Thursday, 16 March 2017

ESP8266 Deauther


Today we have another cheap hacking tool project! I recently came across a tool on GitHub called the ESP8266 Deauther by Stefan Kremser. Essentially we can make a very portable Wi-Fi 'jammer' which is also capable of a few other neat tricks.

It's always important to understand what is going on behind the scenes. There are a lot of protocols and specifications implemented in wireless communication, created and maintained by the Institute of Electrical and Electronics Engineers (IEEE). Included in this set of protocols, classified as a management frame, is something called a deauthentication frame, which is used to disconnect devices from access points. The problem is that management frames are often unauthenticated and not encrypted, which makes spoofing these frames easy and effective.

(Please only use this for testing on your own network)

Setting up:

We need a cheap microcontroller which contains an ESP8266 chip. I used a NodeMCU DevKit which costs £8.10. There are cheaper options, however this one was shipped from the UK so arrived in just a few days.

The GitHub page gives us two options for installing the tool onto the chip. I chose the quicker of the two: the Arduino route, although well documented, takes a lot more effort to set up. I will explain in this article how I did it the quick way.

  • First download the esp8266_deauther_1.1_1mb.bin version from here
  • Secondly, download nodemcu-flasher from here

Plug your chip into the computer and run ESP8266Flasher.exe. We need to change a few things before we flash it.

Under Config make sure we have our esp8266_deauther_1.1_1mb.bin selected:

Under Operation select the right COM port; it will normally be the one that isn't COM1. If your device isn't recognised, make sure you are using a cable that supports data transfer:

Under Advanced make sure your options are the same as mine:

Now go back to Operation and click Flash! It will take about 30 seconds, then you should see a green tick.

On your computer or phone you should see a new Wi-Fi network called pwned; connect to it using the password deauther. Now open your browser and go to 192.168.4.1 and you should see the control panel.

Usage:

On the APs panel we can scan for access points in range of us:

We can then select one or more of these APs and move on to the Clients tab, where we can scan for client devices. Our connection to the device will drop during this scan, so we will have to reconnect manually:

I am going to select my phone here for testing. Once we hit Select we move on to the Attack tab:

Let's try out some attacks!

Starting the deauth attack, my phone was instantly disconnected and kept trying to reconnect, only to be disconnected again:

Beacon clone spammed my Wi-Fi network list with clones of the AP. If this happened to you, you would have no idea which one to connect to:

The beacon list requires us to populate the list with APs to flood with; we can either hit the Random button or enter our own:

Random:

Manual:

We can also run all these attacks from our phone and hook the chip up to a battery pack to make it really portable, although connecting to the device from a phone has been slightly temperamental for me:

Further implementation and analysis:

Now we've seen the attacks, how can we use them to our advantage?

  • We can use deauth attacks to reveal hidden SSIDs by disconnecting the clients and then monitoring for Probe Requests, which always contain the SSID. Probe Requests are discussed more in my article here.
  • Capturing the 4-way handshake for cracking WPA-PSK Wi-Fi security can be made a lot easier by getting clients to deauthenticate and reauthenticate with the access point.
  • Attempt to socially engineer a target into connecting to your Evil AP. Assuming they can't reliably connect to an AP, the target might be tempted to use a free and open Wi-Fi network available near them.

Now we've seen the attacks working and how we can use them to our benefit, let's have a further look at what's going on behind the scenes using a tool called Wireshark. To be able to sniff 802.11 packets with Wireshark we have to use a network card that is capable of monitor mode (you can read more about why here); I personally use an Alfa AWUS036NHA. I captured about 20 seconds of the deauthentication attack and of the beacon cloning/flooding.

Let's first take a look at the deauthentication attack. We can filter for just deauthentication packets by management frame (type 0) and subtype 12 (0x0c):
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)

Let's look a little further into what makes up the frame. We can see:

  1. Its Subtype, which is obviously Deauthentication.
  2. A lot of vendor-specific information, including MAC addresses.
  3. A Reason code. This can help someone analysing why devices are being deauthenticated. We can see our device is giving Reason code 1: Unspecified reason. For a full list of reason codes see here. I went back and checked the tool's source and it specifies reason 0x01, so we could change this manually if we wish:

Now let's take a look at the beacon flood. We can filter for just Beacon frames by management frame (type 0) and subtype 8 (0x08):

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x08)

Once again we look a little further into what makes up the frame:

  1. Its Subtype.
  2. The source and destination addresses; in this case the destination is broadcast, so the beacon reaches every device's network list.
  3. The Beacon Interval, which is the time between beacon broadcasts; changing this may help network speed.
  4. The SSID which is being broadcast; in this case we cloned the SSID of the AP.
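The two Wireshark filters above pick out deauthentication (subtype 12) and beacon (subtype 8) frames. As an added example (not code from this post or from the Deauther project), the Python below parses the same fields from raw 802.11 management frames and flags the two floods a defender watching a capture would look for: many deauths from one source address, and one SSID advertised by many distinct BSSIDs. The frames are constructed in memory as sample input; the MAC addresses, SSID and thresholds are assumptions.

```python
import struct
from collections import Counter

DEAUTH, BEACON = 12, 8   # management-frame (type 0) subtypes from the Wireshark filters
def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _fmt(b): return ":".join(f"{x:02x}" for x in b)

def mgmt_frame(subtype, dst, src, bssid, body, seq=0):
    # Raw 802.11 header: FC(2) Duration(2) A1 A2 A3 SeqCtl(2); FC byte 0 = subtype<<4 | type<<2
    fc = bytes([subtype << 4, 0])
    return fc + b"\x00\x00" + _mac(dst) + _mac(src) + _mac(bssid) + struct.pack("<H", seq << 4) + body

def parse_mgmt(frame):
    # Extract the fields the post inspects in Wireshark; None for non-management frames
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        return None
    info = {"subtype": fc0 >> 4, "dst": _fmt(frame[4:10]),
            "src": _fmt(frame[10:16]), "bssid": _fmt(frame[16:22])}
    body = frame[24:]
    if info["subtype"] == DEAUTH:
        info["reason"] = struct.unpack("<H", body[:2])[0]       # e.g. 1 = Unspecified reason
    elif info["subtype"] == BEACON:
        info["interval"] = struct.unpack("<H", body[8:10])[0]   # follows the 8-byte timestamp
        ies, i = body[12:], 0                                    # tagged IEs after capability field
        while i + 2 <= len(ies):
            tag, ln = ies[i], ies[i + 1]
            if tag == 0:                                         # SSID element
                info["ssid"] = ies[i + 2:i + 2 + ln].decode("utf-8", "replace")
                break
            i += 2 + ln
    return info

def detect_floods(frames, deauth_limit=10, clone_limit=3):
    # Flag sources sending many deauths, and SSIDs advertised by several distinct BSSIDs
    deauths, ssid_bssids = Counter(), {}
    for f in frames:
        p = parse_mgmt(f)
        if p and p["subtype"] == DEAUTH:
            deauths[p["src"]] += 1
        elif p and p["subtype"] == BEACON and "ssid" in p:
            ssid_bssids.setdefault(p["ssid"], set()).add(p["bssid"])
    return {"deauth_sources": [m for m, n in deauths.items() if n >= deauth_limit],
            "cloned_ssids": [s for s, b in ssid_bssids.items() if len(b) >= clone_limit]}

# Constructed sample capture (not the post's pcap): 12 deauths with reason code 1 spoofed from
# one AP address, then the same SSID beaconed from six different (cloned) BSSIDs.
AP, PHONE = "02:11:22:33:44:55", "02:aa:bb:cc:dd:ee"
SAMPLE = [mgmt_frame(DEAUTH, PHONE, AP, AP, struct.pack("<H", 1), seq=i) for i in range(12)]
for i in range(6):
    clone = f"02:00:00:00:00:{i:02x}"
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) + bytes([0, 6]) + b"MyWiFi"
    SAMPLE.append(mgmt_frame(BEACON, "ff:ff:ff:ff:ff:ff", clone, clone, body))
```

On a real capture, read each frame's raw bytes (after the radiotap header) and pass them to detect_floods; the same parser reproduces the Subtype, address, Reason code, Beacon Interval and SSID fields picked out above.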

I also found out that the Chromecast in my house is constantly broadcasting beacons with an SSID of broadcast:

Not sure how normal this behaviour is; I will investigate soon.

That wraps up today's write-up. I've been enjoying making these cheap hacking projects and seeing how and why they work, and it's been fun sharing it with you guys. I hope you enjoyed it; any questions or comments, let me know.
