Long time ago I ordered several ESP8266 modules (ESP-201) for my yet-to-be-made home automation system. Not long before that time I had Wi-Fi security related project on "big" PCs. Which inevitably brought me to well known Kali system. So, idea to use tiny ESP8266s for wireless penetration tests come to my mind immediately after I had them on my table. But quick look through early version of Espressif SDK doesn't reveal any "hacker friendly" functions. So, I focused on other applications.
Some time ago I, as a faithful Hackaday RSS feed subscriber, read article about packet injection on ESP8266. This article finally gave me last part of the puzzle and plan for the weekend.
My hardware setup consists of ESP module, mini DC-DC converter (D-SUN), pin headers, jumper, 9V battery plug and four 4k7 resistors.
Plug for 9V battery can be salvaged from old, discharged battery. Connections between plug and DC converter, and between converter and pin headers are from thick solid iron wire. This makes construction solid and easy to handle. Resistors are connected as required by my ESP module: CHIP, RST -> PullUp; io15 -> PullDown. io0 connected to small 3 pins male header at the side of the assembly. If you put the jumper and pull io0 to ground, you can flash module via TTL level serial cable.
Without jumper, module boots into the "battle" mode. It still outputs some diagnostic messages over serial port, even if there is nothing connected to receive them. As a bonus, small blinking LED connected to serial lines on surface of ESP module shows that something is going on and software is still running :-)
I use Arduino IDE (1.6.7), because it can work with all boards I have in my inventory. Also it is multi-platform, I can easily start project on Windows and finish on Linux. I am definitely missing code completion and editor tools from my "working horse" - MS VS, but for the small scale projects it doesn't matter much.
I started with code from original article, but first adopted it for Arduino project, and finally replaced nearly everything, looking with one eye onto the MDK3 source code. My code have couple of strange things, some fixes I made looking at test results, without deep understanding and reading standards. First - I do not have time for complete analysis, and second, let's face the truth, I can't see many usages for this code except to show it to my friends.
Below is the screenshot from wired Kali system which I use for monitoring. You can see how ping to my phone connected over Wi-Fi was terminated after ~10 seconds after I attached battery to assembly. Also you can see Deauthentication packets in Wireshark dump.
Work of software is rather simple. It receives & parses Beacons, Data and QoS frames on given channel. Software keeps lists of discovered Access Points and Clients. If Software doesn't encounter any new AP or Client for 200ms, it starts "deauth" procedure, disconnecting all clients discovered on this channel from corresponding APs. Then software goes to new channel.
Different devices behave differently in response to this attack. One of my phones goes permanently offline, and another manages to reconnect quickly, while software checking other channels. There are several options I can suggest for people who would like to have more stable effect:
- At some moment stop scanning and only quickly hop over channels with DeAuth procedure.
- Play with time constants and packet numbers, to find better combination.
- Buy 14 ESP modules for every Wi-Fi channel :-)
There is a catch with Espressif SDK versions and "wifi_send_pkt_freedom" function. As it is mentioned here, "....wifi_send_pkt_freedom can't send management packets and encrypted packets, beacon is one kind of the management packets. We add this limitation because it may effect other devices......"
BUT, this fix is applied by Espressif only in latest versions of SDK. In the SDK version 1.3.0 "freedom" function was already present, but without limitations. You only may...Read more »