I study at a college in a small city in a third-world country. Since this is my freshman year, I decided to stay in a dorm. Having luxuries like watching entire series of anime (hence my academic failure), I found it hard to share an internet connection with sixty male college students. This is the point where my hacker-wannabe high-school years paid off.
Wi-Fi technology includes a feature that allows access points to drop any device connected to them. Best part is, because of the protocol used, there isn't anything preventing people from showing themselves as the access point and sending these packets to the connected devices. Meaning: you can drop anyone from any Wi-Fi network you want. This is known as a "Deauthentication Attack", and most Wi-Fi networks are vulnerable to this kind of attack.
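The reason the attack works is that plain 802.11 deauthentication and disassociation frames are management frames sent without any integrity protection, so a client cannot tell whether they came from the real access point. The defence is 802.11w Protected Management Frames (PMF): once negotiated, clients discard unprotected deauth/disassoc frames. The hostapd fragment below is an added example (not configuration from the post or from the dorm's equipment); the SSID and passphrase are placeholders.

```ini
# hostapd.conf fragment (added example, placeholder values)
interface=wlan0
# placeholder SSID
ssid=EXAMPLE-DORM-AP
wpa=2
# PMF requires the SHA256-based AKM; keep plain WPA-PSK too for older clients
wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
# placeholder, replace before use
wpa_passphrase=CHANGE-ME-placeholder
rsn_pairwise=CCMP
# Protected Management Frames: 0 = disabled, 1 = optional, 2 = required
ieee80211w=2
```

With `ieee80211w=2` a client that does not support 802.11w cannot join at all; `ieee80211w=1` lets those clients connect but leaves them exactly as exposed as before, so it only protects the clients that negotiate PMF.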
So knowing this, I set out an unethical plan: whenever I had to download anime, I would check the Wi-Fi network to see who was using up the most bandwidth and send de-auth packets. That way I could have that delicious bandwidth for myself. After a quick Google search I found out I could use the Aircrack suite for the job. This suite includes various tools to sniff/hack/deauth... wireless networks. Since I had Lubuntu installed on my laptop, I typed "sudo apt-get install aircrack-ng" and got the suite. After getting the suite, I had to set my wireless card to monitor mode (so I could sniff the Wi-Fi packets around me), identify the access points/devices I would like to attack, and launch the attack. To do this I used 3 tools from the aircrack suite.
(wlan0 and mon0 used below are network interface names and may be different for you.)
airmon-ng start wlan0 # set wlan0 network interface to monitor mode
airodump-ng mon0 # show the access points, stations and their information
aireplay-ng -0 10 -c XX:XX:XX:XX:XX:XX -a YY:YY:YY:YY:YY:YY mon0 # sends 10 deauth packets through mon0 interface to the XX… device connected to the YY… access point.
After seeing how easy it was to drop people from the network, I wrote a Ruby script that would drop people continuously. Then I started to download my anime. Though I had one thing bothering me: I had to send de-auth packets to every client that was connected to every access point in the dorm. I checked the aireplay-ng manual and found out I could do broadcast deauthentication, which would drop every device connected to the access point. So I wrote another script to broadcast de-auth for every access point that I'm not connected to. This way I would connect to the least used access point, de-auth the other access points and a few selected people from my own access point. (I'm pretty sure there is a script out there that does this, but my script worked for me, so I was fine not searching for one.)
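From the other side of the air, both behaviours described above (bursts of unicast deauth frames aimed at one client, and broadcast deauth frames aimed at everyone on an access point) are easy to spot in a monitor-mode capture, because legitimate access points rarely send more than one or two disconnect frames at a time. The script below is an added example, not the author's Ruby script: it parses raw 802.11 deauth/disassoc frames (frame control, the three address fields, the reason code) and raises an alert for floods and for broadcast deauths. The frames, MAC addresses, timestamps and the flood threshold are all constructed for the demo.

```python
"""Flag 802.11 deauth/disassoc floods in a monitor-mode capture (added example).

Constructed sample frames only; nothing here is transmitted.
"""
import struct
from collections import defaultdict

MGMT = 0                  # frame type 0 = management
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed, locally administered addresses for the demo
AP_A = "02:00:00:00:aa:01"
AP_B = "02:00:00:00:aa:02"
CLIENT_1 = "02:00:00:00:c1:01"
CLIENT_2 = "02:00:00:00:c1:02"


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_disconnect_frame(frame: bytes):
    """Return a dict for deauth/disassoc frames, None for anything else."""
    if len(frame) < 26:                       # 24-byte header + 2-byte reason code
        return None
    fc0, fc1 = frame[0], frame[1]
    if fc0 & 0x03 != 0:                       # protocol version must be 0
        return None
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    if ftype != MGMT or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        return None
    return {
        "kind": "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc",
        "protected": bool(fc1 & 0x40),        # Protected Frame bit: set only under 802.11w/PMF
        "dst": mac(frame[4:10]),
        "src": mac(frame[10:16]),
        "bssid": mac(frame[16:22]),
        "reason": struct.unpack_from("<H", frame, 24)[0],
    }


def detect_deauth_floods(capture, window=1.0, threshold=5):
    """capture: iterable of (timestamp_seconds, frame_bytes).

    Alerts once per (src, bssid) pair whose unprotected deauth/disassoc count
    reaches `threshold` within any `window`-second span, and once for every
    broadcast deauth/disassoc seen. PMF-protected frames are ignored because a
    third party cannot forge them.
    """
    recent = defaultdict(list)
    reported = set()
    alerts = []
    for ts, frame in capture:
        info = parse_disconnect_frame(frame)
        if info is None or info["protected"]:
            continue
        key = (info["src"], info["bssid"])
        if info["dst"] == BROADCAST:
            alerts.append({"type": "broadcast_deauth", "src": info["src"],
                           "bssid": info["bssid"], "reason": info["reason"], "ts": ts})
        times = recent[key]
        times.append(ts)
        while times and ts - times[0] > window:   # slide the window
            times.pop(0)
        if len(times) >= threshold and key not in reported:
            reported.add(key)
            alerts.append({"type": "deauth_flood", "src": info["src"],
                           "bssid": info["bssid"], "count": len(times), "ts": ts})
    return alerts


def build_frame(subtype, dst, src, bssid, reason, protected=False):
    """Construct a minimal management frame for the demo (no FCS, no radiotap)."""
    fc0 = (subtype << 4) | (MGMT << 2)
    fc1 = 0x40 if protected else 0x00
    to_raw = lambda m: bytes.fromhex(m.replace(":", ""))
    header = bytes([fc0, fc1]) + b"\x00\x00" + to_raw(dst) + to_raw(src) + to_raw(bssid) + b"\x00\x00"
    return header + struct.pack("<H", reason)


def build_sample_capture():
    """Constructed capture: one normal deauth, a 10-frame flood, one broadcast, and PMF frames."""
    cap = [(0.0, build_frame(SUBTYPE_DEAUTH, CLIENT_1, AP_A, AP_A, 3))]          # benign: STA is leaving
    cap += [(round(5.0 + i * 0.1, 1), build_frame(SUBTYPE_DEAUTH, CLIENT_2, AP_A, AP_A, 7))
            for i in range(10)]                                                  # burst spoofing AP_A
    cap.append((8.0, build_frame(SUBTYPE_DEAUTH, BROADCAST, AP_B, AP_B, 7)))    # broadcast deauth
    cap += [(10.0 + i * 0.1, build_frame(SUBTYPE_DEAUTH, CLIENT_1, AP_B, AP_B, 7, protected=True))
            for i in range(6)]                                                   # PMF-protected: ignored
    return cap


SAMPLE_CAPTURE = build_sample_capture()

if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_CAPTURE):
        print(alert)
```

In practice the frames would come from a pcap taken on a monitor-mode interface (strip the radiotap header first) and the threshold would be tuned to the access point's normal behaviour; the important signal is the one shown here, many unprotected disconnect frames in a short window from one BSSID, or any broadcast deauth at all.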
After going like this for a while, I decided maybe I could find a better way to have my way with the dorm's internet, so I scanned the subnet for open port 80 (nmap 192.168.1.0/24 -p80) and found an access point web panel with the default login name and password. After this discovery, I logged in to the panel, changed the SSID (name) of the access point, hid it so other people couldn't see it (so people would think there was a problem with the access point; if they got a wrong password attempt, they would know something wasn't right) and changed its password. This way I had an access point running on a different channel than the rest of the access points, and mine to use. I also tried logging into the main router, but the login credentials for the router had been changed. If this is the case for you, you could try to brute force the web panel using nmap. The command for this is: `nmap --script http-brute --script-args 'userdb="user.txt",passdb="pass.txt"' -p80 192.168.1.x`. This command uses every username/password combination in the user.txt and pass.txt files and tries to log in to the web panel at 192.168.1.x (change it according to your nmap findings). You can also try telnetting to the router/AP so you can get more information about it. For example, I found out the model of the router used in our dorm and searched for its default credentials before trying the brute force attack.
Even though I didn't have credentials to log in to the router, I had the credentials for one of the access points. So now I can connect to this access point and de-auth the rest.
My workflow is as follows:
sudo airmon-ng start wlan1 # set the usb adapter to monitor mode
sudo iwconfig mon0 channel 6 # set the usb adapter's channel to the other access points' channel
sudo ruby ap_dropper.rb mon0 # run the access point dropper and broadcast deauth the access points I'm not connected to. This is just a script that uses the `aireplay-ng -0 10 -a YY:YY:YY:YY:YY:YY mon0` command to broadcast deauth a preset list of access points.
Although I can download my anime with the whole bandwidth of the dorm, I'm still confused how people don't notice the fact that whenever I'm in my dorm room, the network goes wild. I guess an asocial fat guy with glasses isn't a very suspicious type.
Things you need to keep in mind when doing this are:
* You can't deauth and connect to the internet with the same network card.
My solution to this was buying a USB wireless adapter.
* Lubuntu's (Linux) network manager uses both the USB and the on-board wireless adapter at the same time. Since this gives a 'resource is busy' error, you can't use either of the interfaces for attacking the network.
To fix this, you need to open up your /etc/network/interfaces file in an editor and add the network interface (iface wlan0 inet manual) you would like network-manager not to use. This way, when you restart the network manager, the interface you specified will not be used by Linux.
* You can't send deauth packets for access points that aren't on the same channel as your network interface.
The fix for this is simple: `sudo iwconfig mon0 channel 6`, where 6 is the channel the access points are using.
Tutorials for using and understanding some of the tools above: