the screenshot below, a normally functioning Wi-Fi channel, even with some coloring rules applied, has a tremendous amount of traffic flying around. To make sense of it, we have to organize and filter it.


Wireshark does not control your wireless adapter while capturing, so you have to use another program to tune it to a channel (or hop across channels). Once the card is tuned to the channel of the network you want to watch, Wireshark displays every packet it hears on that channel, including packets from other access points (APs) operating on the same channel. To sort through them, we use some custom options in Wireshark.

Wireshark Custom Options

Wireshark gives us several ways to narrow things down to what we consider relevant. The first is a capture filter, which simply discards packets that are not relevant to what we are looking for. These may be packets from another AP or just data packets we have no need to store. Dropping these packets before they are ever saved keeps the capture file small and avoids displaying distracting, irrelevant information.

The next way to organize the information is to tag interesting packets with coloring rules. This makes packets that match rules we have marked as important stand out. It also lets us see at a glance the difference between a program that sends only deauthentication frames and one that sends a mix of deauthentication and disassociation frames, as MDK3 does.

The last way to organize our view in Wireshark is the display filter. With it we choose which packets from our capture are shown and which are hidden. This lets us be even more specific in our search while still keeping every packet in the capture file, available for later analysis.

What you need

Wireshark is a fantastic program because it is so well supported. It is available for Windows, macOS and Linux and can dissect a huge variety of protocols. While we will use Wireshark to sniff Wi-Fi packets, it can also be used to sniff Bluetooth and Ethernet traffic.

I will do this project in Kali Linux, which is recommended because it makes it very easy to change the channel your card is listening on with a tool like Airodump-ng. You can run Kali in a virtual machine or from a bootable USB flash drive, but Kali is not required for this project.

You can detect attacks on your own Wi-Fi network without putting your card in monitor mode, but you will see far more packets with a card that supports it. Many wireless cards work with Wireshark, so test your internal card before buying a separate adapter for this project. If your card does not support monitor mode, consult our list of compatible adapters.

To download Wireshark, go to the official website and grab an installer from the download page. Follow the instructions to install it, and once the installation is complete we can begin our first Wireshark capture.

Step 1: Prepare Your Network Card

First, we need to put our wireless card into monitor mode and tune it to the channel we want to watch. On Kali Linux, we can do this with the following commands after finding the name of our wireless interface with ifconfig or ip a. Note that airmon-ng creates a new monitor interface (typically the original name with "mon" appended, such as wlan0mon), and it is that monitor interface that you pass to airodump-ng.

  airmon-ng start NameOfYourWirelessCard
  airodump-ng NameOfMonitorInterface

If you are not sure which channel to use, Airodump-ng hops the card between channels to scan everything. The downside is that you only ever see fragments of each conversation, because the card spends just a fraction of its time on any one channel. For best results, lock the card to the channel of the network you want to test.

Airodump-ng lists every network it sees. Once you find a network you are interested in, press Ctrl-C to stop the command and run the previous airodump-ng command again with -c ItsChannelNumber added, which locks the card to that channel.

Once this is done, our card is on the right channel and listening in monitor mode. With that in place, we can open Wireshark and apply capture filters to our investigation.

Step 2: Set a Capture Filter in Wireshark

When you open Wireshark, you will see the start screen below. First, select the adapter you want to capture from; in our example we use en0, but on Kali it will be the monitor interface created by airmon-ng, such as wlan0mon. Above the interface list there is a field labeled "Capture" where we can enter a capture filter.

We want to build a capture filter that discards packets that are neither relevant nor interesting to us. To keep only the packets we care about, we can use the following capture filter:

  wlan type data or (wlan type mgt and (subtype deauth or subtype disassoc))

This keeps only WLAN frames that are either data frames or management frames, and of the management frames only deauthentication and disassociation frames. Capture filters use pcap's BPF syntax, where keywords are lowercase and "and" binds more tightly than "or", so the parentheses make the intended grouping explicit. You can experiment with this syntax to develop your own filters, and if you want to see more filters you can use, click the bookmark icon at the left of the capture filter field to see other commonly used ones.

Step 3: Color-Code the Packets We Are Looking For

Since we are looking for two types of packets, we can set two coloring rules so they stand out the moment they appear. Without them it is hard to tell at a glance what is happening as packets are added to the list at speed. To add the rules, click "View" in the menu bar and choose "Coloring Rules" from the drop-down list.

This opens the list of coloring rules; add a new one by clicking the plus sign (+) button at the bottom left. Each line takes a name for the rule and a display filter.

To change the colors, click the Foreground or Background buttons to pick a color. I made mine orange to mark the packets we are looking for.

The rules we use are green for data frames, orange for deauthentication frames, and yellow for disassociation frames. We set them up with the following names and filters:

  Data flow - data
  Deauth: Aireplay-ng or MDK3 - wlan.fc.type_subtype == 0x00c
  Disassoc: MDK3 - wlan.fc.type_subtype == 0x00a

This lets the coloring tell apart the packets you are looking for according to the tool that produces them: 0x00c is the deauthentication subtype and 0x00a the disassociation subtype in the 802.11 frame control field.

Make sure the checkboxes next to the new coloring rules are ticked, then click "OK" to save the changes.

Back in the main window, enter the following display filter in the filter bar at the top. You will notice it uses a completely different syntax from the capture filter. Here we pick out the frames by their 802.11 subtype and also let data frames through, so we can see whether data traffic is being choked off.

  data || wlan.fc.type_subtype == 0x00c || wlan.fc.type_subtype == 0x00a

After entering this filter, press Enter to apply it to everything we have captured.

Step 4: Identify Classic Script-Kiddie Tools

Now it is time for a test. Using Aireplay-ng and MDK3 from our earlier tutorials, target your own Wi-Fi network (or one you have permission to test) and record the results. You should notice two distinct attack patterns, and as a defender you can use what Wireshark shows you to determine which program is running.

  • Aireplay-ng: With Aireplay-ng you should see nothing but orange deauthentication frames; deauthentication is the only option Aireplay-ng offers, and you can set the number of packets sent in your attack and compare it with how many you receive in Wireshark.
  • MDK3: A pattern of alternating orange and yellow stripes gives MDK3 away, as it peppers targets with deauthentication and disassociation frames together. Turning MDK3 on a target chokes off the green data frames once bursts of orange and yellow packets have flooded the channel.

While floods of these frames are strong signs of an ongoing attack, they do turn up occasionally on networks under normal circumstances, especially on corporate networks where controllers deliberately disconnect clients to move them between access points. A few individual disassociation frames or the occasional deauthentication is not necessarily cause for concern; it is the rate and volume that give an attack away.
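The coloring rules from Step 3 and the by-eye classification in Step 4 can be turned into a small automated check. The script below is an added example and is not code from the original article or from Wireshark: it reads a classic pcap saved from a monitor-mode capture (link type 105, or 127 with a radiotap header), applies the same test as the display filter wlan.fc.type_subtype == 0x00c / 0x00a, counts deauthentication and disassociation frames per claimed transmitter in a sliding one-second window, and labels a deauth-only burst as the Aireplay-ng pattern and a mixed deauth-plus-disassoc burst as the MDK3 pattern. The flood threshold, the window length, the MAC addresses and the sample capture built at the bottom are all assumptions of this example, not figures from the article; isolated frames below the threshold are reported as probably benign, in line with the caveat above.

```python
"""Added example, not code from the original article or from Wireshark: flags
deauth/disassoc floods in a classic pcap (link type 105, or 127 with radiotap)
using the same test as the article's display filter, and labels the pattern.
Thresholds, addresses and the sample capture at the bottom are assumptions."""
import struct
from collections import defaultdict

TYPE_MGT, TYPE_DATA = 0, 2                      # 802.11 frame-control type field
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x0a, 0x0c   # the 0x00a / 0x00c of the display filter
LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP = 105, 127
FLOOD_THRESHOLD, WINDOW = 20, 1.0               # assumed: frames per window that count as a flood
VERDICT_AIREPLAY = "flood: deauth only (Aireplay-ng style)"
VERDICT_MDK3 = "flood: deauth + disassoc (MDK3 style)"
VERDICT_BENIGN = "isolated frames (probably benign)"

def parse_frame(frame):
    """(type, subtype, addr2) from a raw 802.11 header, or None if too short. addr2 is the
    transmitter as written in the frame; jammers forge it, so it names the impersonated AP/client."""
    if len(frame) < 16:
        return None
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF, frame[10:16].hex(":")

def iter_pcap(data):
    """Yield (timestamp, 802.11 frame) from classic pcap bytes, stripping any radiotap header."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype not in (LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP):
        raise ValueError(f"link type {linktype}: capture in monitor mode to get 802.11 frames")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == LINKTYPE_RADIOTAP and len(pkt) >= 4:
            rt_len, = struct.unpack_from("<H", pkt, 2)   # radiotap length is always little-endian
            pkt = pkt[rt_len:]
        yield sec + usec / 1e6, pkt

def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best

def analyze(data, threshold=FLOOD_THRESHOLD, window=WINDOW):
    """Per claimed transmitter: deauth/disassoc counts, peak burst size and a verdict."""
    hits, data_frames = defaultdict(lambda: {"deauth": [], "disassoc": []}), 0
    for ts, frame in iter_pcap(data):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        ftype, subtype, ta = parsed
        if ftype == TYPE_DATA:                              # the "data" term of the filter
            data_frames += 1
        elif ftype == TYPE_MGT and subtype == SUBTYPE_DEAUTH:
            hits[ta]["deauth"].append(ts)
        elif ftype == TYPE_MGT and subtype == SUBTYPE_DISASSOC:
            hits[ta]["disassoc"].append(ts)
    report = {"data_frames": data_frames, "transmitters": {}}
    for ta, h in hits.items():
        peak = peak_in_window(h["deauth"] + h["disassoc"], window)
        # A stray deauth or disassoc is normal; a burst above the threshold is not.
        verdict = VERDICT_BENIGN if peak < threshold else (VERDICT_MDK3 if h["disassoc"] else VERDICT_AIREPLAY)
        report["transmitters"][ta] = {"deauth": len(h["deauth"]), "disassoc": len(h["disassoc"]),
                                      "peak": peak, "verdict": verdict}
    return report

# --- constructed sample capture (assumed addresses, not a real recording) ---
def mgmt_frame(subtype, addr1, addr2, bssid, reason=7):
    """Minimal deauth/disassoc frame: FC, duration, addr1-3, sequence control, reason code."""
    fc = bytes([(subtype << 4) | (TYPE_MGT << 2), 0])
    return fc + b"\x3a\x01" + addr1 + addr2 + bssid + b"\x00\x00" + struct.pack("<H", reason)

def data_frame(addr1, addr2, bssid):
    """Minimal data frame with a dummy payload, as an encrypted frame would look."""
    return bytes([TYPE_DATA << 2, 0]) + b"\x00\x00" + addr1 + addr2 + bssid + b"\x00" * 18

def build_pcap(records, linktype=LINKTYPE_IEEE802_11):
    """Wrap (timestamp, frame) pairs in a little-endian classic pcap file image."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts, frame in records:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame)
    return b"".join(out)

AP1, AP2, AP3 = (bytes.fromhex("aabbccddee0%d" % i) for i in (1, 2, 3))
CLIENT, BCAST = bytes.fromhex("001122334455"), b"\xff" * 6
records = [(1000.0 + i * 0.1, data_frame(CLIENT, AP1, AP1)) for i in range(10)]              # normal traffic
records.append((1002.0, mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP2, AP2)))                       # one benign deauth
records += [(1003.0 + i * 0.01, mgmt_frame(SUBTYPE_DEAUTH, BCAST, AP1, AP1)) for i in range(40)]  # Aireplay-ng style
records += [(1005.0 + i * 0.01, mgmt_frame(SUBTYPE_DEAUTH if i % 2 else SUBTYPE_DISASSOC,
                                           BCAST, AP3, AP3)) for i in range(40)]             # MDK3 style
SAMPLE_PCAP = build_pcap(records)
```

Calling analyze(SAMPLE_PCAP) reports aa:bb:cc:dd:ee:01 as a deauth-only flood, aa:bb:cc:dd:ee:03 as a deauth-plus-disassoc flood and aa:bb:cc:dd:ee:02 as a single, probably benign frame. To run it against a real capture, replace SAMPLE_PCAP with the bytes of a file saved from Wireshark in classic pcap format rather than pcapng. Because jamming tools forge the transmitter address, the MAC that is reported is the AP or client being impersonated, which is exactly the address you would then drop into a Step 5 display filter to isolate the attack; it is not the attacker's own card.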

Step 5: Set Custom Filters

Filters are clearly useful for refining a search further, but rather than learning every allowed expression by hand, Wireshark has a handy way to turn almost anything into a display filter. Click on a packet from a network that interests you, and we will use the information it contains to build a new display filter that shows only packets from that device.

Click the arrows in the packet details pane at the bottom to expand the packet's fields. If you want to filter for anything shown there (or filter it out), right-click it and choose "Apply as Filter", then "Selected" (or "Not Selected").

The same right-click menu also lets you create a coloring rule from a field.

Now you can specify that you only want to see transmissions to or from a specific MAC address. This is helpful for cutting out other devices that match your display filter but are still not relevant. To add a condition to your filter, type || after the last term and add the new one. This means "or", so you can keep adding conditions that should match the filter.

For more complex filters, combine conditions with && to make the following condition a requirement as well, or replace == with != ("not equal") to exclude anything matching an unwanted value.

While It's Easy to Jam a Network, It's Also Easy to Spot

Wireshark and similar tools make it quick to get to the bottom of suspicious outages. Because the tools for detecting and locating jamming are free and available to everyone, anyone using MDK3 or Aireplay-ng is telling the network administrator exactly what they are doing, right down to which program they are running. That level of detail is extremely useful to defenders, who can use it to build tools that automatically respond to an attack. Attackers, for their part, should think about how many alarm bells this kind of activity sets off.

The weakness in current Wi-Fi around unprotected management frames is largely fixed in the upcoming WPA3 standard, but current users do not have to wait to protect themselves from these script kiddie jamming attacks. Protected management frames (PMF), defined in the 802.11w amendment, have been available for some time, but on most devices they are disabled by default. If you want protection against these attacks, check whether your router's firmware lets you require protected management frames, bearing in mind that every client on the network must then support them too.

I hope you liked this guide to detecting Wi-Fi jamming programs like MDK3 and Aireplay-ng with Wireshark! If you have questions about this tutorial on Wireshark or have a comment, do not hesitate to contact me on Twitter @KodyKinzie .


Cover image and screenshots by Kody / Null Byte



