You may have heard of a signal jammer before, which usually refers to a device that blasts out a strong enough radio signal to drown out the reception of nearby devices like cell phones. Purpose-built jammer hardware is outright illegal in many countries. Still, Wi-Fi is vulnerable to several different jamming attacks that can be done with Kali Linux and a wireless network adapter.
Traditional signal jamming has been a cat-and-mouse game of detecting and disabling signals an opponent is using to communicate. Cutting off a target's ability to communicate leaves them isolated and vulnerable, making jamming these signals a top priority in modern-day electronic warfare. Countries today have developed capabilities to jam and spoof cell phones, GPS, Wi-Fi, and even satellite links.
There are two main types of jammers: elementary and advanced. Here, we'll be discussing elementary Wi-Fi jamming, focusing on unencrypted management frames.
Elementary jammers can be broken into two main types: proactive and reactive. The first type, a proactive jammer, is one that continuously functions whether there is traffic on a network or not. We'll be using MDK3 as a deceptive jammer, which injects normal-seeming packets that have a malicious effect on the network.
Jammers used in electronic warfare typically require equipment that overwhelms the signal of the target with radio energy, making it impossible to distinguish between the signal and the noise being introduced to the channel the target is using to communicate. This kind of jamming is popular because it works, but it also requires specialized equipment that is banned or heavily regulated in most countries.
Another type of jamming attempts to send messages that force the target to be disconnected from the network they are connected to, rather than drowning out a target's signal by trying to overwhelm it. You might think this kind of attack might only work if you are connected to the network, but this is where WPA has a severe flaw. Because so-called management frames are not encrypted, it is possible to send disruptive messages from outside the network, which causes people inside the network to be unable to connect.
The most common way this sort of attack is done is with deauthentication packets. These are a type of "management" frame responsible for disconnecting a device from an access point. Forging these packets is the key to hacking many Wi-Fi networks, as you can forcibly disconnect any client from the network at any time. The ease of which this can be done is somewhat frightening and is often done as part of gathering a WPA handshake for cracking.
Aside from momentarily using this disconnection to harvest a handshake to crack, you can also just let those deauths keep coming, which has the effect of peppering the client with deauth packets seemingly from the network they are connected to. Because these frames aren't encrypted, many programs take advantage of management frames by forging them and sending them to either one or all devices on a network.
Programs like Aireplay-ng rely on deauthentication packets to execute denial of service attacks, and this kind of tactic is often a part of the first WPA brute-forcing a hacker will learn. Spamming a target with deauth packets is simple but effective, often producing near-immediate action on the mark. But many who use Aireplay-ng may not know that there is another kind of management frame that can be abused to take out clients on a WPA network.
Disassociation packets are another type of management frame that is used to disconnect a node (meaning any device like a laptop or cell phone) from a nearby access point. The difference between deauthentication and disassociation frames is primarily the way they are used.
An AP looking to disconnect a rogue device would send a deauthentication packet to inform the device it has been disconnected from the network, whereas a disassociation packet is used to disconnect any nodes when the AP is powering down, rebooting, or leaving the area.
Different networks may be equipped with various countermeasures, so deauthentication itself may not work. In fact, WPA3 protects against this attack, as do some types of WPA2. According to the Wi-Fi Alliance website:
Wi-Fi CERTIFIED WPA2 with Protected Management Frames and Wi-Fi CERTIFIED WPA3 provide protection for unicast and multicast management action frames. Unicast management action frames are protected from both eavesdropping and forging, and multicast management action frames are protected from forging. Wi-Fi CERTIFIED ac and WPA3 devices require Protected Management Frames. They augment privacy protections already in place for data frames with mechanisms to improve the resiliency of mission-critical networks.
Because of this, deauthentication and disassociation attacks are just one of many which may be employed against a Wi-Fi network. While there are more advanced jamming attacks based on interrupting CTS (clear to send) or data packets, we'll save those attacks for another guide. For now, we'll start using a mix of deauthentication and disassociation to increase our chances of persistently taking out a network.
To understand Aireplay-ng vs MDK3 as jamming tools, we should take a look at the help file for each tool. For Aireplay-ng, we see the following relevant information.
~$ aireplay-ng --help Aireplay-ng 1.5.2 - (C) 2006-2018 Thomas d'Otreppe https://www.aircrack-ng.org usage: aireplay-ng <options> <replay interface> Filter options: -b bssid : MAC address, Access Point -d dmac : MAC address, Destination -s smac : MAC address, Source -m len : minimum packet length -n len : maximum packet length -u type : frame control, type field -v subt : frame control, subtype field -t tods : frame control, To DS bit -f fromds : frame control, From DS bit -w iswep : frame control, WEP bit -D : disable AP detection Attack modes (numbers can still be used): --deauth count : deauthenticate 1 or all stations (-0) --fakeauth delay : fake authentication with AP (-1) --interactive : interactive frame selection (-2) --arpreplay : standard ARP-request replay (-3) --chopchop : decrypt/chopchop WEP packet (-4) --fragment : generates valid keystream (-5) --caffe-latte : query a client for new IVs (-6) --cfrag : fragments against a client (-7) --migmode : attacks WPA migration mode (-8) --test : tests injection and quality (-9) --help : Displays this usage screen
While the tools included are interesting, only --deauth is helpful in jamming a Wi-Fi connection. Based on these filter settings, we can use Aireplay-ng to attack specific nodes on specific APs. We can do so with a command like below.
~$ aireplay-ng -0 0 -a f2:9f:c2:34:55:69 -c a4:14:37:44:1f:ac wlan0mon
This command uses the wlan0 interface in monitor mode to send an unlimited stream of deauths to the client at MAC address a4:14:37:44:1f:ac which is connected to the access point with a MAC address of f2:9f:c2:34:55:69. This attack is surgical and usually starts working immediately, but can fail or not be very effective on some networks.
MDK3, by comparison, has fewer surgical filters listen in its help file.
~$ mdk3 --help MDK 3.0 v6 - "Yeah, well, whatever" by ASPj of k2wrlz, using the osdep library from aircrack-ng And with lots of help from the great aircrack-ng community: Antragon, moongray, Ace, Zero_Chaos, Hirte, thefkboss, ducttape, telek0miker, Le_Vert, sorbo, Andy Green, bahathir and Dawid Gajownik THANK YOU! MDK is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses. MDK USAGE: mdk3 <interface> <test_mode> [test_options] TEST MODES: b - Beacon Flood Mode Sends beacon frames to show fake APs at clients. This can sometimes crash network scanners and even drivers! a - Authentication DoS mode Sends authentication frames to all APs found in range. Too many clients freeze or reset some APs. p - Basic probing and ESSID Bruteforce mode Probes AP and check for an answer, useful for checking if SSID has been correctly decloaked or if AP is in your adaptors sending range SSID Bruteforcing is also possible with this test mode. d - Deauthentication / Disassociation Amok Mode Kicks everybody found from AP m - Michael shutdown exploitation (TKIP) Cancels all traffic continuously x - 802.1X tests w - WIDS/WIPS Confusion Confuse/Abuse Intrusion Detection and Prevention Systems f - MAC filter bruteforce mode This test uses a list of known client MAC Adresses and tries to authenticate them to the given AP while dynamically changing its response timeout for best performance. It currently works only on APs who deny an open authentication request properly g - WPA Downgrade test deauthenticates Stations and APs sending WPA encrypted packets. With this test you can check if the sysadmin will try setting his network to WEP or disable encryption.
With MDK3, we see a few attractive options. Option g will attempt to force a network administrator to disable or downgrade encryption by targeting any connection sending WPA encrypted packets with deauthentication attacks.
Option b attempts a beacon flood attack, randomly creating fake APs in the area, and option a attempts to jam a network by sending too many authentication frames. Neither of these attacks works for jamming the network, so instead, the most useful attack is option d.
The Deauthentication / Disassociation Amok Mode attack, by default, kicks everyone off of any nearby network, but with some filters, we can get it to behave more surgically.
To get started, you'll need a fully updated copy of Kali Linux and a Kali-compatible wireless network adapter. If you need help choosing one, you can check out our guide below.
To update your copy of Kali Linux, connect to the internet, open a terminal window, and run the commands below.
~$ apt update ~$ apt upgrade
Kali includes MDK3 by default, but if you don't have it installed, you can do so by typing the following.
~$ apt install mdk3 Reading package lists... Done Building dependency tree Reading state information... Done mdk3 is already the newest version (6.0-6). mdk3 set to manually installed. The following package was automatically installed and is no longer required: libgit2-27 Use 'apt autoremove' to remove it. 0 upgraded, 0 newly installed, 0 to remove and 1823 not upgraded.
Once this is installed, you can type mdk3 --help to see the main options.
Taking a look at the filter options for MDK3, we can type mdk3 --help d to get the help information for the deauthentication module specifically. Here we can see that it is different from the options for Aireplay-ng. Instead, we have the following options to craft our attack.
- -w flag for MAC addresses to ignore, or whitelist.
- -b flag for MAC addresses to attack, or blacklist.
- -s flag for the speed (packets per second) of the attack.
- -c flag for the channel to run the attack on.
Based on these options, we'll need to, at the very minimum, have one piece of information to start jamming anything. First, we'll need to put our network adapter into monitor mode and supply the name of the adapter in monitor mode to the program so it can execute.
To find this, we can type either ifconfig or the newer ip a in a terminal window to find the name of the network adapter. It should be something like "wlan0" or "wlan1."
When you have the name of the device, you can put it into monitor mode with the following airmon-ng command, where wlan0 is the name of your network card.
~$ sudo airmon-ng start wlan0
Once you've done so, type ifconfig or ip a again to get the new name of the device. You can expect it to be something like "wlan0mon."
When you have this information, you can run the script to deauthenticate everything nearby. This is noisy, not as effective as target jamming, and may require one card to work persistently. In my tests, one network card attacking everything nearby caused few noticeable disruptions, whereas three network cards attacking everything nearby caused noticeably annoying disconnections from the network.
To execute the attack, type the following in a terminal window, with wlan0mon as the name of your adapter in monitor mode.
~$ mdk3 wlan0mon d
Because this attack has to hop channels, it is likely to miss some APs and it may not be very fast. It's also very disruptive, as it can disconnect anything in range regardless of whether you have permission or if it's relevant to what you're doing.
A better option for jamming an area is to jam a channel. To know what channel to jam, we can use another tool called Airodump-ng to discover what channel our target is on. With our card in monitor mode as wlan0mon, we can type the following command to see information about all nearby wireless networks.
~$ airodump-ng wlan0mon
This will display all nearby access points, along with information about them. Here we can see which channel the access point we are targeting is on, which will limit our effect to a single channel rather than marauding around attacking anything that moves.
Once we know the channel the AP is on, we can press Ctrl-C to cancel the scan, and type the following into a terminal window, with the channel we're attacking being channel 6.
~$ mdk3 wlan0mon -c 6
Jamming a channel is very effective, but affects all APs and all devices operating on that channel. This can still be too noisy, so we'll need to refine this further to match the same targeting capabilities as Aireplay-ng.
Once we have a specific channel to attack, we can be more precise by adding a blacklist or a whitelist.
To do this, we'll re-run our Airmon-ng scan, and this time, we'll copy the MAC address of the device we wish to attack. I have tested doing this for both the address of the AP and the device you want to attack. Using the MAC address of the AP will attack everything on it, whereas adding the MAC address of the device will only attack it and nothing else on the network.
To get this information, we can type the following to find the APs on the channel we were targeting before, in this case, channel 6.
~$ airodump-ng wlan0mon -c 6
By specifying the channel we found before, we should be able to cut down on the number of devices we see. To find devices connected to our target network, we can look at the bottom of the output and discover devices that are listed as being associated with the MAC address matching our target network.
Once we find a MAC address that is associated, we can target it easily. Copy the MAC address, and then open a new terminal window. Type nano black.txt and press Enter to open a text editor window. Now, paste the MAC address of the device you wish to jam and press Ctrl-X to close the text editor.
Now, we can run MDK3 against the target network by running the command below, with black.txt as the text file we just created containing the MAC addresses we wish to jam.
~$ mdk3 wlan0mon d -c 6 -b ~/black.txt
Running this should very rapidly and persistently jam the device you indicated. In reverse, you can specify networks you want to leave alone the same way, and then run the command with the -w flag instead to attack everything else on the channel instead.
While these attacks can be scary depending on what is being targeted like a home security camera, these risks can be mitigated by using Ethernet wherever possible and upgrading the WPA3 when devices supporting it becomes available. One of the core differences between WPA2 and WPA3 is that WPA3 doesn't allow these kinds of attacks by preventing the authentication or disassociation packets from being forged in the first place.
Until then, you can use devices that support protected management frames, or if you suspect that you're being targeted with an attack like this, you can detect it using an intrusion detection system (IDS). Kismet can be used as an IDS to detect this sort of attack, as it will give you a warning on detecting disassociation or deauthentication frames being sprayed across a network.
I hope you enjoyed this guide to understanding advanced Wi-Fi jamming with MDK3 and Aireplay-ng! If you have any questions about this tutorial or Wi-Fi jamming, feel free to leave a comment or reach me on Twitter @KodyKinzie.