
Weekend on the Dark Side

Compact, ESP8266 based, battery powered, multi target De-Auth attack implementation.

A "non-standard" use of the ESP8266 module. After reading the Hackaday article about packet injection on the ESP8266, I just couldn't stop myself from trying it. I already had experience with the MDK3 tool, and it wasn't difficult to bring part of it to the new hardware.

A long time ago I ordered several ESP8266 modules (ESP-201) for my yet-to-be-made home automation system. Not long before that I had a Wi-Fi security related project on "big" PCs, which inevitably brought me to the well-known Kali system. So the idea of using tiny ESP8266s for wireless penetration tests came to mind as soon as I had them on my table. But a quick look through an early version of the Espressif SDK didn't reveal any "hacker friendly" functions, so I focused on other applications.

Some time ago, as a faithful Hackaday RSS feed subscriber, I read the article about packet injection on the ESP8266. This article finally gave me the last piece of the puzzle and a plan for the weekend.


HARDWARE

My hardware setup consists of an ESP module, a mini DC-DC converter (D-SUN), pin headers, a jumper, a 9V battery plug and four 4k7 resistors.

The plug for the 9V battery can be salvaged from an old, discharged battery. The connections between plug and DC converter, and between converter and pin headers, are made from thick solid iron wire. This makes the construction solid and easy to handle. The resistors are connected as required by my ESP module: CHIP, RST -> PullUp; io15 -> PullDown. io0 is connected to a small 3-pin male header at the side of the assembly. If you fit the jumper and pull io0 to ground, you can flash the module via a TTL-level serial cable.

Without the jumper, the module boots into "battle" mode. It still outputs some diagnostic messages over the serial port, even if nothing is connected to receive them. As a bonus, a small blinking LED connected to the serial lines on the surface of the ESP module shows that something is going on and the software is still running :-)


SOFTWARE

I use the Arduino IDE (1.6.7), because it works with all the boards I have in my inventory. It is also multi-platform: I can easily start a project on Windows and finish it on Linux. I definitely miss the code completion and editor tools of my "workhorse", MS VS, but for small-scale projects it doesn't matter much.

I started with the code from the original article, but first adapted it for an Arduino project, and finally replaced nearly everything, looking with one eye at the MDK3 source code. My code has a couple of strange things: some fixes I made by looking at test results, without deep understanding or reading the standards. First, I do not have time for a complete analysis, and second, let's face the truth, I can't see many uses for this code except to show it to my friends.

Below is the screenshot from the wired Kali system which I use for monitoring. You can see how a ping to my phone, connected over Wi-Fi, was terminated ~10 seconds after I attached the battery to the assembly. You can also see the Deauthentication packets in the Wireshark dump.

The software works rather simply. It receives and parses Beacons, Data and QoS frames on a given channel and keeps lists of discovered Access Points and Clients. If it doesn't encounter any new AP or Client for 200ms, it starts the "deauth" procedure, disconnecting all clients discovered on this channel from the corresponding APs. Then the software moves to a new channel.
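Seen from the monitoring side, the burst described above (many deauthentication frames for one AP's clients within a fraction of a second) is easy to flag in a capture. The following is an added example, not part of the original project: Python that parses raw 802.11 headers and reports BSSIDs hit by such a burst. The function names, the 1 s window, the threshold of 10 and the sample frames are all assumptions constructed for illustration.

```python
import struct
from collections import defaultdict, deque

DEAUTH_FC0 = 0xC0  # frame-control byte 0: version 0, type 0 (mgmt), subtype 12 (deauth)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Return (dest, src, bssid, reason) for a deauth frame, else None.
    Expects a raw 802.11 frame with no radiotap header and no FCS."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC0:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)  # follows the 24-byte header
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def find_floods(capture, window=1.0, threshold=10):
    """capture: (timestamp_s, frame_bytes) pairs in time order. Returns
    {bssid: client MACs} for BSSIDs with >= threshold deauths in `window` s."""
    recent = defaultdict(deque)          # bssid -> deque of (ts, dest)
    alerts = {}
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        dest, _src, bssid, _reason = parsed
        q = recent[bssid]                # spoofed frames carry the AP's MAC, so key on BSSID
        q.append((ts, dest))
        while ts - q[0][0] > window:     # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault(bssid, set()).update(d for _, d in q)
    return alerts

def sample_capture():
    """Constructed capture: one beacon, one isolated deauth, one burst."""
    def frame(fc0, dest, bssid, body):
        return bytes([fc0, 0, 0, 0]) + dest + bssid + bssid + b"\x00\x00" + body
    ap1, ap2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    clients = [bytes.fromhex("0200000000a%d" % i) for i in range(3)]
    cap = [(0.00, frame(0x80, b"\xff" * 6, ap1, b"\x00" * 12)),
           (0.05, frame(0xC0, clients[0], ap2, b"\x03\x00"))]
    cap += [(0.10 + 0.02 * i, frame(0xC0, clients[i % 3], ap1, b"\x07\x00"))
            for i in range(12)]
    return cap

if __name__ == "__main__":
    for bssid, victims in find_floods(sample_capture()).items():
        print(f"deauth flood on {bssid}: {len(victims)} clients targeted")
```

The isolated deauth in the sample stays below the threshold and is not reported; only the 12-frame burst against the first BSSID is.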

Different devices behave differently in response to this attack. One of my phones goes permanently offline, while another manages to reconnect quickly while the software is checking other channels. There are several options I can suggest for people who would like a more stable effect:

  • At some point, stop scanning and only hop quickly over the channels with the DeAuth procedure.
  • Play with the time constants and packet numbers to find a better combination.
  • Buy 14 ESP modules for every Wi-Fi channel :-)

There is a catch with Espressif SDK versions and the "wifi_send_pkt_freedom" function. As mentioned here, "....wifi_send_pkt_freedom can't send management packets and encrypted packets, beacon is one kind of the management packets. We add this limitation because it may effect other devices......"

BUT, this fix is applied by Espressif only in the latest versions of the SDK. In SDK version 1.3.0 the "freedom" function was already present, but without limitations. You only may...

DeAuthTest.ino

Source code for Arduino IDE

ino - 10.96 kB - 01/26/2016 at 13:34


  • 1 × ESP8266 ESP-201 type, with antenna
  • 1 × Tiny DC-DC converter Input voltage: 4.5-28V, Output Voltage: 0.8-20V (adjustable)
  • 4 × Resistor 4.7 kOhm
  • 1 × 9V dry battery
  • 1 × 9V battery connector


  • 1
    Step 1

    There is nothing difficult in this build, but there are a few things to pay attention to.

    Start with the power supply circuit. Cut the iron wire and shape it properly. Attach 2 pieces to the 9V battery clip.

  • 2
    Step 2

    Insert wires attached to 9v clip into holes on DC-DC converter. Use solder to fix them.

    Attention! Watch for polarity and Input / Output of converter. These tiny boards burn easily.

  • 3
    Step 3

    Attach the converter & clip to the battery. Use a screwdriver to adjust the output voltage to 3.3V. The ESP is pretty sensitive to voltage; make sure you are within ±0.2 V of 3.3.

    Double check that + on converter output is really +.


Discussions

Bharbour wrote 07/02/2017 at 18:28 point

If you like the MS VS environment, the Atmel development environment uses it for their ARM stuff as well as their other processors.


JOhn gado wrote 02/01/2016 at 21:37 point

Hi, I'm a newbie and don't understand the purpose of this project. You can shut down a whole wifi network? You need to be connected to the wifi network? (You need the password?)


Rand Druid wrote 02/08/2016 at 07:44 point

You do not need the password. This is the main point. The DeAuthentication packet is not encrypted. You can ask a Wi-Fi client to disconnect from the Access Point. Nearly all clients comply with such a request (although, I think, you can patch Linux to ignore it). If you repeat it fast enough, you can keep the client(s) disconnected. The problem is, if you have only one Wi-Fi module and a lot of clients on different channels, the delays between sending disconnects to one client will increase. During this delay the client can connect back and work normally.


vinorasu wrote 02/01/2016 at 15:08 point

hi Rand,

nicely done, you got my admiration!

I am having issues replicating this, mostly the porting of sdk 13 to arduino environment.

I did the modifications in "user_interface.h" (sdk13 and sdk 15 tested) but still the return from the wifi_send_pkt_freedom() is -1, as it has failed to send. beacon and data packets return 0 as succeeded to send.

I have IDE v. 1.6.5 + esp8266 support 2.1.0-rc2

Could you please explain what files or folders you copied from the old sdk 13?

thanks in advance & regards


Rand Druid wrote 02/08/2016 at 07:45 point

I've answered on GitHub.


p0x wrote 01/31/2016 at 11:32 point

Hey - nice work.

There's also another deauth library that seems to be a lot more compact / efficient.

Maybe you could see how it works for you?

https://github.com/quantum-x/esp8266-deauth


Rand Druid wrote 02/08/2016 at 07:59 point

Thanks for the link. But as you can see, this is a solution only for fixed AP and Client MACs. In my project I added monitoring to find out MACs dynamically. On the same ESP in the first version, and on an additional ESP module in the second version.
As a next step I am thinking about adding a small web page to the monitoring ESP module, which you can open from your smartphone and select what you want to jam. Although I'm not sure I will find time for this...