Being a Wi-Fi Jerk with the ESP8266 NodeMCU and esp8266_deauther
Introduction to the ESP8266 NodeMCU
I generally try to keep the posts on this page constructive, but every once in a while you just need to have some malicious fun. Honestly, this little device could have some legitimate uses as well, but I’ll leave that up to your imagination.
The NodeMCU is a small device, about the size of two US quarters side by side, that is centered around the ESP8266 Wi-Fi chip. These boards are being touted as “Wi-Fi development boards,” mostly for “IOT” devices. They can be powered by a standard microUSB cable at 5V, and can run on one of those small 2200 mAh cell phone chargers for quite a long time. Best of all, the boards cost less than $4 shipped from China, on eBay. It should be noted that these devices are 2.4 GHz only.
The boards run embedded code, not a full OS, so programming one isn’t the simplest thing in the world. Thankfully, there’s an open source project called esp8266_deauther. They offer a pre-combiled .bin file that can be flashed on to the unit with one of many free utilities, which they outline on their project page.
If you aren’t familiar, deauthenticating is the process of sending deauthentication management frames to all or some of the clients on a Wi-Fi network. These frames tell them to disassociate from the AP that they’re currently connected to, and causes them to go offline. While this isn’t technically illegal, since you aren’t connecting to anyone else’s system and are just broadcasting frames on unregulated frequencies, it’s kind of a jerk thing to do. Here are some practical examples of where you would do this:
- Knocking Wi-Fi security cameras offline.
- Kicking a specific client from a Wi-Fi network and prevent them from reconnecting.
- Spamming all clients on an SSID with deauth frames to keep them from being productive.
- Disconnecting IOT devices from the Internet or a local network to prevent them from functioning.
- Disconnecting Wi-Fi radios from a LAN with location tracking to keep their location from being identified.
- Kicking clients from an identified rogue AP to keep them from doing harm while you locate said AP.
- And so much more…
With this knowledge comes great power. Don’t use it for evil.
In this article I’ll show you how to have some fun with esp8266_deauther, but first we need to flash the latest version on to the NodeMCU.
Flashing the esp8266_deauther Image
The project page lists 3 utilities for flashing. The first is Windows only and is pre-compiled. The second two are also available for macOS and Linux and require you to compile them. There are a bunch of tutorials on how to flash the NodeMCU with the Windows flasher, so we’ll do it in Kali with esptool.
- Download the latest .bin file from this site. If you purchase one of the NodeMCU units I linked to above, the 1MB image will work fine. Put it in your present working directory.
- Open a shell on your Kali machine and use the following command to install esptool.py.
pip install esptool
- Connect the NodeMCU to your machine with a microUSB cable and run dmesg in a terminal. The last line should read something like “ch341-uart converter now attached to ttyUSB0.” Keep the device name (ttyUSB0 in my case) in mind, since we’ll use it as a parameter when we flash.
- Run this command to flash the device: (Replace ttyUSB0 with the appropriate device.)
esptool.py -c esp8266 -p /dev/ttyUSB0 -b 230400 write_flash 0x0000 esp8266_deauther_1mb.bin -ff 80m -fs 4MB -fm qio
The device should flash quickly. Mine took just over 15 seconds. After flashing is complete, the device will restart and we’ll be ready to go.
Connecting to the esp8266_deauther NodeMCU
At this point you can optionally disconnect the device from your Kali machine’s USB port, and power it however you choose. If you want to power it using a PC USB port that’s fine too, but you can also power it with portable USB chargers, or even a AC to microUSB adapter.
The device will start broadcasting the SSID pwned. It’s protected with a WPA2 pre-shared key of deauther. You can connect to the device using anything with a browser, which is nice because you can have the NodeMCU running in a backpack with battery power and control it from your phone.
Once you’re connected to the ad-hoc Wi-Fi network, open a browser and go to 192.168.4.1. You’ll have to agree to a disclaimer upon visiting the page.
After agreeing to the disclaimer, you can go in to the Settings tab and change the SSID to something a bit more innocuous. You can also change the WPA2 password, and many other settings. When you’re done changing settings, be sure to scroll to the bottom of the page and click Save. Changes aren’t saved automatically.
Understanding the esp8266_deauther Workflow
To understand how to use the interface of esp8266_deauther, you need to know how the workflow typically goes. Typically you’ll start on the APs tab and scan for access points, select the ones you want to target, then optionally move to the Stations tab and scan for stations (connected nodes) on those access points, and then choose the Attacks tab and launch a given type of attack against a selected AP and/or Station.
I’ll outline all of the available attacks below and go step-by-step through the workflow for each.
Attack 1. Deauthing a Specific AP(s)
In my experience this attack is generally not very effective but it can be done. Depending on if or not the AP in question supports 802.11w, which is designed to encrypt management frames and ignore management frames in clear text. Many commercial grade APs today have 802.11w support. Most consumer APs do not.
Click on the APs tab and then click the Scan button. This will provide a list of APs within range, their signal strength, and allow you to select one or more of them.
Click the Attacks tab and then click the Start button next to Deauth. You will get a visual cue when the attack has started. You can stop the attack by pressing the Stop button.
Attack 2. Deauthing a Specific Station(s)
Scan for an select an AP(s) on the APs tab as we did in the previous attack. Click the Stations tab and select the Start button. The device will scan for connected stations for the time specified (20 seconds is the default).
Scanning can sometimes disassociate you from the SSID, so you may have to reconnect and will have to refresh the browser page to see the list of clients. Wait 20 seconds and attempt to refresh the page. If it doesn’t refresh, ensure you’re connected to the correct SSID.
When the scan is complete it will result in a list of stations that are connected to the AP(s) that you selected on the APs tab. You can now select one or more of the stations, and then choose the Attacks tab. Click the Start button next to Deauth. Deauthentication attacks will now be performed against the specific stations.
Attack 3. AP Cloning
Scan for and select an AP(s) on the APs tab as we have done before. Click the Attacks tab and click the Clone button near the top.
Scroll down on the Attack tab and you’ll see a list of 8 “clone” APs with the same SSID and authentication type. Click Save at the bottom of the page.
Scroll up and click the Start button next to Beacon. The device will immediately begin spamming the cloned SSIDs, which will result in a bunch of duplicate SSIDs when someone is searching for an AP to connect to. You can create up to 48 of these fake SSIDs and broadcast them at once.
You can’t do much with the traffic with this specific device (no man in the middle or anything fun like that). It’s basically just an annoyance, since clients won’t know which of the cloned listings is the real AP, unless they’ve previously authentication with that AP before (in which case they’ll simply auto-connect).
To clear the fake SSIDs from the list, click Stop to stop the attack, and tap the Clear button and then the Save button at the bottom of the page. All of the fake SSIDs should disappear from the list.
Attack 4. Fake AP Flooding
This is probably the most fun you can have with the device, and is similar to the last attack, but the SSID names being broadcast aren’t clones of real APs. Manually creating fake APs doesn’t require you to do any scanning before hand, just select the Attacks tab and scroll down to the section that says “SSID” and “Number of Clones.”
In the text field under SSID, you can specify the name of any SSID you want, provide a quantity, and then click the Add button to add it to the list. This can be extremely fun for pranking purposes, and unlike the 3 above attacks, isn’t very malicious. You can specify any number of funny SSIDs to just randomly broadcast. “FBI VAN” is a fun one. “ICE Enforcement” could draw some attention too. Be creative. You can broadcast up to 48 fake SSIDs at once.
If you change the quantity in the Number of Clones field before clicking Add you can create multiple SSIDs with the same name. Once you’re done creating SSIDs, click the Save button at the bottom of the page, and then scroll up and click the Start button next to Beacon to start flooding fake beacons.
The ESP8266 NodeMCU is a fun little device that is very cheap. In addition to the above, the device can be used for a variety of projects, so if you pick one up for a few bucks you aren’t just limited to Wi-Fi deauthing. Using the instructions above you can flash a number of fun project images to the device, and hundreds of pre-made projects are just a web search away.
If you enjoyed this tutorial and would like to see more, please feel free to share this article on social media, comment below letting me know what else you’d like to see, and follow me on Twitter @JROlmstead.