I realise that this question has been touched on before here. However, none of the solutions suggested solved my question and they all fail to answer the overarching question of how to send all types of Wi-Fi management frames. Whilst Kismac2, aireplay-ng and scapy are mentioned, none of the previous answers solved my problem.

My aim is to be able to send de-authentication frames (and other management frames as well if possible) from the command line.

Whilst aireplay-ng is supposedly available for Mac, after running it, it actually does nothing. I feel that this is the same problem that many other Mac users have experienced. Furthermore, scapy seems to have the same sort of issues (possibly due to the difficulty of putting an OSX Wi-Fi interface into monitor mode?).

A solution like scapy would be great as it would allow me to send other management frames too, like beacon frames. Finally, Kismac2 is not preferable as it has a GUI and I just want a simple, command-line-based, method of sending out these frames.

P.S. A tool which works for me for sending deauths is JamWiFi. But once again, it is GUI based. However, I would be interested to know how exactly that tool is able to send out the frames.

Rocco
  • `after running it, it actually does nothing` have you sniffed this? Are you sure the problem is on your Mac? Maybe it's on the "Victim" and you're doing it wrong. Have you captured the packets exiting the selected interface and proved that it actually does nothing? Try Wireshark. – Azteca Sep 11 '18 at 20:07
  • @Azteca Thanks for your response; as I said in my original question, I am successfully able to send deauth packets with JamWiFi (they appear in Wireshark) which will force the "Victim" to disconnect but there is no method I can find so far to send deauth packets (and other management frames) from the command line on Mac which is what I am asking for assistance with. – Rocco Sep 12 '18 at 13:31
  • Have you tried using scapy? There are likely some examples of deauths online. – multithr3at3d Apr 13 '20 at 00:19

1 Answer

Seems like you're asking how JamWIFI sends a disassociation packet rather than anything else, so I'll answer that. Firstly, looking at the Git repo we see the following:

libpcap provides a good point of abstraction for sending/receiving raw 802.11 frames at the MAC layer

This is the first half of the answer to your question: he's using libpcap. If you haven't heard of it before, it is a very large packet capture library, but it can also do a bunch more; here's the documentation.

The second half of the answer to your question lies in the code. I am by no means an Objective-C or C dev; however, if you take a look inside ANClientKiller.m we get an idea of how it sends a de-authentication request. Starting at the top of the code, we have the request itself defined as:

/* 26-byte 802.11 deauthentication frame template, byte by byte:
   C0 00   frame control (management frame, subtype 12 = deauthentication)
   3A 01   duration
   CC x6   address 1 (destination; overwritten below with the client MAC)
   BB x6   address 2 (source; overwritten below with the BSSID)
   BB x6   address 3 (BSSID; overwritten below with the BSSID)
   00 00   sequence control
   07 00   reason code 7 (little-endian) */
#define DEAUTH_REQ \
"\xC0\x00\x3A\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB" \
"\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00"

You might be wondering what this packet does, so I'll tell you. The above packet is effectively an announcement which states that the receiver is no longer authenticated. Once this is sent, it causes the de-authentication, ironically in an attempt to re-authenticate. The trick here is that the request must be accepted and it must take immediate effect. That's all there really is to it. This is the same way that de-authentication takes place in Aircrack-ng, as well as other tools; well, using the same packet at least.

As far as actually sending this packet goes, that is a bit more language specific. If you look further down the code you'll notice the following:

- (AN80211Packet *)deauthPacketForBSSID:(const unsigned char *)bssid client:(const unsigned char *)client {
    char deauth[26];
    memcpy(&deauth[0], DEAUTH_REQ, 26);   // start from the 26-byte template above
    memcpy(&deauth[4], client, 6);        // offset 4:  address 1 (destination) = client MAC
    memcpy(&deauth[10], bssid, 6);        // offset 10: address 2 (source) = BSSID
    memcpy(&deauth[16], bssid, 6);        // offset 16: address 3 (BSSID) = BSSID
    AN80211Packet * packet = [[AN80211Packet alloc] initWithData:[NSData dataWithBytes:deauth length:26]];
    return packet;
}

This is where you'll need to read up about memcpy if you're wondering about the specifics. Basically, this bit of code is preparing the packet to be sent.

Using memcpy it is taking the bytes from DEAUTH_REQ and copying the exact number of bytes to the destination. Once this is done we return the packet now with the DEAUTH_REQ inside it, as well as the BSSID (MAC address of the access point) and the client. This packet is now ready to be sent for a de-authentication to take place. If you were to keep sending this packet, you would keep de-authenticating the client from the access point to which they're connected.

You'll notice I have not included the code where the packet actually gets sent. This is because that entirely depends on what language you are using to achieve this and what library, and so there are too many specifics/nuances.

Hopefully that answers your question. If you would like to implement this yourself in another language, you could more or less take the code from JamWIFI, only changing the nuances of your language, and it would work, regardless of being on a Mac. There are plenty of Wi-Fi client de-authentication implementations online already, so you wouldn't need to re-invent the wheel.
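To make the byte layout in the answer concrete, here is an added example (not JamWiFi's code and not from the original post) that builds the same 26-byte deauthentication frame in pure Python, decodes it back into its fields, and checks that the bytes match the DEAUTH_REQ template above once the BB/CC placeholder addresses are filled in. The MAC addresses used are made up, the `radiotap_wrap` helper is an assumption about what a monitor-mode injection path expects rather than something the page states, and the actual send step is left out, exactly as the answer leaves it out.

```python
"""Build and decode the 26-byte 802.11 deauthentication frame JamWiFi sends.

Added example for the answer above; it is not JamWiFi's code. Only the frame
bytes are produced here. Injecting them (pcap_inject on a monitor-mode
interface, or any other library) is library-specific and deliberately omitted.
"""
import struct

# The template from ANClientKiller.m, reproduced here so we can compare.
JAMWIFI_DEAUTH_REQ = (
    b"\xC0\x00\x3A\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB"
    b"\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00"
)

# Frame control: protocol version 0 (bits 0-1), type 0 = management (bits 2-3),
# subtype 12 = deauthentication (bits 4-7), flags byte 0. On the wire: C0 00.
FC_DEAUTH = 0x00C0
SUBTYPE_DEAUTH = 12
DEAUTH_LEN = 26
# Reason 7 = "class 3 frame received from nonassociated STA" (the 07 00 tail).
REASON_CLASS3_NONASSOC = 7


def mac_to_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(bssid: str, client: str, reason: int = REASON_CLASS3_NONASSOC,
                 seq: int = 0, duration: int = 0x013A) -> bytes:
    """Same layout as the three memcpy calls in deauthPacketForBSSID:client:.

    offset 0  frame control (2)    offset 16 addr3 = BSSID (6)
    offset 2  duration (2)         offset 22 sequence control (2)
    offset 4  addr1 = client (6)   offset 24 reason code (2)
    offset 10 addr2 = BSSID (6)
    """
    if not 0 <= seq < 4096:
        raise ValueError("sequence number is a 12-bit field")
    seq_ctrl = seq << 4  # fragment number 0 in the low 4 bits
    return (struct.pack("<HH", FC_DEAUTH, duration)
            + mac_to_bytes(client)
            + mac_to_bytes(bssid)
            + mac_to_bytes(bssid)
            + struct.pack("<HH", seq_ctrl, reason))


def is_deauth(frame: bytes) -> bool:
    """True only for a well-formed management frame of subtype 12."""
    if len(frame) < DEAUTH_LEN:
        return False
    fc = struct.unpack_from("<H", frame, 0)[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    return version == 0 and ftype == 0 and subtype == SUBTYPE_DEAUTH


def parse_deauth(frame: bytes) -> dict:
    """Decode the fields of a deauthentication frame; rejects anything else."""
    if not is_deauth(frame):
        raise ValueError("not a deauthentication frame")
    duration = struct.unpack_from("<H", frame, 2)[0]
    seq_ctrl, reason = struct.unpack_from("<HH", frame, 22)
    return {
        "client": bytes_to_mac(frame[4:10]),    # addr1, destination
        "source": bytes_to_mac(frame[10:16]),   # addr2, spoofed as the AP
        "bssid": bytes_to_mac(frame[16:22]),    # addr3
        "seq": seq_ctrl >> 4,
        "frag": seq_ctrl & 0xF,
        "reason": reason,
        "duration": duration,
    }


def radiotap_wrap(frame: bytes) -> bytes:
    """Prefix the minimal 8-byte radiotap header (version 0, no fields).

    Assumption, not stated on the page: injecting on a monitor-mode interface
    whose link type is DLT_IEEE802_11_RADIO requires the frame to start with a
    radiotap header; this is the smallest valid one.
    """
    return struct.pack("<BBHI", 0, 0, 8, 0) + frame


def deauth_burst(bssid: str, client: str, count: int) -> list:
    """Frames for the repeated sending the answer describes, each with a fresh
    12-bit sequence number so they are not byte-identical."""
    return [build_deauth(bssid, client, seq=i % 4096) for i in range(count)]


if __name__ == "__main__":
    frame = build_deauth("bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc")
    print("matches JamWiFi template:", frame == JAMWIFI_DEAUTH_REQ)
    print(parse_deauth(frame))
```

Filling the BB/CC placeholders with the BSSID and client addresses reproduces the template byte for byte, which is the quickest way to confirm that the three memcpy offsets (4, 10, 16) are the three address fields and that the trailing 07 00 is the reason code.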