Inject Packets With An ESP8266

[Kripthor] sent us a link to his blog where he writes the Hello World of low-level networking. Basically he’s constructing his own packet and sending it. By itself this isn’t a bad thing. You could use this power for all sorts of networks-diagnostic good. And so, despite the ominous name of his blog post “ESP8266 Jamming”, he’s not really doing anything that bad — he’s just creating many fake WiFi beacon frames and sending them out every so often.

Which can apparently do bad things to some vulnerable routers. Who knew? Want to test yours?

Naturally we wanted to see how he was doing it, and we opened up the Arduino code in GitHub. It turns out that Espressif has written a wifi_send_pkt_freedom() function that just sends out whatever packet you’d like to the network. That was easy.

It also turns out that the ESP8266 will enter monitor mode, where it listens to all WiFi traffic regardless of the MAC address that it’s directed toward. [Pulkin] seems to have done the work for us and posted the code in his GitHub. Now things get nasty. Combining promiscuous monitor mode with some carefully constructed management frames can end up with a classic WiFi deauth denial-of-service attack on a $2 piece of hardware.

We think it’s tremendously cool that the ESP8266 packs such power, and we beg you all to use it responsibly. The last thing we want to see is the world littered with WiFi-DOS throwies. And the last thing you’d want is a visit from the FCC.

35 thoughts on “Inject Packets With An ESP8266

          1. Last time I flooded my router with that attack, I got locked out.

            WPS cracking (via reaver) does not necessarily need to flood it, rather in intervals of a few second per packet. Flooding router would make it think it is being cracked (as it should) and down right lock you out; at least that’s what happens with my router. I think you are confusing this with WEP cracking, as WPS cracking doesn’t even need that much computational power as compared with the other.

        1. Yeah, very sad that new phones don’t have monitor-capable wifi chips. Some of the very early smartphones did like the N900, G1, and the Nexus One. But at least we have USB OTG now!

    1. I’m sure we can. It doesn’t require any computational power, you just have to wait for quite some time, and your presence at the spot is not something that’s advised (you know, when you’re performing pentesting of company’s infrastructure ordered by the said company, un-manned pentesting tools of a small size look so much more impressive…), so that it looks like actually the best way to crack WPS.

  1. HaD comment from 2011, @nono3:
    Look into IEEE 802.11w. This is a standard for management frame protection, the deauth frames (and others) are then also signed. Often used on not so critical control networks but where some jamming resistance is wanted (you can always just jam the rf signal, but most scriptkiddies can’t).

    You could mod the linux mac80211 to ignore deauth and disassoc, but then normal coordinated handovers in large wlan instalations would also stop working.

    Another way to jam wifi is spamming RTS frames telling every node to be silent for some time, if you can hack the cards firmware you can specify 0xFFFF as duration, which is somewhere around 32s if I remember correctly. This cannot be patched in software and requires hacking the card, but so does running the attack (one could send RTS frames using the cards short calculated duration, and it works if you do it fast enough, but then you don’t have the magic ‘one packet’ Dos.). This jams the entire channel btw, the RTS packets have no source.

    You could also, on WPA networks, inject fake EAPOL frames causing the authentication to fail every time. You can try disconnection already authenticated cllients by sending an EAPOL logoff frame, but most clients and soms AP’s ignore them, so you might start with deauth and then fake eapol. The fancy thing about this is that you can make the authentication look succesful to the client and ap, they just calculated another key so communication will not work, but it takes most clients 20 seconds trying dhcp to figure that out.

    I guess we have much more problems than just the classic deauth one.

  2. When I had a zaurus I had a program I could run that would start generating thousands of Wireless AP beacons, I would love a tiny little battery operated device that could do the same thing. broadcast thousands of fake AP’s out there to give some overly crazed IT security nut a heart attack by dropping a few around the company’s building.

  3. just want to ask, if the beacons sent from esp8266 can be used as BLE beacons? like iBeacon, eddystone, altbeacon..?

    can I use a android phone (or iPhone) and general 3rd party beacon app to listen to those BLE beacons?

    thanks ..

    1. I don’t know what’s going on in that (old) thread. As written in the post, and our writeup, it couldn’t be simpler to create and send custom packets with an ESP. And that’s a great feature for anyone who’s working on a WiFi network, security or just troubleshooting.

  4. Can we create a beacon when putting the esp8266 in deepsleep mode. This means when ever the esp wakes it sends a beacon.
    And other thing can we destroy the previously created beacon and create a new beacon ssid when I input a button press to esp?

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.