
Why Deauthing is not Jamming

Is a Deauther the same as a Jammer? What’s the difference? Let’s take a look at it and explore the legality of both.

In a nutshell: A jammer creates a lot of random noise to prevent communication on a specific frequency.


Imagine playing music so loud that nobody around can talk to each other. Unfortunately, a jammer is doing precisely that. Depending on the jammed frequency, it can prevent GPS signal, mobile connections, WiFi, or Bluetooth communication.

The problem is that a jammer always affects every device in range. There is no way to tell it to only attack your own devices. It could mess with essential communication channels and even cause irreversible damage to some devices.

This is why owning, operating, distributing, or even just advertising jammers is illegal in many countries.

The ESP8266 Deauther project is a pentest tool for beginners to learn about WiFi security.

Instead of making a lot of noise drowning out all other communication, a Deauther uses deauthentication frames to tell devices from a specific WiFi network to disconnect. These frames are defined and sent according to the WiFi standard and only affect the device that they are addressed to.

Deauthentication frames are used to terminate the communication between a client and an access point. So if a client receives a deauth packet from the router, it will disconnect from that network. By continuously sending deauth packets, it’s possible to block a specific WiFi connection.

Because deauthentication frames are unprotected in older WiFi implementations, it’s very easy to spoof them. But we are happy to see that a lot of new WiFi routers and clients are now protected against this attack.

It’s not always easy to determine if your network is susceptible to deauthentication attacks. Your devices need to support and enforce a feature called **protected management frames**. To efficiently test your equipment, use our ESP8266 Deauther.


Short answer: it’s complicated.

While we can clearly say that a jammer is illegal in most countries (one example is this FCC statement), there is little to no legal guidance specifically about Deauthers.

Jammers have to be illegal since you inevitably create interference with other devices. It could block emergency services or other critical communication infrastructure.

We made the ESP8266 Deauther for pentesting, research, and education. That’s why the attacks stop after 5 minutes, and it doesn’t attack devices automatically. It only affects a selected target device, and as the user, you are responsible for picking that target.

Make sure to only ever use it against your own device and never against other devices! It’s almost certain that you can get into legal trouble when you use a tool to create damage or do harm, with or without an explicit law.

So as long as you practice ethical hacking, you should be fine. But to use a jammer ethically, you’d have to make sure that all the noise it creates stays inside your own premises. Since that’s not an easy task, do us a favor and just stay away from jammers entirely.

How to detect Deauth Attacks

Wouldn’t it be great if you could see WiFi deauthentication attacks around you?

DIY Deauth Detector

In 2017 I created a small project to detect deauthentication attacks. It is an excellent addition to my ESP8266 Deauther project. While it isn’t a big project of any sort, it does serve its purpose well!

The ESP8266 listens for deauthentication frames, and as soon as it sees several such packets within one second, it turns on an LED. It’s a simple visual indicator of whether or not a deauthentication attack is happening around you.
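The detection logic described above, written out as an added example (this is not the DeauthDetector project’s code): it classifies raw 802.11 management frames, keeps the deauthentication and disassociation frames seen within a one-second sliding window, and reports “LED on” once their count reaches a threshold. It also remembers which BSSID each frame named, so a defender can see which network is being hit. The frames, MAC addresses, threshold and reason code are all constructed for the demo.

```python
"""Deauthentication-attack detector with a one-second sliding window.

Added example, modelled on the behaviour the post describes (several deauth
frames within one second switch the LED on).  It is not the DeauthDetector
project's code; all frames and addresses below are constructed.
"""
import struct
from collections import deque

DEAUTH, DISASSOC = 12, 10          # management-frame subtypes (frame type 0)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def classify(frame: bytes):
    """Return (subtype, bssid, target, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26:                          # 24-byte header + 2-byte reason code
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:                     # type 0 = management
        return None
    subtype = (fc >> 4) & 0xF
    if subtype not in (DEAUTH, DISASSOC):
        return None
    reason = struct.unpack_from("<H", frame, 24)[0]
    # addr1 = receiver (the client being kicked), addr3 = BSSID of the network
    return subtype, mac(frame[16:22]), mac(frame[4:10]), reason


class DeauthDetector:
    """Counts deauth/disassoc frames seen in the last `window` seconds."""

    def __init__(self, threshold: int = 5, window: float = 1.0):
        self.threshold, self.window = threshold, window
        self.events = deque()                    # (capture time, bssid)

    def feed(self, frame: bytes, now: float) -> bool:
        """Feed one frame with its capture time; return True while the LED should be on."""
        info = classify(frame)
        if info is not None:
            self.events.append((now, info[1]))
        while self.events and now - self.events[0][0] > self.window:
            self.events.popleft()                # drop frames that fell out of the window
        return len(self.events) >= self.threshold

    def targeted_networks(self) -> list:
        """BSSIDs named in the frames still inside the window."""
        return sorted({bssid for _, bssid in self.events})


# --- constructed sample frames (not real captures) ---
def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def hdr(fc: int, flags: int, a1: str, a2: str, a3: str) -> bytes:
    """24-byte MAC header: frame control, duration, addr1-3, sequence control."""
    return bytes([fc, flags]) + b"\x00\x00" + b"".join(map(_mac_bytes, (a1, a2, a3))) + b"\x00\x00"


AP1 = "02:11:22:33:44:55"                                          # made-up BSSID
BEACON = hdr(0x80, 0, BROADCAST, AP1, AP1) + b"\x00" * 12            # beacon, fixed fields only
DEAUTH_FRAME = hdr(0xC0, 0, BROADCAST, AP1, AP1) + struct.pack("<H", 7)   # broadcast deauth, reason 7

# A quiet start, six deauth frames within 0.6 s, then nothing until t = 3.0 s.
SAMPLE_TIMELINE = [(0.0, BEACON)] + [(0.1 * i, DEAUTH_FRAME) for i in range(1, 7)] + [(3.0, BEACON)]


def simulate(timeline, threshold: int = 5) -> list:
    """Return the LED state after each frame in the timeline."""
    det = DeauthDetector(threshold=threshold)
    return [det.feed(frame, t) for t, frame in timeline]


if __name__ == "__main__":
    for (t, frame), led in zip(SAMPLE_TIMELINE, simulate(SAMPLE_TIMELINE)):
        print(f"t={t:.1f}s  LED={'ON ' if led else 'off'}")
```

Disassociation frames are counted alongside deauthentication frames here because both tear down a connection and are spoofed the same way; a firmware build that only watches subtype 12 would drop the DISASSOC entry. Frames from a network with protected management frames enabled still reach the monitor, so this counter tells you that an attack is being attempted, not whether the targeted clients actually disconnected.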

Check out the GitHub repository here: https://github.com/SpacehuhnTech/DeauthDetector

If this project sparked your interest and you would like to have your own Deauth Detector, well, you’re in luck! We worked with Maltronics on a brand new Deauth-Detector product!

🛒 You can purchase one here: https://maltronics.com/products/deauth-detector


Deauther V3 Tutorial: Results Command

Get an overview of found devices and filter the scan results. The results command displays all devices the scan command found. We’ve explained the scan command in detail in another blog post and this tutorial video:

👉 For this tutorial, you’ll need to start Huhnitor and connect to your Deauther V3. Haven’t installed Huhnitor yet? Then follow this tutorial to find out how.

Get an overview of the command structure and available arguments by typing:

help results

Help page of results command

You can see that all arguments besides the first are in square brackets, meaning they are optional. Below the command structure, you’ll find a list of all the available arguments, a short explanation, and their default value (if they’re optional).

| Argument | Explanation |
| --- | --- |
| -t / -type | The type of result you want to see. Pick ap for access points (networks), st for stations (clients), or ap+st for both. |
| -ch / -channel | The channel(s) you want to see. |
| -ssid / -ssids | The names of the networks you want to see. |
| -bssid / -bssids | The BSSIDs you want to see. |
| -vendor / -vendors | The vendor names you want to see. This filter can be used on APs as well as on stations. |

| Column (access points) | Information |
| --- | --- |
| ID | Each access point is given a number to make referencing easier. |
| SSID | The name of the network. |
| RSSI | This is the received signal strength of the packet. The bigger the number, the stronger the signal. A good signal could mean you’re close to the device, although many factors play into the signal strength, like the medium the signal needs to pass through. |
| Mode | Type of encryption the network uses. |
| Ch | The channel the network is operating on. |
| BSSID | The MAC address of the access point. |
| Vendor | Here, you can find the device manufacturer (provided it’s in the database programmed into the Deauther V3). |

| Column (stations) | Information |
| --- | --- |
| ID | Each station is given a number to make referencing easier. |
| Pkts | The number of packets captured from the device. |
| RSSI | This is the received signal strength of the packet. The bigger the number, the stronger the signal. A good signal could mean you’re close to the device, although many factors play into the signal strength, like the medium the signal needs to pass through. |
| Vendor | Here, you can find the device manufacturer (provided it’s in the database programmed into the Deauther V3). |
| MAC-Address | The MAC address of the station. |
| AccessPoint-SSID | Name of the network the device is connected to. |
| AccessPoint-BSSID | MAC address of the network the device is connected to. |
| Probe-Requests | Names of networks this device is asking for. Learn more about Probe Requests here. |

Deauther V3 Tutorial: Scan Command

Monitor and log networks and devices in your area and gather information about them, like their MAC address and signal strength.

👉 For this tutorial, you’ll need to start Huhnitor and connect to your Deauther V3. Haven’t installed Huhnitor yet? Follow this tutorial to find out how.

Get an overview of the command structure and available arguments by typing:

help scan

help scan output

You can see that all arguments besides the first are in square brackets, meaning they are optional. Below the command structure, you’ll find a list of all the available arguments, a short explanation, and their default value (if they’re optional).

| Argument | Explanation |
| --- | --- |
| -m / -mode | What you want to scan for. Pick ap for networks, st for clients, or ap+st for both. |
| -t / -time | The time you spend scanning for stations (client devices). |
| -ch / -channel | Specify the channel(s) you scan to find stations. |
| -ct / -ctime | The time you spend on each channel before hopping to the next. |
| -r / -retain | Add this argument to keep the previous scan results instead of overriding them. |

Scanning for access points (APs) only takes a few seconds. Networks are easy to detect because they constantly advertise themselves by sending beacon frames.

But a station scan can be configured to run as long as you want. This is because we can’t know when we’ve detected all the stations in our area. We can only detect stations when they are actively sending packets. So if a station hasn’t yet sent any packet, we won’t yet know about its existence.

scan

Scan command output

| Column (access points) | Information |
| --- | --- |
| ID | Each access point is given a number to make referencing easier. |
| SSID | The name of the network. |
| RSSI | This is the received signal strength of the packet. The bigger the number, the stronger the signal. A good signal could mean you’re close to the device, although many factors play into the signal strength, like the medium the signal needs to pass through. |
| Mode | Type of encryption the network uses. |
| Ch | The channel the network is operating on. |
| BSSID | The MAC address of the access point. |
| Vendor | Here, you can find the device manufacturer (provided it’s in the database programmed into the Deauther V3). |

| Column (stations) | Information |
| --- | --- |
| ID | Each station is given a number to make referencing easier. |
| Pkts | The number of packets captured from the device. |
| RSSI | This is the received signal strength of the packet. The bigger the number, the stronger the signal. A good signal could mean you’re close to the device, although many factors play into the signal strength, like the medium the signal needs to pass through. |
| Vendor | Here, you can find the device manufacturer (provided it’s in the database programmed into the Deauther V3). |
| MAC-Address | The MAC address of the station. |
| AccessPoint-SSID | Name of the network the device is connected to. |
| AccessPoint-BSSID | MAC address of the network the device is connected to. |
| Probe-Requests | Names of networks this device is asking for. Learn more about Probe Requests here. |

You can stop a station scan by typing

stop scan

or, if you’re using Huhnitor, by pressing Ctrl + C.

When the scan has finished, you’ll get a list of the scan results divided into access points and stations. If you want to recheck these results later, you can use the Results Command.

results

If you know the scan isn’t picking up all devices in your area, it could be because of one of the following reasons:

  • The scan is missing packets because it’s channel hopping. Try scanning on one channel exclusively.

  • Only active client devices can be seen. Make sure the device you’re looking for is actually generating traffic.

  • The WiFi device/network is running on 5 GHz. However, the ESP8266 can only see 2.4 GHz traffic.

  • The device(s) are not close enough. If the signal strength of a connection is too low, it might not be recognized.

Deauther V3 Tutorial: Beacon Command

Create dozens of WiFi networks that aren’t actually there using beacon frames!

👉 For this tutorial, you’ll need to start Huhnitor and connect to your Deauther V3. Haven’t installed Huhnitor yet? Then, follow this tutorial to find out how.


Beacon frames are small packets sent out by the access point (i.e., your router) to advertise its network to other WiFi devices in the area. They contain information like the network name and security (Open, WPA2, WPA3,…). Through these packets, client devices learn about available WiFi networks in the area. That is how your phone knows about the networks you see in the WiFi settings menu. This discovery process is also called passive scanning. Learn more about active and passive scanning in our post about WiFi Probe Requests. With the beacon command of the Deauther V3, we can send out a lot of these beacon frames and advertise networks with custom names without actually having to create real networks. We can also detect devices trying to connect to our fake networks.
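The passive discovery process described here, and the access-point and station tables that the scan and results commands in the earlier posts report, come from the same frame parsing. The following is an added example (not the Deauther V3 firmware): it reads beacon frames to learn each network’s SSID, channel and encryption (the AP table), reads probe requests and the ToDS/FromDS address rules of data frames to learn which station talks to which BSSID (the station table), and offers a channel/SSID filter like the results command. All frames, MAC addresses and SSIDs are constructed for the demo; the Open/WEP/WPA2 classification from the privacy bit and RSN element is a simplification that ignores WPA1 and WPA3 details.

```python
"""Passive 802.11 scanner that builds the AP and station tables a scan
command reports, and filters them the way a results command does.

Added example, not the Deauther V3 firmware.  All frames below are
constructed by hand; MAC addresses and SSIDs are made up.
"""
import struct
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(body: bytes) -> dict:
    """Split the tagged parameters (ID, length, value) that follow the fixed fields."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


@dataclass
class AccessPoint:
    ssid: str = ""
    channel: int = 0
    mode: str = "Open"          # Open / WEP / WPA2 (RSN present): a simplification


@dataclass
class Station:
    pkts: int = 0
    ap_bssid: str = ""
    probes: set = field(default_factory=set)


class PassiveScanner:
    def __init__(self):
        self.aps = {}           # bssid -> AccessPoint
        self.stations = {}      # mac   -> Station

    def feed(self, frame: bytes) -> None:
        if len(frame) < 24:
            return
        fc, flags = frame[0], frame[1]
        ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
        a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
        if ftype == 0 and subtype == 8:
            # Beacon: header(24) + timestamp(8) + interval(2) + capability(2), then IEs.
            cap = struct.unpack_from("<H", frame, 34)[0]
            ies = parse_ies(frame[36:])
            ap = self.aps.setdefault(a3, AccessPoint())
            ap.ssid = ies.get(0, b"").decode("utf-8", "replace")
            if ies.get(3):
                ap.channel = ies[3][0]            # DS Parameter Set = channel
            ap.mode = "WPA2" if 48 in ies else ("WEP" if cap & 0x10 else "Open")
        elif ftype == 0 and subtype == 4:
            # Probe request: the station names the network it is looking for.
            st = self.stations.setdefault(a2, Station())
            st.pkts += 1
            ssid = parse_ies(frame[24:]).get(0, b"").decode("utf-8", "replace")
            if ssid:
                st.probes.add(ssid)
        elif ftype == 2:
            # Data: ToDS/FromDS flags say which address is the BSSID and which the station.
            to_ds, from_ds = flags & 0x01, flags & 0x02
            if to_ds and not from_ds:
                bssid, station = a1, a2
            elif from_ds and not to_ds:
                bssid, station = a2, a1
            else:
                return                            # ad-hoc and WDS frames are ignored here
            st = self.stations.setdefault(station, Station())
            st.pkts += 1
            st.ap_bssid = bssid

    def filter_aps(self, channels=None, ssids=None) -> dict:
        """Mirror of the results command's -ch / -ssid filters, AP side only."""
        return {b: ap for b, ap in self.aps.items()
                if (channels is None or ap.channel in channels)
                and (ssids is None or ap.ssid in ssids)}


# --- constructed sample frames (not real captures) ---
def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ie(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


def hdr(fc: int, flags: int, a1: str, a2: str, a3: str) -> bytes:
    """24-byte MAC header: frame control, duration, addr1-3, sequence control."""
    return bytes([fc, flags]) + b"\x00\x00" + b"".join(map(_mac_bytes, (a1, a2, a3))) + b"\x00\x00"


AP1, STA1 = "02:11:22:33:44:55", "02:aa:bb:cc:dd:ee"              # made-up addresses
SAMPLE_FRAMES = [
    # beacon from AP1 on channel 6, privacy bit set and an RSN element -> WPA2
    hdr(0x80, 0, BROADCAST, AP1, AP1) + b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
    + ie(0, b"HomeNet") + ie(3, b"\x06") + ie(48, b"\x01\x00"),
    # probe request from STA1 asking for a network called CoffeeShop
    hdr(0x40, 0, BROADCAST, STA1, BROADCAST) + ie(0, b"CoffeeShop"),
    # two data frames STA1 -> AP1 (ToDS set): STA1 is associated with AP1
    hdr(0x08, 0x01, AP1, STA1, BROADCAST),
    hdr(0x08, 0x01, AP1, STA1, BROADCAST),
]


def demo() -> PassiveScanner:
    sc = PassiveScanner()
    for f in SAMPLE_FRAMES:
        sc.feed(f)
    return sc


if __name__ == "__main__":
    sc = demo()
    for bssid, ap in sc.aps.items():
        print(f"AP  {ap.ssid:<12} {ap.mode:<5} ch {ap.channel:<2} {bssid}")
    for m, st in sc.stations.items():
        print(f"ST  {m} pkts={st.pkts} ap={st.ap_bssid} probes={sorted(st.probes)}")
```

The station side only fills in when a client actually transmits, which is exactly why the scan post says a station scan can run indefinitely: a silent client never appears in this table. Because the AP table is keyed by BSSID rather than SSID, a beacon-only network with a familiar name but an unknown BSSID shows up as a separate entry, which is a useful first check when you suspect a fake network is being advertised.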

WiFi beacon frames are mostly harmless, but some devices can react unexpectedly to certain SSIDs (see “iPhone Bug breaks WiFi when you join Hotspot with unusual name”). It’s also possible to advertise common network names and monitor the connection attempts. This way, you can potentially uncover where a device has been. We explained this in more detail in our post about WiFi Probe Requests.

Get an overview of the command structure and available arguments by typing:

help beacon

Structure of the beacon command and its available arguments

You can see that all arguments besides the first are in square brackets, meaning they are optional. Below the command structure, you’ll find a list of all the available arguments, a short explanation, and their default value (if they’re optional).

| Argument | Explanation |
| --- | --- |
| -ssid / -ssids | A list of network names you want to advertise. |
| -from | The sender MAC address / MAC of the imaginary access point. |
| -to | The receiver’s MAC address. Use this to advertise only to a specified device. Leave it blank to broadcast your advertisement to all devices in range. |
| -enc / -encryption | Create the appearance of an open or wpa2 encrypted network. |
| -ch / -channel | Advertise on a specific channel. |
| -r / -rate | The packet rate at which the frames are sent. 10 frames/s is typical. Increase it to raise the chances of your network being picked up. |
| -m / -mon / -monitor | Monitor your fake network for connection attempts. |
| -save | Save all probe requests detected while the attack is running. |
| -t / -time / -timeout | How long until the attack stops. |

beacon -ssid "Follow @Spacehuhn"

After running the command, you’ll see the parameters, a list of network names (SSIDs), and their corresponding sender MAC address (BSSID).

Output when starting a beacon attack

Now your network should show up as an available network.

Fake network showing up in the list of available WiFi networks

Sometimes it can take a minute or so before devices pick up your new network, especially in areas with many access points around. You can boost the discovery process by changing to a less busy channel or by increasing the packet rate. When you try to connect to your fake network, you’ll notice that it will always fail. This is because the beacon frames are advertising a network that is not real. Therefore, there is nothing to connect to. If you want to see those connection attempts, enable monitor mode:

beacon -ssid "Free WiFi" -m

You cannot read the password that the user entered to join your network, but you can see the MAC address and signal strength.