Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


wifi killer

Posted by fleschner at 2020-03-02

On the network we enjoy the same speed every day, but there are always people with bad intentions who make a normal network abnormal, for example with DoS/DDoS attacks: perfectly valid service requests are used to consume too many server resources, so that legitimate visits are disrupted. The same is true for WiFi.

A deauthentication attack (usually just called a "deauth attack") is a form of denial-of-service attack on wireless networks. It abuses the IEEE 802.11 protocol itself rather than any bug in a particular device. Attack principle: a client (a phone, a laptop) is normally associated with an AP, i.e. the router, and reaches the network through it. An attacker uses their own computer or another device to forge a Deauthentication frame. If the forged frame carries the AP's MAC address as its source, the client believes the AP has told it to disconnect; if it carries the client's MAC address, the router believes the client has asked to leave. Either way the connected device drops off the network. (When you turn on WiFi on your phone and see the nearby networks, that is mostly the router advertising itself with 802.11 Beacon management frames that your phone listens for; the phone can also actively send Probe Request frames.)


To understand why this works, we first need to look at the MAC layer of IEEE 802.11 (the MAC sublayer, not the MAC address). Everything 802.11 transmits is carried in frames, and they are central to how WiFi works. Frames fall into three types: data frames, control frames and management frames. The attack discussed here uses a management frame. Management frames make up a large share of the 802.11 frame types (the author will not go through them all here; there are many and they are complex). The field we care about in a deauthentication management frame is called the reason code.

IEEE 802.11 Reason Code

Reason code field

What does the reason code field do?

When a station is no longer allowed to stay on the network, the AP (or the station) sends a Disassociation or Deauthentication frame as a response.

Why do you need to deauthenticate?

That frame carries a 16-bit reason code field explaining why the peer can no longer stay joined.

Explanation of the reason code field table

Reason explanation:


This is the reason code table. To really understand it you have to work through the 802.11 frame formats yourself (the protocol is complex). Our attack method simply uses the 802.11 protocol as designed. Unlike other kinds of wireless interference, which need very expensive jamming equipment, here we only need to send deauthentication frames at the router and its clients. This works because in classic WPA/WPA2 networks management frames are neither authenticated nor encrypted, so any device in range can forge one; where 802.11w Protected Management Frames is enabled (mandatory in WPA3), deauthentication and disassociation frames carry a MIC and forged ones are discarded. The figure below explains how the deauthentication frame breaks the connection:


First, the client joining the WiFi sends an Authentication Request; the AP receives it and returns an Authentication Response to the client. The client then sends an Association Request and the AP returns an Association Response. From this point the client exchanges data with the AP. Now the attacker sends a forged Deauthentication frame. The client keeps sending data, but the AP is now blocked from accepting it: having received (or being believed to have sent) the deauthentication, the AP sends its own Deauthentication to the client and the client disconnects. The client mistakenly thinks the AP sent the first deauthentication, and the AP in turn deauthenticates the client for real. As long as the attacker keeps sending these frames, you cannot stay connected.

The figure above shows the deauthentication frame exchange.
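As an added example (this is not the blog's code, nor any ESP8266 firmware), the following Python builds the Deauthentication frame from the exchange above byte by byte, decodes its 16-bit reason code against a subset of the IEEE 802.11 reason code table, and then shows the defender's view of the same exchange: a counter that flags a client being hit by a deauth flood. The MAC addresses, timestamps and threshold are constructed sample values, and nothing is transmitted.

```python
"""Build, parse and detect IEEE 802.11 Deauthentication frames (in memory only).

Illustrative code added for this page; not the blog author's tooling.
"""
import struct
from collections import defaultdict

# Management-frame subtypes (frame control type 0)
SUBTYPE_ASSOC_REQ = 0x0
SUBTYPE_ASSOC_RESP = 0x1
SUBTYPE_DISASSOC = 0xA
SUBTYPE_AUTH = 0xB
SUBTYPE_DEAUTH = 0xC

# Subset of the IEEE 802.11 reason code table (the 16-bit field in the frame body)
REASON_CODES = {
    1: "Unspecified reason",
    2: "Previous authentication no longer valid",
    3: "Deauthenticated because sending STA is leaving (or has left) IBSS or ESS",
    4: "Disassociated due to inactivity",
    5: "Disassociated because AP is unable to handle all currently associated STAs",
    6: "Class 2 frame received from nonauthenticated STA",
    7: "Class 3 frame received from nonassociated STA",
    8: "Disassociated because sending STA is leaving (or has left) BSS",
    9: "STA requesting (re)association is not authenticated with responding STA",
}


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_deauth(dst: str, src: str, bssid: str, reason: int, seq: int = 0) -> bytes:
    """24-byte MAC header + 2-byte reason code = 26-byte Deauthentication frame.

    Frame Control byte 0 packs subtype<<4 | type<<2 | version, so a
    management/deauth frame starts with 0xC0; byte 1 holds the flags (none set).
    Spoofing is just choosing `src`/`bssid`: no key is needed without 802.11w.
    """
    frame_control = (SUBTYPE_DEAUTH << 4) | (0 << 2) | 0
    header = struct.pack("<BBH", frame_control, 0x00, 0)   # FC, flags, duration
    header += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    header += struct.pack("<H", (seq & 0xFFF) << 4)       # seq number in upper 12 bits
    return header + struct.pack("<H", reason)


def parse_mgmt(frame: bytes) -> dict:
    """Decode a management frame header; adds the reason code for deauth/disassoc."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0:
        raise ValueError(f"not a management frame (type {ftype})")
    info = {
        "subtype": subtype,
        "dst": mac_str(frame[4:10]),
        "src": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
    }
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        if len(frame) < 26:
            raise ValueError("deauth/disassoc frame missing reason code")
        code = struct.unpack_from("<H", frame, 24)[0]
        info["reason"] = code
        info["reason_text"] = REASON_CODES.get(code, "Reserved")
    return info


def detect_deauth_flood(frames, threshold: int = 10, window: float = 1.0) -> set:
    """Flag (bssid, dst) pairs that see more than `threshold` deauths in `window` seconds.

    `frames` is an iterable of (timestamp, raw_frame). A real AP or client sends
    one or two deauths when leaving; dozens per second is an attacker.
    Non-management frames and malformed frames are skipped, not counted.
    """
    seen = defaultdict(list)
    alerts = set()
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        try:
            info = parse_mgmt(raw)
        except ValueError:
            continue
        if info["subtype"] != SUBTYPE_DEAUTH:
            continue
        key = (info["bssid"], info["dst"])
        times = seen[key]
        times.append(ts)
        while times and ts - times[0] > window:   # slide the window forward
            times.pop(0)
        if len(times) > threshold:
            alerts.add(key)
    return alerts


AP = "aa:bb:cc:dd:ee:01"        # constructed sample BSSID
CLIENT = "11:22:33:44:55:66"    # constructed sample station


def sample_capture():
    """Constructed capture: one legitimate deauth, one data frame, then a spoofed flood."""
    frames = [(0.0, build_deauth(CLIENT, AP, AP, reason=4))]          # AP: inactivity
    frames.append((5.0, b"\x08\x00" + b"\x00" * 24))                  # data frame, ignored
    for i in range(30):                                               # attacker spoofs the AP
        frames.append((10.0 + i * 0.01, build_deauth(CLIENT, AP, AP, reason=7, seq=i)))
    return frames


if __name__ == "__main__":
    f = build_deauth(CLIENT, AP, AP, reason=7)
    print(f.hex())
    print(parse_mgmt(f))
    print("flooded:", detect_deauth_flood(sample_capture()))
```

Reason code 7 ("class 3 frame received from nonassociated STA") is the one most deauth tools pick, which makes it a useful signature when it arrives in bursts; the legitimate inactivity deauth in the sample stays below the threshold and is not flagged.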


This attack technique is used all over wireless security work. One example is capturing a .cap file containing the WPA handshake (the handshake carries material derived from the password, which then has to be brute-forced): we use the deauth attack when grabbing the handshake. First we knock the connected client offline; the device automatically reconnects to the router, we capture the handshake packets into the .cap file, and then run it against a dictionary to brute-force the password. WiFi phishing works the same way: create a phishing WiFi first, then disconnect the client with the deauth attack, so that when the phone decides it can no longer connect to the real network it connects straight to our phishing WiFi, and the captured handshake packet is used to verify the password the victim enters. (For the phishing tutorial see the author's "Wireless penetration: phishing WiFi".) Cameras that stream over WiFi are disrupted in the same way.

Bonus (the following content is offensive material; use it with discretion)

We want to jam the WiFi somewhere. Carry a laptop?

Too big and inconvenient. A Raspberry Pi? Too expensive. Instead we can bring a development board, the ESP8266. Once it is flashed with the WiFi killer firmware it can disrupt nearby WiFi.

This is the ESP8266. It sells for a little over 30 yuan on Taobao, but once flashed with the killer firmware it is worth much more than that. A small development board: convenient, compact and cheap.

Powered from a power bank, it brings up its own WiFi network, which we connect to in order to reach its control page.

Scan all nearby WiFi networks to pick attack targets

Now the attack options

The first one is the deauth attack we discussed today. The second creates fake APs. The third is basically unnecessary. Let's look at the second one.

This is what the phone's WiFi list shows

Fun, isn't it? The AP names can be set to anything you like. By now you probably want this firmware. Many thanks to invention control for providing the firmware flashing tutorial.

Link: password: c5cq