Second Floor

A continuation of the story of the device for testing the deauthentication attack on a Wi-Fi network.

Having played with the prototype from the previous project, I realized that its effectiveness was still not sufficient. The last straw was my son’s smartphone, which reconnected so quickly that it was not clear at all what the point was.
But we are not used to giving up 🙂
After thinking it over, I came up with a new way of improving the system: with the help of a second ESP8266 module.
The idea is to divide the system into two parts. One module continuously scans for client devices and access points and transmits the results to the second module over the serial port. The second module sends out deauthentication frames as quickly as possible, with its list being constantly updated.

Hardware

Two ESP modules are mounted on longer strips and connected to a single voltage converter. In general, everything is the same as in the previous device. Additionally, the Tx of the serial port of one module is connected to the Rx of the other (the ground is already common), so the port operates in simplex mode. Which module is the first and which is the second does not matter: the program is the same for both (see below).

On the minus side, the battery life has decreased. I did not measure it exactly, but it feels like about an hour. I had to switch to a bench power supply for debugging.

Software

Naturally, I am too lazy to write two programs, so there is only one. After power-on, each module transmits a sequence of 0xFF bytes for about 3 seconds. Only one of them (the future Jammer) receives it, since there is simply no wire in the other direction. This is how the modules work out which of them will be the Scanner and which the Jammer. As a bonus, the Jammer’s transmit line is left unused, and it can be used to output debug information.

The Scanner searches for access points and clients on each channel. Having found a new client on the current channel, it sends its main information to the Jammer: the channel number, the MAC addresses, and the sequence number of the last packet. If no new packets arrive for about 200 milliseconds, the Scanner moves to the next channel. At the same time, the client counter is reset so that all clients found are sent to the Jammer again.

The protocol between the modules is as simple as possible: 15 bytes are transmitted per client. Initial synchronization relies on the fact that the first byte of a packet, the channel number, must be from 1 to 14 and never 0xFF, which the Scanner sends for 3 seconds. In principle, the same rule could also be used for resynchronization in the future if errors appear on the link (which is unlikely, given the wiring).

The Jammer checks the port and, if there is something new, adds it to or updates the list. Then it disconnects everyone already registered on this channel and moves on to the next channel.

As a result, the suppression speed has increased many times over. The device stably disconnects two smartphones, a laptop and a printer in two adjacent rooms from Wi-Fi.
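From the other side of the fence: a device like the one described above announces itself on the air as a burst of deauthentication (and disassociation) frames, sent in the access point’s name, that never stops. The following is an added example written for this page, not part of the project on Github, showing the detection logic a wireless IDS would apply to a monitor-mode capture. The frame tuples are constructed sample data, and the threshold and window values are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# 802.11 management-frame subtypes relevant here.
BEACON = 8
DISASSOC = 10
DEAUTH = 12

# Constructed sample observations (not a real capture). Each entry is
# (time_s, channel, subtype, transmitter, receiver). A jammer sends deauth
# frames with the access point's address as transmitter, so the AP is the
# "source" seen on the air. MACs are locally administered and made up.
AP1, AP2, AP3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
C1, C2, C3, C4 = "02:00:00:00:00:11", "02:00:00:00:00:12", "02:00:00:00:00:13", "02:00:00:00:00:14"
BCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = [
    (0.00, 1, BEACON, AP1, BCAST),
    # flood on channel 1: six deauths in 250 ms, all "from" AP1 to client C1
    (0.10, 1, DEAUTH, AP1, C1), (0.15, 1, DEAUTH, AP1, C1), (0.20, 1, DEAUTH, AP1, C1),
    (0.25, 1, DEAUTH, AP1, C1), (0.30, 1, DEAUTH, AP1, C1), (0.35, 1, DEAUTH, AP1, C1),
    (1.00, 6, BEACON, AP2, BCAST),
    # flood on channel 6 after the jammer hopped: six deauths "from" AP2 to C3
    (1.10, 6, DEAUTH, AP2, C3), (1.15, 6, DEAUTH, AP2, C3), (1.20, 6, DEAUTH, AP2, C3),
    (1.25, 6, DEAUTH, AP2, C3), (1.30, 6, DEAUTH, AP2, C3), (1.35, 6, DEAUTH, AP2, C3),
    # two isolated deauths on channel 11: a legitimate AP may send these
    (3.00, 11, DEAUTH, AP3, C4), (3.90, 11, DISASSOC, AP3, C4),
    # a single late deauth on channel 6: benign on its own
    (5.00, 6, DEAUTH, AP2, C2),
]


def detect_deauth_floods(frames, window_s=1.0, threshold=5):
    """Sliding-window flood detector.

    Keeps, per (transmitter, channel), the timestamps of deauth/disassoc frames
    seen in the last `window_s` seconds and raises one alert per key the first
    time the count reaches `threshold`. Returns a list of alert dicts in the
    order they fired. Frames are processed in time order regardless of input order.
    """
    recent = defaultdict(deque)  # (transmitter, channel) -> deque of timestamps
    victims = defaultdict(set)   # (transmitter, channel) -> receivers targeted
    alerted = set()
    alerts = []
    for t, ch, subtype, tx, rx in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        key = (tx, ch)
        q = recent[key]
        q.append(t)
        victims[key].add(rx)
        # drop timestamps that have fallen out of the window
        while q and t - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "transmitter": tx,
                "channel": ch,
                "count": len(q),
                "start": q[0],
                "end": t,
                "targets": sorted(victims[key]),
            })
    return alerts


def channels_under_attack(alerts):
    """Distinct channels with at least one flood alert, sorted ascending."""
    return sorted({a["channel"] for a in alerts})


if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood: ch {a['channel']} from {a['transmitter']} "
              f"({a['count']} frames in {a['end'] - a['start']:.2f}s) -> {a['targets']}")
    print("channels affected:", channels_under_attack(detect_deauth_floods(SAMPLE_FRAMES)))
```

On the sample above, the two bursts are reported (channels 1 and 6), while the isolated frames on channel 11 and the late frame on channel 6 stay below the threshold. A scanner-plus-jammer pair like this one walks every channel in turn, so the per-channel alerts tend to appear one after another across the band, which is itself a useful indicator. Detection only tells you it is happening; the fix on the network side is Protected Management Frames (802.11w), which makes clients ignore unauthenticated deauthentication frames where both AP and clients support it.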

Modding

From the very beginning, I was bothered by the bent wire antennas of the modules. Now there are two of them, uncomfortably close to each other. The system has also become mechanically not very stable.

This is how the “No-Wi-Fi-Coctail-Party-Edition” mod appeared. I think you can guess where the tubes came from. The antennas are now located on the same axis, which, I hope, should reduce their mutual influence (“dipole field” and so on :-))

A small magnet is attached to the battery; it holds the assembly on any vertical metal surface.

Project on Github
