Traditional signal jamming has been a cat and mouse game of detecting and disabling signals an opponent is using to communicate. Cutting off a target's ability to communicate leaves them isolated and vulnerable, making jamming these signals a top priority in modern day electronic warfare. Countries today have developed capabilities to jam and spoof cell phones, GPS, Wi-Fi, and even satellite links.
Different Types of Jamming
There are two main types of jammers: elementary and advanced. Here, we'll be discussing elementary Wi-Fi jamming, focusing on unencrypted management frames.
Elementary jammers can be broken into two main types: proactive and reactive. The first type, a proactive jammer, is one that continuously functions whether there is traffic on a network or not. We'll be using MDK3 as a deceptive jammer, which injects normal-seeming packets that have a malicious effect on the network.
Jammers used in electronic warfare typically require equipment that overwhelms the signal of the target with radio energy, making it impossible to distinguish between the signal and the noise being introduced to the channel the target is using to communicate. This kind of jamming is popular because it works, but it also requires specialized equipment that is banned or heavily regulated in most countries.
The most common way this sort of attack is done is with deauthentication packets. These are a type of "management" frame responsible for disconnecting a device from an access point. Forging these packets is the key to hacking many Wi-Fi networks, as you can forcibly disconnect any client from the network at any time. The ease of which this can be done is somewhat frightening and is often done as part of gathering a WPA handshake for cracking.
Aside from momentarily using this disconnection to harvest a handshake to crack, you can also just let those deauths keep coming, which has the effect of peppering the client with deauth packets seemingly from the network they are connected to. Because these frames aren't encrypted, many programs take advantage of management frames by forging them and sending them to either one or all devices on a network.
Aside from momentarily using this disconnection to harvest a handshake to crack, you can also just let those deauths keep coming, which has the effect of peppering the client with deauth packets seemingly from the network they are connected to. Because these frames aren't encrypted, many programs take advantage of management frames by forging them and sending them to either one or all devices on a network.
- Don't Miss: Disable Security Cams on Any Wireless Network with Aireplay-ng
To understand Aireplay-ng vs MDK3 as jamming tools, we should take a look at the help file for each tool. For Aireplay-ng, we see the following relevant information.
While the tools included are interesting, only --deauth is helpful in jamming a Wi-Fi connection. Based on these filter settings, we can use Aireplay-ng to attack specific nodes on specific APs. We can do so with a command like below.
This command uses the wlan0 interface in monitor mode to send an unlimited stream of deauths to the client at MAC address a4:14:37:44:1f:ac which is connected to the access point with a MAC address of f2:9f:c2:34:55:69. This attack is surgical and usually starts working immediately, but can fail or not be very effective on some networks.
MDK3, by comparison, has less surgical filters listen in its help file.
Option b attempts a beacon flood attack, randomly creating fake APs in the area, and option a attempts to jam a network by sending too many authentication frames. Neither of these attacks works for jamming the network, so instead, the most useful attack is option d.
The Deauthentication / Disassociation Amok Mode attack by default kicks everyone off of any nearby network, but with some filters, we can get it to behave more surgically.
Step 1> Install MDK3
Step 2> Jam an Area
Taking a look at the filter options for MDK3, we can type mdk3 --help d to get the help information for the deauthentication module specifically. Here we can see that it is different from the options for Aireplay-ng. Instead, we have the following options to craft our attack.
-b flag for MAC addresses to attack, or blacklist.
-s flag for the speed (packets per second) of the attack.
-c flag for the channel to run the attack on.
Based on these options, we'll need to, at the very minimum, have one piece of information to start jamming anything. First, we'll need to put our network adapter into monitor mode and supply the name of the adapter in monitor mode to the program so it can execute.
When you have the name of the device, you can put it into monitor mode with the following airmon-ng command, where wlan0 is the name of your network card.
When you have this information, you can run the script to deauthenticate everything nearby. This is noisy, not as effective as target jamming, and may require one card to work persistently. In my tests, one network card attacking everything nearby caused few noticeable disruptions, whereas three network cards attacking everything nearby caused noticeably annoying disconnections from the network.
To execute the attack, type the following in a terminal window, with wlan0mon as the name of your adapter in monitor mode.
Step 3> Jam a Channel
A better option for jamming an area is to jam a channel. To know what channel to jam, we can use another tool called Airodump-ng to discover what channel our target is on. With our card in monitor mode as wlan0mon, we can type the following command to see information about all nearby wireless networks.
This will display all nearby access points, along with information about them. Here we can see which channel the access point we are targeting is on, which will limit our effect to a single channel rather than marauding around attacking anything that moves.Once we know the channel the AP is on, we can press Ctrl-C to cancel the scan, and type the following into a terminal window, with the channel we're attacking being channel 6.
Step 4> Whitelist & Blacklist Devices
Once we have a specific channel to attack, we can be more precise by adding a blacklist or a whitelist.
To do this, we'll re-run our Airmon-ng scan, and this time, we'll copy the MAC address of the device we wish to attack. I have tested doing this for both the address of the AP and the device you want to attack. Using the MAC address of the AP will attack everything on it, whereas adding the MAC address of the device will only attack it and nothing else on the network.
To get this information, we can type the following to find the APs on the channel we were targeting before, in this case, channel 6.
By specifying the channel we found before, we should be able to cut down on the number of devices we see. To find devices connected to our target network, we can look at the bottom of the output and find devices which are listed as being associated with the MAC address matching our target network.
Once we find a MAC address that is associated, we can target it easily. Copy the MAC address, and then open a new terminal window. Type nano black.txt and press Enter to open a text editor window. Now, paste the MAC address of the device you wish to jam, and press Ctrl-X to close the text editor.
Now, we can run MDK3 against the target network by running the command below, with black.txt as the text file we just created containing the MAC addresses we wish to jam.
Protected Management Frames & WPA3
While these attacks can be scary depending on what is being targeted like a home security camera, these risks can be mitigated by using Ethernet wherever possible and upgrading the WPA3 when devices supporting it becomes available. One of the core differences between WPA2 and WPA3 is that WPA3 doesn't allow these kinds of attacks by preventing the authentication or disassociation packets from being forged in the first place.
Until then, you can use devices which support protected management frames, or if you suspect that you're being targeted with an attack like this, you can detect it using an intrusion detection system (IDS). Kismet can be used as an IDS to detect this sort of attack, as it will give you a warning on detecting dissasociation or deauthentication frames being sprayed across a network.
Until then, you can use devices which support protected management frames, or if you suspect that you're being targeted with an attack like this, you can detect it using an intrusion detection system (IDS). Kismet can be used as an IDS to detect this sort of attack, as it will give you a warning on detecting dissasociation or deauthentication frames being sprayed across a network.
THANK YOU.
INSTAGRAM> https://www.instagram.com/cybersecuritytrend/
GOOGLE+> https://plus.google.com/108787701517183226945
FACEBOOK>https://www.facebook.com/Cyber-Security-Trend-994219794073420/?ref=br_rs
Facebook Page:- https://www.facebook.com/theprogrammer.harshit/
Google Plus:- https://plus.google.com/u/0/communiti…/117296242526461886479