You may have heard of a signal jammer that usually refers to a device that emits a sufficiently strong radio signal to drown out the reception of nearby devices, such as cell phones. Specially designed jammer hardware is illegal in many countries, but Wi-Fi is vulnerable to several different jamming attacks that can be performed with Kali Linux and a wireless network adapter.
Traditional Signal Jamming was a cat and mouse game detecting and disabling signals that an opponent uses for communication. By cutting off the communicative capacity of a goal, they remain isolated and vulnerable, which means that these signals have top priority in modern electronic warfare. Countries today have developed capabilities to block and fake mobile phones, GPS, Wi-Fi and even satellite links.
Different Types of Jamming
There are two main types of jamming: elementary and advanced. Here we will discuss elementary Wi-Fi jamming, focusing on unencrypted management frames.
Elemental jammers can be divided into two main types: proactive and reactive. The first type, a proactive jammer, is one that works continuously, whether there is traffic on a network or not. We will use MDK3 as a fraudulent jammer that infiltrates normally-acting packets that have a harmful impact on the network.
The most common type of this type Attack occurs with Deauthentication Packages. This is a kind of "management" framework responsible for disconnecting a device from an access point. Faking these packages is the key to hacking on many Wi-Fi networks because you can forcibly separate any client from the client at any time. The ease with which this can be done is a bit scary and is often done as part of collecting a WPA handshake for cracking.
Aside from using this interruption to force a handshake, you can still let those deauths come in. This has the effect of seemingly infecting the client with Deauth packets from the network it's connected to becomes. Because these frames are not encrypted, many programs use management frames by forging them and sending them to one or all devices on a network.
Programs such as Aireplay-ng rely on Deauthentication packages to perform denial-of-service attacks. And this type of tactic is often part of the first WPA Brute Forcing that a hacker will learn. Spamming a target with packages is simple but effective and often results in almost instant actions on the mark. But many who use Aireplay-ng may not know that there is another type of management framework that can be abused to remove clients on a WPA network.
Dissociation packages are another type of management framework. This is used to separate a node (ie any device, such as a laptop or a cell phone) from a nearby access point. The difference between the Deauthentication and Dissociation frames is mainly the way they are used.
An AP attempting to disconnect a rogue device sends a deauthentication packet to notify the device that it has been disconnected from the network while a dissociation package is in use Disconnect all nodes when the AP is shut down, restarted, or disconnected the area is left.
Different networks may be equipped with different countermeasures, so the deauthentication itself might not work. In fact, WPA3 protects against this attack, as well as some WPA2 types. According to the Wi-Fi Alliance website:
Wi-Fi CERTIFIED WPA2 with Protected Management Frames and Wi-Fi CERTIFIED WPA3 provide protection for unicast and multicast management action frames. Unicast management action frames are protected from eavesdropping and forging, and multicast management action frames are protected from forging. Wi-Fi CERTIFIED ac and WPA3 devices require secure management frameworks. They expand the privacy of data frames with mechanisms to improve the resilience of mission-critical networks.
Because of this, de-authentication and dissociation attacks are just one of many that can be used against a Wi-Fi network. While there are advanced jamming attacks based on the interruption of CTS (clear to send) or data packets, we store these attacks for another guide. Right now, we're going to start using a mix of deauthentication and dissociation to increase our chances of permanently removing a network.
To understand aireplay-ng against MDK3 as jamming tools, we should take a look at the file help for each tool. For Aireplay-ng we see the following relevant information.
Aireplay-ng 1.2 rc4 - (C) 2006-2015 Thomas d & # 39; Otreppe http://www.aircrack-ng.org Usage: aireplay-ng
Filter options: -b Bssid: MAC address, access point -d dmac: MAC address, destination -s smac: MAC address, source -m len: minimum packet length -n len: maximum packet length -u type: frame control, enter field -v subordinate: frame control, subtype field -t Tods: frame control, to DS-bit -f fryds: Frame Control, From DS-Bit -w iswep: frame control, WEP bit -D: Disables AP detection Attack modes (numbers can still be used): --deauth count: Deauthenticate 1 or all stations (-0) --fakeauth delay: fake authentication with AP (-1) --interactive: interactive frame selection (-2) --arpreplay: standard ARP request repetition (-3) --chopchop: Decrypt WEP package / chopchop (-4) --fragment: generates valid keystream (-5) --caffe-latte: query a client for new IVs (-6) --cfrag: fragments against a client (-7) --migmode: Attacks the WPA migration mode (-8) --test: tests injection and quality (-9) --help: Displays this Usage Screen
While the tools included are of interest, only – deauth helps interfere with a Wi-Fi connection. Based on these filter settings, we can use Aireplay-ng to attack specific nodes on specific APs. We can do this with a command like below.
aireplay-ng-0 0-a f2: 9f: c2: 34: 55: 69 -c a4: 14: 37: 44: 1f: ac wlan0mon
This command uses the wlan0 interface in monitor mode, to send an unlimited stream of deauths to the client at the MAC address a4: 14: 37: 44: 1f: ac, which is connected to the MAC address f2: 9f: c2. 34:55:69. This attack is surgical and usually begins to work immediately, but may fail or not be effective in some networks.
By comparison, MDK3 has fewer surgical filters in its file .
MDK 3.0 v6 - "Yeah, well, whatever" MDK is a proof-of-concept tool to address the common weaknesses of the IEEE 802.11 protocol. MDK USE: mdk3
[test_options] TESTING: b - Beacon flood mode Sends beacon frames to show fake APs to clients. This can sometimes cause network scanners and even drivers to crash! a - Authentication DoS mode Sends authentication frames to all APs within range. Too many clients freeze or reset some APs. p - Easy probing and ESSID Bruteforce mode Verifies AP and checks for a response that is useful to check if SSID exists Was decoded correctly or if AP is within range of your adapter SSID Bruteforcing is also possible with this test mode. d - Deauthentication / Disassociation Amok mode Kicks that found all of AP m - Michael Shutdown Exploitation (TKIP) Cancels the entire traffic continuously x - 802.1X tests w - WIDS / WIPS confusion Confusion / Abuse Intrusion Detection and Prevention Systems f - MAC filter brute force mode This test uses a list of known client MAC addresses and tries to do so authenticate them to the given AP as they change dynamically his best-performing response time limit. It currently only works on APs that properly reject an open authentication request g - WPA downgrade test Deauthenticates stations and APs send WPA encrypted packets. This test lets you check if the system administrator is trying to apply his setting Network to WEP or disable the encryption.
With MDK3 we can see some attractive options. The option g will attempt to force a network administrator to disable or demote the encryption by targeting any connection with WPA-encrypted packets with de-authentication attacks.
Option b attempts a beacon flood attack to randomly create fake APs in the environment, and the option a attempts to block a network by sending too many authentication frames , None of these attacks works to stow the network, but instead the most useful attack is d .
The attack "Deauthentication / Disassociation Amok Mode" triggers all from a nearby network by default, but with some filters, we can make it more surgical.
What You Need
To begin, you need a fully updated copy of Kali Linux and a Kali-compatible wireless network adapter. If you need help selecting a program, you can visit our guide below:
To update your copy of Kali Linux, connect to the Internet, open a terminal window, and run the following commands:
19659022] apt update
Step 1: Install MDK3
apt install mdk3
After installation, you can use Enter mdk3 –help to see the most important options.
Step 2: Jam an area
If you look at the filter options for MDK3, you can enter . mdk3 –help d to get the help information for the Deauthentication module. Here we can see that it differs from the options for Aireplay-ng. Instead, we have the following options to execute our attack:
- -w Flag for MAC addresses to ignore or whitelist.
- -b Flag for MAC addresses to attack or blacklist.  -s Flag for the speed (packets per second) of the attack.
- -c Flag for the channel on which the attack is to be performed.
Based on these options we need to have at least some information to disturb something. First, we need to put our network adapter in monitor mode and pass the name of the adapter in monitor mode to the program for it to run.
To find that, we can use either ifconfig or the newer ip a in a terminal window to find the name of the network adapter. It should be something like "wlan0" or "wlan1".
If you have the name of the device, you can put it into monitor mode with the following command airmon-ng where wlan0 is the name of your network card
sudo airmon-ng start wlan0  If you have done so, tap [ifaconfig or ip a again to get the new name of the card device. You can expect it to be "wlan0mon".
If you have this information, you can run the script to authenticate everything nearby. This is loud, not as effective as target jamming and may require a card to work permanently. In my tests, a network card attacking everything nearby caused few noticeable interruptions, while three network cards attacked nearby and caused annoying disconnections from the network.
To perform the attack, in a terminal window type wlan0mon name of the adapter in monitor mode
mdk3 wlan0mon d
Since this attack needs to skip channels, it will likely miss some APs and may not be very fast , It's also very annoying because it can separate everything within range, regardless of whether you are eligible or whether it is relevant to what you do.
Step 3: Damming a Channel
A better option for perturbing a section is jamming a channel. To know which channel you can jam, we can use another tool named Airodump-ng to find out which channel our target is on. With our card in monitor mode as wlan0mon, we can enter the following command to display information about all nearby wireless networks.
This displays all nearby access points and information about them. Here we can see on which channel the access point we are aiming at, which limits our effect to a single channel, instead of fiddling with what is moving.
Once we know the channel on which the AP is running, we can press Ctrl-C to abort the scan, and enter the following in a terminal window, with the channel we attacked channel 6 is.
mdk3 wlan0mon -c 6
Blocking a channel is very effective, but affects all APs and all devices working on that channel. This may still be too loud, so we need to further refine it to achieve the same targeting capabilities as Aireplay-ng.
Step 4: Whitelist & Blacklist Devices
Once we have a particular channel to attack it can be more precise by adding a blacklist or whitelist.
To do this, we run our Airmon ng scan again, and this time we copy the MAC address of the device we want to attack. I've tested this for both the AP address and the device you want to attack. Using the MAC address of the AP attacks everything, while adding the device's MAC address only attacks this and nothing else on the network.
To get this information, we can type the following to find the APs the channel we targeted earlier, in this case channel 6.
airodump-ng wlan0mon -c 6
By specifying the previously found channel we should be able to reduce the number of devices we see. To search for devices connected to our target network, we can look at the bottom of the output and find devices that are listed that are associated with the MAC address that corresponds to our destination network.
Once we have found a MAC address, we can easily target it. Copy the MAC address and open a new terminal window. Enter nano black.txt and press Enter to open a text editor window. Now insert the MAC address of the device you want to jam and press Ctrl-X to close the text editor.
Now we can run MDK3 against the target network by executing the following command. with black.txt as the just created text file with the MAC addresses that we want to jam.
mdk3 wlan0mon d -c 6 -b ~ / black.txt
This should display the device very fast and persistent. Conversely, you can specify networks that you want to leave in the same way, and then execute the command with the flag -w to attack everything else on the channel instead.
These attacks can become scary depending on the target audience, such as a home security camera. However, these risks can be alleviated by using Ethernet as much as possible and by updating WPA3 if devices are supported. One of the main differences between WPA2 and WPA3 is that WPA3 does not allow such attacks by preventing the authentication or dissociation packages from being spoofed in the first place.
Until then, you can use devices that support protected management frames, or if you suspect you are being attacked by such an attack, you can detect it using a Intrusion Detection System (IDS). Kismet can be used as an IDS to detect this type of attack, as it will alert you when spraying disassociation or de-authentication frames over a network.
I hope you liked this guide to understanding advanced Wi-Fi jamming with MDK3 and Aireplay-ng! If you have questions about this tutorial or Wi-Fi jamming, feel free to leave a comment or contact me on Twitter @KodyKinzie .