White Hat Institute

Detect WiFi jamming attempts with Wireshark

Most DOS assaults are entirely essential and exploit well-recorded imperfections in the manner WPA systems oversee associations. Since the management packets that gadgets use to control these associations are unencrypted, it’s simple for an aggressor to craft fake ones in the wake of sniffing the remote channels close by. Numerous devices and tools can do this, and they are well-recorded on the internet. 

Most regular scripts like Aireplay-ng or MDK3 do this by flooding an objective with de-authentication or disassociation packets, which are both typical appearing packets that disruptively affect the system. Doing as such requires just a wireless network adapter that can be placed into monitor mode, and a basic command can take out a whole channel with numerous networks operating on it for up to a block with no specific gear.

Let’s perform jamming attacks on our wireless network and analyze the packets with the Wireshark. For this, we need to put our wireless network adapter into monitor mode and use Airodump-ng to list all information about the target network so that we can craft de-authentication attacks accordingly.

Ex: ([email protected]:/opt# airodump-ng wlan0mon).

In this example, we will be targeting ESSID “Netgear69,” which is on channel 9, so our attack commands will be based on this information.

Before starting to jam or wireless networks, we need to run Wireshark with the following filter option in the filter box.

Ex: “wlan type mgt and (subtype deauth or subtype disassoc)”

wireshark, jamming
wifi jamming 2

Now we can start jamming the network. First, we are going to use the “Mdk3” tool to send de-authentication and disassociation packets. To do so, type “mdk3” in the terminal and specify the interface which is in monitor mode (in our example, it is “wlan0mon”)Then provide the attack method; here, we will use the de-authentication and disassociation method “d,” and at the end, specify the channel number our target network is running on “-c.”

Ex: ([email protected]:~# mdk3 wlan0mon d -c 9).

Once you hit “Enter,” MDK3 will continuously send de-authentication and disassociation packets to the specific channel and jam the network.

wifi jamming 3

If you go back to your Wireshark, you’ll see a bunch of de-authentication and disassociation packets, which is a clear indication of a jamming attack.

wifi jamming 4

Now, let’s perform a similar jamming attack with the Aireplay-ng tool. Start the terminal and type “aireplay-ng” and then provide the interface which is in monitor mode “wlan0mon”. Next, specify the attack type “ – -deauth” and the MAC address of the ESSID “-a.”

Ex: ([email protected]:~# aireplay-ng wlan0mon  – -deauth 10 -a 8C:3B:AD:42:03:46).

wifi jamming 5

Once you hit “Enter,” you’ll notice a similar packet flow in the Wireshark, but instead of both de-authentication and disassociation packets, the traffic will be flooded with only de-authentication packets.

wifi jamming 6

Wireshark can be utilized to get to the base of any speculated jamming attempts rapidly. Since Wireshark is free and accessible to anybody, hackers using devices like MDK3 and Aireplay-ng might tell a network administrator what they are doing, directly down to the program they are utilizing for the assault. This level of information is beneficial for defenders, who can use it to create tools to defend a network automatically. Attackers, then again, should remember how many alerts they may trigger with such exercises.