How to Hack Wi-Fi: Performing a Denial of Service (DoS) Attack on a Wireless Access Point
Welcome back, my neophyte hackers!
As part of my series on Wi-Fi hacking, I want to next look at denial-of-service (DoS) attacks, and DoSing a wireless access point (AP). There are a variety of ways to do this, but in this tutorial we'll be sending repeated deauthentication frames to the AP with aircrack-ng's aireplay. Remember, hacking wireless networks isn't all just cracking Wi-Fi passwords!
Let's imagine a scenario where your best friend's girlfriend just broke up with him. He was madly in love with her, and of course, is now devastated. He's terribly depressed, and not able to eat or sleep, much less study for his upcoming exams. He even considers killing himself. You stick by your best buddy and help him through the worst time of his life, and with your care and consideration, he recovers.
Unfortunately, he has college exams tomorrow. If he only had a few more days, he could cram and pass them. Our mission is to DOS the wireless access point so that the exam can't take place at the scheduled time and the school has to reschedule it, giving our best buddy the time he needs to cram and recover.
So, on the day of the exam, our buddy goes to the classroom as scheduled, although totally unprepared to pass the exam. We only need to place ourselves somewhere close enough to be able to access the wireless access point. This could be in the hallway, the next room, or the library. Most access points will extend up to 300 feet (about 100 meters), so we don't have to be that close.
In addition, if we put a high gain antenna on our Alfa wireless card, we can be significantly farther away. Then we pull out our trusty computer with BackTrack and our Alfa wireless adapter to save our friend from exam Armageddon!
Now that we're positioned within range of the wireless access point for the exam, let's fire up BackTrack and open a terminal. Let's make certain our wireless adapter is recognized in BackTrack and functioning.
Our next step is to put our wireless adapter in monitor mode with airmon-ng.
- airmon-ng start wlan0
Now we want to take a look at all the access points in range by using airodump-ng.
- airodump-ng mon0
As we can see, the access point for Concord University is the third access point displayed. Note its BSSID (this is its globally unique identifier based on its MAC address) and copy it.
Now we need to connect to the AP with our computer.
We can see the connection at the bottom of screen. There we can see the access point's BSSID on the far left bottom and the MAC address of our client following it. We need both of these bits of information for our next step in this hack.
Now we're ready to deauthenticate (bump off) all the users from the AP. We need to send thousands of deauthenticate frames to keep any one from reconnecting to the AP. We can do this by typing the following into another terminal.
- aireplay-ng --deauth 1000 -a 00:09:5B:6F:64:1E -h 44:6D:57:C8:58:A0 mon0
- 00:09:5B:6F:64:1E is the BSSID of the AP.
- 44:6D:57:C8:58:A0 is the MAC address of our computer.
- 1000 is the number of deauthentication frames to send to the AP.
As the students attempt to connect to the AP to take the exam, they will be unable to connect, or as soon as they do, they'll be disconnected. It's unlikely that the teacher or professor will have any idea what's happening, and for that matter, neither will the school IT director.
We need to keep these deauthentication frames going toward the AP until the teacher or professor finally gives up and reschedules the exam.
Now, our best buddy has a few days until the rescheduled exam to cram and pass. Thanks to BackTrack and a bit of hacking skill, we have saved our buddy from exam Armageddon!
Make sure to check back on our Wi-Fi Hacking series, because even more wireless hacks are coming! If you have any questions, please comment below or start a discussion in the Null Byte forum and we'll try to help you out.