For some time now I have been interested in network security, and I came across an article on how to make a Wi-Fi jammer (deauthentication attack). I did not even suspect that making someone's life miserable could be so easy and simple. To make a jammer, all we need is an ESP8266. The principle of operation is very simple: our device pretends to be the router and sends deauthentication packets to the network's clients telling them to disconnect. This does not always work, but it is enough to target a specific device and you're done. I haven't been able to find information on how to defend myself against such an attack, but maybe one of the forum members knows and will share their knowledge. Remember that you can only use this for educational purposes and for testing your OWN network. Link to the video with step-by-step instructions: youtube.com/watch?v=9UgFafZhONI
Uploading the program to ESP8266:
1) Download the archive from forbiddenbit.com/239/
2) Unpack the Wi-Fi_Jammer.zip file
3) Install the CH340 driver (ch341SER/SETUP.EXE)
4) Open ESP8266Flasher.exe. Select deauther_2.1.0_1m.bin as the file. Under Operation, select the COM port of the ESP8266 and click FLASH.
1) Connect to wpnet, password: deauther
2) Open 192.168.4.1 in the browser
3) Accept the terms
4) Select your network from the list
5) Go to the attack tab, select deauth and click start. Now the devices connected to the network will be disconnected. If you select the beacon attack, multiple networks will be created.
Interesting. If I understand correctly from the cursory information, the device copies the MAC of the indicated router and, impersonating the router, sends to the selected target (a network client) frames defined in the standard that are used to force the client to disconnect from the router. An interesting method for a local attack that makes life difficult for someone. All in all, if the frame is defined in the standard, the client must handle it, and thus it is difficult to defend against.
There is hope, though, with 802.11w, which encrypts management frames. It's been around for a while; however, manufacturers don't seem bothered and don't implement it, even though it would improve the security of a Wi-Fi device against these types of attacks.
If you choose to attack the entire network it rarely works, but if you choose one device from the network it has always worked in MY case: I checked on 3 laptops, 2 TVs and 5 phones and it fired every time.
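As an added illustration (not from the thread or from the deauther firmware), here is a defender-side sketch of how the frames described above can be spotted: it parses raw 802.11 deauthentication frames as a monitor-mode sniffer would deliver them and flags a client that receives a burst of them within a short window. The capture, the MAC addresses and the threshold are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 0x0C  # 802.11 management frame subtype 12 = deauthentication

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return (dst, src, bssid, seq, reason) for a deauth frame, else None.
    Layout: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2) Reason(2)."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != DEAUTH_SUBTYPE:
        return None
    dst, src, bssid = (mac_str(frame[i:i + 6]) for i in (4, 10, 16))
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4  # low 4 bits = fragment number
    reason = struct.unpack_from("<H", frame, 24)[0]
    return dst, src, bssid, seq, reason

def detect_deauth_flood(capture, window=1.0, threshold=5):
    """capture: iterable of (timestamp, raw_frame), timestamps ascending. Returns one
    alert per client that receives more than `threshold` deauths within `window` s."""
    recent, alerts = defaultdict(deque), []
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue  # not a deauth frame (data, beacon, ...)
        dst, src, _bssid, _seq, reason = parsed
        q = recent[dst]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) == threshold + 1:  # fire once, when the window first overflows
            alerts.append((dst, src, reason))
    return alerts

def build_deauth(dst, src, bssid, seq, reason):
    """Build a deauth frame for the constructed sample capture."""
    fc = bytes([DEAUTH_SUBTYPE << 4, 0])  # type 0 (mgmt), subtype 12, no flags
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid))
    return fc + b"\x00\x00" + addrs + struct.pack("<HH", seq << 4, reason)

AP, VICTIM, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:20"
# Constructed capture: one ordinary deauth (a client leaving, reason 3), then a
# burst of deauths addressed to one client with the AP's MAC as sender (reason 7).
SAMPLE = [(0.0, build_deauth(AP, OTHER, AP, 1, 3))] + \
         [(1.0 + 0.1 * i, build_deauth(VICTIM, AP, AP, 100 + i, 7)) for i in range(8)]
```

On a network with 802.11w (protected management frames) enabled, as the post above mentions, clients discard unprotected deauth frames, so a detector like this is mostly of use where that option is unavailable.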
If someone has a free evening, they can make a simple program that will allow anonymous use of the Internet for free: just make a loop on the ESP that activates WPS every minute, put the board by the window and just wait for a neighbour to press the WPS button on their router; then you just need to write down the SSID together with the password from the EEPROM.
it is enough to make a loop on the ESP that activates WPS every minute
wait for a neighbor to press the WPS button on their router
There are two types of attack here: brute force and simply listening for an occasion. In the first case, most devices block WPS after 2-3 failed PIN attempts, so it will take some time to check 5,000-11,000 combinations. In the latter case, the opportunity may never come.
The fact is that it's better not to use WPS and to turn it off altogether.
WPS on the ESP only works for a minute (or maybe two, I don't remember), and if it doesn't find any router, it turns itself off. This loop is there so that WPS is active all the time, waiting for an opportunity. It has nothing to do with any brute force.
I still do not understand. Either you are constantly listening for WPS-related frames, or you are actively attacking WPS.
What do you mean by "turn on WPS for a minute"?
Normal WPS pairing seems to work by pressing WPS on your router and running WPS on the client; without entering anything (weak passwords etc.) they find each other, exchange keys and "pair". Hence, if you run a WPS connection attempt on a client over and over again, you wait for the moment when someone presses WPS on their router to connect their own client. Then you count on hitting the moment between activation on the router and activation on their client, i.e. you will be the first to reach the router... After this pairing, the router reliably turns off WPS. A moderately aware user will say that something has gone wrong and turn on WPS again to try again with their client, while you are glad that you already have the authorization data for that router in memory and can use it for free connections over someone else's network...
Normal WPS pairing seems to work by pressing WPS on your router and running WPS on the client; without entering anything (weak passwords etc.) they find each other, exchange keys and "pair".
"Normal" WPS pairing requires a PIN printed on the AP.
The variants that don't require a PIN work like this:
Push button method: in which the user has to push a button, either an actual or virtual one, on both the access point and the new wireless client device. On most devices, this discovery mode turns itself off as soon as a connection is established or after a delay (typically 2 minutes or less).
I have not come across the version with the PIN, but maybe I just happened to have such equipment in my hands.
The description given of the version without the PIN is consistent with what I wrote earlier. The success rate is quite high, because instinctively everyone presses the router first and then goes to coax the client into cooperating, and since the attacker has WPS turned on in their client all the time (with minor breaks for reconnection), the chance of slipping in between the victim's manual actions is large. The downside is something else: how often do you pair your devices with the router? I have a set of devices that were connected once (not via WPS) and I haven't added new ones for a long time. Unless you have to play with WPS every time you want to connect, which I sincerely doubt, because then the attack would not make much sense, since the acquired keys would not work for the next connection. So I assume that it is done once per device, which is veeeeery rare.
OpenWRT / LEDE has had an option to detect this attack for some time; the only thing is that it is an attack targeting the network clients, not the router, and basically a feature of the standard used for a malicious purpose.