WiFi jamming: jam wireless networks with Kali Linux
WiFi jamming allows you to drive unwanted, rogue stations off of your network. Is someone stealing your bandwidth? Or messing with your Wi-Fi? Then get rid of them with this deauthentication attack using Kali Linux and some simple tools.
WiFi jamming: a ‘denial-of-service attack’
In this tutorial we will be flooding the target access point with deauthentication packets. This will cause the target access point to disconnect the wireless clients from the network. So in fact this ‘Wi-Fi deauthentication attack’ is a type of denial-of-service (DoS) attack. It doesn’t involve the actual jamming of radio frequencies.
Requirements and procedure
For WiFi jamming you will need a computer running Kali Linux, and a wireless interface which is capable of operating in monitor mode and can do packet injection. I will be using the TP-Link TL-WN722N 150Mbps High Gain Wireless USB Adapter, which is cheap and powerful.


When you have your system up and running, it only takes 3 easy steps to drive rogue stations off your network:
- Enable monitor mode on your wireless interface.
- Determine the MAC addresses of the target access point (and client).
- Send deauthentication packets to the access point to disconnect one or all clients.
Enable monitor mode on the WiFi interface
First of all, list the available wireless interfaces by running airmon-ng:
airmon-ng


My laptop has two built-in WiFi cards (wlan0 and wlan1), but for the WiFi jamming I will be using the TP-Link USB adapter which is wlan4. If your wireless interface is wlan0, you should type ‘wlan0’ whenever I mention ‘wlan4’ in this tutorial.
Enable monitor mode on the wireless card:
airmon-ng start wlan4


The output of airmon-ng tells us two important things:
- There are a few processes that could interfere with airodump-ng.
- A new monitor mode interface called wlan4mon was created.
To get rid of the interfering processes, kill them by using ‘airmon-ng check kill’:
airmon-ng check kill
Your wireless interface is now ready to be used by Airodump-ng in the following steps.
Determine the target MAC address
Now we use airodump-ng on the interface wlan4mon to scan for all nearby networks:
airodump-ng wlan4mon


In the image above you see our target access point with ESSID ‘OneGuyOneBlog’. The important part here is the BSSID (‘C6:25:06:57:99:0E’) of this access point. This is the MAC address which we will need to send our packets to later on. Also take note of the channel (CH 1) which this access point is operating on.
Next, we use airodump-ng to discover which clients are connected to ‘OneGuyOneBlog’ by using the BSSID and channel number we just found:
airodump-ng -c 1 --bssid C6:25:06:57:99:0E wlan4mon
Note: do not forget to change the channel ‘-c 1’ to the channel number of your target AP, or you’ll get the error “No such BSSID available”.


The image above shows that there are two clients (‘stations’) connected to our target access point ‘OneGuyOneBlog’. One with the MAC address 90:C1:15:1C:85:C0 and the other with address F0:25:B7:23:CB:03.
Disconnect all clients
If you want to disconnect all wireless devices from the target network, you can do this by using Aireplay on the BSSID of the access point like this:
aireplay-ng -0 0 -a C6:25:06:57:99:0E wlan4mon
The option ‘-0 0’ (two zeroes) tells Aireplay to use attack type 0 (deauthentication) and to repeat it 0 times, where zero means infinite.


Disconnect a single client
If you also specify the MAC address of a client (see ‘stations’ above) with the -c option, you can disconnect just that single wireless device from the network instead of all devices:
aireplay-ng -0 0 -a C6:25:06:57:99:0E -c 90:C1:15:1C:85:C0 wlan4mon
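Seen from the defending side, both aireplay-ng commands above show up in a monitor-mode capture as bursts of deauthentication frames carrying the access point's BSSID. The following is an added example, not part of the original tutorial: a Python detector that parses raw 802.11 frames (radiotap header already removed) and counts deauthentication frames per BSSID in a sliding window. The window, threshold, helper names and sample frames are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict, deque

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Return (dest, src, bssid, reason) if `frame` (raw 802.11 MAC frame,
    radiotap header already removed) is a deauthentication frame, else None."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != 12:      # management frame, subtype deauthentication
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)  # reason code follows the 24-byte header
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_floods(capture, window=1.0, threshold=20):
    """capture: time-ordered (timestamp_seconds, frame_bytes) pairs. Returns
    {bssid: {"peak": n, "targets": set}} for BSSIDs at or above the threshold."""
    recent, alerts = defaultdict(deque), {}
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        dest, _src, bssid, _reason = parsed
        q = recent[bssid]
        q.append((ts, dest))
        while ts - q[0][0] > window:     # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(bssid, {"peak": 0, "targets": set()})
            alert["peak"] = max(alert["peak"], len(q))
            alert["targets"].update(d for _, d in q)
    return alerts

def build_frame(subtype, dest, src, bssid, reason=7):
    """Build a constructed test frame (not a real capture)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    header = bytes([subtype << 4, 0, 0, 0]) + raw(dest) + raw(src) + raw(bssid) + b"\x00\x00"
    return header + struct.pack("<H", reason)

def sample_capture():
    """Constructed capture: beacons, one ordinary deauth, then a 64-frame burst."""
    ap, sta, other = "c6:25:06:57:99:0e", "90:c1:15:1c:85:c0", "02:00:00:00:00:01"
    frames = [(float(i), build_frame(8, "ff:ff:ff:ff:ff:ff", ap, ap)) for i in range(5)]
    frames.append((5.0, build_frame(12, other, "02:00:00:00:00:02", other)))
    frames += [(10 + i * 0.005, build_frame(12, sta, ap, ap)) for i in range(64)]
    return frames
```

Calling detect_floods(sample_capture()) flags only the BSSID that received the burst. A target set containing ff:ff:ff:ff:ff:ff corresponds to the broadcast form of the command, a single station address to the -c form.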


Disclaimer
This tutorial is for educational purposes only. Although WiFi jamming is not real hacking, messing with other people’s wireless networks might be illegal where you live. So only use this method on networks you own or are allowed to mess with.
Wifi jamming / deauth attack with ESP8266
If you are looking for a more portable and stealthy way of jamming wireless networks, then you should read WiFi jammer / deauth attack using ESP-Wroom-02. It describes how you can use a cheap battery powered microcontroller development board as a stand-alone device for wifi deauthentication attacks.


My terminals show that this bssid is not available at the very end. What to do? I followed all the steps.
Is your signal strong enough to reach the AP? And what is the exact error message and after which command does it appear?
Hi there. Same problem here, aireplay-ng terminates with “No such BSSID available”. Signal is strong enough, I’m 4 meters away from the AP. The weird thing is that airodump-ng shows channel 3 for my AP’s MAC, while aireplay-ng prints “waiting for beacon frame on channel 6” and sometimes “… channel 8”.
Did you take this step:
airodump-ng -c 1 --bssid C6:25:06:57:99:0E wlan4mon
Where you change ‘-c 1’ to the appropriate channel where the target bssid is on?
Dang, stupid me, missed the -c parameter in the command line. Works now! Thanks 🙂
Going now to draw a bulls-eye on the wall and label it “the place to bang my head”.
No problem, I’m glad you got it working. I will make it a bit more clear in the description.
I thought it was pretty clear, let’s see what I missed. I’m able to deauth and capture handshakes, but I can’t see any clients. I have changed the -c to the correct channel. Weird.
Very weird indeed! Did you already uncover the mystery?
Yes, I found a solution: I updated to Kali 2017, and now it works 90% of the time. Prior to the update, I did a dist-upgrade and got it to work, but not consistently. Thank you.
I’m glad you got it to work and thanks for the info 🙂
Does this work on iPhones? I tried specifically disconnecting my iPhone to test this and there are no errors on the console, but my phone is still connected to the internet. Yes, I checked if the bssid was correct and yes, I’m connected to the same network.
Hi Noah, are you able to disconnect other wireless devices from the same access point?
Hello, I have one question. Let’s say I want to do it in a place with many devices connected to the network (yeah, it’s illegal, I know), just as an example. If I want to disconnect all clients except myself, how can I do that? Because it would suck if I had to do it one client at a time. Thanks
I never tried it but I guess you could do that by writing a (Python) script. It would take the output of Airodump (a list of all connected devices) and then invoke Aireplay to do the deauthentication of all those devices one by one, except for your device.
Can you please explain it a little bit more, perhaps by giving an example as you did to explain other stuff!
aireplay-ng -0 0 -a xx:xx:xx:xx:xx:xx -c xx:xx:xx:xx:xx:xx wlan0mon
When I hit this command, I’m not able to disconnect that particular client, and the same thing happens when I try to disconnect all the clients. Hope I could get some help. I’m using Kali Linux 2016 2.0 64bit with live boot.
Is it just that one particular AP the method is not working on? Did you manage to disconnect clients from other APs using the same wireless adapter?
I tried using it on my home network, to which 16 devices are connected. It worked fine but no device disconnected ‘#time Sending 64 directed DeAuth. STMAC: [] [0| ACKs]…
TIA
Did you check if your wireless adapter is compatible (see https://www.aircrack-ng.org/doku.php?id=compatible_cards)? Maybe you can find something useful here: https://forum.aircrack-ng.org/index.php?topic=853.0
02:00.0 Network controller: Intel Corporation Dual Band Wireless-AC 3165 Plus Bluetooth (rev 99)
Ya, I just checked and it is there.
02:00.0 Network controller: Intel Corporation Dual Band Wireless-AC 3165 Plus Bluetooth (rev 99)
The command “airodump” does not generate any “station” for me? I should say my “beacons” are strong enough, so what is wrong for me??
Probably new devices running 5gh while your adapter is only 4gh
Thank you so much for this. Especially for send deauth- packets to the single client.