
How to take out a wifi.


16 replies to this topic

#1 sk3l1t0r

sk3l1t0r

    SCRiPT KiDDie

  • Members
  • 25 posts
  • Country:
  • Gender:Male
  • Location:San Diego, CA

Posted 05 May 2011 - 03:13 PM

Just curious is all.. I think it would be fun to do it on my wifi. How would I jam up my wifi connection remotely from my laptop? My network is usable by guests but my admin requires a password. Hopefully this is possible.. I was thinking a DDoS attack but I don't think that would work. Any thoughts welcomed.

#2 dinscurge

dinscurge

    "I Hack, therefore, I am"

  • Members
  • 935 posts
  • Country:
  • Gender:Male
  • Location:the bunker

Posted 05 May 2011 - 03:35 PM

Well, assuming it's your own router, you could DoS other people, no need for distributed DoS.. lol, as in just inject deauthentication packets to every IP/MAC addy on the network; that's similarish to a denial of service.. You'd prolly have to make a script to keep deauthing IP(s) that you type in.. otherwise they'd be able to just reconnect after, but if you keep sending them they would just keep getting dced. Not really much use for this sort of thing besides keeping someone off your net, as if you had static IPs set up I guess you could "ground" people off it if you didn't want them on at some specific time or whatever..

#3 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 05 May 2011 - 04:50 PM

Sometime this summer I'm gonna look into getting DD-WRT on a wireless router to send out white noise on channel 1, 6, or 11. That oughta DoS the router's wireless clients assuming it doesn't change channels automatically.

If anyone's got anything on this, let me know.

#4 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 399 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 06 May 2011 - 02:50 PM

EMP and/or HERF

#5 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,092 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 06 May 2011 - 03:24 PM

dinscurge's idea was very good. In aircrack-ng, if no source MAC is specified it goes to ff:ff:ff:ff:ff:ff. Some systems will ignore the Ethernet broadcast, but most do not.

edit: destination address, not source address.....

Edited by tekio, 06 May 2011 - 03:26 PM.


#6 dinscurge

dinscurge

    "I Hack, therefore, I am"

  • Members
  • 935 posts
  • Country:
  • Gender:Male
  • Location:the bunker

Posted 06 May 2011 - 05:53 PM

Sometime this summer I'm gonna look into getting DD-WRT on a wireless router to send out white noise on channel 1, 6, or 11. That oughta DoS the router's wireless clients assuming it doesn't change channels automatically.

If anyone's got anything on this, let me know.

Was wondering where the thread went; my post got lost in transition :p. Oh well. As per this.. I assume it wouldn't work very well as that'd basically be a jammer, except it'd be the same power as the router instead of significantly higher power.. so the router would have to be closer to their computer than the other router for it to really have much of an effect. I think deauthing would work much better, or you can always make a spark gap transmitter that would be a couple watts or more; with a directional antenna it would have much better results.. though that would just jam the signal. With deauthing you wouldn't have to totally jam the signal, you could just pick certain computers to keep deauthing, which is more useful, as if say you were grounding someone from your net because they were doing something stupid you could sort of ban them that way, for any amount of time you desired, where jamming would just block out any/all transmissions of lower power..

#7 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 06 May 2011 - 10:15 PM


Sometime this summer I'm gonna look into getting DD-WRT on a wireless router to send out white noise on channel 1, 6, or 11. That oughta DoS the router's wireless clients assuming it doesn't change channels automatically.

If anyone's got anything on this, let me know.

Was wondering where the thread went; my post got lost in transition :p. Oh well. As per this.. I assume it wouldn't work very well as that'd basically be a jammer, except it'd be the same power as the router instead of significantly higher power.. so the router would have to be closer to their computer than the other router for it to really have much of an effect. I think deauthing would work much better, or you can always make a spark gap transmitter that would be a couple watts or more; with a directional antenna it would have much better results.. though that would just jam the signal. With deauthing you wouldn't have to totally jam the signal, you could just pick certain computers to keep deauthing, which is more useful, as if say you were grounding someone from your net because they were doing something stupid you could sort of ban them that way, for any amount of time you desired, where jamming would just block out any/all transmissions of lower power..


Actually, you want about 10:1 signal:noise so if it's anywhere near the actual router you should be fine with a white noise generator. If anyone can pass me the code I'll be messing with this around May 12th and I can do some testing and tell you what the relative power needs to be.

#8 PurpleJesus

PurpleJesus

    Dangerous free thinker

  • Members
  • 1,578 posts
  • Gender:Male
  • Location:800

Posted 06 May 2011 - 11:17 PM

If you just want to screw with their heads... there's always airpwn.

#9 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 07 May 2011 - 03:15 PM

Just got a better statistic:
You can get 6 Mbps at 6 dB SNR (signal-noise ratio). So anything less than 6 dB is essentially unusable, and if you're running your own wireless on a non-overlapping channel, that's what they'll wind up connecting to. (Hint, hint kids.)

EDIT: If anyone can get me the info on how to set up DD-WRT to do this, I'd really appreciate it.

Edited by serrath, 07 May 2011 - 05:35 PM.


#10 dinscurge

dinscurge

    "I Hack, therefore, I am"

  • Members
  • 935 posts
  • Country:
  • Gender:Male
  • Location:the bunker

Posted 08 May 2011 - 01:02 AM

Actually, you want about 10:1 signal:noise so if it's anywhere near the actual router you should be fine with a white noise generator. If anyone can pass me the code I'll be messing with this around May 12th and I can do some testing and tell you what the relative power needs to be.


Eh, I suppose that's true :p It is digital technology after all; once a certain amount of the signal is lost it instantly stops working. The signal would still exist, as not all the traffic would be wiped out. Probably a lot would be left really, but that's not enough for it to work properly :p so that doesn't really matter.

#11 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 11 May 2011 - 02:39 AM


Actually, you want about 10:1 signal:noise so if it's anywhere near the actual router you should be fine with a white noise generator. If anyone can pass me the code I'll be messing with this around May 12th and I can do some testing and tell you what the relative power needs to be.


Eh, I suppose that's true :p It is digital technology after all; once a certain amount of the signal is lost it instantly stops working. The signal would still exist, as not all the traffic would be wiped out. Probably a lot would be left really, but that's not enough for it to work properly :p so that doesn't really matter.


So it's a plan? Help me script DD-WRT to do this and I'll do some testing on range and power required.

#12 dinscurge

dinscurge

    "I Hack, therefore, I am"

  • Members
  • 935 posts
  • Country:
  • Gender:Male
  • Location:the bunker

Posted 12 May 2011 - 09:22 PM

So it's a plan? Help me script DD-WRT to do this and I'll do some testing on range and power required.


Ahh, then the problem is I've never used DD-WRT :p lol

#13 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 14 May 2011 - 11:13 PM

Me neither. No problem, let's get learning!

#14 pan4x

pan4x

    Will I break 10 posts?

  • Members
  • 6 posts

Posted 27 May 2011 - 12:25 PM

The easiest way if you are in close proximity is to jam everything with a 2.4 GHz cordless phone. This will totally jam the channel and will prevent any communication. This works best on channel 1 or channels close to 1.

The downside to this is it will jam continuously, then not even you can communicate with the base station. Another strategy is to only jam when someone tries to send packets. A while back I helped develop a utility to do this based on madwifi and OpenHAL using cards with Atheros chipsets. Normally the hardware won't allow you to transmit when the channel is busy because of carrier sensing, but we found a way to force the card to transmit whenever we wanted even when the channel is busy. When multiple machines are trying to communicate with a base station, the base station randomly assigns each one a backoff timer or a NAV timer which is a countdown timer to determine when those machines are able to transmit. By setting the NAV timer to 0 you can force the card to transmit immediately regardless of carrier sensing. The location of the NAV register might be available in OpenHAL, we found it by reverse engineering the card.

We wrote a program to transmit as soon as there was an increase in RSSI, jamming the channel. It is also possible to selectively jam people if you grab the MAC header from the packet and identify the transmitter and jam before they finish sending the rest of the packet. This can really fuck with a sysadmin's mind since you can attack a network and have everything appear to be normal and working although the targeted box never seems to be able to communicate. The only way they can determine what is really happening is if they monitor the channel RSSI in real time and see the channel get jammed whenever the target tries to transmit, and even then they most likely wouldn't realize they are being jammed or consider that their network would be attacked in this way.
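The post above says the one way to catch a reactive jammer is to watch the channel noise floor in real time and notice that it jumps exactly when the monitored station keys up, and serrath's earlier post puts the usable link threshold at about 6 dB SNR. The Python below is an added example written for this thread, not code from any of the posters: it scores a series of noise-floor readings against a list of the monitored station's transmit times, and flags the case where bursts line up with those times far more often than chance would give. The readings, the transmit times, the 10 dB "burst" rise, the 2 ms reaction window and the 80%/5x decision rule are all constructed assumptions for the demo; the 6 dB figure is the thread's own.

```python
import statistics

# The thread's figure (serrath): about 6 Mbit/s at roughly 6 dB SNR, so below that the link
# is effectively unusable. Assumed here as the usable cut-off.
MIN_USABLE_SNR_DB = 6.0


def db_to_ratio(db):
    """Convert a dB figure to a linear power ratio (10 dB is the 10:1 mentioned in the thread)."""
    return 10 ** (db / 10.0)


def snr_db(signal_dbm, noise_dbm):
    """SNR in dB is the difference of the two dBm levels."""
    return signal_dbm - noise_dbm


def link_usable(signal_dbm, noise_dbm):
    return snr_db(signal_dbm, noise_dbm) >= MIN_USABLE_SNR_DB


def reactive_jam_score(noise_samples, tx_attempts_ms, react_window_ms=2, rise_db=10.0):
    """noise_samples: list of (t_ms, noise_floor_dbm) at 1 ms spacing with integer times.
    tx_attempts_ms: integer times (ms) at which the monitored station keyed up.
    Compares how often the floor jumps right after the station transmits with how often it
    is elevated at all. A reactive jammer makes the first far exceed the second; a microwave
    oven or a neighbour's traffic does not. Returns (frac_after_tx, frac_baseline, flagged)."""
    baseline = statistics.median(n for _, n in noise_samples)
    elevated = {t for t, n in noise_samples if n > baseline + rise_db}
    frac_baseline = len(elevated) / len(noise_samples)
    hits = sum(1 for tx in tx_attempts_ms
               if any((tx + d) in elevated for d in range(react_window_ms + 1)))
    frac_after_tx = hits / len(tx_attempts_ms) if tx_attempts_ms else 0.0
    # assumed decision rule: nearly every transmit attempt is followed by a burst, and that
    # is well above the background rate of bursts
    flagged = frac_after_tx >= 0.8 and frac_after_tx >= 5 * frac_baseline
    return frac_after_tx, frac_baseline, flagged


# ---- constructed sample data (not a real capture) ----
QUIET_DBM = -95.0
BURST_DBM = -60.0
TX_ATTEMPTS_MS = [100, 200, 300, 400, 500, 600, 700, 800, 900]


def constructed_samples(burst_starts_ms, burst_len_ms=3, duration_ms=1000):
    """One second of noise-floor readings at 1 ms spacing, quiet except for 3 ms bursts."""
    bursts = {t + d for t in burst_starts_ms for d in range(burst_len_ms)}
    return [(t, BURST_DBM if t in bursts else QUIET_DBM) for t in range(duration_ms)]


def reactive_case():
    # the floor jumps exactly when the monitored station keys up
    return reactive_jam_score(constructed_samples(TX_ATTEMPTS_MS), TX_ATTEMPTS_MS)


def benign_case():
    # bursts that have nothing to do with the station's timing
    return reactive_jam_score(constructed_samples([50, 333, 777]), TX_ATTEMPTS_MS)


if __name__ == "__main__":
    print("reactive:", reactive_case())
    print("benign:  ", benign_case())
    print("SNR with quiet floor:", snr_db(-70, QUIET_DBM), "dB, usable:", link_usable(-70, QUIET_DBM))
    print("SNR during burst:    ", snr_db(-70, BURST_DBM), "dB, usable:", link_usable(-70, BURST_DBM))
```

On real hardware the readings would come from a monitor-mode card's per-sample noise figure and the transmit times from the station's own driver log; the scoring is unchanged. The 10:1 ratio quoted in the thread corresponds to 10 dB, and 6 dB is roughly 4:1.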

#15 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,092 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 27 May 2011 - 12:59 PM

I still think the deauth is the best, most practical solution. I just say that because I've been a victim of it once. While playing with KisMAC, I fell asleep, left it running; set for the Ethernet broadcast address. Of course by the time I woke up and went to get on the net, nothing would connect to my router. At first I thought my router was fuxed. Finally I fired up OmniPeek and saw all the deauths.
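tekio only found out what was wrong by opening a sniffer and seeing the deauth frames, and his earlier post notes that the tool sent them to ff:ff:ff:ff:ff:ff. The Python below is an added example, not any poster's code: a minimal parser for the 24-byte 802.11 MAC header plus the reason code of deauthentication/disassociation frames, and a sliding-window counter that raises an alert when one BSSID sees a burst of them, noting whether they were addressed to the broadcast address or to one client. The frames it runs over are constructed inline (the MAC addresses, timings, the 1 s window and the 10-frame threshold are all assumptions for the demo).

```python
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0            # 802.11 frame type 0 = management
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_80211(frame):
    """Parse the MAC header (frame control, duration, addr1..3, sequence control) and, for
    deauth/disassoc frames, the little-endian reason code that follows it.
    Returns a dict, or None if the frame is too short or not protocol version 0."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F
    if version != 0:
        return None
    info = {
        "type": ftype, "subtype": subtype,
        "dst": mac_str(frame[4:10]),      # addr1: receiver
        "src": mac_str(frame[10:16]),     # addr2: transmitter
        "bssid": mac_str(frame[16:22]),   # addr3: BSSID for management frames
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
        "reason": None,
    }
    if ftype == MGMT_TYPE and subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def build_mgmt(subtype, dst, src, bssid, seq, reason=None):
    """Construct a management frame for the demo (no FCS, no radiotap header)."""
    fc0 = (subtype << 4) | (MGMT_TYPE << 2)
    hdr = (bytes([fc0, 0x00]) + struct.pack("<H", 0x013A)
           + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
           + struct.pack("<H", seq << 4))
    body = struct.pack("<H", reason) if reason is not None else b""
    return hdr + body


class DeauthFloodDetector:
    """Counts deauth/disassoc frames per BSSID inside a sliding time window."""

    def __init__(self, window_s=1.0, threshold=10):
        self.window_s, self.threshold = window_s, threshold
        self.recent = defaultdict(deque)   # bssid -> timestamps of recent deauth/disassoc
        self.alerted = set()

    def feed(self, ts, frame):
        """Feed one captured frame; returns an alert string once per flooded BSSID."""
        info = parse_80211(frame)
        if (info is None or info["type"] != MGMT_TYPE
                or info["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)):
            return None
        q = self.recent[info["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.threshold and info["bssid"] not in self.alerted:
            self.alerted.add(info["bssid"])
            kind = "broadcast" if info["dst"] == BROADCAST else "targeted"
            return (f"{kind} deauth/disassoc flood on BSSID {info['bssid']}: "
                    f"{len(q)} frames in {self.window_s}s (reason code {info['reason']})")
        return None


def scan(capture, window_s=1.0, threshold=10):
    """Run the detector over a list of (timestamp_s, frame_bytes); return the alerts."""
    det = DeauthFloodDetector(window_s, threshold)
    return [a for ts, frame in capture if (a := det.feed(ts, frame))]


def constructed_capture():
    """A constructed capture: one normal deauth, a beacon, then a broadcast deauth burst."""
    ap, client = "02:00:00:00:aa:01", "02:00:00:00:cc:01"
    cap = [(0.0, build_mgmt(SUBTYPE_DEAUTH, ap, client, ap, 1, reason=3)),   # client leaving
           (0.5, build_mgmt(SUBTYPE_BEACON, BROADCAST, ap, ap, 2))]          # ignored
    for i in range(30):   # 30 broadcast deauths "from" the AP, 20 ms apart
        cap.append((5.0 + i * 0.02, build_mgmt(SUBTYPE_DEAUTH, BROADCAST, ap, ap, 100 + i, reason=7)))
    return cap


if __name__ == "__main__":
    for alert in scan(constructed_capture()):
        print(alert)
```

An AP or wireless IDS with its own view of what it actually transmitted can go one step further and treat any deauth carrying its address as transmitter that it did not send as spoofed, whatever the rate; the window counter above is the version that works from a passive capture alone.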

#16 jmp_loop

jmp_loop

    Will I break 10 posts?

  • Members
  • 2 posts
  • Gender:Male

Posted 02 June 2011 - 12:57 AM

The easiest way if you are in close proximity is to jam everything with a 2.4 GHz cordless phone. This will totally jam the channel and will prevent any communication. This works best on channel 1 or channels close to 1.

The downside to this is it will jam continuously, then not even you can communicate with the base station. Another strategy is to only jam when someone tries to send packets. A while back I helped develop a utility to do this based on madwifi and OpenHAL using cards with Atheros chipsets. Normally the hardware won't allow you to transmit when the channel is busy because of carrier sensing, but we found a way to force the card to transmit whenever we wanted even when the channel is busy. When multiple machines are trying to communicate with a base station, the base station randomly assigns each one a backoff timer or a NAV timer which is a countdown timer to determine when those machines are able to transmit. By setting the NAV timer to 0 you can force the card to transmit immediately regardless of carrier sensing. The location of the NAV register might be available in OpenHAL, we found it by reverse engineering the card.

We wrote a program to transmit as soon as there was an increase in RSSI, jamming the channel. It is also possible to selectively jam people if you grab the MAC header from the packet and identify the transmitter and jam before they finish sending the rest of the packet. This can really fuck with a sysadmin's mind since you can attack a network and have everything appear to be normal and working although the targeted box never seems to be able to communicate. The only way they can determine what is really happening is if they monitor the channel RSSI in real time and see the channel get jammed whenever the target tries to transmit, and even then they most likely wouldn't realize they are being jammed or consider that their network would be attacked in this way.


In CSMA-CD there is an automatic backoff algorithm. Whenever there is a collision the senders wait for a random amount of time and then try again. You said if multiple users try to communicate the base station GIVES them the backoff value (as opposed to generating this value themselves). Are these two different things? If they are, how does the base station succeed in communicating the values when everybody wants to talk? Won't the packets collide? Forgive my noobish question, I am new here. :)

#17 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,092 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 02 June 2011 - 01:20 AM


The easiest way if you are in close proximity is to jam everything with a 2.4 GHz cordless phone. This will totally jam the channel and will prevent any communication. This works best on channel 1 or channels close to 1.

The downside to this is it will jam continuously, then not even you can communicate with the base station. Another strategy is to only jam when someone tries to send packets. A while back I helped develop a utility to do this based on madwifi and OpenHAL using cards with Atheros chipsets. Normally the hardware won't allow you to transmit when the channel is busy because of carrier sensing, but we found a way to force the card to transmit whenever we wanted even when the channel is busy. When multiple machines are trying to communicate with a base station, the base station randomly assigns each one a backoff timer or a NAV timer which is a countdown timer to determine when those machines are able to transmit. By setting the NAV timer to 0 you can force the card to transmit immediately regardless of carrier sensing. The location of the NAV register might be available in OpenHAL, we found it by reverse engineering the card.

We wrote a program to transmit as soon as there was an increase in RSSI, jamming the channel. It is also possible to selectively jam people if you grab the MAC header from the packet and identify the transmitter and jam before they finish sending the rest of the packet. This can really fuck with a sysadmin's mind since you can attack a network and have everything appear to be normal and working although the targeted box never seems to be able to communicate. The only way they can determine what is really happening is if they monitor the channel RSSI in real time and see the channel get jammed whenever the target tries to transmit, and even then they most likely wouldn't realize they are being jammed or consider that their network would be attacked in this way.


In CSMA-CD there is an automatic backoff algorithm. Whenever there is a collision the senders wait for a random amount of time and then try again. You said if multiple users try to communicate the base station GIVES them the backoff value (as opposed to generating this value themselves). Are these two different things? If they are, how does the base station succeed in communicating the values when everybody wants to talk? Won't the packets collide? Forgive my noobish question, I am new here. :)

WiFi. 802.11 doesn't use collision detection; each device would need two radios. It uses collision avoidance. Because the sending host first listens to the channel, looking to see if the receiving host is busy, random noise will cause it to just wait to send. AFAIK the sending host first looks for a CTS, clear to send, from the receiving host. If none is returned it backs off for a random interval generated by the sending host.
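To make jmp_loop's question concrete: in 802.11's distributed coordination function every station draws its own random backoff from its current contention window, freezes that countdown while the medium is busy, and doubles the window after each collision, so nothing has to be handed out by the AP and the question of how the AP would deliver the values never arises. The Python below is an added slot-by-slot simulation written for this thread, not any poster's code. The window sizes (a CWmin of 16 slots and a CWmax of 1024) are in the range 802.11 uses, and the 20-slot cost of a frame-plus-ACK exchange is a constructed figure; the model ignores DIFS/SIFS timing and RTS/CTS and keeps only the backoff logic.

```python
import random

CW_MIN = 16        # assumed initial contention window: backoff drawn from 0..15 slots
CW_MAX = 1024      # assumed cap on the window after repeated collisions
TX_SLOTS = 20      # constructed: slot times one frame + ACK keeps the medium busy


class Station:
    """One 802.11 station holding a single frame to send."""

    def __init__(self, name, rng):
        self.name, self.rng = name, rng
        self.cw = CW_MIN
        self.backoff = rng.randrange(self.cw)   # each station draws its own counter
        self.collisions = 0
        self.done = False

    def on_collision(self):
        """Binary exponential backoff: double the window (capped) and redraw."""
        self.collisions += 1
        self.cw = min(self.cw * 2, CW_MAX)
        self.backoff = self.rng.randrange(self.cw)


def simulate_dcf(n_stations, seed=1, max_slots=100000):
    """Run DCF until every station has delivered its frame.
    Returns slots used, collision count, delivery order and the largest window reached."""
    rng = random.Random(seed)
    stations = [Station(f"sta{i}", rng) for i in range(n_stations)]
    slot, busy_until, collisions, order = 0, 0, 0, []
    while not all(s.done for s in stations) and slot < max_slots:
        if slot < busy_until:
            # medium busy (the NAV set from the frame on the air): all counters frozen
            slot += 1
            continue
        ready = [s for s in stations if not s.done and s.backoff == 0]
        if len(ready) == 1:
            ready[0].done = True             # exactly one sender: success, ACK follows
            order.append(ready[0].name)
            busy_until = slot + TX_SLOTS
        elif len(ready) > 1:
            collisions += 1                  # two or more counters hit zero together
            for s in ready:
                s.on_collision()
            busy_until = slot + TX_SLOTS     # the garbled frames still occupied the air
        else:
            for s in stations:               # idle slot: everyone counts down by one
                if not s.done:
                    s.backoff -= 1
        slot += 1
    return {"slots": slot, "collisions": collisions, "order": order,
            "max_cw": max(s.cw for s in stations)}


def mean_collisions(n_stations, trials=200):
    """Average collisions over many seeds; grows with the number of contending stations."""
    return sum(simulate_dcf(n_stations, seed=t)["collisions"] for t in range(trials)) / trials


if __name__ == "__main__":
    print(simulate_dcf(5, seed=1))
    for n in (2, 5, 10):
        print(f"{n} stations: {mean_collisions(n):.2f} collisions on average")
```

The jump in average collisions from 2 to 10 stations is the whole reason the contention window grows after a collision: with no central scheduler, spreading the redraws over a wider range is the only lever each station has.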




BinRev is hosted by the great people at Lunarpages!