Due to weaknesses in how Wi-Fi works, most Wi-Fi networks can be knocked offline very easily with tools that spoof deauthentication packets. The ease with which these common tools can jam networks is matched only by how easy they are to spot by anyone who is watching for them. We will use Wireshark to detect an ongoing Wi-Fi attack and determine which tool the attacker is using.
How Script Kiddies Kill Networks
Most Wi-Fi denial-of-service (DoS) attacks are fairly simple and leverage well-documented flaws in the way WPA networks manage connections. Because the management frames that devices use to control these connections are unencrypted, an attacker can easily forge them after snooping on the wireless channels nearby. The tools for this are free, widely distributed and well documented on the internet, which makes them perfect for script kiddies.
The most common tools, such as Aireplay-ng or MDK3, do this by flooding a target with deauthentication or disassociation frames, both of which look like normal packets but disrupt the network. This only requires a wireless network adapter that can be put into monitor mode, and a single command can take down an entire channel, with many networks operating up to a block away, without any special equipment.
While these script kiddie attacks can be very annoying, they can also be discovered with a variety of free and open-source tools. Software like Wireshark can be quite overwhelming for a beginner, especially without knowing what to look for in the flood of information. To detect these attacks, we use Wireshark to sniff the packets in the environment and filter for the types of packets we are interested in.
Other detection tools can also identify these ongoing attacks. Kismet raises a warning for such attacks in its Warnings section, alongside alerts for other common types of attack. While Kismet does not provide as much detail as Wireshark, it is also a great way to visualize all the attacks in your area.
Using Wireshark for Packet Sniffing
In this example, we use Wireshark to detect Wi-Fi jamming attacks from nearby script kiddies. Wireshark can quickly become overwhelming with the amount of information it displays, so we need to filter it to make it useful. As you can see below, a normally functioning Wi-Fi channel, even with some coloring rules applied, has a tremendous amount of information flying around. To make sense of it, we have to organize and filter it.
While capturing, Wireshark does not control your wireless network adapter, so you have to use another program to tune the card to a channel (or hop across channels). Once you have tuned to the channel of the network to be monitored, Wireshark displays every packet detected on that channel, including those from other access points (APs) operating on the same channel. To sort through them, we use some of Wireshark's own filtering options.
Wireshark provides a number of ways to filter down to what we consider relevant. The first is to simply drop packets that are not relevant to what we are looking for. These may be packets from another AP, or just data packets that we have no need to store. Not saving these packets in the first place reduces the size of your capture file and avoids displaying distracting, irrelevant information.
The next way to organize information is to tag interesting packets with coloring rules. This makes packets that match specific rules we identify as important more visible. We can also immediately see the difference between someone using a tool that sends only deauthentication packets and one that sends a mix of deauthentication and disassociation packets, as MDK3 does.
The last way to organize our view in Wireshark is display filters. With these we can choose which packets from our capture are shown and which are hidden. This lets us be even more specific in our search while making sure the packets remain in the capture file and available for analysis.
Wireshark is a fantastic program because it is so well supported. It is available for Windows, macOS and Linux and can sniff a variety of packet types. While we will use Wireshark to sniff Wi-Fi packets, it can also be used to sniff Bluetooth and Ethernet packets.
I will do this project in Kali Linux, which is recommended because it makes it very easy to change the channel your card is scanning with a tool like Airodump-ng. You can run Kali in a virtual machine or from a bootable USB flash drive, but it is not necessary to use Kali for this project.
You can detect attacks on your Wi-Fi network without putting your card in monitor mode, but you will see many more packets if you use a card that supports it. Many wireless cards are supported by Wireshark, so you should test your internal card before buying a separate adapter for this project. If your card does not support monitor mode, you can consult our list of adapters:
To download Wireshark, navigate to the official website and get the installer from the download page. Follow the instructions to install Wireshark, and once the installation is complete we can begin our first Wireshark capture.
Step 1: Prepare Your Network Card
First, we need to set our wireless card to the channel we want to monitor. On Kali Linux, we can do this with the following commands, after finding the name of our network interface with ifconfig or ip a (airmon-ng reports the name of the monitor-mode interface it creates, and that is the name to pass to airodump-ng).
airmon-ng start NameOfYourWirelessCard
airodump-ng NameOfNetworkAdapter
If you are not sure which channel to use, Airodump-ng hops the card between channels to scan everything. This has the disadvantage that many packets are "lost" as the card hops between the channels of different networks. For best results, set the channel to that of the network you want to test.
Airodump-ng displays all the networks it sees. If you find a network you are interested in and want to tune to its channel, press Ctrl-C to terminate the command, then rerun the previous airodump-ng command with -c ItsChannelNumber appended to lock the card on the desired channel.
Once this is done, our card is on the right channel and capturing in wireless monitor mode. With that in place, we can open Wireshark and apply capture filters to our investigation.
When you open Wireshark for the first time, you will see the menu below. First, select the adapter you want to use for the capture; in our example we use en0. Next, you'll see a field labeled "Capture" where we can enter capture filters.
We want to build some capture filters to ensure we drop packets that are not relevant or interesting to us. To keep only the packets that matter to us, we can specify the following capture filter:
wlan type data or (wlan type mgt and (subtype deauth or subtype disassoc))
This says that the only packets kept are data frames, plus management frames that are either deauthentication or disassociation frames. Capture filter keywords are lowercase, and the outer parentheses make the grouping explicit: in this syntax and does not take priority over or, so without them the filter would keep only the deauthentication and disassociation frames. You can experiment with this syntax to develop your own filters. To see more filters you can use, click the green icon next to the capture filter field for other commonly used filters.
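As an added example (not code from the original article), here is a small Python script that does in code what the capture filter and the coloring rules above do in Wireshark: it decodes the 802.11 frame-control byte, keeps the same frames the capture filter keeps, and counts deauthentication and disassociation frames per transmitting address so that a deauth-only flood can be told apart from the deauth-plus-disassoc mix described for MDK3. The frames, MAC addresses and the threshold of 20 frames are constructed for the demonstration.

```python
import struct
from collections import defaultdict
# 802.11 frame control, byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
TYPE_MGT, TYPE_DATA = 0, 2
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x08, 0x0A, 0x0C  # Wireshark: wlan.fc.type_subtype == 0x0a / 0x0c
REASON_CODE = struct.pack("<H", 7)  # deauth/disassoc body is a 2-byte reason code; 7 = class 3 frame from non-associated STA

def build_frame(ftype, subtype, src, dst, bssid, body=b""):
    """Constructed test frame: frame control, duration, addr1, addr2, addr3, seq ctrl, then body."""
    return struct.pack("<BBH6s6s6sH", (subtype << 4) | (ftype << 2), 0, 0, dst, src, bssid, 0) + body

def parse_frame(frame):
    """Return (type, subtype, transmitter address = addr2) from a raw 802.11 frame."""
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF, frame[10:16]

def matches_capture_filter(frame):
    """Same selection as the capture filter above: any data frame, or a management deauth/disassoc."""
    ftype, subtype, _ = parse_frame(frame)
    return ftype == TYPE_DATA or (ftype == TYPE_MGT and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC))

def detect_floods(frames, threshold=20):
    """Count deauth/disassoc per transmitter; report those over the threshold and which mix they send."""
    names = {SUBTYPE_DEAUTH: "deauth", SUBTYPE_DISASSOC: "disassoc"}
    counts = defaultdict(lambda: {"deauth": 0, "disassoc": 0})
    for frame in frames:
        ftype, subtype, addr2 = parse_frame(frame)
        if ftype == TYPE_MGT and subtype in names:
            counts[addr2][names[subtype]] += 1
    verdicts = {}
    for addr2, c in counts.items():
        if c["deauth"] + c["disassoc"] < threshold:
            continue  # a handful of deauths is normal housekeeping; a burst is not
        pattern = "deauth+disassoc mix (MDK3-style)" if c["disassoc"] else "deauth only (aireplay-ng-style)"
        verdicts[addr2.hex(":")] = pattern
    return verdicts

# Constructed sample: two APs under attack plus one behaving normally (not real captured traffic).
AP1, AP2, AP3 = (bytes.fromhex(h) for h in ("021111111111", "022222222222", "023333333333"))
BCAST = b"\xff" * 6
SAMPLE_FRAMES = ([build_frame(TYPE_MGT, SUBTYPE_DEAUTH, AP1, BCAST, AP1, REASON_CODE)] * 30
                 + [build_frame(TYPE_MGT, SUBTYPE_DEAUTH, AP2, BCAST, AP2, REASON_CODE)] * 15
                 + [build_frame(TYPE_MGT, SUBTYPE_DISASSOC, AP2, BCAST, AP2, REASON_CODE)] * 15
                 + [build_frame(TYPE_MGT, SUBTYPE_DEAUTH, AP3, BCAST, AP3, REASON_CODE)] * 2
                 + [build_frame(TYPE_MGT, SUBTYPE_BEACON, AP3, BCAST, AP3)] * 10
                 + [build_frame(TYPE_DATA, 0, AP3, BCAST, AP3)] * 5)
if __name__ == "__main__":
    kept = sum(1 for f in SAMPLE_FRAMES if matches_capture_filter(f))
    print(f"{kept} of {len(SAMPLE_FRAMES)} frames pass the capture filter; floods: {detect_floods(SAMPLE_FRAMES)}")
```

On a real capture you would feed the raw 802.11 frames from your pcap file into detect_floods in place of SAMPLE_FRAMES.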