Stealth DoS Attack
(against a WiFi device)
Disclaimer: This article is ethically wrong. I am not responsible for your actions. To avoid legal issues: Do only try this at home with all people involved being content.
Some years ago, I had some serious trouble with a roommate. The day this escalated, I decided to block Internet access to that person while pulling myself out of the line. Blacklisting the unwanted MAC address in the router settings was not an option. Something subtle was the way to go.
My first idea was using a lovely tool called arpspoof (which is part of the package dsniff) to poison the ARP (Address Resolution Protocol) cache and pull off some kind of man-in-the-middle attack between victim and router. Instead of forwarding the traffic through my machine, I decided not to setup a bridge. The result is a reliable DoS attack.
Unfortunately, when monitoring the traffic via Wireshark, lots of suspicious ARP packages become visible. This demands for a different attack vector: WiFi can always be jammed.
The plan sounds easy. We just have to continuously scan the network (silently) and de-authenticate the desired device by spoofing it's MAC on our own WiFi adapter while logging into the network with invalid credentials.
The victim will be disconnected from the network. It will reconnect, but shortly after as it has, it will be disconnected again.
The common tools are needed for this project:
- computer with Linux OS (Any Raspberry Pi will do)
- WiFi adapter
Disguising Our Machine
To be even less suspicious, let's disguise our machine as a repeater.
1. Change the hostname. Example:
2. Choose a static IP address which ends on 10 or 100. Example for
3. Change the MAC address to look like It's made by AVM. That means it needs to start with
C80E14. Because macchanger is more reliable across all distributions, we use that for changing our MAC. Let's assume our network interface is named
First of all, we have to put our WiFi interface (we call it
wlan0) into monitor mode. It also won't hurt fitting it to the access point's WiFi channel. Let's assume it's ch 11. Depending on your software version, the generated monitor interface will either be called
wlan0mon. Just save the code below as a shell script, so you can execute it whenever you need:
If that causes an error, set your WiFi interface into manual and hotplug mode (
1. We check whether the victim is connected to the network. Because we want to automate this process easily we simply use
nmap with the
-sn parameter (depending on our software version). That way, we will not be able to see our pings in wireshark.
2. We playback some nonsense. However, this takes some attempts in order to work out. 5 may be a working value. Next, we need the MAC of the accesspoint (e.g. C8:0E:14:4D:4C:0A) and victim (e.g. 10:41:7F:A3:A8:AA)
Automating The Process
You can download the whole project here. You may tweak a few files if your network interfaces have different names. Also, I did not write a ReadMe, yet, so just follow these instructions:
- Put all known hosts in
./hostnames/hostnames.txt. This is used for the logging and monitoring features.
- Put all victims' MACs in
- Put all accesspoints in
- Run the
Daemonize.sh. It is set to intervals of 1 minute, but you can add the time as parameter, e.g.
You can run the
Scanner.shmanually, instead. By adding the parameter
--logdata is being logged to
These are the contents of the script files:
Next Level: SchedulingMy roommates knew who's the IT guy in the house. To divert the suspicion from myself, I had to let the jamming start and stop at times differing from my daily routines. The most common way to achieve this is to start and kill the Daemonize script via cron jobs. Make sure you cd into the project folder. Example entries in