Learn Kali Linux Episode #37: Signal Jamming and Denial of Service Demonstration (Part 2)

Hello everybody and welcome to this
tutorial. Today, as I promised in the previous one, we will do a bit of
scripting, and we will see how that works to our advantage. Now a client might try
to hide, so you do need a key if you wish to perform some sort of a long term
wireless denial of service attack. You will want to be vigilant, you
will need to monitor the status of the network. You will need to see when the
MAC addresses are changed, when the ESSIDs are changed, when channels are
changed, and so on, and so forth. Now these things, well, you can do them manually, you
can do them with scripts, the choice is entirely yours. I can’t go into full bash
scripting here because that would be a course for itself, but I will show you some of the basics, and what you can do with bash
scripts. I mean, it’s very powerful, they’re very powerful, you can do a lot
with them. You can automate most of your tasks. And on top of that, we need to see
how we can deauthenticate particular clients on the network. So I didn’t
change anything, so I’m still in monitor mode if I’m not mistaken. I’m just gonna
go ahead, from the previous tutorial that is, I’m just going to go ahead and type
in airodump-ng wlp2s0, and when I press this, okay, I have my network here. So I’m just gonna go ahead and take its MAC address, and I want to
do a more precise scan. So here’s what I will do. I’ll do airodump-ng, and then
--bssid which will be the MAC address of this access point. And
I can also specify a channel with --channel, but I don’t really want to do
that. I just want to scan them for this MAC address and see, that way I’ll know
if the channel changes. The scan is now in progress. At some
point of time I’m sure I’ll get a client here, or something of a kind. Let me just deauthenticate and reauthenticate on my cell phone. I’m just gonna turn wireless
on and off and then I should get the signal, because there is no activity. If I was browsing the net on my phone, or
something like that, it would show up immediately, but I am not doing anything,
and there we go. Simple authentication will show a transition of packets
between the BSSID of 90:F6:52:C1:BB:18, and a station is basically
a device which is connected to that particular access point. Now I will go
ahead and stop this here, and before I continue you can see in the upper left
corner it says channel 6. This, and you have seen that these channels change, I
mean it’s been going from 1 to 14, if I’m not mistaken, and when these channels
here change, your wireless network card functions in accordance with these channels, and functions on these frequencies. So, that
might disrupt it, and you might need to, for a DoS attack, you might need to
manually reconfigure your wireless network card. As I’ve showed you before,
just use iwconfig and set it to whatever channel you want. Anyway, the
client, as I said, can change the MAC address, can change the ESSID, can change even the encryption method, and can change the channel. So how can you know
for sure if somebody changes all three of these? If somebody changed the channel, the MAC address, and the ESSID? How can you figure out what access point you are going to continue DoSing because you might have like a hundred of them, or
something of a kind, that you captured with this airodump-ng packet? How will you figure it out? Well, simple. The same
clients, these are clients, will be authenticated with the same networks. So,
even if the BSSID changes, even if the ESSID, the name, changes, so even if, I don’t know, I could change it here to something like 12345, or whatever, even if all of these parameters change, the clients which are authenticated to that access
point will not change. So, I suppose theoretically somebody could
go ahead and change the MAC addresses of every single device
connected to that access point, but think of the following scenario. You’re a company, or a coffee shop, or something like that, you cannot
go around changing everybody’s MAC addresses, on everybody’s
devices, no way. So, the first time around, see which clients are
authenticated to a particular access point, and then do a general airodump-ng
like this, so do a general one, do a general sweep like this, and
then you will see, there you go, you will see the authenticated clients down below.
This is for B0, somebody else I suppose. You will be able to
see down below who are the clients that are authenticated to that particular
network. And in such a way you will figure out the new MAC address and the new channel, the newest ESSID, and the DoS attack
will be able to proceed. So, as I said before, there really is no stopping it,
there is only hiding from it. Just go ahead and clear, and I have made a very
nice bash script here which I want to show you. Well, it’s not very nice but it does the job. So this signifies it’s a bash script.
This is a loop, this is an infinite loop. It will do, it will perform until I
actually put it to sleep, until I cancel it manually as a user. So let’s just go briefly
over it. It says aireplay-ng -0 5, so I want to send 5 deauthentication packets, and then -a to this MAC address, from this
interface. Next up, when those 5 deauthentication packets have been
sent, I want you to bring the interface down, so go ahead and bring the interface
down, use macchanger to change the MAC address of the interface to random,
so randomly changed MAC addresses of my wireless interface. Just print out the
new MAC so I know that something is happening. And then after that, let me just put a space, there we go, so you can see it better, and then I want you to reconfigure the mode of the
wireless interface to monitor again, bring it back up, tell me that the mode is monitor when you grep it, so in order to confirm it. Go ahead
and sleep for three seconds, and while you’re sleeping echo waiting. I don’t know, I just wrote this down for some strange reason. Anyway, what you can modify here is the following: you can modify the sleep timer, so you
can go to sleep for relatively larger or shorter periods of time depending on how
you wish to perform this DoS attack; you can also say something like, over here
you can read values from a file where you have a list of access
points which you wish to jam at particular time intervals. Now that’s a bit more of a complex script, bash scripting method. If you’re
interested feel free to pose it in the question sections, but you do need to have a certain knowledge of bash in order to be able to do that.
In any case, these are some of the things that I would like you
to try and play around with. If you succeed, good. If not, feel free to post it in the question sections. I will be more than happy to help you out.
Anyway, so as I said, you can have a list of MAC addresses here that is loaded from, I don’t know, from some file that you’ve previously created, and you
can jam particular wireless access points in certain time intervals.
When you do that you will also need a command down below in order to change to the appropriate channel, because you will also need to know the channels of those
access points. So iwconfig wlp2s0 channel, and then you will need to
specify a channel number here, so 7, or, I don’t know, 3, or 1, or something like that. Excellent! So not a bad idea. You can increase the effectiveness of your
wireless jamming. You can effectively, basically, jam your entire neighborhood,
which I definitely do not recommend as that is illegal, but people have been known
to do it. I mean, somebody somewhere figures out how to do it, and is genius enough to actually attempt it, there’s literally no gain in it. It
just messes, just annoying the neighbors I suppose, something like that.
But, anyway, as I said you can change your time intervals, that’s not a
bad idea at all. Feel free to play around with this as much as you want,
with this part here in the loop, and if you come up with any new ideas, or
something of a kind, feel free to post them in the discussion section, in the
discussions. I will be more than happy to take a look at it and see what you have
done on your own, because that is really one of the best ways you can learn
something. Anyway, let’s just go ahead and apply the script and see what happens.
No, I do not wish to save any changes. Anyway, before you can run a script you
of course need to do chmod +x jam.sh to make it executable. I have done this previously but let me just
show you, and then I’m just gonna type in jam.sh. And see I am, again, on the wrong channel. Waiting for
beacon on channel 7. wlp2s0 is on channel 7, but the access point uses channel
6. Excellent! So this actually even tells
you on what channel is the wireless access point. Fantastic! So iwconfig wlp2s0 channel, let me just quickly change this, 6, excellent, and
now we can begin the jamming process. Excellent! So you see here it sends 5 deauthentication attempts, the one that I have selected, and then it changes
the MAC address to something, I don’t know unknown, and then it brings monitor mode
back up again and says waiting. When it says waiting it’s sleeping for 3 seconds, or
something of a kind, whatever you write down, and you see the process is just
going to repeat itself on end pretty much until you shut the computer down, or
until you terminate the process by killing the PID, or just pressing ctrl C.
Not a bad way to deauthenticate at all, but there is another thing that you can
do. So you see here, let me just see… nope, I don’t want aireplay, airodump, excellent! So airodump, and you can use airodump in combination with
airmon, but there is a trick to it. You have to manually configure the channel
for airodump-ng so it doesn’t change the channel. If it changes the
channel your deauthentication attempts will not go through. So --channel, and let’s just tell it 6, press enter, excellent! Now it’s permanently scanning on channel 6 and
you are able to monitor any and all changes that take place here. So, for
example, if there are some changes that take place, you notice them, you can
implement them elsewhere. And by that I mean, if you simply lose this wireless, if
you no longer see it, perhaps the channel has been changed, or the BSSID has been changed, you can, great, I even got the handshake here, amazing! Oh, well, I suppose it’s because…oh, no, wait. I am actually not even performing the deauthentication, I just got the handshake. It doesn’t matter. Anyway,
if you lose it, cancel it and do a general sweep without the bssid specified
and without the channel specified. But you can also try just with the bssid
specified and with the channel not specified, because somebody could have
just changed the channel and the BSSID could have remained the same. One
of the methods you can apply, and I’m gonna use this in conjunction, I’m going to use the jam.sh which starts up aireplay in conjunction with airodump. So I can monitor the status and what is going on here. In
addition to that, I can actually jam the signal as well. And even though it says
that this station is actually authenticated with it, believe me on my
Android phone, or whatever this is, I would not be able to browse the Internet,
there is no way. I would be continuously deauthenticated, it would be impossible
for me to even open up a basic website. That would be beyond the abilities of the device. As I said before, you can actually use your own phone, so
you can use your own tablets, or whatever other devices, in order to confirm this.
But you can see that these tools can actually work in parallel to each other, no problems, as long as they are all using the same channel, because you cannot tell your wireless card to function on several channels at
once. At least I don’t know how to do that,
maybe you can somewhere on the net. It definitely can be at the same time, they can be modulated, but you cannot have them running at the same
time. So you do need to adjust the parameters a little bit, and then you can
use several of these tools at once. You can monitor the status, you can jam it, you can even get a WPA handshake, or something like that, and it says here interface is down because I have brought it down. Anyway, I thank
you for watching, and I hope to see you in the next tutorial. Until then, I bid you
farewell, and I urge you to try to do things on your own as much as you can, as
that is absolutely the best way to learn. Okay, so let me just do a quick show. Here
you can actually clear and nano jam.sh, excellent! So instead of actually
doing a general deauthentication here, you are also able to do this. So space
-c for client, and I’m just gonna stop this for now. I’m gonna take this
client, so just take the MAC address of the client, where it says -c paste it, Ctrl+O
to save, Ctrl+X to exit, and now we run jam.sh, excellent! It says Sending 64 directed DeAuth… this is all verbose output from the
program, that’s all that it is, and it says which client in specific it’s actually deauthenticating. That can be a pretty big problem as, see I’m gonna do
airodump-ng --channel 6. Okay, it says interface wlp2s0 is down. Okay, so sometimes it’s not gonna actually work out as I said before, primarily because I’m bringing the
interface down, but the scanning is actually in progress. And even though the
station might show here as actually connected, or something of a kind, try
browsing the net. As I said before, try doing anything with it on the internet. You
won’t be able literally to move, because nothing will be able to pass through,
that’s gonna be a pretty big problem. As I said before, you can confirm this with
any of your devices, you won’t be able to do anything with them. I just wanted to
show you how you can actually jam a particular client. You can also set the
rotations here to, don’t know, jam a particular client for a while, and then
jam a different one for a while. Again, you can have a list of clients here, and
load them up from a file, so they can modulate. You are jamming this client for
five minutes, for the next five minutes the next one, and so on, and so forth, in
such a way creating a bit of a chaotic situation. Anyway, I strongly urge you to try. We don’t necessarily need to
practice but just try to do something on your own. Try to alter the code, try to jam something of course that you have a permission to jam, and try to do
it in a bit of a different way, apply some other arguments, play around with
things, there really isn’t much that you can break here especially if you’re
doing it on your own wireless that you have a permission to do it on. And that
is really the best possible way to learn. But, in any case, I’m gonna bid you
farewell now, and I hope to see you in the next tutorial.
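The burst pattern the jam.sh loop produces (5 deauthentication frames, a MAC change, a 3 second sleep, repeat) and the 64 directed deauths per client shown with -c both stand out on the defender's side as a deauth rate far above normal roaming. This is an added detection example, not code from the video or from the aircrack-ng project; the log line format, the station and second AP addresses, and the window and threshold are constructed assumptions, and only the BSSID 90:f6:52:c1:bb:18 comes from the video.

```python
"""Flag deauthentication floods in a simplified 802.11 management-frame log.
Constructed line format (NOT airodump-ng output): <sec> <subtype> <src> <dst> <bssid>
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "90:f6:52:c1:bb:18"  # the BSSID shown in the video

# Constructed sample: AP gets bursts of 5 broadcast deauths ~3 s apart, then six
# directed at one station; an unrelated AP sees one deauth (ordinary roaming).
SAMPLE_LOG = "\n".join(
    [f"0.0 beacon {AP} {BROADCAST} {AP}"]
    + [f"{1.0 + i * 0.01:.2f} deauth {AP} {BROADCAST} {AP}" for i in range(5)]
    + [f"{4.0 + i * 0.01:.2f} deauth {AP} {BROADCAST} {AP}" for i in range(5)]
    + [f"{7.0 + i * 0.01:.2f} deauth {AP} aa:bb:cc:00:00:01 {AP}" for i in range(6)]
    + ["9.0 deauth 11:22:33:44:55:66 aa:bb:cc:00:00:02 11:22:33:44:55:66"]
)


def parse_log(text):
    """Yield (time, subtype, src, dst, bssid) for each well-formed line."""
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5:
            yield float(p[0]), p[1], p[2].lower(), p[3].lower(), p[4].lower()


def detect_deauth_floods(text, window=10.0, threshold=8):
    """Return {bssid: report} for every BSSID that received >= threshold deauth
    frames inside any sliding window of `window` seconds (timestamps must be
    non-decreasing, as in a live capture). The report separates broadcast deauths
    (aireplay-ng -0 N -a BSSID) from directed ones (-c STATION) and lists targets.
    """
    recent = defaultdict(deque)  # bssid -> deauth timestamps still inside window
    reports = {}
    for t, subtype, _src, dst, bssid in parse_log(text):
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append(t)
        while t - q[0] > window:  # expire timestamps older than the window
            q.popleft()
        rep = reports.setdefault(bssid, {"flood": False, "total": 0,
                                         "broadcast": 0, "targets": set()})
        rep["total"] += 1
        if dst == BROADCAST:
            rep["broadcast"] += 1
        else:
            rep["targets"].add(dst)
        if len(q) >= threshold:
            rep["flood"] = True
    return {b: r for b, r in reports.items() if r["flood"]}
```

The legitimate single deauth on the second AP never reaches the threshold, so only the flooded BSSID is reported, together with which station was singled out.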

13 thoughts on “Learn Kali Linux Episode #37: Signal Jamming and Denial of Service Demonstration (Part 2)”

  1. should one who is totally new to Linux use Kali Linux as their first distro? I am interested in Ethical Hacking, networks, robotics, Python, Raspberry Pie and creating AI drones. What OS distro and what IDE would you suggest me to start off with?

  2. Hey Joseph,
    I've tried your bash script before, like changing the interface to monitor mode, and it works fine. But your script for signal jamming, I don't know, it somehow works fine the first time, but when I tried to run it the second time I got the error saying "ioctl(SIOCGIFINDEX) failed: No such device.
    wlan0mon: ERROR while getting interface flags: No such device".
    My monitor mode automatically changed to managed mode. Please help, I've been scratching my head for two days.

  3. Get The Complete Ethical Hacking Course Bundle! http://josephdelgadillo.com/product/hacking-bundle-2017/

    Enroll in our newest course! https://www.udemy.com/ethical-hacking-kali-linux/?couponCode=YOUTUBE

  4. I looked up how to write bash on the internet and I learned how to make the bash script ask you for the BSSID and channel before it starts doing all the things, then the MAC changing and all the other things

  5. I am unable to see networks near me by running airodump-ng <interface>

    😢😢
    it's just showing blank

    BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

    BSSID STATION PWR Rate Lost Frames Probe

    I am on Parrot OS btw…
    and I am pretty much sure that I have proper network drivers …

    I am able to run in monitor mode but unable to scan for networks near me…
