
Deauther V3 Tutorial: Auth Command

See when someone connects to any WiFi network in your area.

👉 For this tutorial, you’ll need to start Huhnitor and connect to your Deauther V3. Haven’t installed Huhnitor yet? Follow this tutorial to find out how.

Authentication frames are small packets sent out by devices when connecting to a network. By looking for these frames, we can detect whenever a device tries to connect to a WiFi network and gather info about said device.

Get an overview of the command structure and available arguments by typing:

help auth

Structure of the Auth Command and its available arguments

You’ll notice that all arguments are in square brackets, meaning they are optional. Below the command structure, you’ll find a list of all the available arguments, a short explanation, and their default value.

| Argument | Explanation |
| --- | --- |
| -bssid | To monitor only specific networks, add the MAC address(es) here. |
| -ap | To monitor only specific networks, add the ID(s) of the access point. You get the ID of an access point by first running the Scan Command. |
| -ch -channel | Specify a channel or list of channels to only look for authentication frames there. This is to avoid channel-hopping, which can lead to the loss of packets. |
| -ct -ctime | This is to specify how long you want to remain on each channel before hopping to the next. You usually don’t need to change this value but feel free to experiment. |
| -t -time | Specify a time after which it will automatically stop monitoring. |
| -save | This will save all Probe Requests detected while the auth command runs. |

After running the command, you’ll see a list of all parameters and a table containing the information gathered from the captured authentication frames below.

Results of a basic auth scan

| Column | Information |
| --- | --- |
| RSSI | This is the received signal strength of the packet. The bigger the number, the stronger the signal. A good signal could mean you’re close to the device, although many factors play into the signal strength, like the medium the signal needs to pass through. |
| Ch | This is the channel the packet was captured on. This information is useful when monitoring multiple channels. |
| Vendor | Here, you can find the device manufacturer (provided it’s in the database programmed into the Deauther V3). |
| MAC-Address | The MAC address of the device trying to connect to the network. |
| SSID | The name (SSID) of the network the device which sent the packet is trying to connect to. |
| BSSID | The MAC address of the specific access point/router the device attempts to connect to. This information could be interesting in a mesh network where multiple access points have the same SSID. |
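
To show where the MAC address and BSSID columns come from, here is an added example (not code from the Deauther firmware or from this blog) that decodes raw 802.11 authentication frames and keeps only the ones a station sent to an access point. The function names, the sample addresses and the frames are constructed for illustration, and the frames are assumed to arrive without a radiotap header.

```python
import struct

AUTH_ALGOS = {0: "Open System", 1: "Shared Key", 3: "SAE"}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_auth(frame: bytes):
    """Decode one raw 802.11 frame; None if it is not a readable auth frame."""
    # Frame control byte 0: version 0, type 0 (management), subtype 11 -> 0xB0
    if len(frame) < 30 or frame[0] != 0xB0:
        return None
    if frame[1] & 0x40:          # Protected bit: body is encrypted, skip it
        return None
    algo, seq, status = struct.unpack_from("<HHH", frame, 24)
    return {"dst": mac(frame[4:10]), "src": mac(frame[10:16]),
            "bssid": mac(frame[16:22]), "seq": seq, "status": status,
            "algo": AUTH_ALGOS.get(algo, f"unknown({algo})")}

def connection_attempts(frames, bssids=None):
    """Station-to-AP auth frames as (station MAC, BSSID, algorithm) tuples.
    `bssids` narrows the result to chosen access points, like the -bssid argument."""
    found = []
    for frame in frames:
        auth = parse_auth(frame)
        if auth is None or auth["dst"] != auth["bssid"]:
            continue             # keep only frames addressed to the access point
        if bssids and auth["bssid"] not in bssids:
            continue
        found.append((auth["src"], auth["bssid"], auth["algo"]))
    return found

def build_auth(dst, src, bssid, algo, seq):
    """Constructed test frame: 24-byte management header + 6-byte auth body."""
    addr = lambda m: bytes.fromhex(m.replace(":", ""))
    header = b"\xb0\x00\x00\x00" + addr(dst) + addr(src) + addr(bssid) + b"\x00\x00"
    return header + struct.pack("<HHH", algo, seq, 0)

AP1, AP2 = "00:11:22:33:44:55", "00:11:22:33:44:66"      # constructed addresses
STA1, STA2 = "02:00:00:aa:bb:01", "02:00:00:aa:bb:02"
SAMPLE = [
    build_auth(AP1, STA1, AP1, 0, 1),   # station asks AP1 (Open System)
    build_auth(STA1, AP1, AP1, 0, 2),   # AP1 answers: not a connection attempt
    build_auth(AP2, STA2, AP2, 3, 1),   # station starts SAE with AP2
]

if __name__ == "__main__":
    for station, bssid, algo in connection_attempts(SAMPLE):
        print(f"{station} -> {bssid} ({algo})")
```

The authentication frame itself carries no SSID, so a network name like the one in the SSID column has to be looked up from the BSSID, for example from an earlier scan.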

You can also combine the authentication scan with other commands. For example, you can use it to monitor fake networks you’re advertising using the Beacon Command:

beacon "test ssid" -auth

WiFi Probe Requests Explained

If you ever used our ESP8266 Deauther, you might have wondered what the probe attack is for. We get questions like this a lot. So let’s have a look at probe requests and what they are used for. 🕵️‍♀️


If you open the WiFi settings menu on your phone, you’ll see a list of available networks. But how does the phone know about them?

There are two ways to discover WiFi networks: either by passively waiting and listening for announcements (beacon frames) from access points or by actively asking every WiFi device around if they are a network using probe requests.

When an access point receives a probe request frame, it will reply with a probe response frame.


Probe requests are a type of WiFi management frame. They are not encrypted, since they contain no user data. They are used simply for network discovery.

But it’s common for a device to actively ask for a specific network name, meaning the probe request will contain the SSID of a known network in cleartext. In other words, your phone might be leaking the name of your home network constantly. And not just that, it’s probably broadcasting the names of every network you ever connected to!

This data can be used to identify you because your phone is likely to have a unique list of known networks. In addition, services like WiGLE can be used to pinpoint an SSID to a specific location.

So by simply listening for probe requests, you can track how many WiFi clients are nearby and where they have been, plus the metadata provided by the MAC address of said clients, like the name of the manufacturer (e.g. Apple).

Because WiFi clients tend to send probe requests regularly, it’s possible to use mesh networks to track their movement. Systems like this could be used in locations like shopping malls to track the routes of customers.


But it gets worse! Someone could collect the SSID from a received probe request, open a new WiFi network and give it the exact same name, then send a probe response. The client who sent the request will then automatically connect to that network, thinking it knows it. But really, it could be a malicious network that’s sniffing all your traffic. Worst of all, the user might not even notice it because their device switched networks in the background without informing them.

This is actually a feature the WiFi Pineapple from Hak5 excels at! So really, this isn’t some abstract theory: anyone with the right tools can pull this attack off.

Now that being said, there are limits to this attack. For example, if the rogue access point is using a different kind of encryption than the original network (e.g. the network is open instead of using WPA2), it won’t work. The WiFi client will also refuse to switch networks if it’s already connected to one with a stronger signal. So it’s not guaranteed to work with every WiFi client all the time, but it is a very effective attack.

To answer the question of what the probe attack in the ESP8266 Deauther is for: it broadcasts a lot of probe requests with random SSIDs. This can be used to confuse probe request sniffers, like the aforementioned WiFi Pineapple. Learn more about it in the video Testing WiFi Pineapple with ESP8266 Deauther.

Another way of abusing probe frames is to flood a specific access point with requests. If the access point doesn’t recognise the attack and tries to respond to each request, it will actively participate in the attack. These packets take up a lot of airtime, so spamming them will basically clog the WiFi channel, and you will no longer be able to use the network effectively.

Station Scan Results

Now you know all about the dangers, but how can you check if your WiFi devices are sending probe requests?

Luckily for you, we make a tool that’s capable of that. Our Deauther V3 can find WiFi devices and see the probe requests they’re sending. You can flash any ESP8266 development board with the firmware or buy our Andromeda board at spacehuhn.store.

Alternatively, you can use airodump-ng (part of the aircrack-ng suite), Wireshark, or a script like probeSniffer. But you will need a USB WiFi adapter that is capable of monitor mode.


One thing to look out for when scanning for probe requests is MAC randomization. Nowadays a lot of WiFi clients use randomized MAC addresses for sending probe requests. This makes it a lot harder to fingerprint and track a device. You can easily get the impression that there are more devices around than there actually are.

If you want to learn more about MAC randomization and its limits, have a look at: Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms
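
To audit what your own devices disclose, the following added example (not part of the original post or of any Spacehuhn tool) parses raw probe request frames, reads the cleartext SSID element, and flags randomized source addresses by the locally administered bit of the MAC. The function names, addresses and frames are constructed for illustration, and the frames are assumed to arrive without a radiotap header.

```python
def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID or None for a wildcard probe, randomized?) or None."""
    # Frame control byte 0: version 0, type 0 (management), subtype 4 -> 0x40
    if len(frame) < 24 or frame[0] != 0x40:
        return None
    src = frame[10:16]
    randomized = bool(src[0] & 0x02)      # locally administered bit set
    ssid, pos = None, 24                  # tagged parameters follow the header
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                         # truncated element, stop parsing
        if tag == 0:                      # SSID element, sent in cleartext
            ssid = value.decode("utf-8", "replace") or None
            break
        pos += 2 + length
    return mac(src), ssid, randomized

def audit(frames):
    """Map each probing MAC to its randomization flag and the SSIDs it disclosed."""
    report = {}
    for src, ssid, randomized in filter(None, map(parse_probe_request, frames)):
        entry = report.setdefault(src, {"randomized": randomized, "ssids": set()})
        if ssid:
            entry["ssids"].add(ssid)
    return report

def build_probe(src: str, ssid: str, subtype_byte: int = 0x40) -> bytes:
    """Constructed test frame: broadcast probe request with SSID and rates elements."""
    header = (bytes([subtype_byte, 0, 0, 0]) + b"\xff" * 6
              + bytes.fromhex(src.replace(":", "")) + b"\xff" * 6 + b"\x00\x00")
    name = ssid.encode()
    return header + bytes([0, len(name)]) + name + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])

SAMPLE = [                                              # constructed frames
    build_probe("00:11:22:33:44:55", "HomeNet"),
    build_probe("00:11:22:33:44:55", "CoffeeShop_Guest"),
    build_probe("da:a1:19:00:00:01", ""),               # wildcard probe, random MAC
    build_probe("00:11:22:33:44:55", "Ignored", 0x80),  # beacon subtype, skipped
]

if __name__ == "__main__":
    for src, info in audit(SAMPLE).items():
        print(src, "randomized" if info["randomized"] else "global", sorted(info["ssids"]))
```

A device that shows up with its globally unique MAC and a list of named SSIDs is the one to fix, typically by removing saved networks it no longer needs.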

Difference between Deauther V2 and V3 Explained

The ESP8266 Deauther is a popular open-source pen-testing tool. But what exactly changed in version 3, and why is it not replacing version 2? This post breaks down the most important differences.

Feature | Version 2 | Version 3
Web Interface
Display support
Serial Command Line
Scanner
Deauth attack
Beacon attack
Probe attack
Huhnitor support
Signal strength scanner
Authentication scanner
Rogue AP

Both versions share the same basic functionalities like Deauth-, Beacon-, and Probe attack and communication over the serial command line. They also let you scan your local network for access points and clients.

Where they differ is mainly in how you control them, affecting the set of features available. Where v2 uses a web interface (and/or a display and buttons), Deauther v3 plugs directly into a computer via USB. It can only be controlled using a serial terminal (our Huhnitor software makes that process a lot easier).

Using Deauther V2 Web-Interface on an Android phone

Deauther version 2 is excellent for standalone devices, like our Hackheld, because it only needs the USB connection for power delivery.

You can control it through the web interface by connecting to the pwned network and opening the URL 192.168.4.1 in a browser. This is ideal if you want to place a Deauther somewhere and interact with it remotely.

Alternatively, it supports a small OLED display and a couple of buttons, so you can control it without needing another device at all.

🔗 ESP8266 Deauther V2 Github Repository

Huhnitor interface

Deauther version 3 was designed from the ground up with the focus on a powerful command-line interface (CLI), which is accessible through a USB serial. The web interface and display support from version 2 have not been implemented. This is so that the ESP8266 hardware (CPU, memory, and WiFi transceiver) can be fully utilized for features like signal strength scanning, authentication detector, or rogue access points.

This is also why we designed our Deauther Andromeda not as a standalone device but instead as an accessory to your computer. Its USB-A plug can be easily connected and then controlled through a serial connection.

🔗 ESP8266 Deauther V3 Github Repository

The core features are the same, but Deauther V2 is best for standalone devices with its display support and web interface.

Deauther v3 is instead made to be plugged directly into a computer and used as a terminal application.

Recommended Dev-Boards for Deauther

While any ESP8266-based development board can be flashed with the Deauther firmware, the sheer amount of different boards available can create uncertainty about which one to buy. So here we’ve compiled a small list of boards we can recommend 😃

Feel free to use this list not only for the Deauther project but as a recommendation for good ESP8266 development boards in general.

If you want to learn more about the ESP8266 and how it is different from a development board, check my post NodeMCU vs. ESP8266.

NodeMCU - By Vowstar - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=39477865

The NodeMCU board is probably the most popular ESP8266 development board. It’s cheap, widely available, uses the ESP12 module, and has pre-soldered header pins - which come in handy when using a breadboard.

The original NodeMCU (as seen in the picture above) uses a CP2102 USB serial chip. The NodeMCU V3 is slightly bigger and uses the CH340 chip. However, both versions work the same.

Do not buy an ESP32 version if you’re planning to build a deauther. You’ll need an ESP8266!

Affiliate Links:
🛒 Amazon
🛒 AliExpress

Wemos D1 mini

The D1 mini is an excellent choice if size is a concern. It’s small, cheap, and supports add-ons. Like the NodeMCU, different versions of the D1 mini are also available. Some use a bare ESP8266 SoC with the CP2102 for serial, while others have an ESP12 module and CH340 serial chip. But in practice, they make no difference in usage.

A significant pro or con, depending on your project, is that the included header pins are not pre-soldered! Therefore, you will need a soldering iron to connect sensors, buttons, or displays.

Another important note is that this board is widely known as WEMOS D1 Mini, but the original creators actually rebranded to LOLIN. Here is a link to their Aliexpress store. The original boards might be slightly more expensive than from other AliExpress shops but also of higher quality.

Affiliate links:
🛒 Amazon
🛒 AliExpress

Adafruit Feather HUZZAH with ESP8266 - source https://www.adafruit.com/product/2821

The Adafruit Feather HUZZAH is a high-quality development board with a LiPo battery charger. But not only that, the Feather board layout is a common form factor for various boards, and plenty of addons are available!

Versions with and without soldered header pins are available. Documentation and tutorials can be found at learn.adafruit.com.

If you want an easy way to add a battery to your Deauther, this is the board for you.

🛒 Adafruit.com

A bunch of Maltronics Deauthers - source: maltronics.com

A close partner of ours and another provider of pre-made Deauthers is Maltronics.

Their implementation of the Deauther features a sleek metallic case and can be plugged into a USB-A or USB-C port for power. In addition, it comes with the Deauther V2 firmware pre-flashed and can be used as such.

While you can’t connect external components because of a lack of accessible GPIO pins, you could still use it as an incognito ESP8266 development board if you like.

Purchasing a Maltronics Deauther also supports our work ❤️

🛒 Maltronics.com

A collection of (old) DSTIKE Boards

DSTIKE is our longest partner. The DSTIKE Deauther OLED was the first official Deauther hardware, and today the Deauther Watch is probably the most well-known Deauther.

They offer a variety of development boards, mostly ESP8266, but increasingly ESP32 and other microcontrollers.

If you purchase a DSTIKE Deauther board, it will come pre-flashed with our Deauther firmware, and you will also support us, as we get a small percentage of their Deauther sales.

Affiliate Links:
🛒 AliExpress
🛒 Amazon

Huhnitor Installation Tutorial

Installing Huhnitor is the first step to getting started with the Deauther V3. Huhnitor is our cross-platform, open-source command-line tool built for a better Deauther V3 user experience.

UPDATE: You can now visit terminal.spacehuhn.com to access a serial terminal in your browser! It’s a great alternative to Huhnitor if you don’t want to install anything. You just need a compatible browser. Learn more

Huhnitor Version 1.1.2 Windows .exe file on the release page

Installation on Windows is one of the easiest methods. Download the latest .exe file from the release page and open it. The file name should look like this: “hunitor_[version]_windows.exe”.

If you’ve installed something on Ubuntu before, this shouldn’t be an unfamiliar process. If you don’t have snap installed already, follow these steps: https://snapcraft.io/docs/installing-snapd.

With snap installed, open a terminal and run the command:

sudo snap install huhnitor --edge --devmode

After the installation has finished, you can start Huhnitor by running:

sudo huhnitor

Arch users can install Huhnitor by running:

yay -S huhnitor

After the installation has finished, you can start Huhnitor by running:

sudo huhnitor

Homebrew website

Install Homebrew. You can do so by running a single command via the terminal:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

After that, you’ll need to add the repository to your sources:

brew tap spacehuhntech/huhnitor

Now you can install Huhnitor:

brew install huhnitor

With all of that done, you can start Huhnitor in the terminal via:

huhnitor

Having trouble installing Huhnitor with the methods explained above? You can also compile Huhnitor yourself!

Rustup website

  1. Huhnitor is written in the programming language Rust, so you’ll need to install Rust. Go to rust-lang.org/tools/install and follow the steps.

  2. Additionally, depending on your operating system, you’ll either have to run sudo apt install libudev-dev pkg-config on Linux or make sure you’ve got Visual C++ Build Tools 2019 installed on Windows.

  3. Now, you can continue and download the repository by running the command git clone https://github.com/SpacehuhnTech/Huhnitor.git or by downloading the zip file and extracting it.

  4. After that, navigate to the newly created Huhnitor folder with cd Huhnitor, where you can execute the next step.

  5. Inside the Huhnitor folder, you have two options: You can either start Huhnitor directly via cargo run or by running cargo build --release to create a binary file for your system.