
Hack Like a Pro: How to Get Even with Your Annoying Neighbor by Bumping Them Off Their WiFi Network —Undetected

Welcome back, my hacker apprentices! My recent posts here in Null Byte have been very technical in nature, so I thought that I'd have a little fun with this one.

Have you ever had an annoying neighbor whose dog barks all night, who has loud parties that keep you awake, or who calls the cops when you have a loud party? Here's a simple way to get even with them without them ever knowing it.


Nearly everyone these days has a Wi-Fi router set up in their home so they can access the Internet in any room or nook and cranny within their house. This hack is in the grey area of the law, probably not illegal, and nearly impossible to detect. What we're going to do is simply bump or disconnect our neighbor from their Wi-Fi connection whenever they connect, driving them crazy and leaving them without Web access (temporarily).

We'll need the best Wi-Fi cracking software to do this hack—aircrack-ng—so let's fire up our BackTrack and get to annoying that annoying neighbor.

What we'll basically be doing is:

  1. Getting the BSSID of the neighbor's access point (that's the MAC of the access point),
  2. Getting your neighbor's MAC address when they connect to the Wi-Fi AP, and...
  3. Using that MAC address to deauthenticate their connection. Actually, with aircrack-ng this is a really simple hack.

Let's open aircrack-ng in BackTrack by going to BackTrack, Exploitation Tools, Wireless, WLAN Exploitation, and then aircrack-ng.

As you can see below, we have a terminal now open in aircrack-ng. Let's first take a look at our wireless card. In Linux, the first wireless card is designated wlan0. We can do that by typing:

  • iwconfig wlan0

As you can see, Linux comes back with some basic info on the wireless card on our system. The first thing we want to do is put our wireless card in monitor mode. This allows us to see and capture all wireless traffic:

  • airmon-ng start wlan0

Notice that airmon has renamed your wireless device to mon0. This is critical, as your wireless card will now be referenced by this new name.

Now that the wireless card is in monitor mode, we want to see all the wireless access points in range.

  • airodump-ng mon0

In the screenshot above, we can now see all the wireless access points in range with all their key information. Our annoying neighbor is access point 7871.

Note that airodump gives us the BSSID of the access point, its power, channel, speed, etc. What we need here is the BSSID. In our case, it's 0a:86:30:74:22:77. We can use that access point address in the next command. You must use the BSSID of your annoying neighbor's access point and the channel they are using.

  • airodump-ng mon0 --bssid BSSIDaddress --channel 6

This command locks airodump-ng onto that annoying neighbor's access point (it filters the capture to that BSSID and channel). Now we need that annoying neighbor to connect to his access point so we can get the MAC address of his wireless card. We then need to spoof his MAC address.

Once the neighbor connects, we can see and copy his MAC address. Now that we have both the access point's BSSID (-a) and the neighbor's MAC address (-c), we can send deauthentication packets to the access point and disconnect him:

  • aireplay-ng --deauth 1 -a BSSIDaddress -c MACaddress mon0

Now, when your annoying neighbor connects, you can disconnect them! Those of you with some scripting skills can write a simple script that would knock him off his Wi-Fi, say, every 30 seconds to be really annoying, or every 30 minutes to be slightly annoying. If you only do this hack when he does something particularly annoying, he might begin to believe that the gods are punishing him for his bad behavior!
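A defensive counterpart to the procedure above, added here and not part of the original article: a small Python detector for the burst of deauthentication frames this attack produces, the same frames a monitor-mode capture on the victim's side would see. It assumes raw 802.11 management frames with no radiotap header, uses constructed locally administered MAC addresses, and the window and threshold values are illustrative.

```python
import struct
from collections import defaultdict

# Management-frame subtypes (frame-control byte 0, type field = 0)
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0xA, 0xC

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt_frame(raw):
    """Parse the 24-byte 802.11 header of a management frame (no radiotap).
    Addr1 = receiver, Addr2 = transmitter, Addr3 = BSSID; deauth/disassoc
    carry a 2-byte little-endian reason code after the header."""
    if len(raw) < 24 or (raw[0] >> 2) & 0x3 != 0:   # too short / not type 0
        return None
    frame = {"subtype": (raw[0] >> 4) & 0xF, "dst": mac_str(raw[4:10]),
             "src": mac_str(raw[10:16]), "bssid": mac_str(raw[16:22]),
             "reason": None}
    if frame["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(raw) >= 26:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame

def detect_deauth_flood(samples, window=1.0, threshold=10):
    """samples: iterable of (timestamp_seconds, raw_frame_bytes).
    Flags each BSSID that sources more than `threshold` deauth/disassoc frames
    inside any sliding `window` seconds (one aireplay-ng shot sends 64).
    Returns {bssid: peak_count_in_window}."""
    times = defaultdict(list)
    for ts, raw in samples:
        f = parse_mgmt_frame(raw)
        if f and f["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            times[f["bssid"]].append(ts)
    alerts = {}
    for bssid, ts_list in times.items():
        ts_list.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[bssid] = peak
    return alerts

def sample_deauth(dst, src, bssid, reason=7):
    """Build one deauth frame; used here only to construct the test capture."""
    return (bytes([0xC0, 0x00, 0x3A, 0x01]) + dst + src + bssid + b"\x00\x00"
            + struct.pack("<H", reason))

# Constructed capture (locally administered MACs, not from the article):
# one ordinary deauth at t=0, then a 64-frame burst starting at t=5.
AP, STA = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000bb02")
SAMPLE = [(0.0, sample_deauth(STA, AP, AP, reason=3))]
SAMPLE += [(5.0 + i * 0.002, sample_deauth(STA, AP, AP)) for i in range(64)]
```

Because the attacker's frames carry the access point's own MAC as source, the count per BSSID is what gives the burst away rather than any address the attacker owns. The standard mitigation is Protected Management Frames (802.11w), which lets a client discard deauthentication frames that are not cryptographically authenticated.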


76 Comments

Thanks OTW

Can you please tell us some more about aircrack-ng, aireplay-ng, airodump-ng and airmon-ng? Just what are their functions, and which one is used to crack the password?

Criss:

Aircrack is used for password cracking, airmon for putting your wifi card into monitor mode, airodump for capturing wifi traffic and aireplay for injecting traffic into the AP.

I'm going to start a series on Wifi cracking soon.

OTW

If I want to crack a wireless password, I will follow these steps:

Capture > Monitor > Inject > Crack. Am I right? After cracking, do we get the password in hashes or what?

Criss:

Monitor, inject, capture and then crack. When cracking WEP, they come back as the password, but often in hex. When cracking WPA, you grab the hashed password and then crack.

OTW

I'm hoping to have a WEP cracking tutorial online next week and then WPA cracking soon after that.

Thanks. Waiting to see the tutorial :)

How about a privilege escalation tutorial? That would be great, so that when we do log into a network we can actually browse the network as well... Is this something that you could accomplish?

Thank You

Philippe:

There are multiple ways to do privilege escalation. One is to get Metasploit's meterpreter on the remote system; the meterpreter has a built-in script for privilege escalation called "system".

OTW

Or is it possible to upload a RAT to another computer on the network and execute it somehow?

What do you mean? If you seriously mean uploading a "file" (in this case a RAT), then good luck. I'm not sure if that's possible. But what you could do is fake the access point using the evil twin method. Then you can make sure they go to a certain site, and then it's only a matter of Metasploit skills to crack their computer. But uploading a file to an access point? Nope! Probably impossible.

Th3skYf0x

Philippe:

It is possible to upload a RAT to another computer, but not through the AP. I'll do a tutorial on uploading a RAT in the near future, so stay tuned.

OTW

Wow, this is good stuff. I'll probably never use it, but I thoroughly enjoyed the "Your Annoying Neighbor" story that came with the hack - pretty funny. Even more intriguing is that I was able to follow it and understand it. That's a feat in itself - to get a right-brainer to understand a hack. So you get a big fat kudos from me!

I would love to see your methods of uploading crypted RATs :) Thank you

I'm a little bit confused. Is the app you're using nmap? I already downloaded nmap but I'm not sure how this thing works :) I'll follow you, I really like your methods :) I'll spend every day doing this so I can learn as much as I can :)

By the way, I downloaded nmap. Is this app only for tracing IPs? In your methods you use aircrack; where can I download that? I'm using Windows 8.

Anonymous:

Download BackTrack 5. All the tools are in it.

OTW

I followed all the steps yet I get an error in the end stating that mon0 and the AP have different channels. Like mon0 is at channel 6 and AP at 4 so it can't deauth.

Help.

Sahir:

You have two options. First, you can keep trying the deauth until they are on the same channel, as mon0 rotates through the channels. Second, you can set mon0 on the target channel by typing

airmon-ng start wlan0 <channel#>

Hope this helps.

OTW

So how long does it take for the neighbor to connect back? Is there any specific time?

Dhinesh:

You can keep him off indefinitely by keeping the deauth frames running on his AP. Once those deauth frames stop, he can reconnect almost instantaneously.

OTW

Is there a way to counter this hack, because my father uses it on me?
Please help me

Hilarious, your dad is hacking you. Awesome (well, maybe not for you) :-) You know 100% it's him?

Franek:

You can block his MAC address in the router control panel. I'm sure he will love that.

OTW

In some part of the tutorial you say to put airdump-ng mon0, but you need to put airodump-ng mon0. Careful with that.

While reading this post, an idea came to my mind. Is it possible that if I make a Wi-Fi access point with the same name as another one (like, there's a Wi-Fi called netgear and I create a hotspot named netgear), someone tries to connect to mine by mistake, thinking it's the original one, and I get the password?

Is this possible? Can you please explain how?
Thank you

Yes, it is. I will be writing a tutorial on this soon.

Hello,

Firstly, I have been reading many of your articles non-stop over the past 72 hours and really enjoying them. I finally decided to create an account and engage this community. I had a question concerning the very last step you give: the deauth with the MAC address. Which BSSID do I input? Several of them are the same BSSID, but underneath that several MAC addresses are listed. But the only one that seems to work is the BSSID at the very top. How can I tell if what I'm doing is working?

Alex:

You want to use the BSSID of the AP. Look across the line and see the AP's SSID. Choose the BSSID of the SSID you want to deauth on.

If you are doing it right, you will see any connected wireless adapter drop off the bottom of the screen.

OTW

I appreciate your swift response. I changed the "1" to "100" in the command so that I can more easily study what happens. As far as the wireless adapter dropping off the bottom of the screen as you mentioned, I haven't seen anything that resembles that. However, I did notice that the "PWR" changes from -65ish to 0 for the duration of the deauth. Does this mean the script is working?

There are much, much easier ways to do this than installing BackTrack.

Hi Jay,
Would you mind sharing how there are much, much easier ways to do this than installing BackTrack?

I installed VirtualBox and Kali.
I opened aircrack-ng
and I typed "iwconfig wlan0".
I received this message:
No such device

How can i solve this?

Nick:

First, you need an aircrack-ng compatible wifi adapter.
Second, you need to attach the wifi adapter to the VM.

OTW

Nick, how would I go about configuring my wifi adapter for aircrack? And how do I attach the wifi adapter?

No configuration is necessary if you use it in Kali. Your wireless adapter must be aircrack-ng compatible.

So I'll have to buy a new wireless adapter? Because I'm having the problem when I open aircrack-ng and I type "iwconfig wlan0"

I received this message: No such device

If you are using a VM, you will need an external wireless adapter. If you want to use aircrack-ng, you will need an aircrack-ng compatible adapter.

Sorry if I missed it in the comments or the article, I'm new here, but how do you know which MAC address/access point your "neighbor" is?

Alaris:

Welcome to Null Byte!

Check out the step above where we used airodump-ng to see all the MAC addresses. If you know your neighbor's SSID, just match it up with the BSSID in the first column.

OTW

What do you do if you don't know their SSID? Is there a way to find it?
I also just installed Kali Linux and am using it by dual boot

Sorry for posting so many comments, but I just tried to use the airdump-ng mon0 command and got this: "bash: airdump-ng: command not found"

You spelled it wrong.

Airodump-ng

ah, thank you.

So I have the command including the BSSID, and the only ID connected is the same one I previously put in. Do I use the same thing for the deauth command?

How would you automate this in a python script as you say is possible? What is the module to get aireplay commands in python?

You don't need Python, just a BASH script. Check out my post on DoSing an AP continuously.

My annoying neighbor was smarter than expected. He knows how to hack passwords; now he got into MY WiFi and got even more annoying.

I am new to this and wanted to know: I don't use any external wireless USB adapter, but my laptop runs on wifi. So even if I connect my host wifi in VirtualBox, why doesn't the iwconfig command work??

Blaze:

The virtual machine converts your wifi to wired (eth0). You will need an external wifi adapter with a VM. Also, most wifi adapters won't work with aircrack-ng. You need an aircrack-ng compatible wireless adapter. Check for compatibility at www.aircrack-ng.com.

OTW

Well I already know the WIFI Password of my Neighbor. So what do I now need to do?

Then all you need to do is authenticate against his AP and use your MAC address in the aireplay-ng command.

sorry i meant WIFI not WLAN (certainly a common mistake of Germans)

Hi.. can you help me? I try to disconnect my neighbor who connects to my network, but it says invalid AP MAC address.

So he's inside your network? So what, you run an unencrypted wifi connection? Or he stole your password? This is a different scenario than the one portrayed in this tutorial. You can do pretty much anything to that annoying leecher: from MITM, to rickrollin' all his pages, intercepting traffic, and eventually banning him from the network with a MAC filter.

Anyway, post some screens, like OTW said.

Please send a screenshot of your airodump-ng and your aireplay-ng commands.

I'm sorry, I don't really know if he's inside my network or not; it's just my thought. I just want to disconnect this guy over here because he seems really fishy, but every time I use aireplay-ng it says no such BSSID available. Can you guys tell me about it?

An easier way to check if someone is on your network is to check your router's DHCP settings. All computers that connected recently will be listed there.

How can I deauthenticate everyone on a particular AP?
Is there any script or any command?
Please tell.. OTW

When I run (airmon-ng start wlan0) it creates (wlan0mon) and I get this error when I attempt to airodump.

ioctl(SIOCSIWMODE) failed: Device or resource busy

ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
sure RFMON is enabled: run 'airmon-ng start wlan0mon <#>'
Sysfs injection support was not found either.

Is this because my adapter is not compatible, I need another one? I've noted that it says injection support not found, could it be another issue though?

Write airodump-ng wlan0mon
It will start working. Mine also creates (wlan0mon) as well.

Good tut, thanks OTW!

I keep getting "No such BSSID available", then asks for the ESSID (-e). When I add the ESSID, it says "Waiting for beacon frame", then doesn't do anything.

To be clear, I'm trying to kick my laptop off of my net while running Kali in my VM on an external network card. I put eth0 down, so the VM has no connection to my network. I set my network card to monitor via iwconfig manually, because airmon doesn't seem to want to do it. (AWUS036NH)

aireplay-ng --deauth 1 -a ma:cm:ac:ma:cm:ac wlan0
Waiting for beacon frame (BSSID: 00:23:15:8B:A3:60) on channel 4
No such BSSID available.
Please specify an ESSID (-e).

---

aireplay-ng --deauth 1 -a ma:cm:ac:ma:cm:ac -e ESSID wlan0
Waiting for beacon frame (BSSID: 00:23:15:8B:A3:60) on channel 4
........................................almost fell asleep at this point.........

So, you're trying to knock yourself off your wireless network?

Basically, yes. A guy's gotta learn somehow. I also tried knocking my phone off the network. Same deal.

edit: Actually, even with the -e, it comes back with "No such BSSID available." Now, just like without the -e, it's timing out after 10 seconds.

Let's start with the obvious. You are sending packets to deauth your own wireless adapter and it times out after 10 seconds. Can you think of any possible reasons?

I may be missing something, so bear with me while I explain... I'm using my external wireless adapter to deauth my internal adapter from the network. The external is not connected to the AP, is in monitor mode, and is controlled only by the VM. The internal (eth0) is down from the VM.

If I'm understanding where you're going, I'm not attacking "myself", but, as far as I know, a computer on a target AP that I'm not connected to. That is, unless I misunderstood something. I got the same result, however, when I tried to knock my phone off the network.

Send screenshots of airmon and aireplay commands.

http://imgur.com/a/y2scK

I can't think why this might be doing this... I made sure my eth0 was down (VM), so I theoretically have no access to the outside world. airmon-ng didn't seem to want to set the card into monitor mode, so I had to do it manually. I also made sure to forget all previous networks. I installed Kali from the images on the Kali site for VirtualBox, then ran apt-get update/upgrade. Hopefully this is sufficient background. In case I forget to say it later, thanks for the help.

First of all, thank you OTW for your excellent tutorial, as well as the inspiration to grow my computer skills and delve into the wonderful world of Linux. I have a few questions I am hoping you could answer for me; I have read through previous comments and it seems they haven't been asked. When deauthing an access point, is there any evidence available showing the amount of time it is offline (I notice during deauth the PWR goes from its -67 to 0)? In addition, does deauthing leave any trace of your equipment's MAC, IP, or ISP? From my understanding it uses the MAC of the machine being deauthed, but I wasn't sure if perhaps an expert would have the ability to find where the deauth originated. I look forward to your response.

Best regards, G. Viceroy

Viceroy:

Every attack can be traced by a good forensic investigator and enough resources. In this case, it uses an authenticated user's MAC address, the packets are going through an ISP and no IP address has been obtained. This makes it difficult to find where the deauth originated from.

OTW

I'm using this attack and trying to make my other computer disconnect from my own wifi. It actually sends deauth packets but nothing happens.

root@kali:~# aireplay-ng --deauth 1 -c 8c:dc:d4:93:20:bd -a a4:b1:e9:aa:98:83 wlan0mon
13:57:21 Waiting for beacon frame (BSSID: a4:b1:e9:aa:98:83) on channel 11
13:57:22 Sending 64 direct DeAuth. STMAC: 8C:DC:D4:93:20:BD 11|12 ACKs

I'm on the right channel, with the right BSSID and the right MAC address, but nothing happens afterwards. My wireless adapter is Atheros AR928X and must be compatible.

Any idea? :/

When I type
airodump-ng mon0 --bssid BSSIDaddress --channel MYChannel it doesn't show the MAC addresses of connected devices

I already updated the drivers and it didn't work
