How To Hack Wi-Fi: Performing A Denial Of Service (DoS) Attack On A ...

• By occupytheweb
• 7/23/13 8:43 AM
• Wi-Fi Hacking
• WonderHowTo

  

Welcome back, my neophyte hackers!

As part of my series on Wi-Fi hacking, I want to next look at denial-of-service (DoS) attacks, and DoSing a wireless access point (AP). There are a variety of ways to do this, but in this tutorial we'll be sending repeated deauthentication frames to the AP with aircrack-ng's aireplay. Remember, hacking wireless networks isn't all just cracking Wi-Fi passwords!

Our Problem Scenario

Let's imagine a scenario where your best friend's girlfriend just broke up with him. He was madly in love with her, and of course, is now devastated. He's terribly depressed, and not able to eat or sleep, much less study for his upcoming exams. He even considers killing himself. You stick by your best buddy and help him through the worst time of his life, and with your care and consideration, he recovers.

Unfortunately, he has college exams tomorrow. If he only had a few more days, he could cram and pass them. Our mission is to DOS the wireless access point so that the exam can't take place at the scheduled time and the school has to reschedule it, giving our best buddy the time he needs to cram and recover.

Our Scenario's Solution

So, on the day of the exam, our buddy goes to the classroom as scheduled, although totally unprepared to pass the exam. We only need to place ourselves somewhere close enough to be able to access the wireless access point. This could be in the hallway, the next room, or the library. Most access points will extend up to 300 feet (about 100 meters), so we don't have to be that close.

In addition, if we put a high gain antenna on our Alfa wireless card, we can be significantly farther away. Then we pull out our trusty computer with BackTrack and our Alfa wireless adapter to save our friend from exam Armageddon!

Step 1: Open a Terminal

Now that we're positioned within range of the wireless access point for the exam, let's fire up BackTrack and open a terminal. Let's make certain our wireless adapter is recognized in BackTrack and functioning.

• iwconfig

Step 2: Put the Wireless Adapter in Monitor Mode

Our next step is to put our wireless adapter in monitor mode with airmon-ng.

• airmon-ng start wlan0

Step 3: Monitor the Available APs with Airodump-Ng

Now we want to take a look at all the access points in range by using airodump-ng.

• airodump-ng mon0

As we can see, the access point for Concord University is the third access point displayed. Note its BSSID (this is its globally unique identifier based on its MAC address) and copy it.

Step 4: Connect to the Access Point

Now we need to connect to the AP with our computer.

We can see the connection at the bottom of screen. There we can see the access point's BSSID on the far left bottom and the MAC address of our client following it. We need both of these bits of information for our next step in this hack.

Step 5: Broadcast Deauthenticate Users on the AP

Now we're ready to deauthenticate (bump off) all the users from the AP. We need to send thousands of deauthenticate frames to keep any one from reconnecting to the AP. We can do this by typing the following into another terminal.

• aireplay-ng --deauth 1000 -a 00:09:5B:6F:64:1E -h 44:6D:57:C8:58:A0 mon0

• 00:09:5B:6F:64:1E is the BSSID of the AP.
• 44:6D:57:C8:58:A0 is the MAC address of our computer.
• 1000 is the number of deauthentication frames to send to the AP.

As the students attempt to connect to the AP to take the exam, they will be unable to connect, or as soon as they do, they'll be disconnected. It's unlikely that the teacher or professor will have any idea what's happening, and for that matter, neither will the school IT director.

Step 6: Success!

We need to keep these deauthentication frames going toward the AP until the teacher or professor finally gives up and reschedules the exam.

Now, our best buddy has a few days until the rescheduled exam to cram and pass. Thanks to BackTrack and a bit of hacking skill, we have saved our buddy from exam Armageddon!

Stay Tuned...

Make sure to check back on our Wi-Fi Hacking series, because even more wireless hacks are coming! If you have any questions, please comment below or start a discussion in the Null Byte forum and we'll try to help you out.

Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:

• Calculator
• Control Center
• Home Screen
• Lock Screen
• Maps
• Messages
• Music
• Notes
• Podcasts
• Reminders
• TV
• Weather

Keyboard, computers, and depressed kid images via Shutterstock

Related

• How to Hack Wi-Fi: Disabling Security Cameras on Any Wireless Network with Aireplay-Ng

• How to Hack Wi-Fi: Getting Started with the Aircrack-Ng Suite of Wi-Fi Hacking Tools

• How to Hack Wi-Fi: Cracking WPA2 Passwords Using the New PMKID Hashcat Attack

• How to Hack Wi-Fi: Getting Started with Terms & Technologies

• How To: The Beginner's Guide to Defending Against Wi-Fi Hacking

• Hack Like a Pro: How to Get Even with Your Annoying Neighbor by Bumping Them Off Their WiFi Network —Undetected

• How To: Hack WPA & WPA2 Wi-Fi Passwords with a Pixie-Dust Attack Using Airgeddon

• How to Hack Wi-Fi: Get Anyone's Wi-Fi Password Without Cracking Using Wifiphisher

• How To: Hack Wi-Fi Networks with Bettercap

• How To: Automate Wi-Fi Hacking with Wifite2

• How To: Null Byte & Null Space Labs Present: Wi-Fi Hacking, MITM Attacks & the USB Rubber Ducky

• How to Hack Wi-Fi: Selecting a Good Wi-Fi Hacking Strategy

• How To: Build a Pumpkin Pi — The Rogue AP & MITM Framework That Fits in Your Pocket

• How To: Spy on Network Relationships with Airgraph-Ng

• How to Hack Wi-Fi: Stealing Wi-Fi Passwords with an Evil Twin Attack

• How to Hack Wi-Fi: Creating an Evil Twin Wireless Access Point to Eavesdrop on Data

• How To: Scan, Fake & Attack Wi-Fi Networks with the ESP8266-Based WiFi Deauther

• How to Hack Wi-Fi: Choosing a Wireless Adapter for Hacking

• How to Hack Wi-Fi: DoSing a Wireless AP Continuously

• How to Hack Wi-Fi: Cracking WEP Passwords with Aircrack-Ng

• How To: Hack WiFi Passwords for Free Wireless Internet on Your PS3

• How to Hack Wi-Fi: Cracking WPA2-PSK Passwords Using Aircrack-Ng

• How To: Turn Any Phone into a Hacking Super Weapon with the Sonic

• How To: Protect Yourself from the KRACK Attacks WPA2 Wi-Fi Vulnerability

• How To: Share Wi-Fi Adapters Across a Network with Airserv-Ng

• How To: Use MDK3 for Advanced Wi-Fi Jamming

• How To: Hack Wi-Fi & Networks More Easily with Lazy Script

• How to Hack Wi-Fi: Hunting Down & Cracking WEP Networks

• Hacking Android: How to Create a Lab for Android Penetration Testing

• Guide: Wi-Fi Cards and Chipsets

• How to Hack Wi-Fi: Breaking a WPS PIN to Get the Password with Bully

• How To: Hack 5 GHz Wi-Fi Networks with an Alfa Wi-Fi Adapter

• Hacking Gear: 10 Essential Gadgets Every Hacker Should Try

• How To: Hack Your Neighbor with a Post-It Note, Part 1 (Performing Recon)

• How To: Crack WPA & WPA2 Wi-Fi Passwords with Pyrit

• News: Project Zero Finds iPhone & Android Open to Bugs in Broadcom's Wi-Fi Chips

• How To: Set Up a Headless Raspberry Pi Hacking Platform Running Kali Linux

• How To: Send ADB Commands Over Wi-Fi on Android

• RIP: Scroogle

• How To: Get Free Wi-Fi from Hotels & More

68 Comments

-1 cr0c0p 11 years ago

I like the way you created the story very engaging.

I've a question, if I want to deauthenticate only one client, I have to change the MAC address of the AP and put in there the client MAC?

I think, this tool is very useful when it comes to wireless topics.

It complemented all your Wi-Fi How to, can't wait for the next one installment.

Brian.

Reply 1 Subhash S 4 years ago

How to find mac address of my computer

Reply 1 Hoid 4 years ago

On Linux type ipa in terminal.

Reply 1 occupytheweb 11 years ago

Brian:

Glad you enjoyed it.

If you just want to deauthenticate one client, in the aireplay command before the mon0, you simply add the -c switch then the client's MAC address. . Works great!

OTW

Reply 1 cr0c0p 11 years ago

Thanks for the reply.

I seen other tutorials that don't use the -h switch because they aren't within the network, they only use the -a and -c switches.

If I don't know the password from the wireless network so I can't connected to it, can I do the DoS attack in the same way?, being outside of the wireless network?

I just wanted to clarify this doubt.

Reply 1 Grzegorz Roman Mróz 7 years ago

Yes, you can. Both on WPA, WPA2 and WEP secured networks

Reply 1 Mr.Hacker 9 years ago

after i typeaireplay-ng --deauth 1000 -a 00:11:22:33:44:55 -c 4c:7F:RT:78:66 wlan0moni get,22:44:08 Waiting for beacon frame (BSSID 00:11:22:33:44:55) on channel 1222:44:09 wlan0mon is on channel 12, but the AP uses channel 6im using kali 2.0

Reply 1 CyberHitchHiker 9 years ago

<!-- Original -->aireplay-ng --deauth 1000 -a 00:09:5B:6F:64:1E -h 44:6D:57:C8:58:A0 mon0<!-- Your Syntax -->"aireplay-ng --deauth 1000 -a 00:11:22:33:44:55 --->-c <---(??) 4c:7F:RT:78:66 wlan0mon"

Reply 1 Mr.Hacker 9 years ago

i am using kali 2.0 latest.. mon0 is replaced with wlan0monand i was trying to deauthenticate only one client.

Reply 1 CyberHitchHiker 9 years ago

The -c is wrong and un needed unless you are trying to monitor a certain channel. Should be -h according to this guide. The wlan0mon I understood already. ;-)

Reply 2 Mr.Hacker 9 years ago

ok ok i got.. insted -c i should use -h.. -c is for channel..Really thanks bro!!

Reply 1 occupytheweb 11 years ago

Brian:

You can do this attack without connecting to the AP, but you need to use the MAC address of someone who has.

OTW

Reply 1 cr0c0p 11 years ago

Thanks OTW I appreciate it.

Reply 2 code 404 9 years ago

amazing tutorials thank you very much I learned a lot .

sorry but I'm little bit confused ...back in Evil twin tutorial you did deathu attack without connecting to AP..but you didn't use a source MAC address ..but here you said we need the MAC address of someone who connected to AP...

I did it without a source MAC ..and it did work...

is there any difference ?

again thank you very much .

Reply 1 occupytheweb 9 years ago

The difference is that without a source MAC, everyone gets deauth-ed. With the source MAC, only that client gets deauth-ed. Some wireless AP's won't allow you to deauth without the MAC. As usual, it depends upon the circumstances.

Glad it worked for you.

Reply 1 code 404 9 years ago

thank you it's clear now :)

Reply 2 Guilty Spark 11 years ago

All of your posts are great. :)

Reply 1 Jacky marrow 11 years ago

Hey ,

Actually ,a great tutorial of yours OTW as usual ,keep up the good work .

I just wanted to ask does this trick will disconnect me too if i tried to connect to that AP while doing the DDoS'ing process ?

RegardsJacky

Reply 1 occupytheweb 11 years ago

Jacky:

Thanks Jacky. I'm glad you enjoy these tutorials!

Good question. In this attack, we really are not connected to the AP, just attacking it. If we were connected to the AP on another system, yes, we would be disconnected.

OTW

Reply 1 Jacky marrow 11 years ago - edited 11 years ago

Thanks for the fast reply OTW .

So that means we don't really need to know the authentication key for the network we are attacking ,just the MAC of the AP and our MAC and/or any machine's MAC inside the network (in case of an attack against a single machine inside the network ) ,right ?

RegardsJacky

Reply 1 occupytheweb 11 years ago

That is correct.

Reply 1 John Saul 11 years ago

For some reason... I followed the tutorial step-by-step, yet for some reason it didn't work.. Any ideas? I had to open numerous terminals in order to get through it all. And I'm on Ubuntu 12. I hope that doesn't make too big of a difference.

I followed this tutorial for installed aircrack-ng suite onto my ubuntu system,

https://null-byte.wonderhowto.com/how-to/install-aircrack-ng-your-linux-computer-correctly-0144216/

Reply 1 occupytheweb 11 years ago

John:

You will need to give me more info, if I'm to help you. Are you using a aircrack-ng compatible wireless adapter?

OTW

Reply 1 John Saul 11 years ago

Yeah, I"m pretty sure. It's an Intel Centrino Advanced-N 6230. It was an upgraded choice when I built my Dell XPS 17inch laptop through their website. And I'm unable to copy and paste the results from my xterm console when I issue something like "lspci -v". I hope this helps.. I'm very new here, and sure would like some guidance.

Thanks!!

Reply 1 occupytheweb 11 years ago

Is that wireless adapter on aircrack-ng's compatible list?

Reply 1 John Saul 11 years ago

It is compatible.

Reply 1 occupytheweb 11 years ago

Are you sure? I don't see it on the list.

Reply 1 occupytheweb 11 years ago - edited 11 years ago

John:

Check out these posts about getting your wireless Intel card to work on BT.

OTW

Reply 1 John Saul 11 years ago

You're right. I thought I saw the driver listed. I went to my terminal and did sudo lsmod and I thought I saw the proper driver listed there. Or maybe the module was loaded into the kernel but not chosen to be loaded? >.!!

Reply 1 Dante sky 10 years ago

It seems like it does not work under the "OPN" wireless?

Reply 1 occupytheweb 10 years ago

Dante:

It should work on an "OPN" access point as well.

OTW

Reply 1 secret king 10 years ago - edited 10 years ago

MASTER OTW:why i need to give our computer's MAC here????during WPA hacking we simply gave the command......

• aireplay-ng --deauth 100 -a 08:86:30:74:22:76 mon0

what difference between two??...........

Reply 1 Astenon 10 years ago

OTW, is there any way to do one of these attacks on several AP's that have the same ESSID but different MAC addresses and channels? Such as a school network?

Thanks for any ideas besides opening several terminals of aireplay-ng!.

Reply 1 occupytheweb 10 years ago

Why not open several terminals?

Reply 1 Astenon 10 years ago

Was just wondering if there was an easier way to do it/ manage it. Like if you could type it all in from one line.

Reply 1 Vinh Vong Hoang 10 years ago

Hi,Command: aireplay-ng --deauth 1000 -a 00:09:5B:6F:64:1E -h 44:6D:57:C8:58:A0 mon0

In this attack, that means that we will send 1000 deauthenticated frames come from our AP (mon0) to mac address 00:09:5B:6F:64:1E to try to disconnect everyone to the real AP, right? The option '-h' stands for 'set source Mac Address' and we set to our Mac Address computer and why we have to do that? I think that we just need to disconnect everybody: 'aireplay-ng --deauth 1000 -a 00:09:5B:6F:64:1E mon0'. Sorry as if it just a stupid question, I'm newbie to security and trying to learn Linux os. ^^!

Reply 1 occupytheweb 10 years ago

This switch -h tells the application what Mac address to use. We can spoof another Mac if we want or need to.

OTW

Reply 1 helper play 10 years ago - edited 10 years ago

I have tried this one and the result is I am disconnected but the other is still connected to the APthen i cannot discover any AP on wifi network until i restart my booting using flashdiskand nothing happened by trying with -canyone could help?

my access point uses WPA2 for the securityThanks

Reply 1 occupytheweb 10 years ago

Are you using aircrack compatible wireless adapter?

Reply 1 helper play 10 years ago

What is it?I don't know anything about thatIt is new for me today to experience with backtrack 5I am newbie

How to check that I have used the compatible wireless adapter?I've run airmon and airodump well without any problemand also aireplay is running but nothing happened to the other client except me as the source being disconnected

Thanks

Reply 1 occupytheweb 10 years ago

Check the compatibility of your wireless adapter at aircrack-ng.org.

Reply 1 helper play 10 years ago

my adapter Atheros AR9285I think it is not compatiblethen is ther anyway else to try this tutorial?

Thankyou and sorry if I bother you with any newbie questions

Reply 1 occupytheweb 10 years ago

Did you check the compatibility list?

Reply 1 helper play 10 years ago - edited 10 years ago

is it in this link?[link removed]I can not find any ar9285or how to read that table?

Reply 1 occupytheweb 10 years ago

No. You need to go to www.aircrack-ng.org and check there.

Reply 1 helper play 10 years ago

It is on the list right? atheros ar9285 aka ar5009

it is said:

Atheros and Zydas USB 802.11n cards. The rest of atheros chipsets excluding the ones mentioned and MIMO series as well as fullMAC (these are rare, only found in embedded devices) should be supported.

you mean, my adapter could run well?

Reply 1 CyberHitchHiker 10 years ago

Are you sure about that?

Reply 1 Alex Chase 10 years ago

Would just using aireplay-ng --deauth 1000 -a 00:09:5B:6F:64:1E mon0 make this attack anonymous? Or would you suggest spoofing a MAC just to be on the safe side?

Since I can perform deauth's while being offline I would assume this is a pretty safe trick. Or am I wrong and it's more susceptible to tracking than I realize?

Reply 1 occupytheweb 10 years ago

Alex:

The second BSSID is the authenticated user. You are already spoofing their MAC so it is anonymous already.

OTW

Reply 1 Alex Chase 10 years ago

Thanks OTWGood info as always

Reply 1 Chris Frellis 9 years ago

will this kick everyone with a wired connection as well?or just the people connected via wireless?

Reply 1 piyush mittal 9 years ago

Is there any way by which we can deauthenticate all the connected users to a wifi except one whose mac address is known to us?

Reply 1 Cameron Glass 9 years ago

For the mac address of our computer should we put our host machine mac address instead of virtual box virtual mac address?

Reply 1 occupytheweb 9 years ago

The MAC address of your virtual machine.

Reply 1 Cameron Glass 9 years ago

Okay, good. Mac address of wlan0, right? Sorry for so many questions, I'm known to be a big ol' noob.

Reply 1 occupytheweb 9 years ago

Yes, the MAC address of whatever wireless card you are using. Usually, it will be wlan0, or it may be wlan1.

Reply 1 piyush mittal 9 years ago

sir can you please tell me the command for my query asked above!

Reply 1 occupytheweb 9 years ago

There is no such command.

Reply 1 Asad Ahmad 9 years ago

Very nice tutorials.but i have a question.when i send the deauth packets,both of my android devices are disconnected from the Ap and even my laptop on which im running kali on vm ware is disconnected from the internet but two other windows machines in my home connected to the same Ap are not deauthenticated,instead they surf the internet without any issue.can you kindly explain why they are not deauthenticated and how to deauthenticate them

Reply 1 Utkarsh Wadhwa 9 years ago - edited 9 years ago

Hi,I use a different command

"aireplay-ng -0 0 -a BSSID mon0 --ignore-negative-one"

In this, I am facing a problem that sometimes it works and sometimes not. I usually use it on multiple routers and after 3 terminal window simultaneously working and sending deauth packet, the command stop working on the next router(4th one.

Even the 1st time(1st router) I run the command it displays the error that mention the ESSID but if I run the same command again and again then it work fine.

I run Kali Linux on VM ware using the Alfa AWUS051NH card.

Please help me with it.

Reply 1 Alpha Shadow 9 years ago - edited 9 years ago

Hi,

I am trying to deauth an AP with aireplay but it's not working it used to work before.

I used this command :aireplay-ng --deauth 1000 -a B4:74:9F:06:05:C0 wlan0mon00:15:54 Waiting for beacon frame (BSSID: B4:74:9F:06:05:C0) on channel 1300:16:05 No such BSSID available.Please specify an ESSID (-e).

then this one:aireplay-ng -deauth 1000 -a B4:74:9F:06:05:C0 wlan0monInvalid destination MAC address."aireplay-ng --help" for help.

P.S: iam sure of the bssid i used the problem is not there

aireplay-ng --deauth 100 -a C0:4A:00:E6:00:B6 wlan0mon00:41:23 Waiting for beacon frame (BSSID: C0:4A:00:E6:00:B6) on channel 700:41:23 wlan0mon is on channel 7, but the AP uses channel 8

http://imgur.com/a/8FcdW

http://imgur.com/yt3Mgq3

Reply 1 occupytheweb 9 years ago

Please take a look at this article on wireless DoSing.

Reply 1 Rohan Patel 9 years ago

hey there i am using kali linux 2.0 latest and my terminal is not entering in monitoring mode ..........what should i do? please help.......

Reply 1 Yokai Seishinkage Innorruk 8 years ago

I swear... Some of these people commenting just do not need to be trying this without learning how to use the linux Kernel...

Reply 1 Ali Hobaba 8 years ago

Hi All, I want to make one WiFi access point down, how to do it?

Reply 1 vinod kumar 8 years ago

I'm getting error " Monitor is in channel 2 ,AP uses channel 6 please specify essid(-e)" I don't understand what to do.

Reply 1 Who AmI 7 years ago

continue it mr. vinod kumar until it comes the monitor is in channel 6.

Reply 1 Denis Damb 7 years ago

Very nice tutorial, there's just one things that's not clear for me. Do I really need a wireless adapter for this to work? And for other craks, it is needed?

Reply

Share Your Thoughts

You Login to Comment Click to share your thoughts

• Hot
• Latest

• Hack Like a Pro: Digital Forensics for the Aspiring Hacker, Part 1 (Tools & Techniques)

• How To: Make Your Own Bad USB

• Hack Like a Pro: How to Conduct Passive Reconnaissance of a Potential Target

• How To: Spy on Traffic from a Smartphone with Wireshark

• How To: Buy the Best Wireless Network Adapter for Wi-Fi Hacking in 2019

• How to Hack Wi-Fi: Stealing Wi-Fi Passwords with an Evil Twin Attack

• Steganography: How to Hide Secret Data Inside an Image or Audio File in Seconds

• Hack Like a Pro: Capturing Zero-Day Exploits in the Wild with a Dionaea Honeypot, Part 1

• How To: Perform Advanced Man-in-the-Middle Attacks with Xerosploit

• Hack Like a Pro: Capturing Zero-Day Exploits in the Wild with a Dionaea Honeypot, Part 2 (Configuration)

• How To: Set Your Wi-Fi Card's TX Power Higher Than 30 dBm

• How To: Automate Wi-Fi Hacking with Wifite2

• How To: Use MDK3 for Advanced Wi-Fi Jamming

• How To: Stealthfully Sniff Wi-Fi Activity Without Connecting to a Target Router

• How To: Find Anyone's Private Phone Number Using Facebook

• Hack Like a Pro: How to Use Netcat, the Swiss Army Knife of Hacking Tools

• How to Hack Like a Pro: Getting Started with Metasploit

• How to Hack Wi-Fi: Build a Software-Based Wi-Fi Jammer with Airgeddon

• Mac for Hackers: How to Set Up Homebrew to Install & Update Open-Source Tools

• How To: Fake Captive Portal with an Android Phone

• All Features

• Hack Like a Pro: Digital Forensics for the Aspiring Hacker, Part 1 (Tools & Techniques)

• How To: Make Your Own Bad USB

• Hack Like a Pro: How to Conduct Passive Reconnaissance of a Potential Target

• How To: Spy on Traffic from a Smartphone with Wireshark

• How To: Buy the Best Wireless Network Adapter for Wi-Fi Hacking in 2019

• How to Hack Wi-Fi: Stealing Wi-Fi Passwords with an Evil Twin Attack

• Steganography: How to Hide Secret Data Inside an Image or Audio File in Seconds

• Hack Like a Pro: Capturing Zero-Day Exploits in the Wild with a Dionaea Honeypot, Part 1

• How To: Perform Advanced Man-in-the-Middle Attacks with Xerosploit

• Hack Like a Pro: Capturing Zero-Day Exploits in the Wild with a Dionaea Honeypot, Part 2 (Configuration)

• How To: Set Your Wi-Fi Card's TX Power Higher Than 30 dBm

• How To: Automate Wi-Fi Hacking with Wifite2

• How To: Use MDK3 for Advanced Wi-Fi Jamming

• How To: Stealthfully Sniff Wi-Fi Activity Without Connecting to a Target Router

• How To: Find Anyone's Private Phone Number Using Facebook

• Hack Like a Pro: How to Use Netcat, the Swiss Army Knife of Hacking Tools

• How to Hack Like a Pro: Getting Started with Metasploit

• How to Hack Wi-Fi: Build a Software-Based Wi-Fi Jammer with Airgeddon

• Mac for Hackers: How to Set Up Homebrew to Install & Update Open-Source Tools

• How To: Fake Captive Portal with an Android Phone

• All Hot Posts

© 2024 WonderHowTo, Inc.