WiFi Beacon Spam

Wi-Fi routers, smart devices, laptops and so on constantly send Wi-Fi signals. In this post we will use a NodeMCU (ESP8266) board to create fake Wi-Fi networks by broadcasting beacon frames.

Beacon frames are used by access points (and by stations in an IBSS) to advertise, throughout the serviced area, the characteristics of the connection offered to the cell members. This information is used both by clients trying to connect to the network and by clients already associated with the BSS.

Beacons are sent periodically, at a time called the Target Beacon Transmission Time (TBTT).

1 TU = 1024 microseconds

Beacon interval = 100 TU (100 x 1024 microseconds, or 102.4 milliseconds)


Here is the frame format of a Beacon frame.

 


Here are the mandatory fields in a Beacon frame.

  1. Timestamp (8 bytes)
  2. Beacon Interval (2 bytes)
  3. Capability Info (2 bytes)
  4. SSID (variable size)
  5. Supported Rates (variable size)

Details of the mandatory fields:

  1. Timestamp (8 bytes): The time on the access point, i.e. the number of microseconds the AP has been active. When the timestamp reaches its maximum (2^64 microseconds, or ~580,000 years) it wraps to 0. This field is carried in Beacon and Probe Response frames.
  2. Beacon Interval (2 bytes): The number of time units (TU) between target beacon transmission times (TBTT). The default value is 100 TU (102.4 milliseconds).
  3. Capability Information (2 bytes): A set of subfields used to indicate requested or advertised optional capabilities.
  4. SSID: Present in all Beacons, Probe Requests, Probe Responses, Association Requests and Reassociation Requests. The Element ID of the SSID IE is 0. An SSID can have at most 32 characters.
  5. Supported Rates: Present in Beacons, Probe Requests, Probe Responses, Association Requests, Association Responses, Reassociation Requests and Reassociation Responses. It is an 8-octet field in which each octet describes a single supported rate. The last bit (bit 7) of each octet indicates whether the rate is a "basic" (mandatory) rate or a "supported" rate: 1 means basic, 0 means supported. The remaining 7 bits (0-6) give the data rate in units of 500 kbps.

E.g. 6 Mbps (12 x 500 kbps units) as a Basic Rate is represented as 10001100:

bit 7 = 1 (to indicate a basic rate)

bits 0-6 = 0001100 (value 12, i.e. 6 Mbps)

Here is an expansion of the "Supported Rates" field of a Beacon. It has Element ID, Length and Supported Rates fields. At least one mandatory rate must be set by the AP, and any station wanting to join the cell must support all basic rates. The example shows the default setting of an 802.11a radio, where 6 Mbps, 12 Mbps and 24 Mbps are set as "Basic Rates" to ensure that a joining station understands all modulation techniques (i.e. BPSK for 6 and 9 Mbps, QPSK for 12 and 18 Mbps, QAM for 24 Mbps and higher).
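To make the field layout and the rate encoding above concrete, here is an added example (not code from the original post or from any project it links): a small host-side C++ decoder for the beacon frame layout just described. It walks the 24-byte MAC header, the three fixed fields (timestamp, beacon interval, capability info) and the tagged information elements, decodes each Supported Rates octet into its 500 kbps multiple plus the basic-rate flag, and rejects truncated frames or an IE whose length byte claims more data than the capture holds, which is the check a capture tool must do before trusting an element length. The sample frame, struct names and function names are constructed for this example.

```cpp
// Added example: decode the mandatory beacon fields and the Supported Rates IE.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

struct Rate {
    unsigned kbps;   // (octet & 0x7f) * 500 kbps
    bool basic;      // bit 7 set: basic (mandatory) rate
};

struct BeaconInfo {
    uint8_t bssid[6];
    uint64_t timestamp;     // microseconds the AP has been up
    uint16_t interval_tu;   // beacon interval in TUs (1 TU = 1024 us)
    uint16_t capability;
    std::string ssid;
    std::vector<Rate> rates;
    int channel;            // DS Parameter Set (tag 3), -1 if absent
    bool rsn;               // RSN element (tag 48) present => WPA2 advertised
};

static uint16_t le16(const uint8_t* p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t le64(const uint8_t* p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

// Returns false for anything that is not a well-formed beacon: wrong
// type/subtype, too short for the fixed fields, or a truncated IE.
bool parseBeacon(const uint8_t* f, size_t len, BeaconInfo& out) {
    const size_t HDR = 24, FIXED = 12;
    if (len < HDR + FIXED) return false;
    if (f[0] != 0x80) return false;           // type = management, subtype = beacon
    memcpy(out.bssid, f + 16, 6);             // Address 3 is the BSSID
    out.timestamp   = le64(f + 24);
    out.interval_tu = le16(f + 32);
    out.capability  = le16(f + 34);
    out.channel = -1; out.rsn = false; out.ssid.clear(); out.rates.clear();
    size_t i = HDR + FIXED;
    while (i + 2 <= len) {                    // each IE: id, length, payload
        uint8_t id = f[i], n = f[i + 1];
        const uint8_t* d = f + i + 2;
        if (i + 2 + n > len) return false;    // IE claims bytes the frame does not have
        switch (id) {
            case 0:  if (n > 32) return false;  // SSID is limited to 32 bytes
                     out.ssid.assign((const char*)d, n); break;
            case 1:  for (uint8_t k = 0; k < n; k++)
                         out.rates.push_back({(d[k] & 0x7f) * 500u, (d[k] & 0x80) != 0});
                     break;
            case 3:  if (n == 1) out.channel = d[0]; break;
            case 48: out.rsn = true; break;
            default: break;
        }
        i += 2 + n;
    }
    return true;
}

// Constructed sample frame following the layout used later in the sketch:
// open network (no RSN), 100 TU interval, 802.11b/g rates, channel 6.
static const uint8_t kSample[] = {
    0x80, 0x00, 0x00, 0x00,                            // frame control, duration
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,                // destination: broadcast
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06,                // source
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06,                // BSSID
    0x00, 0x00,                                        // fragment/sequence number
    0x83, 0x51, 0xf7, 0x8f, 0x0f, 0x00, 0x00, 0x00,    // timestamp
    0x64, 0x00,                                        // interval: 100 TU
    0x21, 0x00,                                        // capability: ESS, short preamble
    0x00, 0x18, 'T','e','s','t',' ','W','i','-','F','i',' ','P','l','e','a','s','e',' ','I','g','n','o','r','e',
    0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c,   // supported rates
    0x03, 0x01, 0x06,                                  // DS parameter set: channel 6
};

BeaconInfo sampleInfo() {
    BeaconInfo b{};
    parseBeacon(kSample, sizeof kSample, b);
    return b;
}

// Both a frame cut before the fixed fields and a frame missing the last IE byte are rejected.
bool rejectsTruncated() {
    BeaconInfo b{};
    return !parseBeacon(kSample, 30, b) && !parseBeacon(kSample, sizeof kSample - 1, b);
}

int main() {
    BeaconInfo b = sampleInfo();
    printf("SSID '%s' channel %d interval %u TU (%.1f ms) rsn=%d\n", b.ssid.c_str(),
           b.channel, b.interval_tu, b.interval_tu * 1024.0 / 1000.0, b.rsn);
    for (const Rate& r : b.rates) printf("  %u kbps%s\n", r.kbps, r.basic ? " (basic)" : "");
    return 0;
}
```

Running it prints the SSID, channel 6, 100 TU (102.4 ms) and the eight rates, the first four flagged as basic because their octets (0x82, 0x84, 0x8b, 0x96) have bit 7 set.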


You can read more in this article: https://mrncciew.com/2014/10/08/802-11-mgmt-beacon-frame/


Please follow the steps given below:

Step 1: Download and Install Arduino IDE

Step 2: Configure Arduino IDE with ESP8266

Step 3: Clone Beacon Spammer Project

We will need to download this project. You can download it as a zip from GitHub at https://github.com/spacehuhn/esp8266_beaconSpam

Or, if you use git, you can clone the repository directly:

git clone https://github.com/spacehuhn/esp8266_beaconSpam.git

Check out his website: https://spacehuhn.io/

Step 4: Compile and Flash the code in NodeMCU


Code:


Let’s Understand the Code:

1. Declaring the variables for the Wi-Fi configuration and the list of SSIDs. The sketch starts with the headers it depends on: the SDK functions wifi_set_channel, wifi_send_pkt_freedom and os_random come from user_interface.h.

    #include <Arduino.h>
    #include <ESP8266WiFi.h>
    extern "C" {
      #include "user_interface.h"
    }

    const uint8_t channels[] = {1, 6, 11}; // used Wi-Fi channels (available: 1-14)
    const bool wpa2 = false; // WPA2 networks
    const bool appendSpaces = true; // makes all SSIDs 32 characters long to improve performance

    /*
      SSIDs:
      - don't forget the \n at the end of each SSID!
      - max. 32 characters per SSID
      - don't add duplicates! You have to change one character at least
    */
    const char ssids[] PROGMEM = {
      "Mom Use This One\n"
      "Abraham Linksys\n"
      "Benjamin FrankLAN\n"
      "Martin Router King\n"
      "John Wilkes Bluetooth\n"
      "Pretty Fly for a Wi-Fi\n"
      "Bill Wi the Science Fi\n"
      "I Believe Wi Can Fi\n"
      "Tell My Wi-Fi Love Her\n"
      "No More Mister Wi-Fi\n"
      "LAN Solo\n"
      "The LAN Before Time\n"
      "Silence of the LANs\n"
      "House LANister\n"
      "Winternet Is Coming\n"
      "Ping’s Landing\n"
      "The Ping in the North\n"
      "This LAN Is My LAN\n"
      "Get Off My LAN\n"
      "The Promised LAN\n"
      "The LAN Down Under\n"
      "FBI Surveillance Van 4\n"
      "Area 51 Test Site\n"
      "Drive-By Wi-Fi\n"
      "Planet Express\n"
      "Wu Tang LAN\n"
      "Darude LANstorm\n"
      "Never Gonna Give You Up\n"
      "Hide Yo Kids, Hide Yo Wi-Fi\n"
      "Loading…\n"
      "Searching…\n"
      "VIRUS.EXE\n"
      "Virus-Infected Wi-Fi\n"
      "Starbucks Wi-Fi\n"
      "Text ###-#### for Password\n"
      "Yell ____ for Password\n"
      "The Password Is 1234\n"
      "Free Public Wi-Fi\n"
      "No Free Wi-Fi Here\n"
      "Get Your Own Damn Wi-Fi\n"
      "It Hurts When IP\n"
      "Dora the Internet Explorer\n"
      "404 Wi-Fi Unavailable\n"
      "Porque-Fi\n"
      "Titanic Syncing\n"
      "Test Wi-Fi Please Ignore\n"
      "Drop It Like It’s Hotspot\n"
      "Life in the Fast LAN\n"
      "The Creep Next Door\n"
      "Ye Olde Internet\n"
    };
2. Declaring the run-time variables and defining the beacon frame, laid out as discussed above: MAC header, fixed parameters, then the tagged parameters.

    // run-time variables
    char emptySSID[32];
    uint8_t channelIndex = 0;
    uint8_t macAddr[6];
    uint8_t wifi_channel = 1;
    uint32_t currentTime = 0;
    uint32_t packetSize = 0;
    uint32_t packetCounter = 0;
    uint32_t attackTime = 0;
    uint32_t packetRateTime = 0;

    // beacon frame definition
    uint8_t beaconPacket[109] = {
      /*  0 - 3  */ 0x80, 0x00, 0x00, 0x00, // Frame control: management beacon frame; duration 0
      /*  4 - 9  */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // Destination: broadcast
      /* 10 - 15 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // Source
      /* 16 - 21 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // BSSID (same as source)

      // Fixed parameters
      /* 22 - 23 */ 0x00, 0x00, // Fragment & sequence number (filled in by the SDK)
      /* 24 - 31 */ 0x83, 0x51, 0xf7, 0x8f, 0x0f, 0x00, 0x00, 0x00, // Timestamp
      /* 32 - 33 */ 0xe8, 0x03, // Interval: 0x64, 0x00 => 100 TU (~100 ms); 0xe8, 0x03 => 1000 TU (~1 s)
      /* 34 - 35 */ 0x31, 0x00, // Capability information

      // Tagged parameters

      // SSID parameters
      /* 36 - 37 */ 0x00, 0x20, // Tag: SSID, Tag length: 32
      /* 38 - 69 */ 0x20, 0x20, 0x20, 0x20,
      0x20, 0x20, 0x20, 0x20,
      0x20, 0x20, 0x20, 0x20,
      0x20, 0x20, 0x20, 0x20,
      0x20, 0x20, 0x20, 0x20,
      0x20, 0x20, 0x20, 0x20,
      0x20, 0x20, 0x20, 0x20,
      0x20, 0x20, 0x20, 0x20, // SSID (32 spaces, overwritten in loop())

      // Supported Rates
      /* 70 - 71 */ 0x01, 0x08, // Tag: Supported Rates, Tag length: 8
      /* 72 */ 0x82, // 1(B)
      /* 73 */ 0x84, // 2(B)
      /* 74 */ 0x8b, // 5.5(B)
      /* 75 */ 0x96, // 11(B)
      /* 76 */ 0x24, // 18
      /* 77 */ 0x30, // 24
      /* 78 */ 0x48, // 36
      /* 79 */ 0x6c, // 54

      // Current Channel
      /* 80 - 81 */ 0x03, 0x01, // Tag: DS Parameter Set, Tag length: 1
      /* 82 */      0x01,       // Current Channel

      // RSN information (only sent when wpa2 is true)
      /*  83 -  84 */ 0x30, 0x18, // Tag: RSN, Tag length: 24
      /*  85 -  86 */ 0x01, 0x00, // RSN version 1
      /*  87 -  90 */ 0x00, 0x0f, 0xac, 0x02, // Group cipher suite: TKIP
      /*  91 -  92 */ 0x02, 0x00, // Pairwise cipher suite count: 2
      /*  93 - 100 */ 0x00, 0x0f, 0xac, 0x04, 0x00, 0x0f, 0xac, 0x04, // Pairwise cipher suites: CCMP (fix: changed 0x02 (TKIP) to 0x04 (CCMP), since WPA2 with TKIP is not supported by many devices)
      /* 101 - 102 */ 0x01, 0x00, // AKM suite count: 1
      /* 103 - 106 */ 0x00, 0x0f, 0xac, 0x02, // AKM suite: PSK
      /* 107 - 108 */ 0x00, 0x00 // RSN capabilities
    };
3. After one sweep over the SSID list on the current channel, move to the next channel in the list.

    // goes to next channel
    void nextChannel() {
      if(sizeof(channels) > 1){
        uint8_t ch = channels[channelIndex];
        channelIndex++;
        // wrap at sizeof(channels); with '>' the index could reach sizeof(channels)
        // and the next call would read one element past the end of the array
        if (channelIndex >= sizeof(channels)) channelIndex = 0;

        if (ch != wifi_channel && ch >= 1 && ch <= 14) {
          wifi_channel = ch;
          wifi_set_channel(wifi_channel);
        }
      }
    }
4. Generate a random MAC address; it is used as the source address and BSSID of the beacon frames (the last byte is later replaced by the SSID number).

    // generates random MAC
    void randomMac() {
      for (int i = 0; i < 6; i++)
        macAddr[i] = random(256);
    }
5. In setup() we fill the empty SSID buffer with spaces, seed the random generator, set the packet size (dropping the 26-byte RSN element and clearing the Privacy bit of the capability field when wpa2 is false), generate a random MAC address and configure the Wi-Fi radio.

    void setup() {
      // create empty SSID
      for (int i = 0; i < 32; i++)
        emptySSID[i] = ' ';

      // for random generator
      randomSeed(os_random());

      // set packetSize
      packetSize = sizeof(beaconPacket);
      if (wpa2) {
        beaconPacket[34] = 0x31; // capability with Privacy bit set
      } else {
        beaconPacket[34] = 0x21; // capability without Privacy bit
        packetSize -= 26;        // drop the RSN element (2 + 24 bytes)
      }

      // generate random mac address
      randomMac();

      // start serial
      Serial.begin(115200);
      Serial.println();

      // get time
      currentTime = millis();

      // start WiFi
      WiFi.mode(WIFI_OFF);
      wifi_set_opmode(STATION_MODE);

      // set channel
      wifi_set_channel(channels[0]);

      // print out saved SSIDs
      Serial.println("SSIDs:");
      int i = 0;
      int len = sizeof(ssids);
      while(i < len){
        Serial.print((char)pgm_read_byte(ssids + i));
        i++;
      }

      Serial.println();
      Serial.println("Started \\o/");
      Serial.println();
    }

6. In loop(), every 100 ms: switch to the next channel, then for each SSID in the list set the MAC address (last byte = SSID number) and write it into the frame, write the SSID into the frame, set the channel byte and send the frame three times. When appendSpaces is false, a trimmed copy of the frame with the exact SSID length is built, sent and then freed.

    void loop() {
      currentTime = millis();

      // send out SSIDs
      if (currentTime - attackTime > 100) {
        attackTime = currentTime;

        // temp variables
        int i = 0;
        int j = 0;
        int ssidNum = 1;
        char tmp;
        int ssidsLen = strlen_P(ssids);
        bool sent = false;

        // go to next channel
        nextChannel();

        while (i < ssidsLen) {
          // read out next SSID
          j = 0;
          do {
            tmp = pgm_read_byte(ssids + i + j);
            j++;
          } while (tmp != '\n' && j <= 32 && i + j < ssidsLen);

          uint8_t ssidLen = j - 1;

          // set MAC address
          macAddr[5] = ssidNum;
          ssidNum++;

          // write MAC address into beacon frame
          memcpy(&beaconPacket[10], macAddr, 6);
          memcpy(&beaconPacket[16], macAddr, 6);

          // reset SSID
          memcpy(&beaconPacket[38], emptySSID, 32);

          // write new SSID into beacon frame
          memcpy_P(&beaconPacket[38], &ssids[i], ssidLen);

          // set channel for beacon frame
          beaconPacket[82] = wifi_channel;

          // send packet
          if(appendSpaces){
            for(int k=0;k<3;k++){
              packetCounter += wifi_send_pkt_freedom(beaconPacket, packetSize, 0) == 0;
              delay(1);
            }
          }

          // remove spaces
          else {
            uint16_t tmpPacketSize = (packetSize - 32) + ssidLen; // calc size
            uint8_t* tmpPacket = new uint8_t[tmpPacketSize]; // create packet buffer
            memcpy(&tmpPacket[0], &beaconPacket[0], 38 + ssidLen); // copy first half of packet into buffer
            tmpPacket[37] = ssidLen; // update SSID length byte
            memcpy(&tmpPacket[38 + ssidLen], &beaconPacket[70], wpa2 ? 39 : 13); // copy second half of packet into buffer

            // send packet
            for(int k=0;k<3;k++){
              packetCounter += wifi_send_pkt_freedom(tmpPacket, tmpPacketSize, 0) == 0;
              delay(1);
            }

            delete[] tmpPacket; // free memory of allocated buffer (allocated with new[], so delete[] is required)
          }

          i += j;
        }
      }

      // show packet-rate each second
      if (currentTime - packetRateTime > 1000) {
        packetRateTime = currentTime;
        Serial.print("Packets/s: ");
        Serial.println(packetCounter);
        packetCounter = 0;
      }
    }
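The six steps above also tell a defender what such traffic looks like on the air. As an added example (not part of the original post or of the esp8266_beaconSpam project), here is a host-side triage routine over already-decoded beacon observations, the kind of records a wireless IDS or a capture export produces. It scores three fingerprints that follow directly from the sketch: (1) many BSSIDs that differ only in the last octet (macAddr[5] = ssidNum), each advertising a different SSID; (2) a timestamp field that never advances between beacons of the same BSSID (the sketch sends a constant timestamp); (3) SSIDs padded with spaces to exactly 32 bytes (appendSpaces = true). The record layout, thresholds, function names and the sample capture are constructed for this example.

```cpp
// Added example: flag beacon-spam clusters in decoded beacon observations.
#include <algorithm>
#include <array>
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

struct Obs {                       // one decoded beacon, in capture order
    std::array<uint8_t, 6> bssid;  // Address 3 of the frame
    std::string ssid;              // raw SSID bytes, not trimmed
    uint64_t timestamp;            // 8-byte timestamp field (microseconds)
};

struct Finding {
    std::array<uint8_t, 5> prefix; // first five BSSID octets shared by the group
    int bssids;                    // distinct BSSIDs in the group
    int ssids;                     // distinct SSIDs in the group
    int frozenTimestamps;          // BSSIDs seen 2+ times whose timestamp never changed
    int paddedSsids;               // distinct 32-byte SSIDs ending in a space
    bool suspicious;
};

// Threshold is an assumption for this example: one vendor prefix with this
// many APs, each advertising its own SSID, is unusual in one capture window.
static const int kMinGroup = 8;

std::vector<Finding> triage(const std::vector<Obs>& obs) {
    std::map<std::array<uint8_t, 5>, std::vector<const Obs*>> groups;
    for (const Obs& o : obs) {
        std::array<uint8_t, 5> p;
        std::copy(o.bssid.begin(), o.bssid.begin() + 5, p.begin());
        groups[p].push_back(&o);
    }
    std::vector<Finding> out;
    for (const auto& g : groups) {
        std::set<std::string> ssids, padded;
        std::map<std::array<uint8_t, 6>, std::set<uint64_t>> stamps; // distinct timestamps per BSSID
        std::map<std::array<uint8_t, 6>, int> seen;                  // observations per BSSID
        for (const Obs* o : g.second) {
            ssids.insert(o->ssid);
            stamps[o->bssid].insert(o->timestamp);
            seen[o->bssid]++;
            if (o->ssid.size() == 32 && o->ssid.back() == ' ') padded.insert(o->ssid);
        }
        int frozen = 0;
        for (const auto& s : stamps)
            if (seen[s.first] >= 2 && s.second.size() == 1) frozen++;   // a real AP's clock advances
        Finding f{g.first, (int)stamps.size(), (int)ssids.size(), frozen, (int)padded.size(), false};
        // Fingerprint (1) alone is enough; (2) and (3) together corroborate smaller groups.
        f.suspicious = (f.bssids >= kMinGroup && f.ssids >= kMinGroup) ||
                       (f.bssids >= 2 && f.frozenTimestamps == f.bssids && f.paddedSsids >= 2);
        out.push_back(f);
    }
    return out;
}

// Constructed capture: ten spoofed BSSIDs mirroring the sketch (same first five
// octets, last octet = SSID index, constant timestamp, 32-byte SSIDs, seen in
// two sweeps) plus one ordinary AP whose timestamp advances by 100 TU per beacon.
std::vector<Obs> sampleCapture() {
    std::vector<Obs> v;
    const char* names[] = {"LAN Solo", "Wu Tang LAN", "Planet Express", "Ye Olde Internet",
                           "Porque-Fi", "Titanic Syncing", "It Hurts When IP", "House LANister",
                           "The Promised LAN", "Get Off My LAN"};
    for (int sweep = 0; sweep < 2; sweep++)
        for (int n = 0; n < 10; n++) {
            std::string s = names[n];
            s.resize(32, ' ');                                  // appendSpaces behaviour
            v.push_back({{0x01, 0x02, 0x03, 0x04, 0x05, (uint8_t)(n + 1)}, s, 0x0F8FF75183ULL});
        }
    for (int k = 0; k < 3; k++)
        v.push_back({{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, "HomeNet", 5000000ULL + k * 102400ULL});
    return v;
}

int main() {
    for (const Finding& f : triage(sampleCapture()))
        printf("%02x:%02x:%02x:%02x:%02x:xx bssids=%d ssids=%d frozen=%d padded=%d %s\n",
               f.prefix[0], f.prefix[1], f.prefix[2], f.prefix[3], f.prefix[4],
               f.bssids, f.ssids, f.frozenTimestamps, f.paddedSsids,
               f.suspicious ? "SUSPICIOUS" : "ok");
    return 0;
}
```

On the constructed capture the 01:02:03:04:05:xx group is reported with ten BSSIDs, ten SSIDs, ten frozen timestamps and ten padded SSIDs, while the single HomeNet AP is reported as ok. The prefix grouping is what makes the sketch's MAC scheme visible; a spammer that randomised the whole address would still trip the frozen-timestamp and padding checks, and those are worth keeping separate because each corresponds to a distinct choice in the code above.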

Output:

WiFi Beacon Spam Reviewed by Avotrix.Author on Thursday, October 22, 2020 Rating: 5
